Huafeng CHEN,Haibin SHEN,Xiaolang YAN

2008-01-01

Abstract:The design-for-testability structure based on scan-chain often compromises the security of crypto chips.A method to attack certain hardware implementation of elliptic curve cryptography was presented.And an easy but effective secure scan method against the attack was proposed,which would not compromise the security of the chip,while maintaining high fault coverage.By controlling operational mode of the chip,the disability mechanism of scan enable signal was applied.The scan function was disabled when there existed security information in the chip.It solved the problem of secure information disclosure caused by scan chain design.

Mao Baolei,Hu Wei,Tai Yu,Zhang Huixiang,Mu Dejun

DOI: https://doi.org/10.1109/tencon.2013.6718912

2013-01-01

Abstract:Hardware designers tend to focus more on function correctness and performance parameters of the system than information security. As a result, hardware devices are disclosing confidential information through system side effects, which is vulnerable to attackers. Unfortunately, conventional security countermeasures such as encryption algorithms and access control mechanisms are inefficient in preventing information leakage through hard-to-detect covert channels. Recently, gate level information flow tracking (GLIFT) has been proposed to monitor all digital information flows in the underlying hardware and prevent information leakage caused by undesired interference between different hardware components. However, existing work in this realm restricts to combinational logic, which is not applicable for sequential circuits. This paper extends the GLIFT method to sequential logic and presents various methodologies for secure hardware design by enforcing bit-tight information flow control. Finally, experiments are conducted to evaluate area and performance overheads of the GLIFT method using sequential benchmarks.

Yu Tai,Wei Hu,Hui-Xiang Zhang,De-Jun Mu,Xing-Li Huang

DOI: https://doi.org/10.3103/s0146411616050096

2016-01-01

Automatic Control and Computer Sciences

Abstract:Vulnerabilities such as design flaws, malicious codes and covert channels residing in hardware design are known to expose hard-to-detect security holes. However, security hole detection methods based on functional testing and verification cannot guarantee test coverage or identify malicious code triggered under specific conditions and hardware-specific covert channels. As a complement approach to cipher algorithms and access control, information flow analysis techniques have been proved to be effective in detecting security vulnerabilities and preventing attacks through side channels. Recently, gate level information flow tracking (GLIFT) has been proposed to enforce bittight information flow security from the level of Boolean gates, which allows detection of hardware-specific security vulnerabilities. However, the inherent high complexity of GLIFT logic causes significant overheads in verification time for static analysis or area and performance for physical implementation, especially under multilevel security lattices. This paper proposes to reduce the complexity of GLIFT logic through state encoding and logic optimization techniques. Experimental results show that our methods can reduce the complexity of GLIFT logic significantly, which will allow the application of GLIFT for proving multilevel information flow security.

Andrew Becker,Wei Hu,Yu Tai,Philip Brisk,Ryan Kastner,Paolo Ienne

DOI: https://doi.org/10.1145/3061639.3062203

2017-01-01

Abstract:Hardware has become an increasingly attractive target for attackers, yet we still largely lack tools that enable us to analyze large designs for security flaws. Information flow tracking (IFT) models provide an approach to verifying a hardware design's adherence to security properties related to isolation and reachability.

Wei Hu,Armaiti Ardeshiricham,Mustafa S. Gobulukoglu,Xinmu Wang,Ryan Kastner

DOI: https://doi.org/10.1145/3240765.3240839

2018-01-01

Abstract:Hardware information flow analysis detects security vulnerabilities resulting from unintended design flaws, timing channels, and hardware Trojans. These information flow models are typically generated in a general way, which includes a significant amount of redundancy that is irrelevant to the specified security properties. In this work, we propose a property specific approach for information flow security. We create information flow models tailored to the properties to be verified by performing a property specific search to identify security critical paths. This helps find suspicious signals that require closer inspection and quickly eliminates portions of the design that are free of security violations. Our property specific trimming technique reduces the complexity of the security model; this accelerates security verification and restricts potential security violations to a smaller region which helps quickly pinpoint hardware security vulnerabilities.

Maoyuan Qin,Jiacheng Zhu,Baolei Mao,Wei Hu

DOI: https://doi.org/10.1016/j.vlsi.2023.102089

2024-01-01

Abstract:Security vulnerabilities provide attackers unauthorized access to critical resources and effective attack surfaces to compromise a system. Security verification is an emerging technique for detecting and locating such threats. However, existing security verification methods are typically restricted within the hardware or software boundary and incapable of meeting cross-layer verification requirements due to the differences in design semantics and the lack of a security model that fits both hardware and software. We attempt to address such a limitation from the perspective of information flow analysis and propose a hardware/software security co-verification method, which can check information flow security properties on fine-grained hardware information flow models. The proposed method can pinpoint security vulnerabilities by capturing information flow security property violations under clues of malicious information flows. Our information flow security model and properties are described using standard hardware design and verification languages, which allows our method to be seamlessly integrated with electronics design automation flows. Experimental results using RISC-V hardware/software designs show that the proposed method detects software, hardware and system-level security vulnerabilities, effectively.

Wei Hu,Jason Oberg,Ali Irturk,Mohit Tiwari,Timothy Sherwood,Dejun Mu,Ryan Kastner

DOI: https://doi.org/10.1109/TIFS.2012.2189105

IF: 7.231

2012-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Hardware-based side channels are known to expose hard-to-detect security holes enabling attackers to get a foothold into the system to perform malicious activities. Despite this fact, security is rarely accounted for in hardware design flows. As a result, security holes are often only identified after significant damage has been inflicted. Recently, gate level information flow tracking (GLIFT) has been proposed to verify information flow security at the level of Boolean gates. GLIFT is able to detect all logical flows including hardware specific timing channels, which is useful for ensuring properties related to confidentiality and integrity and can even provide real-time guarantees on system behavior. GLIFT can be integrated into the standard hardware design, testing and verification process to eliminate unintended information flows in the target design. However, generating GLIFT logic is a difficult problem due to its inherent complexity and the potential losses in precision. This paper provides a formal basis for deriving GLIFT logic which includes a proof on the NP-completeness of generating precise GLIFT logic and a formal analysis of the complexity and precision of various GLIFT logic generation algorithms. Experimental results using IWLS benchmarks provide a practical understanding of the computational complexity.

Maoyuan Qin,Wei Hu,Xinmu Wang,Dejun Mu,Baolei Mao

DOI: https://doi.org/10.1016/j.cose.2019.05.005

IF: 5.105

2019-01-01

Computers & Security

Abstract:Digital hardware lies in the heart of systems deployed in finance, medical care, basic infrastructure and national defense systems. However, due to the lack of effective security verification tools, hardware designs may contain security vulnerabilities resulting from performance optimizations, side channels, insecure debug ports and hardware Trojans, which provide attackers low level access to critical resources and effective attack surface to compromise a system. To address these security threats, we propose a theorem proof based gate level information flow tracking (GLIFT) method for formal verification of security properties and identifying security vulnerabilities that cause security property violations. Our method integrates a precise information flow tracking (IFT) model with the Coq theorem proof environment, inheriting the accuracy of GLIFT and the scalability of theorem proving based formal verification. We formalize semantic circuits and security theorems for proving security properties in order to detect security violations. The proposed method has been demonstrated on an OpenRISC development interface core and an RSA implementation both from OpenCores as well as several Trojan benchmarks from Trust-HUB. Experimental results show that the proposed method detects insecure debug port, timing channel and hardware Trojans that cause violation of important security properties such as confidentiality, integrity and isolation and also derives the trigger condition of hardware Trojans.

Yu Tai,Wei Hu,Dejun Mu,Baolei Mao,Lu Zhang

DOI: https://doi.org/10.1109/ACCESS.2017.2780254

IF: 3.9

2018-01-01

IEEE Access

Abstract:Computing hardware has become an attractive attack surface due to the globalization of semi-conductor design and supply chain, and the wide integration of third-party intellectual property cores. Recently, gate-level information flow tracking (GLIFT) has been proposed to monitor the flow of information in secure hardware design by associating data objects with sensitivity labels and tracking the flow of labeled data. GLIFT can be used to model and verify security-related properties, such as confidentiality and integrity. However, existing work in this realm only considers binary labels. These are inadequate for understanding simultaneous information flow behaviors and the root source information flows. In this paper, we propose a precise multi-bit GLIFT method to perform simultaneous multi-bit flow tracking for understanding exactly which bits are affecting a data object at the same time. The proposed method provides more detailed insights into simultaneous information flow behaviors and thus allows proof of quantitative information flow data properties. We compare the complexity and verification performance for different information flow models using primitive gates, IWLS benchmarks, several cryptographic cores, and trust HUB benchmarks. Experimental results have demonstrated that our method can reason about multi-bit information flow behaviors and identify potential security flaws.

Zichen Zhou,Bin Xu,Qining Lu,Bo Yin,Renhao Fan,Tao Liu,Xiang Wang

2012-01-01

Abstract:This paper presents a series of novel architectural-enhanced security solutions. In the crosscompilation link stage, the automated compiler extracts the intrusion model for instruction code and static data, meanwhile secure tags of each main memory segment are added at the compile time automatically. At runtime, the designed hardware observes its dynamic execution trace and checks whether the trace conforms to the permissible behavior and trigger appropriate response mechanisms. The proposed methods don’t change the compiler or the existing instruction set and imposes no special restriction to the software developer. The hardware structure of protection design is implemented on an actual OR1200FPGA platform. The experimental analysis shows that the proposed techniques can prevent a wide range of common software and physical attacks with minimal resource cost and low performance consumption.

Qiang Hao,Zhun Zhang,Dongdong Xu,Jiqing Wang,Jiakang Liu,Jinlei Zhang,Jinhui Ma,Xiang Wang

DOI: https://doi.org/10.3390/app12157750

2022-01-01

Applied Sciences

Abstract:As technology evolves, embedded systems access more networks and devices, which means more security threats. Existing security-monitoring methods with a single parameter (data or control flow) are not effective in detecting attackers tampering with the data or control flow of an embedded system. However, simply overlaying multiple security methods will result in excessive performance overhead for embedded systems. In this paper, we propose a novel hardware security-monitoring architecture that extracts DI (data integrity) digests and CFI (control flow integrity) tags to generate reference information when the program is offline. To monitor the indirect jumping behavior, this paper maps the legal target addresses into the bitmap, thus saving the search time. When the program is loaded, the reference information and the bitmap are safely loaded into the on-chip memory. The hardware monitoring module designed in this paper will check the DI summary and CFI tags in real time while executing the program. The architecture proposed in this paper has been implemented on the Xilinx Virtex 5 FPGA platform. Experimental results show that, compared with existing protection methods, the proposed approach in this paper can effectively detect multiple tampering-type attacks on the data and control flow of the embedded system, with a performance overhead of about 6%.

Ke Jiang,Tianwei Zhang,David Sanán,Yongwang Zhao,Yang Liu

DOI: https://doi.org/10.1007/978-3-031-17244-1_12

2022-01-01

Abstract:Security-aware CPU caches have been designed to mitigate side-channel attacks and prevent information leakage. How to validate the effectiveness of these designs remains an unsolved problem. Prior works assess the security of architectures empirically without a formal guarantee, making the evaluation results less convincing. In this paper, we propose a comprehensive methodology based on formal methods for security verification of cache architectures. Specifically, we design an entropy-based noninterference reasoning framework with two unwinding conditions to assess the information leakage of the cache designs. The reasoning framework quantifies the dependency relationships by the mutual information between the distributions of input and output of side channels. Given a cache design, we formalize its behavior specification along with the cache layouts into an abstract state machine, to instantiate the parameterized reasoning framework that discloses any potential vulnerabilities. We use our methodology to assess eight state-of-the-art cache architectures to demonstrate reliability as well as flexibility.

Wei Hu,Baolei Mao,Jason Oberg,Ryan Kastner

DOI: https://doi.org/10.1109/MC.2016.225

2016-01-01

IEEE Computer

Abstract:A method based on information-flow tracking uses gate-level logic to detect hardware Trojans that violate the confidentiality and integrity properties of third-party IP cores. Experiments on trust-HUB benchmarks show that the method reveals Trojan behavior and unintentional design vulnerabilities that functional testing cannot pinpoint.

Lennart M. Reimann,Jonathan Wiesner,Dominik Sisejkovic,Farhad Merchant,Rainer Leupers

2023-08-05

Abstract:Despite its ever-increasing impact, security is not considered as a design objective in commercial electronic design automation (EDA) tools. This results in vulnerabilities being overlooked during the software-hardware design process. Specifically, vulnerabilities that allow leakage of sensitive data might stay unnoticed by standard testing, as the leakage itself might not result in evident functional changes. Therefore, EDA tools are needed to elaborate the confidentiality of sensitive data during the design process. However, state-of-the-art implementations either solely consider the hardware or restrict the expressiveness of the security properties that must be proven. Consequently, more proficient tools are required to assist in the software and hardware design. To address this issue, we propose SoftFlow, an EDA tool that allows determining whether a given software exploits existing leakage paths in hardware. Based on our analysis, the leakage paths can be retained if proven not to be exploited by software. This is desirable if the removal significantly impacts the design's performance or functionality, or if the path cannot be removed as the chip is already manufactured. We demonstrate the feasibility of SoftFlow by identifying vulnerabilities in OpenSSL cryptographic C programs, and redesigning them to avoid leakage of cryptographic keys in a RISC-V architecture.

Cryptography and Security,Hardware Architecture

Wei Hu,Xinmu Wang,Dejun Mu

DOI: https://doi.org/10.1109/apccas.2018.8605726

2018-01-01

Abstract:Security path verification is an effective measure for identifying design paths that can lead to security violations. However, existing techniques in this realm typically lack the flexibility in formal models for verification performance-precision tradeoffs and rely on new design languages and tools. In this paper, we propose a security path verification technique through joint information flow analysis. We formalize qualitative information flow models of different precision and complexity to enable verification performance tradeoffs. We further employ quantitative information flow metrics to assess the severity of identified security path violations. Our information flow models and security properties are described in standard HDL and property specification languages respectively, allowing verification to be performed using tools familiar to hardware designers. Experimental results show that our method is effective in identifying security vulnerabilities caused by design flaw, timing channel and hardware Trojan with verification performance benefits.

Zichen Zhou,Bo Yin,Renhao Fan,Tao Liu,Bin Xu,Xiang Wang

2011-01-01

Abstract:Most embedded systems present a number of software vulnerabilities, such as buffer overflow, while the physical attacks are becoming popular as well. This paper presents a series of novel architectural-enhanced security solutions. The automated compiler extracts the intrusion model for intrusion detection and secure tag of each main memory segment at the compile time automatically. At runtime, the designed hardware observes its dynamic execution trace and checks whether the trace conforms to the permissible behavior and trigger appropriate response mechanisms. The proposed schemes don't change the compiler or the existing instruction set and imposes no restriction to the software developer. The architectural design is implemented on an actual OR1200-FPGA platform. The experimental analysis shows that the proposed techniques can eliminate a wide range of common software and physical attacks with low performance penalties and minimal overheads.

Wei Hu,Dejun Mu,Jason Oberg,Baolei Mao,Mohit Tiwari,Timothy Sherwood,Ryan Kastner

DOI: https://doi.org/10.1145/2676548

IF: 1.447

2014-01-01

ACM Transactions on Design Automation of Electronic Systems

Abstract:High-assurance systems found in safety-critical infrastructures are facing steadily increasing cyber threats. These critical systems require rigorous guarantees in information flow security to prevent confidential information from leaking to an unclassified domain and the root of trust from being violated by an untrusted party. To enforce bit-tight information flow control, gate-level information flow tracking (GLIFT) has recently been proposed to precisely measure and manage all digital information flows in the underlying hardware, including implicit flows through hardware-specific timing channels. However, existing work in this realm either restricts to two-level security labels or essentially targets two-input primitive gates and several simple multilevel security lattices. This article provides a general way to expand the GLIFT method for multilevel security. Specifically, it formalizes tracking logic for an arbitrary Boolean gate under finite security lattices, presents a precise tracking logic generation method for eliminating false positives in GLIFT logic created in a constructive manner, and illustrates application scenarios of GLIFT for enforcing multilevel information flow security. Experimental results show various trade-offs in precision and performance of GLIFT logic created using different methods. It also reveals the area and performance overheads that should be expected when expanding GLIFT for multilevel security.

Xiang Wang,Bin Xu,Weike Wang,Zhun Zhang,Xiaobing Zhang,Qiang Hao,Tongsheng Xia

DOI: https://doi.org/10.1109/icsess.2018.8663802

2018-01-01

Abstract:In order to resist software attack (such as buffer overflow) and hardware attack of embedded system, this paper presents a series of novel architectural-enhanced security solutions, including tracing the crucial process of execution behavior, cryptographic algorithm and integrity schemes for memory authentication and secure tag validation. The design is implemented on an actual FPGA platform. The experimental result shows that this design can eliminate a wide range of software and hardware attacks with low performance loss and minimal resource overheads.

Ryan Kastner,Jason Oberg,Wei Hu,Ali Irturk

2011-01-01

Abstract:Trusted systems fundamentally rely on the ability to tightly control the flow of information both in-to and out-of the device. Due to their inherent programmability, reconfigurable systems are riddled with security holes (timing channels, undefined behaviors, storage channels, backdoors) which can be used as a foothold for attackers to strike. System designers are constantly forced to respond to these attacks, often only after significant damage has been inflicted. We propose to use the reconfigurable nature of the system to our advantage by taking a bottom-up, hardware based approach to security. Using an information flow secure hardware foundation, which can precisely verify all information flows from Boolean gates, security can be verified all the way up the system stack. This can be used to ensure private keys are never leaked (for secrecy), and that untrusted information will not be used in the making of critical decisions (for safety and fault tolerance).

Jeremy Blackstone,Wei Hu,Alric Althoff,Armaiti Ardeshiricham,Lu Zhang,Ryan Kastner

DOI: https://doi.org/10.48550/arxiv.2012.02791

2020-01-01

Abstract: Classic hardware verification techniques (e.g., X-propagation and fault-propagation) and more recent hardware security verification techniques based on information flow tracking (IFT) aim to understand how information passes, affects, and otherwise modifies a circuit. These techniques all have separate usage scenarios, but when dissected into their core functionality, they relate in a fundamental manner. In this paper, we develop a common framework for gate level propagation analysis. We use our model to generate synthesizable propagation logic to use in standard EDA tools. To justify our model, we prove that Precise Hardware IFT is equivalent to gate level X-propagation and imprecise fault propagation. We also show that the difference between Precise Hardware IFT and fault propagation is not significant for 74X-series and '85 ISCAS benchmarks with more than 313 gates and the difference between imprecise hardware IFT and Precise Hardware IFT is almost always significant regardless of size.