research-article

End-to-end automated exploit generation for validating the security of processor designs

Authors:

Calvin Deutschbein,

Cynthia SturtonAuthors Info & Claims

MICRO-51: Proceedings of the 51st Annual IEEE/ACM International Symposium on Microarchitecture

Pages 815 - 827

https://doi.org/10.1109/MICRO.2018.00071

Published: 20 October 2018 Publication History

Abstract

This paper presents Coppelia, an end-to-end tool that, given a processor design and a set of security-critical invariants, automatically generates complete, replayable exploit programs to help designers find, contextualize, and assess the security threat of hardware vulnerabilities. In Coppelia, we develop a hardware-oriented backward symbolic execution engine with a new cycle stitching method and fast validation technique, along with several optimizations for exploit generation. We then add program stubs to complete the exploit. We evaluate Coppelia on three CPUs of different architectures. Coppelia is able to find and generate exploits for 29 of 31 known vulnerabilities in these CPUs, including 11 vulnerabilities that commercial and academic model checking tools can not find. All of the generated exploits are successfully replayable on an FPGA board. Moreover, Coppelia finds 4 new vulnerabilities along with exploits in these CPUs. We also use Coppelia to verify whether a security patch indeed fixed a vulnerability, and to refine a set of assertions.

References

[1]

"Intel Skylake/Kaby Lake processors: broken hyper-threading," https://lists.debian.org/debian-devel/2017/06/msg00308.html, June 2017.

[2]

"Xen security advisory CVE-2015-5307,CVE-2015-8104 / XSA-156," http://xenbits.xen.org/xsa/advisory-156.html, Nov 2015.

[3]

"Intel Core i7-600, i5-500, i5-400 and i3-300 Mobile Processor Series," Specification Update, 2014. {Online}. Available: http://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/core-mobile-spec-update.pdf

[4]

"Revision Guide for AMD Family 16h Models 00h-0Fh Processors," Product Revision, 2013. {Online}. Available: http://support.amd.com/TechDocs/51810_16h_00h-0Fh_Rev_Guide.pdf

[5]

M. Hicks, C. Sturton, S. T. King, and J. M. Smith, "SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs," in Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, ser. ASPLOS '15. New York, NY, USA: ACM, 2015. {Online}. Available

Digital Library

[6]

K. Karnane and C. Goss, "Automating root-cause analysis to reduce time to find bugs by up to 50%," Cadence Design Systems, Tech. Rep., 2015. {Online}. Available: www.cadence.com/rl/Resources/whitepapers/indago_debug_platform_wp.pdf

[7]

D. Maksimovic, "Novel Directions in Debug Automation for Sequential Digital Designs in a Modern Verification Environment," Master's thesis, University of Toronto, Canada, 2015.

[8]

S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley, "Unleashing Mayhem on Binary Code," in Proceedings of the 2012 IEEE Symposium on Security and Privacy, ser. SP '12. Washington, DC, USA: IEEE Computer Society, 2012. {Online}. Available

Digital Library

[9]

R. Mukherjee, D. Kroening, and T. Melham, "Hardware Verification using Software Analyzers," in Proceedings of the IEEE Computer Society Annual Symposium on VLSI (ISVLSI). IEEE, 2015.

[10]

S. T. King, J. Tucek, A. Cozzie, C. Grier, W. Jiang, and Y. Zhou, "Designing and implementing malicious hardware," in Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), April 2008.

Digital Library

[11]

D. Davidson, B. Moench, T. Ristenpart, and S. Jha, "FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution," in Proceedings of the 22nd USENIX Security Symposium. Washington, D.C.: USENIX, 2013. {Online}. Available: https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/davidson

Digital Library

[12]

R. Zhang, N. Stanley, C. Griggs, A. Chi, and C. Sturton, "Identifying Security Critical Properties for the Dynamic Verification of a Processor," in Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems, ser. ASPLOS '17. New York, NY, USA: ACM, 2017. {Online}. Available

Digital Library

[13]

C. Cadar, D. Dunbar, and D. Engler, "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs," in USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2008. {Online}. Available: http://klee.github.io/

Digital Library

[14]

"Verilator," https://www.veripool.org/wiki/verilator.

[15]

"Clang: a C language family frontend for LLVM." {Online}. Available: https://clang.llvm.org/

[16]

B. Alpern and F. B. Schneider, "Recognizing safety and liveness," Distributed computing, vol. 2, 1987.

Digital Library

[17]

M. R. Clarkson and F. B. Schneider, "Hyperproperties," J. Comput. Secur., vol. 18, Sep. 2010. {Online}. Available: http://dl.acm.org/citation.cfm?id=1891823.1891830

Digital Library

[18]

W. Snyder, "Verilator," https://www.veripool.org/papers/verilator_philips_internals.pdf, 2005.

[19]

J. Bennett, "High Performance SoC Modeling with Verilator," http://www.embecosm.com/appnotes/ean6/embecosm-or1k-verilator-tutorial-ean6-issue-1.html, 2009.

[20]

M. Bilzor, T. Huffmire, C. Irvine, and T. Levin, "Security Checkers: Detecting processor malicious inclusions at runtime," in Hardware-Oriented Security and Trust (HOST), 2011 IEEE International Symposium on, June 2011.

[21]

"Comparison wrong for unsigned inequality with different MSB." {Online}. Available: http://bugzilla.opencores.org/show_bug.cgi?id=51

[22]

D. Lampret, "OpenRISC 1000 Architecture Manual," https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf?raw=true, 2014.

[23]

D. Kroening and M. Purandare, "EBMC: The enhanced bounded model checker." {Online}. Available: http://www.cprover.org/ebmc/

[24]

D. M. Perry, A. Mattavelli, X. Zhang, and C. Cadar., "Accelerating Array Constraints in Symbolic Execution," in Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM, 2010.

Digital Library

[25]

K. A. Andrew Waterman, "The RISC-V Instruction Set Manual Volume II: Privileged Architecture Version 1.10," https://riscv.org/specifications/privileged-isa/, 2017.

[26]

D. Brumley, P. Poosankam, D. Song, and J. Zheng, "Automatic patch-based exploit generation is possible: Techniques and implications," in Proceedings of the 2008 IEEE Symposium on Security and Privacy, ser. SP '08. Washington, DC, USA: IEEE Computer Society, 2008. {Online}. Available

Digital Library

[27]

S. Heelan, "Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities," 2009. {Online}. Available: http://www.cprover.org/dissertations/thesis-Heelan.pdf

[28]

T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley, "AEG: Automatic Exploit Generation," in Network and Distributed System Security Symposium, Feb. 2011.

[29]

T. Avgerinos, S. K. Cha, A. Rebert, E. J. Schwartz, M. Woo, and D. Brumley, "Automatic Exploit Generation," Commun. ACM, vol. 57, Feb. 2014. {Online}. Available

Digital Library

[30]

T. Bao, R. Wang, Y. Shoshitaishvili, and D. Brumley, "Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits," in 2017 IEEE Symposium on Security and Privacy (SP), May 2017.

[31]

M. Dalton, H. Kannan, and C. Kozyrakis, "Raksha: A Flexible Information Flow Architecture for Software Security," in Proceedings of the 34th Annual International Symposium on Computer Architecture, ser. ISCA '07. New York, NY, USA: ACM, 2007. {Online}. Available

Digital Library

[32]

G. Venkataramani, I. Doudalis, Y. Solihin, and M. Prvulovic, "FlexiTaint: A programmable accelerator for dynamic taint propagation," in 2008 IEEE 14th International Symposium on High Performance Computer Architecture, Feb 2008.

[33]

H. Chen, X. Wu, L. Yuan, B. Zang, P.-c. Yew, and F. T. Chong, "From Speculation to Security: Practical and Efficient Information Flow Tracking Using Speculative Hardware," in Proceedings of the 35th Annual International Symposium on Computer Architecture, ser. ISCA '08. Washington, DC, USA: IEEE Computer Society, 2008. {Online}. Available

Digital Library

[34]

M. Tiwari, H. M. Wassel, B. Mazloom, S. Mysore, F. T. Chong, and T. Sherwood, "Complete Information Flow Tracking from the Gates Up," in Proceedings of the 14th International Conference on Architectural Support for Programming Languages and Operating Systems, ser. ASPLOS XIV. New York, NY, USA: ACM, 2009. {Online}. Available

Digital Library

[35]

A. Ardeshiricham, W. Hu, J. Marxen, and R. Kastner, "Register Transfer Level Information Flow Tracking for Provably Secure Hardware Design," in Proceedings of the Conference on Design, Automation & Test in Europe, ser. DATE '17. 3001 Leuven, Belgium, Belgium: European Design and Automation Association, 2017. {Online}. Available: http://dl.acm.org/citation.cfm?id=3130379.3130775

Digital Library

[36]

H. Cherupalli, H. Duwe, W. Ye, R. Kumar, and J. Sartori, "Software-based Gate-level Information Flow Security for IoT Systems," in Proceedings of the 50th Annual IEEE/ACM International Symposium on Microarchitecture, ser. MICRO-50 '17. New York, NY, USA: ACM, 2017. {Online}. Available

Digital Library

[37]

X. Li, M. Tiwari, J. K. Oberg, V. Kashyap, F. T. Chong, T. Sherwood, and B. Hardekopf, "Caisson: A Hardware Description Language for Secure Information Flow," in Proceedings of the 32Nd ACM SIGPLAN Conference on Programming Language Design and Implementation, ser. PLDI '11. New York, NY, USA: ACM, 2011. {Online}. Available

Digital Library

[38]

X. Li, V. Kashyap, J. K. Oberg, M. Tiwari, V. R. Rajarathinam, R. Kastner, T. Sherwood, B. Hardekopf, and F. T. Chong, "Sapper: A Language for Hardware-level Security Policy Enforcement," in Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems, ser. ASPLOS '14. New York, NY, USA: ACM, 2014. {Online}. Available

Digital Library

[39]

D. Zhang, Y. Wang, G. E. Suh, and A. C. Myers, "A Hardware Design Language for Timing-Sensitive Information-Flow Security," in Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, ser. ASPLOS '15. New York, NY, USA: ACM, 2015. {Online}. Available

Digital Library

[40]

A. Ferraiuolo, R. Xu, D. Zhang, A. C. Myers, and G. E. Suh, "Verification of a Practical Hardware Security Architecture Through Static Information Flow Analysis," in Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems, ser. ASPLOS '17. New York, NY, USA: ACM, 2017. {Online}. Available

Digital Library

[41]

L.-T. Wang, Y.-W. Chang, and K.-T. Cheng, Electronic Design Automation: Synthesis, Verification, and Test. Morgan Kaufmann, 2009.

Digital Library

[42]

R. Brayton and A. Mishchenko, "ABC: An Academic Industrial-Strength Verification Tool," in Comuter Aided Verification (CAV). Lecture Notes in Computer Science, 2010.

Digital Library

[43]

D. Brand, "Verification of Large Synthesized Designs," in Proceedings of the IEEE/ACM International Conference on Computer Aided Design (ICCAD-93). IEEE, 1993.

Digital Library

[44]

D.Lin, E.Singh, C.Barrett, and S.Mitra, "A structured approach to post-silicon validation and debug using symbolic dquick error detection," in Proceedings of the IEEE International Test Conference, 2015.

[45]

H. Foster, Applied Assertion-Based Verification: An Industry Perspective, ser. Foundations and Trends(r) in Electronic Design Automation. Now Publishers, 2009. {Online}. Available: https://books.google.com/books?id=hL6d2t6Oh4EC

Digital Library

[46]

M. Abramovici and P. Bradley, "Integrated Circuit Security: New Threats and Solutions," in Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, ser. CSIIRW '09. New York, NY, USA: ACM, 2009. {Online}. Available

Digital Library

[47]

M. Bilzor, T. Huffmire, C. Irvine, and T. Levin, "Evaluating security requirements in a general-purpose processor by combining assertion checkers with code coverage," in Hardware-Oriented Security and Trust (HOST), 2012 IEEE International Symposium on. IEEE, 2012.

[48]

C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler, "EXE: Automatically Generating Inputs of Death," in Proceedings of the 13th ACM Conference on Computer and Communications Security, ser. CCS, 2006. {Online}. Available

Digital Library

[49]

P. Godefroid, M. Y. Levin, and D. Molnar, "SAGE: Whitebox Fuzzing for Security Testing," Queue, vol. 10, Jan. 2012. {Online}. Available

Digital Library

[50]

J. C. King, "Symbolic Execution and Program Testing," Communications of the ACM, vol. 19, Jul. 1976. {Online}. Available

Digital Library

[51]

L. Liu and S. Vasudevan, "STAR: Generating input vectors for design validation by static analysis of RTL," in IEEE International Workshop on High Level Design Validation and Test Workshop. IEEE, 2009.

Cited By

Dharsee KCriswell JCalandrino JTroncoso C(2023)JinnProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620627(6965-6982)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620627
Xu JLiu YHe SLin HZhou YWang CCalandrino JTroncoso C(2023)MorFuzzProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620311(1307-1324)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620311
Ryan KGregoire MSturton C(2023)SEIF: Augmented Symbolic Execution for Information Flow in Hardware DesignsProceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy10.1145/3623652.3623666(1-9)Online publication date: 29-Oct-2023
https://dl.acm.org/doi/10.1145/3623652.3623666
Show More Cited By

End-to-end automated exploit generation for validating the security of processor designs
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis

Recommendations

FAEG: Feature-Driven Automatic Exploit Generation
Internetware '23: Proceedings of the 14th Asia-Pacific Symposium on Internetware

Buffer overflow vulnerabilities are prevalent in software applications, and their automatic detection and exploitation are of great significance. Modern operating systems implement security mitigation to prevent the exploitation of these ...
Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications
SP '08: Proceedings of the 2008 IEEE Symposium on Security and Privacy

The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P, automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P. In this paper, we propose ...
System Service Call-oriented Symbolic Execution of Android Framework with Applications to Vulnerability Discovery and Exploit Generation
MobiSys '17: Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services

Android Application Framework is an integral and foundational part of the Android system. Each of the 1.4 billion Android devices relies on the system services of Android Framework to manage applications and system resources. Given its critical role, a ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

MICRO-51: Proceedings of the 51st Annual IEEE/ACM International Symposium on Microarchitecture

October 2018

1015 pages

ISBN:9781538662403

General Chairs:
Mark Oskin
University of Washington
,
Koji Inoue
Kyushu University

Sponsors

SIGMICRO: ACM Special Interest Group on Microarchitectural Research and Processing

Publisher

IEEE Press

Publication History

Published: 20 October 2018

Check for updates

Author Tags

Qualifiers

Research-article

Conference

MICRO-51

Sponsor:

SIGMICRO

MICRO-51: The 51st Annual IEEE/ACM International Symposium on Microarchitecture

October 20 - 24, 2018

Fukuoka, Japan

Acceptance Rates

Overall Acceptance Rate 484 of 2,242 submissions, 22%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

11
Total Citations
View Citations
143
Total Downloads

Downloads (Last 12 months)8
Downloads (Last 6 weeks)2

Reflects downloads up to 13 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Dharsee KCriswell JCalandrino JTroncoso C(2023)JinnProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620627(6965-6982)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620627
Xu JLiu YHe SLin HZhou YWang CCalandrino JTroncoso C(2023)MorFuzzProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620311(1307-1324)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620311
Ryan KGregoire MSturton C(2023)SEIF: Augmented Symbolic Execution for Information Flow in Hardware DesignsProceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy10.1145/3623652.3623666(1-9)Online publication date: 29-Oct-2023
https://dl.acm.org/doi/10.1145/3623652.3623666
Zuo GMa JQuinn AKasikci BAamodt TJerger NSwift M(2023)Vidi: Record Replay for Reconfigurable HardwareProceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 310.1145/3582016.3582040(806-820)Online publication date: 25-Mar-2023
https://dl.acm.org/doi/10.1145/3582016.3582040
Erata FDeng SZaghloul FXiong WDemir OSzefer J(2023)Survey of Approaches and Techniques for Security Verification of Computer SystemsACM Journal on Emerging Technologies in Computing Systems10.1145/356478519:1(1-34)Online publication date: 19-Jan-2023
https://dl.acm.org/doi/10.1145/3564785
Dai RYavuz T(2022)A Symbolic Approach to Detecting Hardware Trojans Triggered by Don’t Care TransitionsACM Transactions on Design Automation of Electronic Systems10.1145/355839228:2(1-31)Online publication date: 24-Dec-2022
https://dl.acm.org/doi/10.1145/3558392
Fu WYu HArias OYang KJin YYavuz TGuo XSavidis ISasan AThapliyal HDeMara R(2022)Graph Neural Network based Hardware Trojan Detection at Intermediate Representative for SoC PlatformsProceedings of the Great Lakes Symposium on VLSI 202210.1145/3526241.3530827(481-486)Online publication date: 6-Jun-2022
https://dl.acm.org/doi/10.1145/3526241.3530827
Ma JZuo GLoughlin KZhang HQuinn AKasikci BFalsafi BFerdman MLu SWenisch T(2022)Debugging in the brave new world of reconfigurable hardwareProceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3503222.3507701(946-962)Online publication date: 28-Feb-2022
https://dl.acm.org/doi/10.1145/3503222.3507701
Zhou ZReiter M(2021)Interpretable noninterference measurement and its application to processor designsProceedings of the ACM on Programming Languages10.1145/34855185:OOPSLA(1-30)Online publication date: 15-Oct-2021
https://dl.acm.org/doi/10.1145/3485518
Kabylkas NThorn TSrinath SXekalakis PRenau J(2021)Effective Processor Verification with Logic Fuzzer Enhanced Co-simulationMICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture10.1145/3466752.3480092(667-678)Online publication date: 18-Oct-2021
https://dl.acm.org/doi/10.1145/3466752.3480092
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents