

# Formalizing Hardware-Software Contracts in



THEOREM PROVER

29.11.2024

Haoyi Zeng



Thomas Bourgeat

**EPFL**



# SPECTRE



Hardware



# Some Scary News



## Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs

By Eduard Kovacs on October 15, 2021



s of new timing and power-based side-channel attacks against AMD, but the chipmaker says no new mitigations are

by researchers Moritz Lipp and Daniel Gruss of the University of Innsbruck and Stefan Schwarz of the CISPA Helmholtz Center for Information and Technology. Those researchers, along with those who discovered the original Meltdown and

BBC

Home News Sport Business Innovation Culture Arts Travel Earth Video Live

## Intel, ARM and AMD chip scare: What you need to know

4 January 2018

Share Save



# Spectre Attacks



**Timing side channels**  
+  
**Speculative execution**

# A Spectre Vulnerable program

Cannot access  $A[x]$  when  $x$  is out of bounds?

access “secret”  
 $A[x]$

```
if (x < size) {  
    tmp = A[x]  
    out = B[tmp]  
}
```

leak  $A[x]$  via  
data cache

size of array A

$(x < size) == true$  X



Hardware



# **How to formalize Spectre vulnerabilities?**

# How to formalize Spectre vulnerabilities?

Program  $\pi$  is **speculative non-interference (SNI)**:  $\forall \sigma, \sigma' : \text{states},$

$$\llbracket \pi \rrbracket^{seq}(\sigma) = \llbracket \pi \rrbracket^{seq}(\sigma') \implies \llbracket \pi \rrbracket^{spec}(\sigma) = \llbracket \pi \rrbracket^{spec}(\sigma')$$

Compare **leakage** without and with speculation

# Speculative Execution

$$\text{LOAD} \quad p(a(\mathbf{pc})) = \mathbf{load} \ x, e \quad x \neq \mathbf{pc} \quad n = \langle e \rangle(a)$$

$$\frac{}{\langle m, a \rangle \xrightarrow{\text{load}} \langle m, a[\mathbf{pc} \mapsto a(\mathbf{pc}) + 1, x \mapsto m(n)] \rangle}$$

$\llbracket \pi \rrbracket^{seq}(\sigma)$

Sequence execution with events

$$\text{LOAD} \quad p(a(\mathbf{pc})) = \mathbf{load} \ x, e \quad \langle m, a \rangle \xrightarrow{\text{load}} \langle m', a' \rangle$$

$$\frac{}{\langle m, a \rangle \xrightarrow{\text{load } \langle e \rangle(a) \text{ seq}} \langle m', a' \rangle}$$

$\llbracket \pi \rrbracket^{spec}(\sigma)$

Speculative execution with events



Branch predictor

BRANCH

$$p(\sigma(\mathbf{pc})) = \mathbf{beqz} \ x, \ell \quad \ell_{correct} = \begin{cases} \ell & \text{if } \sigma(x) = 0 \\ \sigma(\mathbf{pc}) + 1 & \text{otherwise} \end{cases} \quad \ell_{mispred} \in \{\ell, \sigma(\mathbf{pc}) + 1\} \setminus \ell_{correct} \quad \omega_{mispred} = \begin{cases} w & \text{if } \omega = \infty \\ \omega & \text{otherwise} \end{cases}$$


---


$$\langle \sigma, \omega + 1 \rangle \cdot s \xrightarrow[\text{ct}]{\mathbf{pc} \ \ell_{mispred} \ \text{spec}} \langle \sigma[\mathbf{pc} \mapsto \ell_{mispred}], \omega_{mispred} \rangle \cdot \langle \sigma[\mathbf{pc} \mapsto \ell_{correct}], \omega \rangle \cdot s$$

```

if  (x < size) {
    tmp = A[ x ]
    out = B[ tmp ]
}

```



$$\begin{aligned}\sigma_1 &= A + x \mapsto a \\ \sigma_2 &= A + x \mapsto b\end{aligned}$$

$$[\![\pi]\!]^{seq}(\sigma_1) = \text{start} \cdot \text{jump end}$$

$$[\![\pi]\!]^{seq}(\sigma_2) = \text{start} \cdot \text{jump end}$$

$$[\![\pi]\!]^{spec}(\sigma_1) = \text{start} \cdot \text{load } (A + x) \cdot \text{load } (a) \cdot \text{jump end}$$

$$[\![\pi]\!]^{spec}(\sigma_2) = \text{start} \cdot \text{load } (A + x) \cdot \text{load } (b) \cdot \text{jump end}$$

# **Demo**

Spectre-v1.lean

# Speculative Execution

But that's not true....



Hardware

There can be a huge gap between  
the **hardware** and the **model**



**Develop an abstract model of  
hardware leakage**

# Key idea



Hardware



Contract

$$[\![\pi]\!]^{seq}(\sigma) = [\![\pi]\!]^{seq}(\sigma') \implies$$

$$[\![\pi]\!]^{spec}(\sigma) = [\![\pi]\!]^{spec}(\sigma')$$

$$[\![\pi]\](\sigma) = [\![\pi]\](\sigma') \implies$$

$$(\langle \pi \rangle)(\sigma) = (\langle \pi \rangle)(\sigma')$$



Hardware Semantics

# Hardware Software Contracts

$$[\![ \cdot ]\!]$$

$[\![ \cdot ]\!] : \text{prog} \rightarrow \text{state} \rightarrow \text{List events}$

$$[\![ \cdot ]\!]$$

$= \text{Execution Mode} \times \text{Observer Mode}$

Execution Mode = {Seq, Spec, ...}

Observer Mode = {Arch, CT, ...}



# Using Hardware-Software Contracts

## From software side

$$\llbracket \pi \rrbracket^{seq}(\sigma) = \llbracket \pi \rrbracket^{seq}(\sigma') \implies \llbracket \pi \rrbracket(\sigma) = \llbracket \pi \rrbracket(\sigma')$$

```
if (x < size){  
    tmp = A[x]  
    out = B[tmp]  
}
```

```
start:  
%cond ← %x < %size  
br %cond, then, end  
  
then:  
load %tmp, %A + %x  
load %out, %B + %tmp  
br end
```



Spectector

Automatic detection of speculative information flows

Star 66

# Spectre attacks



$p$

start:

```
%cond ← ψ(%x, %size)
br %cond, then, end
```

then:

```
load %tmp, ψ(%A, %x)
load %out, ψ(%B, %tmp)
br end
```

$\varphi_p$

flow( $\psi(%x, %size)$ )

start(0)

block(*then*)

load( $\psi(%A, %x)$ )

**load( $\psi(%B, \text{read(mem, } \psi(%A, %x)))$ )**

block(*end*)

rollback(0)

block(*end*)

**Z3**    $\neg \text{Sat}(\varphi_p) \Rightarrow \text{SNI}(p)$

## KAWA: An Abstract Language for Scalable and Variable Detection of Spectre Vulnerabilities



Zheyuan Wu  
Saarland University  
Saarbrücken, Germany  
zhwu00001@stud.uni-saarland.de

Haoyi Zeng  
Saarland University  
Saarbrücken, Germany  
haze00001@stud.uni-saarland.de

Aaron Bies  
Saarland University  
Saarbrücken, Germany  
bies@cs.uni-saarland.de

### Abstract

Since the discovery of Spectre attacks, various detection methods for speculative vulnerabilities have been developed. Sound static analyses based on symbolic execution give precise results but lack scalability, while pattern-based analyses can accommodate large code bases but may be unsound and require manually crafted patterns for each microarchitecture.

We introduce KAWA, an abstract language designed to model control and data flows, allowing efficient analysis of Spectre vulnerabilities. KAWA's abstract nature also enables interpretation as schemata to capture entire classes of

chitectural state, e.g., in the cache state. In the prototypical Spectre v1 example below, arbitrary out-of-bounds array accesses to array A can be triggered if the attacker controls the input x and trains the branch predictor to mispredict the condition of the if-statement.

**Example 1.1.** The prototypical Spectre-v1 example [7]:

**if** ( $x < \text{size}$ )  $\text{out} = B[A[x] * 512]$ ; To address Spectre and related vulnerabilities, various countermeasures have been proposed, both at hardware [12, 18–20] and software level [4, 8–10, 15, 17, 21]. This work focuses on software-level defenses, where the main chal-

# Let's do everything using proof assistants



32

One more reason:

$\text{headConf}(\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(|\text{buf}_{i-1}|)))[\text{pc} \mapsto \ell]$  because  $\text{headConf}(\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(\ln(\text{hr}(i-1))))(x) = 0$ . From  $\langle m_{i-1}, a_{i-1} \rangle \uplus \text{buf}_{i-1} = \text{headConf}(\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(|\text{buf}_{i-1}|)))$ , we therefore get  $\text{headConf}(\text{rb}_{\text{cr}}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(\ln(\text{hr}(i-1)))) = \langle m_{i-1}, a_{i-1} \rangle \uplus \text{buf}_{i-1}[\text{pc} \mapsto \ell]$ . By leveraging  $\cdot \uplus \cdot$ 's definition and  $\ell = \ell'$ , we get  $\text{headConf}(\text{rb}_{\text{cr}}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(\ln(\text{hr}(i-1)))) = \langle m_{i-1}, a_{i-1} \rangle \uplus (\text{buf}_{i-1} \cdot \text{pc} \leftarrow \ell' @ \text{apl}(a_{i-1}, \text{buf}_{i-1})(\text{pc}))$ . From  $\text{buf}_i = \text{pc} \leftarrow \ell' @ \text{apl}(a_{i-1}, \text{buf}_{i-1})(\text{pc}) \cdot \text{buf}_{i-1}$ ,  $a_i = a_{i-1}$ , and  $m_i = m_{i-1}$ , we get  $\text{headConf}(\text{rb}_{\text{cr}}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(\ln(\text{hr}(i-1)))) = \langle m_i, a_i \rangle \uplus \text{buf}_i$ . Finally, from  $\text{corr}_{\text{cr}, \text{hr}}(i) = \text{corr}_{\text{cr}, \text{hr}}(i-1)[\ln(\text{hr}(i-1)) + 1 \mapsto \text{rb}_{\text{cr}}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(\ln(\text{hr}(i-1))))]$ ,  $|\text{buf}_i| = \ln(\text{hr}(i-1)) + 1$ ,  $\text{buf} = \text{buf}_i$ , we get  $\langle m_i, a_i \rangle \uplus \text{buf} = \text{headConf}(\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i)(|\text{buf}|)))$ .

(ii): We need to show  $\#mispr(\langle m_i, a_i \rangle, \text{buf}) + 1 \geq |\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i)(|\text{buf}|))|$ . From (H.3.a.ii) and  $\text{buf}_{i-1} \in \text{prefixes}(\text{buf}_{i-1})$ , we have  $\#mispr(\langle m_{i-1}, a_{i-1} \rangle, \text{buf}_{i-1}) + 1 \geq |\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(|\text{buf}_{i-1}|))|$ . From  $\text{buf} = \text{pc} \leftarrow \ell' @ \text{apl}(a_{i-1}, \text{buf}_{i-1})(\text{pc}) \cdot \text{buf}_{i-1}$  and  $\text{headConf}(\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(\ln(\text{hr}(i-1))))(x) = 0$ , we get that  $\#mispr(\langle m_{i-1}, a_{i-1} \rangle, \text{buf}) = \#mispr(\langle m_{i-1}, a_{i-1} \rangle, \text{buf}_{i-1})$ . From (2) and  $p(\text{apl}(a_{i-1}, \text{buf}_{i-1})(\text{pc})) = \text{beqz } x, \ell$ , we get that  $\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(|\text{buf}_{i-1}|) + 1)$  is obtained by executing the BRANCH rule of  $\text{spec}_{ct}$  starting from  $\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(|\text{buf}_{i-1}|))$ . From this and Lemma 2,  $|\text{rb}_{\text{cr}}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(\ln(\text{hr}(i-1))))| = |\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(|\text{buf}_{i-1}|))|$ . Therefore, we get  $\#mispr(\langle m_{i-1}, a_{i-1} \rangle, \text{buf}) + 1 \geq |\text{rb}_{\text{cr}}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(\ln(\text{hr}(i-1))))|$ . Finally, from  $a_i = a_{i-1}$ ,  $m_i = m_{i-1}$ ,  $\text{corr}_{\text{cr}, \text{hr}}(i) = \text{corr}_{\text{cr}, \text{hr}}(i-1)[\ln(\text{hr}(i-1)) + 1 \mapsto \text{rb}_{\text{cr}}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(\ln(\text{hr}(i-1))))]$ , and  $|\text{buf}| = \ln(\text{hr}(i-1)) + 1$ , we get  $\#mispr(\langle m_i, a_i \rangle, \text{buf}) + 1 \geq |\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i)(|\text{buf}|))|$ .

(iii): We need to show  $\#mispr(\langle m_i, a_i \rangle, \text{buf}) = 0 \leftrightarrow \text{headWndw}(\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i)(|\text{buf}|))) = \infty$ . From (H.3.a.iii) and  $\text{buf}_{i-1} \in \text{prefixes}(\text{buf}_{i-1})$ , we have  $\#mispr(\langle m_{i-1}, a_{i-1} \rangle, \text{buf}_{i-1}) = 0 \leftrightarrow \text{headWndw}(\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(|\text{buf}_{i-1}|))) = \infty$ . From (2) and  $p(\text{apl}(a_{i-1}, \text{buf}_{i-1})(\text{pc})) = \text{beqz } x, \ell$ , we get that  $\text{cr}(\text{corr}_{\text{cr}, \text{hr}}(i-1)(|\text{buf}_{i-1}|) + 1)$  is obtained by executing the BRANCH rule

~ 80 pages

# Using Hardware-Software Contracts

## From hardware side

$$\llbracket \pi \rrbracket(\sigma) = \llbracket \pi \rrbracket(\sigma') \implies (\llbracket \pi \rrbracket)(\sigma) = (\llbracket \pi \rrbracket)(\sigma')$$



Given any

| Component                 | States             | Initial state | Functions                                                                  |
|---------------------------|--------------------|---------------|----------------------------------------------------------------------------|
| <i>Cache</i>              | <i>CacheStates</i> | $cs_0$        | $access : CacheStates \times Vals \rightarrow \{\text{Hit}, \text{Miss}\}$ |
| <i>Branch predictor</i>   | <i>BpStates</i>    | $bp_0$        | $predict : BpStates \times Vals \rightarrow Vals$                          |
| <i>Pipeline scheduler</i> | <i>ScStates</i>    | $sc_0$        | $next : ScStates \rightarrow Dir$                                          |

$(\cdot)$  :  $\text{prog} \rightarrow \text{hardware\_state} \rightarrow \text{List events}$

→ retire

→ execute

EXECUTE-BRANCH-COMMIT

$$\frac{\ell_0 \neq \varepsilon \quad p(\ell_0) = \mathbf{beqz} \, x, \ell'' \quad |buf| = i - 1 \quad a' = apl(buf, a) \quad \mathbf{spbarr}@T' \notin buf \quad (a'(x) = 0 \wedge \ell = \ell'') \vee (a'(x) \in Vals \setminus \{0, \perp\} \wedge \ell = \ell_0 + 1) \quad bp' = update(bp, \ell_0, \ell)}{\langle m, a, buf \cdot pc \leftarrow \ell @ \ell_0 \cdot buf', cs, bp \rangle \xrightarrow{\text{execute } i} \langle m, a, buf \cdot pc \leftarrow \ell @ \varepsilon \cdot buf', cs, bp' \rangle}$$

EXECUTE-BRANCH-ROLLBACK

$$\frac{|buf| = i - 1 \quad a' = apl(buf, a) \quad \mathbf{spbarr}@T' \notin buf \quad \ell_0 \neq \varepsilon \quad p(\ell_0) = \mathbf{beqz} \, x, \ell'' \quad (a'(x) = 0 \wedge \ell \neq \ell'') \vee (a'(x) \in Vals \setminus \{0, \perp\} \wedge \ell \neq \ell_0 + 1) \quad \ell' \in \{\ell'', \ell_0 + 1\} \setminus \{\ell\} \quad bp' = update(bp, \ell_0, \ell')}{\langle m, a, buf \cdot pc \leftarrow \ell @ \ell_0 \cdot buf', cs, bp \rangle \xrightarrow{\text{execute } i} \langle m, a, buf \cdot pc \leftarrow \ell' @ \varepsilon, cs, bp' \rangle}$$

Definition (Out-of-order scheduler)

$S_{ooo} := \text{fetch} \cdot \text{fetch} \cdot \text{execute} \cdot \text{fetch} \cdot \text{execute} \cdot \text{retire} \cdots$

Definition (Sequence scheduler)

$S_{seq} := \text{fetch} \cdot \text{execute} \cdot \text{retire} \cdot \text{fetch} \cdot \text{execute} \cdot \text{retire} \cdots$

# **Formalizing Hardware-Software Contracts**

# Goal

**Theorem 1** (Contract Satisfaction 1):

For any hardware model  $(\pi)$  instantiated by arbitrary cache, branch predictor, and scheduler, we have:

$$(\bullet) \models [\cdot]^{spec}$$

$$[\pi]^{seq}(\sigma) = [\pi]^{seq}(\sigma') \implies [\pi](\sigma) = [\pi](\sigma')$$

$$[\pi](\sigma) = [\pi](\sigma') \implies (\pi)(\sigma) = (\pi)(\sigma')$$

**Conclusion:** For any program  $\pi$ , if Spectector/Kawa shows that  $\pi$  is SNI, then  $\pi$  is secure against side-channel attacks on this machine model

## Fact 1 (Contract Satisfaction 1):

For any hardware model  $(\cdot)$  instantiated by arbitrary cache, branch predictor. If the scheduler is  $S_{seq}$ , we have:

$$(\cdot) \models [\cdot]^{seq}$$

**Proof by induction**

on contracts step

with an invariant



Because the scheduler  
is boring

# Future Work



- Challenge of contract satisfaction proof**
- A program logic for proving SNI**  
(Relational Hoare Logic, Hyper Hoare Logic)

# **Full stack verification**

- 1. More realistic examples** (Model Checking + Proof Assistant)
- 2. Secure compilation**