HyperFlow: A Processor Architecture for Timing-Safe Information-Flow Security Andrew Ferraiuolo, Mark Zhao, Andrew C. Myers, G. Edward Suh Cornell University Ithaca, NY 14850, USA [email protected], [email protected], [email protected], [email protected] Abstract—This paper presents HyperFlow, a processor that it is important for security to ensure that hardware implemen- enforces secure information flow, including control over timing tations are free of timing channels. channels. The design and implementation of HyperFlow offer se- Prior work has shown that hardware constructed with a curity assurance because it is implemented using a security-typed hardware description language that enforces secure information security-typed hardware description language (HDL) [20], [43] flow. Unlike prior information-flow secured processors that aim can provide strong security assurance. Security-typed HDLs to strictly enforce noninterference, HyperFlow supports complex can statically prove that the hardware prevents insecure infor- information flow policies that can be configured at run time, and mation flows: untrusted signals cannot affect trusted signals, provides support for secure interprocess communication (IPC) and secret signals cannot affect public ones. Because HDLs and system calls. The architecture also offers a new model for process isolation in which memory protection is provided via produce cycle-level descriptions of the hardware, security- information flow control with strong security assurance while typed HDLs can also prove that the hardware is free of timing allowing IPC and shared memory. HyperFlow is designed to sup- channels. Prior work has also shown that security-typed HDLs port practical applications and system architectures. It therefore catch real-world security vulnerabilities [14]. supports decentralized information flow mechanisms that allow This paper presents HyperFlow, a processor architecture and controlled communication among mutually distrusting processes, mediated by dynamic, fine-grained labels. Static information- implementation designed for information-flow security that is flow verification of such a complex processor architecture poses verified with a security-typed HDL at design time, providing significant challenges, which require contributions in both the strong security assurance about its design and implementation. hardware architecture and the security type system. The paper The HyperFlow architecture is carefully designed to remove discusses the architecture decisions that make the processor all disallowed information flows between security levels, in- secure and describes a new secure HDL, named ChiselFlow, that allows these decisions to be verified in a lightweight way. The cluding timing channels, and the information flows within the HyperFlow architecture is also prototyped on a fully-featured design are statically verified using a security type system. processor that offers a complete RISC-V instruction set, and is HyperFlow is also implemented as an extension of a fully shown to have moderate overhead on area and performance. featured processor with a complete (RISC-V) instruction set. HyperFlow security policies. Beyond being a practical, I. INTRODUCTION realistic processor, HyperFlow also innovates in the security In modern computer systems, hardware plays a central policies it enforces. Unlike prior processors with verified role in providing isolation for software modules. Protection information flow, which only supported simple, fixed 2-point rings are widely used to isolate supervisor processes from or 4-point policy lattices, HyperFlow can enforce complex user processes. Recent hardware security architectures such application-defined security policies directly in hardware, in as ARM TrustZone [23] and Intel SGX [8] aim to protect line with work on information-flow security in operating critical software even when the operating system is malicious systems and programming languages which suggests that real or compromised. However, the security of these processors applications need rich lattice policies that can capture complex relies on the assumption that the underlying hardware properly trust relationships among mutually distrusting principals [5], enforces necessary security properties. [12], [26], [41]. Unfortunately, microprocessors often contain vulnerabili- We show how to encode complex and dynamic security ties that allow security-critical software to be compromised policies involving both confidentiality and integrity even for by untrusted software. Software-exploitable vulnerabilities in applications built from communicating processes serving mu- SGX have already been found [24]. Previous studies found tually distrusting principals. By enforcing security policies in vulnerabilities in implementations of Intel VT-d [38] and hardware, the software component of the trusted computing system management mode (SMM) [37]. Moreover, the recent base is minimized, and strong security assurance is obtained. Spectre [19] and Meltdown [22] vulnerabilities show that even While practical tagged architectures have previously been built if the hardware is correct in a conventional sense—that it with the ability to encode information flow policies [11], [42], implements a specification—is not sufficient to ensure security. they do not handle timing channels, and their implementations Exploiting subtle timing channels in Intel microprocessors, have not been secured with an information flow HDL. Meltdown can be used to leak arbitrary kernel data. Therefore, HyperFlow represents rich lattice policies in hardware at the bit level by introducing hypercube labels, in which software- provides label inference that reduces programmer effort. The level labels are mapped to points in a hypercube. Hypercube hardware designer provides security labels for the inputs and labels enable efficient comparisons between security levels outputs of hardware modules, but labels of internal signals can directly in hardware, and they are amenable to static checking be omitted. ChiselFlow also supports multiple mechanisms for in the security-typed HDL. describing heterogeneously labeled data structures, which are Controlled downgrading. To be practical, systems based crucial for practical designs. Finally, ChiselFlow separates the on information-flow security must allow exceptions to non- confidentiality and integrity components of labels supporting interference [16]. For example, applications must be able controlled downgrading. to release the results of computing on secrets. This can be Prototype implementation. We implement HyperFlow as accomplished by downgrading, a mechanism for relaxing an extension to the RISC-V Rocket processor, and HyperFlow information-flow policies. Uncontrolled downgrading is dan- supports a complete RISC-V ISA. Our implementation allows gerous, so the HyperFlow ISA provides instructions for con- conventional virtual-memory protection to interoperate with trolled downgrading. Downgrading of confidentiality policies HyperFlow’s information flow protection. HyperFlow imple- (declassification) is permitted only when it is robust [39]— ments performance-critical features that were absent in prior secrets can be released only if the downgrade can be influenced processors secured with an IFC HDL. The prototype imple- only by the owners of these secrets. Dually, downgrading of mentation shows that the new security features in HyperFlow integrity policies (endorsement) is permitted only it when it add moderate area overhead, largely due to the additional stor- is transparent [4]: that is, if the party providing the endorsed age for security tags, and moderate performance overhead due data could have read it. Together, these conditions ensure that to timing-channel protection. The HyperFlow implementation information flow is nonmalleable. Nonmalleable information is also more fully-featured than prior information-flow secured flow is enforced not only at the ISA level but also at the processors. The timing-safe implementations of these features HDL level, providing similarly strong assurance about the also type-checks with ChiselFlow, providing strong assurance implementation. that the implementation is secure. Secure interprocess communication. Another novel and challenging feature of HyperFlow is its support for secure II. HDL-LEVEL INFORMATION FLOW CONTROL communication across trust domains. HyperFlow allows but Implementing hardware with security-typed hardware de- constrains interprocess communication (IPC) via shared mem- scription languages (HDLs) is a promising approach to en- ory. It also supports the secure communication via registers suring the hardware is secure. HDL-level information flow of arguments and return values of system calls. System calls control applies techniques from language-based security [29] and shared function libraries present another challenge that to hardware design [13], [20], [21], [43]. Variables in the code HyperFlow addresses—both scenarios require a mechanism that describe the hardware design are annotated with security by which untrusted code can invoke trusted code. HyperFlow labels, L, which are types describing restrictions on where introduces an information-flow secure call gate [31], [36] information contained in that signal can flow. The type system mechanism to make cross-domain control transfers secure. then enforces these restrictions. Memory protection. Conventional systems use virtual Type systems for information flow security can enforce memory to isolate pages that belong