# Compositional Verification of Security Properties for Embedded Execution Platforms

Christoph Baumann\*, Oliver Schwarz\*, Mads Dam\*

\*KTH Royal Institute of Technology, Stockholm, Sweden \*RISE.SICS, Kista, Sweden

cbaumann@kth.se

PROOFS, Taipei, 2017-09-29


# Low and High Level System Security Bugs

# 'Dirty Cow' Linux vulnerability found after nine years

The 'Dirty Cow' bug was originally introduced nine years ago, and has been sitting unnoticed for much of that time



Apple's App Store hit by the XCodeGhost of malware present


AFTER JEEP HACK, CHRYSLER RECALLS 1.4M VEHICLES FOR BUG FIX





#### 'Quadrooter' flaws affect Android phones

All versions of Android are vulnerable to these flaws until the September security release next month.





BadUSB Can Turn Thumb Drives Into Cyberweapons




#### Tutus demonstrator





# Goal: Bisimulation with Ideal Model



- ideal model: secure by construction
- bisimulation relation R: transfer information flow properties
- verification: focus on arbitrary guest steps here

# SoCs complex / formal verification expensive



- (S)MMU: active?, page table base, current translations, mem requests
- Core: execution mode, some hypervisor registers relevant
- Device: mostly uninterpreted, DMA enabled?, track communication
- Memory: flat map of contents, received requests, forwarded I/O
- GIC: hypervisor-accessed registers, abstract interrupt state
- hypervisor: fine-grained LTS, communication with GIC

# Hypervisor LTS: IGC interrupt injection






# **Verification: Platform Invariants**

Component Constraints & HV configuration  $\Rightarrow$  Invariant *Inv*:

- Messages & interrupts: preserve guest separation
- Core: HV registers set up correctly, PC-safety in HV mode
- (S)MMU: active after init, points to right page table
- Device: inactive at boot
- Memory: correct page tables set up
- GIC: correct distributor configuration



- ideal core: HV invisible / atomic hypercall semantics
- buffer for outgoing IGC notification interrupts
- IGC shared memory duplicated and copied on write
- ideal GIC: interrupt separation by construction
- message buffers as placeholders for (S)MMUs
- memory: only guest portion, intermediate physical addresses












## **Verification: Bisimulation Theorem**



Proof by induction on the transition sequence:

- for any initial state $\sigma_P^0$, $Inv(\sigma_P^0)$ holds and there exists $\sigma_I^0$ such that $\sigma_P^0 \ R \ \sigma_I^0$
- for any initial state $\sigma_I^0$, there exists $\sigma_P^0$ such that $\sigma_P^0 \ R \ \sigma_I^0$
- for $\sigma_P$ and $\sigma_I$ with $\sigma_P \ R \ \sigma_I$ and $Inv(\sigma_P)$:
  - $\sigma_P \longrightarrow \sigma'_P \implies \exists \sigma'_I.\ \sigma_I \longrightarrow^* \sigma'_I \land \sigma'_P \ R \ \sigma'_I$
  - $\sigma_I \longrightarrow \sigma'_I \implies \exists \sigma'_P.\ \sigma_P \longrightarrow^* \sigma'_P \land \sigma'_P \ R \ \sigma'_I$
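For a finite instance, the initial-state and step obligations of the theorem can be discharged by exhaustive search. The Python below is an added example, not code from the slides or from the HOL4 development: a checker for exactly those obligations, run on a constructed pair of transition systems in which a hypercall is a single atomic step in the ideal model ("HV invisible / atomic hypercall semantics") but takes two hypervisor steps on the platform, with "PC-safety in HV mode" as the platform invariant. The state names, the hypervisor code range, the relation `R_OK` and the faulty variant are all assumptions made for the example; the checker additionally verifies that `Inv` is preserved by platform steps, which the slide does not list but the induction needs at the next pair.

```python
from collections import deque
from typing import Callable, Dict, Hashable, Iterable, List, Set, Tuple

State = Hashable
LTS = Dict[State, List[State]]          # successor relation of one transition system
Relation = Set[Tuple[State, State]]     # the relation R as pairs (sigma_P, sigma_I)


def reachable(lts: LTS, s: State) -> Set[State]:
    """States reachable from s by zero or more steps (the ->* of the theorem)."""
    seen, todo = {s}, deque([s])
    while todo:
        x = todo.popleft()
        for y in lts.get(x, []):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def check_bisimulation(platform: LTS, ideal: LTS,
                       init_p: Iterable[State], init_i: Iterable[State],
                       R: Relation, inv: Callable[[State], bool]) -> List[str]:
    """Return the obligations that fail (empty list = all obligations discharged).

    In slide order: every initial platform state satisfies Inv and has an R-related
    initial ideal state; every initial ideal state has an R-related initial platform
    state; for every related pair with Inv(sigma_P), each platform step is matched by
    zero or more ideal steps ending in a related state, and vice versa. Preservation
    of Inv across platform steps is checked too (our addition, needed by the induction)."""
    failures: List[str] = []
    init_p, init_i = list(init_p), list(init_i)
    for p0 in init_p:
        if not inv(p0):
            failures.append(f"Inv fails at initial platform state {p0}")
        if not any((p0, i0) in R for i0 in init_i):
            failures.append(f"initial platform state {p0} has no related ideal state")
    for i0 in init_i:
        if not any((p0, i0) in R for p0 in init_p):
            failures.append(f"initial ideal state {i0} has no related platform state")
    for p, i in R:
        if not inv(p):
            continue                    # step obligations only assume Inv(sigma_P)
        ideal_star = reachable(ideal, i)
        for p2 in platform.get(p, []):
            if not inv(p2):
                failures.append(f"Inv not preserved by platform step {p} -> {p2}")
            if not any((p2, i2) in R for i2 in ideal_star):
                failures.append(f"platform step {p} -> {p2} cannot be matched from {i}")
        platform_star = reachable(platform, p)
        for i2 in ideal.get(i, []):
            if not any((p2, i2) in R for p2 in platform_star):
                failures.append(f"ideal step {i} -> {i2} cannot be matched from {p}")
    return failures


# Constructed instance: states are (mode, pc) pairs; a hypercall is atomic in the ideal
# model but passes through two hypervisor (HV) states on the platform.
HV_CODE = range(0x8000, 0x8010)         # assumed hypervisor text region for PC-safety


def pc_safe(state) -> bool:
    """Platform invariant fragment 'PC-safety in HV mode': in HV mode the PC stays in HV code."""
    mode, pc = state
    return mode != "hv" or pc in HV_CODE


G0, G1 = ("guest", 0x100), ("guest", 0x104)
HV_ENTRY, HV_INJECT = ("hv", 0x8000), ("hv", 0x8004)

PLATFORM: LTS = {G0: [HV_ENTRY], HV_ENTRY: [HV_INJECT], HV_INJECT: [G1], G1: []}
IDEAL: LTS = {G0: [G1], G1: []}         # HV invisible: the hypercall is one atomic step

# R relates every HV-internal platform state to the ideal state before the hypercall,
# so the platform's HV steps are matched by zero ideal steps.
R_OK: Relation = {(G0, G0), (HV_ENTRY, G0), (HV_INJECT, G0), (G1, G1)}


def example_ok() -> List[str]:
    """All obligations discharged: returns an empty list."""
    return check_bisimulation(PLATFORM, IDEAL, [G0], [G0], R_OK, pc_safe)


def example_broken() -> List[str]:
    """Same platform, but the injection step may also leave HV code: returns failures."""
    bad = dict(PLATFORM)
    bad[HV_INJECT] = [G1, ("hv", 0x9000)]
    return check_bisimulation(bad, IDEAL, [G0], [G0], R_OK, pc_safe)
```

The broken variant is reported twice: the invariant is not preserved by the stray step, and the resulting state has no partner under `R_OK`. In the mechanised proof both symptoms correspond to separate proof obligations, which is why the slide keeps `Inv` and `R` apart.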












- ideal core sends memory request $r$ to "MMU" buffer
- same request sent in platform model
- MMU sends page table lookup $w$ to memory
- memory answers with reply $q$, matching $w$, translation $r \mapsto r'$
- (translated) request forwarded to memory
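The exchange above, and the memory part of the relation R it has to preserve, as an added Python example that is not part of the slides or the HOL4 development. The platform side keeps a flat physical memory with one single-level stage-2 table per guest; the ideal side keeps only each guest's portion, indexed by intermediate physical address, with the "MMU" reduced to a pass-through buffer. The page-table layout, base addresses, guest contents and the decision that an unmapped IPA faults in both models are assumptions of the example; `invariant` encodes the "Memory: correct page tables set up" item (guests mapped to disjoint physical pages and never to the tables themselves), and `related` checks that both models agree on guest memory under the current translation before and after a request.

```python
from typing import Dict, List, Set, Tuple

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
ENTRIES = 512                                   # assumed single-level table, 8-byte entries


def platform_state() -> dict:
    """Constructed platform: flat memory, one stage-2 table per guest (bases assumed).
    Entry i of a table holds the physical page number backing IPA page i; 0 = unmapped."""
    mem: Dict[int, int] = {}
    pt_base = {1: 0x1000, 2: 0x2000}
    mem[0x1000 + 8 * 0] = 0x10                  # guest 1: IPA page 0 -> PA page 0x10
    mem[0x1000 + 8 * 1] = 0x11                  # guest 1: IPA page 1 -> PA page 0x11
    mem[0x2000 + 8 * 0] = 0x20                  # guest 2: IPA page 0 -> PA page 0x20
    mem[0x10000] = 0xAA                         # guest 1 data at IPA 0x0
    mem[0x20000] = 0xBB                         # guest 2 data at IPA 0x0
    return {"mem": mem, "pt_base": pt_base, "mmu_active": True}


def ideal_state() -> dict:
    """Constructed ideal model: guest portion only, addressed by intermediate physical address."""
    return {"mem": {1: {0x0: 0xAA}, 2: {0x0: 0xBB}}, "pages": {1: {0, 1}, 2: {0}}}


def platform_access(st: dict, guest: int, ipa: int, write: bool, value: int = 0):
    """The slide's exchange, platform side. Returns (result, trace); result is the word
    read or written, or None when the page-table reply carries no translation (fault)."""
    trace: List[Tuple[str, object]] = []
    r = ("req", guest, ipa, write)
    trace.append(("core->mmu", r))                          # core sends request r
    if not st["mmu_active"]:
        raise RuntimeError("invariant violated: (S)MMU must be active after init")
    w = st["pt_base"][guest] + 8 * (ipa >> PAGE_SHIFT)      # page table lookup w
    trace.append(("mmu->mem", ("walk", w)))
    q = st["mem"].get(w, 0)                                 # reply q, matching w
    trace.append(("mem->mmu", ("reply", w, q)))
    if q == 0:
        trace.append(("mmu->core", ("fault", r)))
        return None, trace
    pa = (q << PAGE_SHIFT) | (ipa & (PAGE_SIZE - 1))        # translation r -> r'
    r_prime = ("req", guest, pa, write)
    trace.append(("mmu->mem", r_prime))                     # translated request forwarded
    if write:
        st["mem"][pa] = value
        return value, trace
    return st["mem"].get(pa, 0), trace


def ideal_access(ideal: dict, guest: int, ipa: int, write: bool, value: int = 0):
    """Ideal side: the 'MMU' is only a buffer; the request reaches guest memory untranslated."""
    if (ipa >> PAGE_SHIFT) not in ideal["pages"][guest]:
        return None                                         # assumed: unmapped IPA faults too
    if write:
        ideal["mem"][guest][ipa] = value
        return value
    return ideal["mem"][guest].get(ipa, 0)


def translations(st: dict, guest: int) -> Dict[int, int]:
    """IPA page -> PA page pairs currently encoded in the platform table of `guest`."""
    base = st["pt_base"][guest]
    return {i: st["mem"][base + 8 * i] for i in range(ENTRIES) if st["mem"].get(base + 8 * i, 0)}


def invariant(st: dict) -> bool:
    """'Memory: correct page tables set up': guests map pairwise disjoint physical pages
    and never the page-table pages themselves, so no guest can alter a translation."""
    pt_pages = {b >> PAGE_SHIFT for b in st["pt_base"].values()}
    claimed: Set[int] = set()
    for g in st["pt_base"]:
        for pa_page in translations(st, g).values():
            if pa_page in pt_pages or pa_page in claimed:
                return False
            claimed.add(pa_page)
    return True


def related(st: dict, ideal: dict) -> bool:
    """Memory part of R: each guest's ideal memory equals platform memory under translation."""
    for g, pages in ideal["pages"].items():
        tr = translations(st, g)
        if set(tr) != pages:
            return False
        for ipa_page, pa_page in tr.items():
            for off in range(0, PAGE_SIZE, 8):
                ipa, pa = (ipa_page << PAGE_SHIFT) | off, (pa_page << PAGE_SHIFT) | off
                if ideal["mem"][g].get(ipa, 0) != st["mem"].get(pa, 0):
                    return False
    return True


def demo() -> dict:
    """One write and one faulting read in both models; report whether R and Inv survive."""
    st, ideal = platform_state(), ideal_state()
    before = invariant(st) and related(st, ideal)
    pv, trace = platform_access(st, 1, 0x8, True, 0x42)     # guest 1 writes IPA 0x8
    iv = ideal_access(ideal, 1, 0x8, True, 0x42)
    pf, ftrace = platform_access(st, 2, 0x1000, False)      # guest 2 reads an unmapped IPA
    fi = ideal_access(ideal, 2, 0x1000, False)
    forwarded = [m for k, m in trace if k == "mmu->mem" and m[0] == "req"]
    return {"related_before": before,
            "write_agree": pv == iv == 0x42,
            "related_after": related(st, ideal) and invariant(st),
            "forwarded_pa": forwarded[0][2],
            "fault_agree": pf is None and fi is None,
            "fault_not_forwarded": not any(k == "mmu->mem" and m[0] == "req" for k, m in ftrace)}
```

The trace returned by `platform_access` is the message sequence of the slide (request, walk, reply, forwarded translated request), and the faulting case shows why the invariant matters: without a valid translation the MMU forwards nothing, so the ideal memory, which has no such page, stays in step with the platform.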

|                         | basic | common | ideal | platform | hyperv. | bisim. | total  |
|-------------------------|-------|--------|-------|----------|---------|--------|--------|
| model specification     | 99    | 435    | 1,121 | 1,750    | 1,440   | 350    | 5,195  |
| invariant specification | -     | 17     | 387   | 518      | -       | 453    | 1,375  |
| machinery               | 309   | _      | 95    | -        | -       | 585    | 989    |
| proofs                  | 652   | 1,094  | 1,132 | 1,466    | 145     | 7,437  | 11,926 |
| total                   | 1,060 | 1,546  | 2,735 | 3,734    | 1,585   | 8,825  | 19,485 |

- implemented in HOL4 theorem prover
- most important cases verified
- first steps towards automation
- simplifier and resolution solvers for trivial cases
- proofs robust against local changes
- lots of technical lemmas

- flat memory model
- one core memory request at a time
- one SMMU per device
- peripherals inactive at boot
- GICv2 model

Summary:

- compositional approach to SoC modeling for security verification
- reusability of models, adaptability of proofs
- top-down approach, abstraction and late refinement
- early identification of invariants and proof obligations
- case study in HOL4

TODOs:

- generalized formal framework, DSLs
- more automation
- advanced hardware features
- refinement of components
- property transfer

# THANKS!

prosper.sics.se haspoc.sics.se

