Research article
DOI: 10.1145/1993498.1993512

Caisson: a hardware description language for secure information flow

Published: 04 June 2011

Abstract

Information flow is an important security property that must be incorporated from the ground up, including at hardware design time, to provide a formal basis for a system's root of trust. We incorporate insights and techniques from designing information-flow secure programming languages to provide a new perspective on designing secure hardware. We describe a new hardware description language, Caisson, that combines domain-specific abstractions common to hardware design with insights from type-based techniques used in secure programming languages. The proper combination of these elements allows for an expressive, provably-secure HDL that operates at a familiar level of abstraction to the target audience of the language, hardware architects.
We have implemented a compiler for Caisson that translates designs into Verilog and then synthesizes the designs using existing tools. As an example of Caisson's usefulness we have addressed an open problem in secure hardware by creating the first-ever provably information-flow secure processor with micro-architectural features including pipelining and cache. We synthesize the secure processor and empirically compare it in terms of chip area, power consumption, and clock frequency with both a standard (insecure) commercial processor and also a processor augmented at the gate level to dynamically track information flow. Our processor is competitive with the insecure processor and significantly better than dynamic tracking.


    Published In

    PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation
    June 2011
    668 pages
    ISBN:9781450306638
    DOI:10.1145/1993498
    General Chair: Mary Hall
    Program Chair: David Padua

      ACM SIGPLAN Notices, Volume 46, Issue 6
      PLDI '11
      June 2011
      652 pages
      ISSN:0362-1340
      EISSN:1558-1160
      DOI:10.1145/1993316
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. hardware description language
    2. non-interference
    3. state machine

    Qualifiers

    • Research-article

    Conference

    PLDI '11

    Acceptance Rates

    Overall Acceptance Rate 406 of 2,067 submissions, 20%
