CN113138721B - Bypass attack vulnerability formal verification method and device - Google Patents


Info

Publication number
CN113138721B
Authority
CN
China
Prior art keywords
cache
model
state machine
access operation
state
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110481070.3A
Other languages
Chinese (zh)
Other versions
CN113138721A (en
Inventor
王海霞
吕勇强
忽朝俭
汪东升
徐子涵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Huawei Technologies Co Ltd
Original Assignee
Tsinghua University
Huawei Technologies Co Ltd
Application filed by Tsinghua University, Huawei Technologies Co Ltd
Priority to CN202110481070.3A
Publication of CN113138721A
Application granted
Publication of CN113138721B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0655 Vertical data movement, i.e. input-output transfer; data movement between one or more hosts and one or more storage devices
    • G06F3/0656 Data buffering arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention provides a bypass attack vulnerability formal verification method and device. The method comprises the following steps: describing cache bypass (side-channel) attacks as combinations of memory access operations to establish a memory access operation model; establishing a cache model as a cache state machine; and performing formal verification on the cache state machine according to the security specification, the time result and the first path specification to determine whether the cache state machine has a cache bypass attack vulnerability. The device is used for executing the method. The method and device model the memory access operations and the cache design of the processor. The modeling approach is extensible and suits various hardware or software cache designs, so that whether a cache design has a bypass attack vulnerability can be comprehensively analyzed and automatically verified, efficiently, merely by writing the model of the cache design under test, and the approach is applicable to different processors and instruction set platforms.

Description

Bypass attack vulnerability formal verification method and device
Technical Field
The invention relates to the technical field of computer system security, and in particular to a method and a device for formal verification of bypass attack vulnerabilities.
Background
Processor caches, which are located between the computer processor and main memory, are essential components of modern processors that temporarily store data from main memory to speed up memory access. However, the presence of processor caches may also introduce a potential security risk. For a processor with a cache, the execution time of a memory access instruction may differ according to the cache state. An attacker can launch a cache bypass attack (cache side-channel attack) by exploiting this difference in execution time. For example, for an access-type memory access instruction, if the corresponding memory address is stored in the cache, main memory does not need to be accessed and the instruction executes quickly. Otherwise, a memory access request must be issued to main memory and the instruction executes more slowly. By exploiting the time difference of memory access operations, an attacker can identify the internal state of the cache and steal the secret information of the attacked process.
Recently, researchers have discovered a series of new vulnerabilities that exploit processor cache bypass attacks, such as Spectre and Meltdown, which pose a serious threat to processor security. For this reason, protection against cache bypass attacks has become an important factor in processor design. To protect against cache bypass attacks, various cache protection designs have been proposed, each targeting specific types of cache bypass attack vulnerabilities. However, these cache protection designs can only protect against certain types of cache bypass attacks, and it cannot be proven whether they protect against all types of cache bypass attacks.
Currently, there is no way in academia and industry to formally verify a particular processor cache design, determine if it can protect against any processor cache bypass attacks, and find out all possible cache bypass attacks. Therefore, it is necessary to design a verification method that can fully analyze the processor cache bypass attack.
Disclosure of Invention
The bypass attack vulnerability formal verification method provided by the invention is used for overcoming the problems in the prior art and can carry out comprehensive analysis and formal verification on the processor cache bypass attack.
The invention provides a bypass attack vulnerability formal verification method, which comprises the following steps:
describing the cache bypass attack as the combination of the access operation to establish an access operation model;
establishing a cache model as a cache state machine;
performing formal verification on the cache state machine according to a security specification, a time result and a first path specification to determine whether the cache state machine has a cache bypass attack vulnerability;
the cache state machine is used for receiving a cache behavior instruction, outputting the time result and describing the cache bypass attack as the first path specification;
the cache behavior instruction is determined according to the cache behavior of the cache model facing the access operation;
the first path specification is a memory access operation sequence which can reach a target state node, and the memory access operation has a judgeable time difference under the target state node;
the security specification is that there is no memory access operation sequence that can reach a target state node under which the memory access operation has a judgeable time difference;
the judgeable time difference is that for different relative relationships, the time result is determined and the time result is different.
According to the bypass attack vulnerability formal verification method provided by the invention,
describing the cache bypass attack as a combination of memory access operations to establish the memory access operation model comprises the following steps:
describing the cache bypass attack as a combination of memory access operations each comprising an operator, an operation type and an operation address, to establish the memory access operation model;
wherein the operator comprises an attacker process and a victim process;
the operation types comprise various operations performed by the processor and instruction behavior types for accessing the cache;
the operation address is a set of addresses operated by the attacker process and the victim process.
According to the method for verifying the bypass attack vulnerability formally, the cache model is modeled into the cache state machine, and the method comprises the following steps:
modeling the cache model as the cache state machine comprising a cache behavior model, a parallel cache model and a submodel:
establishing the cache behavior model according to the cache behavior presented by the cache model facing the access operation;
establishing the parallel cache model according to different cache states and time results in the initial state of the cache line;
establishing the sub-model according to the different relative relations and the cache lines to which the relative relations belong;
wherein the relative relationship is the minimal indistinguishable classification of addresses whose architectural position relative to the probe address differs and which can lead to different time consumption for memory access operations.
According to the bypass attack vulnerability formal verification method provided by the invention, the relative relationship comprises:
a first relative relationship, being the same address as the probe address;
a second relative relationship, being a different address in the same cache line as the probe address;
a third relative relationship, being a different address in a different cache line from the probe address.
According to the formal verification method for the bypass attack vulnerability provided by the invention, the formal verification is carried out on the cache state machine according to the security specification, the time result and the first path specification so as to determine whether the cache state machine has the cache bypass attack vulnerability, and the method comprises the following steps:
and performing formal verification on the cache state machine according to the security specification, the time result and the first path specification, and determining that a cache bypass attack vulnerability exists in the cache state machine when determining that a memory access operation sequence capable of reaching a target state node exists and the memory access operation has a judgeable time difference under the target state node.
According to the formal verification method for the bypass attack vulnerability provided by the invention, after the cache state machine is determined to have the cache bypass attack vulnerability, the method further comprises the following steps:
acquiring a shortest path graph of paths on the cache state machine, and determining a non-redundant counterexample path based on the shortest path graph;
wherein the non-redundant counterexample path is the shortest path to a new counterexample state, and the new counterexample state cannot be reached with fewer cache state transitions.
According to the bypass attack vulnerability formal verification method provided by the invention, the step of obtaining the shortest path graph of the path on the cache state machine and determining the non-redundant counterexample path based on the shortest path graph comprises the following steps:
starting from the initial state set, continuously expanding the current reachable state node set by using the reachable state nodes of the next step until no new reachable state nodes exist, so as to determine a forward shortest path tree starting from the initial state set;
starting from an initial state set, continuously expanding a first state set by using state nodes which can reach the first state set in the previous step until no new state node can reach the first state set, and determining a reverse shortest path tree which can reach the first state set;
determining a node of a second preset layer of the shortest path graph according to an intersection of a second preset layer of the forward shortest path tree and a third preset layer of the reverse shortest path tree;
performing path search on the shortest path graph according to a breadth-first search algorithm to obtain the non-redundant counterexample path;
the first state set is a set of state nodes with the cache bypass attack vulnerability;
the third preset layer = the first preset layer - the second preset layer.
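The layer-intersection procedure above, sketched in Python as an added example (not code from the patent). It assumes that the "first preset layer" is the length L of the shortest path from the initial state set to the first state set, so that layer k of the shortest path graph is forward layer k intersected with reverse layer L - k; the transition graph and state names are constructed for illustration.

```python
from collections import deque


def bfs_dist(edges, sources):
    """Layered BFS: number of transitions from the nearest source to each node."""
    dist = {s: 0 for s in sources}
    queue = deque(sorted(sources))
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def reverse(edges):
    """Reverse every transition so that BFS walks towards predecessors."""
    rev = {}
    for node, succs in edges.items():
        for nxt in succs:
            rev.setdefault(nxt, []).append(node)
    return rev


def shortest_path_graph(edges, init, bad):
    """Layers of the shortest path graph between `init` and the state set `bad`.

    Layer k keeps the nodes at forward distance k whose reverse distance to
    `bad` is exactly L - k, i.e. only nodes lying on some shortest path.
    """
    fwd = bfs_dist(edges, init)            # forward shortest path tree
    bwd = bfs_dist(reverse(edges), bad)    # reverse shortest path tree
    reachable_bad = [fwd[t] for t in bad if t in fwd]
    if not reachable_bad:
        return []                          # no counterexample state is reachable
    total = min(reachable_bad)             # assumed meaning of "first preset layer"
    return [sorted(n for n in fwd if fwd[n] == k and bwd.get(n) == total - k)
            for k in range(total + 1)]


def counterexample_paths(edges, init, bad):
    """Breadth-first path search restricted to the shortest path graph."""
    layers = shortest_path_graph(edges, init, bad)
    if not layers:
        return []
    frontier = [[n] for n in layers[0]]
    for layer in layers[1:]:
        allowed = set(layer)
        frontier = [path + [nxt] for path in frontier
                    for nxt in edges.get(path[-1], ()) if nxt in allowed]
    return frontier


# Constructed state graph: bad1 and bad2 stand for vulnerable state nodes.
EDGES = {
    "s0": ["s1", "s2"],
    "s1": ["s3", "bad1"],
    "s2": ["bad1", "s4"],
    "s3": ["bad2"],
    "s4": [],
    "bad1": ["bad2", "s0"],
    "bad2": [],
}

if __name__ == "__main__":
    for path in counterexample_paths(EDGES, {"s0"}, {"bad1", "bad2"}):
        print(" -> ".join(path))
```

States s3 and s4 sit in forward layer 2 but are dropped by the intersection, because neither lies on a path of length 2 to a vulnerable state.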
The present invention also provides a bypass attack vulnerability formal verification apparatus, comprising: the device comprises an operation model establishing module, a cache state machine establishing module and a formal verification module;
the operation model establishing module is used for describing the cache bypass attack as the combination of the access operation so as to establish an access operation model;
the cache state machine establishing module is used for establishing a cache model as a cache state machine;
the formal verification module is used for performing formal verification on the cache state machine according to a security specification, a time result and a first path specification so as to determine whether a cache bypass attack vulnerability exists in the cache state machine;
the cache state machine is used for receiving a cache behavior instruction, outputting the time result and describing the cache bypass attack as the first path specification;
the cache behavior instruction is determined according to the cache behavior of the cache model facing the memory access operation;
the first path specification is a memory access operation sequence which can reach a target state node, and the memory access operation has a judgeable time difference under the target state node;
the security specification is that there is no memory access operation sequence that can reach a target state node under which the memory access operation has a judgeable time difference;
the judgeable time difference is that for different relative relationships, the time result is determined and the time result is different.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the steps of the bypass attack vulnerability formal verification method.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the bypass attack vulnerability formal verification method as described in any of the above.
The bypass attack vulnerability formal verification method and device provided by the invention address the problem that the cache models proposed in the prior art can defend only against specific types of cache bypass attack vulnerabilities. Modeling is based on the memory access operations of the processor; the modeling approach is extensible and suits various hardware or software cache models. Various cache models can be comprehensively analyzed and automatically verified, efficiently, merely by writing a simple rule description, and the method and device are applicable to different processors and instruction set platforms.
Drawings
In order to more clearly illustrate the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow chart of the bypass attack vulnerability formal verification method provided by the present invention;
FIG. 2 is a block diagram of the overall architecture of the cache behavior model provided by the present invention;
FIG. 3 is a schematic diagram of the modeling of a cache model without extra protection provided by the present invention;
FIG. 4 is a schematic structural diagram of the bypass attack vulnerability formal verification apparatus provided by the present invention;
FIG. 5 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
FIG. 1 is a schematic flow chart of the bypass attack vulnerability formal verification method provided by the present invention. As shown in FIG. 1, the method includes:
S1, describing cache bypass attacks as a combination of memory access operations to establish a memory access operation model;
S2, establishing a cache model as a cache state machine;
S3, performing formal verification on the cache state machine according to the security specification, the time result and the first path specification to determine whether a cache bypass attack vulnerability exists in the cache state machine;
the cache state machine is used for receiving a cache behavior instruction, outputting a time result and describing a cache bypass attack as a first path specification;
the cache behavior instruction is determined according to the cache behavior presented by the cache model facing the access operation;
the first path specification is a memory access operation sequence which can reach a target state node, and the memory access operation has a judgeable time difference under the target state node;
the security specification is that there is no memory access operation sequence that can reach the target state node under which the memory access operation has a judgeable time difference;
the judgeable time difference is that, for different relative relationships, the time result is determined and the time results differ.
It should be noted that the execution subject of the method may be a computer device.
Optionally, the cache bypass attack is described as a combination of a series of access operations, an access operation model is established, the cache model is modeled as a cache state machine which receives a cache behavior instruction and outputs a time result, the cache bypass attack is described as a first path specification on the cache state machine, and the cache state machine is formally verified according to the security specification, the time result and the first path specification to judge whether a cache bypass attack vulnerability exists.
As described above, in a cache bypass attack on a certain probe address a, the attacker performs a series of memory access operations and observes the time differences of the cache behavior instructions to determine the association between the probe address a and the unknown address u held by the victim process, thereby stealing information related to the unknown address u accessed by the victim process.
The unknown address u is an address unknown to the attacker process and is located in a sensitive address set X.
The probe address a is a specific address known to the attacker process and is located in the sensitive address set X. In a cache bypass attack, the attacker aims to determine the relationship between address a and address u; the attacker process can enumerate values of a over multiple attacks, thereby obtaining the actual value of u.
As above, the time difference is the difference between the time consumption of different operations that may be generated by the same memory access instruction due to different internal states of the cache. For example, for a processor with a one-level cache model, depending on whether a cache hit occurs, both the faster and slower times are generated, resulting in a time difference between the fast and slow times.
As above, the first path specification describing the cache bypass attack is: there is a sequence of memory access operations that can reach a certain state node (target state node), and the memory access operations have judgeable time differences.
As above, formal verification of the cache state machine is a class of algorithms that verify whether a particular model satisfies a given path specification: by checking whether a path meeting a certain condition can appear on a given cache model, it either proves that no such path can be generated under the given state transitions, or finds a counterexample path.
As above, the path specification of the cache model is: there is no access operation sequence which can reach a certain state node, and the access operation has a judgeable time difference in the state.
The security specification required of a secure cache is then established. The security specification is that there is no memory access operation sequence that can reach a specific state node under which the memory access operation has a judgeable time difference. A judgeable time difference is defined as follows: for different values of the relative relationship, the time result is determined, and the time results differ.
It should be noted that the bypass attack vulnerability formal verification method provided by the present invention can be used with a model checking tool: the cache model and the security specification are written as model code, and the tool performs formal verification on the cache state machine. The secure cache model and the security specification are described using a Kripke structure and CTL (computation tree logic), respectively, but other model and specification description methods may also be used.
The model checking tool may be any model checking tool that supports CTL verification, for example the NuSMV model checking tool.
The bypass attack vulnerability formal verification method provided by the invention addresses the problem that the cache models proposed in the prior art can defend only against specific types of cache bypass attack vulnerabilities. Modeling is based on the memory access operations of the processor; the modeling approach is extensible and suits various hardware or software cache models. Various cache models can be comprehensively analyzed and automatically verified, efficiently, merely by writing a simple rule description, and the method is applicable to different processors and instruction set platforms.
Further, in an embodiment, the step S1 may specifically include:
S11, describing the cache bypass attack as a combination of memory access operations each including an operator, an operation type and an operation address, so as to establish a memory access operation model;
wherein the operator comprises an attacker process and a victim process;
the operation types comprise various operations performed by the processor and instruction behavior types for accessing the cache;
the operation addresses are the set of addresses operated on by the attacker process and the victim process.
Optionally, a memory access operation is a triple (operator, operation type, operation address), which indicates that a process performs a series of memory access operations on an address. The cache bypass attack is described as a combination of such memory access operations, each comprising the operator, the operation type and the operation address, so as to establish the memory access operation model.
As above, wherein the operator is an attacker process or a victim process.
As above, the operation types include the various operations that the processor may perform and the behavior types of instructions that access the cache. For example, in most processor designs, the operation types typically include load/store-class memory access instructions and clflush-class cache flush instructions.
As above, the operation addresses are the set of addresses that the attacker and victim processes can operate on. The time consumed by an operation on an address depends only on that address's relative relationship to the unknown address u, not on the specific address itself.
According to the bypass attack vulnerability formal verification method provided by the invention, the cache bypass attack is described as a combination of memory access operations and the memory access operation model is established, which lays the foundation for subsequently obtaining cache behavior instructions based on the memory access operations, establishing the cache state machine, and formally verifying cache bypass attacks.
Further, in an embodiment, the step S2 may specifically include:
S21, modeling the cache model as a cache state machine comprising a cache behavior model, a parallel cache model and a sub-model:
S22, establishing the cache behavior model according to the cache behavior shown by the cache model in response to memory access operations;
S23, establishing the parallel cache model according to different cache states and time results in the initial state of the cache line;
S24, establishing the sub-model according to different relative relationships and the cache lines to which the relative relationships belong;
the relative relationship is the minimal indistinguishable classification of addresses whose architectural position relative to the probe address differs and which can lead to different time consumption for memory access operations.
Further, in an embodiment, the relative relationship may specifically include:
a first relative relationship, being the same address as the probe address;
a second relative relationship, being a different address in the same cache line as the probe address;
a third relative relationship, being a different address in a different cache line from the probe address.
Optionally, the relative relationship is the minimal indistinguishable classification of addresses whose architectural position relative to the probe address a differs and which may lead to different time consumption for memory access operations. In a partitioned cache design consisting of multiple cache lines, the first relative relationship a, which is the same address as the probe address a, and the second relative relationship a', which is a different address in the same cache line as the probe address a, are both in the sensitive address set X. The relative relationship d represents a different address in the same cache line as the probe address a that is not in the sensitive address set X. The third relative relationship NIB is a different address in a different cache line from the probe address a.
The cache state machine comprises a three-layer structure of a cache behavior model, a parallel cache model and a sub-model. The establishment of the cache state machine comprises the following substeps:
Step 211: Establishment of the cache behavior model
The cache behavior model represents the behavior of a given cache model in response to memory access operations. Because the initial state u of the cache line may take different values (u = a, u = a', u = NIB), the cache behavior model consists of three parallel cache behavior models. The cache behavior model performs the time analysis: it summarizes the time results output by the sub-models and determines whether a cache bypass attack exists, as shown in FIG. 2.
Step 212: Establishment of the parallel cache behavior model
The parallel cache behavior model represents the different cache states and time results under different initial states of the system, each initial state corresponding to the initial state (S_0 ~ S_n) of one sub-model. Based on the fast and slow time results obtained by the sub-models, if the time results for the different initial states are consistent, a determined fast or determined slow time result is obtained. Otherwise, an uncertain time result is obtained.
Step 213: creation of sub-models
The submodels represent possible internal states of the cache. Because the operation delay is only related to the relative relationship of each memory address, the invention only needs to establish the internal state of the cache corresponding to different relative relationships. Specifically, for a cache design without extra protection, the present application needs to model two cache lines for each sub-model, which respectively represent the cache line to which a belongs and the cache line to which NIB belongs, as shown in fig. 3 (where inv represents an invalid state), which represents a sub-model state machine established for the cache model without extra protection.
As above, wherein the cache behavior model is a finite state machine describing the operation latency information of the cache under a specific memory access operation sequence. Because u may have different values, the cache state machine is composed of a plurality of parallel cache behavior models, and each parallel cache behavior model represents one value of the unknown address u.
As above, the unknown address u may take three relative values, i.e., a, a' and NIB.
As above, the parallel cache behavior model describes the cache behavior when u takes a certain value. Because the initial state of the cache is unknown to the attacker, the parallel cache behavior model consists of a plurality of sub-models, and each sub-model outputs whether the operation time after the memory access operation sequence is fast or slow when the initial state of the cache is a certain specific state.
As above, where the time result is fast or slow for the submodel. For the parallel cache behavior model, the time result is the summary of the operation time of each sub-model, and the determination is fast, slow or uncertain.
According to the bypass attack vulnerability formal verification method provided by the invention, the cache state machine is established to receive cache behavior instructions and output time results, and the cache bypass attack is described as the first path specification, so that various cache models can be verified automatically and efficiently.
Further, in an embodiment, the step S3 may specifically include:
S31, performing formal verification on the cache state machine according to the security specification, the time result and the first path specification, and determining that a cache bypass attack vulnerability exists in the cache state machine when it is determined that a memory access operation sequence that can reach a target state node exists and that the memory access operation has a judgeable time difference at the target state node.
If the verification succeeds, the cache model is reported as safe; if the verification fails, the cache model has a vulnerability.
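A toy version of the S31 check, added here as an illustration and not the patent's own model or tooling: one parallel model per value of u, one sub-model per initial cache state, and a bounded search for a sequence whose final timed access has a judgeable time difference. The operation alphabet, the one-valid-bit-per-line state and the `partitioned` variant are assumptions made for the example.

```python
from itertools import product

FAST, SLOW, UNCERTAIN = "fast", "slow", "uncertain"
U_VALUES = ("a", "a'", "NIB")            # the three relative values of the unknown address u
LINE_OF = {"a": 0, "a'": 0, "NIB": 1}    # a and a' share a cache line; NIB lies in another

# Assumed operation alphabet (operator, type, address); not taken from the patent.
OPS = (("attacker", "access", "a"),
       ("attacker", "flush", "a"),
       ("victim", "access", "u"))


def step(state, op, u, partitioned):
    """Apply one operation to a sub-model state (one valid bit per modelled line)."""
    operator, kind, addr = op
    if partitioned and operator == "victim":
        return state, None               # assumed variant: victim lines are never shared
    line = LINE_OF[u if addr == "u" else addr]
    lines = list(state)
    if kind == "flush":
        lines[line] = False
        return tuple(lines), None        # flush latency is treated as constant
    time = FAST if lines[line] else SLOW  # hit on a valid line, miss on an invalid one
    lines[line] = True
    return tuple(lines), time


def submodel_time(initial, seq, u, partitioned=False):
    """Time result of the last operation for one concrete initial cache state."""
    state, time = initial, None
    for op in seq:
        state, time = step(state, op, u, partitioned)
    return time


def parallel_time(seq, u, partitioned=False):
    """Summarize all sub-models (all initial states) for one value of u."""
    times = {submodel_time(init, seq, u, partitioned)
             for init in product((False, True), repeat=2)}
    return times.pop() if len(times) == 1 else UNCERTAIN


def judgeable_difference(seq, partitioned=False):
    """True when every value of u gives a determinate time and the times differ."""
    results = [parallel_time(seq, u, partitioned) for u in U_VALUES]
    return all(r in (FAST, SLOW) for r in results) and len(set(results)) > 1


def verify(max_len, partitioned=False):
    """Return every sequence of length <= max_len that violates the security specification."""
    timed = OPS[0]                       # the timed operation is the attacker's own final access
    violations = []
    for n in range(max_len):
        for prefix in product(OPS, repeat=n):
            seq = prefix + (timed,)
            if judgeable_difference(seq, partitioned):
                violations.append(seq)
    return violations


if __name__ == "__main__":
    for name, part in (("unprotected", False), ("partitioned", True)):
        found = verify(3, part)
        print(name, "safe" if not found else f"vulnerable: {found}")
```

An empty result from `verify` corresponds to "verification succeeds" within the search bound; a non-empty result lists the sequences that reach a target state node.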
In practical applications, the present invention provides verification experiments performed on a Cache design without extra protection, an SP × Cache model and a Random Fill Cache model, specifically, as shown in table 1:
TABLE 1 (provided only as an image in the original publication)
Table 1 shows the results of verifying the three cache models with the bypass attack vulnerability formal verification method provided by the present invention: the cache state machine is formally verified according to the security specification, the time result and the first path specification, and a cache bypass attack vulnerability is determined to exist in the cache state machine when a memory access operation sequence that can reach a target state node exists and the memory access operation has a judgeable time difference at the target state node. Across the three models, 1120, 3978 and 144 new vulnerabilities not mentioned in previous work were found. In addition to the vulnerability types already discovered, the newly discovered vulnerabilities can be classified into 3 new vulnerability classes not described in previous work.
The bypass attack vulnerability formal verification method provided by the invention is applied to three practically significant cache-design attack scenarios, analyzes and formally verifies the protection properties of the corresponding cache models, and achieves systematic analysis of cache vulnerabilities.
Further, in an embodiment, after step S3, the method may further include:
S4, acquiring a shortest path graph of paths on the cache state machine, and determining a non-redundant counterexample path based on the shortest path graph;
the non-redundant counterexample path is the shortest path to a new counterexample state, and the new counterexample state cannot be reached with fewer cache state transitions.
Optionally, when a cache bypass attack vulnerability exists, the present invention performs counterexample enumeration to find all non-redundant counterexample paths; specifically, a shortest path graph of the paths on the cache state machine is established so that the counterexamples can be enumerated efficiently.
A counterexample path is a path that does not satisfy the target specification of the model check and is used for diagnosing problems in the design corresponding to the cache model. In a processor cache bypass attack, one counterexample path corresponds to an attack formed by a series of memory access operations that finally reaches a state node at which the operation time differs when u belongs to different address classifications.
A non-redundant counterexample path is the shortest path that reaches a new counterexample state, that is, a state that cannot be reached with fewer state transitions; for example, a non-redundant counterexample path may correspond to the most simplified attack scheme.
The shortest path graph is the graph formed by the shortest paths leading from the initial state to the set of counterexample states. Every node and edge of the shortest path graph occurs in at least one shortest path from the initial state to the set of counterexample states. Any path on the shortest path graph that leads from the initial state to the set of counterexample states is a shortest path from its start point to its end point, and any such shortest path must also appear on the shortest path graph.
The shortest path graph may be obtained by taking the union of the shortest path tree starting from the initial state and the reverse shortest path tree starting from the target state nodes.
The bypass attack vulnerability formal verification method provided by the invention verifies whether the cache model can defend against every cache bypass attack vulnerability, and analyzes and lists all cache attack vulnerabilities present in the cache model.
Further, in an embodiment, step S4 may specifically include:
S41, starting from the initial state set, continuously expanding the current reachable state node set with the state nodes reachable in the next step until no new reachable state nodes exist, and determining a forward shortest path tree starting from the initial state set;
S42, starting from the first state set, which is reachable from the initial state set through a first preset number of steps, continuously expanding the first state set with the state nodes that can reach it in the previous step until no new state node can reach the first state set, and determining a reverse shortest path tree reaching the first state set;
S43, determining the nodes of a second preset layer of the shortest path graph according to the intersection of the second preset layer of the forward shortest path tree and a third preset layer of the reverse shortest path tree;
S44, performing a path search on the shortest path graph according to a breadth-first search algorithm to obtain the non-redundant counterexample paths;
the first state set is a set of state nodes with cache bypass attack vulnerabilities;
third preset layer = first preset layer - second preset layer.
Specifically, the process of generating all non-redundant counterexample paths after the verification of a processor cache bypass attack is completed is further described below.
Starting from the initial state set, the current reachable state node set is continuously expanded with the nodes reachable in the next step until no new reachable state node exists, which yields the forward shortest path tree starting from the initial state set.
For the first state set $T_k$, which is reachable from the initial state through a first preset number of steps, such as k steps, and which has a vulnerability: starting from $T_k$, the set of states that can reach $T_k$ is continuously extended with the nodes that can reach these states in the previous step, until no new state node can reach $T_k$, which yields the reverse shortest path tree reaching $T_k$.
Taking the intersection of a second preset layer, such as the i-th layer, of the forward shortest path tree and a third preset layer, such as the (k-i)-th layer, of the reverse shortest path tree gives the nodes of the i-th layer of the shortest path graph $G_M$.
A breadth-first search is performed on the shortest path graph $G_M$; each path found is a non-redundant counterexample path, and no other non-redundant counterexample path of length k exists.
Through this process, all non-redundant counterexample paths can be found without repetition or omission, and correspondingly all non-redundant bypass attack vulnerabilities, that is, all possible bypass attacks, are listed.
The above process can be implemented by modifying the NuSMV toolchain source code, using BDD-based Boolean operations in place of set operations.
The bypass attack vulnerability formal verification method extends the counterexample generation capability of the NuSMV model checking tool. The counterexample generation algorithm that NuSMV uses in model checking has the limitation that it can generate only a single counterexample path, so only a single cache bypass attack vulnerability can be found and the protection properties of a cache model cannot be comprehensively analyzed.
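Steps S41 to S44 as an added Python sketch, not the patent's modified NuSMV code: it uses explicit Python sets where the text uses BDD-based Boolean operations, and repeats the construction for every k at which new counterexample states first appear. The transition graph `SUCC`, the state names and the `BAD` set are constructed sample data.

```python
def layers_from(start, edges, limit=None):
    """Breadth-first layers: layer j holds the states first reached after j steps."""
    layers, seen = [set(start)], set(start)
    while limit is None or len(layers) <= limit:
        frontier = {t for s in layers[-1] for t in edges.get(s, ())} - seen
        if not frontier:
            break
        layers.append(frontier)
        seen |= frontier
    return layers


def invert(succ):
    """Predecessor relation, needed for the reverse shortest path tree."""
    pred = {}
    for s, targets in succ.items():
        for t in targets:
            pred.setdefault(t, set()).add(s)
    return pred


def shortest_path_graph(forward, pred, bad, k):
    """S42 + S43: layers of G_M for the counterexample states first reached at step k."""
    t_k = forward[k] & bad                       # first state set T_k (must be non-empty)
    backward = layers_from(t_k, pred, limit=k)   # reverse layers, distance 0..k to T_k
    # Layer i of G_M = layer i of the forward tree intersected with layer k-i of the reverse tree.
    return [forward[i] & backward[k - i] for i in range(k + 1)]


def enumerate_paths(graph_layers, succ):
    """S44: breadth-first walk over G_M; every path found has exactly k transitions."""
    paths = [[s] for s in sorted(graph_layers[0])]
    for layer in graph_layers[1:]:
        paths = [p + [t] for p in paths
                 for t in sorted(succ.get(p[-1], ())) if t in layer]
    return paths


def non_redundant_counterexamples(init, succ, bad):
    """Map each k to the non-redundant counterexample paths of length k."""
    forward = layers_from(init, succ)            # S41: forward shortest path tree
    pred = invert(succ)
    result = {}
    for k, layer in enumerate(forward):
        if layer & bad:                          # new counterexample states appear at step k
            g_m = shortest_path_graph(forward, pred, bad, k)
            result[k] = enumerate_paths(g_m, succ)
    return result


# Constructed sample state machine: s6/s7 is a dead end, bad1 -> s0 closes a cycle.
SUCC = {
    "s0": {"s1", "s2", "s6"},
    "s1": {"s3"},
    "s2": {"s3", "s4"},
    "s3": {"bad1"},
    "s4": {"bad1", "s5"},
    "s5": {"bad2"},
    "s6": {"s7"},
    "bad1": {"s0"},
}
BAD = {"bad1", "bad2"}

if __name__ == "__main__":
    for k, paths in non_redundant_counterexamples({"s0"}, SUCC, BAD).items():
        for p in paths:
            print(k, " -> ".join(p))
```

States that cannot lie on a shortest path to a counterexample state, such as `s6` and `s7`, are pruned by the layer intersection before any path is enumerated.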
The bypass attack vulnerability formal verification apparatus provided by the present invention is described below; the apparatus described below and the bypass attack vulnerability formal verification method described above may be read with reference to each other.
Fig. 4 is a schematic structural diagram of the bypass attack vulnerability formal verification apparatus provided by the present invention. As shown in fig. 4, the apparatus includes: an operation model establishing module 410, a cache state machine establishing module 411 and a formal verification module 412;
an operation model establishing module 410, configured to describe the cache bypass attack as a combination of memory access operations to establish a memory access operation model;
a cache state machine establishing module 411, configured to establish a cache model as a cache state machine;
a formal verification module 412, configured to perform formal verification on the cache state machine according to the security specification, the time result, and the first path specification, so as to determine whether a cache bypass attack vulnerability exists in the cache state machine;
the cache state machine is used for receiving the cache behavior instruction, outputting a time result and describing the cache bypass attack as a first path specification;
the cache behavior instruction is determined according to the cache behavior that the cache model exhibits in response to the memory access operation;
the first path specification is a memory access operation sequence that can reach a target state node, where the memory access operation has a judgeable time difference at the target state node;
the security specification is that no memory access operation sequence exists that can reach a target state node at which the memory access operation has a judgeable time difference;
a judgeable time difference means that, for the different relative relations, each time result is determinate and the time results differ.
The bypass attack vulnerability formal verification apparatus provided by the invention addresses the problem that the cache models proposed in the prior art can defend only against specific types of cache bypass attack vulnerabilities. Modeling is based on the memory access operations of the processor; this modeling approach is extensible and suits a variety of hardware or software cache models, so that various cache models can be comprehensively analyzed and automatically verified efficiently by writing only a simple rule description, and the apparatus is applicable to different processors and instruction set platforms.
Fig. 5 is a schematic physical structure diagram of an electronic device provided by the present invention. As shown in fig. 5, the electronic device may include: a processor 510, a communication interface 511, a memory 512 and a bus 513, wherein the processor 510, the communication interface 511 and the memory 512 communicate with each other through the bus 513. The processor 510 may call logic instructions in the memory 512 to perform the following method:
describing the cache bypass attack as a combination of memory access operations to establish a memory access operation model;
establishing a cache model as a cache state machine;
performing formal verification on the cache state machine according to the security specification, the time result and the first path specification to determine whether a cache bypass attack vulnerability exists in the cache state machine;
the cache state machine is used for receiving the cache behavior instruction, outputting a time result and describing the cache bypass attack as a first path specification;
the cache behavior instruction is determined according to the cache behavior that the cache model exhibits in response to the memory access operation;
the first path specification is a memory access operation sequence that can reach a target state node, where the memory access operation has a judgeable time difference at the target state node;
the security specification is that no memory access operation sequence exists that can reach a target state node at which the memory access operation has a judgeable time difference;
a judgeable time difference means that, for the different relative relations, each time result is determinate and the time results differ.
In addition, the logic instructions in the memory may be implemented in the form of software functional units and, when sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
Further, the present invention discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to execute the bypass attack vulnerability formal verification method provided by the above method embodiments, for example, comprising:
describing the cache bypass attack as a combination of memory access operations to establish a memory access operation model;
establishing a cache model as a cache state machine;
performing formal verification on the cache state machine according to the security specification, the time result and the first path specification to determine whether a cache bypass attack vulnerability exists in the cache state machine;
the cache state machine is used for receiving the cache behavior instruction, outputting a time result and describing the cache bypass attack as a first path specification;
the cache behavior instruction is determined according to the cache behavior that the cache model exhibits in response to the memory access operation;
the first path specification is a memory access operation sequence that can reach a target state node, where the memory access operation has a judgeable time difference at the target state node;
the security specification is that no memory access operation sequence exists that can reach a target state node at which the memory access operation has a judgeable time difference;
a judgeable time difference means that, for the different relative relations, each time result is determinate and the time results differ.
In another aspect, the present invention further provides a non-transitory computer readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the bypass attack vulnerability formal verification method provided by the foregoing embodiments, for example, the method including:
describing the cache bypass attack as a combination of memory access operations to establish a memory access operation model;
establishing a cache model as a cache state machine;
performing formal verification on the cache state machine according to the security specification, the time result and the first path specification to determine whether a cache bypass attack vulnerability exists in the cache state machine;
the cache state machine is used for receiving a cache behavior instruction, outputting a time result and describing a cache bypass attack as a first path specification;
the cache behavior instruction is determined according to the cache behavior that the cache model exhibits in response to the memory access operation;
the first path specification is a memory access operation sequence that can reach a target state node, where the memory access operation has a judgeable time difference at the target state node;
the security specification is that no memory access operation sequence exists that can reach a target state node at which the memory access operation has a judgeable time difference;
a judgeable time difference means that, for the different relative relations, each time result is determinate and the time results differ.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some portions of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (7)

1. A bypass attack vulnerability formal verification method, comprising:
describing a cache bypass attack as a combination of memory access operations to establish a memory access operation model;
establishing a cache model as a cache state machine;
performing formal verification on the cache state machine according to a security specification, a time result and a first path specification to determine whether the cache state machine has a cache bypass attack vulnerability;
the cache state machine is used for receiving a cache behavior instruction, outputting the time result and describing the cache bypass attack as the first path specification;
the cache behavior instruction is determined according to the cache behavior that the cache model exhibits in response to the memory access operation;
the first path specification is a memory access operation sequence that can reach a target state node, where the memory access operation has a judgeable time difference at the target state node;
the security specification is that no memory access operation sequence exists that can reach a target state node at which the memory access operation has a judgeable time difference;
the judgeable time difference means that, for the different relative relations, each time result is determinate and the time results differ;
wherein establishing the cache model as the cache state machine comprises:
establishing the cache model as the cache state machine comprising a cache behavior model, a parallel cache model and a submodel:
establishing the cache behavior model according to the cache behavior that the cache model exhibits in response to the memory access operation;
establishing the parallel cache model according to different cache states and time results in the initial state of the cache line;
establishing the sub-model according to the different relative relations and the cache lines to which the relative relations belong;
the relative relation is the minimal indistinguishable classification of addresses that results from different architectural positions relative to the probe address causing memory access operations to take different times;
the performing formal verification on the cache state machine according to the security specification, the time result and the first path specification to determine whether the cache state machine has a cache bypass attack vulnerability includes:
performing formal verification on the cache state machine according to the security specification, the time result and the first path specification, and determining that a cache bypass attack vulnerability exists in the cache state machine when it is determined that a memory access operation sequence that can reach a target state node exists and that the memory access operation has a judgeable time difference at the target state node.
2. The bypass attack vulnerability formal verification method according to claim 1, wherein describing the cache bypass attack as a combination of memory access operations to establish a memory access operation model comprises:
describing the cache bypass attack as a combination of the memory access operation comprising an operator, an operation type and an operation address to establish a memory access operation model;
wherein the operator comprises an attacker process and a victim process;
the operation types comprise various operations performed by the processor and instruction behavior types for accessing the cache;
the operation address is a set of addresses operated by the attacker process and the victim process.
3. The bypass attack vulnerability formal verification method according to claim 1, wherein the relative relationship comprises:
a first relative relationship, being the same address as the probe address;
a second relative relationship, being a different address in the same cache line as the probe address;
a third relative relationship, being a different address in a different cache line from the probe address.
4. The bypass attack vulnerability formal verification method according to claim 1, further comprising, after the determining that the cache state machine has a cache bypass attack vulnerability:
acquiring a shortest path graph of paths on the cache state machine, and determining a non-redundant counterexample path based on the shortest path graph;
wherein the non-redundant counterexample path is the shortest path to a new counterexample state, and the new counterexample state cannot be reached with fewer cache state transitions;
the obtaining a shortest path graph of paths on the cache state machine and determining a non-redundant counterexample path based on the shortest path graph includes:
starting from the initial state set, continuously expanding the current reachable state node set by using the reachable state nodes of the next step until no new reachable state nodes exist, so as to determine a forward shortest path tree starting from the initial state set;
starting from an initial state set, continuously expanding a first state set by using state nodes which can reach the first state set in the previous step until no new state node can reach the first state set, and determining a reverse shortest path tree which can reach the first state set;
determining a node of a second preset layer of the shortest path graph according to the intersection of the second preset layer of the forward shortest path tree and a third preset layer of the reverse shortest path tree;
performing path search on the shortest path graph according to a breadth-first search algorithm to obtain the non-redundant counterexample path;
the first state set is a set of state nodes with the cache bypass attack vulnerability;
the third preset layer = the first preset layer - the second preset layer.
5. A bypass attack vulnerability formal verification apparatus, comprising: an operation model establishing module, a cache state machine establishing module and a formal verification module;
the operation model establishing module is used for describing the cache bypass attack as a combination of memory access operations so as to establish a memory access operation model;
the cache state machine establishing module is used for establishing a cache model as a cache state machine;
the formal verification module is used for performing formal verification on the cache state machine according to a security specification, a time result and a first path specification so as to determine whether a cache bypass attack vulnerability exists in the cache state machine;
the cache state machine is used for receiving a cache behavior instruction, outputting the time result and describing the cache bypass attack as the first path specification;
the cache behavior instruction is determined according to the cache behavior that the cache model exhibits in response to the memory access operation;
the first path specification is a memory access operation sequence that can reach a target state node, where the memory access operation has a judgeable time difference at the target state node;
the security specification is that no memory access operation sequence exists that can reach a target state node at which the memory access operation has a judgeable time difference;
the judgeable time difference means that, for the different relative relations, each time result is determinate and the time results differ;
wherein establishing the cache model as the cache state machine comprises:
establishing the cache model as the cache state machine comprising a cache behavior model, a parallel cache model and a submodel:
establishing the cache behavior model according to the cache behavior that the cache model exhibits in response to the memory access operation;
establishing the parallel cache model according to different cache states and time results in the initial state of the cache line;
establishing the sub-model according to the different relative relations and the cache lines to which the relative relations belong;
the relative relation is the minimal indistinguishable classification of addresses that results from different architectural positions relative to the probe address causing memory access operations to take different times;
the performing formal verification on the cache state machine according to the security specification, the time result and the first path specification to determine whether the cache state machine has a cache bypass attack vulnerability includes:
performing formal verification on the cache state machine according to the security specification, the time result and the first path specification, and determining that a cache bypass attack vulnerability exists in the cache state machine when it is determined that a memory access operation sequence that can reach a target state node exists and that the memory access operation has a judgeable time difference at the target state node.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the bypass attack vulnerability formal verification method according to any one of claims 1 to 4 when executing the computer program.
7. A non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the bypass attack vulnerability formal verification method according to any one of claims 1 to 4.
CN202110481070.3A 2021-04-30 2021-04-30 Bypass attack vulnerability formal verification method and device Active CN113138721B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110481070.3A CN113138721B (en) 2021-04-30 2021-04-30 Bypass attack vulnerability formal verification method and device

Publications (2)

Publication Number Publication Date
CN113138721A (en) 2021-07-20
CN113138721B (en) 2022-11-29

Family

ID=76816520

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant