# orm

A Formal Model of Cache Speculation Side-Channels

> Catalin Marinas TLA<sup>+</sup> Community Event 2020

© 2020 Arm Limited (or its affiliates)

#### Introduction

Why a formal model of cache speculation side-channels:

- A (simpler) way to reason about the behaviour of a system and its security properties
- Allows exploring similar vulnerabilities at an abstract level in a unified way
  - Same specification can cover Spectre variants and Meltdown

Aim for the formal model:

 Does the CPU specification guarantee the security properties under speculative execution for *any* code sequence?

Not covered:

• Is a *specific* code sequence vulnerable under the CPU specification?

#### Spectre v1 Example

• Bypassing software checking of untrusted values (64-bit ARM assembly)

| LDR    | X1, [X2]                    |
|--------|-----------------------------|
| CMP    | <b>XO,</b> X1               |
| BGE    | <pre>out_of_range</pre>     |
| LDRB   | <b>W4,</b> [X5, <b>X0</b> ] |
| AND    | <b>X4, X4,</b> #1           |
| LSL    | <b>X4, X4,</b> #8           |
| ADD    | <b>X4, X4,</b> #0x200       |
| LDRB   | X7, [X8, <b>X4</b> ]        |
| franca |                             |

- // X2 is a pointer to kernel\_array->length
- // X0 holds untrusted\_offset\_from\_user
- // X5 holds kernel\_array->data
- // arithmetic ops on potentially private data

// X8 holds user\_array->data, X4 secret-derived

out\_of\_range

#### Abstract Machine – State

• Constants (sets) and operation tables

 $LADDRS \triangleq \{l1, l2, ...\}$  $HADDRS \triangleq \{h1, h2, ...\}$  $DATA \triangleq \{d1, d2, ...\}$  $REGS \triangleq \{r1, r2, ...\}$ 

 $ADDRS \triangleq LADDRS \cup HADDRS$  $VALUES \triangleq ADDRS \cup DATA \cup \{"zero"\}$ 

 $OPTABLES \triangleq [VALUES \times VALUES \rightarrow VALUES]$ 

• CPU security/privilege mode

```
mode ∈ {"low", "high"}
```

• CPU registers (array/function)



| Register | r1 | r2 | r3 | r4 |  |
|----------|----|----|----|----|--|
| Value    | d2 | d1 | 11 | h1 |  |

• Memory (array/function)

## $mem \in [ADDRS \rightarrow VALUES]$ $cached \in [ADDRS \rightarrow BOOLEAN]$

...

...

...

| Address | 11 | 12 | ••• | h1 | h2 | _ |
|---------|----|----|-----|----|----|---|
| Value   | d2 | 11 | ••• | d3 | h1 |   |
| Cached  | Т  | F  | ••• | F  | Т  |   |

#### Abstract Machine – Actions (state transitions)

• Sets of *valid* instructions (*tuples* of mnemonic and arguments)

 $\begin{aligned} & Havoc \triangleq \{ \langle "SET", r, v \rangle : r \in REGS, v \in VALUES \} \\ & Move \triangleq \{ \langle "MOV", rt, rm \rangle : rt, rm \in REGS \} \\ & Load \triangleq \{ \langle "LDR", rt, rm \rangle : rt, rm \in REGS \land AccessOK(regs[rm]) \} \\ & Store \triangleq \{ \langle "STR", rt, rm \rangle : rt, rm \in REGS \land AccessOK(regs[rm]) \} \\ & Op \triangleq \{ \langle "OP", rt, rm, rn, op \rangle : rt, rm, rn \in REGS, op \in OPTABLES \} \\ & Exception \triangleq IF mode = "low" THEN \{ \langle "HCALL" \rangle \} ELSE \{ \langle "LRET" \rangle \} \end{aligned}$ 

• The set of all possible *valid* instructions

Instructions  $\triangleq$  Havoc  $\cup$  Move  $\cup$  Load  $\cup$  Store  $\cup$  Op  $\cup$  Exception

• Instruction dispatch/execution: *Execute(instr)* 

#### **Program Execution as Succession of States**

• Initial *SimpleCPU* state

 $Init \triangleq \land mode = "low" \\ \land regs = [r \in REGS \mapsto "zero"] \\ \land mem \in [ADDRS \rightarrow VALUES] \\ \land cached = [a \in ADDRS \mapsto FALSE]$ 

• Next SimpleCPU step

*Next* ≜ ∃*instr* ∈ *Instructions* : *Execute*(*instr*)



#### **Abstract Model of Speculative Execution**

 Speculative execution modelled as a "shadow" abstract machine (CPU) sharing the mem and cached states with the executing machine but with a separate regs state
 Speculating machine supports a subset of instructions of a Load U On.



#### TLA<sup>+</sup> Specification of Speculative Execution

- Speculating machine has its own registers
   ExecCPU ≜ INSTANCE SimpleCPU
   SpecCPU ≜ INSTANCE SimpleCPU WITH regs ← specregs
- Speculating registers state discarded on (committed) instruction execution
   Exec(instr) ≜ ExecCPU! Execute(instr) ∧ specregs' = regs'
   Spec(instr) ≜ SpecCPU! Execute(instr) ∧ UNCHANGED (regs, mem)
- Only certain instructions are available under speculation
   *ExecInstr* ≜ *Havoc* ∪ *Move* ∪ *Load* ∪ *Store* ∪ *Op* ∪ *Exception SpecInstr* ≜ *Load* ∪ *Op*
- Either execution or speculation

 $Next \triangleq \lor \exists instr \in ExecInstr : Exec(instr)$  $\lor \exists instr \in SpecInstr : Spec(instr)$ 

#### **Roles, States and Observations**

Victim: high security mode (e.g. OS kernel)

• High *mode* state consists of CPU registers and high security memory

 $HighState \triangleq \langle regs, [addr \in HADDRS \mapsto mem[addr]] \rangle$ 

• High *mode* input and output consist of CPU registers and low security memory

 $Input \triangleq \langle regs, [addr \in LADDRS \mapsto mem[addr]] \rangle$ 

 $Output \triangleq \langle regs, [addr \in LADDRS \mapsto mem[addr]] \rangle$ 

#### **Roles, States and Observations**

Attacker: low security mode (e.g. user application)

• Low *mode* state consists of CPU registers and user memory:

*LowState*  $\triangleq \langle regs, [addr \in LADDRS \mapsto mem[addr]] \rangle$ 

• Without *side-channels*, the attacker can only observe the values in low memory:

 $LowObs \triangleq [addr \in LADDRS \mapsto \langle mem[addr] \rangle]$ 

• With *cache side-channels*, the attacker can additionally observe the *cached* state of a memory location (e.g. by measuring the access time)

 $LowObs \triangleq [addr \in LADDRS \mapsto \langle mem[addr], cached[addr] \rangle ]$ 

#### Security Properties – Confidentiality

- The *attacker*'s observations (*LowObs*) is a deterministic function of the initial *LowState*, the *victim*'s *Output* (same as *LowState*) and its own actions
  - The attacker cannot observe anything other than what the victim explicitly allows in its output
- Formal model: any two *LowState-identical* behaviours of a system *P*, with the same initial *LowObs*, have identical *LowObs* observations

 $\forall \sigma_{1}, \sigma_{2} \vDash P :$  $(LowObs(\sigma_{1}^{0}) = LowObs(\sigma_{2}^{0}) \land$  $\forall i \in Nat : LowState(\sigma_{1}^{i}) = LowState(\sigma_{2}^{i})) \Rightarrow$  $\forall i \in Nat : LowObs(\sigma_{1}^{i}) = LowObs(\sigma_{2}^{i})$ 

(not valid TLA<sup>+</sup> syntax)

#### Security Properties – Integrity

- The *victim*'s state is a deterministic function of the initial *HighState*, *victim*'s *Input* and its own actions
  - Victim's execution (sequence of states) is not affected by the attacker beyond the Input provided
- Formal model: any two behaviours of a system *P*, with the same initial *HighState* and same *Input*, have identical *HighState* and *Output*

```
 \forall \sigma_{1}, \sigma_{2} \models P : 
 (HighState(\sigma_{1}^{0}) = HighState(\sigma_{2}^{0}) \land 
 \forall i \in Nat : Input(\sigma_{1}^{i}) = Input(\sigma_{2}^{i})) \Rightarrow 
 \forall i \in Nat : (HighState(\sigma_{1}^{i}) = HighState(\sigma_{2}^{i}) \land 
 Output(\sigma_{1}^{i}) = Output(\sigma_{2}^{i}))
```

(not valid TLA<sup>+</sup> syntax)

#### Confidentiality in TLA<sup>+</sup>

• Hyperproperties not supported directly, creating a new specification for two behaviours

*Init* ≜ ∧ *CPU*1! *Init* ∧ *CPU*2! *Init* ∧ *CPU*1! *LowState* = *CPU*2! *LowState* ∧ *CPU*1! *LowObs* = *CPU*2! *LowObs* 

 $Next \triangleq \lor \exists instr \in ExecInstr : (CPU1! Exec(instr) \land CPU2! Exec(instr) \land regs1' = regs2') \\ \lor \exists instr \in SpecInstr : CPU1! Spec(instr) \land CPU2! Spec(instr)$ 

 $Spec = Init \land \Box[Next]_{vars}$ 

**THEOREM** Spec  $\Rightarrow \Box(CPU1!LowObs = CPU2!LowObs)$ 

#### Confidentiality under Speculative Execution (high mode)



#### arm

#### Security Vulnerabilities in the Abstract Machine

- **Spectre v1**: *confidentiality property* violated by the *speculating machine (SpecCPU)* 
  - Software workarounds aim to make *speculative execution* deterministic of only non-confidential state
- **Spectre v2**: *integrity* of the victim's *speculating machine* affected through branch predictor training by the attacker
  - Software workarounds to make the *speculative execution trace* deterministic of the high state and high *mode* input only
- Meltdown (v3): address space isolation not guaranteed by the *speculating machine* (AccessOK in a low mode speculated Load instruction is TRUE for high addresses)
  - Software workaround to enforce AccessOK by other means like KPTI (kernel page table isolation)
- **Spectre v4** (Speculative Store Bypass): similar to Spectre v1 where the *speculating machine* can read older instances of *mem* (prior to *executed Store* instructions)
  - SSBD as hardware workaround, fine-grained SSBB as software workaround

### Effects of (ARM) Barriers on the Abstract Machine

- CSDB (Consumption of Speculative Data Barrier): disallows the *Havoc* set of instructions (or part of – data value prediction) in the *speculating machine*
- **SSBB** (Speculative Store Bypass Barrier): prevents *Load* instructions in the *speculating machine* from reading older instances of *mem* prior to an *executed Store* instruction
- **SB** (Speculation Barrier): prevents subsequent instructions in the *speculating machine* from changing the output of an *observation function* (e.g. *LowObs*)

#### Notable References

- Arm Limited. Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism whitepaper
- Lamport. *Specifying Systems*
- Subramanyan et al. A Formal Foundation for Secure Remote Execution of Enclaves
- Guarnieri et al. SPECTECTOR: Principled Detection of Speculative Information Flows
- Several other papers on non-interference and observational determinism
- Catalin Marinas. TLA<sup>+</sup> model of the cache speculation side-channels <u>http://procode.org/cachespec/</u>

| + | + | + | + | + | + | + | + | + | + | + | + | + | + . | + |
|---|---|---|---|---|---|---|---|---|---|---|---|---|-----|---|
|   |   |   |   |   |   |   |   |   |   |   |   |   |     |   |
|   |   |   |   |   |   |   |   |   |   |   |   |   |     |   |

+

|            | r'n            |               |  | + |  | + | <sup>*</sup> Thảnk Yỏu<br>Danke        |
|------------|----------------|---------------|--|---|--|---|----------------------------------------|
|            |                |               |  |   |  |   | * <sup>*</sup> Merci                   |
|            |                |               |  |   |  |   | ↓ り<br>・ 谢谢<br>ありがとう                   |
|            |                |               |  |   |  |   | + Gracias                              |
|            |                |               |  |   |  |   | Kiitos<br>감사합니다                        |
|            |                |               |  |   |  |   | धन्यवाद<br>• • • • • • • • • • • • • • |
|            |                |               |  |   |  |   | شَخَرًا                                |
|            |                |               |  |   |  |   | תודה                                   |
| © 2020 Arm | Limited (or it | s affiliates) |  |   |  |   |                                        |