



arm

# A Formal Model of Cache Speculation Side-Channels

Catalin Marinas

TLA<sup>+</sup> Community Event 2020

# Introduction

Why a formal model of cache speculation side-channels:

- A (simpler) way to reason about the behaviour of a system and its security properties
- Allows exploring similar vulnerabilities at an abstract level in a unified way
  - Same specification can cover Spectre variants and Meltdown

Aim for the formal model:

- Does the CPU specification guarantee the security properties under speculative execution for *any* code sequence?

Not covered:

- Is a *specific* code sequence vulnerable under the CPU specification?

# Spectre v1 Example

- Bypassing software checking of untrusted values (64-bit ARM assembly)

```
LDR    X1, [X2]          // X2 is a pointer to kernel_array->length  
CMP    X0, X1            // X0 holds untrusted_offset_from_user  
BGE    out_of_range  
LDRB   W4, [X5, X0]      // X5 holds kernel_array->data  
AND    X4, X4, #1         // arithmetic ops on potentially private data  
LSL    X4, X4, #8  
ADD    X4, X4, #0x200  
LDRB   X7, [X8, X4]      // X8 holds user_array->data, X4 secret-derived  
out_of_range
```

# Abstract Machine – State

- Constants (sets) and operation tables

$$LADDRS \triangleq \{l_1, l_2, \dots\}$$

$$HADDRS \triangleq \{h_1, h_2, \dots\}$$

$$DATA \triangleq \{d_1, d_2, \dots\}$$

$$REGS \triangleq \{r_1, r_2, \dots\}$$

$$ADDRS \triangleq LADDRS \cup HADDRS$$

$$VALUES \triangleq ADDRS \cup DATA \cup \{"zero"\}$$

$$OPTABLES \triangleq [VALUES \times VALUES \rightarrow VALUES]$$

- CPU security/privilege mode

$$mode \in \{"low", "high"\}$$

- CPU registers (array/function)

$$regs \in [REGS \rightarrow VALUES]$$

| Register | r1 | r2 | r3 | r4 | ... |
|----------|----|----|----|----|-----|
| Value    | d2 | d1 | l1 | h1 | ... |

- Memory (array/function)

$$mem \in [ADDRS \rightarrow VALUES]$$

$$cached \in [ADDRS \rightarrow BOOLEAN]$$

| Address | l1 | l2 | ... | h1 | h2 | ... |
|---------|----|----|-----|----|----|-----|
| Value   | d2 | l1 | ... | d3 | h1 | ... |
| Cached  | T  | F  | ... | F  | T  | ... |

# Abstract Machine – Actions (state transitions)

- Sets of *valid* instructions (*tuples* of mnemonic and arguments)

$$Havoc \triangleq \{("SET", r, v) : r \in REGS, v \in VALUES\}$$
$$Move \triangleq \{("MOV", rt, rm) : rt, rm \in REGS\}$$
$$Load \triangleq \{("LDR", rt, rm) : rt, rm \in REGS \wedge AccessOK(regs[rm])\}$$
$$Store \triangleq \{("STR", rt, rm) : rt, rm \in REGS \wedge AccessOK(regs[rm])\}$$
$$Op \triangleq \{("OP", rt, rm, rn, op) : rt, rm, rn \in REGS, op \in OPTABLES\}$$
$$Exception \triangleq IF \ mode = "low" \ THEN \ \{("HCALL")\} \ ELSE \ \{("LRET")\}$$

- The set of all possible *valid* instructions

$$Instructions \triangleq Havoc \cup Move \cup Load \cup Store \cup Op \cup Exception$$

- Instruction dispatch/execution: **Execute(instr)**

# Program Execution as Succession of States

- Initial *SimpleCPU* state

$\text{Init} \triangleq \wedge mode = "low"$   
 $\wedge regs = [r \in REGS \mapsto "zero"]$   
 $\wedge mem \in [ADDRS \rightarrow VALUES]$   
 $\wedge cached = [a \in ADDRS \mapsto FALSE]$

- Next *SimpleCPU* step

$\text{Next} \triangleq \exists instr \in Instructions : Execute(instr)$



# Abstract Model of Speculative Execution

- Speculative execution modelled as a “*shadow* abstract machine (CPU) sharing the **mem** and **cached** states with the *executing machine* but with a separate **regs** state
  - Speculating machine* supports a subset of *Instructions*, e.g. *Load*  $\cup$  *Op*



# TLA<sup>+</sup> Specification of Speculative Execution

- Speculating machine has its own registers

$$\text{ExecCPU} \triangleq \text{INSTANCE } \text{SimpleCPU}$$
$$\text{SpecCPU} \triangleq \text{INSTANCE } \text{SimpleCPU} \text{ WITH } \text{regs} \leftarrow \text{specregs}$$

- Speculating registers state discarded on (committed) instruction execution

$$\text{Exec(instr)} \triangleq \text{ExecCPU! Execute(instr)} \wedge \text{specregs}' = \text{regs}'$$
$$\text{Spec(instr)} \triangleq \text{SpecCPU! Execute(instr)} \wedge \text{UNCHANGED } \langle \text{regs}, \text{mem} \rangle$$

- Only certain instructions are available under speculation

$$\text{ExecInstr} \triangleq \text{Havoc} \cup \text{Move} \cup \text{Load} \cup \text{Store} \cup \text{Op} \cup \text{Exception}$$
$$\text{SpecInstr} \triangleq \text{Load} \cup \text{Op}$$

- Either execution or speculation

$$\text{Next} \triangleq \vee \exists \text{instr} \in \text{ExecInstr} : \text{Exec(instr)}$$
$$\vee \exists \text{instr} \in \text{SpecInstr} : \text{Spec(instr)}$$

# Roles, States and Observations

**Victim:** high security mode (e.g. OS kernel)

- High *mode* state consists of CPU registers and high security memory  
$$HighState \triangleq \langle regs, [addr \in HADDRS \mapsto mem[addr]] \rangle$$
- High *mode* input and output consist of CPU registers and low security memory

$$Input \triangleq \langle regs, [addr \in LADDRS \mapsto mem[addr]] \rangle$$
$$Output \triangleq \langle regs, [addr \in LADDRS \mapsto mem[addr]] \rangle$$

# Roles, States and Observations

**Attacker:** low security mode (e.g. user application)

- Low *mode* state consists of CPU registers and user memory:

$$LowState \triangleq \langle \text{regs}, [\text{addr} \in LADDRS \mapsto \text{mem}[\text{addr}]] \rangle$$

- Without *side-channels*, the attacker can only observe the values in low memory:

$$LowObs \triangleq [\text{addr} \in LADDRS \mapsto \langle \text{mem}[\text{addr}] \rangle]$$

- With *cache side-channels*, the attacker can additionally observe the *cached* state of a memory location (e.g. by measuring the access time)

$$LowObs \triangleq [\text{addr} \in LADDRS \mapsto \langle \text{mem}[\text{addr}], \text{cached}[\text{addr}] \rangle]$$

# Security Properties – Confidentiality

- The *attacker's observations* (*LowObs*) is a deterministic function of the initial *LowState*, the *victim's Output* (same as *LowState*) and its own actions
  - The *attacker* cannot observe anything other than what the *victim* explicitly allows in its *output*
- Formal model: any two *LowState-identical* behaviours of a system *P*, with the same initial *LowObs*, have identical *LowObs* observations

$\forall \sigma_1, \sigma_2 \models P :$

$$(\mathbf{LowObs}(\sigma_1^0) = \mathbf{LowObs}(\sigma_2^0) \wedge$$

$$\forall i \in \text{Nat} : \mathbf{LowState}(\sigma_1^i) = \mathbf{LowState}(\sigma_2^i)) \Rightarrow$$

$$\forall i \in \text{Nat} : \mathbf{LowObs}(\sigma_1^i) = \mathbf{LowObs}(\sigma_2^i)$$

(not valid TLA<sup>+</sup> syntax)

# Security Properties – Integrity

- The *victim's state* is a deterministic function of the initial *HighState*, *victim's Input* and its own actions
  - *Victim's execution* (sequence of states) is not affected by the *attacker* beyond the *Input* provided
- Formal model: any two behaviours of a system *P*, with the same initial *HighState* and same *Input*, have identical *HighState* and *Output*

$\forall \sigma_1, \sigma_2 \models P :$

$(\mathbf{HighState}(\sigma_1^0) = \mathbf{HighState}(\sigma_2^0) \wedge$

$\forall i \in \text{Nat} : \mathbf{Input}(\sigma_1^i) = \mathbf{Input}(\sigma_2^i)) \Rightarrow$

$\forall i \in \text{Nat} : (\mathbf{HighState}(\sigma_1^i) = \mathbf{HighState}(\sigma_2^i) \wedge$

$\mathbf{Output}(\sigma_1^i) = \mathbf{Output}(\sigma_2^i))$

(not valid TLA<sup>+</sup> syntax)

# Confidentiality in TLA<sup>+</sup>

- Hyperproperties not supported directly, creating a new specification for two behaviours

$$\begin{aligned} \mathbf{Init} &\triangleq \wedge CPU1!Init \wedge CPU2!Init \\ &\quad \wedge CPU1!LowState = CPU2!LowState \\ &\quad \wedge CPU1!LowObs = CPU2!LowObs \end{aligned}$$

$$\begin{aligned} \mathbf{Next} &\triangleq \vee \exists instr \in ExecInstr : (CPU1!Exec(instr) \wedge CPU2!Exec(instr) \wedge \\ &\quad \quad \quad \textcolor{orange}{regs1' = regs2'}) \\ &\quad \vee \exists instr \in SpecInstr : CPU1!Spec(instr) \wedge CPU2!Spec(instr) \end{aligned}$$

$$\mathbf{Spec} = \mathbf{Init} \wedge \square[\mathbf{Next}]_{vars}$$

$$\mathbf{THEOREM} \; \mathbf{Spec} \Rightarrow \square(CPU1!LowObs = CPU2!LowObs)$$

# Confidentiality under Speculative Execution (high mode)



# Security Vulnerabilities in the Abstract Machine

- **Spectre v1:** *confidentiality property violated by the speculating machine (SpecCPU)*
  - Software workarounds aim to make *speculative execution* deterministic of only non-confidential state
- **Spectre v2:** *integrity of the victim's speculating machine affected through branch predictor training by the attacker*
  - Software workarounds to make the *speculative execution trace* deterministic of the high state and high *mode* input only
- **Meltdown (v3):** address space isolation not guaranteed by the *speculating machine* (*AccessOK* in a low *mode* *speculated Load* instruction is *TRUE* for high addresses)
  - Software workaround to enforce *AccessOK* by other means like KPTI (kernel page table isolation)
- **Spectre v4 (Speculative Store Bypass):** similar to Spectre v1 where the *speculating machine* can read older instances of *mem* (prior to *executed Store* instructions)
  - SSBD as hardware workaround, fine-grained SSBB as software workaround

# Effects of (ARM) Barriers on the Abstract Machine

- **CSDB** (Consumption of Speculative Data Barrier): disallows the *Havoc* set of instructions (or part of – data value prediction) in the *speculating machine*
- **SSBB** (Speculative Store Bypass Barrier): prevents *Load* instructions in the *speculating machine* from reading older instances of *mem* prior to an *executed Store* instruction
- **SB** (Speculation Barrier): prevents subsequent instructions in the *speculating machine* from changing the output of an *observation function* (e.g. *LowObs*)

# Notable References

- Arm Limited. *Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism* whitepaper
- Lamport. *Specifying Systems*
- Subramanyan et al. *A Formal Foundation for Secure Remote Execution of Enclaves*
- Guarnieri et al. *SPECTECTOR: Principled Detection of Speculative Information Flows*
- Several other papers on non-interference and observational determinism
- Catalin Marinas. TLA<sup>+</sup> model of the cache speculation side-channels  
<http://procode.org/cachespec/>

arm

Thank You

Danke  
Merci

謝謝

ありがとう

Gracias

Kiitos

감사합니다

ধন্যবাদ

شَكْرًا

ধন্যবাদ

תודה