## Formal Method on Hardware Security

Oct 2022

**CPU Models** 

Refinement Property

More CPU Models

More Properties on CPU

Single-trace Property and Hyperpropert

Example: Non-interference Property

An Estimation Schome: Taint Analysis

An Estimation Scheme: Taint Analysis

#### **CPU Models**

Refinement Property

More CPU Models

#### More Properties on CPU

Single-trace Property and Hyperpropert Example: Non-interference Property

An Estimation Scheme: Taint Analysis

### **CPU Models**

► RTL Implementation

#### **CPU Models**

- ► RTL Implementation
- ► ISA Specification

#### **CPU Models**

- ► RTL Implementation
- ► ISA Specification: A set of implementations

**CPU Models** 

#### Refinement Property

More CPU Models

#### More Properties on CPU

Single-trace Property and Hyperpropert

Example: Non-interference Property

An Estimation Scheme: Taint Analysis

► RTL refines ISA

- RTL refines ISA
- ► 1-cycle ALU refines symbolic-cycle ALU

- ► RTL refines ISA
- ▶ 1-cycle ALU refines symbolic-cycle ALU
- ► 1-entry FIFO refines 2-entry FIFO

- RTL refines ISA
- ▶ 1-cycle ALU refines symbolic-cycle ALU
- ▶ 1-entry FIFO refines 2-entry FIFO
  - compare the enqueue(), dequeue() trace of the FIFO

- RTL refines ISA
- 1-cycle ALU refines symbolic-cycle ALU
- ▶ 1-entry FIFO refines 2-entry FIFO
  - compare the enqueue(), dequeue() trace of the FIFO
  - ► 1-entry: enq(), deq(), enq(), deq() ...
  - 2-entry: enq(), deq() ... or enq(), enq(), deq(), ... or ...

- RTL refines ISA
- 1-cycle ALU refines symbolic-cycle ALU
- ▶ 1-entry FIFO refines 2-entry FIFO
  - compare the enqueue(), dequeue() trace of the FIFO
  - ► 1-entry: enq(), deq(), enq(), deq() ...
  - ► 2-entry: enq(), deq() ... or enq(), enq(), deq(), ... or ...
  - Not correct in Verilog, is a good property in Bluespec

- RTL refines ISA
- ▶ 1-cycle ALU refines symbolic-cycle ALU
- ► 1-entry FIFO refines 2-entry FIFO regarding to enq(), deq() event sequences.

- RTL refines ISA
- ▶ 1-cycle ALU refines symbolic-cycle ALU regarding to RTL implementations.
- ▶ 1-entry FIFO refines 2-entry FIFO regarding to enq(), deq() event sequences.

- ▶ RTL refines ISA regarding to commit cycle of each instruction. (How to define the commit cycle of a OoO CPU?)
- ▶ 1-cycle ALU refines symbolic-cycle ALU regarding to RTL implementations.
- ▶ 1-entry FIFO refines 2-entry FIFO regarding to enq(), deq() event sequences.

- ▶ RTL refines ISA regarding to commit cycle of each instruction. (How to define the commit cycle of a OoO CPU?)
- ▶ 1-cycle ALU refines symbolic-cycle ALU regarding to RTL implementations.
- ▶ 1-entry FIFO refines 2-entry FIFO regarding to enq(), deq() event sequences.

- ▶ RTL refines ISA regarding to commit cycle of each instruction. (How to define the commit cycle of a OoO CPU?)
- ▶ 1-cycle ALU refines symbolic-cycle ALU regarding to RTL implementations.
- ▶ 1-entry FIFO refines 2-entry FIFO regarding to enq(), deq() event sequences. Bluespec cares about event, Verilog cares about signals

- ▶ RTL refines ISA regarding to commit cycle of each instruction. (How to define the commit cycle of a OoO CPU?)
- ► 1-cycle ALU refines symbolic-cycle ALU regarding to RTL implementations.
- ▶ 1-entry FIFO refines 2-entry FIFO regarding to enq(), deq() event sequences. Bluespec cares about event, Verilog cares about signals
- ➤ The real implementation refines our model in the paper regarding to ... :)

**CPU Models** 

Refinement Property

More CPU Models

#### More Properties on CPU

Single-trace Property and Hyperpropert

Example: Non-interference Property

An Estimation Scheme: Taint Analysis

#### More CPU Models

► RTL Implementation

► ISA Specification: A set of implementations

#### More CPU Models

- ► RTL Implementation
- RTL, but replace ALU with a symbolic-cycle ALU
- ▶ RTL, but replace all caches with symbolic-cyle MEM
- ► ISA Specification: A set of implementations

**CPU Models** 

Refinement Property

More CPU Models

#### More Properties on CPU

Single-trace Property and Hyperpropert

Example: Non-interference Property An Estimation Scheme: Taint Analysis

► Example: Memory Safety: any memory read/write instruction should within the boundary

- ► Example: Memory Safety: any memory read/write instruction should within the boundary
- Safety property and Liveness property

- Example: Memory Safety: any memory read/write instruction should within the boundary
- Safety property and Liveness property
  - Safety property: something bad will not happen
  - Liveness property: something good will eventually happen (no live lock)

- Example: Memory Safety: any memory read/write instruction should within the boundary
- Safety property and Liveness property
  - Safety property: something bad will not happen
  - Liveness property: something good will eventually happen (no live lock)
- Single-trace property and Hyperproperty

**CPU Models** 

Refinement Property

More CPU Models

More Properties on CPU
Single-trace Property and Hyperpropert

Example: Non-interference Property An Estimation Scheme: Taint Analysis

## Single-trace Property and Hyperproperty

Memory Safety: any memory read/write instruction should within the boundary

## Single-trace Property and Hyperproperty

- Memory Safety: any memory read/write instruction should within the boundary
- Non-interference property: Say we have a combinational function  $y_1, y_2 = f(x_1, x_2)$

$$x_1$$
 not interfere  $y_1$  iff  $\forall x_1, x_1', x_2,$  let  $y_1, y_2 = f(x_1, x_2),$   $y_1', y_2' = f(x_1', x_2),$  we have,  $y_1 = y_1'$ 

## Single-trace Property and Hyperproperty

- Memory Safety: any memory read/write instruction should within the boundary
- Non-interference property: Say we have a combinational function  $y_1, y_2 = f(x_1, x_2)$

$$x_1$$
 not interfere  $y_1$  iff  $\forall x_1, x_1', x_2,$  let  $y_1, y_2 = f(x_1, x_2),$   $y_1', y_2' = f(x_1', x_2),$  we have,  $y_1 = y_1'$ 

Hyperproperty is a property on a multiple traces

**CPU Models** 

Refinement Property

More CPU Models

More Properties on CPU

Single-trace Property and Hyperpropert

Example: Non-interference Property

An Estimation Scheme: Taint Analysis

## Example: Non-interference Property

A property on a pair of execution traces: for a function  $y_1, y_2 = f(x_1, x_2)$ :

$$x_1$$
 not interfere  $y_1$  iff  $\forall x_1, x_1', x_2,$  let  $y_1, y_2 = f(x_1, x_2),$   $y_1', y_2' = f(x_1', x_2),$  we have,  $y_1 = y_1'$ 

## Example: Non-interference Property

A property on a pair of execution traces: for a function  $y_1, y_2 = f(x_1, x_2)$ :

$$x_1$$
 not interfere  $y_1$  iff  $\forall x_1, x_1', x_2,$  let  $y_1, y_2 = f(x_1, x_2),$   $y_1', y_2' = f(x_1', x_2),$  we have,  $y_1 = y_1'$ 

Verify it with single trace: taint analysis: for a function  $y_1, y_2 = f(x_1, x_2)$ , we design an augment  $yt_1, yt_2 = ft(x_1, xt_1, x_2, xt_2)$ , such that:

$$x_1$$
 not interfere  $y_1$  iff  $\forall x_1,x_2,$  let  $yt_1,yt_2=ft(x_1,xt_1,x_2,xt_2),$  we have,  $yt_1=0$ 

**CPU Models** 

Refinement Property

More CPU Models

More Properties on CPU

Single-trace Property and Hyperpropert Example: Non-interference Property

An Estimation Scheme: Taint Analysis

## An Estimation Scheme: Taint Analysis

▶ Taint analysis: for a function  $y_1, y_2 = f(x_1, x_2)$ , we design an augment  $yt_1, yt_2 = ft(x_1, xt_1, x_2, xt_2)$ , such that:

```
x_1 not interfere y_1 iff \forall x_1,x_2, let yt_1,yt_2=ft(x_1,xt_1,x_2,xt_2), we have, yt_1=0
```

## An Estimation Scheme: Taint Analysis

► Taint analysis: for a function  $y_1, y_2 = f(x_1, x_2)$ , we design an augment  $yt_1, yt_2 = ft(x_1, xt_1, x_2, xt_2)$ , such that:

$$x_1$$
 not interfere  $y_1$  iff  $\forall x_1,x_2,$  let  $yt_1,yt_2=ft(x_1,xt_1,x_2,xt_2),$  we have,  $yt_1=0$ 

Finally, let me show a tool to automatically augment verilog with Taint functions.

## An Estimation Scheme: Taint Analysis

► Taint analysis: for a function  $y_1, y_2 = f(x_1, x_2)$ , we design an augment  $yt_1, yt_2 = ft(x_1, xt_1, x_2, xt_2)$ , such that:

$$x_1$$
 not interfere  $y_1$  iff  $\forall x_1, x_2,$  let  $yt_1, yt_2 = ft(x_1, xt_1, x_2, xt_2),$  we have,  $yt_1 = 0$ 

► Finally, let me show a tool to automatically augment verilog with Taint functions. More tools (JasperGold and ~100 more are coming http://mtlcad.mit.edu/setup.html).

## Taint Analysis: Gate-Level Information Flow Tracking (GLIFT)

Augment at each gate

► More on https://ieeexplore.ieee.org/document/5948366

# Taint Analysis: Gate-Level Information Flow Tracking (GLIFT)

- Augment at each gate
- When compose gates together or compose cycles together, will be conservative.
- ► More on https://ieeexplore.ieee.org/document/5948366