Dejun Mu

Theoretical Fundamentals of Gate Level Information Flow Tracking

Information flow tracking is an effective tool in computer security for detecting unintended information flows. However, software based information flow tracking implementations have drawbacks in preciseness and performance. As a result, researchers have begun to explore tracking information flow in hardware, and more specifically, understanding the interference of individual bits of information through logical functions. Such gate level information flow tracking (GLIFT) can track information flow in a system at the granularity of individual bits. However, the theoretical basis for GLIFT, which is essential to its adoption in real applications, has never been thoroughly studied. This paper provides fundamental analysis of GLIFT by introducing definitions, properties, and the imprecision problem with a commonly used shadow logic generation method. This paper also presents a solution to this imprecision problem and provides results that show this impreciseness can be tolerated for the benefit of lower area and delay.

On the Complexity of Generating Gate Level Information Flow Tracking Logic

Hardware-based side channels are known to expose hard-to-detect security holes enabling attackers to get a foothold into the system to perform malicious activities. Despite this fact, security is rarely accounted for in hardware design flows. As a result, security holes are often only identified after significant damage has been inflicted. Recently, gate level information flow tracking (GLIFT) has been proposed to verify information flow security at the level of Boolean gates. GLIFT is able to detect all logical flows including hardware specific timing channels, which is useful for ensuring properties related to confidentiality and integrity and can even provide real-time guarantees on system behavior. GLIFT can be integrated into the standard hardware design, testing and verification process to eliminate unintended information flows in the target design. However, generating GLIFT logic is a difficult problem due to its inherent complexity and the potential losses in precision. This paper provides a formal basis for deriving GLIFT logic which includes a proof on the NP-completeness of generating precise GLIFT logic and a formal analysis of the complexity and precision of various GLIFT logic generation algorithms. Experimental results using IWLS benchmarks provide a practical understanding of the computational complexity.

A bottom-up approach to verifiable embedded system information flow security

With the wide deployment of embedded systems and constant increase in their inter-connections, embedded systems tend to be confronted with attacks through security holes that are hard to predict using typical security measures such as access control or data encryption. To eliminate these security holes, embedded security should be accounted for during the design phase from all abstraction levels with effective measures taken to prevent unintended interference between different system components caused by harmful flows of information. This study proposes a bottom-up approach to designing verifiably information flow secure embedded systems. The proposed method enables tight information flow controls by monitoring all flows of information from the level of Boolean gates. It lays a solid foundation to information flow security in the underlying hardware and exposes the ability to prove security properties to all abstraction levels in the entire system stack. With substantial amounts of modifications made to the instruction set architecture, operating system, programming language and input/output architecture, the target system can be designed to be verifiably information flow secure.

Gate-Level Information Flow Tracking for Security Lattices

High-assurance systems found in safety-critical infrastructures are facing steadily increasing cyber threats. These critical systems require rigorous guarantees in information flow security to prevent confidential information from leaking to an unclassified domain and the root of trust from being violated by an untrusted party. To enforce bit-tight information flow control, gate-level information flow tracking (GLIFT) has recently been proposed to precisely measure and manage all digital information flows in the underlying hardware, including implicit flows through hardware-specific timing channels. However, existing work in this realm either restricts to two-level security labels or essentially targets two-input primitive gates and several simple multilevel security lattices. This article provides a general way to expand the GLIFT method for multilevel security. Specifically, it formalizes tracking logic for an arbitrary Boolean gate under finite security lattices, presents a precise tracking logic generation method for eliminating false positives in GLIFT logic created in a constructive manner, and illustrates application scenarios of GLIFT for enforcing multilevel information flow security. Experimental results show various trade-offs in precision and performance of GLIFT logic created using different methods. It also reveals the area and performance overheads that should be expected when expanding GLIFT for multilevel security.

Imprecise security: quality and complexity tradeoffs for hardware information flow tracking

Secure hardware design is a challenging task that goes far beyond ensuring functional correctness. Important design properties such as non-interference cannot be verified on functional circuit models due to the lack of essential information (e.g., sensitivity level) for reasoning about security. Hardware information flow tracking (IFT) techniques associate data objects in the hardware design with sensitivity labels for modeling security-related behaviors. They allow the designer to test and verify security properties related to confidentiality, integrity, and logical side channels. However, precisely accounting for each bit of information flow at the hardware level can be expensive. In this work, we focus on the precision of the IFT logic. The key idea is to selectively introduce only one sided errors (false positives); these provide a conservative and safe information flow response while reducing the complexity of the security logic. We investigate the effect of logic synthesis on the quality and complexity of hardware IFT and reveal how different logic synthesis optimizations affect the amount of false positives and design overheads of IFT logic. We propose novel techniques to further simplify the IFT logic while adding no, or only a minimum number of, false positives. Additionally, we provide a solution to quantitatively introduce false positives in order to accelerate information flow security verification. Experimental results using IWLS benchmarks show that our method can reduce complexity of GLIFT by 14.47% while adding 0.20% of false positives on average. By quantitatively introducing false positives, we can achieve up to a 55.72% speedup in verification time.

Expanding Gate Level Information Flow Tracking for Multilevel Security

Embedded systems found in critical infrastructures require tight information flow controls to prevent unintended interference between different system components. These critical systems require extensive testing and verification to ensure strict enforcement of information flow policy. To assist in this process, gate level information flow tracking (GLIFT) has been proposed to expose all flows of information through Boolean gates. However, the current work in this realm only considers a two-level security lattice (LOW ⊏ HIGH). In this letter, we expand the GLIFT method to multilevel security lattices and provide an analysis of the overheads using IWLS benchmarks. Results show that expanding GLIFT to multilevel security lattices produces overheads and we discuss potential research on its applications.

Quantifying Timing-Based Information Flow in Cryptographic Hardware

Cryptographic function implementations are known to leak information about private keys through timing information. By using statistical analysis of the variations in runtime required to encrypt different messages, an attacker can relatively easily determine the key with high probability. There are many mitigation techniques to combat these side channels; however, there are limited metrics available to quantify the effectiveness of these mitigation attacks. In this work, we employ information theoretic ideas to quantify the amount of leakage that can be extracted from runtime measurements and reveal the influence of individual key bits on the timing observations across a variety of hardware implementations. By studying different RSA hardware architectures (each with different performance optimizations and mitigation techniques), we determine the effectiveness of these information theoretic techniques against the success of attacks. Our experimental results show that mutual information is a promising metric to quantify timing-based information leakage and it also correlates to the attack-ability of a cryptographic implementation.

Symbolic execution based test-patterns generation algorithm for hardware Trojan detection

Abstract Hardware Trojan detection is a very difficult challenge. However, the combination of symbolic execution and metamorphic testing is useful for detecting hardware Trojans in Verilog code. In this paper, symbolic execution and metamorphic testing were combined to detect internal conditionally triggered hardware Trojans in the register-transfer level design. First, control flow graphs of Verilog code were generated. Next, parallel symbolic execution and satisfiability modulo theories solver generated test patterns. Finally, metamorphic testing detected the hardware Trojans. The work used Trust-Hub benchmarks in experiments.

Gate Level Information Flow analysis for multi-valued logic system

As the scale of integrated circuits continuously increasing, guaranteeing intensity of testing and coverage rate of verification in the design phase absolutely is becoming severe challenges. As a solution, Gate Level Information Flow Tracking (GLIFT) method is able to precisely measure all the logical information flows in the underlying hardware to prevent information leakage resulting from these harmful flows of information. However, preliminary research work for GLIFT mainly focused on the basic theories as well as the generation algorithms, which only can track logic formalization under the Boolean logic system. These approaches ignored that digital circuits are typically described by multi-valued logic during hardware design and verification. To address that issue, we present to expand the GLIFT method for multi-valued logic system. In this paper, the label propagation rule set is respectively derived for four-valued and nine-valued logic systems by extending the label propagation set for Boolean logic. Moreover, in order to support the characteristics of multi-valued logic in label propagation, the formal descriptions of GLIFT logic for primitive gates are improved in computing hardware as well. The experimental results demonstrate that the extended method is consistent with the label propagation rule of the multi-valued logic system.

A Simplifying Logic Approach for Gate Level Information Flow Tracking

With the increase of design scale and complexity, security vulnerabilities residing in hardware designs become hard to detect. Existing functional testing and verification methods cannot guarantee test and verification coverage in design phase. Fortunately, gate level information flow tracking (GLIFT) has been proposed to enforce bit-tight information flow security from the gate level to detect security vulnerabilities and prevent information leakage effectively. However, there is a significant limitation that the inherent high complexity of GLIFT logic causes significant overheads in static verification and physical implementation. In order to address the limitation, we propose a simplified GLIFT method that incorporates more detailed optimization logic routes to reduce its complexity and allow don’t care to simplify original GLIFT logic. Experimental results have demonstrated that the simplified GLIFT method can reduce the design overhand in several gates by sacrificing a fraction of GLIFT precision.