Engineering with Logic and Verification: Mathematically Rigorous Engineering for Safe and Secure Computer Systems

Periodic Reporting for period 3 - ELVER (Engineering with Logic and Verification: Mathematically Rigorous Engineering for Safe and Secure Computer Systems)

Reporting period: 2021-10-01 to 2023-03-31

Computer systems have become critical to modern society, but they are pervasively subject to security flaws and malicious attacks, with large-scale exposures of confidential data, denial-of-service and ransom attacks, and the threat of nation-state attackers: they are trusted, but are far from trustworthy. This is especially important for the major pan-industry components of our information infrastructure: processors, programming languages, operating systems, etc. The basic problem is that conventional engineering techniques suffice only to make systems that *usually* work. The usual test-and-debug development methods, with poorly specified abstractions described in prose, lack the mathematical rigour of other engineering disciplines - yet the huge investment in legacy systems and skills makes it hard to improve. ELVER will develop *mathematically rigorous* methods for specifying, testing, and reasoning about *real systems*, focussed on the core mechanisms used by hardware and software to enforce security boundaries. It will establish mathematical models for the industry ARM architecture, used pervasively in mobile phones and embedded devices, and the CHERI research architecture, which protects against many attacks. Using these, ELVER will build tools for analysis of system software, develop techniques for mathematical proof of safety and security properties, and explore improved systems programming languages. ELVER will build on successful collaborations with ARM, IBM, and the C/C++ ISO standards committees. It will directly impact mainstream processor architectures, languages, and development methods, smoothly complementing existing methods while simultaneously enabling longer-term research towards the gold standard of provably secure systems. ELVER will thus demonstrate the feasibility and benefits of a more rigorous approach to system engineering, putting future systems on more solid foundations, and hence making them safer and more secure.

ELVER has four main objectives:
Objective 1: Establish trustworthy and usable rigorous architectural models for Arm systems and security features (in collaboration with Arm), the RISC-V architecture, and the CHERI research architecture.
Objective 2: Build analysis tools for system software based on architectural models.
Objective 3: Proof-based verification of safety and security properties.
Objective 4: Re-examine the C abstraction for secure systems software.
ELVER, in collaboration with Arm, Google, the RISC-V community, the CHERI project, the Digital Security by Design project, and other academic groups, has:

(1) Established high-confidence mathematically rigorous semantic models for sequential aspects of multiple architectures, using our Sail instruction-set architecture (ISA) definition language, and the predecessor L3 language. These include Armv8-A (the architecture used by mobile phone and tablet processors), RISC-V (an emerging open architecture), CHERI-RISC-V and CHERI-MIPS (research architectures adding hardware capability support for improved security protection), and Morello (Arm's prototype extension of the Armv8-A architecture incorporating CHERI capabilities). For Armv8-A and Morello, these Sail models are automatically translated from Arm's internal definitions; for RISC-V, the hand-written Sail model has been adopted by RISC-V International as their reference formal model; and for CHERI-RISC-V and CHERI-MIPS the hand-written Sail model is the principal ISA design and reference document. Each of these is complete enough to boot operating systems. In each case the Sail infrastructure automatically generates multiple artifacts: a C emulator for use as an oracle in hardware and software testing, theorem-prover definitions in Isabelle, Coq, and HOL4 for proof-based verification, and, using our Isla tooling, an SMT-based symbolic evaluator.

(2) Established a robust model for Armv8-A instruction fetch and cache maintenance.

(3) Developed the Isla tooling for SMT-based symbolic evaluation of Sail ISA semantics and integrated this with arbitrary axiomatic relaxed-memory concurrency semantics, letting one for the first time compute the allowed behaviours of concurrent litmus tests with respect to full-scale ISA definitions.

(4) Developed the Cerberus-BMC bounded model-checking tool, which for the first time simultaneously supports (1) a choice of concurrency memory model (including substantial fragments of the C11, RC11, and Linux kernel memory models), (2) a modern memory object model, and (3) a well-validated thread-local semantics for a large fragment of C.

(5) Proved that the fundamental security properties (capability monotonicity and secure encapsulation) hold for the CHERI-MIPS ISA design, in Isabelle machine-checked proof above the L3-generated Isabelle definitions.
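As an added illustration (not part of the ELVER report, and not the CHERI-MIPS or Morello ISA definition), the following toy capability model in C makes the monotonicity property concrete: the derivation operations can only narrow bounds and permissions, never widen them, and every access is checked against the capability's tag, bounds and permissions. The field layout, the permission bits and the addresses used in the scenario are assumptions chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a CHERI-style capability: an address cursor, bounds, a
 * permission bitmask and a validity tag.  Illustrative only; the real
 * ISAs use a compressed encoding and more permission bits (assumption). */
#define PERM_LOAD  0x1u
#define PERM_STORE 0x2u
#define PERM_EXEC  0x4u

typedef struct {
    uint64_t base;    /* lowest address the capability may access  */
    uint64_t top;     /* one past the highest address (exclusive)  */
    uint64_t cursor;  /* address currently pointed to              */
    unsigned perms;   /* PERM_* bitmask                            */
    bool tag;         /* true = valid capability, false = untagged */
} cap_t;

/* Monotonicity relation: c2 may be derived from c1 only if c2 is untagged
 * (no authority at all) or its bounds lie within c1's and its permissions
 * are a subset of c1's.  This is the property the proof in (5) establishes
 * for every instruction of the ISA. */
bool cap_le(cap_t c2, cap_t c1) {
    if (!c2.tag) return true;
    if (!c1.tag) return false;
    return c2.base >= c1.base && c2.top <= c1.top
        && (c2.perms & ~c1.perms) == 0;
}

/* Set bounds: narrowing is allowed; asking for a wider range clears the
 * tag instead of granting authority the source capability did not have. */
cap_t cap_set_bounds(cap_t c, uint64_t new_base, uint64_t len) {
    cap_t r = c;
    uint64_t new_top = new_base + len;
    if (!c.tag || new_base < c.base || new_top > c.top || new_top < new_base)
        r.tag = false;                      /* wrap-around counts as widening */
    r.base = new_base;
    r.top = new_top;
    r.cursor = new_base;
    return r;
}

/* Drop permissions: keeps only bits present in both masks. */
cap_t cap_and_perms(cap_t c, unsigned mask) {
    c.perms &= mask;
    return c;
}

/* Pointer arithmetic moves the cursor but never touches bounds or
 * permissions; an out-of-bounds cursor is representable here and is
 * caught by the access check rather than by the arithmetic. */
cap_t cap_add(cap_t c, int64_t off) {
    c.cursor += (uint64_t)off;
    return c;
}

/* The check every load/store performs: tag, permissions, then bounds
 * of the whole n-byte access. */
bool cap_check_access(cap_t c, size_t n, unsigned need) {
    if (!c.tag) return false;
    if ((c.perms & need) != need) return false;
    if (c.cursor < c.base || c.cursor > c.top) return false;
    return n <= c.top - c.cursor;
}

/* Worked scenario: derive a read-only 16-byte view from a 64-byte
 * read/write capability (addresses are constructed for the example).
 * Returns 0 on success, or the number of the first failing step. */
int demo(void) {
    cap_t root = { .base = 0x1000, .top = 0x1040, .cursor = 0x1000,
                   .perms = PERM_LOAD | PERM_STORE, .tag = true };
    cap_t view = cap_and_perms(cap_set_bounds(root, 0x1010, 16), PERM_LOAD);

    if (!cap_le(view, root))                       return 1; /* derivation is monotone   */
    if (!cap_check_access(view, 4, PERM_LOAD))     return 2; /* in-bounds load allowed   */
    if (cap_check_access(view, 4, PERM_STORE))     return 3; /* store permission dropped */
    if (cap_check_access(cap_add(view, 16), 1, PERM_LOAD))
                                                   return 4; /* one past the end refused */
    cap_t widened = cap_set_bounds(view, 0x1000, 64);
    if (widened.tag)                               return 5; /* authority not regained   */
    if (!cap_le(widened, view))                    return 6; /* untagged is still <= view */
    return 0;
}

int main(void) {
    printf("demo result: %d (0 = all checks passed)\n", demo());
    return 0;
}
```

The point to take from the scenario is that the bounds and permission narrowing in `cap_set_bounds` and `cap_and_perms` are the only ways to obtain a new tagged capability, so any chain of derivations from `root` stays below it in `cap_le`; that is monotonicity stated as a relation on values, and the machine-checked proof in (5) shows the analogous relation is preserved by every CHERI-MIPS instruction.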

(6) Developed rigorous semantics for memory objects and pointers, in ISO C and in C as it is used and implemented in practice, focussing especially on pointer provenance. This has been implemented in our Cerberus semantics for C, and forms the basis for an ISO WG14 C standards committee Working Draft Technical Specification.

(7) Used Cerberus as part of the RefinedC system (in collaboration with MPI-SWS and Radboud) for effective automated and foundational proof verification of C code.

(8) Used our understanding of C semantics and pointer provenance to inform the first adaptation of a full C-language operating system (FreeBSD) with an enterprise database (PostgreSQL) to CHERI C for complete spatial and referential memory safety -- and vice versa.

(9) Contributed to Cornucopia, a lightweight capability revocation system for CHERI that implements non-probabilistic C/C++ temporal memory safety for standard heap allocations.

The work done here contributed to the development of the £170m UK Digital Security by Design programme, in which Arm (in a consortium with U. Cambridge, U. Edinburgh, and Linaro) is developing an industrial prototype processor, SoC, and development board, "Morello", incorporating CHERI ideas into a version of the main Armv8-A architecture. This processor has recently taped out, and, building on the work described here, it has been possible to produce a machine-checked proof of key security properties of the full industrial ISA design before tape-out. This is a step towards the potential deployment of these ideas in mass-market Arm processors, improving security for all mobile phones, tablets, and other such devices.
In the remainder of the project we intend to focus further on the concurrent and sequential semantics of systems features, especially virtual memory, and on reasoning techniques above both the architectural and programming-language-level semantics that we are developing.
Diagram of the Sail ecosystem