PROSPER and Friends: An Overview - Sciencesconf.org
TRANSCRIPT
Page 1: PROSPER and Friends: An Overview
Mads Dam, KTH Royal Institute of Technology
Project team: Musard Balliu, Christoph Baumann, Victor Do, Christian Gehrmann, Roberto Guanciale, Jonas Haglund, Narges Khakpour, Andreas Lindner, Andreas Lundblad, Hamed Nemati, Oliver Schwarz, Arash Vahidi
Page 2: The PROSPER Project
• Joint project KTH-SICS funded by Swedish Foundation for Strategic Research
• Start Jan 2012, ended Oct 2017
• Project objectives:
  – Build functional hypervisor for ARM-based systems
    • …focus on security
  – Fully verified at system level
    • Hypervisor code
    • …plus interaction with hardware platform
  – Support for GPOSs – RTOS, Linux, Android
    • …plus some security services
Page 3: PROSPER - Results
• Verified hypervisors:
  – Hypervisor v0 – simple separation kernel for ARMv7
  – Hypervisor v1 – memory virtualisation for ARMv7
  – Hypervisor v2, HASPOC – hypervisor for ARMv8
  – Increasing complexity and realism
• Main demonstrators:
  – Secure software update (ARMv7)
  – Secure network interface (ARMv7)
  – Red/black separation for Android (ARMv8, with Tutus AB)
  – ...
Page 4: PROSPER - Results (continued)
• Models and frameworks:
  – Add-ons to Fox's Cambridge HOL4/L3 models
  – Compositional model framework
  – Component models: MMUs, GICs, SMMUs, network devices…
  – Asynchronous device framework
• Tools:
  – ISA analyzers
  – TreeDroid
  – Infoflow analysis tools EnCover (JVM) + others (binaries)
  – HOL4 -> BAP lifter
…more
Page 5: PROSPER - Results (continued)
• Vulnerabilities and countermeasures:
  – Mismatched cache attributes
  – Countermeasures: integrity, confidentiality
• Systems:
  – Softboot
  – Secure boot for ARMv8
  – Monotonic separation kernel
• URLs:
  – prosper.sics.se
  – haspoc.sics.se
…more
Page 6: This Presentation
• Go through the three hypervisor generations one by one
• Explain:
  – Design rationale
  – Modelling and verification approach
  – Results
• Also discuss some of the related results:
  – ISA analyzer
  – Vulnerabilities, countermeasures, refinements
Page 7: Separation Kernels
[figure: Separation kernel on one CPU ≅ three separate CPUs]
• Execution environments indistinguishable from a physically distributed system [Rushby'81]
Page 8: …Or Hypervisors…
• Execution environments indistinguishable from a physically distributed system [Rushby'81]
[figure: Hypervisor on one CPU ≅ three separate CPUs]
Page 9: Provable Isolation – What Is Involved?
• Large endeavour
• Formal system model
  – Processor, devices, interrupt controllers, MMUs
  – Hypervisor, drivers, application code
  – Justification: Precision, adequacy
• Formalized security requirements
  – Security specification
  – Justification: Attack model
• Verification
  – Automated
  – Semi-automated
  – Interactive
[figure: ≅]
Page 10: Virtualization Target
Page 11: PROSPER v0
Page 12: Virtualization Target, v0, v1
[figure: ARMv7 Processor, MMU, Memory, Network controller, DMA controller]
Page 13: PROSPER Kernel, v0
[figure: ARMv7 Processor, Memory Management Unit, Memory, Network controller, DMA controller]
Page 14: PROSPER Kernel, v0
• Context switch: Fixed round-robin scheduling
• Static memory allocation
• Asynchronous message passing through hypercall
• Paravirtualization
[figure: Hypervisor]
Dam, Guanciale, Khakpour, Nemati, Schwarz: Formal Verification of Information Flow Security for a Simple ARM-Based Separation Kernel, CCS'13
Page 15: Verification Strategy
Approach 1: Noninterference
Confidentiality / nonexfiltration:
• No info flow from Guest 1 to Guest 2, …, Guest n or to Hypervisor
Integrity (kind of) similar
[figure: Hypervisor ≅ Hypervisor]
Page 16: Verification Strategy
Approach 1: Vanilla noninterference
But:
• This was not the picture we wanted!
• What about communication?
[figure: Hypervisor ≅ Hypervisor]
Page 17: Alternative Approach
• Formulate ideal model
• Satisfies isolation properties by construction
• Hypervisor functionality replaced by ideal functionality
• Ideal CPUs – run only user space code
• All privileged execution is idealized
• Two ideal message boxes
• Ideal timer for "activity toggling"
[figure: CPU CPU]
Page 18: Verification Goal
• Equivalence: Each guest "sees" the same observations
• When guest G is active, the user mode observable parts of the ARMv7 machine state are identical
• => Vanilla NI in the absence of communication
[figure: Separation kernel with two CPUs ≅ CPU]
Page 19: Unwinding Relation
Identical:
• MMU readable memory
• User mode observable registers
• Message boxes
• Time
Page 20: Unwinding Relation
Weak bisimulation
• Per partition
• User mode observations to be preserved
• Weak (non-preemptive) handler transitions
• The relation? See the previous slide!
Page 21: Unwinding Relation
Boot Lemma
• Boot code terminates and establishes the relation
• Establish hypervisor invariant
• Machine code verification (HOL4 -> BAP)
Page 22: Unwinding Relation
User Lemma
• No infiltration / no exfiltration for user mode transitions, NI
• Independent of handler code, independent of guest code
• Theorem proving (HOL4)
Page 23: Unwinding Relation
Switch Lemma
• No infiltration / no exfiltration for exceptions/interrupts
• Independent of handler code, independent of guest code
• Theorem proving (HOL4)
Page 24: Unwinding Relation
Handler Lemmas
• Handlers satisfy their contracts
• Dependent on handler code, independent of guest code
• Machine code verification (HOL4 -> BAP)
Page 25: Verification Approach
ARMv7 properties:
  – Lemmas: User Lemma, Switch Lemma
  – Kind: Property of ARMv7 instruction set architecture
  – Tools: HOL4 + Cambridge ARMv7 model + L3 + MMU
  – Proofs: Noninterference lemmas
  – Automation: See later
Handler code:
  – Lemmas: Handler Lemmas, Boot Lemma
  – Kind: Code property
  – Frequently updated
  – Tools: C + assembly + gcc, BAP + STP
  – Proofs: Contract verification
  – Automation: "Semi"-automatic
Page 26: PROSPER v1
Page 27: PROSPER Kernel, v1
[figure: Processor, Memory Management Unit, Memory, Network controller, DMA controller]
Page 28: MMU Virtualization
• MMU: Key component to virtualize commodity OSs
• L1 and L2 page tables
• Page tables map virtual addresses to intermediate addresses to physical addresses
• Control is vital
  – For virtualization
  – For sandboxing, etc.
Guanciale, Nemati, Dam, Baumann: Provably secure memory isolation for Linux on ARM, Journal of Computer Security 24(6), 2016
Page 29: The Prosper v1 Hypervisor
• Primary use case:
  – Single untrusted OS guest
  – "Collaboratively" scheduled secure services
• Paravirtualization
• Memory management:
  – Direct paging, as in Xen-x86 or Secure Virtual Architecture [1]
  – Page tables reside in guest memory
  – Guest can manipulate page tables when not in use
  – Hypervisor mediates access to page tables when active
  – Guest fully in charge of memory management
[1]: Criswell et al: Secure Virtual Architecture: A safe execution environment… SOSP'07
Page 30: The Prosper v1 Hypervisor
DMMU – the MMU virtualization API:
• Memory partitioned in physical blocks of 4KB
• Blocks are typed: t(block) in {L1, L2, D}
• 9 primitive API calls to activate, create or free page tables and to map or unmap memory blocks
• A reference counter keeps track of active references
• Hypervisor prevents unsound requests:
  – No access outside the guest memory
  – No writable access to a page table
• Block type can be changed if the reference counter is zero
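To make the DMMU rules on this slide concrete, here is an executable model written for this page; it is an added example, not the Prosper hypervisor's code. The API names (create_pt, free_pt, activate, map, unmap), the dictionary-of-entries table layout and the block numbers are constructed for illustration; the rules it enforces are the ones the slide lists (typed blocks, a reference counter, no mapping outside guest memory, no writable mapping of a page table, retyping only at reference count zero), and invariant_holds is the property every call must preserve.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

L1, L2, D = "L1", "L2", "D"   # block types: level-1 table, level-2 table, data

class DMMUError(Exception):
    pass

@dataclass
class Block:
    kind: str = D
    refs: int = 0   # table entries pointing here, plus 1 if this is the active L1 table
    entries: Dict[int, Tuple[int, bool]] = field(default_factory=dict)  # index -> (target, writable)

class DMMU:
    def __init__(self, guest_lo: int, guest_hi: int):
        # guest memory is the block range [guest_lo, guest_hi); anything outside it
        # (hypervisor, secure services) must never become reachable from a guest table
        self.lo, self.hi = guest_lo, guest_hi
        self.blocks = {b: Block() for b in range(guest_lo, guest_hi)}
        self.active: Optional[int] = None   # L1 table the MMU currently walks

    def _guest_block(self, b: int) -> Block:
        if not self.lo <= b < self.hi:
            raise DMMUError(f"block {b} is outside guest memory")
        return self.blocks[b]

    def _check_entry(self, target: int, writable: bool) -> None:
        if self._guest_block(target).kind != D and writable:
            raise DMMUError(f"writable mapping of page-table block {target}")

    def create_pt(self, b: int, kind: str, entries: Dict[int, Tuple[int, bool]]) -> None:
        """Turn data block b, whose contents the guest prepared, into a validated table."""
        blk = self._guest_block(b)
        if kind not in (L1, L2) or blk.kind != D or blk.refs != 0:  # retype only at refs == 0
            raise DMMUError(f"cannot make block {b} a {kind} table (type {blk.kind}, refs {blk.refs})")
        for target, writable in entries.values():   # validate every entry before committing
            self._check_entry(target, writable)
        blk.kind, blk.entries = kind, dict(entries)
        for target, _ in entries.values():
            self.blocks[target].refs += 1

    def free_pt(self, b: int) -> None:
        blk = self._guest_block(b)
        if blk.kind == D or blk.refs != 0:   # still referenced (or active): refuse
            raise DMMUError(f"block {b} cannot be freed (type {blk.kind}, refs {blk.refs})")
        for target, _ in blk.entries.values():
            self.blocks[target].refs -= 1
        blk.kind, blk.entries = D, {}

    def activate(self, b: int) -> None:
        blk = self._guest_block(b)
        if blk.kind != L1:
            raise DMMUError(f"block {b} is not an L1 table")
        if self.active is not None:
            self.blocks[self.active].refs -= 1
        blk.refs += 1   # activation is itself a reference, so the table cannot be retyped
        self.active = b

    def map(self, pt: int, index: int, target: int, writable: bool) -> None:
        tbl = self._guest_block(pt)
        if tbl.kind == D or index in tbl.entries:
            raise DMMUError(f"cannot map entry {index} of block {pt}")
        self._check_entry(target, writable)
        tbl.entries[index] = (target, writable)
        self.blocks[target].refs += 1

    def unmap(self, pt: int, index: int) -> None:
        tbl = self._guest_block(pt)
        if tbl.kind == D or index not in tbl.entries:
            raise DMMUError(f"no mapping at entry {index} of block {pt}")
        target, _ = tbl.entries.pop(index)
        self.blocks[target].refs -= 1

    def invariant_holds(self) -> bool:
        """What every API call must preserve: mappings stay inside guest memory,
        no page table is mapped writable, and counters equal the real references."""
        expected = {b: 0 for b in self.blocks}
        if self.active is not None:
            expected[self.active] += 1
        for blk in self.blocks.values():
            for target, writable in blk.entries.values():
                if not self.lo <= target < self.hi or (self.blocks[target].kind != D and writable):
                    return False
                expected[target] += 1
        return all(blk.refs == expected[b] for b, blk in self.blocks.items())

def demo() -> list:
    """Drive the model with sound and unsound requests; return what the monitor did."""
    m = DMMU(guest_lo=0, guest_hi=16)   # constructed: 16 guest blocks, numbered 0..15
    m.create_pt(2, L2, {0: (5, True), 1: (6, False)})   # L2 table over two data blocks
    m.create_pt(1, L1, {0: (2, False)})                 # L1 table, read-only entry to table 2
    m.activate(1)
    log = []
    for label, call in [
        ("writable map of L2 table", lambda: m.map(1, 1, 2, True)),
        ("map outside guest memory", lambda: m.map(2, 2, 40, False)),
        ("free referenced L2 table", lambda: m.free_pt(2)),
        ("retype referenced block 5", lambda: m.create_pt(5, L2, {})),
    ]:
        try:
            call()
            log.append((label, "accepted"))
        except DMMUError:
            log.append((label, "rejected"))
    m.unmap(1, 0)   # drop the only reference to table 2 ...
    m.free_pt(2)    # ... which may now be freed
    log.append(("invariant", m.invariant_holds()))
    return log
```

The reference counter is what ties the rules together: a block can only change type (data to table, or back) while nothing points at it, so a guest cannot first map a block writable and then have it validated as a page table, nor free a table that the MMU or another table still walks.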
Page 31: Verification
Two stages:
1. Ideal model
  – Hypervisor state is idealized
  – Page tables stored in memory
  – Reference counter = 0 => page table can be freed
  – Hypervisor addresses physical memory
  – Correctness proof is needed
2. Implementation model
  – Algorithm + hypervisor state -> hypervisor memory
  – Hypervisor addresses virtual memory
3. Refinement proof
  – Transfers infoflow properties to implementation model
  – Bisimulation proof with some twists
Page 32: Ideal Model Correctness Proof
Main components of proof:
• Invariant property maintained by the 9 API calls (needed for the below)
• Complete mediation: Guest transitions cannot directly affect MMU behaviour
• Integrity: Guest transitions cannot affect hypervisor or secure guests' state
• Confidentiality: No flow of information from hypervisor or secure guest state to insecure guest - noninterference
Page 33: Implementation
Privileged components:
• Interface layer
• Linux adaptation layer
• DMMU handlers
Features:
• Small critical core
• No direct access to critical functionality from Linux layer
• Simpler to verify
Page 34: PROSPER Kernel v1 - Applications
[figure: Processor, Memory Management Unit, Memory, Network controller, DMA controller]
Page 35: MProsper: Executable Space Protection
• Memory blocks are executable or writeable, but not both
• Reference monitor intercepts memory attribute changes
• Pages are made executable only if they are duly signed
• Examples: OpenBSD 3.3, Linux PaX, Exec Shield, NetBSD, MS OSs with Data Execution Prevention
• Here: Using the Prosper kernel to implement this in a provably secure manner
• Monitor runs as isolated with read permissions - tamper proof
• Proof extends hypervisor security proof
Chfouka, Nemati, Guanciale, Dam, Ekdahl: Trustworthy Prevention of Code Injection in Linux on Embedded Devices, ESORICS'15
Page 36: MProsper Design
Enforce W xor X policy
On Linux request to change access rights:
• Downgrade request
• Store suspended request in table
On data/prefetch abort:
• Downgrade and store current setting
• Re-enable suspended request, if safe
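The request / abort flip-flop on this slide is easier to follow as a small state machine, so here is one written for this page (an added example, not MProsper's code). Two things are assumptions, because the slides leave them open: a W+X request is granted as W only, with the X half parked in the suspended table; and "duly signed" is modelled as the SHA-256 of the block content being on an allow-list the monitor can read but the guest cannot write. The block contents and numbers are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Set

@dataclass(frozen=True)
class Perm:
    w: bool   # writable
    x: bool   # executable

class WXMonitor:
    def __init__(self, memory: Dict[int, bytes], signed: Set[str]):
        self.memory = memory          # block number -> content (guest-writable data)
        self.signed = signed          # allow-list of SHA-256 digests (assumed signing scheme)
        self.perm = {b: Perm(False, False) for b in memory}   # current setting per block
        self.suspended: Dict[int, Perm] = {}   # table of requests not (yet) fully granted

    def _signed(self, block: int) -> bool:
        return hashlib.sha256(self.memory[block]).hexdigest() in self.signed

    def request(self, block: int, w: bool, x: bool) -> Perm:
        """Linux asks to change access rights: never grant W and X together."""
        x = x and self._signed(block)            # executable only if duly signed
        self.suspended.pop(block, None)          # a new request replaces any parked one
        if w and x:                              # downgrade: grant W now ...
            self.suspended[block] = Perm(True, True)   # ... and park the full request
            x = False
        self.perm[block] = Perm(w, x)
        return self.perm[block]

    def _flip(self, block: int, want_x: bool) -> Perm:
        """Shared abort path: downgrade and store the current setting, then
        re-enable the suspended half of the request if it is safe to do so."""
        wanted = self.suspended.get(block)
        safe = wanted is not None and (wanted.x if want_x else wanted.w)
        if want_x:
            safe = safe and self._signed(block)  # re-check: the guest may have rewritten the block
        if not safe:
            return self.perm[block]              # nothing safe to re-enable; fault stays
        self.suspended[block] = self.perm[block]
        self.perm[block] = Perm(w=not want_x, x=want_x)
        return self.perm[block]

    def prefetch_abort(self, block: int) -> Perm:   # guest executed a non-executable block
        return self._flip(block, want_x=True)

    def data_abort(self, block: int) -> Perm:       # guest wrote a non-writable block
        return self._flip(block, want_x=False)

    def write(self, block: int, data: bytes) -> None:
        if not self.perm[block].w:
            raise PermissionError(f"block {block} is not writable")
        self.memory[block] = data

def demo() -> list:
    code = bytes.fromhex("0000a0e1") * 4         # constructed block content
    mon = WXMonitor({7: code, 8: b"\xff" * 16},
                    signed={hashlib.sha256(code).hexdigest()})
    out = [mon.request(7, w=True, x=True),      # W+X asked: W granted, X suspended
           mon.prefetch_abort(7),               # execute attempt: flip to X (content signed)
           mon.data_abort(7)]                   # write attempt: flip back to W
    mon.write(7, b"\x90" * 16)                  # guest changes the code ...
    out.append(mon.prefetch_abort(7))           # ... digest no longer on the list: stays W-only
    out.append(mon.request(8, w=False, x=True)) # unsigned block: X refused outright
    return [(p.w, p.x) for p in out]
```

The point of the re-check in the abort path is the signing rule on the previous slide: a block that was writable may have been modified, so the monitor must look at the content again before it ever becomes executable.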
Page 37: PROSPER Kernel, v1, Extensions
[figure: Processor, Memory Management Unit, Memory, Network controller, DMA controller]
Page 38: Devices
Issues:
• Memory-mapped IO registers
• Interrupts
• DMA
• Asynchronous operation
Virtualization:
• Virtualized register accesses
• Static memory partitioning
Modeling:
• Interleaving of processor/device memory accesses using oracle
[figure: CPU CPU CPU]
Schwarz, Dam: Formal Verification of Secure User Mode Device Execution with DMA, HVC'14
Page 39: Status
Implementation:
  – Ports for Linux 2.6.34 and Linux 3.10, BeagleBone, RPi2
  – Performance comparable to Xen
  – Low memory overhead compared to shadow paging
  – Experimental multicore port, one hypervisor per core
Models:
  – ARMv7 model in L3 extended with MMU and system functionality
  – Proven ISA level non-interference properties
  – NIC + DMA models
Tools:
  – HOL4 for model and design verification (refined-ideal bisimulation)
  – Lifter from ARMv7 to BAP, partially verified in HOL4
  – Binary code verification using SMT solver (STP)
Proofs:
  – Guest switch lemma, verified hypervisor design
  – Full verification v0, part binary verification v1
  – Proof for NIC virtualization in progress
Page 40: PROSPER v2
Page 41: Virtualization Target v2, HASPOC
[figure: ARMv8-A cores (Core 1, …), each with its MMU; Memory; SMMU / NIC; SMMU / USB; GIC Generic Interrupt Controller]
Page 43: Minimal COTS hypervisor for ARMv8
• Fixed # guests, static memory allocation
• Cores and devices owned exclusively
• No device virtualisation except GIC
• Secure bootloader
• Memory isolation through HW extensions and SMMUs
• Main runtime hypervisor task is GIC virtualisation
• Communication only through predefined channels
Page 45: Security Goal
• Ideal model: Secure by construction
• Bisimulation relation transfers infoflow properties
• Verification: Focus on guest (user mode) execution
[figure: ≅]
Page 46: Status
Implementation:
  – HiKey board, <64KB code base, <10 KLoC, <2MB DRAM
  – Demonstrators stable, <15% OH (interrupt penalties)
  – Inter-guest communication up to 750 Mbps
  – Secure boot faster than ARM Trusted Firmware
Models:
  – ARMv8 model in L3 extended with MMU and system features
  – Compositional model for proof reusability and refinement
  – Sequential memory, cache model under development
Tools:
  – Lifter from ARMv8 to BAP, verified in HOL4
  – Formal BAP Intermediate Language semantics in HOL4
Proofs:
  – System level HOL4 proof of guest non-interference complete
  – Pen-and-paper proof of design, Common Criteria compatible
  – Verified weakest precondition generation (ongoing)
  – Experiments in binary ARMv8 code verification
Page 47: ISA Information Flow
Page 48: ISA Info Flow Analysis
Recall: This is a property of the instruction set architecture!
Is it important?
  – Yes, check Meltdown/Spectre
Could we have caught Meltdown/Spectre?
  – Currently have caches in model, not speculation
  – Given adequate model and enough cpu cycles, maybe
Schwarz, Dam: Automatic derivation of platform noninterference properties. SEFM 2016, 27-44
Page 49: ISA Info Flow Analysis: The Problem
Wish to determine:
  – What can a given user process determine of the processor state?
Dual problem:
  – Which parts of the processor state can a user process (process at privilege level x) influence?
  – Can be solved in similar manner
[figure: processor state components pc, reg0, pub, sec, ctrl, before and after a step]
Page 50: ISA Info Flow Analysis: The Problem
Input:
  – Initial level assignment I
Output:
  – Provably minimal final level assignment F containing I
Objectives:
  – Soundness, precision
  – Apply to HOL4 ISA spec as is
  – Implement in HOL4
  – Fully automatic
  – Test on realistic specs
Page 51: ISA Info Flow Analysis: Complications
Specification excerpt (getControl):

    getControl s =
      let m := s.mode in
      let c := (if m = user then bitmask (s.ctrl m) else s.ctrl m) in
      (c, s)
      end
    end

Tricky to map into a standard type-based setting:
• Mappings need sometimes to be evaluated, sometimes not
• Levels need sometimes to be assigned bitwise, sometimes not
• Heavy context dependency
Page 52: ISA Info Flow Analysis: Approach
Rewriting
  – Cambridge ISA specs are large so care is needed
  – Use Fox's ARM step library whenever possible
Instruction task queue:
  – Rewrite to suitable normal form
  – Attempt to prove NI
  – Success, move on
  – Failure:
    • Failure of proof search to imply counterexample
    • Use counterexample to refine low-equivalence relation
    • This gives minimality
    • Re-enqueue validated instructions
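The problem statement (initial level assignment I in, minimal final assignment F out) and the task-queue approach on this slide can be run end to end on a toy instruction set, so here is such a run written for this page. It is an added example, not the HOL4 implementation: the six state components, their tiny domains, the four instructions and the privilege-level parameter are all constructed, and because the domains are finite the "proof attempt" is an exhaustive search rather than theorem proving. getctrl mirrors the getControl excerpt on the previous slide, so the analysis has to assign levels bitwise (only ctrl_lo becomes low in user mode) and its answer depends on the context (the fixed privilege level).

```python
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

State = Dict[str, int]
USER, PRIV = 0, 1

# Toy ISA "spec": every state component has a small finite domain, so an NI
# proof attempt can be an exhaustive search instead of HOL4 proof search.
DOMAIN: Dict[str, range] = {
    "pc": range(4), "reg0": range(4), "reg1": range(4),
    "ctrl_lo": range(2), "ctrl_hi": range(2),   # two bits of a control register
    "sec": range(2),                            # register only privileged code reads
}

def add(s: State, mode: int) -> State:
    return {**s, "reg0": (s["reg0"] + s["reg1"]) % 4, "pc": (s["pc"] + 1) % 4}

def getctrl(s: State, mode: int) -> State:
    # the slide's getControl: in user mode the control register is bitmasked,
    # so only ctrl_lo is visible; privileged mode sees both bits
    c = s["ctrl_lo"] if mode == USER else s["ctrl_lo"] | (s["ctrl_hi"] << 1)
    return {**s, "reg0": c, "pc": (s["pc"] + 1) % 4}

def jump(s: State, mode: int) -> State:
    return {**s, "pc": s["reg0"]}

def secwrite(s: State, mode: int) -> State:
    # writes a component the user never observes: must not enlarge the low set
    return {**s, "sec": s["reg1"] & 1, "pc": (s["pc"] + 1) % 4}

ISA: Dict[str, Callable[[State, int], State]] = {
    "add": add, "getctrl": getctrl, "jump": jump, "secwrite": secwrite}

def counterexample(instr: Callable[[State, int], State],
                   low: FrozenSet[str], mode: int) -> Optional[str]:
    """Try to refute noninterference of one instruction for the low-equivalence
    relation 'equal on every component in low'. Returns the high component whose
    change became visible (a concrete counterexample), or None if NI holds."""
    names = list(DOMAIN)
    for values in product(*(DOMAIN[n] for n in names)):
        s = dict(zip(names, values))
        for h in names:
            if h in low:
                continue
            for v in DOMAIN[h]:
                if v == s[h]:
                    continue
                t = {**s, h: v}                # low-equal to s, differing only in h
                s2, t2 = instr(s, mode), instr(t, mode)
                if any(s2[c] != t2[c] for c in low):
                    return h
    return None

def derive_levels(initial: Set[str], mode: int = USER
                  ) -> Tuple[FrozenSet[str], List[Tuple[str, str]]]:
    """Instruction task queue: prove NI per instruction; on failure, use the
    counterexample to add the leaking component to the low set (refining the
    relation) and re-enqueue everything already validated."""
    low: FrozenSet[str] = frozenset(initial)
    witnesses: List[Tuple[str, str]] = []
    queue = list(ISA)
    while queue:
        name = queue.pop(0)
        h = counterexample(ISA[name], low, mode)
        if h is None:
            continue                           # proved: move on
        low = low | {h}
        witnesses.append((name, h))            # every addition has a concrete justification
        queue = list(ISA)                      # refinement invalidates earlier proofs
    return low, witnesses
```

Starting from I = {pc} in user mode the queue adds reg0 (jump), reg1 (add) and ctrl_lo (getctrl) and then every instruction is proved, so F = {pc, reg0, reg1, ctrl_lo}; ctrl_hi and sec stay high. Rerunning with mode=PRIV adds ctrl_hi as well. Minimality comes for free from the construction: each component in F beyond I is there because a concrete pair of states forced it.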
Page 53: ISA Info Flow Analysis: Results
ARMv7-A user mode, no MMU, no security or hypervisor extensions
  – Initial: PC
  – Final included: User reg's, full CPSR, some FP registers, TEEHBR, SCTLR flags EE, TE, V, A, U, DZ
  – Not included: Banked registers, SPSRs, some FIQ-related registers, CP15.SCTLR.{NMFI, VE}
  – Running time >21 hrs on single Xeon X3470 core
MIPS-III
  – Initial: PC + some basic registers, final: all, 1hr+
MIPS-III restricted user mode
  – Initial as above, final: GP registers + some status flags, 38'
Page 54: Caches, caches, caches
Page 55: Caches and Stuff
Current ISA modeling tends to ignore many nasty details
  – Caches and cache management
  – Speculation
  – Lots of system features
How much of a problem is this?
Timing and power channels
  – Very difficult to close completely
  – Model-external features - abstract away (?)
Cache storage channels
  – Deterministic channels not relying on timing/power
  – Model internal - harder to ignore
Post Meltdown/Spectre: We're in trouble (!)
Page 56: Example: Memory Incoherence
Coherent memory:
  – Observers (cores, MMUs, etc) all see the same sequence of writes, per location
Controlled incoherence:
  – If one agent can be set up to control what another agent sees, we have a potential attack
Mismatched cacheability attributes
  – Virtual aliases with conflicting cacheability
  – Reasonable scenarios exist (e.g., virtualisation)
  – If cache and memory can disagree without entry becoming dirty there is a problem
  – This is sometimes the case
  – Integrity and confidentiality attacks
Guanciale, Nemati, Baumann, Dam: Cache storage channels: Alias-driven attacks and verified countermeasures. S&P 2016, 38-55
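The precondition on this slide, virtual aliases of one physical page with conflicting cacheability, is something a hypervisor or an audit script can check mechanically over a set of mappings. The check below is written for this page as an added example; it is not code from the paper, and the refuse-the-mapping rule in admit is one possible monitor policy, an assumption here rather than one of the two countermeasures the next slide says were verified (which the slides do not name). The page-table content is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Mapping:
    va: int           # virtual page number
    pa: int           # physical page it resolves to
    cacheable: bool   # cacheability attribute of this mapping

def conflicting_aliases(mappings: List[Mapping]) -> Dict[int, List[Mapping]]:
    """Physical pages reachable through virtual aliases whose cacheability
    attributes disagree: exactly the situation in which a cached and an
    uncached observer can see different values for the same location."""
    by_pa: Dict[int, List[Mapping]] = {}
    for m in mappings:
        by_pa.setdefault(m.pa, []).append(m)
    return {pa: ms for pa, ms in by_pa.items() if len({m.cacheable for m in ms}) > 1}

def admit(existing: List[Mapping], new: Mapping) -> Tuple[bool, str]:
    """One possible monitor rule (an assumption, not the paper's verified
    countermeasure): refuse a mapping that would introduce such an alias."""
    if conflicting_aliases(existing + [new]):
        return False, f"va {new.va:#x} would alias pa {new.pa:#x} with mismatched cacheability"
    return True, "ok"

def demo() -> Tuple[List[int], bool, bool]:
    # constructed page-table content: two aliases of pa 0x200 that disagree
    table = [Mapping(0x1000, 0x100, True), Mapping(0x2000, 0x200, True),
             Mapping(0x3000, 0x200, False), Mapping(0x4000, 0x300, False)]
    bad = sorted(conflicting_aliases(table))
    ok_same, _ = admit(table[:2], Mapping(0x5000, 0x200, True))    # same attribute: fine
    ok_diff, _ = admit(table[:2], Mapping(0x5000, 0x200, False))   # conflicting: refused
    return bad, ok_same, ok_diff
```

In a real system the mappings to check come from every page table the hypervisor has validated, including the ones it uses itself, since the slide's point is that the alias only needs to exist somewhere for the cache and memory to diverge.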
Page 57: Verification
Need:
  – More fine-grained model with caches
  – New proof machinery
  – Formalised countermeasures
  – Not least: Redoing work already done...
Approach:
  – Reuse verification on cacheless model
  – Use proof obligations:
    • On processor model
    • On hypervisor
    • On countermeasures
    • On application
  – General multilevel dcache + icache model
  – Integrity proof done for two countermeasures
  – Confidentiality in progress
Page 58: Challenges
Page 59: Precise Hardware Models
Modern hardware is complex
  – Weakly-consistent memory
  – Out-of-order and speculation
  – Cache hierarchies, MMUs, DMA bus masters, TLBs
  – Rich flora of devices w. rapid churn
  – How to keep up and scale?
Vendor-provided models
  – Lack of documentation is a big issue
  – See Alastair Reid's presentation on ARM models
  – Open source hardware, e.g. RISC-V?
  – Hidden instructions? Vendor-specifics? HW Trojans?
  – "Unpredictable behaviour"?
Generality and reusability
  – vs. side channel protection / bisimulations
Page 60: Managing Complexity
Building formal HW models is hard
  – Huge informal specs
  – Implementation-dependent behaviour
  – Hard to test
Can we make it easier?
  – Domain-specific languages can help
  – Decomposed models for spec and proof reuse
    • Absolutely necessary for modern architectures
  – Frameworks needed to mechanise proof search
    • HOL4 good starting point for this
  – Executable models
    • Generality vs executability & speed
  – Automating model construction
    • Check out Heule et al: Stratified synthesis: Automatically learning the x86-64 instruction set, PLDI'16
Page 61

Thank you!
Pages 62-68 (the bullet list is built up one item per slide)

ARMv8 Platform Model

• Compositional model, async message passing
• (S)MMU: Active?, page table base, current translations
• Core: Execution mode, some hypervisor extension registers
• Device: Mostly uninterpreted, DMA enabled?
• Memory: Flat map, memory-mapped IO
• GIC: Hypervisor-accessed registers, interrupt state
• Hypervisor: Fine-grained LTS, GIC interaction
Pages 69-74 (the bullet list is built up one item per slide)

Ideal Model

• Ideal core: HV invisible / atomic hypercall semantics
• Buffer for outgoing IGC notification interrupts
• IGC shared memory duplicated and copied on write
• Ideal GIC: interrupt separation by construction
• Message buffers as placeholders for (S)MMUs
• Memory: only guest portion, intermediate physical addresses
Pages 75-81 (diagram slides)

Bisimulation Relation
Pages 82-87 (animated over several slides)

Integrity Cache Incoherence Attack

V1: D = access(VA_c)
. . .
A1: write(VA_nc, 1)
. . .
V2: D = access(VA_c)
V3: if not policy(D) reject
. . .
[evict VA_c]
. . .
V4: use(VA_c)

Diagram (virtual memory, physical memory, cache): VA_c is a cacheable mapping and VA_nc an uncacheable mapping of the same physical address PA, initially holding 0. V1 brings the line into the cache (cache 0, memory 0). A1 writes 1 through VA_nc straight to memory (memory 1, cache still 0). V2 hits the stale line, so D = 0 passes the policy check at V3. The line is then evicted and V4 refetches from memory, using the value 1 that was never validated.
Pages 88-98 (animated over several slides)

Confidentiality Cache Incoherence Attack

A1: invalidate(VA_c)
A2: write(VA_nc, 0)
A3: D = read(VA_c)
A4: write(VA_nc, 1)
A5: call victim
A6: D = read(VA_c)
V1: if secr access(VA_3) else access(VA_4)

Diagram (virtual memory, physical memory, cache, set-idx): VA_c and VA_nc are cacheable and uncacheable aliases of PA-1; the victim's VA_3 maps to PA-3, which has the same set index as PA-1, while VA_4 maps to PA-4 in a different set. A1-A3 leave a cached copy of PA-1 holding 0, and A4 sets memory to 1 behind it. If secr = 0 the victim touches PA-4, the stale line survives and A6 reads D = 0. If secr = 1 the victim touches PA-3, evicting the PA-1 line, and A6 refetches D = 1 from memory. The secret is recovered from the value of D, not from timing.
Page 99

Example Attacks

Three attacks implemented using the mismatched cache attribute vector:
1. AES in TrustZone on RPi2
   128-bit key extracted after 850 encryptions
2. PROSPER v1 on BeagleBoard-xM
   Attacker: non-secure guest
   Validation of a non-valid page table
   Attacker gets full control
3. Extraction of the exponent from a modular exponentiation procedure
   Non-PC-secure procedure in TrustZone on RPi2
   Execution path detected through an instruction cache attack
Page 100

Countermeasures

For confidentiality:
– Standard timing approaches:
– PC-secure code, secret-independent memory accesses, ...

For integrity:
– Guarantee coherence of accessed memory
– Cache flushes, explicit eviction of cache lines, ...

Specific for mismatched cache attributes:
– Secret-independent cache line accesses
– Prevent uncacheable aliases for specific memory regions
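The two alias-driven attacks walked through on pages 82-98, and the coherence and secret-independence countermeasures listed above, can be replayed against a toy cache model. The following C program is an added example written for this page; it is not PROSPER code and not the attack code from the paper. It models a direct-mapped cache with a handful of sets in front of a flat byte memory, where a cacheable alias goes through the cache and an uncacheable alias goes straight to memory. The addresses PA_D, PA_1, PA_3, PA_4, the policy "only 0 is acceptable" and the choice that PA_3 shares a cache set with PA_1 are assumptions made for the illustration.

```c
/*
 * Toy model of an alias-driven cache storage channel (added example, not
 * project code). Direct-mapped cache in front of flat physical memory:
 * read_c goes through the cache, write_nc bypasses it, so the two views of
 * the same physical address can disagree. Addresses that differ by NSETS
 * share a cache set (set index = pa % NSETS). All addresses/values below
 * are made up for the illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSETS     4
#define MEM_WORDS 16

typedef struct { bool valid; unsigned tag; uint8_t data; } line_t;

static uint8_t mem[MEM_WORDS];   /* physical memory, one byte per address */
static line_t  cache[NSETS];     /* direct-mapped: one line per set */

static void reset(void) { memset(mem, 0, sizeof mem); memset(cache, 0, sizeof cache); }

/* Read through the cacheable alias: a hit returns the cached copy, a miss
 * fills the set from memory and evicts whatever line was there. */
static uint8_t read_c(unsigned pa)
{
    line_t *l = &cache[pa % NSETS];
    if (!l->valid || l->tag != pa) { l->valid = true; l->tag = pa; l->data = mem[pa]; }
    return l->data;
}

/* Write through the uncacheable alias: bypasses the cache, so any cached
 * copy of pa is now stale. */
static void write_nc(unsigned pa, uint8_t v) { mem[pa] = v; }

/* Drop the line holding pa if present (what a flush/invalidate does). */
static void invalidate(unsigned pa)
{
    line_t *l = &cache[pa % NSETS];
    if (l->valid && l->tag == pa) l->valid = false;
}

/* ---- Integrity attack (pages 82-87) ------------------------------------ */
#define PA_D     1u               /* data the victim validates, reachable via VA_c and VA_nc */
#define PA_EVICT (PA_D + NSETS)   /* unrelated address in the same cache set */

static bool policy(uint8_t d) { return d == 0; }   /* assumed policy: only 0 is acceptable */

typedef struct { bool rejected; uint8_t validated; uint8_t used; } integrity_t;

/* flush_before_check = true models the "guarantee coherence" countermeasure. */
static integrity_t integrity_attack(bool flush_before_check)
{
    integrity_t r = {false, 0, 0};
    reset();
    (void)read_c(PA_D);                        /* V1: victim reads via VA_c, line cached with 0 */
    write_nc(PA_D, 1);                         /* A1: attacker writes 1 via VA_nc, cache unchanged */
    if (flush_before_check) invalidate(PA_D);  /* countermeasure: V2 must refetch from memory */
    r.validated = read_c(PA_D);                /* V2 */
    if (!policy(r.validated)) { r.rejected = true; return r; }   /* V3 */
    (void)read_c(PA_EVICT);                    /* [evict VA_c]: same set, different tag */
    r.used = read_c(PA_D);                     /* V4: miss, refetches the attacker's 1 */
    return r;
}

/* ---- Confidentiality attack (pages 88-98) ------------------------------ */
#define PA_1 1u               /* probe line, attacker-controlled via VA_c / VA_nc */
#define PA_3 (PA_1 + NSETS)   /* victim target for secr = 1: same set as PA_1 */
#define PA_4 2u               /* victim target for secr = 0: a different set */

static void victim(bool secret)          { (void)read_c(secret ? PA_3 : PA_4); }
/* countermeasure: secret-independent cache line accesses */
static void victim_hardened(bool secret) { (void)secret; (void)read_c(PA_3); (void)read_c(PA_4); }

/* Returns the attacker's guess of the victim's secret bit. No timing is
 * measured: the bit arrives as the value of the stale line. */
static bool confidentiality_attack(bool secret, void (*run_victim)(bool))
{
    reset();
    invalidate(PA_1);          /* A1 */
    write_nc(PA_1, 0);         /* A2: memory 0 */
    (void)read_c(PA_1);        /* A3: cache line for PA_1 holds 0 */
    write_nc(PA_1, 1);         /* A4: memory 1, cache still 0 (incoherent) */
    run_victim(secret);        /* A5: secr = 1 evicts PA_1's line via PA_3 */
    return read_c(PA_1) == 1;  /* A6: evicted -> 1 from memory; still cached -> 0 */
}

int main(void)
{
    integrity_t a = integrity_attack(false), b = integrity_attack(true);
    printf("integrity, no flush: validated=%d used=%d rejected=%d\n", a.validated, a.used, a.rejected);
    printf("integrity, flush:    validated=%d rejected=%d\n", b.validated, b.rejected);
    printf("confidentiality, leaky victim:    guess(0)=%d guess(1)=%d\n",
           confidentiality_attack(false, victim), confidentiality_attack(true, victim));
    printf("confidentiality, hardened victim: guess(0)=%d guess(1)=%d\n",
           confidentiality_attack(false, victim_hardened), confidentiality_attack(true, victim_hardened));
    return 0;
}
```

Without the flush, the victim validates D = 0 and then uses 1; with the flush before V2 the check sees the attacker's value and rejects. Against the leaky victim the attacker's guess equals the secret bit; against the hardened victim both secrets produce the same observation, because the PA_1 line is evicted either way. The model omits write-back, multi-level caches and replacement policy, which is exactly what the fine-grained cache model on page 57 has to add.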