Scribd
Upload
28 views72 pages

Mucfi CERN-2

The document discusses µCFI, a formal verification method for ensuring microarchitectural control-flow integrity in CPUs, emphasizing the need for guarantees against bugs through formal verification rather than incomplete testing methods like fuzzing. It highlights the ability of µCFI to capture multiple threat models and provides a framework for tracking information flow and identifying insecure instructions. The presentation also outlines the verification goals and the application of taint logic to enhance security in CPU designs.

Uploaded by

svenka3
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
28 views72 pages

Mucfi CERN-2

The document discusses µCFI, a formal verification method for ensuring microarchitectural control-flow integrity in CPUs, emphasizing the need for guarantees against bugs through formal verification rather than incomplete testing methods like fuzzing. It highlights the ability of µCFI to capture multiple threat models and provides a framework for tracking information flow and identifying insecure instructions. The presentation also outlines the verification goals and the application of taint logic to enhance security in CPU designs.

Uploaded by

svenka3
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 72

µCFI: Formal Verification of

Microarchitectural
Control-flow Integrity
Katharina Ceesay-Seitz, Flavien Solt,
Kaveh Razavi

COMSEC, Computer Security Group,


ETH Zurich

CERN RASWG 09.12.2024

1
Published at ACM Computer and Communications Security (CCS) 2024
CPU Verification
Testing, e.g., fuzzing

2
CPU Verification
Testing, e.g., fuzzing,
is incomplete

Security: need guarantee of


absence of bugs

3
CPU Verification
Formal verification:
• Provides formal guarantees for
all inputs

4
CPU Verification
Formal verification:
• Provides formal guarantees for
all inputs

• Often a CPU-specific, manual effort

5
Formal Property Verification

CPU

Formal properties,
HDL e.g.,
(Hardware SystemVerilog
Description Assertions
Language)
Design describe desired
behavior

6
Formal Property Verification

Formal model
CPU
checker
CPU
Formal
properties,
e.g.,
SystemVerilog SAT(isfiability)
Assertions solver

7
Formal Property Verification

Formal model = property


CPU
checker satisfied
Formal proof
Formal for all inputs
properties,
e.g., Counter
SystemVerilog SAT(isfiability) example
Assertions solver

8
SIMPLER
SOLUTION?

9
CPU Verification
Formal verification:
• Provides formal guarantees for
all inputs

µCFI - Generalized security property


• Easy application and reuse
• Independent of CPU's verification state
=> apply it early in the design cycle
• Captures multiple threat models

10
Definition Microarchitectural Control Flow (µCF)
Software program (assembly instructions)
Architectural
(software) PC
Program
Counter
(PC)
CPU

Architectural PC decides the order of instructions

If condition
Software 'if'
PC = Branch target = A
=
Else
Branch instruction
PC = Branch target = B

11
Definition Microarchitectural Control Flow (µCF)
Software program (assembly instructions)
Architectural
(software) PC
Program
Counter
(PC)
CPU

Microarchitectural control flow (µCF)

update time

Microarchitectural PC 0x80000004 0x80000008 0x80001000 value


= a register inside
the CPU 12
Microarchitectural Control Flow Violations
Constant Time (CT) program

reads
secret
data

13
Microarchitectural Control Flow Violations
Constant Time (CT) program

reads
secret
data
operand:

14
Microarchitectural Control Flow Violations
Constant Time (CT) program

operand:

PROBLEM?
operand:

15
Microarchitectural Control Flow Violations
Constant Time (CT) program

operand:

operand:
Secret influences µCF

Execution takes longer = timing side channel

Delayed PC update PC
16
Microarchitectural Control Flow Violations
Constant Time (CT) program Control-flow integrity secure program

reads
operand:
input
data Exception

operand:

17
Microarchitectural Control Flow Violations
Constant Time (CT) program Control-flow integrity secure program

operand:
operand:

PC

operand:

Input influences µCF


by changing PC value

18
µCFI - Microarchitectural Control-flow Integrity

• Prove that only ISA specified control and data flows exist
• Detect non-ISA specified flows

Operand PC

19
ISA = Instruction Set Architecture, PC = Program Counter
µCFI - Microarchitectural Control-flow Integrity

• Prove that only ISA specified control and data flows exist
• Detect non-ISA specified flows

One property Operand PC

Two threat
models
captured

20
ISA = Instruction Set Architecture, PC = Program Counter
µCFI - Microarchitectural Control-flow Integrity

• Prove that only ISA specified control and data flows exist
• Detect non-ISA specified flows

One property Operand PC

Two threat secret Information leakage


models
captured

21
ISA = Instruction Set Architecture, PC = Program Counter
µCFI - Microarchitectural Control-flow Integrity

• Prove that only ISA specified control and data flows exist
• Detect non-ISA specified flows

One property Operand PC

Two threat secret Information leakage


models
attacker- Control-flow hijack
captured
controlled

22
ISA = Instruction Set Architecture, PC = Program Counter
µCFI - Microarchitectural Control-flow Integrity

• Prove that only ISA specified control and data flows exist
• Detect non-ISA specified flows

Information flow property

Source Sink

23
ISA = Instruction Set Architecture
µCFI - Microarchitectural Control-flow Integrity

• Prove that only ISA specified control and data flows exist
• Detect non-ISA specified flows

Information flow property


Information =
Source Sink
data flows

time & control flows

24
ISA = Instruction Set Architecture
µCFI - Microarchitectural Control-flow Integrity

• Prove that only ISA specified control and data flows exist
• Detect non-ISA specified flows

Information flow property


Information =
Source Sink
data flows

Operand PC time & control flows

25
ISA = Instruction Set Architecture, PC = Program Counter
Formal Verification of Information Flow

Information flow tracking with


taint logic – CellIFT [1]
CPU

taint = secret or attacker-controlled information


Taint
logic

[1] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", USENIX Security 2022
26
https://github.com/comsec-group/cellift-yosys
CellIFT

Information flow tracking with taint logic – CellIFT [1]

CPU

Taint
logic

Taint logic (CellIFT [1]) tracks


taint = secret or attacker-controlled
information flows

[1] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", 27
USENIX Security 2022
Formal Verification of Information Flow

CPU

Formal SVA
properties
Taint
logic

28
Formal Verification of Information Flow

CPU

Formal SVA Formal


properties model
checker
Taint
logic

29
Formal Verification of Information Flow

CPU

Formal Formal proof


Formal SVA
properties model
checker Counter
Taint
logic example

30
Formally Verifying µCFI

CPU + taint logic


REGISTERS
Instruction ADD

Operand

Taint does not reach the PC

PC

taint = secret or attacker-controlled

31
PC = Program Counter
Formally Verifying µCFI

CPU + taint logic


REGISTERS
Instruction BNE
Branch Not Equal

Operand

Taint reaches the PC

PC

taint = secret or attacker-controlled

32
PC = Program Counter
Formally Verifying µCFI

CPU + taint logic


REGISTERS
Instruction BNE
Branch Not Equal

Operand

Taint reaches the PC

PC µCFI violated??
33
PC = Program Counter
Instruction Classification
Control-influencing:
direct branches,
beq t1, t2, 20 PC
instructions with
exceptions, … control
branch
control
target
are expected
to influence
the program counter

If reg[t1] == reg[t2]
Branch target = A
Else
Branch target = B

34
Instruction Classification
µCFI
Control-influencing:
branches,
instructions with
beq t1, t2, 20 PC Operand PC
exceptions, … control
branch
control data
target
are expected
to influence
the program counter CellDFT
via control paths only If reg[t1] == reg[t2]
Branch target = A
Else
Program Counter = reg[t1]
Branch target = B Program Counter = reg[t2]

35
µCFI
CellIFT
Operand PC
information

Non-influencing:
arithmetic, logic, ...

CPU
if reg[t1] == reg[t2]

CellIFT [1]
tracks information = Taint
logic
data,
control & timing flows

36
[1] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", USENIX Security 2022
µCFI
CellDFT – Data Flow Tracking
Operand PC
New:
data

CPU
reg[t1] == reg[t2]

CellIFT [1] CellDFT

tracks information = only tracks Taint


data flows logic
data,
control & timing flows

37
[1] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", USENIX Security 2022
Identifying Insecure Instructions

CPU + taint logic


REGISTERS
Instruction ADDI CSRRW

Control and Status Register


Read Write
Operand

Which instruction tainted the PC?

PC

38
Identifying Insecure Instructions

CPU + taint logic


REGISTERS
Instruction
ADDI

Operand

Check the program counter


taint after each instruction?

PC

39
Identifying Insecure Instructions

CPU + taint logic


REGISTERS
Instruction
ADDI CSRRW
Control and Status Register
Read Write
Operand

Check the program counter


taint after each instruction?

PC

40
Identifying Insecure Instructions

addi influences csrrw


CPU + taint logic
REGISTERS
Instruction

Operand

• addi's operand leaks, but violation is


associated with csrrw
• Checking program counter taint after
PC
each instruction is imprecise

41
Identifying Insecure Instructions

addi influences csrrw


CPU + taint logic
REGISTERS
Instruction

Operand

• addi's operand leaks, but violation is


associated with csrrw
• Checking program counter taint after
PC
each instruction is imprecise
• A bug may be hidden by csrrw's
specified information flow
42
µCFI - Verification Goals

For communication with software


engineers/tools:
• Security classification per instruction

43
µCFI - Verification Goals

For communication with software


engineers/tools:
• Security classification per instruction,
• surrounded by arbitrary,
potentially insecure, instructions

44
µCFI - Verification Goals

For communication with software:


• Security classification per instruction

To ease debugging:
• Identify the specific instruction that leaks

45
µCFI - Verification Goals

For communication with software:


• Security classification per instruction

To ease debugging:
• Identify the specific instruction that leaks

For strong security guarantees:


• consider influences on younger instructions
• over arbitrary, infinitely long programs
46
Precise Taint Injection
x = (taint) logic abstraction

CPU + taint logic


REGISTERS
Instruction
x
Operand

PC

47
Precise Taint Injection
Instruction
x = (taint) logic abstraction Under
Verification
CPU + taint logic
REGISTERS
Instruction
MUL ADD BNE
x
start stop
Operand
taint

• Controlled taint injection per instruction


PC
• Via SystemVerilog Assumptions

48
Precise Taint Injection
Instruction
Under
Verification
CPU + taint logic
REGISTERS
Instruction
MUL ADD BNE

start stop
Operand
taint

- Controlled taint injection per instruction


- Operand reading conditions automatically
PC
generated via static design analysis
(custom Yosys[1] pass)

49
[1]https://github.com/YosysHQ/yosys
Declassification of Architectural Paths
Instruction
Under
Verification
CPU + taint logic
REGISTERS
Instruction
MUL ADD BNE

reg t1
Operand

Will the PC be
tainted?

50
Declassification of Architectural Paths
Instruction
Under
Verification
CPU + taint logic
REGISTERS
Instruction
MUL ADD BNE

forwarded reg t1
Operand data • Instruction result of 'add' forwarded to a
'branch' taints the PC.
instruction
result

PC

51
Declassification of Architectural Paths
Instruction
Under
Verification
CPU + taint logic
REGISTERS x
Instruction
MUL ADD BNE

forwarded reg t1
Operand
data
x • Declassification:
Block taint propagation via architectural
instruction (forwarding and register writeback) paths
result
• Forwarded data considered as instruction input
PC
• Yosys pass checks that declassified paths do
not reach the program counter

52
Declassification of Architectural Paths

CPU + taint logic


REGISTERS
Instruction

buffer

Operand

No other microarchitectural flows are blocked

PC

53
Verified Microcontroller-class, in-order CPUs

RISC-V
CPUs Ibex
Scarv

PicoRV32 Kronos
used in Zk scalar
crypto
Root-of-Trust extensions
State bits 3.2k 2.0k 2.5k 2.3k
Net bits 1.6k 1.4k 4.6k 6.7k

54
Verified Microcontroller-class, in-order CPUs

RISC-V
CPUs Ibex
Scarv

PicoRV32 Kronos
used in Zk scalar
crypto
Root-of-Trust extensions
State bits 3.2k 2.0k 2.5k 2.3k
Net bits 1.6k 1.4k 4.6k 6.7k

Cell- IFT / DFT IFT / DFT IFT / DFT IFT / DFT


time to PROVE 17 h / 8m 16m / 30s 9h / 10m 14.5h / 50 m
time to FAIL 1h / 8m 37s / 15s 2h / 3m 11m / 34m
Model checker: Cadence Jasper Formal Property Verification App

55
Verified Microcontroller-class, in-order CPUs

RISC-V
CPUs Ibex
Scarv

PicoRV32 Kronos
used in Zk scalar
crypto
Root-of-Trust extensions
State bits 3.2k 2.0k 2.5k 2.3k
Net bits 1.6k 1.4k 4.6k 6.7k

Cell- IFT / DFT IFT / DFT IFT / DFT IFT / DFT


time to PROVE 17 h / 8m 16m / 30s 9h / 10m 14.5h / 50 m
time to FAIL 1h / 8m 37s / 15s 2h / 3m 11m / 34m

PROVEN instructions 38 25 27 38 + all crypto instr.


VULNERABLE 3 (documented) 8 14 3 (known)
instructions
56
New Discovered Security Vulnerabilities
Constant time violation: Kronos
CVE-2023-51974

Two control-flow hijacks:


CVE-2023-51973
CVE-2024-44927

57
New Discovered Security Vulnerabilities
Ibex
Constant time violation: Kronos
CVE-2023-51974

Two control-flow hijacks: Constant time violation + data leakage:


CVE-2023-51973 CVE-2024-28365
CVE-2024-44927

Control-flow hijack

58
Conclusion
• Introduced and formalized a generalized CPU security property

µCFI - Microarchitectural Control-flow Integrity

59
Conclusion
• Introduced and formalized a generalized CPU security property

µCFI - Microarchitectural Control-flow Integrity


• Automated verification method & implementation
• 4 open-source RISC-V CPUs verified
• Discovered 5 new vulnerabilities - 4 CVEs

60
Conclusion
• Introduced and formalized a generalized CPU security property

µCFI - Microarchitectural Control-flow Integrity


• Automated verification method & implementation
• 4 open-source RISC-V CPUs verified
• Discovered 5 new vulnerabilities - 4 CVEs

Thank you! Questions?


Information: Code: Contact:

@K_Ceesay-Seitz, @FlavienSolt
61
https://comsec.ethz.ch/ comsec-group/mucfi [email protected], [email protected]
BACKUP

62
CellIFT Yosys [1] pass
[2]
∀ cells (flip flops,
logic cells, …):
HDL RTLIL HDL
• Duplicate* in-/outputs for taint tracking
• Connect them with cell-type dependent
taint tracking logic
Taint
logic
a) State-holding
cells
b) Combinational
block
c) Gate-level
output of Yosys

*it is possible to add multiple independent taint instrumentations. Each in-/output gets a taint representation
per instrumentation.
[1] Yosys Open SYnthesis Suite - https://github.com/YosysHQ/yosys
63
[2] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", USENIX Security 2022
Instruction classification
µCFI
information
Non-influencing:
add x4, x5, x6 PC Operand PC
arithmetic, logic, ...
information

Control-influencing: bne x1, x2, 20 PC Operand PC


branches, exceptions
branch data
control control
target

Value-influencing:
jalr ra, x1, 80 PC
jumps
jump data
data
target

64
Taint Start Condition
Update Condition Yosys Pass
Read-from Condition = the condition in which a signal is
updated with a chosen signal's value.

Taint start
UC
Operand's register Condition in which
Yosys
data read signal the operand's register
pass
data read signal is updated
Register file name with register data

CPU code (PicoRV32): Generated Read-from Condition:

65
Taint Stop Condition
Update Condition Yosys Pass
Update Condition (UC) = the condition in which a signal is
updated with another value than its own previous value.

Taint stop UC
Operand's register Condition in which
Yosys
data read signal the read data MAY be new
pass

For example:
• enable condition of a flip flop
• '1' (True) for continuous
assignments

66
Precise Taint Injection Conditions
Instruction
Sample Instruction Word (IW) in Under
formal setup Verification

start MUL ADD BNE

Potentially
IW == IUV and taint start condition stop
taint start
multiple taint
times per
stop
instruction

Taint stop condition - Controlled taint injection per instruction

Simple & precise


counter examples
67
Update Condition (UC) / Read-from Condition (RC)
Yosys Pass
a,b ... other internal signals
s ... signal
'past' = custom attribute

UC(s) = UC(a)

UC(s) = past (UC(a))

Update Condition UC(s)


UC(s) = condition && UC(a) || !condition && UC(b)

UC(s) = past(enable && (UC(a))


UC(s) = 1 (for UC)
= 0 (for RC)

UC(s) = 1
68
Find Forwarding Multiplexer Yosys Pass
• Automatically identifies forwarding multiplexers
• Checks declassification precondition: all
outgoing paths of declassified signals reach
1. Traverse outgoing paths of
another declassified signal or data source
forwarded data output and
without passing PC
check declassification
precondition
2. If a mux uses forwarded data
output, back-traverse
multiplexers' other input's
driving logic.
forwarded 3. Is it directly assigned with
data output operand's register data read
signal?
instruction
Operand's register x input data
o No: continue at mux
output
data read signal x o Yes: Forwarding mux
found x --> return mux
select signal

69
mux = multiplexer
Formal verification of information flow
Instruction
Under
Verification
CPU + taint logic
REGISTERS
Instruction
MUL ADD BNE

forwarded
Operand data Forwarded data considered as instruction input:

• Allow operand taint to propagate if instruction


instruction
x result
reads from forwarded data

PC

70
Taint injection assumptions

71
Introducing
µCFI - Microarchitectural Control-flow Integrity

Microarchitectural control flow (µCF) µCFI only allows


explicitly ISA specified
data dependencies
Program
0x80000004 0x80000008 0x80001000
Counter of the µCF
(PC)

Operand PC

ISA = Instruction Set Architecture 72

You might also like