CORDIS - EU research results

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

Periodic Reporting for period 1 - UniversalContracts (Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts)

Reporting period: 2022-09-01 to 2025-02-28

The Instruction Set Architecture (ISA) is the interface that processor hardware offers to software developers. Current ISAs do not explicitly specify the security properties guaranteed by that interface; as a result, recent severe micro-architectural side-channel vulnerabilities such as Spectre did not even violate the specifications. This project proposes a fundamentally new approach to specifying ISA security properties using what we call universal contracts: formal contracts in a compositional program logic that automatically hold for arbitrary code. Such contracts capture ISA-enforced upper bounds on the effects of arbitrary (even attacker-controlled) software. While this approach differs widely from traditional specifications, it looks extremely promising: universal contracts can be applied to general security primitives, mechanically verified against the ISA's operational semantics, and they make it possible to obtain full-system security proofs by manually verifying only the trusted code of a system.
The high-level goals of this project are to contribute reusable techniques and tools for applying universal contracts in realistic ISAs. Specifically, the goals are to (1) design, prove and evaluate universal contracts for ISAs with state-of-practice security primitives, (2) develop semi-automation machinery for verifying universal contracts of ISAs, (3) extend universal contracts to deal with semantic complications like concurrency or micro-architectural side-channels and (4) design, implement and evaluate techniques which facilitate the construction of trusted software that relies on universal contracts, particularly assembly-level reasoning support and secure compilers. If successful, the project will fundamentally improve the security foundations of all software-based systems, by (1) clearly dividing the security responsibilities between hardware and software developers and (2) enabling scalable, rigorous, full-system security proofs.
Since the start of this project two years ago, we have worked on several fronts towards the different goals of the project.
On the one hand, we have invested significantly in the technical infrastructure and tools for verifying universal contracts of ISAs.
Particularly, the Katamaran symbolic-execution-based verifier for Sail has been significantly improved and its foundations have been strengthened and validated.
New techniques based on a domain-specific modal program logic have been developed (initially in the simpler context of verified type inference, but subsequently ported to the Katamaran verifier) for facilitating and automating Katamaran's soundness proof.
We have also invested in the construction of a new backend for Sail that (mostly) automatically translates functional ISA specifications in Sail to deeply-embedded μSail code that can be verified using Katamaran; this work is nearing completion.
Furthermore, we have demonstrated and validated the use of universal contracts for formalizing, verifying and applying ISA security guarantees by applying it to two different ISAs: RISC-V PMP and MinimalCaps (modeled after CHERI-RISC-V).
We have also started extending Katamaran with support for relational verification, which will significantly enhance its capabilities not only for verifying confidentiality properties but also for capturing ISA architectural security guarantees that constrain micro-architectural side-channels.
Finally, in the context of the Cerise program logic for a minimal capability machine, we are exploring, with our collaborators, the definition of universal contracts that capture the guarantees of trusted execution primitives, as well as revocation primitives like local capabilities.
Our use of Katamaran and universal contracts to formalize, verify and apply the security guarantees of RISC-V PMP as well as capability machine ISAs is the first general methodology that has been demonstrated to combine support for verification semi-automation with complicated higher-order security primitives like capabilities.
Additionally, Katamaran is currently the most advanced foundationally-verified program verifier and its internal use of Kripke-indexed monadic computations and domain-specific modal program logics is highly innovative.
We also expect that these ideas are more broadly applicable in building verified program verifiers; we have already demonstrated this for verifying type inference engines and we hope to demonstrate this broad applicability further in the future.