Abstract
Isadora is a specification mining tool for creating information-flow properties for hardware. Isadora combines hardware information-flow tracking and specification mining to produce properties that are suitable for hardware security validation and support a better understanding of the hardware’s security posture. Isadora is fully automated; the user provides only a hardware specification and a testbench, and does not need to supply a threat model or security requirements. Isadora is evaluated on a RISC-V processor, an SoC access control mechanism, and the OpenTitan hardware root of trust. Isadora generates security properties that align with Common Weakness Enumerations (CWEs) and with properties written manually by security experts.
Notes
Examples include Mentor Questa Secure Check, Cadence JasperGold Security Path Verification, and Tortuga Logic Radix.
Acknowledgements
We thank our reviewers for their insightful comments and suggestions. This material is based upon work supported by the National Science Foundation under Grant Nos. CNS-1816637 and 1718586, by the Semiconductor Research Corporation, and by Intel. Any opinions, findings, conclusions, and recommendations expressed in this paper are solely those of the authors.
A Sample properties
In this section, we show examples of Isadora output.
A.1 Case 154: ACW security property
To consider the output properties of Isadora, Fig. 7 shows an example of Isadora output, Case 154 of the 303 output properties over the ACW module. This is a case that was sampled during evaluation. Here the condition predicates shown test signal equality against zero. Other predicates are captured within the workflow but are not propagated to the individual properties formatted for output.
A visible difference between an Isadora output property and the property grammar of Sect. 2 is that at the output stage Isadora properties may specify multiple source signals, may consider multiple sink signals (though this case has a single sink), and may contain multiple invariants as conditions.
Case 154 includes an example of a flow condition between internal and peripheral-visible signals, in addition to specifying other aspects of design behavior. This is similar to the example of write readiness from Sect. 2, but in Case 154 the flow is from the internal signal to the peripheral, while the power state predicate is identical. Of note, as in the case of write readiness, this flow occurs exclusively within the write channel, as denoted by the ‘\(\texttt{W}\)’ present in the names of both the ready wire and the data register.
\(\mathtt{AWREADY\_int}\) =/=> \(\mathtt{WDATA}\) unless \((\mathtt{ARESETN} \ne 0)\).
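To make the shape of such a property concrete, the following added example (not Isadora's code, and not the ACW RTL) mines and checks conditional no-flow properties of the form `source =/=> sink unless (cond)` over a taint-labelled simulation trace. The write-channel model, its taint propagation rule, and the stimulus are all constructed assumptions; the only facts taken from the paper are the property syntax and the idea that the `unless` conditions are zero/non-zero predicates that hold whenever a flow from source to sink is observed. It goes slightly beyond the single case above by also producing an unconditional no-flow property when no flow is ever observed, and by showing how a mined property is then used as a check on a later trace.

```python
"""Added example: mine `source =/=> sink unless (cond)` properties from an
IFT-style trace and check them. Hypothetical, simplified model; not Isadora."""
from dataclasses import dataclass


@dataclass
class Cycle:
    values: dict  # signal name -> integer value observed in this cycle
    taint: dict   # signal name -> set of source-signal labels that reached it


def simulate(stimulus):
    """Constructed IFT-instrumented model of an AXI-style write channel (an
    assumption, not the ACW design): WDATA latches WDATA_in on an
    AWVALID/AWREADY_int handshake while ARESETN is deasserted; a reset clears
    both the register value and its labels."""
    trace = []
    wdata, wdata_taint = 0, set()
    for inp in stimulus:
        if inp["ARESETN"] == 0:
            wdata, wdata_taint = 0, set()
        elif inp["AWVALID"] != 0 and inp["AWREADY_int"] != 0:
            wdata = inp["WDATA_in"]
            # conservative label propagation: the data and the control
            # signals that gated the update all reach the register
            wdata_taint = {"WDATA_in", "AWVALID", "AWREADY_int"}
        values = dict(inp, WDATA=wdata)
        taint = {s: {s} for s in inp}  # every input carries its own label
        taint["WDATA"] = set(wdata_taint)
        trace.append(Cycle(values, taint))
    return trace


def flow_cycles(trace, source, sink):
    """Cycles in which the label of `source` newly appears at `sink`
    (each such cycle is one observed flow instance)."""
    cycles, prev = [], False
    for i, c in enumerate(trace):
        cur = source in c.taint.get(sink, set())
        if cur and not prev:
            cycles.append(i)
        prev = cur
    return cycles


def mine_conditions(trace, source, sink):
    """Zero / non-zero predicates over the other signals that hold at every
    observed flow instance. Returns None when no flow was seen at all, which
    yields an unconditional no-flow candidate."""
    cycles = flow_cycles(trace, source, sink)
    if not cycles:
        return None
    candidates = [s for s in trace[0].values if s not in (source, sink)]
    conds = []
    for s in candidates:
        vals = [trace[i].values[s] for i in cycles]
        if all(v == 0 for v in vals):
            conds.append(f"{s} == 0")
        elif all(v != 0 for v in vals):
            conds.append(f"{s} != 0")
    return conds


def format_property(source, sink, conds):
    """Render in the `src =/=> sink unless (...)` notation used by the paper."""
    if conds is None:
        return f"{source} =/=> {sink}"
    return f"{source} =/=> {sink} unless ({' and '.join(conds)})"


def violations(trace, source, sink, predicate):
    """Flow instances at which `predicate(values)` is false: the property
    is violated on this trace exactly when the list is non-empty."""
    return [i for i in flow_cycles(trace, source, sink)
            if not predicate(trace[i].values)]


# Constructed stimulus: two resets, an idle cycle, two handshakes (one of
# them writing the value zero, so that `WDATA_in != 0` is not over-mined).
STIMULUS = [
    {"ARESETN": 0, "AWVALID": 0, "AWREADY_int": 0, "WDATA_in": 0x00},
    {"ARESETN": 0, "AWVALID": 1, "AWREADY_int": 1, "WDATA_in": 0x2A},  # in reset: no flow
    {"ARESETN": 1, "AWVALID": 0, "AWREADY_int": 1, "WDATA_in": 0x2A},  # no AWVALID: no flow
    {"ARESETN": 1, "AWVALID": 1, "AWREADY_int": 1, "WDATA_in": 0x2A},  # flow
    {"ARESETN": 1, "AWVALID": 0, "AWREADY_int": 0, "WDATA_in": 0x00},
    {"ARESETN": 0, "AWVALID": 1, "AWREADY_int": 1, "WDATA_in": 0x15},  # reset clears labels
    {"ARESETN": 1, "AWVALID": 1, "AWREADY_int": 1, "WDATA_in": 0x00},  # flow, data is zero
    {"ARESETN": 1, "AWVALID": 0, "AWREADY_int": 1, "WDATA_in": 0x00},
]
TRACE = simulate(STIMULUS)
MINED = mine_conditions(TRACE, "AWREADY_int", "WDATA")

if __name__ == "__main__":
    print(format_property("AWREADY_int", "WDATA", MINED))
    print(violations(TRACE, "AWREADY_int", "WDATA", lambda v: v["ARESETN"] != 0))
```

The mined condition is only as strong as the testbench: a predicate that happens to hold at every observed flow instance is emitted even if the design does not enforce it, which is why the stimulus above deliberately writes a zero data value once. Conversely, a source whose label never reaches the sink (here `ARESETN`, whose effect is modelled as clearing labels) yields an unconditional `=/=>` property.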
A.2 Case 144: ACW functional property
One example of an Isadora property classified as functional, shown with truncated flow conditions in Fig. 8, captures a logical update to an internal decoder signal. It additionally illustrates a property over multiple sinks and a single source, for which the predicates capture both equality and inequality to zero.
Cite this article
Deutschbein, C., Meza, A., Restuccia, F. et al. Isadora: automated information-flow property generation for hardware security verification. J Cryptogr Eng 13, 391–407 (2023). https://doi.org/10.1007/s13389-022-00306-w