Abstract
We present a methodology for identifying security critical properties for use in the dynamic verification of a processor. Such verification has been shown to be an effective way to prevent exploits of vulnerabilities in the processor, given a meaningful set of security properties. We use known processor errata to establish an initial set of security-critical invariants of the processor. We then use machine learning to infer an additional set of invariants that are not tied to any particular, known vulnerability, yet are critical to security.
We build a tool chain implementing the approach and evaluate it for the open-source OR1200 RISC processor. We find that our tool can identify 19 (86.4%) of the 22 manually crafted security-critical properties from prior work and generates 3 new security properties not covered in prior work.
Identifying Security Critical Properties for the Dynamic Verification of a Processor. Published in ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems.