Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Thomas Bourgeat,Ian Clester,Andres Erbsen,Samuel Gruetter,Pratap Singh,Andy Wright,Adam Chlipala

DOI: https://doi.org/10.1145/3607833

2023-08-30

Proceedings of the ACM on Programming Languages

Abstract:Instruction sets, from families like x86 and ARM, are at the center of many ambitious formal-methods projects. Many verification, synthesis, programming, and debugging tools rely on formal semantics of instruction sets, but different tools can use semantics in rather different ways. The best-known work applying single semantics across diverse tools relies on domain-specific languages like Sail, where the language and its translation tools are specialized to the realm of instruction sets. In the context of the open RISC-V instruction-set family, we decided to explore a different approach, with semantics written in a carefully chosen subset of Haskell. This style does not depend on any new language translators, relying instead on parameterization of semantics over type-class instances. We have used a single core semantics to support testing, interactive proof, and model checking of both software and hardware, demonstrating that monads and the ability to abstract over them using type classes can support pleasant prototyping of ISA semantics.

Thomas Bourgeat,Ian Clester,Andres Erbsen,Samuel Gruetter,Pratap Singh,Andrew Wright,Adam Chlipala

DOI: https://doi.org/10.48550/arXiv.2104.00762

2022-11-17

Abstract:Instruction sets, from families like x86 and ARM, are at the center of many ambitious formal-methods projects. Many verification, synthesis, programming, and debugging tools rely on formal semantics of instruction sets, but different tools can use semantics in rather different ways. As a result, a central challenge for that community is how semantics should be written and what techniques should be used to connect them to new use cases. The best-known work applying single semantics across quite-different tools relies on domain-specific languages like Sail, where the language and its translation tools are specialized to the realm of instruction sets. We decided to explore a different approach, with semantics written in a carefully chosen subset of Haskell. This style does not depend on any new language translators, relying instead on parameterization of semantics over type-class instances. As a result, a semantics can be a first-class object within a logic, and application of a semantics for a new kind of tool can be a first-class operation in the logic, allowing sharing of theorems across applications. Our case study is for the open RISC-V instruction-set family, and we have used a single core semantics to support testing, interactive proof, and model checking of both software and hardware. We especially highlight an application of a first-class semantics within Coq that can be instantiated in different ways within one proof: simulation between variants where multiplication is implemented in hardware or in the machine code of a particular software trap handler.

Logic in Computer Science

Sharar Ahmadi,Brijesh Dongol,Matt Griffin

DOI: https://doi.org/10.1016/j.scico.2024.103088

IF: 1.039

2024-01-30

Science of Computer Programming

Abstract:Security-critical applications often rely on memory isolation mechanisms to ensure integrity of critical data (e.g., keys) and program instructions (e.g., implementing an attestation protocol). These include software-based security microvisor S μV or hardware-based (e.g., TrustLite or SMART) techniques. Here, we must guarantee that during an execution of a program, none of the assembly-level instructions corresponding to the program violate the imposed memory access restrictions. We focus on two security architectures (S μV and TrustLite). We use Binary Analysis Platform (BAP) to generate assembly-level code in an intermediate language (BIL) for a compiled C program. This is then translated to Isabelle/HOL theories. We develop an operational semantics by defining a collection of transition rules for a subset of BIL (called AIRv2) that is sufficient for our work. We develop an adversary model and define conformance predicates for each assembly-level instruction. A conformance predicate holds iff the associated memory access restriction imposed by the underlying security architecture is satisfied. We generate a set of programs covering all possible cases in which an assembly-level instruction attempts to violate at least one of the conformance predicates. For S μV, we capture all such violations not only by checking specific lines of the program but also by applying the operational semantics for every machine-state transition. This shows that the memory access restrictions of S μV is operationally maintained. For TrustLite, we capture all such violations by checking specific lines of the program. Also, we provide an example to show how we can use the operational semantics to capture such violations.

computer science, software engineering

陈文智,姜振宇,吴帆

DOI: https://doi.org/10.3724/sp.j.1016.2008.01888

2009-01-01

Abstract:As a typical representative of RISC architecture,MIPS has the problem of low code density and ineffective utilization of instruction fields,making procedure volume expansion.The authors made some extensions to the existing MIPS Instruction Set,called exMIPS ISA.The authors propose an instruction fusion technology for the MIPS architecture.The pre-fetched instructions was converted into exMIPS ISA,and multiple sequential instructions was compressed and merged into a single instruction when meeting the fusion-condition.A fused instruction′s execution is equivalent to multiple instructions running at the same time,and will gain extra CPU performance.The process of instruction fusion also enhances the effective utilization of the instruction fields and improves code density.Experimental results from SimpleScalar simulation platform show that great improvement can be achieved.

Shisong Qin,Chao Zhang,Kaixiang Chen,Zheming Li

DOI: https://doi.org/10.1145/3460319.3464842

2021-01-01

Abstract:ARM has become the most competitive processor architecture. Many platforms or tools are developed to execute or analyze ARM instructions, including various commercial CPUs, emulators, and binary analysis tools. However, they have deviations when processing the same ARM instructions, and little attention has been paid to systematically analyze such semantic deviations, not to mention the security implications of such deviations. In this paper, we conduct an empirical study on the ARM Instruction Semantic Deviation (ISDev) issue. First, we classify this issue into several categories and analyze the security implications behind them. Then, we further demonstrate several novel attacks which utilize the ISDev issue, including stealthy targeted attacks and targeted defense evasion. Such attacks could exploit the semantic deviations to generate malware that is specific to certain platforms or able to detect and bypass certain detection solutions. We have developed a framework iDEV to systematically explore the ISDev issue in existing ARM instructions processing tools and platforms via differential testing. We have evaluated iDEV on four hardware devices, the QEMU emulator, and five disassemblers which could process the ARMv7-A instruction set. The evaluation results show that, over six million instructions could cause dynamic executors (i.e., CPUs and QEMU) to present different runtime behaviors, and over eight million instructions could cause static disassemblers yielding different decoding results, and over one million instructions cause inconsistency between dynamic executors and static disassemblers. After analyzing the root causes of each type of deviation, we point out they are mostly due to ARM unpredictable instructions and program defects.

Deepak Krishnankutty,Zheng Li,Ryan Robucci,Nilanjan Banerjee,Chintan Patel

DOI: https://doi.org/10.1109/tc.2020.3018092

IF: 3.183

2020-11-01

IEEE Transactions on Computers

Abstract:Embedded systems are prone to leak information via side-channels associated with their physical internal activity, such as power consumption, timing, and faults. Leaked information can be analyzed to extract sensitive data and devices should be assessed for such vulnerabilities. Side-channel power-supply leakage from embedded devices can also provide information regarding instruction-level activity for control code executed on these devices. Methods proposed to disassemble instruction-level activity via side-channel leakage have not addressed issues related to pipelined multi-clock-cycle architectures, nor have proven robustness or reliability. The problem of detecting malicious code modifications while not obstructing the sequence of instructions being executed needs to be addressed. In this article, instruction sequences being executed on a general-purpose pipelined computing platform are identified and instructions that make up these sequences are classified based on hardware utilization. Individual instruction classification results using a fine-grained classifier is also presented. A dynamic programming algorithm was applied to detect the boundaries of instructions in a sequence with a 100 percent accuracy. A unique aspect of this technique is the use of multiple power supply pin measurements to increase precision and accuracy. To demonstrate the robustness of this technique, power leakage data from ten target FPGAs programmed with a prototype of the pipelined architecture was analyzed and classification accuracies averaging 99 percent were achieved with instructions labeled based on hardware utilization. Individual instruction classification accuracies above 90 percent were achieved using a fine-grained classifier. Classification accuracies were also verified when a target FPGA was subjected to different controlled temperatures. The classification accuracies on discrete (ASIC) pipelined-architecture microcontrollers was 97 percent.

engineering, electrical & electronic,computer science, hardware & architecture

Vania Joloboff,Shengpeng Liu,Fei He

2014-01-01

Abstract:We present here an architecture compiler, namely a software that takes as input the description of a processor architecture as it is available from the vendors on their web site, and generates an instruction set simulator for that processor, which can be readily integrated into a simulation framework. This architecture compiler extracts relevant information from the .pdf file, translated into an XML specification. After further XML transformations, the C++ code of the simulator is finally generated. The paper details the approach and the results for the ARM Version 7 processor, that is suitable for other architectures as well.

Rui Chang,Liehui Jiang,Wenzhi Chen,Yang Xiang,Yuxia Cheng,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1007/s10586-017-0833-4

2017-01-01

Cluster Computing

Abstract:With the rapid development of Internet of Things technology and the promotion of embedded devices’ computation performance, smart devices are probably open to security threats and attacks while connecting with rich and novel Internet. Attracting lots of attention in embedded system security community recently, Trusted Execution Environment (TEE), allows for the execution of arbitrary code within environments completely isolated from the rest of a system. However, existing memory protection methods in a TEE are inadequate. In general, the software-based formal methods are not practical and the hardware-based implementation approaches lack of theoretical proof. To address the memory isolation and protection problems in TEE, in this paper, we propose a practical memory integrity protection method on an ARM-based platform, called MIPE, to defend against security threats including kernel data attacks and direct memory access attacks. MIPE utilizes TrustZone technique to create a isolated execution environment, which can protect the sensitive code and data against attacks. To present the integrity protection strategies, we provide the design of MIPE using B method, which is a practical formal method. We also implement MIPE on the Xilinx Zynq ZC702 evaluation board. The evaluation results show that the automatic proof rate of machines using B method is about 78.32%, and the proposed method is effective and feasible in terms of both load time and overhead.

Akito Monden,Antoine Monsifrot,Clark Thomborson

2003-01-01

Abstract:Many computer systems are designed to make it easy for end-users to install and update software. An undesirable side-effect, from the perspective of many software producers, is that hostile end-users may analyze or tamper with the software being installed or updated. This paper proposes a way to avoid the side-effect without affecting the ease of installation and update. We construct a computer system M with the following properties: 1) the end-user may install program P in any conveniently accessible area of M; 2) the program P contains obfuscated instructions whose semantics are obscure and difficult to understand; and 3) an internal interpreter W, embedded in a non-accessible area of M, interprets the obfuscated instructions without revealing their semantics. Our W is a finite state machine (FSM) which gives context-dependent semantics and operand syntax to the obfuscated instructions in P; thus, attempts to statically analyze the relation between instructions and their semantics will not succeed. We present a systematic method to construct a P whose instruction stream is always interpreted correctly regardless of its input, even though changes in input will (in general) affect the execution sequence of instructions in P. Our framework is easily applied to conventional computer systems by adding a FSM unit to a virtual machine or a reconfigurable processor.

Kui Yi,YueHua Ding

DOI: https://doi.org/10.1109/JCAI.2009.158

2009-04-25

Abstract:In this paper, we analyze MIPS instruction format¿ instruction data path¿decoder module function and design theory basend on RISC CPUT instruction set. Furthermore, we design instruction fetch(IF) module of 32-bit CPU based on RISC CPU instruction set. Function of IF module mainly includes fetch instruction and latch module¿address arithmetic module¿ check validity of instruction module¿synchronous control module. Function of IF modules are implemented by pipeline and simulated successfully on QuartusII¿

Engineering,Computer Science

Gideon Mohr,Marco Guarnieri,Jan Reineke

2024-01-18

Abstract:Microarchitectural attacks compromise security by exploiting software-visible artifacts of microarchitectural optimizations such as caches and speculative execution. Defending against such attacks at the software level requires an appropriate abstraction at the instruction set architecture (ISA) level that captures microarchitectural leakage. Hardware-software leakage contracts have recently been proposed as such an abstraction. In this paper, we propose a semi-automatic methodology for synthesizing hardware-software leakage contracts for open-source microarchitectures. For a given ISA, our approach relies on human experts to (a) capture the space of possible contracts in the form of contract templates and (b) devise a test-case generation strategy to explore a microarchitecture's potential leakage. For a given implementation of an ISA, these two ingredients are then used to automatically synthesize the most precise leakage contract that is satisfied by the microarchitecture. We have instantiated this methodology for the RISC-V ISA and applied it to the Ibex and CVA6 open-source processors. Our experiments demonstrate the practical applicability of the methodology and uncover subtle and unexpected leaks.

Cryptography and Security

Yuze Wang,Peng Liu,Weidong Wang,Xiaohang Wang,Yingtao Jiang

DOI: https://doi.org/10.1109/tc.2021.3097174

IF: 3.183

2021-01-01

IEEE Transactions on Computers

Abstract:One major security vulnerability of a microprocessor can be attributed to its underlying instruction set architecture (ISA). Generally, it is required that no secret instructions be included in the ISA or implemented in the processor micro-architecture. Such a requirement is particularly important for the reduced instruction set computing (RISC) processors that are widely used nowadays, and applying the proposed consistency testing approach is poised to ensure this requirement is met. Capable of revealing any possible dark instructions (i.e., executable instructions but without clear definitions of their behavior) in RISC processors, a consistency test comes in three phases. During the generation phase, based on the instruction set encoding rules, all the undefined instructions are generated. Even with a smaller test space, this step guarantees the test coverage needed to reveal all the dark instructions that may exist. In the next phase, all the undefined instructions obtained from the previous phase are executed on the processor under test, following a set of persistence strategies; any instruction exhibiting unusual execution result will be deemed suspicious and recorded so. During the last analysis phase, each of those recorded suspicious instructions will be checked and analyzed to decide whether it truly constitutes a dark instruction. We have applied the proposed testing model and strategy to several RISC processors and found that all of them have a few dark instructions previously unknown. The potential vulnerabilities of these processors introduced by their respective dark instructions have thus been evaluated and exposed.

engineering, electrical & electronic,computer science, hardware & architecture

MAIER Stefan

2008-01-01

Abstract:In order to gain the great performance of ASIP,this paper discusses different aspects of an ASIP instruction set specification like syntax,encoding,constraints as well as behaviors,and introduces our ADL model based methodology to check them.The automatic generation of test cases based on our straight-forward instruction representation is shown,and the efficient generation of them with good coverage is shown as well.The verification of the constraint checker,a very important tool for programmer,is performed.Results show that the toolkit can find some errors in previous delivery tools,and the introduced methodology verifies the feasibility of our instruction set specification.

Yuze Wang,Peng Liu,Weidong Wang,Xiaohang Wang,Yingtao Jiang

DOI: https://doi.org/10.1109/tc.2021.3097174

IF: 3.183

2021-01-01

IEEE Transactions on Computers

Abstract:One major security vulnerability of a microprocessor can be attributed to its underlying instruction set architecture (ISA). Generally, it is required that no secret instructions be included in the ISA or implemented in the processor micro-architecture. Such a requirement is particularly important for the reduced instruction set computing (RISC) processors that are widely used nowadays, and applying the proposed consistency testing approach is poised to ensure this requirement is met. Capable of revealing any possible dark instructions (i.e., executable instructions but without clear definitions of their behavior) in RISC processors, a consistency test comes in three phases. During the generation phase, based on the instruction set encoding rules, all the undefined instructions are generated. Even with a smaller test space, this step guarantees the test coverage needed to reveal all the dark instructions that may exist. In the next phase, all the undefined instructions obtained from the previous phase are executed on the processor under test, following a set of persistence strategies; any instruction exhibiting unusual execution result will be deemed suspicious and recorded so. During the last analysis phase, each of those recorded suspicious instructions will be checked and analyzed to decide whether it truly constitutes a dark instruction. We have applied the proposed testing model and strategy to several RISC processors and found that all of them have a few dark instructions previously unknown. The potential vulnerabilities of these processors introduced by their respective dark instructions have thus been evaluated and exposed.

Anirban Chakraborty,Nimish Mishra,Debdeep Mukhopadhyay

2024-06-15

Abstract:Transient execution attacks have been one of the widely explored microarchitectural side channels since the discovery of Spectre and Meltdown. However, much of the research has been driven by manual discovery of new transient paths through well-known speculative events. Although a few attempts exist in literature on automating transient leakage discovery, such tools focus on finding variants of known transient attacks and explore a small subset of instruction set. Further, they take a random fuzzing approach that does not scale as the complexity of search space increases. In this work, we identify that the search space of bad speculation is disjointedly fragmented into equivalence classes, and then use this observation to develop a framework named Shesha, inspired by Particle Swarm Optimization, which exhibits faster convergence rates than state-of-the-art fuzzing techniques for automatic discovery of transient execution attacks. We then use Shesha to explore the vast search space of extensions to the x86 Instruction Set Architecture (ISAs), thereby focusing on previously unexplored avenues of bad speculation. As such, we report five previously unreported transient execution paths in Instruction Set Extensions (ISEs) on new generation of Intel processors. We then perform extensive reverse engineering of each of the transient execution paths and provide root-cause analysis. Using the discovered transient execution paths, we develop attack building blocks to exhibit exploitable transient windows. Finally, we demonstrate data leakage from Fused Multiply-Add instructions through SIMD buffer and extract victim data from various cryptographic implementations.

Cryptography and Security

Adwait Godbole,Yatin A. Manerkar,Sanjit A. Seshia

2024-06-08

Abstract:Microarchitectural security verification of software has seen the emergence of two broad classes of approaches. The first is based on semantic security properties (e.g., non-interference) which are verified for a given program and a specified abstract model of the hardware microarchitecture. The second is based on attack patterns, which, if found in a program execution, indicates the presence of an exploit. While the former uses a formal specification that can capture several gadget variants targeting the same vulnerability, it is limited by the scalability of verification. Patterns, while more scalable, must be currently constructed manually, as they are narrower in scope and sensitive to gadget-specific structure. This work develops a technique that, given a non-interference-based semantic security hyperproperty, automatically generates attack patterns up to a certain complexity parameter (called the skeleton size). Thus, we combine the advantages of both approaches: security can be specified by a hyperproperty that uniformly captures several gadget variants, while automatically generated patterns can be used for scalable verification. We implement our approach in a tool and demonstrate the ability to generate new patterns, (e.g., for SpectreV1, SpectreV4) and improved scalability using the generated patterns over hyperproperty-based verification.

Cryptography and Security,Hardware Architecture

Zichen Zhou,Bo Yin,Renhao Fan,Tao Liu,Bin Xu,Xiang Wang

2011-01-01

Abstract:Most embedded systems present a number of software vulnerabilities, such as buffer overflow, while the physical attacks are becoming popular as well. This paper presents a series of novel architectural-enhanced security solutions. The automated compiler extracts the intrusion model for intrusion detection and secure tag of each main memory segment at the compile time automatically. At runtime, the designed hardware observes its dynamic execution trace and checks whether the trace conforms to the permissible behavior and trigger appropriate response mechanisms. The proposed schemes don't change the compiler or the existing instruction set and imposes no restriction to the software developer. The architectural design is implemented on an actual OR1200-FPGA platform. The experimental analysis shows that the proposed techniques can eliminate a wide range of common software and physical attacks with low performance penalties and minimal overheads.

Muhui Jiang,Tianyi Xu,Yajin Zhou,Yufeng Hu,Ming Zhong,Lei Wu,Xiapu Luo,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2105.14273

2021-08-12

Abstract:Emulator is widely used to build dynamic analysis frameworks due to its fine-grained tracing capability, full system monitoring functionality, and scalability of running on different operating systemsand architectures. However, whether the emulator is consistent with real devices is unknown. To understand this problem, we aim to automatically locate inconsistent instructions, which behave differently between emulators and real devices. We target ARM architecture, which provides machine readable specification. Based on the specification, we propose a test case generator by designing and implementing the first symbolic execution engine for ARM architecture specification language (ASL). We generate 2,774,649 representative instruction streams and conduct differential testing with these instruction streams between four ARM real devices in different architecture versions (i.e., ARMv5, ARMv6, ARMv7-a, and ARMv8-a) and the state-of-the-art emulators (i.e., QEMU). We locate 155,642 inconsistent instruction streams, which cover 30% of all instruction encodings and 47.8% of the instructions. We find undefined implementation in ARM manual and implementation bugs of QEMU are the major causes of inconsistencies. Furthermore, we discover four QEMU bugs, which are confirmed and patched by thedevelopers, covering 13 instruction encodings including the most commonly used ones (e.g.,STR,BLX). With the inconsistent instructions, we build three security applications and demonstrate thecapability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Cryptography and Security

Yao Yingbiao,Liu Peng,Yao Qingdong,Xiao Zhibin

DOI: https://doi.org/10.3321/j.issn:1003-9775.2006.10.004

2006-01-01

Journal of Computer-Aided Design & Computer Graphics

Abstract:According to the function,syntax format and semantic requirements of instructions,we build instruction type sets and instruction operand sets of microprocessor.Then we create an instruction generation model for each instruction type set and verification program templates based on instruction generation models,verification plan,etc.Focusing on the functional verification of instruction sequences,we introduce its verification method which is based on the basic state transition path of FSM abstracted from pipeline control unit of microprocessor.At last,verification programs can be pseudo-randomly generated according to program templates.Experimental results show that this approach can efficiently generate RISC3200's verification programs with high functional coverage and low simulation time.