ACM Digital Library home
ACM home
Advanced Search
10.1145/1993498.1993512acmconferencesArticle/Chapter ViewAbstractPublication PagespldiConference Proceedingsconference-collections
research-article

Caisson: a hardware description language for secure information flow

Authors Info & Claims
PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and ImplementationJune 2011 Pages 109–120https://doi.org/10.1145/1993498.1993512
Published:04 June 2011Publication History
  • 94citation
  • 612
  • Downloads
Metrics
Total Citations94
Total Downloads612
Last 12 Months43
Last 6 weeks2

ABSTRACT

Information flow is an important security property that must be incorporated from the ground up, including at hardware design time, to provide a formal basis for a system's root of trust. We incorporate insights and techniques from designing information-flow secure programming languages to provide a new perspective on designing secure hardware. We describe a new hardware description language, Caisson, that combines domain-specific abstractions common to hardware design with insights from type-based techniques used in secure programming languages. The proper combination of these elements allows for an expressive, provably-secure HDL that operates at a familiar level of abstraction to the target audience of the language, hardware architects.

We have implemented a compiler for Caisson that translates designs into Verilog and then synthesizes the designs using existing tools. As an example of Caisson's usefulness we have addressed an open problem in secure hardware by creating the first-ever provably information-flow secure processor with micro-architectural features including pipelining and cache. We synthesize the secure processor and empirically compare it in terms of chip area, power consumption, and clock frequency with both a standard (insecure) commercial processor and also a processor augmented at the gate level to dynamically track information flow. Our processor is competitive with the insecure processor and significantly better than dynamic tracking.

References

  1. 90nm generic CMOS library, Synopsys University program, Synopsys Inc.Google ScholarGoogle Scholar
  2. Common critera evaluation and validation scheme. http://www.niap-ccevs.org/cc-scheme/cc_docs/.Google ScholarGoogle Scholar
  3. Validated FIPS 140-1 and FIPS 140-2 cryptographic modules. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.Google ScholarGoogle Scholar
  4. What does CC EAL6 mean? http://www.ok-labs.com/blog/entry/what-does-cc-eal6-mean/.Google ScholarGoogle Scholar
  5. O. Accigmez, J. pierre Seifert, and C. K. Koc. Predicting secret keys via branch prediction. In The Cryptographers' Track at the RSA Conference, pages 225--242. Springer-Verlag, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. O. Aciiçmez. Yet another microarchitectural attack: Exploiting i-cache. In CCS Computer Security Architecture Workshop, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. O. Aciiçmez, J.-P. Seifert, and C. K. Koc. Micro-architectural cryptanalysis. IEEE Security and Privacy, 5:62--64, July 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. J. Agat. Transforming out timing leaks. In Proceedings of the 27th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '00, pages 40--53, New York, NY, USA, 2000. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. G. Barthe, T. Rezk, and M. Warnier. Preventing Timing Leaks Through Transactional Branching Instructions. Electronic Notes Theoretical Computer Science, 153:33--55, May 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. G. Boudol and I. Castellani. Noninterference for concurrent programs. pages 382--395, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. E. M. Clarke, O. Grumberg, and D.Peled. Model Checking. MIT Press, 2000.Google ScholarGoogle Scholar
  12. J. R. Crandall and F. T. Chong. Minos: Control data attack prevention orthogonal to memory model. In Micro, pages 221--232, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. M. Dalton, H. Kannan, and C. Kozyrakis. Raksha: A flexible information flow architecture for software security. In ISCA, pages 482--493, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504--513, 1977. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. F. A. A. (FAA). Boeing model 787-8 airplane; systems and data networks security-isolation or protection from unauthorized passenger domain systems access. http://cryptome.info/faa010208.htm.Google ScholarGoogle Scholar
  16. A. Filinski. Linear continuations. In Proceedings of the 19th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '92, pages 27--38, New York, NY, USA, 1992. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. C. Fournet and T. Rezk. Cryptographically sound implementations for typed information-flow security. In POPL, pages 323--335, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. J. A. Goguen and J. Meseguer. Security policies and security models. In IEEE Symposium on Security and Privacy, 1982.Google ScholarGoogle ScholarCross RefCross Ref
  19. C. Hankin. Program analysis tools. International Journal on Software Tools for Technology Transfer, 2(1), 1998.Google ScholarGoogle ScholarCross RefCross Ref
  20. D. Harel. Statecharts: A visual formalism for complex systems. Science of Computer Programming 8, 1987. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. D. Hedin and D. Sands. Timing aware information flow security for a javacard-like bytecode. 141(1):163--182, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. C. Hymans. Checking safety properties of behavioral VHDL descriptions by abstract interpretation. In International Static Analysis Symposium, pages 444--460. Springer, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. C. Hymans. Design and implementation of an abstract interpreter for VHDL. D.Geist and E.Tronci, editors, CHARME, 2860 of LNCS, 2003.Google ScholarGoogle Scholar
  24. G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: formal verification of an OS kernel. In SOSP, pages 207--220, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, pages 388--397, 1999. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. J. Kong, O. Aciiçmez, J.-P. Seifert, and H. Zhou. Deconstructing new cache designs for thwarting software cache-based side channel attacks. In Proc. of the 2nd ACM workshop on Computer security architectures, pages 25--34, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. Experimental security analysis of a modern automobile. IEEE Symposium on Security and Privacy, pages 447--462, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. Frans, K. Eddie, and K. R. Morris. Information flow control for standard OS abstractions. In SOSP, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. L. C. Lam and T.-c. Chiueh. A general dynamic information flow tracking framework for security applications. In Proceedings of the 22nd Annual Computer Security Applications Conference, pages 463--472, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. P. Li, Y. Mao, and S. Zdancewic. Information integrity policies. In Proceedings of the Workshop on Formal Aspects in Security and Trust, 2003.Google ScholarGoogle Scholar
  31. X. Li, M. Tiwari, B. Hardekopf, T. Sherwood, and F. T. Chong. Secure information flow analysis for hardware design: Using the right abstraction for the job. The Fifth ACM SIGPLAN Workshop on Programming Languages and Analysis for Security(PLAS), June 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. O. Mutlu and T. Moscibroda. Stall-time fair memory access scheduling for chip multiprocessors. In Micro, pages 146--160, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. A. C. Myers, N. Nystrom, L. Zheng, and S. Zdancewic. Jif: Java information flow. Software release. http://www.cs.cornell.edu/jif, July 2001.Google ScholarGoogle Scholar
  34. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In NDSS, 2005.Google ScholarGoogle Scholar
  35. C. Percival. Cache missing for fun and profit. In Proc. of BSDCan, 2005.Google ScholarGoogle Scholar
  36. F. Qin, C. Wang, Z. Li, H.-s. Kim, Y. Zhou, and Y. Wu. Lift: A low-overhead practical information flow tracking system for detecting security attacks. In Micro, pages 135--148, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. A. Russo, J. Hughes, D. Naumann, and A. Sabelfeld. Closing internal timing channels by transformation. pages 120--135, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. O. Ruwase, P. B. Gibbons, T. C. Mowry, V. Ramachandran, S. Chen, M. Kozuch, and M. Ryan. Parallelizing dynamic information flow tracking. In SPAA, pages 35--45, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1), Jan. 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. M. Schlickling and M. Pister. A framework for static analysis of VHDL code. 7th International Workshop on Worst-Case Execution Time (WCET) Analysis, 2007.Google ScholarGoogle Scholar
  41. O. Sibert, P. A. Porras, and R. Lindell. An analysis of the intel 80x86 security architecture and implement ations. IEEE Transactions on Software Engineering, 22(5):283--293, 1996. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. pages 355--364, 1998. Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In ASPLOS, pages 85--96, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. E. Technologies. The Esterel v7 Reference Manual, version v7.30 - initial IEEE standardization proposal edition. 2005.Google ScholarGoogle Scholar
  45. M. Tiwari, X. Li, H. Wassel, F. Chong, and T. Sherwood. Execution leases: A hardware-supported mechanism for enforcing strong non-interference. In Micro, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  46. M. Tiwari, H. Wassel, B. Mazloom, S. Mysore, F. Chong, and T. Sherwood. Complete information flow tracking from the gates up. In ASPLOS, March 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  47. T. K. Tolstrup. Language-based Security for VHDL. PhD thesis, Technical University of Denmark, 2006.Google ScholarGoogle Scholar
  48. T. K. Tolstrup, F. Nielson, and H. R. Nielson. Information flow analysis for VHDL. volume 3606 of LNCS, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. N. Vachharajani, M. J. Bridges, J. Chang, R. Rangan, G. Ottoni, J. A. Blome, G. A. Reis, M. Vachharajani, and D. I. August. Rifle: An architectural framework for user-centric information-flow security. In Micro, pages 243--254, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  50. G. Venkataramani, I. Doudalis, Y. Solihin, and M. Prvulovic. FlexiTaint: A programmable accelerator for dynamic taint propagation. In HPCA, pages 196--206, 2008.Google ScholarGoogle ScholarCross RefCross Ref
  51. D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. J. Comput. Secur., 4:167--187, January 1996. Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. D. Volpano and G. Smith. Eliminating covert flows with minimum typings. page 156, 1997. Google ScholarGoogle ScholarDigital LibraryDigital Library
  53. D. Volpano and G. Smith. A type-based approach to program security. In In Proceedings of the 7th International Joint Conference on the Theory and Practice of Software Devel-opment, pages 607--621. Springer, 1997. Google ScholarGoogle ScholarDigital LibraryDigital Library
  54. Z. Wang and R. B. Lee. New cache designs for thwarting software cache-based side channel attacks. In ISCA, pages 494--505, New York, NY, USA, 2007. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  55. S. Zdancewic and A. C. Myers. Secure information flow via linear continuations. 15(2--3):209--234, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  56. S. Zdancewic and A. C. Myers. Observational determinism for concurrent program security. pages 29--43, 2003.Google ScholarGoogle Scholar
  57. N. Zeldovich, S. Boyd-Wickizer, and D.Mazieres. Security distributed systems with information flow control. In NSDI, pages 293--308, Apr. 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  58. N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making information flow explicit in HiStar. In OSDI, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  59. N. Zeldovich, H. Kannan, M. Dalton, and C. Kozyrakis. Hardware enforcement of application security policies using tagged memory. In OSDI, Dec. 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Caisson: a hardware description language for secure information flow

    Comments

    Login options

    Check if you have access through your login credentials or your institution to get full access on this article.

    Sign in

    Full Access

    Get this Publication

    PDF Format

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader
    View Table of Contents
    About Cookies On This Site

    We use cookies to ensure that we give you the best experience on our website.

    Learn more

    Got it!