Identifying Security Critical Properties for the Dynamic Verification of a Processor

Zhang, Rui; Stanley, Natalie; Griggs, Christopher; Chi, Andrew; Sturton, Cynthia

doi:10.1145/3037697.3037734

Cited by 25 publications

(29 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This method of SCCI is semi-autonomous, as it requires the classifier model be pre-trained with either existing published errata on previous versions of the hardware design, or using manual identification. While we perform manual SCCI, results reported by Zhang et al [44] suggest that their tool would result in a similar set of root securitycritical signals.…”

Section: A Nemomentioning

confidence: 82%

“…Nemo takes as input a Verilog netlist and automatically identifies security-critical nets in the post-PaR netlist HDL, which it outputs in the form of a Graphviz dot file. Similar to prior work [42]- [44], Nemo assumes that a unique signal name prefix (within the RTL HDL) has been appended to various signals considered "security-critical". We make this assumption since determining what signals are "security critical" requires contextual knowledge of how the design will be used.…”

Section: A Nemomentioning

confidence: 99%

“…Manual identification requires a human expert to study the design's specification (e.g., Instruction Set Architecture in the case of a processor), and identify properties that are critical to the security of software or other hardware utilizing the design [30], [42]. The second, and current stateof-the-art developed by Zhang et al [44], is semi-autonomous identification. Semi-autonomous identification involves two steps.…”

Section: A Nemomentioning

confidence: 99%

See 2 more Smart Citations

ICAS: an Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans

Trippel

Shin

Bush

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

The transistors used to construct Integrated Circuits (ICs) continue to shrink. While this shrinkage improves performance and density, it also reduces trust: the price to build leading-edge fabrication facilities has skyrocketed, forcing even nation states to outsource the fabrication of high-performance ICs. Outsourcing fabrication presents a security threat because the black-box nature of a fabricated IC makes comprehensive inspection infeasible. Since prior work shows the feasibility of fabrication-time attackers' evasion of existing post-fabrication defenses, IC designers must be able to protect their physical designs before handing them off to an untrusted foundry. To this end, recent work suggests methods to harden IC layouts against attack. Unfortunately, no tool exists to assess the effectiveness of the proposed defenses, thus leaving defensive gaps.This paper presents an extensible IC layout security analysis tool called IC Attack Surface (ICAS) that quantifies defensive coverage. For researchers, ICAS identifies gaps for future defenses to target, and enables the quantitative comparison of existing and future defenses. For practitioners, ICAS enables the exploration of the impact of design decisions on an IC's resilience to fabrication-time attack. ICAS takes a set of metrics that encode the challenge of inserting a hardware Trojan into an IC layout, a set of attacks that the defender cares about, and a completed IC layout and reports the number of ways an attacker can add each attack to the design. While the ideal score is zero, practically, we find that lower scores correlate with increased attacker effort.To demonstrate ICAS' ability to reveal defensive gaps, we analyze over 60 layouts of three real-world hardware designs (a processor, AES and DSP accelerators), protected with existing defenses. We evaluate the effectiveness of each circuit-defense combination against three representative attacks from the literature. Results show that some defenses are ineffective and others, while effective at reducing the attack surface, leave 10's to 1000's of unique attack implementations that an attacker can exploit.

show abstract

Section: A Nemomentioning

confidence: 82%

Section: A Nemomentioning

confidence: 99%

Section: A Nemomentioning

confidence: 99%

See 1 more Smart Citation

ICAS: an Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans

Trippel

Shin

Bush

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…In subsequent work, one of the authors has developed a semiautomated method for learning new security properties using information gleaned from known exploitable bugs 8 ; and demonstrated that properties developed for one RISC processor may be suitable for use, after some translation, on a second RISC processor, even across architectures. 9 However, the development of security-critical properties for use with FinalFilter or any property-based verification method is still in its infancy and more research is needed.…”

Section: Using Finalfiltermentioning

confidence: 99%

FinalFilter: Asserting Security Properties of a Processor at Runtime

et al. 2019

Self Cite

View full text Add to dashboard Cite

and DARPA & IN AN IDEAL world, it would be possible to build a provably correct and secure processor. However, the complexity of today's processors puts this ideal out of reach. The complete verification of a modern processor remains intractable. Statically verifying even a simple security property-for example, "hardware privilege escalation never occurs"-remains beyond the state of the art in formal verification. Testing can complement formal verification methods, yet testing is incomplete and bugs in the hardware that leave it vulnerable continue to elude test suites. Further, a crafty malicious actor can evade typical testing coverage metrics. Recent efforts, including that of three of the authors, have explored the use of static analysis on the design files (e.g., hardware description level source code or gate-level netlists) to find suspicious circuitry. 1-3 These techniques rely on heuristics to define patterns that indicate a likely trojan and then search for instances in the design that match the pattern. However, malicious circuitry that does not match the pattern will be missed, as will inadvertent bugs that open vulnerabilities. By the time the weakness is uncovered, the hardware is already in the end user's hands and vulnerable to attack. In the absence of a full proof of correctness, what is needed is a final filter: a runtime verification technique that works-postdeployment-to detect and respond to security property violations as they occur during execution. In this article, we make the case for final filters using our tool, FinalFilter, as a case study. FINALFILTER Prior research, including our own, has shown that assertions hard-coded into the design can be a cheap and effective way to verify the correctness of any single execution run. 4;5 Assertions can cover properties that would be intractable to prove statically for the current state of the art. The downside

show abstract

“…We present Transys, a tool that takes in a set of security critical properties developed for one hardware design and translates those properties to a form that is appropriate for a second design. The insight that led to this work is the recent research into security specification development and security validation tools, which uses properties developed for one processor design in order to evaluate the proposed methodology on a second design [5], [6], [7]. The properties must be translated manually, and this process is mentioned only in passing, but it suggests that the properties crafted for one processor design can be made suitable for a second design.…”

Section: Introductionmentioning

confidence: 99%

Transys: Leveraging Common Security Properties Across Hardware Designs

Zhang

Sturton

2020

2020 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

This paper presents Transys, a tool for translating security critical properties written for one hardware design to analogous properties suitable for a second design. Transys works in three passes adjusting the variable names, arithmetic expressions, logical preconditions, and timing constraints of the original property to retain the intended semantics of the property while making it valid for the second design. We evaluate Transys by translating 27 assertions written in a temporal logic and 9 properties written for use with gate level information flow tracking across 38 AES designs, 3 RSA designs, and 5 RISC processor designs. Transys successfully translates 96% of the properties. Among these, the translation of 23 (64%) of the properties achieved a semantic equivalence rate of above 60%. The average translation time per property is about 70 seconds.

show abstract

Identifying Security Critical Properties for the Dynamic Verification of a Processor

Cited by 25 publications

References 22 publications

ICAS: an Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans

ICAS: an Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans

FinalFilter: Asserting Security Properties of a Processor at Runtime

Transys: Leveraging Common Security Properties Across Hardware Designs

Contact Info

Product

Resources

About