SemPat: Using Hyperproperty-based Semantic Analysis to Generate Microarchitectural Attack Patterns

TL;DR

This paper introduces SemPat, a method that automatically generates microarchitectural attack patterns from semantic security hyperproperties, combining formal verification with scalable pattern detection to improve security analysis.

Contribution

It presents a novel technique that automatically derives attack patterns from hyperproperties, enhancing scalability and coverage in microarchitectural security verification.

Findings

Successfully generated attack patterns for Spectre variants.

Improved scalability over traditional hyperproperty verification.

Demonstrated ability to produce new attack patterns.

Abstract

Microarchitectural security verification of software has seen the emergence of two broad classes of approaches. The first is based on semantic security properties (e.g., non-interference) which are verified for a given program and a specified abstract model of the hardware microarchitecture. The second is based on attack patterns, which, if found in a program execution, indicates the presence of an exploit. While the former uses a formal specification that can capture several gadget variants targeting the same vulnerability, it is limited by the scalability of verification. Patterns, while more scalable, must be currently constructed manually, as they are narrower in scope and sensitive to gadget-specific structure. This work develops a technique that, given a non-interference-based semantic security hyperproperty, automatically generates attack patterns up to a certain complexity parameter (called the skeleton size). Thus, we combine the advantages of both approaches: security can be specified by a hyperproperty that uniformly captures several gadget variants, while automatically generated patterns can be used for scalable verification. We implement our approach in a tool and demonstrate the ability to generate new patterns, (e.g., for SpectreV1, SpectreV4) and improved scalability using the generated patterns over hyperproperty-based verification.