Relational Models of Microarchitectures for Formal Security Analyses

TL;DR

This paper introduces leakage containment models (LCMs), a formal framework for defining and analyzing microarchitectural security guarantees, enabling automatic detection of hardware leakage and vulnerabilities like Spectre in software.

Contribution

It presents a novel axiomatic vocabulary for formal microarchitectural leakage models, supporting automated security analysis and practical vulnerability detection.

Findings

LCMs accurately model hardware leakage scenarios

The framework detects known microarchitectural attacks

A static analysis tool identifies Spectre vulnerabilities in real code

Abstract

There is a growing need for hardware-software contracts which precisely define the implications of microarchitecture on software security-i.e., security contracts. It is our view that such contracts should explicitly account for microarchitecture-level implementation details that underpin hardware leakage, thereby establishing a direct correspondence between a contract and the microarchitecture it represents. At the same time, these contracts should remain as abstract as possible so as to support efficient formal analyses. With these goals in mind, we propose leakage containment models (LCMs)-novel axiomatic security contracts which support formally reasoning about the security guarantees of programs when they run on particular microarchitectures. Our core contribution is an axiomatic vocabulary for formally defining LCMs, derived from the established axiomatic vocabulary used to formalize processor memory consistency models. Using this vocabulary, we formalize microarchitectural leakage-focusing on leakage through hardware memory systems-so that it can be automatically detected in programs. To illustrate the efficacy of LCMs, we present two case studies. First, we demonstrate that our leakage definition faithfully captures a sampling of (transient and non-transient) microarchitectural attacks from the literature. Second, we develop a static analysis tool based on LCMs which automatically identifies Spectre vulnerabilities in programs and scales to analyze realistic-sized codebases, like libsodium.