### Identifying Security Critical Properties for the Dynamic Verification of a Processor

Rui Zhang, Natalie Stanley, Christopher Griggs, Andrew Chi, Cynthia Sturton



THE UNIVERSITY of NORTH CAROLINA at CHAPEL HILL

## Processor Bugs can Create Security Vulnerabilities





### Dynamic Verification for Security



### **Research Question**

How to find the security properties we should protect for a processor?

## The State of the Art: Human Expertise and Judgment



**Instruction Set Architecture** 

**Security-Critical Assertions** 

## Vulnerability Example: DoS Attack

Normal

Syscall in Delay Slot



EPCR = PC + 4

EPCR = PC

## Vulnerability Example: DoS Attack

Normal

Syscall in Delay Slot



EPCR = PC + 4

EPCR = PC

## Observation

### **Observation:**

 Security-critical bugs are vulnerabilities precisely because they violate some underlying security property

### Goal:

• Identify security properties for a processor



# Our Approach



Security-Critical Bugs















16



#### Simulation Tools:

Icarus Verilog

. . . . . .

**Execution Traces:** 



#### **Program Counter**

Instruction

EXECUTED( GPR 0: 00000000 GPR 1: 00000001 GPR 2: 00000000 GPR 3: 00002640 GPR 4: 00000040 GPR 5: 00001000 GPR 6: 00000750 GPR 7: 00000008 GPR 8: 00000001 GPR 9: 00002038 GPR10: 00000000 GPR11: 00000000 GPR12: 0000000 GPR13: 00000100 GPR14: 00000010 GPR15: 0000000 GPR16: 0000000 GPR17: 0000000 GPR18: 0000000 GPR19: 0000000 GPR20: 0000000 GPR21: 0000000 GPR22: 0000000 GPR23: 0000000 GPR24: 0000000 GPR25: 0000000 GPR26: 0000000 GPR27: 0000000 GPR28: 0000000 GPR29: 0000000 GPR30: 0000000 GPR31: 0000000 SR : 00008211 EPCR0: 0000000 EEAR0: 0000000 ESR0 : 00008001

#### **ISA-level Variables**



#### Daikon:

- A dynamic invariant detection tool
- An instrumenter: records information about variable values as a program executes
- An inference engine: reads the traces produced by the instrumenter to generate invariants



#### Adaptation:

- New Daikon Instrumenter: adapt Daikon to processor execution traces
- ISA-level variables: registers and signals visible to software



#### Adaptation:

- New Daikon Instrumenter: adapt Daikon to processor execution traces
- ISA-level variables: registers and signals visible to software
- Configurable: patterns unknown to Daikon, such as bit-packing

#### Supervision Register: 32-bit special-purpose supervisor-level register

| 31-28                           | 27-17                   | 16                               | 15                                | 14                         | 13                           | 12                            |
|---------------------------------|-------------------------|----------------------------------|-----------------------------------|----------------------------|------------------------------|-------------------------------|
| Context<br>ID                   | Reserved                | SPRs User<br>Mode Read<br>Access | Fixed One                         | Exception<br>Prefix High   | Delay Slot<br>Exception      | Overflow<br>Flag<br>Exception |
| 11                              | 10                      | 9                                | 8                                 | 7                          | 6                            | 5                             |
| Overflow<br>Flag                | Carry<br>Flag           | Flag                             | CID<br>Enable                     | Little<br>Endian<br>Enable | Instruction<br>MMU<br>Enable | Data MMU<br>Enable            |
| 4                               | 3                       | 2                                | 1                                 | 0                          |                              |                               |
| Instructio<br>n Cache<br>Enable | Data<br>Cache<br>Enable | Interrupt<br>Exception<br>Enable | Tick Timer<br>Exception<br>Enable | Supervisor<br>Mode         |                              |                               |



#### Adaptation:

- New Daikon Instrumenter: adapt Daikon to processor execution traces
- ISA-level variables: registers and signals visible to software ٠
- Configurable: patterns unknown to Daikon, such as bit-packing
- Carefully handle processor optimizations •

#### **Delay Slot**:

100 foo: 104 l.nop 108 l.j r9 200 main: l.j foo 204

208 I.add

I.j NPC = PC + 4

I.j NPC = Target Address





#### **Invariant Format:**

•  $I \doteq risingEdge(INSN) \rightarrow EXPR$ 

#### **Invariant Example:**

•  $I \doteq risingEdge(I.rfe) \rightarrow SR = orig(ESR0)$ 

# Manually Classifying Bugs





Collected Bugs (185) Security-Critical Bugs (25, reproduced 17)

#### Sources:

- Processors' bug tracker or Bugzilla sites
- Developers' mail archives
- Commits to the source repository
- Comments in the source code
- Published list of errata

## Security-Critical Invariant Identification



#### **Key Observation:**

• Security-critical bugs are vulnerabilities precisely because they violate some underlying security property



## Security-Critical Invariant Inference





### The constructed model can:

- Predict whether a given invariant is likely an SCI
- Help hardware designers understand which features are critical to security



#### Sources:

• Generate an invariant that isn't truly an invariant





#### Sources:

• Generate an invariant that isn't truly an invariant

#### Solutions:

• Rely on human experts to manually remove them





#### Sources:

- Generate an invariant that isn't truly an invariant
- Classify a non-SCI as security-critical

#### Solutions:

• Rely on human experts to manually remove them







#### Sources:

- Generate an invariant that isn't truly an invariant
- Classify a non-SCI as security-critical

#### Solutions:

- Rely on human experts to manually remove them
- Draw a fine line between SCI and non-SCI, add more labeled data, refine machine learning model





## **Evaluation Methodology**

### Gather Real-world Security Vulnerabilities:

- Reproduce 17 security-critical bugs from open source processors
- Write attack programs that exploit the vulnerabilities

### **Generate Security-Critical Properties:**

- Run normal programs and attack programs on affected processors
- Record execution traces
- Use SCIFinder to generate SCI

### **Compare with Prior Work:**

- Collect 22 manually written security-critical properties from prior work
- Compare SCI generated by SCIFinder with manually written ones
- Add assertions to detect unknown bugs

### Main Results



Manual Effort: classifying bugs, validating the reported SCI

| No. | Security Property Description                                                     | Found?       |
|-----|-----------------------------------------------------------------------------------|--------------|
| p1  | Execution privilege matches page privilege                                        | √            |
| p2  | SPR equals GPR in register move instruction                                       | b12          |
| рЗ  | Updates to exception registers make sense                                         | b4 b9 b15    |
| p4  | Destination matches the target                                                    | √            |
| p5  | Memory value in equals register value out                                         | b14          |
| p6  | Register value in equals memory value out                                         | b16 b17      |
| p7  | Memory address equals effective address                                           | $\checkmark$ |
| p8  | Privilege escalates correctly                                                     | √            |
| p9  | Privilege deescalates correctly                                                   | √            |
| p10 | Jumps update the PC correctly                                                     | ×            |
| p11 | Jumps update the LR correctly                                                     | b13          |
| p12 | Instruction is in a valid format                                                  | b11          |
| p13 | Continuous Control Flow                                                           | b5           |
| p14 | Exception return updates state correctly                                          | b1 b5        |
| p15 | Register change implies that it is the instruction target                         | √            |
| p16 | SR is not written to a GPR in user mode                                           | X            |
| p17 | Interrupt implies handled                                                         | b8           |
| p18 | Instruction unchanged in pipeline                                                 |              |
| p19 | SPR modified only in supervisor mode                                              | √            |
| p20 | Enter supervisor mode is on reset or exception                                    | √            |
| p21 | Exception handling implies exception mechanism activated                          | b8           |
| p22 | Unspecified custom instructions are not allowed                                   | X            |
| p23 | Exception handler accessed only during exception, in supervisor mode, or on reset | b8           |
| p24 | Page fault generated if MMU detects an access control violation                   |              |
| p25 | UART output changes on a write command from CPU                                   |              |
| p26 | Only transmit command or initialization change Ethernet data output               |              |
| p27 | Debug Unit's value and control registers only accessible from supervisor mode     |              |

### Properties from SPECS

[H.S.K. ASPLOS 2015]

### **Properties from Security-Checker**

[B.H.I. HOST 2011]

| No. | Security Property Description                                                     | Found?       |
|-----|-----------------------------------------------------------------------------------|--------------|
| p1  | Execution privilege matches page privilege                                        | $\checkmark$ |
| p2  | SPR equals GPR in register move instruction                                       | b12          |
| рЗ  | Updates to exception registers make sense                                         | b4 b9 b15    |
| p4  | Destination matches the target                                                    | $\checkmark$ |
| р5  | Memory value in equals register value out                                         | b14          |
| p6  | Register value in equals memory value out                                         | b16 b17      |
| р7  | Memory address equals effective address                                           | $\checkmark$ |
| p8  | Privilege escalates correctly                                                     | √            |
| p9  | Privilege deescalates correctly                                                   | √            |
| p10 | Jumps update the PC correctly                                                     | X            |
| p11 | Jumps update the LR correctly                                                     | b13          |
| p12 | Instruction is in a valid format                                                  | b11          |
| p13 | Continuous Control Flow                                                           | b5           |
| p14 | Exception return updates state correctly                                          | b1 b5        |
| p15 | Register change implies that it is the instruction target                         | $\checkmark$ |
| p16 | SR is not written to a GPR in user mode                                           | X            |
| p17 | Interrupt implies handled                                                         | b8           |
| p18 | Instruction unchanged in pipeline                                                 |              |
| p19 | SPR modified only in supervisor mode                                              | $\checkmark$ |
| p20 | Enter supervisor mode is on reset or exception                                    | $\checkmark$ |
| p21 | Exception handling implies exception mechanism activated                          | b8           |
| p22 | Unspecified custom instructions are not allowed                                   | X            |
| p23 | Exception handler accessed only during exception, in supervisor mode, or on reset | b8           |
| p24 | Page fault generated if MMU detects an access control violation                   |              |
| p25 | UART output changes on a write command from CPU                                   |              |
| p26 | Only transmit command or initialization change Ethernet data output               |              |
| p27 | Debug Unit's value and control registers only accessible from supervisor mode     |              |

### **Properties Outside** of Processor Core

| No. | Security Property Description                                                     | Found?       |                    |
|-----|-----------------------------------------------------------------------------------|--------------|--------------------|
| p1  | Execution privilege matches page privilege                                        | $\checkmark$ |                    |
| p2  | SPR equals GPR in register move instruction                                       | b12          |                    |
| рЗ  | Updates to exception registers make sense                                         | b4 b9 b15    |                    |
| p4  | Destination matches the target                                                    | $\checkmark$ |                    |
| р5  | Memory value in equals register value out                                         | b14          |                    |
| р6  | Register value in equals memory value out                                         | b16 b17      |                    |
| р7  | Memory address equals effective address                                           | $\checkmark$ |                    |
| p8  | Privilege escalates correctly                                                     | $\checkmark$ |                    |
| р9  | Privilege deescalates correctly                                                   | $\checkmark$ |                    |
| p10 | Jumps update the PC correctly                                                     | ×            |                    |
| p11 | Jumps update the LR correctly                                                     | b13          |                    |
| p12 | Instruction is in a valid format                                                  | b11          |                    |
| p13 | Continuous Control Flow                                                           | b5           |                    |
| p14 | Exception return updates state correctly                                          | b1 b5        |                    |
| p15 | Register change implies that it is the instruction target                         | $\checkmark$ |                    |
| p16 | SR is not written to a GPR in user mode                                           | X            |                    |
| p17 | Interrupt implies handled                                                         | b8           |                    |
| p18 | Instruction unchanged in pipeline                                                 |              |                    |
| p19 | SPR modified only in supervisor mode                                              | $\checkmark$ | Droportion Nooding |
| p20 | Enter supervisor mode is on reset or exception                                    | $\checkmark$ | Properties Needing |
| p21 | Exception handling implies exception mechanism activated                          | b8           | Micro-architectura |
| p22 | Unspecified custom instructions are not allowed                                   | X            | Ctatao             |
| p23 | Exception handler accessed only during exception, in supervisor mode, or on reset | b8           | States             |
| p24 | Page fault generated if MMU detects an access control violation                   |              |                    |
| p25 | UART output changes on a write command from CPU                                   |              |                    |
| p26 | Only transmit command or initialization change Ethernet data output               |              |                    |
| p27 | Debug Unit's value and control registers only accessible from supervisor mode     |              |                    |

35

| NO.                                                                                                   | Security Property Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Found?                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|-------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| p1                                                                                                    | Execution privilege matches page privilege                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| p2                                                                                                    | SPR equals GPR in register move instruction                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | b12                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| р3                                                                                                    | Updates to exception registers make sense                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | b4 b9 b15                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| p4                                                                                                    | Destination matches the target                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | $\checkmark$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| р5                                                                                                    | Memory value in equals register value out                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | b14                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| p6                                                                                                    | Register value in equals memory value out                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | b16 b17                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| р7                                                                                                    | Memory address equals effective address                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | $\checkmark$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| p8                                                                                                    | Privilege escalates correctly                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | $\checkmark$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| р9                                                                                                    | Privilege deescalates correctly                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | $\checkmark$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| p10                                                                                                   | Jumps update the PC correctly                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| p11                                                                                                   | Jumps update the LR correctly                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | b13                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| p12                                                                                                   | Instruction is in a valid format                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | b11                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| p13                                                                                                   | Continuous Control Flow                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | b5                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| n14                                                                                                   | Exception return updates state correctly                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | b1 b5                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| P                                                                                                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | a president of the Section of the Se |
| p15                                                                                                   | Register change implies that it is the instruction target                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | $\checkmark$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| p15<br>p16                                                                                            | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | √<br>X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| p15<br>p16<br><b>p17</b>                                                                              | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode.<br>Interrupt implies handled                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | √<br><i>x</i><br>b8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| p15<br>p16<br><b>p17</b><br>p18                                                                       | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode.<br>Interrupt implies handled<br>Instruction unchanged in pipeline                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | √<br>X<br>b8<br>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| p15<br>p16<br><b>p17</b><br>p18<br>p19                                                                | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode.<br>Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode                                                                                                                                                                                                                                                                                                                                                                                                                                              | √<br>X<br>b8<br><br>√                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| p15<br>p16<br><b>p17</b><br>p18<br>p19<br>p20                                                         | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode.<br>Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception                                                                                                                                                                                                                                                                                                                                                                                            | √<br>X<br>b8<br><br>√<br>√                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| p15<br>p16<br><b>p17</b><br>p18<br>p19<br>p20<br><b>p21</b>                                           | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode.<br>Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception<br>Exception handling implies exception mechanism activated                                                                                                                                                                                                                                                                                                                                | √<br>X<br>b8<br><br>√<br>√<br>√<br>b8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| p15<br>p16<br><b>p17</b><br>p18<br>p19<br>p20<br><b>p21</b><br>p22                                    | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode.<br>Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception.<br>Exception handling implies exception mechanism activated<br>Unspecified custom instructions are not allowed                                                                                                                                                                                                                                                                            | √<br>X<br>b8<br><br>√<br>√<br>↓<br>b8<br>X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| p15<br>p16<br><b>p17</b><br>p18<br>p19<br>p20<br><b>p21</b><br>p22<br><b>p23</b>                      | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode<br>Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception.<br>Exception handling implies exception mechanism activated<br>Unspecified custom instructions are not allowed<br>Exception handler accessed only during exception, in supervisor mode, or on                                                                                                                                                                                              | √<br>X<br>b8<br><br>√<br>√<br>b8<br>X<br>b8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| p15<br>p16<br><b>p17</b><br>p18<br>p19<br>p20<br><b>p21</b><br>p22<br><b>p23</b><br>p24               | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode<br>Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception.<br>Exception handling implies exception mechanism activated<br>Unspecified custom instructions are not allowed<br>Exception handler accessed only during exception, in supervisor mode, or on<br>Page fault generated if MMU detects an access control violation                                                                                                                           | √<br>X<br>b8<br><br>√<br>√<br>b8<br>X<br>b8<br>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| p15<br>p16<br><b>p17</b><br>p18<br>p19<br>p20<br><b>p21</b><br>p22<br><b>p23</b><br>p24<br>p25        | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode.<br>Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception<br>Exception handling implies exception mechanism activated<br>Unspecified custom instructions are not allowed<br>Exception handler accessed only during exception, in supervisor mode, or on<br>Page fault generated if MMU detects an access control violation<br>UART output changes on a write command from CPU                                                                        | √<br>X<br>b8<br><br>√<br>√<br>b8<br>X<br>b8<br>X<br>b8<br><br>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| p15<br>p16<br><b>p17</b><br>p18<br>p19<br>p20<br><b>p21</b><br>p22<br><b>p23</b><br>p24<br>p25<br>p26 | Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode<br>Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception.<br>Exception handling implies exception mechanism activated<br>Unspecified custom instructions are not allowed<br>Exception handler accessed only during exception, in supervisor mode, or on<br>Page fault generated if MMU detects an access control violation<br>UART output changes on a write command from CPU<br>Only transmit command or initialization change Ethernet data output | √<br>X<br>b8<br><br>√<br>√<br>↓<br>b8<br>X<br>b8<br><br><br><br>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |

# Properties Found in the Identification Step

| No.                                                  | Security Property Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Found?                                                  |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| p1                                                   | Execution privilege matches page privilege                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | √                                                       |
| p2                                                   | SPR equals GPR in register move instruction                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | b12                                                     |
| р3                                                   | Updates to exception registers make sense                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | b4 b9 b15 👈                                             |
| p4                                                   | Destination matches the target                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | $\checkmark$                                            |
| р5                                                   | Memory value in equals register value out                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | b14                                                     |
| p6                                                   | Register value in equals memory value out                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | b16 b17                                                 |
| р7                                                   | Memory address equals effective address                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | $\checkmark$                                            |
| p8                                                   | Privilege escalates correctly                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | $\checkmark$                                            |
| р9                                                   | Privilege deescalates correctly                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | $\checkmark$                                            |
| p10                                                  | Jumps update the PC correctly                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | X                                                       |
| p11                                                  | Jumps update the LR correctly                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | b13                                                     |
| p12                                                  | Instruction is in a valid format                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | b11                                                     |
| p13                                                  | Continuous Control Flow                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | b5                                                      |
| p14                                                  | Exception return updates state correctly                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | b1 b5                                                   |
| p15                                                  | Register change implies that it is the instruction target                                                                                                                                                                                                                                                                                                                                                                                                                                                       | $\checkmark$                                            |
| p16                                                  | SR is not written to a GPR in user mode                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | V                                                       |
| Mail Strategical                                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | X                                                       |
| p17                                                  | Interrupt implies handled                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | x<br>b8                                                 |
| <b>p17</b><br>p18                                    | Interrupt implies handled<br>Instruction unchanged in pipeline                                                                                                                                                                                                                                                                                                                                                                                                                                                  | x<br>b8<br>                                             |
| <b>p17</b><br>p18<br>p19                             | Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode                                                                                                                                                                                                                                                                                                                                                                                                          | ×<br>b8<br><br>√                                        |
| <b>p17</b><br>p18<br>p19<br>p20                      | Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception                                                                                                                                                                                                                                                                                                                                                        | ×<br>b8<br><br>√<br>√                                   |
| <b>p17</b><br>p18<br>p19<br>p20<br><b>p21</b>        | Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception<br>Exception handling implies exception mechanism activated                                                                                                                                                                                                                                                                                            | ×<br>b8<br><br>√<br>√<br>↓<br>b8                        |
| <b>p17</b><br>p18<br>p19<br>p20<br><b>p21</b><br>p22 | Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception.<br>Exception handling implies exception mechanism activated<br>Unspecified custom instructions are not allowed                                                                                                                                                                                                                                        | x<br>b8<br><br>√<br>√<br>↓<br>b8<br>x                   |
| p17<br>p18<br>p19<br>p20<br>p21<br>p22<br>p22        | Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception<br>Exception handling implies exception mechanism activated<br>Unspecified custom instructions are not allowed<br>Exception handler accessed only during exception, in supervisor mode, or on                                                                                                                                                          | ×<br>b8<br><br>√<br>√<br>↓<br>b8<br>×<br>b8             |
| p17 p18 p19 p20 p21 p22 p23 p24                      | Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception<br>Exception handling implies exception mechanism activated<br>Unspecified custom instructions are not allowed<br>Exception handler accessed only during exception, in supervisor mode, or on<br>Page fault generated if MMU detects an access control violation                                                                                       | x<br>b8<br><br>√<br>√<br>↓<br>b8<br>x<br>b8<br>         |
| p17 p18 p19 p20 p21 p22 p23 p24 p25                  | Interrupt implies handled Instruction unchanged in pipeline SPR modified only in supervisor mode Enter supervisor mode is on reset or exception Exception handling implies exception mechanism activated Unspecified custom instructions are not allowed Exception handler accessed only during exception, in supervisor mode, or on Page fault generated if MMU detects an access control violation UART output changes on a write command from CPU                                                            | x<br>b8<br><br>√<br>√<br>↓<br>b8<br>x<br>b8<br><br>     |
| p17 p18 p19 p20 p21 p22 p23 p24 p25 p26              | Interrupt implies handledInstruction unchanged in pipelineSPR modified only in supervisor modeEnter supervisor mode is on reset or exceptionException handling implies exception mechanism activatedUnspecified custom instructions are not allowedException handler accessed only during exception, in supervisor mode, or onPage fault generated if MMU detects an access control violationUART output changes on a write command from CPUOnly transmit command or initialization change Ethernet data output | x<br>b8<br><br>√<br>√<br>↓<br>b8<br>x<br>b8<br><br><br> |

One property can be identified from different bugs

| No. | Security Property Description                                                 | Found?       |
|-----|-------------------------------------------------------------------------------|--------------|
| p1  | Execution privilege matches page privilege                                    | √            |
| p2  | SPR equals GPR in register move instruction                                   | b12          |
| р3  | Updates to exception registers make sense                                     | b4 b9 b15    |
| p4  | Destination matches the target                                                | $\checkmark$ |
| р5  | Memory value in equals register value out                                     | b14          |
| p6  | Register value in equals memory value out                                     | b16 b17      |
| р7  | Memory address equals effective address                                       | $\checkmark$ |
| p8  | Privilege escalates correctly                                                 | $\checkmark$ |
| р9  | Privilege deescalates correctly                                               | $\checkmark$ |
| p10 | Jumps update the PC correctly                                                 | X            |
| p11 | Jumps update the LR correctly                                                 | b13          |
| p12 | Instruction is in a valid format                                              | b11          |
| p13 | Continuous Control Flow                                                       | b5 👈         |
| p14 | Exception return updates state correctly                                      | b1 b5 📩      |
| p15 | Register change implies that it is the instruction target                     | $\checkmark$ |
| p16 | SR is not written to a GPR in user mode                                       | X            |
| p17 | Interrupt implies handled                                                     | b8           |
| p18 | Instruction unchanged in pipeline                                             |              |
| p19 | SPR modified only in supervisor mode                                          | $\checkmark$ |
| p20 | Enter supervisor mode is on reset or exception                                | √            |
| p21 | Exception handling implies exception mechanism activated                      | b8           |
| p22 | Unspecified custom instructions are not allowed                               | X            |
| p23 | Exception handler accessed only during exception, in supervisor mode, or on   | b8           |
| p24 | Page fault generated if MMU detects an access control violation               |              |
| p25 | UART output changes on a write command from CPU                               |              |
| p26 | Only transmit command or initialization change Ethernet data output           |              |
| p27 | Debug Unit's value and control registers only accessible from supervisor mode |              |

One property can be identified from different bugs

Different properties can be identified from the same bug

| No. | Security Property Description                                                 | Found?       |
|-----|-------------------------------------------------------------------------------|--------------|
| p1  | Execution privilege matches page privilege                                    | √            |
| p2  | SPR equals GPR in register move instruction                                   | b12          |
| р3  | Updates to exception registers make sense                                     | b4 b9 b15    |
| p4  | Destination matches the target                                                | $\checkmark$ |
| р5  | Memory value in equals register value out                                     | b14          |
| p6  | Register value in equals memory value out                                     | b16 b17      |
| р7  | Memory address equals effective address                                       | $\checkmark$ |
| p8  | Privilege escalates correctly                                                 | $\checkmark$ |
| р9  | Privilege deescalates correctly                                               | $\checkmark$ |
| p10 | Jumps update the PC correctly                                                 | X            |
| p11 | Jumps update the LR correctly                                                 | b13          |
| p12 | Instruction is in a valid format                                              | b11          |
| p13 | Continuous Control Flow                                                       | b5           |
| p14 | Exception return updates state correctly                                      | b1 b5        |
| p15 | Register change implies that it is the instruction target                     | $\checkmark$ |
| p16 | SR is not written to a GPR in user mode                                       | X            |
| p17 | Interrupt implies handled                                                     | b8 👈         |
| p18 | Instruction unchanged in pipeline                                             |              |
| p19 | SPR modified only in supervisor mode                                          | $\checkmark$ |
| p20 | Enter supervisor mode is on reset or exception                                | √            |
| p21 | Exception handling implies exception mechanism activated                      | b8 👈         |
| p22 | Unspecified custom instructions are not allowed                               | X            |
| p23 | Exception handler accessed only during exception, in supervisor mode, or on   | b8 👈         |
| p24 | Page fault generated if MMU detects an access control violation               |              |
| p25 | UART output changes on a write command from CPU                               |              |
| p26 | Only transmit command or initialization change Ethernet data output           |              |
| p27 | Debug Unit's value and control registers only accessible from supervisor mode |              |

One property can be identified from different bugs

Different properties can be identified from the same bug

A single SCI can concisely represent multiple manually written properties

| Security Property Description                                                     | Found?                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|-----------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Execution privilege matches page privilege                                        | $\checkmark$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| SPR equals GPR in register move instruction                                       | b12                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Updates to exception registers make sense                                         | b4 b9 b15                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Destination matches the target                                                    | $\checkmark$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| Memory value in equals register value out                                         | b14                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Register value in equals memory value out                                         | b16 b17                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Memory address equals effective address                                           | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Privilege escalates correctly                                                     | √                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Privilege deescalates correctly                                                   | 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Jumps update the PC correctly                                                     | X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Jumps update the LR correctly                                                     | b13                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Instruction is in a valid format                                                  | b11                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Continuous Control Flow                                                           | b5                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Exception return updates state correctly                                          | b1 b5                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| Register change implies that it is the instruction target                         | √                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| SR is not written to a GPR in user mode                                           | X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Interrupt implies handled                                                         | b8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Instruction unchanged in pipeline                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| SPR modified only in supervisor mode                                              | √                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Enter supervisor mode is on reset or exception                                    | 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Exception handling implies exception mechanism activated                          | b8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Unspecified custom instructions are not allowed                                   | X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Exception handler accessed only during exception, in supervisor mode, or on reset | b8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Page fault generated if MMU detects an access control violation                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| UART output changes on a write command from CPU                                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Only transmit command or initialization change Ethernet data output               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Debug Unit's value and control registers only accessible from supervisor mode     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|                                                                                   | Security Property Description<br>Execution privilege matches page privilege<br>SPR equals GPR in register move instruction<br>Updates to exception registers make sense<br>Destination matches the target<br>Memory value in equals register value out<br>Register value in equals memory value out<br>Memory address equals effective address<br>Privilege escalates correctly<br>Privilege descalates correctly<br>Jumps update the PC correctly<br>Jumps update the PC correctly<br>Jumps update the LR correctly<br>Instruction is in a valid format<br>Continuous Control Flow<br>Exception return updates state correctly<br>Register change implies that it is the instruction target<br>SR is not written to a GPR in user mode<br>Interrupt implies handled<br>Instruction unchanged in pipeline<br>SPR modified only in supervisor mode<br>Enter supervisor mode is on reset or exception<br>Exception handling implies exception mechanism activated<br>Unspecified custom instructions are not allowed<br>Exception handler accessed only during exception, in supervisor mode, or on reset<br>Page fault generated if MMU detects an access control violation<br>UART output changes on a write command from CPU<br>Only transmit command or initialization change Ethernet data output<br>Debug Unit's value and control registers only accessible from supervisor mode |

### Properties Found in the Inference Step

| No.        | Security Property Description                                                     | Found?       |
|------------|-----------------------------------------------------------------------------------|--------------|
| p1         | Execution privilege matches page privilege                                        | $\checkmark$ |
| p2         | SPR equals GPR in register move instruction                                       | b12          |
| рЗ         | Updates to exception registers make sense                                         | b4 b9 b15    |
| p4         | Destination matches the target                                                    | $\checkmark$ |
| р5         | Memory value in equals register value out                                         | b14          |
| p6         | Register value in equals memory value out                                         | b16 b17      |
| р7         | Memory address equals effective address                                           | $\checkmark$ |
| p8         | Privilege escalates correctly                                                     | $\checkmark$ |
| <u>9</u>   | Privilege deescalates correctly                                                   | 1            |
| p10        | Jumps update the PC correctly                                                     | X            |
| p11        | Jumps update the LR correctly                                                     | b13          |
| p12        | Instruction is in a valid format                                                  | b11          |
| p13        | Continuous Control Flow                                                           | b5           |
| p14        | Exception return updates state correctly                                          | b1 b5        |
| p15        | Register change implies that it is the instruction target                         | √            |
| p16        | SR is not written to a GPR in user mode                                           | X            |
| p17        | Interrupt implies handled                                                         | b8           |
| p18        | Instruction unchanged in pipeline                                                 |              |
| p19        | SPR modified only in supervisor mode                                              | $\checkmark$ |
| p20        | Enter supervisor mode is on reset or exception                                    | $\checkmark$ |
| p21        | Exception handling implies exception mechanism activated                          | b8           |
| p22        | Unspecified custom instructions are not allowed                                   | X            |
| p23        | Exception handler accessed only during exception, in supervisor mode, or on reset | b8           |
| p24        | Page fault generated if MMU detects an access control violation                   |              |
| n25        | LIADT output changes on a write command from CDL                                  |              |
| μ25        | UART output changes on a write command from CPU                                   |              |
| p23<br>p26 | Only transmit command or initialization change Ethernet data output               |              |

#### **Properties Not Found**

### Results: New Security Properties Found

| Security Property Description                               | Found?                                                                                                                                                                                                               |
|-------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Flags that influence control flow should be set correctly   | b6 b7                                                                                                                                                                                                                |
| Calculation of memory address or memory data is correct     | b3 b10                                                                                                                                                                                                               |
| Link address is not modified during function call execution | $\checkmark$                                                                                                                                                                                                         |
|                                                             | Security Property Description<br>Flags that influence control flow should be set correctly<br>Calculation of memory address or memory data is correct<br>Link address is not modified during function call execution |

### Results: Stopping New Bugs



Result of detecting 14 AMD errata from SPECS project (bugs not used in the development of the assertions).

# Summary

### SCIFinder:

- Generates security-critical invariants semi-automatically
- Requires a list of known security-critical bugs and a processor design

### Main Results:

- The final SCI set covers 86.4% of the manually crafted security properties
- We identify 3 new properties not seen in prior work

### Website:

• <u>https://cs.unc.edu/~csturton/SCIFinder/</u>