RTL2M\(\mu\)PATH: Multi-\(\mu\)PATH Synthesis with Applications to Hardware Security Verification


Bibliographic details
Published in: arXiv.org 2024-09
Main authors: Hsiao, Yao; Nikoleris, Nikos; Khyzha, Artem; Mulligan, Dominic P; Petri, Gustavo; Fletcher, Christopher W; Trippel, Caroline
Format: Article
Language: eng
Online access: Full text
description The Check tools automate formal memory consistency model and security verification of processors by analyzing abstract models of microarchitectures, called \(\mu\)SPEC models. Despite the efficacy of this approach, a verification gap between \(\mu\)SPEC models, which must be manually written, and RTL limits the Check tools' broad adoption. Our prior work, called RTL2\(\mu\)SPEC, narrows this gap by automatically synthesizing formally verified \(\mu\)SPEC models from SystemVerilog implementations of simple processors. But, RTL2\(\mu\)SPEC assumes input designs where an instruction (e.g., a load) cannot exhibit more than one microarchitectural execution path (\(\mu\)PATH, e.g., a cache hit or miss path) -- its single-execution-path assumption. In this paper, we first propose an automated approach and tool, called RTL2M\(\mu\)PATH, that resolves RTL2\(\mu\)SPEC's single-execution-path assumption. Given a SystemVerilog processor design, instruction encodings, and modest design metadata, RTL2M\(\mu\)PATH finds a complete set of formally verified \(\mu\)PATHs for each instruction. Next, we make an important observation: an instruction that can exhibit more than one \(\mu\)PATH strongly indicates the presence of a microarchitectural side channel in the input design. Based on this observation, we then propose an automated approach and tool, called SynthLC, that extends RTL2M\(\mu\)PATH with a symbolic information flow analysis to support synthesizing a variety of formally verified leakage contracts from SystemVerilog processor designs. Leakage contracts are foundational to state-of-the-art defenses against hardware side-channel attacks. SynthLC is the first automated methodology for formally verifying hardware adherence to them.
identifier EISSN: 2331-8422
recordid cdi_proquest_journals_3111726579
source Free E- Journals
subjects Automation; Contracts; Hardware; Information flow; Leakage; Microprocessors; Processors; Security; Synthesis; Verification
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-23T15%3A32%3A19IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=RTL2M%5C(%5Cmu%5C)PATH:%20Multi-%5C(%5Cmu%5C)PATH%20Synthesis%20with%20Applications%20to%20Hardware%20Security%20Verification&rft.jtitle=arXiv.org&rft.au=Hsiao,%20Yao&rft.date=2024-09-28&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E3111726579%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=3111726579&rft_id=info:pmid/&rfr_iscdi=true