Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts
Saved in:
Main authors: | Huyghebaert, Sander; Keuchel, Steven; De Roover, Coen; Devriese, Dominique |
---|---|
Format: | Conference proceeding |
Language: | eng |
Online access: | Order full text |
container_end_page | 2097 |
---|---|
container_issue | |
container_start_page | 2083 |
container_title | |
container_volume | |
creator | Huyghebaert, Sander; Keuchel, Steven; De Roover, Coen; Devriese, Dominique |
description | Progress has recently been made on specifying instruction set architectures (ISAs) in executable formalisms rather than through prose. However, to date, those formal specifications are limited to the functional aspects of the ISA and do not cover its security guarantees. We present a novel, general method for formally specifying an ISA's security guarantees to (1) balance the needs of ISA implementations (hardware) and clients (software), (2) can be semi-automatically verified to hold for the ISA operational semantics, producing a high-assurance mechanically-verifiable proof, and (3) support informal and formal reasoning about security-critical software in the presence of adversarial code. Our method leverages universal contracts: software contracts that express bounds on the authority of arbitrary untrusted code. Universal contracts can be kept agnostic of software abstractions, and strike the right balance between requiring sufficient detail for reasoning about software and preserving implementation freedom of ISA designers and CPU implementers. We semi-automatically verify universal contracts against Sail implementations of ISA semantics using our Katamaran tool, a semi-automatic separation logic verifier for Sail which produces machine-checked proofs for successfully verified contracts. We demonstrate the generality of our method by applying it to two ISAs that offer very different security primitives: (1) MinimalCaps: a custom-built capability machine ISA and (2) a (somewhat simplified) version of RISC-V with PMP. We verify a femtokernel using the security guarantee we have formalized for RISC-V with PMP. |
format | Conference Proceeding |
fulltext | fulltext_linktorsrc |
identifier | ISSN: 1543-7221 |
ispartof | Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023, p.2083-2097 |
issn | 1543-7221 |
language | eng |
recordid | cdi_kuleuven_dspace_20_500_12942_720669 |
source | Lirias (KU Leuven Association) |
title | Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-12T14%3A44%3A31IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-kuleuven_FZOIL&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Formalizing,%20Verifying%20and%20Applying%20ISA%20Security%20Guarantees%20as%20Universal%20Contracts&rft.btitle=Proceedings%20of%20the%202023%20ACM%20SIGSAC%20Conference%20on%20Computer%20and%20Communications%20Security&rft.au=Huyghebaert,%20Sander&rft.date=2023-11-26&rft.spage=2083&rft.epage=2097&rft.pages=2083-2097&rft.issn=1543-7221&rft.isbn=9798400700507&rft_id=info:doi/&rft_dat=%3Ckuleuven_FZOIL%3E20_500_12942_720669%3C/kuleuven_FZOIL%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |