skip to main content
research-article
Public Access

A Principled Approach to Secure Multi-core Processor Design with ReWire

Published: 10 January 2017 Publication History

Abstract

There is no such thing as high assurance without high assurance hardware. High assurance hardware is essential because any and all high assurance systems ultimately depend on hardware that conforms to, and does not undermine, critical system properties and invariants. And yet, high assurance hardware development is stymied by the conceptual gap between formal methods and hardware description languages used by engineers. This article advocates a semantics-directed approach to bridge this conceptual gap. We present a case study in the design of secure processors, which are formally derived via principled techniques grounded in functional programming and equational reasoning. The case study comprises the development of secure single- and dual-core variants of a single processor, both based on a common semantic specification of the ISA. We demonstrate via formal equational reasoning that the dual-core processor respects a “no-write-down” information flow policy. The semantics-directed approach enables a modular and extensible style of system design and verification. The secure processors require only a very small amount of additional code to specify and implement, and their security verification arguments are concise and readable. Our approach rests critically on ReWire, a functional programming language providing a suitable foundation for formal verification of hardware designs. This case study demonstrates both ReWire’s expressiveness as a programming language and its power as a framework for formal, high-level reasoning about hardware systems.

References

[1]
Christiaan Baaij and Jan Kuper. 2014. Using rewriting to synthesize functional languages to digital circuits. In Proceedings of the 2014 International Symposium on Trends in Functional Programming (TFP’14). 17--33.
[2]
J. Bachrach, Huy Vo, B. Richards, Yunsup Lee, A. Waterman, R. Avizienis, J. Wawrzynek, and K. Asanovic. 2012. Chisel: Constructing hardware in a scala embedded language. In Proceedings of the 2012 49th ACM/EDAC/IEEE Design Automation Conference (DAC’12). 1212--1221.
[3]
Per Bjesse, Koen Claessen, and Mary Sheeran. 1998. Lava: Hardware design in Haskell. In ICFP’98. 174--184.
[4]
David Cock, Gerwin Klein, and Thomas Sewell. 2008. Secure microkernels, state monads and scalable refinement. In Proceedings of the 21st International Conference on Theorem Proving in Higher Order Logics (TPHOLs’08). 167--182.
[5]
Stephen A. Edwards. 2006. The challenges of synthesizing hardware from C-like languages. IEEE Design and Test of Computers 23, 5 (2006), 375--386.
[6]
Anthony Fox and Magnus O. Myreen. 2010. A trustworthy monadic formalization of the ARMv7 instruction set architecture. In Proceedings of the 1st International Conference on Interactive Theorem Proving (ITP’10). 243--258.
[7]
Nithin George, Hyoukjoong Lee, David Novo, Tiark Rompf, Kevin Brown, Arvind Sujeeth, Martin Odersky, Kunle Olukotun, and Paolo Ienne. 2014. Hardware system synthesis from domain-specific languages. In Proceedings of 24th Internation Conference on Field Programmable Logic and Applications (FPL’14).
[8]
Andy Gill. 2011. Declarative FPGA circuit synthesis using Kansas Lava. In ERSA’11.
[9]
Andy Gill. 2014. Domain-specific languages and code synthesis using Haskell. ACM Queue 12, 4, Article 30 (April 2014), 14 pages.
[10]
Carlos Eduardo Giménez. 1996. Un Calcul De Constructions Infinies Et Son Application A La Verification De Systemes Communicants. Ph.D. Dissertation. L’École Normale Supérieure de Lyon.
[11]
Joseph A. Goguen and José Meseguer. 1990. Security policies and security models. In Proceedings of the 1982 Symposium on Security and Privacy (SSP’82). IEEE Computer Society Press, 11--20.
[12]
S. Goncharov and L. Schröder. 2011. A coinductive calculus for asynchronous side-effecting processes. In Proceedings of the 18th International Conference on Fundamentals of Computation Theory. 276--287.
[13]
Ian Graves. 2015. Device-Level Composition in ReWire. Ph.D. Dissertation. University of Missouri.
[14]
W. Harrison, A. Procter, J. Agron, G. Kimmel, and G. Allwein. 2009. Model-driven engineering from modular monadic semantics: Implementation techniques targeting hardware and software. In Proceedings of the IFIP TC 2 Working Conference on Domain-Specific Languages. 20--44.
[15]
W. L. Harrison. 2006. Proof abstraction for imperative languages. In Proceedings of the 4th Asian Conference on Programming Languages and Systems (APLAS’06). 97--113.
[16]
W. L. Harrison and James Hook. 2009. Achieving information flow security through monadic control of effects. Journal of Computer Security 17, 5 (2009), 599--653.
[17]
William L. Harrison and Adam Procter. 2015. Cheap (but functional) threads. Submitted to the Journal of Functional Programming.
[18]
William L. Harrison, Adam Procter, and Gerard Allwein. 2012. The confinement problem in the presence of faults. In Proceedings of the 14th International Conference on Formal Engineering Methods (ICFEM’12). 182--197.
[19]
HyoukJoong Lee, Kevin Brown, Arvind Sujeeth, Hassan Chafi, Tiark Rompf, Martin Odersky, and Kunle Olukotun. 2011. Implementing domain-specific languages for heterogeneous parallel computing. IEEE Micro 31, 5 (Sept. 2011), 42--53.
[20]
Xun Li, Mohit Tiwari, Jason K. Oberg, Vineeth Kashyap, Frederic T. Chong, Timothy Sherwood, and Ben Hardekopf. 2011. Caisson: A hardware description language for secure information flow. In Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’11). ACM, New York, NY, 109--120.
[21]
Sheng Liang. 1998. Modular Monadic Semantics and Compilation. Ph.D. Dissertation. Yale University.
[22]
Sheng Liang, Paul Hudak, and Mark Jones. 1995. Monad transformers and modular interpreters. In Proceedings of the 22nd ACM Symposium on Principles of Programming Languages.
[23]
E. Moggi. 1991. Notions of computation and monads. Information and Computation 93, 1 (July 1991), 55--92.
[24]
Gerald J. Popek and Robert P. Goldberg. 1974. Formal requirements for virtualizable third generation architectures. Communications of the ACM 17, 7 (July 1974), 412--421.
[25]
Adam Procter. 2014. Semantics-Driven Design and Implementation of High-Assurance Hardware. Ph.D. Dissertation. University of Missouri.
[26]
Adam Procter, William L. Harrison, Ian Graves, Michela Becchi, and Gerard Allwein. 2015b. Online supplement accompanying “A Principled Approach to Secure Multi-Core Processor Design in ReWire”. Retrieved from http://adamprocter.com/tecs15.
[27]
Adam Procter, William L. Harrison, Ian Graves, Michela Becchi, and Gerard Allwein. 2015a. Semantics driven hardware design, implementation, and verification with ReWire. In Proceedings of the 16th ACM SIGPLAN/SIGBED Conference on Languages, Compilers and Tools for Embedded Systems (LCTES’15). Article 13, 13:1--13:10 pages.
[28]
John Reynolds. 1972. Definitional interpreters for higher order programming languages. ACM’72: Proceedings of the ACM Annual Conference. Vol. 2, 717--740.
[29]
Ingo Sander and Axel Jantsch. 2004. System modeling and transformational design refinement in ForSyDe. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 23, 1 (2004), 17--32.
[30]
Susmit Sarkar, Peter Sewell, Francesco Zappa Nardelli, Scott Owens, Tom Ridge, Thomas Braibant, Magnus O. Myreen, and Jade Alglave. 2009. The semantics of x86-CC multiprocessor machine code. In Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’09). 379--391.
[31]
Walid Taha and Tim Sheard. 2000. MetaML and multi-stage programming with explicit annotations. Theoretical Computer Science 248, 12 (2000), 211--242.
[32]
Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. 1996. A sound type system for secure flow analysis. Journal of Computer Security 4, 2--3 (1996), 167--187.
[33]
Matthew Wilding, David Greve, Raymond Richards, and David Hardin. 2010. Formal verification of partition management for the AAMP7G microprocessor. In Design and Verification of Microprocessor Systems for High-Assurance Applications, David S. Hardin (Ed.). 175--191.
[34]
Xilinx. 2011. PicoBlaze 8-bit Embedded Microcontroller User Guide. Xilinx, Inc.
[35]
Kuangya Zhai, Richard Townsend, Lianne Lairmore, Martha A. Kim, and Stephen A. Edwards. 2015. Hardware synthesis from a recursive functional language. In Proceedings of the International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS).

Cited By

View all
  • (2024)A Quantitative Type Approach to Formal Component-Based System Design2024 Forum on Specification & Design Languages (FDL)10.1109/FDL63219.2024.10673844(1-10)Online publication date: 4-Sep-2024
  • (2023)Formalized High Level Synthesis with Applications to Cryptographic HardwareNASA Formal Methods10.1007/978-3-031-33170-1_20(332-352)Online publication date: 3-Jun-2023
  • (2020)Verifiable security templates for hardwareProceedings of the 23rd Conference on Design, Automation and Test in Europe10.5555/3408352.3408502(658-661)Online publication date: 9-Mar-2020
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Embedded Computing Systems
ACM Transactions on Embedded Computing Systems  Volume 16, Issue 2
Special Issue on LCETES 2015, Special Issue on ACSD 2015 and Special Issue on Embedded Devise Forensics and Security
May 2017
705 pages
ISSN:1539-9087
EISSN:1558-3465
DOI:10.1145/3025020
Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Journal Family

Publication History

Published: 10 January 2017
Accepted: 01 June 2016
Revised: 01 April 2016
Received: 01 September 2015
Published in TECS Volume 16, Issue 2

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. Equational reasoning
  2. hardware security
  3. monads
  4. reconfigurable computing

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

  • Office of the Assistant Secretary of Defense for Research and Engineering
  • U.S. Department of Education under GAANN
  • NSF CAREER
  • NSF

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)121
  • Downloads (Last 6 weeks)12
Reflects downloads up to 17 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2024)A Quantitative Type Approach to Formal Component-Based System Design2024 Forum on Specification & Design Languages (FDL)10.1109/FDL63219.2024.10673844(1-10)Online publication date: 4-Sep-2024
  • (2023)Formalized High Level Synthesis with Applications to Cryptographic HardwareNASA Formal Methods10.1007/978-3-031-33170-1_20(332-352)Online publication date: 3-Jun-2023
  • (2020)Verifiable security templates for hardwareProceedings of the 23rd Conference on Design, Automation and Test in Europe10.5555/3408352.3408502(658-661)Online publication date: 9-Mar-2020
  • (2020)Verifiable Security Templates for Hardware2020 Design, Automation & Test in Europe Conference & Exhibition (DATE)10.23919/DATE48585.2020.9116342(658-661)Online publication date: Mar-2020
  • (2019)The Mechanized Marriage of Effects and Monads with Applications to High-assurance HardwareACM Transactions on Embedded Computing Systems10.1145/327428218:1(1-26)Online publication date: 8-Jan-2019
  • (2018)Language Abstractions for Hardware-based Control-Flow Integrity Monitoring2018 International Conference on ReConFigurable Computing and FPGAs (ReConFig)10.1109/RECONFIG.2018.8641707(1-6)Online publication date: Dec-2018
  • (2017)A core calculus for secure hardwareProceedings of the 15th ACM-IEEE International Conference on Formal Methods and Models for System Design10.1145/3127041.3127048(122-131)Online publication date: 29-Sep-2017

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Full Access

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media