1,946 research outputs found
Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties
In this paper, we formally verify security properties of the ARMv7 Instruction Set Architecture (ISA) for user mode executions.
To obtain guarantees that arbitrary (and unknown) user processes are able to run isolated from privileged software and other user processes, instruction level noninterference and integrity properties are provided, along with proofs that transitions to privileged modes can only occur in a controlled manner.
This work establishes a main requirement for operating system and hypervisor verification, as demonstrated for the PROSPER separation kernel. The proof is performed in the HOL4 theorem prover, taking the Cambridge model of ARM as basis.
To this end, a proof tool has been developed, which assists the verification of relational state predicates semi-automatically
Attestation Mechanisms for Trusted Execution Environments Demystified
Attestation is a fundamental building block to establish trust over software
systems. When used in conjunction with trusted execution environments, it
guarantees the genuineness of the code executed against powerful attackers and
threats, paving the way for adoption in several sensitive application domains.
This paper reviews remote attestation principles and explains how the modern
and industrially well-established trusted execution environments Intel SGX, Arm
TrustZone and AMD SEV, as well as emerging RISC-V solutions, leverage these
mechanisms.Comment: This publication incorporates results from the VEDLIoT project, which
received funding from the European Union's Horizon 2020 research and
innovation programme under grant agreement No 957197. arXiv admin note:
substantial text overlap with arXiv:2204.0679
SGXIO: Generic Trusted I/O Path for Intel SGX
Application security traditionally strongly relies upon security of the
underlying operating system. However, operating systems often fall victim to
software attacks, compromising security of applications as well. To overcome
this dependency, Intel introduced SGX, which allows to protect application code
against a subverted or malicious OS by running it in a hardware-protected
enclave. However, SGX lacks support for generic trusted I/O paths to protect
user input and output between enclaves and I/O devices.
This work presents SGXIO, a generic trusted path architecture for SGX,
allowing user applications to run securely on top of an untrusted OS, while at
the same time supporting trusted paths to generic I/O devices. To achieve this,
SGXIO combines the benefits of SGX's easy programming model with traditional
hypervisor-based trusted path architectures. Moreover, SGXIO can tweak insecure
debug enclaves to behave like secure production enclaves. SGXIO surpasses
traditional use cases in cloud computing and makes SGX technology usable for
protecting user-centric, local applications against kernel-level keyloggers and
likewise. It is compatible to unmodified operating systems and works on a
modern commodity notebook out of the box. Hence, SGXIO is particularly
promising for the broad x86 community to which SGX is readily available.Comment: To appear in CODASPY'1
TriCheck: Memory Model Verification at the Trisection of Software, Hardware, and ISA
Memory consistency models (MCMs) which govern inter-module interactions in a
shared memory system, are a significant, yet often under-appreciated, aspect of
system design. MCMs are defined at the various layers of the hardware-software
stack, requiring thoroughly verified specifications, compilers, and
implementations at the interfaces between layers. Current verification
techniques evaluate segments of the system stack in isolation, such as proving
compiler mappings from a high-level language (HLL) to an ISA or proving
validity of a microarchitectural implementation of an ISA.
This paper makes a case for full-stack MCM verification and provides a
toolflow, TriCheck, capable of verifying that the HLL, compiler, ISA, and
implementation collectively uphold MCM requirements. The work showcases
TriCheck's ability to evaluate a proposed ISA MCM in order to ensure that each
layer and each mapping is correct and complete. Specifically, we apply TriCheck
to the open source RISC-V ISA, seeking to verify accurate, efficient, and legal
compilations from C11. We uncover under-specifications and potential
inefficiencies in the current RISC-V ISA documentation and identify possible
solutions for each. As an example, we find that a RISC-V-compliant
microarchitecture allows 144 outcomes forbidden by C11 to be observed out of
1,701 litmus tests examined. Overall, this paper demonstrates the necessity of
full-stack verification for detecting MCM-related bugs in the hardware-software
stack.Comment: Proceedings of the Twenty-Second International Conference on
Architectural Support for Programming Languages and Operating System
TransForm: Formally Specifying Transistency Models and Synthesizing Enhanced Litmus Tests
Memory consistency models (MCMs) specify the legal ordering and visibility of
shared memory accesses in a parallel program. Traditionally, instruction set
architecture (ISA) MCMs assume that relevant program-visible memory ordering
behaviors only result from shared memory interactions that take place between
user-level program instructions. This assumption fails to account for virtual
memory (VM) implementations that may result in additional shared memory
interactions between user-level program instructions and both 1) system-level
operations (e.g., address remappings and translation lookaside buffer
invalidations initiated by system calls) and 2) hardware-level operations
(e.g., hardware page table walks and dirty bit updates) during a user-level
program's execution. These additional shared memory interactions can impact the
observable memory ordering behaviors of user-level programs. Thus, memory
transistency models (MTMs) have been coined as a superset of MCMs to
additionally articulate VM-aware consistency rules. However, no prior work has
enabled formal MTM specifications, nor methods to support their automated
analysis.
To fill the above gap, this paper presents the TransForm framework. First,
TransForm features an axiomatic vocabulary for formally specifying MTMs.
Second, TransForm includes a synthesis engine to support the automated
generation of litmus tests enhanced with MTM features (i.e., enhanced litmus
tests, or ELTs) when supplied with a TransForm MTM specification. As a case
study, we formally define an estimated MTM for Intel x86 processors, called
x86t_elt, that is based on observations made by an ELT-based evaluation of an
Intel x86 MTM implementation from prior work and available public
documentation. Given x86t_elt and a synthesis bound as input, TransForm's
synthesis engine successfully produces a set of ELTs including relevant ELTs
from prior work.Comment: *This is an updated version of the TransForm paper that features
updated results reflecting performance optimizations and software bug fixes.
14 pages, 11 figures, Proceedings of the 47th Annual International Symposium
on Computer Architecture (ISCA
- …