End-to-End Automated Exploit Generation for Validating the Security of Processor Designs

Zhang, Rui; Deutschbein, Calvin; Huang, Peng; Sturton, Cynthia

doi:10.1109/micro.2018.00071

Cited by 41 publications

(23 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Zhang et al [41] present Coppelia, a tool to automatically generate software exploits for hardware designs. However, the processor designs they consider, OR1200, PULPino, and Mor1kx, do not feature speculative execution.…”

Section: Related Workmentioning

confidence: 99%

Spectector: Principled Detection of Speculative Information Flows

Guarnieri

Köpf

Morales

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

157

View full text Add to dashboard Cite

Since the advent of SPECTRE, a number of countermeasures have been proposed and deployed. Rigorously reasoning about their effectiveness, however, requires a well-defined notion of security against speculative execution attacks, which has been missing until now.In this paper (1) we put forward speculative non-interference, the first semantic notion of security against speculative execution attacks, and (2) we develop SPECTECTOR, an algorithm based on symbolic execution to automatically prove speculative noninterference, or to detect violations.We implement SPECTECTOR in a tool, which we use to detect subtle leaks and optimizations opportunities in the way major compilers place SPECTRE countermeasures. A scalability analysis indicates that checking speculative non-interference does not exhibit fundamental bottlenecks beyond those inherited by symbolic execution.

show abstract

Section: Related Workmentioning

confidence: 99%

Spectector: Principled Detection of Speculative Information Flows

Guarnieri

Köpf

Morales

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

157

View full text Add to dashboard Cite

show abstract

“…Properties expressed in a restricted temporal logic are added, in the form of assertion statements, to the RTL design and simulation-based testing or static analysis is used to find violations. Researchers have recently begun to adapt ABV for the security validation of a hardware design [10], [5], [7], [6].…”

Section: A Restricted Temporal Logicmentioning

confidence: 99%

“…We present Transys, a tool that takes in a set of security critical properties developed for one hardware design and translates those properties to a form that is appropriate for a second design. The insight that led to this work is the recent research into security specification development and security validation tools, which uses properties developed for one processor design in order to evaluate the proposed methodology on a second design [5], [6], [7]. The properties must be translated manually, and this process is mentioned only in passing, but it suggests that the properties crafted for one processor design can be made suitable for a second design.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Transys: Leveraging Common Security Properties Across Hardware Designs

Zhang

Sturton

2020

2020 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

This paper presents Transys, a tool for translating security critical properties written for one hardware design to analogous properties suitable for a second design. Transys works in three passes adjusting the variable names, arithmetic expressions, logical preconditions, and timing constraints of the original property to retain the intended semantics of the property while making it valid for the second design. We evaluate Transys by translating 27 assertions written in a temporal logic and 9 properties written for use with gate level information flow tracking across 38 AES designs, 3 RSA designs, and 5 RISC processor designs. Transys successfully translates 96% of the properties. Among these, the translation of 23 (64%) of the properties achieved a semantic equivalence rate of above 60%. The average translation time per property is about 70 seconds.

show abstract

“…In subsequent work, one of the authors has developed a semiautomated method for learning new security properties using information gleaned from known exploitable bugs 8 ; and demonstrated that properties developed for one RISC processor may be suitable for use, after some translation, on a second RISC processor, even across architectures. 9 However, the development of security-critical properties for use with FinalFilter or any property-based verification method is still in its infancy and more research is needed.…”

Section: Using Finalfiltermentioning

confidence: 99%

FinalFilter: Asserting Security Properties of a Processor at Runtime

et al. 2019

Self Cite

View full text Add to dashboard Cite

and DARPA & IN AN IDEAL world, it would be possible to build a provably correct and secure processor. However, the complexity of today's processors puts this ideal out of reach. The complete verification of a modern processor remains intractable. Statically verifying even a simple security property-for example, "hardware privilege escalation never occurs"-remains beyond the state of the art in formal verification. Testing can complement formal verification methods, yet testing is incomplete and bugs in the hardware that leave it vulnerable continue to elude test suites. Further, a crafty malicious actor can evade typical testing coverage metrics. Recent efforts, including that of three of the authors, have explored the use of static analysis on the design files (e.g., hardware description level source code or gate-level netlists) to find suspicious circuitry. 1-3 These techniques rely on heuristics to define patterns that indicate a likely trojan and then search for instances in the design that match the pattern. However, malicious circuitry that does not match the pattern will be missed, as will inadvertent bugs that open vulnerabilities. By the time the weakness is uncovered, the hardware is already in the end user's hands and vulnerable to attack. In the absence of a full proof of correctness, what is needed is a final filter: a runtime verification technique that works-postdeployment-to detect and respond to security property violations as they occur during execution. In this article, we make the case for final filters using our tool, FinalFilter, as a case study. FINALFILTER Prior research, including our own, has shown that assertions hard-coded into the design can be a cheap and effective way to verify the correctness of any single execution run. 4;5 Assertions can cover properties that would be intractable to prove statically for the current state of the art. The downside

show abstract

End-to-End Automated Exploit Generation for Validating the Security of Processor Designs

Cited by 41 publications

References 30 publications

Spectector: Principled Detection of Speculative Information Flows

Spectector: Principled Detection of Speculative Information Flows

Transys: Leveraging Common Security Properties Across Hardware Designs

FinalFilter: Asserting Security Properties of a Processor at Runtime

Contact Info

Product

Resources

About