www.iti.tugraz.at
Automatized High-Level Evaluation of Security Properties for RTL Hardware Designs
Andrea Höller (1), Armin Krieg (2), Christopher Preschern (1), Christian Steger (1), Christian Kreiner (1), Holger Bock (2) and Josef Haid (2)
(1) Institute for Technical Informatics, Graz University of Technology, Austria
(2) Infineon Technologies Austria AG, Design Center Graz, Austria
8th Workshop on Embedded Systems Security (WESS 2013)
Montreal, September 29, 2013
Outline
Introduction
System Analysis and FSM Extraction Methodology
Model-Based Fault Injection
Experimental Results
Conclusions and Future Work
Automatized High-Level Evaluation of Security Properties for RTL Hardware Designs, Andrea Höller ([email protected])
The Formal Verification Gap
Common Criteria
− Standard for computer security
− EALs: measure of quality
− Formal methods to verify security properties
The gap
− Implementation of security properties neglected
− Translation of the RTL implementation for model checkers
Introduction
[Beckert2010]
Model Checking
• Model in own language
• Automated extraction of FSMs from RTL
[Brayton1996, Moundanos1996, Graf1997, Déharbe1998, Bei1999, Lahiri2002, Andraus2004]
Related Work
Adapted from [Boulé2008]
Formal Verification and Common Criteria
Related Work
Figure: Formal verification and the Common Criteria, adapted from [Beckert2010, Beuster2011]. The Common Criteria assurance class Development covers the Functional Requirement, the Functional Specification, the Target Design Description and the Implementation, with the Security Policy Model alongside. Model checking the policy model [Beuster2011]: LTL properties and an FSM model go into a model checker, which yields a verified specification or a counterexample. Proposed extension: an FSM model is extracted from the implementation and checked by the model checker against the same LTL properties, which yields a verified FSM implementation or a counterexample.
Global Model-Checking Based Flow
System Analysis and FSM Extraction Methodology
− Java-based framework
− NuSMV model checker
Global Model-Checking Based Flow (input design)
− Synthesizable
− Control dominated
VHDL Structural Analysis
System Analysis and FSM Extraction Methodology
1. VHDL structure parsing
   − Extract system-internal structures
   − Dependency lists
2. Translation into CFG description [Lohse1994]
   − Nodes for branches
   − Condition
   − List of transitions
   − One parent
VHDL Structural Analysis
System Analysis and FSM Extraction Methodology
3. FSM identification
   Realization: find the state register
   1. Find all registers
      − Synchronous register: reacts on the active clock edge
   2. Decide which of them are state registers
      − State signal depends on itself
      − Dependency list: search for a circular dependency
FSM Extraction
System Analysis and FSM Extraction Methodology
− Next-state logic
  − Find next-state signal
  − Collect transitions and conditions
− Initial values
− Input signals
  − Signals in the dependency list of the state
− Output signals
  − Signals that depend on the state
  − Collect transitions
System Analysis and FSM Extraction Methodology
01.10.2013 Institut für Technische Informatik
Translation to the NuSMV language
(1) Variable declarations
System Analysis and FSM Extraction Methodology
Translation to NuSMV
(2) Translation of FSMs into NuSMV
(3) FSM interconnection
    MODULE main
    VAR
      shared_input : boolean;
      fsm1 : FSM1(shared_input, fsm2.output);
      fsm2 : FSM2(shared_input, fsm1.output);
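The steps above (structure parsing with dependency lists, state-register identification by circular dependency, collection of transitions, initial value, inputs and outputs, and the NuSMV declaration and next-state translation) carried through on a small constructed design. This is an added Python example written for this page, not the paper's Java framework; the VHDL sample (a password-gated lock in one-segment style with a synchronous reset) and the signal names are constructed, and the parser assumes a reset signal called `reset`, `rising_edge(clk)` as the clock edge, and a `case` statement on the state register, so it handles only that VHDL subset. The guard stack built while parsing takes the place of the CFG conditions of step 2.

```python
import re

# Constructed VHDL sample (not from the paper): password-gated lock, one-segment style.
VHDL = """
process(clk)
begin
  if rising_edge(clk) then
    if reset = '1' then
      state <= IDLE;
    else
      case state is
        when IDLE =>
          if start = '1' then
            state <= CHECK;
          end if;
        when CHECK =>
          if pw_ok = '1' then
            state <= OPENED;
          else
            state <= IDLE;
          end if;
        when OPENED =>
          unlocked <= '1';
          if lock = '1' then
            state <= IDLE;
          end if;
      end case;
    end if;
  end if;
end process;
"""
def parse_assignments(vhdl):
    # Step 1, structure parsing: each signal assignment with the if/case guards it
    # executes under. Assumes 'reset' as the reset name and rising_edge(clk) as clock.
    records, stack = [], []  # stack of (kind, guard) for the open blocks
    for raw in vhdl.splitlines():
        line = raw.strip().rstrip(";")
        m = re.match(r"if\s+(.*?)\s+then$", line)
        if m:
            c = m.group(1)
            kind = "clk" if "rising_edge" in c else "rst" if c.startswith("reset") else "if"
            stack.append((kind, c))
        elif line == "else":
            kind, g = stack.pop()
            stack.append(("nrst", g) if kind == "rst" else ("if", "!(%s)" % g))
        elif line.startswith("end ") and stack:  # end if / end case
            if stack[-1][0] == "when":
                stack.pop()
            stack.pop()
        elif line.startswith("case "):
            stack.append(("case", line.split()[1]))
        elif line.startswith("when "):
            if stack[-1][0] == "when":
                stack.pop()
            sig = [g for k, g in stack if k == "case"][-1]
            stack.append(("when", "%s = %s" % (sig, line.split()[1])))
        elif "<=" in line:
            target, value = [s.strip() for s in line.split("<=", 1)]
            records.append(dict(target=target, value=value,
                                guards=[g for k, g in stack if k in ("if", "when")],
                                sync=any(k == "clk" for k, _ in stack),
                                reset=any(k == "rst" for k, _ in stack)))
    return records

def dependencies(records):  # dependency lists: the signals each target reads
    deps = {}
    for r in records:
        for text in [r["value"]] + r["guards"]:
            deps.setdefault(r["target"], set()).update(re.findall(r"[A-Za-z_]\w*", text))
    return deps

def extract_fsm(vhdl):
    # Steps 2-3: registers are the targets assigned on the clock edge; the state
    # register is the one whose dependency list is circular. Then collect the FSM.
    records = parse_assignments(vhdl)
    deps = dependencies(records)
    regs = {r["target"] for r in records if r["sync"]}
    [st] = [s for s in regs if s in deps[s]]  # exactly one self-dependent register
    init = next(r["value"] for r in records if r["target"] == st and r["reset"])
    trans = []
    for r in records:
        if r["target"] == st and not r["reset"]:
            src = [g.split(" = ")[1] for g in r["guards"] if g.startswith(st + " =")][0]
            cond = [g for g in r["guards"] if not g.startswith(st + " =")]
            trans.append((src, " & ".join(cond) or "TRUE", r["value"]))
    states = {init} | {t[0] for t in trans} | {t[2] for t in trans}
    return dict(state=st, init=init, states=sorted(states), transitions=trans,
                inputs=sorted(deps[st] - states - {st}),
                outputs=sorted(s for s, d in deps.items() if st in d and s != st))

def to_nusmv(fsm):
    # NuSMV translation steps (1) and (2): declarations plus the next-state case.
    def cv(g):  # VHDL compares against '1'/'0' become NuSMV boolean expressions
        return g.replace(" = '1'", "").replace(" = '0'", " = FALSE")
    out = ["MODULE main", "VAR"] + ["  %s : boolean;" % i for i in fsm["inputs"]]
    out += ["  %s : {%s};" % (fsm["state"], ", ".join(fsm["states"])), "ASSIGN",
            "  init(%s) := %s;" % (fsm["state"], fsm["init"]), "  next(%s) := case" % fsm["state"]]
    out += ["    %s = %s & %s : %s;" % (fsm["state"], s, cv(c), d) for s, c, d in fsm["transitions"]]
    return "\n".join(out + ["    TRUE : %s;" % fsm["state"], "  esac;"])
```

`print(to_nusmv(extract_fsm(VHDL)))` prints the generated module; `unlocked` is reported as an output because its dependency list contains `state`, while `state` is the only register whose dependency list contains itself. The emitted module declares the inputs as free booleans, so a model checker explores every input sequence, and it can be instantiated from a `main` module as in the interconnection example above.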
Model-Based Fault Injection
• Common Criteria requirement
  FRU_FLT.1.1: The TOE Security Functionality (TSF) shall ensure the operation of [assignment: list of TOE capabilities] when the following failures occur: [assignment: list of type of failures].
• Advantages
  + Completeness
  + No manipulation of original design
Model-based Fault Injection: VHDL modulo counter
Experimental Results
Figure: the VHDL code of the modulo counter, the automatic translation with fault injection, and the generated NuSMV model.
Model-based Fault Injection: LTL Specification and Result
Experimental Results
− Robust design support
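An added illustration of the model-based fault injection described on the earlier slide and of the modulo-counter result above, written for this page rather than taken from the paper: a constructed modulo-3 counter in a 2-bit register whose unused encoding is either silently held (the naive version, as a VHDL `case` without a `when others` branch behaves in a clocked process) or reset by a recovery branch (the robust version). The fault model, a single transient bit flip of the state register, is an assumption of this example. The Python check enumerates every state reachable under injection, which is the completeness argument, and never touches the design's own next-state function, which is the "no manipulation of the original design" argument; it also emits the equivalent NuSMV model with `fault` as a free input and a recovery property as `LTLSPEC`.

```python
BITS = 2           # width of the state register
VALID = (0, 1, 2)  # the counter's legal encodings; 3 is unused

def naive_next(s):
    # Modulo-3 counter as a VHDL case statement would list it: the unused
    # encoding 3 is not covered, so a clocked process simply holds it.
    return {0: 1, 1: 2, 2: 0}.get(s, s)

def robust_next(s):
    # Same counter with a 'when others => 0' recovery branch.
    return {0: 1, 1: 2, 2: 0}.get(s, 0)

def fault_successors(next_fn, s):
    # Model-based fault injection: besides the nominal successor, allow any single
    # bit of the state register to flip (transient fault model, an assumption of
    # this example). The design's own next-state function is left untouched.
    nominal = next_fn(s)
    return {nominal} | {nominal ^ (1 << b) for b in range(BITS)}

def reachable(next_fn, init=0):
    # Exhaustive exploration of every state the injected model can reach.
    seen, todo = {init}, [init]
    while todo:
        for t in fault_successors(next_fn, todo.pop()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def recovers(next_fn, s, bound=1 << BITS):
    # Does a fault-free run from s return to a valid state within `bound` cycles?
    for _ in range(bound):
        if s in VALID:
            return True
        s = next_fn(s)
    return s in VALID

def check_robustness(next_fn):
    # Every state reachable under injection must recover once the fault stops.
    # Returns the set of stuck states; an empty set means the design is robust.
    return {s for s in reachable(next_fn) if not recovers(next_fn, s)}

def to_nusmv(next_fn):
    # The same question posed to NuSMV: `fault` is a free input, so the model
    # checker enumerates every injection point itself (the completeness argument).
    top = (1 << BITS) - 1
    out = ["MODULE main", "VAR", "  fault : boolean;", "  state : 0..%d;" % top,
           "ASSIGN", "  init(state) := 0;", "  next(state) := case"]
    for s in range(top + 1):
        succ = ", ".join(str(t) for t in sorted(fault_successors(next_fn, s)))
        out.append("    fault & state = %d : {%s};" % (s, succ))
    out += ["    state = %d : %d;" % (s, next_fn(s)) for s in range(top + 1)]
    # Recovery property over the valid range 0..2 (matches VALID above).
    out += ["  esac;", "LTLSPEC G (state > 2 -> F state <= 2)"]
    return "\n".join(out)

if __name__ == "__main__":
    for name, fn in (("naive", naive_next), ("robust", robust_next)):
        print(name, "stuck states:", check_robustness(fn))
    print(to_nusmv(robust_next))
```

Running it reports `{3}` as stuck for the naive counter and an empty set for the robust one; NuSMV would give the same verdict on the generated models, with a counterexample path for the naive design. Because `fault` is unconstrained, a real model would normally add a fairness constraint such as `FAIRNESS !fault` so that the liveness part of the property is judged on runs where the fault eventually stops.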
Conclusions and Future Work
Conclusion
− Step towards filling the Common Criteria verification gap
− Automatic generation of a high-level representation of the RTL implementation
− Evaluation of fault-attack robustness
Future Work
− Model-based fault injection for the safety domain
Thank you very much for your attention!
Any questions?
Sources
[CommonCriteria2012] Common Criteria for Information Technology Security Evaluation, Part 2, Version 3.1, 2012.
[Andraus2004] Z. Andraus and K. Sakallah. Automatic abstraction and verification of Verilog models. In Proceedings of the 41st Annual Design Automation Conference, 2004.
[Bar-El2006] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan. The sorcerer's apprentice guide to fault attacks. Proceedings of the IEEE, 2006.
[Beckert2010] B. Beckert, D. Bruns, and S. Grebing. Mind the gap: Formal verification and the Common Criteria. International Verification Workshop, 2010.
[Bei1999] J. Bei, H. Li, J. Bian, H. Xue, and X. Hong. FSM modeling of synchronous VHDL design for symbolic model checking. In Proceedings of the ASP-DAC'99, 1999.
[Beuster2011] G. Beuster and K. Greimel. Developing a Formal Security Policy Model for a Smart Card EAL6 Evaluation. Presentation, International Common Criteria Conference, 2011.
[Boulé2008] M. Boulé and Z. Zilic. Generating Hardware Assertion Checkers: For Hardware Verification, Emulation, Post-Fabrication Debugging and On-Line Monitoring. Springer Verlag, 2008.
[Brayton1996] R. Brayton, G. Hachtel, A. Sangiovanni-Vincentelli, F. Somenzi, A. Aziz, S. Cheng, S. Edwards, S. Khatri, Y. Kukimoto, A. Pardo, et al. VIS: A system for verification and synthesis. In Computer Aided Verification, pages 428–432. Springer, 1996.
[Déharbe1998] D. Déharbe, S. Shankar, and E. Clarke. Model checking VHDL with CV. In Formal Methods in Computer-Aided Design. Springer, 1998.
[Ezekiel2009] J. Ezekiel and A. Lomuscio. Combining fault injection and model checking to verify fault tolerance in multi-agent systems. In Proceedings of the 8th International Conference on Autonomous Agents and Multiagent Systems, Volume 1, 2009.
FSM Extraction (backup slide)
System Analysis and FSM Extraction Methodology
− Next-state logic
  − Find next-state signal
  − Collect transitions and conditions
Figure: state signal and next-state signal, shown for one-segment code styling and for multi-segment code styling.
Verification of Security Policies
Experimental Results
• Verification of security requirements
  − Common Criteria property, FIA_SOS.2.2: The TOE Security Function (TSF) shall be able to enforce the use of TSF generated secrets for [assignment: list of TSF functions]
  − LTL specification
  − Verified property
Verification of Security Policies: UART control logic with password feature
Experimental Results
Figure: UART control logic with password feature and its automatic translation.
Initial Values: Reset Patterns
-- synchronous reset: the initial values are assigned inside the clocked branch
process(clk, reset)
begin
  if rising_edge(clk) then
    if reset = '1' then
      -- initial value assignments
    else
      -- logic
    end if;
  end if;
end process;

-- asynchronous reset: the reset branch is evaluated independently of the clock edge
process(clk, reset)
begin
  if reset = '1' then
    -- initial value assignments
  elsif rising_edge(clk) then
    -- logic
  end if;
end process;