Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

by   Sander Huyghebaert, et al.

Progress has recently been made on specifying instruction set architectures (ISAs) in executable formalisms rather than through prose. However, to date, those formal specifications are limited to the functional aspects of the ISA and do not cover its security guarantees. We present a novel, general method for formally specifying an ISAs security guarantees to (1) balance the needs of ISA implementations (hardware) and clients (software), (2) can be semi-automatically verified to hold for the ISA operational semantics, producing a high-assurance mechanically-verifiable proof, and (3) support informal and formal reasoning about security-critical software in the presence of adversarial code. Our method leverages universal contracts: software contracts that express bounds on the authority of arbitrary untrusted code. Universal contracts can be kept agnostic of software abstractions, and strike the right balance between requiring sufficient detail for reasoning about software and preserving implementation freedom of ISA designers and CPU implementers. We semi-automatically verify universal contracts against Sail implementations of ISA semantics using our Katamaran tool; a semi-automatic separation logic verifier for Sail which produces machine-checked proofs for successfully verified contracts. We demonstrate the generality of our method by applying it to two ISAs that offer very different security primitives: (1) MinimalCaps: a custom-built capability machine ISA and (2) a (somewhat simplified) version of RISC-V with PMP. We verify a femtokernel using the security guarantee we have formalized for RISC-V with PMP.


page 1

page 2

page 3

page 4


Formal Process Virtual Machine for Smart Contracts Verification

This paper reports on the development and verification of a novel formal...

Relational Models of Microarchitectures for Formal Security Analyses

There is a growing need for hardware-software contracts which precisely ...

A Hybrid Formal Verification System in Coq for Ensuring the Reliability and Security of Ethereum-based Service Smart Contracts

This paper reports on the development of a formal symbolic process virtu...

SciviK: A Versatile Framework for Specifying and Verifying Smart Contracts

The growing adoption of smart contracts on blockchains poses new securit...

Deductive Verification of Smart Contracts with Dafny

We present a methodology to develop verified smart contracts. We write s...

Specification and Verification of Side-channel Security for Open-source Processors via Leakage Contracts

Leakage contracts have recently been proposed as a new security abstract...

Automatically Proving Microkernels Free from Privilege Escalation from their Executable

Operating system kernels are the security keystone of most computer syst...

Please sign up or login with your details

Forgot password? Click here to reset