TY - GEN
T1 - Modular Verification of Secure and Leakage-Free Systems
T2 - 30th ACM Symposium on Operating Systems Principles, SOSP 2024
AU - Athalye, Anish
AU - Corrigan-Gibbs, Henry
AU - Kaashoek, Frans
AU - Tassarotti, Joseph
AU - Zeldovich, Nickolai
N1 - Publisher Copyright:
© 2024 Copyright held by the owner/author(s).
PY - 2024/11/15
Y1 - 2024/11/15
N2 - Parfait is a framework for proving that an implementation of a hardware security module (HSM) leaks nothing more than what is mandated by an application specification. Parfait proofs cover the software and the hardware of an HSM, which catches bugs above the cycle-level digital circuit abstraction, including timing side channels. Parfait's contribution is a scalable approach to proving security and non-leakage by using intermediate levels of abstraction and relating them with transitive information-preserving refinement. This enables Parfait to use different techniques to verify the implementation at different levels of abstraction, reuse existing verified components such as CompCert, and automate parts of the proof, while still providing end-to-end guarantees. We use Parfait to verify four HSMs, including an ECDSA certificate-signing HSM and a password-hashing HSM, on top of the OpenTitan Ibex and PicoRV32 processors. Parfait provides strong guarantees for these HSMs: for instance, it proves that the ECDSA-on-Ibex HSM implementation - -2,300 lines of code and 13,500 lines of Verilog - -leaks nothing more than what is allowed by a 40-line specification of its behavior.
AB - Parfait is a framework for proving that an implementation of a hardware security module (HSM) leaks nothing more than what is mandated by an application specification. Parfait proofs cover the software and the hardware of an HSM, which catches bugs above the cycle-level digital circuit abstraction, including timing side channels. Parfait's contribution is a scalable approach to proving security and non-leakage by using intermediate levels of abstraction and relating them with transitive information-preserving refinement. This enables Parfait to use different techniques to verify the implementation at different levels of abstraction, reuse existing verified components such as CompCert, and automate parts of the proof, while still providing end-to-end guarantees. We use Parfait to verify four HSMs, including an ECDSA certificate-signing HSM and a password-hashing HSM, on top of the OpenTitan Ibex and PicoRV32 processors. Parfait provides strong guarantees for these HSMs: for instance, it proves that the ECDSA-on-Ibex HSM implementation - -2,300 lines of code and 13,500 lines of Verilog - -leaks nothing more than what is allowed by a 40-line specification of its behavior.
UR - http://www.scopus.com/inward/record.url?scp=85215509249&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85215509249&partnerID=8YFLogxK
U2 - 10.1145/3694715.3695956
DO - 10.1145/3694715.3695956
M3 - Conference contribution
AN - SCOPUS:85215509249
T3 - SOSP 2024 - Proceedings of the 2024 ACM SIGOPS 30th Symposium on Operating Systems Principles
SP - 655
EP - 672
BT - SOSP 2024 - Proceedings of the 2024 ACM SIGOPS 30th Symposium on Operating Systems Principles
PB - Association for Computing Machinery, Inc
Y2 - 4 November 2024 through 6 November 2024
ER -