Verifying components of Arm(R) Confidential Computing Architecture with ESBMC

Tong Wu, Shale Xiong, Edoardo Manino, Gareth Stockwell, Lucas C. Cordeiro
2024-06-05
Abstract: Realm Management Monitor (RMM) is an essential firmware component within the recent Arm Confidential Computing Architecture (Arm CCA). Previous work applies formal techniques to verify the specification and prototype reference implementation of RMM. However, relying solely on a single verification tool may lead to the oversight of certain bugs or vulnerabilities. This paper discusses the application of ESBMC, a state-of-the-art Satisfiability Modulo Theories (SMT)-based software model checker, to further enhance RMM verification. We demonstrate ESBMC's ability to precisely parse the source code and identify specification failures within a reasonable time frame. Moreover, we propose potential improvements for ESBMC to enhance its efficiency for industry engineers. This work contributes to exploring the capabilities of formal verification techniques in real-world scenarios and suggests avenues for further improvements to better meet industrial verification needs.
Software Engineering
What problem does this paper attempt to address?
The main problem this paper attempts to solve is verifying the correctness and security of the Realm Management Monitor (RMM), a key component of the Arm® Confidential Computing Architecture (Arm CCA). Specifically, the paper explores the following questions:

1. **Is the existing verification sufficient to ensure the security of RMM?** Can the existing verification methods fully discover and fix potential vulnerabilities and errors in RMM?
2. **Can other advanced tools find more vulnerabilities?** Besides the existing verification tools (such as CBMC), can other state-of-the-art verification tools (such as ESBMC) discover additional security issues?

### Research Background

With the rise of cloud computing, data security has become an important issue. Arm CCA aims to provide a secure computing environment, in which RMM is the key firmware component for managing and isolating multiple execution instances (called "Realms"). To ensure the correctness and security of RMM, formal verification techniques are needed to detect potential problems in its code.

### Main Contributions of the Paper

1. **Reproducing Known Problems**: The problems previously reported by CBMC were rediscovered with ESBMC, confirming that these problems exist.
2. **Discovering New Problems**: ESBMC also discovered 23 new problems that violate the RMM specification, which CBMC failed to detect.
3. **Performance Improvement**: The paper shows how the verification performance of ESBMC can be improved significantly by configuring the loop bounds appropriately.
4. **Multi-Property Checking Challenges**: The paper highlights the challenges of checking many properties at once and proposes improvement suggestions for the development of ESBMC.

### Methodology

The paper adopts two main verification techniques:

- **Bounded Verification**: Setting different loop unrolling depths reduces the state space and thus speeds up the verification.
- **Multi-Property Checking**: All properties are verified step by step through incremental and inductive methods, to ensure comprehensive coverage of possible error situations.

### Experimental Results

The experimental results show that ESBMC discovers more violations than CBMC in some test cases. In addition, ESBMC shows better performance when dealing with complex programs, especially when the loop bounds are properly configured.

### Conclusion

This research not only demonstrates the effectiveness and advantages of ESBMC in verifying RMM, but also points out directions for future improvement, including developing more efficient SMT solving algorithms and handling data race problems in multi-threaded programs. In addition, the research suggests that software verification tools should be closely integrated with industrial-level compilers to improve parsing accuracy and the readability of verification results.

### Formula Representation

When discussing specific technical details, some formulas and concepts are involved. For example, in Bounded Model Checking (BMC), the program is encoded as a SAT/SMT formula:

\[ \text{program} \to \text{SAT/SMT formula} \]

If there is a situation that violates the property, then the formula is satisfiable:

\[ \text{formula is satisfiable} \iff \exists\, \text{counterexample that violates the property} \]

These formulas and concepts help to understand the logical and mathematical basis of the verification process.
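The bounded-verification and formula passages above can be made concrete with a toy bounded model checker. The following Python block is an added illustration, not code from the paper or from ESBMC (which checks C programs with an SMT solver): it unrolls a small constructed loop `k` times, enumerates the nondeterministic loop count `n` over a finite domain in place of a solver, and reports a counterexample if any write in the unrolled program goes out of bounds. It also reports whether the bound `k` was large enough for every path to leave the loop, which is the role of an unwinding assertion; a bound that is too small silently misses the bug. The buffer size, the domain of `n`, and the `Result` type are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

BUF_SIZE = 4   # constructed: the loop writes into a 4-slot buffer
N_MAX = 8      # constructed: the nondeterministic loop count n ranges over 0..N_MAX


@dataclass
class Result:
    # assignment of the nondeterministic input that violates the property, or None
    counterexample: Optional[dict]
    # True if every explored path exited the loop within k unwindings,
    # i.e. the bound was sufficient and "no counterexample" is a real proof
    unwinding_complete: bool


def run_unrolled(n: int, k: int) -> Tuple[Optional[int], bool]:
    """Simulate  for (i = 0; i < n; i++) buf[i] = x;  unrolled at most k times.

    Returns (iteration of the first out-of-bounds write or None,
             whether the loop exited within the k unwindings).
    """
    i = 0
    for _ in range(k):
        if not i < n:
            return None, True          # loop guard false: path leaves the loop
        if i >= BUF_SIZE:              # safety property: every write stays in bounds
            return i, True
        i += 1
    # all k unwindings consumed; the loop may still have iterations left
    return None, not (i < n)


def bmc(k: int) -> Result:
    """Bounded model check with unwinding bound k.

    Enumerating n stands in for the SAT/SMT solver: the encoded formula is
    satisfiable exactly when some value of n reaches the violating write
    within k unwindings.
    """
    complete = True
    for n in range(N_MAX + 1):
        violation, exited = run_unrolled(n, k)
        if violation is not None:
            return Result({"n": n, "i": violation}, complete)
        complete = complete and exited
    return Result(None, complete)


if __name__ == "__main__":
    for k in (3, 4, 5):
        r = bmc(k)
        print(f"k={k}: counterexample={r.counterexample} "
              f"unwinding_complete={r.unwinding_complete}")
```

With `k=3` or `k=4` no violation is found but `unwinding_complete` is `False`, so the result says nothing about the program beyond the bound; with `k=5` the out-of-bounds write at `i = 4` for `n = 5` is reached and reported. This is the effect the paper exploits when it tunes loop bounds: a bound large enough to cover the loop's real iteration count is what lets the checker produce either a counterexample or a genuine bounded proof.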