A Hardware Design Language for Efficient Control of Timing Channels

Abstract

Timing channels pose a real security risk, but methods are lacking for building systems without timing leaks. One reason is that low-level hardware features create timing channels; for example, caches enable probing attacks. We introduce a new hardware design language, SecVerilog, that in conjunction with software-level enforcement makes it possible to build systems in which timing channels and other leakage are verifiably controlled. SecVerilog extends Verilog with annotations that support comprehensive, precise reasoning about information flows at the hardware level. Compared to previous methods for designing secure hardware, SecVerilog offers a better tradeoff between expressiveness and run-time overhead. We demonstrate that it is expressive enough to build complex hardware designs, including a MIPS processor, with low overhead in time, space, and programmer effort. Information flow checking is mostly static, permitting hardware designs that are largely unaffected by security enforcement mechanisms. SecVerilog also tracks information at fine granularity, allowing interleaving of instructions and data at different security levels throughout the processor. SecVerilog also comes with stronger formal assurance than previous hardware design methods: we prove that it enforces noninterference, ensuring secure information flow.