## Complete Information Flow Tracking from Gates Up

Mohit Tiwari, Xun Li, Hassan M G Wassel, Frederic T Chong, Timothy Sherwood

Presented by Mengjia Yan
Based on slides from Mohit Tiwari



 Non-Interference: a change in a High input can never be observed or inferred from changes in the Low output. That is, High data should never leak to Low



- Non-Interference: a change in a High input can never be observed or inferred from changes in the Low output. That is, High data should never leak to Low
- Confidentiality-Integrity Duality: "High" is more conservative label. Secret or Tainted/Untrusted.



- Non-Interference: a change in a High input can never be observed or inferred from changes in the Low output. That is, High data should never leak to Low
- Confidentiality-Integrity Duality: "High" is more conservative label. Secret or Tainted/Untrusted.



#### **Information Flow for Privacy**

- General lattice policies
- Secret vs. Unclassified Data
  - Secret: data with restricted access permission
  - Unclassified: data with unrestricted access



#### **Information Flow for Privacy**

- General lattice policies
- Secret vs. Unclassified Data
  - Secret: data with restricted access permission
  - Unclassified: data with unrestricted access
- Enforce the property of non-interference:
  - Verify information never flows from high to low.
  - Secret information is never used to modify unclassified data



#### **Information Flow for Integrity**

- Trusted vs. Untrusted Tasks
  - Trusted: processes which are critical to the correct functionality of the space vehicle systems
  - Untrusted: mission processes, diagnostics, anything whose malfunction will not cause a vehicle loss



#### **Information Flow for Integrity**

- Trusted vs. Untrusted Tasks
  - Trusted: processes which are critical to the correct functionality of the space vehicle systems
  - Untrusted: mission processes, diagnostics, anything whose malfunction will not cause a vehicle loss
- Enforce the property of non-interference:
  - Verify information never flows from high to low.
  - Untrusted information is never used to make critical (trusted) decisions nor to determine the schedule (real-time)

#### **Threat Model**

- Low output can include
  - Program output
  - Timing
  - Contention on system resources

#### **Threat Model**

- Low output can include
  - Program output
  - Timing
  - Contention on system resources

- Not include
  - Untrusted hardware component problem
  - Physical attacks that may tamper with memory
  - Non-digital side-channel attacks (power distribution and RF signals)

6.888 Fall 2020

#### Highlights

• A secure SW/HW co-design which is verifiable

- Gate-level information flow tracking
  - More precise than conventional IFT

- ISA restrictions to prevent taint explosion
  - Handling conditional branch
  - Handling loops
  - Handling loads/stores

6.888 Fall 2020 6

#### Highlights

• A secure SW/HW co-design which is verifiable

- Gate-level information flow tracking
  - More precise than conventional IFT

A new way to look at IFT from a new perspective.

- ISA restrictions to prevent taint explosion
  - Handling conditional branch
  - Handling loops
  - Handling loads/stores

6.888 Fall 2020 6

#### Highlights

• A secure SW/HW co-design which is verifiable

- Gate-level information flow tracking
  - More precise than conventional IFT

A new way to look at IFT from a new perspective.

- ISA restrictions to prevent taint explosion
  - Handling conditional branch
  - Handling loops
  - Handling loads/stores

Usage: GLIFT + Information Flow Policy

6.888 Fall 2020





**Applications** 

Language

Compiler/OS

Instruction Set (ISA)

Microarchitecture

**Logic Gates** 

Security Properties

Hardware/Software

Design for Verifiable

Security

# Security Properties

## The Vision: Hardware Design for Software Security Verification

**Applications** 

Language

Compiler/OS

Instruction Set (ISA)

Microarchitecture

**Logic Gates** 

**Applications** Language Compiler/OS Security Properties Instruction Set (ISA) Microarchitecture **Logic Gates** 

- Information flows through Space
  - Registers, Memory, Micro-architectural state etc.

- Information flows through Space
  - Registers, Memory, Micro-architectural state etc.

$$out1 = ld(high)$$

(explicit flow)

- Information flows through Space
  - Registers, Memory, Micro-architectural state etc.

```
out1 = ld(high) if (high == 1)
out1 = 1
else
out2 = 0
```

(explicit flow)

(implicit flow)

#### Static and Dynamic Information Flow Tracking

$$out1 = ld(high)$$

$$out2 = Id(low)$$

(implicit flow)

#### Static and Dynamic Information Flow Tracking

- Static analysis is conservative (need alias analysis for precise results)
- Dynamic analysis has difficulty in analyzing implicit flow

```
out1 = ld(high)
out1 = ld(low)
out2 = ld(low)
out2 = ld(low)
out2 = 0
(explicit flow)
(implicit flow)
```

5.888 Fall 2020

9

#### Static and Dynamic Information Flow Tracking

- Static analysis is conservative (need alias analysis for precise results)
- Dynamic analysis has difficulty in analyzing implicit flow

```
out1 = ld(high)
out2 = ld(low)
out2 is tainted if the address or the memory value is tainted (explicit flow)
```

if (high == 1)
 out1 = 1
else
 out2 = 0

(implicit flow)

9

6.888 Fall 2020

- Information flows through Space
  - Registers, Memory, Micro-architectural state etc.

- Information flows through Time
  - Observable events such as PC, I/O channels etc.

- Information flows through Space
  - Registers, Memory, Micro-architectural state etc.

- Information flows through Time
  - Observable events such as PC, I/O channels etc.



• How to account for all information flows in a system?

How to construct practical systems that won't leak?

6.888 Fall 2020 11

- How to account for all information flows in a system?
  - → So that the security property can be verifiable

How to construct practical systems that won't leak?

388 Fall 2020 11

- How to account for all information flows in a system?
  - → So that the security property can be verifiable
  - → Avoid taint explosion

How to construct practical systems that won't leak?

888 Fall 2020 11

- How to account for all information flows in a system?
  - → So that the security property can be verifiable
  - → Avoid taint explosion
- How to construct practical systems that won't leak?
  - → Use the concept of GLIFT to guide the design

888 Fall 2020 11



Secure System



• Flatten design to a (giant) state machine



- Flatten design to a (giant) state machine
- Does every output have desired label?



- Flatten design to a (giant) state machine
- Does every output have desired label?

## **High-level View: Track all flows**



Insight: All flows explicit at the gate level

## **High-level View: Track all flows**



- Outputs: Logic function of state and inputs
- Output Labels: Logic func. of state, inputs, and labels



**AND** 





**AND** 

Shadow AND for labels





Conservative.

If one of a and b is tainted, the output is tainted.

**AND** 

Shadow AND for labels



• Conventional OR-ing of labels *monotonic* 



• Conventional OR-ing of labels *monotonic* 



Conventional OR-ing of labels monotonic



• Conventional OR-ing of labels *monotonic* 



Conventional OR-ing of labels monotonic



Conventional OR-ing of labels monotonic



untainted tainted

| а | b | 0 |
|---|---|---|
| 0 | 0 | 0 |
|   |   |   |
|   |   |   |
|   |   |   |
|   |   |   |
|   |   |   |



untainted tainted

| а | b | O |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 0 |
|   |   |   |
|   |   |   |
|   |   |   |
|   |   |   |



untainted tainted

| а | b | O |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 0 |
|   |   |   |
|   |   |   |
|   |   |   |
|   |   |   |

When a=0, b can not affect the value of the output.

→ no-interference



untainted tainted

| а | b | О |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 0 |
| 1 | 0 | 0 |
| 1 | 1 | 1 |
| 0 | 0 | 0 |
| 0 | 1 | 0 |

When a=0, b can not affect the value of the output.

→ no-interference



untainted tainted

| а | b | О |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 0 |
| 1 | 0 | 0 |
| 1 | 1 | 1 |
| 0 | 0 | 0 |
| 0 | 1 | 0 |

When a=0, b can not affect the value of the output.

→ no-interference

Use both inputs and input labels







# **Sound Composition of Shadow Logic**



# **Sound Composition of Shadow Logic**



# **MUX:** Gatekeeper of trust



# **MUX:** Gatekeeper of trust



# **MUX:** Gatekeeper of trust







```
if (secret==1)
out = 1
tmp = 5
```



```
if (secret==1)
  out = 1
tmp = 5
```























#### **Convert Implicit Flow to Explicit Flow**



#### **Convert Implicit Flow to Explicit Flow**



#### **Convert Implicit Flow to Explicit Flow**



## Similar Mechanisms for Loop/Load/Store

- Variable length loops → fixed size loops (bounding)
- Indirect loads/stores → Direct loads/stores

## Similar Mechanisms for Loop/Load/Store

- Variable length loops → fixed size loops (bounding)
- Indirect loads/stores → Direct loads/stores
  - Harder to program and inefficient
  - + Verifiable system

## Similar Mechanisms for Loop/Load/Store

- Variable length loops → fixed size loops (bounding)
- Indirect loads/stores → Direct loads/stores
  - Harder to program and inefficient
  - + Verifiable system
- Recommend to read their follow-on work:
  - Execution Leases: A Hardware-Supported Mechanism for Enforcing Strong Non-Interference; Tiwari et al.; MICRO'09

#### **Evaluation**

- + Security
- Area overhead/Power consumption
- Performance overhead
- Programmability

#### **Evaluation**

- + Security
- Area overhead/Power consumption
- Performance overhead
- Programmability

#### Appropriate use cases:

• When critical or sensitive operations need to be performed, a *co-processor* augmented with these abilities could be an attractive option.

# **Discussion Questions**

#### **Discussion Questions on Taint Tracking**

• Who designates an input as untrusted/trusted? Where in the architecture/implementation does an input first get marked as untrustworthy?

#### **Discussion Questions on Taint Tracking**

• Who designates an input as untrusted/trusted? Where in the architecture/implementation does an input first get marked as untrustworthy?

 Can/should there be a method of promoting data from untrusted to trusted? (from High to Low)

#### Discussion Questions on Taint Tracking

• Who designates an input as untrusted/trusted? Where in the architecture/implementation does an input first get marked as untrustworthy?

 Can/should there be a method of promoting data from untrusted to trusted? (from High to Low)

• How does the GLIFT method handle optimizations such as out-of-order execution, speculation etc? Will the proposed architecture be able to detect covert and side channel attacks such as Meltdown and Spectre?

Example Satellite Application. [Tzvetan Metodi, Aerospace Corp.]



Example Satellite Application. [Tzvetan Metodi, Aerospace Corp.]



Note: Since this is not a real schedule, the processes are not in any sensible execution order

Example Satellite Application. [Tzvetan Metodi, Aerospace Corp.]



Note: Since this is not a real schedule, the processes are not in any sensible execution order

Example Satellite Application. [Tzvetan Metodi, Aerospace Corp.]



Note: Since this is not a real schedule, the processes are not in any sensible execution order

Non-sensitiveSensitive

**Untrusted & Secret** 



**Untrusted & Secret** 



**Untrusted & Secret** 



**Untrusted & Secret** 



#### **Untrusted & Secret**

Libraries (e.g. encryption) that operate on Secret data



• One specific use case: What if we needed to load in a new firmware blob to compute a new function. Could we send it in encrypted and have a way of validating and then trusting it?

- One specific use case: What if we needed to load in a new firmware blob to compute a new function. Could we send it in encrypted and have a way of validating and then trusting it?
- In the end, it seems the ISA is the secure step, and the trust bits are just useful in validating the design. (Does the restricted ISA make program secure against side channels?)

- One specific use case: What if we needed to load in a new firmware blob to compute a new function. Could we send it in encrypted and have a way of validating and then trusting it?
- In the end, it seems the ISA is the secure step, and the trust bits are just useful in validating the design. (Does the restricted ISA make program secure against side channels?)
- This kind of processor would be a pain to program. If most applications on it are small, important kernels, such as AES, would it not be better to produce a specially tuned ASIC/IP core?

- One specific use case: What if we needed to load in a new firmware blob to compute a new function. Could we send it in encrypted and have a way of validating and then trusting it?
- In the end, it seems the ISA is the secure step, and the trust bits are just useful in validating the design. (Does the restricted ISA make program secure against side channels?)
- This kind of processor would be a pain to program. If most applications on it are small, important kernels, such as AES, would it not be better to produce a specially tuned ASIC/IP core?
- Are there any programs or algorithms that are rendered impossible (or extremely difficult) to write as a result of the limitations that they've placed on loops?

#### **Discussion Questions on Future Work**

 Rather than implementing a CPU with this restricted ISA, since this is used only for edge case computation, could an FPGA-based enclave in a traditional CPU be used with this ISA instead as a cost-effective implementation?

#### **Discussion Questions on Future Work**

- Rather than implementing a CPU with this restricted ISA, since this is used only for edge case computation, could an FPGA-based enclave in a traditional CPU be used with this ISA instead as a cost-effective implementation?
- Rather than apply the concept of gate level flow tracking to the ISA, I envision further work that could apply the same concepts to FPGA tooling.

#### **Discussion Questions on Future Work**

- Rather than implementing a CPU with this restricted ISA, since this is used only for edge case computation, could an FPGA-based enclave in a traditional CPU be used with this ISA instead as a cost-effective implementation?
- Rather than apply the concept of gate level flow tracking to the ISA, I envision further work that could apply the same concepts to FPGA tooling.

Great idea.

Read "HyperFlow: A Processor Architecture for Nonmalleable, Timing-Safe Information Flow Security"; Ferraiuolo et al. CCS'18

 How does the GLIFT detect a side channel/covert channel? What is the "sink" of taint tracking in such cases?

 How does the GLIFT detect a side channel/covert channel? What is the "sink" of taint tracking in such cases?



- How does the GLIFT detect a side channel/covert channel? What is the "sink" of taint tracking in such cases?
- If we do not plan to use GLIFT to track side channel leakage, do we need to ISA restriction on indirect loads? (not indirect stores)



- How does the GLIFT detect a side channel/covert channel? What is the "sink" of taint tracking in such cases?
- If we do not plan to use GLIFT to track side channel leakage, do we need to ISA restriction on indirect loads? (not indirect stores)
- How GLIFT different from static taint analysis and traditional dynamic taint analysis?

