# A Correct (and secure) Silver Pipelined Processor

Ning Dong, Roberto Guanciale, Mads Dam, Andreas Lööw

#### Method for correctness

- Silver ISA model
  - Simple RISC processor
- Processor design modeled as list of stage functions
  - $\circ$   $c^2 = f_i(c^1, e^1)$
- Verification of f<sub>1</sub> ... f<sub>n</sub> w.r.t. ISA
- Verilog HOL4 library
  - Library generates a Verilog design and proves a simulation theorem:
    - if  $(c^1, e^1) \rightarrow (c^2, e^2)$  then  $c^2 = f_1 \dots f_n(c^1, e^1)$
  - Library exports Verilog design

#### **Processor Design**

- Data hazard
- Mispredicted PC
  - Target addresses computed by EX
- Self modifying code
  - SW must take countermeasures



#### When a processor is correct?

Usage of a scheduling function: I(j)(stage) = n



#### When a processor is correct?

- Scheduling function is defined inductively, e.g.
  - o if  $t^{j}$ .EX.enabled then I(j)(EX) = I(j-1)(ID)
  - $\circ$  if  $t^{j}$ .EX.disabled then I(j)(EX) = I(j-1)(EX)
- Pipeline may be processing (in IF and ID) wrong instructions due to JMP
  - o  $I(t^{j}.EX) = n$  and  $s_{n}$  takes a JMP then  $I(j)(IF) = \bot$
  - $\circ$  I(t<sup>j</sup>.ID) = n and s<sub>n</sub> takes a JMP then I(j)(IF) =  $\bot$
- two traces are related
  - $\circ \quad (\mathsf{t}^1,\mathsf{e}^1) \ \rightarrow \ (\mathsf{t}^2,\mathsf{e}^2) \ \rightarrow \ ... \ (\mathsf{t}^j,\mathsf{e}^j) \ \sim^\mathsf{I} \ \mathsf{s}^1 \ \rightarrow \ \mathsf{s}^2 \ \rightarrow \ ... \ \mathsf{s}^n$
  - o iff for every cycle j, and every circuit field f of each stage
    - if I(j)(stage) =  $\bot$  then  $t^{j}$ .stage.f =  $t^{j-1}$ .stage..f
    - if I(j)(stage) = i then  $t^{j}.stage.f = F(s^{i})$

#### When a processor is correct?

- Proof establishes that
  - o if  $(c1,e1) \rightarrow (c2,e2) \rightarrow ... (cj,ej)$  and
  - o if s<sup>i</sup> writes in address a then for i < k < i+5: s<sup>k</sup>.pc ≠ a
  - o then  $(c^1, e^1) \rightarrow (c^2, e^2) \rightarrow \dots (c^j, e^j) \sim^I s^1 \rightarrow s^2 \rightarrow \dots s^n$
- Proof done by induction



#### **Evaluation and Future work**

\_\_\_\_

|               | hello(ms) | count(ms) | sort(ms) | checker(min) |
|---------------|-----------|-----------|----------|--------------|
| non-pipelined | 23.17     | 62.03     | 78.53    | 8.98         |
| pipelined     | 17.94     | 48.48     | 67.19    | 7.28         |

- 45 vs 65 Mhz :Main bottleneck I-cache design
- Future work
  - (done) Data Forward
  - Integration with CakeML for full stack correctness (security)
  - Mechanised proof of security

## When a processor is secure?

\_\_\_\_

• There is no standard specification of information flows

- We extend ISA with observations that should overapproximate information leakage: obs(s)
  - Execution path: s.pc
  - o Executed instruction: s.mem[s.pc]
  - Memory operation and address:
    - op(s.mem[s.pc]), addr(s.mem[s.pc], s.regs)



- We extend ISA with observations that should overapproximate information leakage: obs(s)
  - o Execution path: s.pc
  - o Executed instruction: s.mem[s.pc]
  - Memory operation and address:
    - op(s.mem[s.pc]), addr(s.mem[s.pc], s.regs)
- obs are used to define when a SW is non-interferent
  - o if  $a^1 \rightarrow a^2 \rightarrow \dots a^n, b^1 \rightarrow b^2 \rightarrow \dots b^n$ , and  $a^1 = low b^1$
  - o then obs(a<sup>i</sup>) = obs(b<sup>i</sup>)





- We extend ISA with observations that should overapproximate information leakage: obs(s)
  - Execution path: s.pc
  - o Executed instruction: s.mem[s.pc]
  - Memory operation and address:
    - op(s.mem[s.pc]), addr(s.mem[s.pc], s.regs)
- obs are used to define when a SW is non-interferent
  - o if  $a^1 \rightarrow a^2 \rightarrow \dots a^n, b^1 \rightarrow b^2 \rightarrow \dots b^n$ , and  $a^1 = low b^1$
  - o then obs(a<sup>i</sup>) = obs(b<sup>i</sup>)

#### Is the processor secure?

- Conditional non-interference
  - o if obs( $\sigma^1$ ) = obs( $\sigma^2$ ),  $\phi^1 \sim^{\mathbf{I}} \sigma^1$ , and  $\phi^2[0] \sim^{\mathbf{I}} \sigma^1[0]$
  - $\circ$  then  $\phi^2 \sim^{\mathbf{I}} \sigma^2$





#### Is the processor secure?

- Conditional non-interference
  - o if obs( $\sigma^1$ ) = obs( $\sigma^2$ ),  $\phi^1 \sim^{\mathbf{I}} \sigma^1$ , and  $\phi^2[0] \sim^{\mathbf{I}} \sigma^1[0]$
  - $\circ$  then  $\phi^2 \sim^{\mathbf{I}} \sigma^2$





#### Is the processor secure?

- Conditional non-interference
  - o if obs $(\sigma^1)$  = obs $(\sigma^2)$ ,  $\phi^1 \sim^{\mathbf{I}} \sigma^1$ , and  $\phi^2[0] \sim^{\mathbf{I}} \sigma^1[0]$
  - $\circ$  then  $\phi^2 \sim^{\mathbf{I}} \sigma^2$
- To verify this we need assumption on the environment:
  - if for add i<j</p>
    - $\Phi^1(i)$ .t.cmd =  $\Phi^2(i)$ .t.cmd
    - $\Phi^1(i)$ .t.out\_pc =  $\Phi^2(i)$ .t.out\_pc
    - $\Phi^1(i)$ .t.cmd = ld/st then
      - $\phi^{1}(i)$ .t.adr =  $\phi^{2}(i)$ .t.adr
  - then
- Memory subsystem
  - can have caches, different access times, preloads, different replacement policies
  - but if it receives the same sequence of commands for the same addresses must reply in at the same time

|   |     | IF      | ID      | EX      | MEM     | WB |
|---|-----|---------|---------|---------|---------|----|
| П | t   | i4(JMP) | i3      | i2      | i1      | i0 |
| Ш | t+1 | i4'     | i4(JMP) | i3      | i2      | i1 |
|   | t+2 | i4"     | i4'     | i4(JMP) | i3      | i2 |
|   | t+3 | i5      | NOP     | NOP     | i4(JMP) | i3 |

#### Are all processor secure?

- Conditional noninterference
  - o if obs( $\sigma^1$ ) = obs( $\sigma^2$ ),  $\phi^1 \sim^I \sigma^1$ , and  $\phi^2[0] \sim^I \sigma^1[0]$ o then  $\phi^2 \sim^I \sigma^2$
- i3: R0:=0;
- i4: JMP I5;
- i4':
- i4'': ?
- i5: INTR;

|   |     | IF      | ID      | EX      | MEM     | WB |
|---|-----|---------|---------|---------|---------|----|
| П | t   | i4(JMP) | i3      | i2      | i1      | i0 |
| Ш | t+1 | i4'     | i4(JMP) | i3      | i2      | i1 |
|   | t+2 | i4"     | i4'     | i4(JMP) | i3      | i2 |
|   | t+3 | i5      | NOP     | NOP     | i4(JMP) | i3 |

#### Are all processor secure?

```
    Conditional noninterference
```

```
o if obs(\sigma^1) = obs(\sigma^2), \phi^1 \sim^I \sigma^1, and \phi^2[0] \sim^I \sigma^1[0]
o then \phi^2 \sim^I \sigma^2
```

|     | IF      | ID      | EX      | MEM     | WB |
|-----|---------|---------|---------|---------|----|
| t   | i4(JMP) | i3      | i2      | i1      | i0 |
| t+1 | i4'     | i4(JMP) | i3      | i2      | i1 |
| t+2 | i4"     | i4'     | i4(JMP) | i3      | i2 |
| t+3 | i5      | NOP     | NOP     | i4(JMP) | i3 |

#### Are all processor secure?

```
NOP:R0+1
NOP:0
```

- Conditional noninterference
   if obs(σ¹) = obs(σ²), φ¹ ~¹ σ¹, and φ²[0] ~¹ σ¹[0]
   then φ² ~¹ σ²
- i3: R0:=0;
- 100
- i4: JMP I5;
- i4':
- i4'': R2:=R0+1 or R2:=0
- i5: INTR;

### Questions?