

# Research Faculty Summit 2018 Systems | Fueling future disruptions





# Hardware-Aware Security **Verification and Synthesis**

Margaret Martonosi H. T. Adams '35 Professor Dept. of Computer Science **Princeton University** 

Joint work with Caroline Trippel, Princeton CS PhD student

# and Dr. Daniel Lustig, NVIDIA

# The Check Suite: An Ecosystem of Tools For Verifying Memory Consistency Model Implementations



### Our Approach

- Axiomatic specifications -> Happens-before graphs
- Check Happens-Before Graphs via Efficient SMT solvers
  - Cyclic => A->B->C->A... Can't happen
  - Acyclic => Scenario is observable



### Check: Formal, Axiomatic Models and Interfaces







# Example: ARM Read-Read Hazard

- ARM ISA spec ambiguous regarding same-address Ld $\rightarrow$ Ld ordering:
  - Compiler's job? Hardware job?
- C/C++ variables with atomic type require same-addr. Ld  $\rightarrow$  Ld ordering
- ARM issued errata1:
  - Rewrite compilers to insert fences (ordering instructions) with performance penalties
- ARM ISA had the right ordering instructions – just needed to use them.

std::atomic<int> z = {0}; std::atomic<int> \*y = {&z}; void thread0() z.store(1, std::memory order relaxed); int r0 = y->load(std::memory\_order\_relaxed); int r1 = z.load(std::memory\_order\_relaxed); if(r0 != r1)z.store(3, std::memory\_order\_relaxed); } void thread1() z.store(2, std::memory\_order\_relaxed); }

Original: Alglave 2011 Google Nexus 6: http://check.cs.princeton.edu/tutorial\_extras/SnapVideo.mov



### TriCheck Framework: Verifying Memory Event Ordering from Languages to Hardware



### **TriCheck Framework: Verifying Memory Event** Ordering from Languages to Hardware



Iteratively HLL, Compiler, ISA, uArch

# TriCheck Framework: RISC-V Case Study



### **Base RISC-V ISA: 144 buggy outcomes Base+Atomics: 221 buggy outcomes**



### January 2018: Spectre & Meltdown

HOW TO

SMART HOME

DEALS

DOWNLOAD

# Details you need on those

Design flaws in processors from leading chipmakers could let attackers access sensitive information. How

Triple Meltdown: How So Many Researchers Found a 20-Year-Old Ch

# ANDY GREENBERG SECURITY 01.07.18 02:23 PM

# **Attack Discovery & Synthesis:** What We Would Like

1. Specify system to study

Formal interface and specification of given system implementation

2. Specify attack pattern

E.g. Subtle event sequences during program's execution

3. Synthesis

Either output synthesized attacks. Or determine that none are possible

# Attack Discovery & Synthesis: CheckMate TL;DR

1. Specify system to study

2. Specify attack pattern

### 3. Synthesis

- What we did: Developed a tool to do this, based on the uHB graphs from previous sections.
- **Results:** Automatically synthesized Spectre and Meltdown, as well as two new distinct exploits and many variants.

[Trippel, Lustig, Martonosi. https://arxiv.org/abs/1802.03802] [Trippel, Lustig, Martonosi. MICRO-51. October, 2018]

In more detail...

# CheckMate Methodology

Frame classes of attacks as patterns of event 1. interleavings?

-> Essentially a snippet out of a happens-before graph

Specify hardware using uSpec axioms 2. -> Determine if attack is realizable on a given hardware implementation

### Exploit Programs: µhb Graphs featuring Exploit Patterns



## Microarchitecture-Aware Program Synthesis



# Microarchitecture-Aware Program Synthesis

**Microarchitecture Specification** 

```
Axiom "PO_Fetch":
forall microops "i1",
forall microops "i2",
SameCore i1 i2 /\ ProgramOrder i1 i2 =>
   AddEdge ((i1, Fetch), (i2, Fetch), "PO").
```

```
Axiom "Execute_stage_is_in_order":
forall microops "i1",
forall microops "i2",
SameCore i1 i2 /\
EdgeExists ((i1, Fetch), (i2, Fetch)) =>
AddEdge ((i1, Execute), (i2, Execute), "PPO")
```

Prior work addresses the problem of proving this correct with respect to RTL

- SW/OS/HW events and locations
- SW/OS/HW ordering details
- Hardware optimizations, e.g., speculation
- Processes and resource-sharing
- Memory hierarchies and cache coherence protocols



## Relational Model Finding (RMF): A Natural Fit for Security Litmus Test Synthesis

- A relational model is a set of constraints on an abstract system (for CheckMate, a µhb graph) of:
  - Set of abstract objects (for CheckMate, μhb graph nodes)
  - Set of N-dimensional relations (for example., 2D μhb graph edges relation connecting 2 nodes)
- For CheckMate, the constraints are a μhb pattern of interest
- RMF attempts to find and satisfying "instance" (or μhb graph)
- Implementation: Alloy DSL maps RMF problems onto Kodkod modelfinder, which in turn uses off-the-shelf SAT solvers
- CheckMate Tool maps µspec HW/OS spec to Alloy

# Spectre (Exploits Speculation)







### Hardware-specific exploit programs (if susceptible)

# SpectrePrime uhb Graph



# – Prime Probe

### **Overall Results: What exploits get synthesized?** And how long does it take?

| Exploit<br>Pattern | #Instrs<br>(RMF<br>Bound) | Output<br>Attack            | Minutes to<br>synthesize<br>1 <sup>st</sup> exploit | Minutes to<br>synthesize<br>all exploits | #Exploits<br>Synthesized |
|--------------------|---------------------------|-----------------------------|-----------------------------------------------------|------------------------------------------|--------------------------|
| Flush<br>+Reload   | 4                         | Traditional<br>Flush+Reload | 6.7                                                 | 9.7                                      | 70                       |
|                    | 5                         | Meltdown                    | 27.8                                                | 59.2                                     | 572                      |
|                    | 6                         | Spectre                     | 101.0                                               | 198.0                                    | 1144                     |
| Prime<br>+Probe    | 3                         | Traditional<br>Prime+Probe  | 5.4                                                 | 6.7                                      | 12                       |
|                    | 4                         | MeltdownPrime               | 17.0                                                | 8.2                                      | 24                       |
|                    | 5                         | SpectrePrime                | 71.8                                                | 76.7                                     | 24                       |

# CheckMate: Takeaways

- New Variants reported: SpectrePrime and MeltdownPrime
  - Speculative cacheline invalidations versus speculative cache pollution
  - Software mitigation is the same as for Meltdown & Spectre

- Key overall philosophy:
  - Move from ad hoc analysis to formal automated synthesis.
  - Span software, OS, and hardware for holistic hardware-aware analysis

[Trippel, Lustig, Martonosi. https://arxiv.org/abs/1802.03802] [Trippel, Lustig, Martonosi. MICRO-51. October, 2018]

# Acknowledgements

- CheckMate Co-Authors: Caroline Trippel, Princeton CS PhD student and Daniel Lustig, NVIDIA
- Funding: NSF, NVIDIA Graduate Fellowship
- Check Tools, additional co-authors: Yatin Manerkar, Abhishek Bhattacharjee, Michael Pellauer, Geet Sethi

Me: http://www.princeton.edu/~mrm Group Papers: http://mrmgroup.cs.princeton.edu Verification Tools: http://check.cs.princeton.edu

Thank you!

