

### µCFI: Formal Verification of Microarchitectural Control-flow Integrity

Katharina Ceesay-Seitz, Flavien Solt, Kaveh Razavi

COMSEC, Computer Security Group, ETH Zurich

Verification Futures UK, 01.07.2025





https://www.linkedin.com/in/katharina-ceesay-seitz-ba521087/

Published at ACM Computer and Communications Security (CCS) 2024



Testing, e.g., fuzzing



Testing, e.g., fuzzing, is incomplete

Security: need guarantee of absence of bugs



Formal verification:

• Provides formal guarantees for all inputs



Formal verification:

• Provides formal guarantees for all inputs



• Often a CPU-specific, manual effort

### **Formal Property Verification**



### **Formal Property Verification**



### **Formal Property Verification**









Formal verification:

 Provides formal guarantees for all inputs

### **µCFI - Generalized security property**

- Easy application and reuse
- Independent of CPU's verification state

=> apply it early in the design cycle

• Captures multiple threat models

### **Definition: Architectural Control Flow**

|                                                           | Software program (assembly instructions) |          |              |            |  |  |  |
|-----------------------------------------------------------|------------------------------------------|----------|--------------|------------|--|--|--|
| Architectural<br>(software)<br>Program<br>Counter<br>(PC) | 80000000 <_start>:                       |          |              |            |  |  |  |
|                                                           | 80000000:                                | 00010337 | lui t1,0x10  |            |  |  |  |
|                                                           | 80000004:                                | 010eaf83 | lw t6,16(t4) |            |  |  |  |
|                                                           | 8000008:                                 | 01f32823 | sw t6,16(t1) |            |  |  |  |
|                                                           | 8000000c:                                | 400b0b13 | addi         | s6,s6,1024 |  |  |  |
|                                                           | 80000010:                                | 34319073 | csrw         | mtval,gp   |  |  |  |
|                                                           | 80000014:                                | 341020f3 | csrr         | ra,mepc    |  |  |  |
|                                                           | 80000018:                                | 0030c133 | xor sp,ra,gp |            |  |  |  |



Architectural PC decides the order of instructions

Software 'if' = Branch instruction

```
If condition
PC = Branch target = A
```

Else

PC = Branch target = PC + 4

### Definition: Microarchitectural Control Flow (µCF)

|                                                           | Software prog            | Software program (assembly instructions) |          |                             |  |  |
|-----------------------------------------------------------|--------------------------|------------------------------------------|----------|-----------------------------|--|--|
| Architectural<br>(software)<br>Program<br>Counter<br>(PC) | 80000000 <_<br>80000000: | start>:<br>00010337                      | lui +1 / | ∩√10                        |  |  |
|                                                           | 80000004:                | 010eaf83                                 | •        | lui t1,0x10<br>lw t6,16(t4) |  |  |
|                                                           | 8000008:                 | 01f32823                                 | sw t6,   | sw t6,16(t1)                |  |  |
|                                                           | 800000c:                 | 400b0b13                                 | addi     | s6,s6,1024                  |  |  |
|                                                           | 80000010:                | 34319073                                 | csrw     | mtval,gp                    |  |  |
|                                                           | 80000014:                | 341020f3                                 | csrr     | ra,mepc                     |  |  |
|                                                           | 80000018:                | 0030c133                                 | xor sp,  | xor sp,ra,gp                |  |  |



### Microarchitectural control flow (µCF)



Constant Time (CT) RISC-V program

Architectural control flow



reads secret data

14

#### Constant Time (CT) RISC-V program

#### Architectural control flow



#### Constant Time (CT) program

#### Architectural control flow





#### Constant Time (CT) program

#### Architectural control flow







operand: '1 csrrw nop addi csrrw jalr Clock Delayed PC update



Secret influences µCF

#### Constant Time (CT) program





Control-flow integrity secure program

#### Architectural control flow



#### Constant Time (CT) program

#### Architectural control flow





Control-flow integrity secure program

#### Architectural control flow





Input influences µCF by changing PC value



- Proof that the  $\mu CF$  has only ISA-specified data dependencies
- Detect non-ISA specified flows







- Proof that the  $\mu CF$  has only ISA-specified data dependencies
- Detect non-ISA specified flows





ISA = Instruction Set Architecture, PC = Program Counter

- Proof that the  $\mu CF$  has only ISA-specified data dependencies
- Detect non-ISA specified flows



- Proof that the  $\mu CF$  has only ISA-specified data dependencies
- Detect non-ISA specified flows





- Proof that the  $\mu CF$  has only ISA-specified data dependencies
- Detect non-ISA specified flows









- Proof that the µCF has only ISA-specified data dependencies
- **Detect non-ISA specified flows** ۲









data flows





- Proof that the  $\mu CF$  has only ISA-specified data dependencies
- Detect non-ISA specified flows









ISA = Instruction Set Architecture, PC = Program Counter



Information flow tracking with taint logic – CellIFT [1]

### taint = secret or attacker-controlled information

[1] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", USENIX Security 2022 https://github.com/comsec-group/cellift-yosys

# CellIFT Yosys [1] pass



\*it is possible to add multiple independent taint instrumentations. Each in -/output gets a taint representation per instrumentation.

[2] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", USENIX Security 2022

<sup>[1]</sup> Yosys Open SYnthesis Suite - https://github.com/YosysHQ/yosys

### CellIFT



Taint logic (CellIFT [1]) tracks information flows

#### Information flow tracking with taint logic – CellIFT [1]



taint = secret or attacker-controlled

[1] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", USENIX Security 2022

### CellIFT



Taint logic (CellIFT [1]) tracks information flows

#### Information flow tracking with taint logic – CellIFT [1]



taint = secret or attacker-controlled

[1] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", USENIX Security 2022







### Formally Verifying µCFI



### Formally Verifying µCFI



### Formally Verifying µCFI



### **Instruction Classification**

beq t1, t2, 20

control

#### **Control-influencing:**

direct branches, instructions with exceptions, ...

are expected to influence the program counter

```
If reg[t1] == reg[t2]
    Branch target = A
Else
    Branch target = PC + 4
```

branch N

target

PC

control

#### **Instruction Classification**





#### 

### CellIFT



data, 🚺

control & timing flows





**Non-influencing:** arithmetic, logic, ...



[1] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", USENIX Security 2022

### **CellDFT – Data Flow Tracking**







μCFI



[1] F. Solt, B. Gras, K. Razavi, "CELLIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL", USENIX Security 2022

### **CellDFT – Data Flow Tracking**

#### CellDFT

- Only tracks data flows 🖡
- Blocks control flows

| Cell Name                                                             | Definition                                                                                                                                 |                       |
|-----------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
| State elems. with enable ( <i>EN</i> ) 2-input mux, aldff cells [106] | $\begin{aligned} Q_n^t &= (EN \wedge D^t) \lor (\neg EN \wedge Q_{n-1}^t) \\ Y^t &= (\neg S \wedge A^t) \lor (S \wedge B^t) \end{aligned}$ | Data taint propagates |
| pmux cells [106]                                                      | $Y^t = A[S]^t$                                                                                                                             | _                     |
| Comparison/reduction cells                                            | $Y^t = 0$                                                                                                                                  | No taint propagates   |
| Shift cells                                                           | $Y^t = A^t \circ B$                                                                                                                        | Data taint is shifted |





#### Instruction classification μCFI information Non-influencing: add x4, x5, x6 $\sim$ PC PC Operand CellIFT arithmetic, logic, ... information **Control-influencing:** bne x1, x2, 20 Operand PC 🕓 PC CellDFT branches, exceptions control branch N data contro target Value-influencing: PC jalr ra, **x1**, **80** jumps data jump target



For communication with software engineers/tools:

• Security classification per instruction

Is a constant time (CT) software really CT on an actual CPU implementation?



For communication with software engineers/tools:

- Security classification per instruction,
- surrounded by arbitrary, potentially insecure, instructions



For communication with software:

• Security classification per instruction

To ease debugging:

• Identify the specific instruction that leaks



• For communication with software:

• Security classification per instruction

To ease debugging:

Identify the specific instruction that leaks

For strong security guarantees:

- consider influences on younger instructions
- over arbitrary, infinitely long programs











### **Precise Taint Injection**

#### x = (taint) logic abstraction



### **Precise Taint Injection**



### **Precise Taint Injection**









#### **Tracking Forwarded Data**







| Verified<br>RISC-V<br>CPUs | Microcontroller-clas | ss, in-order CPUs | used in<br>Root-of-Trust | Scarv<br>Scarv<br>Zk scalar<br>crypto<br>extensions |
|----------------------------|----------------------|-------------------|--------------------------|-----------------------------------------------------|
| State bits                 | 3.2k                 | 2.0k              | 2.5k                     | 2.3k                                                |
| Net bits                   | 1.6k                 | 1.4k              | 4.6k                     | 6.7k                                                |
| Cell-                      | IFT / DFT            | IFT / DFT         | IFT / DFT                | IFT / DFT                                           |
| Ø time to PROVE            | 17 h / 8m            | 16m / 30s         | 9h / 10m                 | 14.5h / 50 m                                        |
| Ø time to FAIL             | 1h / 8m              | 37s / 15s         | 2h / 3m                  | 11m / 34m                                           |

Model checker: Cadence Jasper Formal Property Verification App



### **New Discovered Security Vulnerabilities**

Kronos

Constant time violation:

CVE-2023-51974

#### Architectural control flow



Microarchitectural control flow reg: 0







Two control-flow hijacks:

CVE-2023-51973

#### CVE-2024-44927



### **New Discovered Security Vulnerabilities**

Constant time violation:

CVE-2023-51974

Architectural control flow



#### Microarchitectural control flow









Two control-flow hijacks: CVE-2023-51973

CVE-2024-44927



Constant time violation + data leakage:

CVE-2024-28365



#### Control-flow hijack



64

. . . . . . .

lbex

## Conclusion

• Introduced and formalized a generalized CPU security property



## Conclusion

• Introduced and formalized a generalized CPU security property



**µCFI - Microarchitectural Control-flow Integrity** 

- Automated verification method & implementation
- 4 open-source RISC-V CPUs verified
- Discovered 5 new vulnerabilities 4 CVEs





## Conclusion

• Introduced and formalized a generalized CPU security property



**µCFI - Microarchitectural Control-flow Integrity** 

- Automated verification method & implementation
- 4 open-source RISC-V CPUs verified
- Discovered 5 new vulnerabilities 4 CVEs

#### Video:

https://www.youtube.co m/watch?v=Kxp-5kNMt40&t

#### Information:





https://comsec.ethz.ch/ Comsec-group/mucfi

# Thank you! Questions?

Contact:



https://www.linkedin.com/in/katharina-ceesay-seitz-ba521087/

X@K\_Ceesay-Seitz, @FlavienSolt



kceesay@ethz.ch, flavien.solt@eecs.berkeley.edu







#### **Taint Start Condition**

**Update Condition Yosys Pass** 

**Read-from Condition** = the condition in which a signal is updated with <u>a chosen</u> signal's value.



yosys update\_condition -read-from-signals "cpuregs" -signal\_name "cpuregs\_rs1"

#### CPU code (PicoRV32):



#### **Generated Read-from Condition:**



### **Taint Stop Condition**

**Update Condition Yosys Pass** 

**Update Condition (UC)** = the condition in which a signal is updated with <u>another value than its own previous value</u>.



For example:

- enable condition of a flip flop
- '1' (True) for continuous assignments

### **Precise Taint Injection Conditions**



Simple & precise counter examples

### Update Condition (UC) / Read-from Condition (RC) Yosys Pass

s ... signal

a,b ... other internal signals 'past' = custom attribute



### Find Forwarding Multiplexer Yosys Pass

- Automatically identifies forwarding multiplexers
- Checks <u>declassification precondition</u>: all outgoing paths of declassified signals reach another declassified signal or data source without passing PC



- 1. Traverse outgoing paths of forwarded data output and check declassification precondition
- 2. If a mux uses forwarded data output, back-traverse multiplexers' other input's driving logic.
- 3. Is it directly assigned with operand's register data read signal?
  - No: continue at mux output
  - Yes: Forwarding mux found X --> return mux select signal

## **Taint Injection Assumptions**



### Introducing µCFI - Microarchitectural Control-flow Integrity

