
www.iti.tugraz.at

Automatized High-Level Evaluation of Security Properties for RTL Hardware Designs

Andrea Höller (1), Armin Krieg (2), Christopher Preschern (1), Christian Steger (1), Christian Kreiner (1), Holger Bock (2) and Josef Haid (2)

(1) Institute for Technical Informatics, Graz University of Technology, Austria
(2) Infineon Technologies Austria AG, Design Center Graz, Austria

8th Workshop on Embedded Systems Security (WESS 2013)

Montreal, September 29, 2013

Outline

Introduction

System Analysis and FSM Extraction Methodology

Model-Based Fault Injection

Experimental Results

Conclusions and Future Work


The Formal Verification Gap (Introduction)

− Common Criteria
  − Standard for computer security
  − EALs: measure of quality
  − Formal methods to verify security properties
− Implementation of security properties neglected [Beckert2010]
− Translation of the RTL implementation for model checkers

Model Checking (Related Work)

• Model in own language
• Automated extraction of FSMs from RTL [Brayton1996, Moundanos1996, Graf1997, Déharbe1998, Bei1999, Lahiri2002, Andraus2004]

Adapted from [Boulé2008]

Formal Verification and Common Criteria (Related Work)

Figure: the Common Criteria development assurance class, with the Security Policy Model linking the Functional Requirements, the Functional Specification, the Target Design Description and the Implementation. Model checking the policy model [Beuster2011]: LTL properties and an FSM model are fed to a model checker, which yields a verified specification or a counterexample [Beckert2010, Beuster2011]. Proposed extension: an FSM model is extracted from the implementation and checked by the model checker against the same LTL properties, which yields a verified FSM implementation or a counterexample.


Global Model-Checking Based Flow (System Analysis and FSM Extraction Methodology)

Figure: overview of the flow. The framework is Java-based and uses the NuSMV model checker; the input RTL design is required to be synthesizable and control dominated.

VHDL Structural Analysis (System Analysis and FSM Extraction Methodology)

1. VHDL structure parsing
   − Extract system-internal structures
   − Dependency lists
2. Translation into CFG description [Lohse1994]
   − Nodes for branches
   − Condition
   − List of transitions
   − One parent
3. FSM identification
   Realization: find the state register
   1. Find all registers
      − Synchronous register: reacts on the active clock edge
   2. Decide which of them are state registers
      − The state signal depends on itself
      − Dependency list search for a circular dependency


FSM Extraction (System Analysis and FSM Extraction Methodology)

Next-state logic
− Find next-state signal
− Collect transitions and conditions

Initial values

Input signals
− Signals in the dependency list of the state

Output signals
− Signals that depend on the state
− Collect transitions
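As an added illustration of the state-register search (step 3 of the structural analysis) and of the input/output signal collection above, the following Python is not the paper's Java framework; the small design, its signal names and its dependency lists are constructed for this example.

```python
# Added illustration of the dependency-list analysis on the slides; this is not
# the paper's Java framework.  The design below is constructed for the example.
# Dependency lists: each signal maps to the signals read when it is assigned.
# "state" is written in a one-segment style (state <= f(state, start, done)).
DEPS = {
    "state": ["state", "start", "done"],   # register written in a clock-edge block
    "count": ["count", "state"],           # counter register, also self-dependent
    "done":  ["count"],                    # combinational: count reached its limit
    "busy":  ["state"],                    # combinational output decoded from state
    "start": [],                           # primary input
}
# Step 1: signals assigned inside a rising_edge(clk) block.
SYNC_REGISTERS = {"state", "count"}


def depends_on(deps, signal, target):
    """True if `signal` transitively depends on `target` (DFS over dependency lists)."""
    seen, stack = set(), list(deps.get(signal, []))
    while stack:
        s = stack.pop()
        if s == target:
            return True
        if s not in seen:
            seen.add(s)
            stack.extend(deps.get(s, []))
    return False


def find_state_registers(deps, registers):
    """Step 2: a register is a state register if its value depends on itself.
    A free-running counter meets the same criterion, which is why the flow
    targets control-dominated designs."""
    return sorted(r for r in registers if depends_on(deps, r, r))


def input_signals(deps, state):
    """FSM inputs: everything in the transitive dependency list of the state."""
    closure, stack = set(), list(deps.get(state, []))
    while stack:
        s = stack.pop()
        if s != state and s not in closure:
            closure.add(s)
            stack.extend(deps.get(s, []))
    return sorted(closure)


def output_signals(deps, state):
    """FSM outputs: every signal whose value depends on the state."""
    return sorted(s for s in deps if s != state and depends_on(deps, s, state))
```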

Translation to the NuSMV Language (System Analysis and FSM Extraction Methodology)

(1) Variable declarations
(2) Translation of FSMs into NuSMV
(3) FSM interconnection

    MODULE main
    VAR
      shared_input : boolean;
      fsm1 : FSM1(shared_input, fsm2.output);
      fsm2 : FSM2(shared_input, fsm1.output);


Model-Based Fault Injection

• Common Criteria requirement
  FRU_FLT.1.1: The TOE Security Functionality (TSF) shall ensure the operation of [assignment: list of TOE capabilities] when the following failures occur: [assignment: list of type of failures].
• Advantages
  + Completeness
  + No manipulation of the original design


Model-Based Fault Injection: VHDL modulo counter (Experimental Results)

Figure: VHDL code of the modulo counter, automatic translation and fault injection, generated NuSMV model.

Model-Based Fault Injection: LTL specification and result (Experimental Results)

− Robust design support
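The fault-injection experiment on the modulo counter above, as an added illustration that is not the paper's generated NuSMV model: a modulo-5 counter held in a 3-bit register, a single-bit-flip fault model on that register, and an explicit-state check of the invariant and recovery properties written in Python in place of NuSMV. The counter, the fault model and the "robust" variant (illegal encodings return to 0, whereas the naive design is assumed to hold them as a `when others => null` would) are assumptions.

```python
# Added illustration of model-based fault injection on a modulo counter.  A small
# explicit-state search stands in for NuSMV; the counter, the single-bit-flip fault
# model and the "robust" variant are constructed for this example, not the paper's.
MOD = 5      # modulo-5 counter in a 3-bit register: encodings 5..7 are illegal
WIDTH = 3

def next_state(count, robust):
    """Nominal next-state logic of the counter register."""
    if count >= MOD:
        # Illegal encoding: a robust design returns to 0, the naive design
        # (assumed 'when others => null') holds the corrupted value forever.
        return 0 if robust else count
    return (count + 1) % MOD

def successors(count, robust, inject_faults):
    """Next states after one clock cycle, optionally with one bit flip of the register."""
    nominal = next_state(count, robust)
    if not inject_faults:
        return {nominal}
    # Fault model: any single bit of the written value may be flipped.
    return {nominal} | {nominal ^ (1 << b) for b in range(WIDTH)}

def reachable(robust, inject_faults, init=0):
    """Explicit-state exploration of the model from the reset value."""
    seen, stack = set(), [init]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(successors(s, robust, inject_faults))
    return seen

def check_invariant(robust, inject_faults):
    """LTL G (count < MOD): holds iff no illegal encoding is reachable."""
    return all(s < MOD for s in reachable(robust, inject_faults))

def check_recovery(robust, inject_faults, max_cycles=1 << WIDTH):
    """Does every reachable state return to a legal encoding within max_cycles
    fault-free cycles?  A bounded form of F (count < MOD) after a fault."""
    for s in reachable(robust, inject_faults):
        for _ in range(max_cycles):
            if s < MOD:
                break
            s = next_state(s, robust)
        else:
            return False
    return True
```

Under fault injection the invariant fails for both designs, since a single flip cannot be prevented; what separates the robust design is that it recovers.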


Conclusions

− Step towards filling the Common Criteria verification gap
− Automatic generation of a high-level representation of the RTL implementation
− Evaluation of fault-attack robustness

Future Work

− Model-based fault injection for the safety domain

Thank you very much for your attention! Any questions?

Sources

[CommonCriteria2012] Common Criteria for Information Technology Security Evaluation, Part 2, Version 3.1, 2012.
[Andraus2004] Z. Andraus and K. Sakallah. Automatic abstraction and verification of Verilog models. In Proceedings of the 41st Annual Design Automation Conference, 2004.
[Bar-El2006] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan. The sorcerer's apprentice guide to fault attacks. Proceedings of the IEEE, 2006.
[Beckert2010] B. Beckert, D. Bruns, and S. Grebing. Mind the gap: Formal verification and the Common Criteria. International Verification Workshop, 2010.
[Bei1999] J. Bei, H. Li, J. Bian, H. Xue, and X. Hong. FSM modeling of synchronous VHDL design for symbolic model checking. In Proceedings of the ASP-DAC '99, 1999.
[Beuster2011] G. Beuster and K. Greimel. Developing a Formal Security Policy Model for a Smart Card EAL6 Evaluation. Presentation, International Common Criteria Conference, 2011.
[Boulé2008] M. Boulé and Z. Zilic. Generating hardware assertion checkers: for hardware verification, emulation, post-fabrication debugging and on-line monitoring. Springer Verlag, 2008.
[Brayton1996] R. Brayton, G. Hachtel, A. Sangiovanni-Vincentelli, F. Somenzi, A. Aziz, S. Cheng, S. Edwards, S. Khatri, Y. Kukimoto, A. Pardo, et al. VIS: A system for verification and synthesis. In Computer Aided Verification, pages 428–432. Springer, 1996.
[Déharbe1998] D. Déharbe, S. Shankar, and E. Clarke. Model checking VHDL with CV. In Formal Methods in Computer-Aided Design. Springer, 1998.
[Ezekiel2009] J. Ezekiel and A. Lomuscio. Combining fault injection and model checking to verify fault tolerance in multi-agent systems. In Proceedings of the 8th International Conference on Autonomous Agents and Multiagent Systems, Volume 1, 2009.

FSM Extraction (backup slide, System Analysis and FSM Extraction Methodology)

Next-state logic
− Find next-state signal
− Collect transitions and conditions

Figure: where the state signal and the next-state signal appear in one-segment code styling versus multi-segment code styling.

Verification of Security Policies (Experimental Results)

• Verification of security requirements
  − Common Criteria property
    FIA_SOS.2.2: The TOE Security Function (TSF) shall be able to enforce the use of TSF generated secrets for [assignment: list of TSF functions].
  − LTL specification
  − Verified property

Verification of Security Policies: UART control logic with password feature (Experimental Results)

Figure: the VHDL UART control logic and its automatically translated NuSMV model.

Initial Values: Reset Patterns

The initial values of the state registers are taken from the reset assignments, which follow one of two patterns (reset is assumed to be std_logic in the sketches below):

    -- synchronous reset: reset is sampled only on the active clock edge
    process(clk)
    begin
      if rising_edge(clk) then
        if reset = '1' then
          … initial value assignments …
        else
          … logic …
        end if;
      end if;
    end process;

    -- asynchronous reset: reset takes effect independently of the clock
    process(clk, reset)
    begin
      if reset = '1' then
        … initial value assignments …
      elsif rising_edge(clk) then
        … logic …
      end if;
    end process;