Xingyu Meng,Kshitij Raj,Sandip Ray,Kanad Basu

DOI: https://doi.org/10.1109/tcad.2022.3179307

IF: 2.9

2023-01-21

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Modern System-on-Chip (SoC) designs include a variety of Network-on-Chip (NoC) fabrics to implement coordination and communication of integrated hardware intellectual property (IP) blocks. An important class of security vulnerabilities involves a rogue hardware IP interfering with this communication to compromise the integrity of the system. Such interference includes message mutation, misdirection, delivery prevention, or IP masquerading, among others. In this article, we propose a scalable RTL-level SoC validation scheme, SeVNoC, for the systematic detection of security violations in inter-IP communications for SoC designs with NoC fabrics. Given a target security property to be validated, SeVNoC entails extraction of the control-flow graph of the relevant SoC, which is analyzed through a security property-based model comparison, without incurring state-space explosion. Our experiments on full-scale realistic SoC designs with multiple IPs and NoC architecture indicate that SeVNoC detects security violations in NoC communications with near-perfect accuracy, within only a few minutes.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

João C. Pereira,Tobias Klenze,Sofia Giampietro,Markus Limbeck,Dionysios Spiliopoulos,Felix A. Wolf,Marco Eilers,Christoph Sprenger,David Basin,Peter Müller,Adrian Perrig

2024-05-10

Abstract:We present the first formally-verified Internet router, which is part of the SCION Internet architecture. SCION routers run a cryptographic protocol for secure packet forwarding in an adversarial environment. We verify both the protocol's network-wide security properties and low-level properties of its implementation. More precisely, we develop a series of protocol models by refinement in Isabelle/HOL and we use an automated program verifier to prove that the router's Go code satisfies memory safety, crash freedom, freedom from data races, and adheres to the protocol model. Both verification efforts are soundly linked together. Our work demonstrates the feasibility of coherently verifying a critical network component from high-level protocol models down to performance-optimized production code, developed by an independent team. In the process, we uncovered critical bugs in both the protocol and its implementation, which were confirmed by the code developers, and we strengthened the protocol's security properties. This paper explains our approach, summarizes the main results, and distills lessons for the design and implementation of verifiable systems, for the handling of continuous changes, and for the verification techniques and tools employed.

Cryptography and Security,Networking and Internet Architecture,Programming Languages

Benjamin Lewis,Arnd Hartmanns,Prabal Basu,Rajesh Jayashankara Shridevi,Koushik Chakraborty,Sanghamitra Roy,Zhen Zhang

DOI: https://doi.org/10.1007/978-3-030-27008-7_7

2019-01-01

Abstract:The design of modern network-on-chip (NoC) systems faces reliability challenges due to process and environmental variations. Peak power supply noise (PSN) in the power delivery network of a NoC device plays a critical role in determining reliable operations: PSN typically leads to voltage droop, which can cause timing errors in the NoC router pipelines. Existing simulation-based approaches cannot provide rigorous, worst-case reliability guarantees on the probabilistic behaviors of PSN. To address this problem, this paper takes a significant step in formally analyzing PSN in modern NoCs. Specifically, we present a probabilistic model checking approach for the rigorous characterization of PSN for a generic central router of a large mesh-NoC system, under the Round Robin scheduling mechanism with a uniform random network traffic load. Defining features for PSN are extracted at the behavioral level to facilitate property formulation. Several abstract models have been derived for the central router’s concrete model based on the observations of its arbiter’s conflict resolution behavior. Probabilistic modeling and verification are performed using the Modest Toolset. Results show significant scalability of our abstract models, and reveal key PSN characteristics that are indicative of NoC design and optimization.

Tieming Chen,Zhenbo Yu,Shijian Li,Bo Chen

DOI: https://doi.org/10.1155/2016/8797568

IF: 2.336

2016-01-01

Journal of Sensors

Abstract:Model checking has successfully been applied on verification of security protocols, but the modeling process is always tedious and proficient knowledge of formal method is also needed although the final verification could be automatic depending on specific tools. At the same time, due to the appearance of novel kind of networks, such as wireless sensor networks (WSN) and wireless body area networks (WBAN), formal modeling and verification for these domain-specific systems are quite challenging. In this paper, a specific and novel formal modeling and verification method is proposed and implemented using an expandable tool called PAT to do WSN-specific security verification. At first, an abstract modeling data structure for CSP#, which is built in PAT, is developed to support the nodemobility related specification for modeling location-based node activity. Then, the traditional Dolev Yao model is redefined to facilitate modeling of location-specific attack behaviors on security mechanism. A throughout formal verification application on a location-based security protocol in WSN is described in detail to show the usability and effectiveness of the proposed methodology. Furthermore, also a novel location-based authentication security protocol in WBAN can be successfully modeled and verified directly using our method, which is, to the best of our knowledge, the first effort on employing model checking for automatic analysis of authentication protocol for WBAN.

Michael LeMay,Carl A. Gunter

DOI: https://doi.org/10.1007/978-3-319-23165-5_19

2017-01-17

Abstract:Mobile devices are in roles where the integrity and confidentiality of their apps and data are of paramount importance. They usually contain a System-on-Chip (SoC), which integrates microprocessors and peripheral Intellectual Property (IP) connected by a Network-on-Chip (NoC). Malicious IP or software could compromise critical data. Some types of attacks can be blocked by controlling data transfers on the NoC using Memory Management Units (MMUs) and other access control mechanisms. However, commodity processors do not provide strong assurances regarding the correctness of such mechanisms, and it is challenging to verify that all access control mechanisms in the system are correctly configured. We propose a NoC Firewall (NoCF) that provides a single locus of control and is amenable to formal analysis. We demonstrate an initial analysis of its ability to resist malformed NoC commands, which we believe is the first effort to detect vulnerabilities that arise from NoC protocol violations perpetrated by erroneous or malicious IP.

Cryptography and Security

Aurojit Panda,Ori Lahav,Katerina Argyraki,Mooly Sagiv,Scott Shenker

DOI: https://doi.org/10.48550/arXiv.1409.7687

2014-09-26

Abstract:Great progress has been made recently in verifying the correctness of router forwarding tables. However, these approaches do not work for networks containing middleboxes such as caches and firewalls whose forwarding behavior depends on previously observed traffic. We explore how to verify isolation properties in networks that include such "dynamic datapath" elements using model checking. Our work leverages recent advances in SMT solvers, and the main challenge lies in scaling the approach to handle large and complicated networks. While the straightforward application of model checking to this problem can only handle very small networks (if at all), our approach can verify simple realistic invariants on networks containing 30,000 middleboxes in a few minutes.

Networking and Internet Architecture,Logic in Computer Science

Jakub Szefer,Tianwei Zhang,Ruby B. Lee

DOI: https://doi.org/10.48550/arXiv.1807.01854

2018-07-05

Abstract:We present a new and practical framework for security verification of secure architectures. Specifically, we break the verification task into external verification and internal verification. External verification considers the external protocols, i.e. interactions between users, compute servers, network entities, etc. Meanwhile, internal verification considers the interactions between hardware and software components within each server. This verification framework is general-purpose and can be applied to a stand-alone server, or a large-scale distributed system. We evaluate our verification method on the CloudMonatt and HyperWall architectures as examples.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Bryan Olmos,Daniel Gerl,Aman Kumar,Djones Lettnin

2024-10-24

Abstract:The design of Systems on Chips (SoCs) is becoming more and more complex due to technological advancements. Missed bugs can cause drastic failures in safety-critical environments leading to the endangerment of lives. To overcome these drastic failures, formal property verification (FPV) has been applied in the industry. However, there exist multiple hardware designs where the results of FPV are not conclusive even for long runtimes of model-checking tools. For this reason, the use of High-level Equivalence Checking (HLEC) tools has been proposed in the last few years. However, the procedure for how to use it inside an industrial toolchain has not been defined. For this reason, we proposed an automated methodology based on metamodeling techniques which consist of two main steps. First, an untimed algorithmic description written in C++ is verified in an early stage using generated assertions; the advantage of this step is that the assertions at the software level run in seconds and we can start our analysis with conclusive results about our algorithm before starting to write the RTL (Register Transfer Level) design. Second, this algorithmic description is verified against its sequential design using HLEC and the respective metamodel parameters. The results show that the presented methodology can find bugs early related to the algorithmic description and prepare the setup for the HLEC verification. This helps to reduce the verification efforts to set up the tool and write the properties manually which is always error-prone. The proposed framework can help teams working on datapaths to verify and make decisions in an early stage of the verification flow.

Hardware Architecture,Artificial Intelligence

Zohra Sbaï,Mohamed Escheikh

DOI: https://doi.org/10.48550/arXiv.1305.4247

2013-05-18

Logic in Computer Science

Abstract:In this paper, we deal with the formal verification of an encryption scheme for Wireless Sensor Networks (WSNs). Especially, we present our first results on building a framework dedicated to modelling and verification of WSNs aspects. To achieve our goal, we propose to specify WSNs models written in Petri nets using Promela constructs in order to verify correctness properties of them using SPIN Model checker. We first specify in Promela a Petri net description of an encryption scheme for WSNs that describes its behavior. Then, correctness properties that express requirements on the system's behavior are formulated in Linear Temporal Logic (LTL). Finally, SPIN model checker is used to check if a specific correctness property holds for the model, and, if not, to provide a counterexample: a computation that does not satisfy this property. This counterexample will help to detect the source of the eventual problem and to correct it.

Rajesh JayashankaraShridevi,Dean Michael Ancajas,Koushik Chakraborty,Sanghamitra Roy

DOI: https://doi.org/10.1007/s41635-017-0008-z

2017-05-30

Journal of Hardware and Systems Security

Abstract:Network-on-chip facilitates glueless interconnection of various on-chip components in the forthcoming system-on-chips. As in the case of any new technology, security is a major concern in network-on-chip (NoC) design too. In this work, we explore a covert threat model for multiprocessor system-on-chips (MPSoCs) stemming from the use of malicious third-party network-on-chips (NoCs). We illustrate that a rogue NoC (rNoC) can selectively disrupt the perceived availability of on-chip resources, thereby causing large performance bottlenecks for the applications running on the MPSoC platform. Further, to counter the threat posed by rNoC, we propose a runtime latency auditor that enables an MPSoC integrator to monitor the trustworthiness of the deployed NoC throughout the chip lifetime. We also discuss measures that can be taken to minimize the impact of a rNoC, once it is detected. Our comprehensive cross-layer analysis of our novel detection technique indicates modest overheads of 12.73% in area, 9.844% in power, and 5.4% in terms of network latency.

English Else

Kaled Alshmrany,Lucas Cordeiro

DOI: https://doi.org/10.48550/arXiv.2001.09592

2020-01-27

Cryptography and Security

Abstract:Implementations of network protocols are often prone to vulnerabilities caused by developers' mistakes when accessing memory regions and dealing with arithmetic operations. Finding practical approaches for checking the security of network protocol implementations has proven to be a challenging problem. The main reason is that the protocol software state-space is too large to be explored. Here we propose a novel verification approach that combines fuzzing with symbolic execution to verify intricate properties in network protocol implementations. We use fuzzing for an initial exploration of the network protocol, while symbolic execution explores both the program paths and protocol states, which were uncovered by fuzzing. From this combination, we automatically generate high-coverage test input packets for a network protocol implementation. We surveyed various approaches based on fuzzing and symbolic execution to understand how these techniques can be effectively combined and then choose a suitable tool to develop further our model on top of it. In our preliminary evaluation, we used ESBMC, Map2Check, and KLEE as software verifiers and SPIKE as fuzzer to check their suitability to verify our network protocol implementations. Our experimental results show that ESBMC can be further developed within our verification framework called \textit{FuSeBMC}, to efficiently and effectively detect intricate security vulnerabilities in network protocol implementations.

Abhishek Basak,Swarup Bhunia,Thomas Tkacik,Sandip Ray

DOI: https://doi.org/10.1109/tifs.2017.2658544

IF: 7.231

2017-07-01

IEEE Transactions on Information Forensics and Security

Abstract:Modern system-on-chip (SoC) designs involve integration of a large number of intellectual property (IP) blocks, many of which are acquired from untrusted third-party vendors. An IP containing a security vulnerability-whether inadvertent or malicious-may compromise the trustworthiness of the entire SoC, e.g., by leaking sensitive information or causing execution failures at key points. Existing functional validation approaches, post-manufacturing tests, and IP trust verification techniques are inadequate to accomplish comprehensive system-level security assurance in the presence of untrusted IPs. In this paper, we analyze security issues at the SoC level caused by untrusted IPs. We also propose a novel, resilient SoC security architecture to ensure trusted SoC operation with untrusted IPs. Our architecture realizes fine-grained IP-trust aware security policies in an efficient security policy checker that enables run-time monitoring of security issues arising from untrusted IPs. It also exploits on-chip design-for-debug architecture to ensure trusted information flow from IP blocks to the security policy checker. Unlike existing solutions to the untrusted IP problem, which rely on verification of IP trust before they are integrated into an SoC, the proposed approach follows a fundamentally different architecture-level solution based on run-time resilience. We demonstrate the effectiveness of this framework for system protection using several illustrative practical use cases. We also provide experimental results to show that the overhead of the proposed architecture is modest on representative SoC designs.

computer science, theory & methods,engineering, electrical & electronic

Sudeep Pasricha,John Jose,Sujay Deb

DOI: https://doi.org/10.48550/arXiv.2208.09070

2022-08-19

Abstract:Networks-on-chips (NoCs) are an integral part of emerging manycore computing chips. They play a key role in facilitating communication among processing cores and between cores and memory. To meet the aggressive performance and energy-efficiency targets of machine learning and big data applications, NoCs have been evolving to leverage emerging paradigms such as silicon photonics and wireless communication. Increasingly, these NoC fabrics are becoming susceptible to security vulnerabilities, such as from hardware trojans that can snoop, corrupt, or disrupt information transfers on NoCs. This article surveys the landscape of security challenges and countermeasures across electronic, wireless, and photonic NoCs.

Hardware Architecture,Cryptography and Security

Z ZANG,G LUO,C YIN,臧志远,罗贵明,殷翀元

DOI: https://doi.org/10.1016/S1007-0214(09)70011-2

2009-01-01

Abstract:In networks, the stable path problem (SPP) usually results in oscillations in interdomain systems and may cause systems to become unstable. With the rapid development of internet technology, the occurrence of SPPs in interdomain systems has quite recently become a significant focus of research. A framework for checking SPPs is presented in this paper with verification of an interdomain routing system using formal methods and the NuSMV software. Sufficient conditions and necessary conditions for determining SPP occurrence are presented with proof of the method's effectiveness. Linear temporal logic was used to model an interdomain routing system and its properties were analyzed. An example is included to demonstrate the method's reliability.

Ruiyang Ma,Jiayi Huang,Shijian Zhang,Yuan Xie,Guojie Luo

DOI: https://doi.org/10.1109/tcad.2024.3430195

IF: 2.9

2024-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Network-on-Chip (NoC) has surfaced as a crucial interconnection strategy in modern digital systems, thereby demanding meticulous verification. Due to its multiple nodes and high concurrency, verifying a NoC is labor-intensive, making it complex to generate a multitude of test cases. Recently, hardware fuzzing has been identified as a promising automated approach for hardware verification. However, when we tried to apply these fuzzing techniques to our internally developed NoC design, we discovered that they were incompatible with the specificities of NoC. Additionally, they are also incompatible with the standard IC verification workflow and Universal Verification Methodology (UVM) environment. In this work, we aim to automate our verification process of NoC with fuzzing. We propose a fuzzing strategy specifically tailored for industrial NoC UVM verification. We employ fuzzing in NoC verification at multiple levels, including router verification, network verification and stress testing. As a case study we apply our approach to an open-source NoC component in OpenPiton. Remarkably, our fuzzing methods automatically achieved complete code and functional coverage in the router and mesh network. We also effectively detect injected starvation bugs with fuzzing. The evaluation results clearly demonstrate the practicability of our fuzzing approach to considerably reduce the manpower required for test case generation compared with traditional NoC verification.

Peng Liu,Chunchang Xiang,Xiaohang Wang,Binjie Xia,Yangfan Liu,Weidong Wang,Qingdong Yao

DOI: https://doi.org/10.1109/ITNG.2009.197

2009-01-01

Abstract:The emulation and functional validation are essential to assessment of the correctness and performance of networks-on-chip architecture. A flexible hardware/software networks-on-chip open platform (NoCOP) emulation framework is designed and implemented for exploring the on-chip interconnection networks architecture. An instruction set simulator and universal serial bus communicator control and configure the emulation parameters and process that are running on the host computer as active elements in the emulation framework. The experimental results show that the proposed emulation/verification framework can speed up the simulation, preserve the cycle accuracy, and decrease usage of the resource of field programmable gate array.

Jnanamurthy H K,Vijay Varadharajan

DOI: https://doi.org/10.48550/arXiv.2004.04425

2020-04-09

Abstract:In cloud computing, software-defined network (SDN) gaining more attention due to its advantages in network configuration to improve network performance and network monitoring. SDN addresses an issue of static architecture in traditional networks by allowing centralised control of a network system. SDN contains centralised network intelligence module which separates a process of forwarding packets (data plane) from packet routing process (control plane). It is essential to ensure the correctness of SDN due to secure data transmitting in it. In this paper. Model-checking is chosen to verify an SDN network. The Computation Tree Logic (CTL) and Linear Temporal Logic (LTL) used as a specification to express properties of an SDN. Then complete SDN structure is defined formally along with its Kripke structure. Finally, temporal properties are analysed against the SDN Kripke model to assure the properties of SDN is correct.

Software Engineering

Zhe Chen,Daqiang Zhang,Rongbo Zhu,Yinxue Ma,Ping Yin,Feng Xie

DOI: https://doi.org/10.1166/sl.2013.2653

2014-08-26

Abstract:This paper surveys how formal verification can be used to prove the correctness of ad hoc routing protocols, which are fundamental infrastructure of wireless sensor networks. The existing techniques fall into two classes: verification on small-scale networks and verification on unbounded networks. The former one is always fully automatic and easy to use, thanks to the limited state space generated in verification. However, it cannot prove the correctness over all cases. The latter one can provide a complete proof based on abstractions of unbounded network. However, it usually needs user intervention and expertise in verification. The two kinds of technique are illustrated by verifications against some key properties such as stability, loop-freedom and deadlock-freedom. To conclude, they can be used to find faults and prove correctness, respectively. We believe that they can together aid the development of correct ad hoc routing protocols and their reliable implementations.

Networking and Internet Architecture,Logic in Computer Science

Kaiping Xue,Jiayu Yang,Qiudong Xia,David S. L. Wei,Jian Li,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/tnsm.2021.3136547

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:As a new architecture of Internet infrastructure, Information-Centric Networking (ICN) is mainly designed to effectively handle the rapidly increasing user demand for content delivery through in-network caching. While facilitating the dissemination of content to users and making better use of the network resources, ICN is also vulnerable in that attackers can inject poisoned content into the network and isolate users from valid content sources. The introduction of signature verification in each router can effectively prevent this attack, but it also introduces great computation overhead. Existing schemes in ICN reduce verification overhead from a single routing perspective but do not consider integrating resources within ICN for collaborative content authentication and cyber self-defense. In this paper, we propose a collaborative, secure, and efficient content validation protection framework, named CSEVP, to implement a multi-router collaborative defense mechanism for ICN. On the one hand, we conduct content verification by probabilistically choosing one router involved in the transmission path to offload the computation overhead of content verification from a single router to multiple ones. On the other hand, we adopt bloom filters for routers to record and share verification results to further facilitate a more efficient content validity verification. The security and efficiency analysis shows that our proposed CSEVP can achieve efficient content validity verification among multiple routers with acceptable low communication and storage overhead.

Vuk Lesi,Zivana Jakovljevic,Miroslav Pajic

DOI: https://doi.org/10.1109/tase.2021.3106335

IF: 6.636

2021-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Internet of Things (IoT) technologies enable development of reconfigurable manufacturing systems—a new generation of modularized industrial equipment suitable for highly customized manufacturing. Sequential control in these systems is largely based on discrete events, whereas their formal execution semantics is specified as control interpreted Petri nets (CIPN). Despite industry-wide use of programming languages based on the CIPN formalism, formal verification of such control applications in the presence of adversarial activity is not supported. Consequently, in this article, we introduce security-aware modeling and verification techniques for CIPN-based sequential control applications. Specifically, we show how CIPN models of networked industrial IoT controllers can be transformed into time Petri net (TPN)-based models and composed with plant and security-aware channel models in order to enable system-level verification of safety properties in the presence of network-based attacks. Additionally, we introduce realistic channel-specific attack models that capture adversarial behavior using nondeterminism. Moreover, we show how verification results can be utilized to introduce security patches and facilitate design of attack detectors that improve system resiliency and enable satisfaction of critical safety properties. Finally, we evaluate our framework on an industrial case study. Note to Practitioners—Our main goal is to provide formal security guarantees for distributed sequential controllers. Specifically, we target smart automation controllers geared toward Industrial IoT applications that are typically programed in C/C++ and are running applications originally designed in, for example, GRAFCET (IEC 60848)/SFC (IEC 61131-3) automation programming languages. Since existing tools for the design of distributed automation do not support system-level verification of relevant safety properties- we show how security-aware transceiver and communication models can be developed and composed with distributed controller models. Then, we show how existing tools for verification of time Petri nets can be used to verify relevant properties including safety and liveness of the distributed automation system in the presence of network-based attacks. To provide an end-to-end analysis as well as security patching, results of our analysis can be used to deploy suitable firmware updates during the stage when executable code for target controllers (e.g., in C/C++) is generated based on GRAFCET/SFC control models. We also show that security guarantees can be improved as the relevant safety/liveness properties can be verified after corresponding security patches are deployed. Finally, we show applicability of our framework on a realistic distributed pneumatic manipulator.

automation & control systems