Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process

Kyndylan Nienhuis, Alexandre Joannou, Thomas Bauereiß, A. Fox, M. Roe, B. Campbell, Matthew Naylor, Robert M. Norton, S. Moore, P. Neumann, I. Stark, R. Watson, Peter Sewell
2020 IEEE Symposium on Security and Privacy (SP), pp. 1003-1020. Published 2020-05-01.
DOI: 10.1109/SP40000.2020.00055 (https://doi.org/10.1109/SP40000.2020.00055)
Citations: 30

Abstract

The root causes of many security vulnerabilities include a pernicious combination of two problems, often regarded as inescapable aspects of computing. First, the protection mechanisms provided by the mainstream processor architecture and C/C++ language abstractions, dating back to the 1970s and before, provide only coarse-grain virtual-memory-based protection. Second, mainstream system engineering relies almost exclusively on test-and-debug methods, with (at best) prose specifications. These methods have historically sufficed commercially for much of the computer industry, but they fail to prevent large numbers of exploitable bugs, and the security problems that this causes are becoming ever more acute. In this paper we show how more rigorous engineering methods can be applied to the development of a new security-enhanced processor architecture, with its accompanying hardware implementation and software stack. We use formal models of the complete instruction-set architecture (ISA) at the heart of the design and engineering process, both in lightweight ways that support and improve normal engineering practice - as documentation, in emulators used as a test oracle for hardware and for running software, and for test generation - and for formal verification. We formalise key intended security properties of the design, and establish that these hold with mechanised proof. This is for the same complete ISA models (complete enough to boot operating systems), without idealisation. We do this for CHERI, an architecture with hardware capabilities that supports fine-grained memory protection and scalable secure compartmentalisation, while offering a smooth adoption path for existing software. CHERI is a maturing research architecture, developed since 2010, with work now underway on an Arm industrial prototype to explore its possible adoption in mass-market commercial processors. The rigorous engineering work described here has been an integral part of its development to date, enabling more rapid and confident experimentation, and boosting confidence in the design.