#### TO APPEAR AT ACM CCS'22

# Power Contracts: Provably Complete Power Leakage Models for Processors

Roderick Bloem\* Graz University of Technology Graz, Austria Barbara Gigerl Graz University of Technology Graz, Austria Marc Gourjon Hamburg University of Technology Hamburg, Germany NXP Semiconductors Hamburg, Germany

Vedad Hadžić Graz University of Technology Graz, Austria

Stefan Mangard Graz University of Technology Graz, Austria Robert Primas Graz University of Technology Graz, Austria

| -  | 1  |
|----|----|
| -> | \$ |

Contract = dependable leakage model



Contract = dependable leakage model



Verify side-channel security



masked\_program.s





PUBLIC 4

-

-















Problem: Same program has differen t microarchitecture



Cause: Processor's implementation → microarchitecture



































































0

and rD, rN, rM <mark>leak</mark> HD(rN, rM)

leak HD(rN, rM)

xor rD, rN, rM

PUBLIC

NP









xor rD, rN, rM
 leak HD(rN, previous(rN))
 leak HD(rM, previous(rM))

```
and rD, rN, rM
    leak HD(rN, previous(rN))
    leak HD(rM, previous(rM))
```



xor rD, rN, rM leak HD(rN, rM)





## Formal leakage model in GENOA := SAIL DSL [1] + leak [2]



[2]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.

# Formal leakage model in GENOA := SAIL DSL [1] + leak [2]



[2]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.

# Formal leakage model in GENOA := SAIL DSL [1] + leak [2]



[2]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.

# Formal leakage model in GENOA := SAIL DSL [1] + leak [2]

```
// see license in Listing L
// execute a XOR instruction
execute (XOR(rs2, rs1, rd)) = {
 let rs1 val = X(rs1);
                       // read register rs1
 let rs2 val = X(rs2);
                                 // read register rs2
 let result = rs1_val ^ rs2_val;
                                  // compute XOR operation
 leak(HD(X(rs1), X(rs2)));
                                  // leakage between operands
 leak( X(rs1), X(rs2) );
                          // leakage between operands
 leak( X(rd), result );
                                  // transition leakage, e.g., HD
 X(rd) = result;
                                  // write result to rd
 return RETIRE SUCCESS
```

[2]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.

## Formal leakage model in GENOA := SAIL DSL [1] + leak [2]



[2]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.



```
...
// see license in Listing L
                                                   // execute a XOR instruction, similar for AND
execute (XOR(rs2, rs1, rd)) = {
  let rs1_val = X(rs1);
  let rs2_val = X(rs2);
  let result = rs1_val ^ rs2_val;
 X(rd) = result;
 return RETIRE_SUCCESS
}
```









...
xor x1, x2, x3
 rf\_pA = x2
and x4, x5, x6
 leak (x5, rf\_pA)

```
...
// see license in Listing L
                                                   // execute a XOR instruction, similar for AND
execute (XOR(rs2, rs1, rd)) = {
  let rs1_val = X(rs1);
  let rs2_val = X(rs2);
  let result = rs1_val ^ rs2_val;
  leak( X(rs1), rf_pA); // leak of rs1 & previous rs1
  rf_pA = rs1_val; // leakage state to remember operand 1
  X(rd) = result;
  return RETIRE_SUCCESS
}
```



```
...
// see license in Listing L
                                                   // execute a XOR instruction, similar for AND
execute (XOR(rs2, rs1, rd)) = {
  let rs1_val = X(rs1);
  let rs2_val = X(rs2);
  let result = rs1_val ^ rs2_val;
  leak( X(rs1), rf_pA); // leak of rs1 & previous rs1
  leak( X(rs2), rf_pB);
  rf_pA = rs1_val; // leakage state to remember operand 1
  rf pB = rs2 val;
  X(rd) = result;
  return RETIRE_SUCCESS
}
```

```
...
xor x1, x2, x3
rf_pA = x2
and x4, x5, x6
leak (x5, rf_pA)
```

...

```
// see license in Listing L
                                                   .....
// execute a XOR instruction, similar for AND
execute (XOR(rs2, rs1, rd)) = {
  let rs1_val = X(rs1);
  let rs2_val = X(rs2);
  let result = rs1_val ^ rs2_val;
  leak( X(rs1), rf_pA); // leak of rs1 & previous rs1
  leak( X(rs2), rf pB);
  rf pA = rs1 val; // leakage state to remember operand 1
  rf pB = rs2 val;
  X(rd) = result;
  return RETIRE_SUCCESS
}
```

# // see license in Listing L // execute a XOR instruction execute (XOR(rs2, rs1, rd)) = { let rs1 val = X(rs1); let rs2\_val = X(rs2); let result = rs1\_val ^ rs2 val; leak( X(rs1), X(rs2) ); X(rd) = result;return RETIRE\_SUCCESS

### MODELING LEAKAGE (3) CONTRACT

## One contract for many processors

```
// see license in Listing L
                                       // execute a XOR instruction
                                            -
execute (XOR(rs2, rs1, rd)) = {
 let rs1_val = X(rs1);
                                       let rs2_val = X(rs2);
 let result = rs1_val ^ rs2_val;
 leak( X(rs1), rf_pA,
         X(rs2), rf_pB);
 rf_pA = rs1_val;
 rf_pB = rs2_val;
 X(rd) = result;
 return RETIRE_SUCCESS
}
```

### MODELING LEAKAGE (3) CONTRACT

## One contract for many processors





## POWER CONTRACT

- Contract enables to execute entire programs symbolically
- See License in Listing L

```
function step_ibex (op : bits(32)) -> bool = {
    nextPC = PC + 4;
    let instruction = encdec(op);
```

```
let ret = execute(instruction);
```

```
let success : bool =
    match ret {
        RETIRE_SUCCESS => true,
        RETIRE_FAIL => false
     };
    tick_pc();
    return success
}
function common_leakage(rs1_val, rs2_val) = {
    leak(rs1_val, rs2_val, rf_pA, rf_pB,
        mem_last_addr, mem_last_read);
    rf_pA = rs1_val;
    rf pB = rs2 val; /* update read ports */
```

mem last read = 0; /\* clear data memory port \*/

```
// decode or encode an ADD instruction
// add rd rs1 rs2 ==> RTYPE(rs2, rs1, rd, RISCV ADD)
mapping clause encdec = RTYPE(rs2, rs1, rd, RISCV ADD)
  <-> 0b0000000 @ rs2 @ rs1 @ 0b000 @ rd @ 0b0110011
// execute a decoded instruction
function clause execute (RTYPE(rs2, rs1, rd, op)) = {
  let rs1 val = X(rs1); // read register rs1
  let rs2 val = X(rs2);
  common leakage(rs1 val, rs2 val);
  let result = match op { // match-case
   RISCV ADD => rs1 val + rs2 val, // compute ADD operation
         • • •
   RISCV AND => rs1 val & rs2 val,
  };
  overwrite leakage(rd, result);
 X(rd) = result;
                                    // write result to rd
  return RETIRE SUCCESS
```



• E2E Security:















- Guarantee of contracts:
  - t-(S)NI @ Contract implies t-(S)NI @ any compliant HW for any program



- Guarantee of contracts:
  - t-(S)NI @ Contract implies t-(S)NI @ any compliant HW for any program
  - Holds also for threshold probing security, PINI, TI, ...



- Guarantee of contracts:
  - t-(S)NI @ Contract implies t-(S)NI @ any compliant HW for any program
  - Holds also for threshold probing security, PINI, TI, ...

**BIG PICTURE** 



NP

47

PUBLIC

[1]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021. **BIG PICTURE** 



[1]: Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification. Gilles Barthe, Marc Gourjon, Benjamin Grégoire, Maximilian Orlt, Clara Paglialonga, Lars Porth. CHES 2021.



 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract

$$[ [ P ] ]^c \left( \sigma_0^c \right)$$



 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract

$$\begin{bmatrix} \mathbb{P} \end{bmatrix}^{c} \left( \sigma_{0}^{c} \right) : \qquad \sigma_{0}^{c} \xrightarrow{\mathcal{L}_{0}^{c}} \sigma_{1}^{c} \xrightarrow{\mathcal{L}_{1}^{c}} \dots \xrightarrow{\mathcal{L}_{n-1}^{c}} \sigma_{n}^{c}$$

$$\begin{bmatrix} \mathbb{P} \end{bmatrix}^{h} \left( \sigma_{0}^{h} \right) : \qquad \sigma_{0}^{h} \xrightarrow{\mathcal{L}_{0}^{h}} \sigma_{1}^{h} \xrightarrow{\mathcal{L}_{1}^{h}} \dots \xrightarrow{\mathcal{L}_{m-1}^{h}} \sigma_{m}^{h}$$

$$f$$
starting state

Definition 6 (Compliance:  $\llbracket \cdot \rrbracket^h \vdash_{\mathcal{M}} \llbracket \cdot \rrbracket^c$ ).

 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract

$$\begin{bmatrix} \mathbf{P} \end{bmatrix}^{c} \left( \sigma_{0}^{c} \right) : \qquad \sigma_{0}^{c} \xrightarrow{\mathcal{L}_{0}^{c}} \sigma_{1}^{c} \xrightarrow{\mathcal{L}_{1}^{c}} \dots \xrightarrow{\mathcal{L}_{n-1}^{c}} \sigma_{n}^{c}$$

$$\begin{bmatrix} \mathbf{P} \end{bmatrix}^{h} \left( \sigma_{0}^{h} \right) : \qquad \sigma_{0}^{h} \xrightarrow{\mathcal{L}_{0}^{h}} \sigma_{1}^{h} \xrightarrow{\mathcal{L}_{1}^{h}} \dots \xrightarrow{\mathcal{L}_{m-1}^{h}} \sigma_{m}^{h}$$

$$\begin{bmatrix} \mathbf{P} \end{bmatrix}^{c} \left( \sigma_{0}^{h} \right) : \qquad \sigma_{0}^{h} \xrightarrow{\mathcal{L}_{0}^{h}} \sigma_{1}^{h} \xrightarrow{\mathcal{L}_{1}^{h}} \dots \xrightarrow{\mathcal{L}_{m-1}^{h}} \sigma_{m}^{h}$$

$$\begin{bmatrix} \mathbf{P} \end{bmatrix}^{c} \left( \sigma_{0}^{h} \right) : \qquad \mathbf{P} \end{bmatrix} \xrightarrow{\mathbf{P}} \left( \sigma_{0}^{h} \right) : \qquad \mathbf{P} \end{bmatrix} \xrightarrow{\mathbf{P}} \left( \sigma_{0}^{h} \right) : \qquad \mathbf{P}$$

NP

 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract



 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract



Definition 6 (Compliance:  $\llbracket \cdot \rrbracket^h \vdash_{\mathcal{M}} \llbracket \cdot \rrbracket^c$ ).



 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract
 Modeled leakage





 E2E security reduction based on ability to model any HW probe from modeled leakage in the contract
 Modeled leakage



DEFINITION 6 (COMPLIANCE:  $\llbracket \cdot \rrbracket^h \vdash_{\mathcal{M}} \llbracket \cdot \rrbracket^c$ ).

PUBLIC 66

### VERIFYING COMPLETENESS IN A NUTSHELL (1) CHECKING THE ABILITY TO MODEL HW LEAKAGE FROM CONTRACT LEAKS

• Is there a function f(e1, e2) = y such that  $y = \lambda_g$  for all executions of a program?

$$\mathcal{L}_{i}^{c} := \{ \dots, \text{ leak}(\text{ e1, e2}), \dots \}$$



- Rationale:
  - If I know e1, e2 which are exposed in the contract, then
  - I can simulate the observation of leakage  $\lambda_g$  of gate g in HW which an adversary could make

Theorem 2 (Model Reduction).

### VERIFYING COMPLETENESS IN A NUTSHELL (1) CHECKING THE ABILITY TO MODEL HW LEAKAGE FROM CONTRACT LEAKS

• Is there a function  $f(e_1, e_2) = y$  such that  $y = \lambda_a$  for all executions of a program?

$$\begin{array}{c} \blacksquare & \mathcal{L}_{i}^{c} := \{ \dots, \text{leak}(\text{ e1, e2}), \dots \} \\ & \exists f(e1, e2) = \lambda_{g} ? \\ & \blacksquare & \mathcal{L}_{j}^{h} := \{ \dots, \lambda_{g}(\sigma_{j-1}^{h}, \sigma_{j}^{h}), \dots \} \end{array}$$

- Rationale:
  - If I know e1, e2 which are exposed in the contract, then
  - I can simulate the observation of leakage  $\lambda_g$  of gate g in HW which an adversary could make

Theorem 2 (Model Reduction).

#### VERIFYING COMPLETENESS IN A NUTSHELL (3) CHECKING THE ABILITY TO MODEL HW LEAKAGE FROM CONTRACT LEAKS

?  $\exists$  f(e1, e2) =  $\lambda_g$ 

Theorem 5 (Existence of Modeling Function).

# check on two pairs of executions

- starting in  $\sigma_0^c$ ,  $\sigma_0^h$  respectively,  $\sigma_0^{c\prime}$ ,  $\sigma_0^{h\prime}$
- Is there an execution leading to e1 = e1' and e2 = e2' but  $\lambda_g \neq \lambda'_g$ ?
- Then there is no single f since it would need to output different values for the same inputs
- Encode as SMT for automated check

## VERIFYING COMPLETENESS IN A NUTSHELL (4) VERIFICATION OVERVIEW

- Any single instruction
- Deal with pipelines

xor rD, rN, rM

•••

 $\sigma_{i}^{c} \xrightarrow{\mathcal{L}_{i}^{c}} \sigma_{i+1}^{c}$   $M \xrightarrow{\mathcal{L}_{j}^{h}} \xrightarrow{\mathcal{L}_{j}^{h}} \cdots \xrightarrow{\mathcal{L}_{j+k-1}^{h}} \sigma_{j+k}^{h}$ 

Constraints

- ...

- New instruction issued in cycle j
- Instruction successfully retires in cycle j + k
- Assert no exceptions, reset, debug or interrupt
- Memory access immediately granted, no errors
- Verify for instructions lengths k = 1 to max. length

$$\sigma_j^h \xrightarrow{\mathcal{L}_j^h} \cdots \xrightarrow{\mathcal{L}_{j+k-1}^h} \sigma_{j+k}^h$$

|    | Cycle -1 | Cycle 0 | Cycle 1 | Cycle 2 |
|----|----------|---------|---------|---------|
| ID |          | xor     | and     |         |
| EX |          |         | xor     | and     |
|    |          |         |         |         |













## SUMMARY OF CONTRIBUTIONS

- Contracts express precise leakage behavior
- Method & tool to
  - check functional correctness of contract
  - check completeness of leakage specification  $\rightarrow$  provably complete leakage models
- Proven end-to-end resilience
  - Proofs of security based on the contract also hold for adversaries attacking compliant hardware
  - "the execution of any program on any compliant HW is secure if security against the contract has been shown"
- Applied to IBEX processor
  - Open-source contract
- Contract can be compiled to fast emulator
  - E.g., for power trace simulator or statistical security assessment

#### LIMITATIONS

- HW leakage model
  - Tool does not (yet) support glitches / couplings / tech-mapped netlist
  - Methodology extends seamlessly
- Random probing security, Noisy leakage model
  - Contract does not (yet) carry information on leakage rates
  - Existing approaches to security reductions [1], [2]
  - Is it possible to augment contracts with leakage/noise rates and to verify these bounds against netlists?

[2]: The Mother of All Leakages: How to Simulate Noisy Leakages via Bounded Leakage (Almost) for Free. Gianluca Brian, Antonio Faonio, Maciej Obremski, João Ribeiro, Mark Simkin, Maciej Skórski, and Daniele Venturi. EUROCRYPT 2021. PUBLIC 8 3

#### LISTING L LICENSE OF SHOWN CODE-SNIPPETS

RISCV Sail Model

This Sail RISC-V architecture model, comprising all files and directories except for the snapshots of the Lem and Sail libraries in the prover\_snapshots directory (which include copies of their licences), is subject to the BSD two-clause licence below.

Copyright (c) 2017-2021 Prashanth Mundkur, Rishiyur S. Nikhil and Bluespec Inc., Jon French, Brian Campbell, Robert Norton-Wright, Alasdair Armstrong, Thomas Bauereiss, Shaked Flur, Christopher Pulte, Peter Sewell, Alexander Richardson, Hesham Almatary, Jessica Clarke, Microsoft, for contributions by Robert Norton-Wright and Nathaniel Wesley Filardo, Peter Rugg and Aril Computer Corp., for contributions by Scott Johnson.

Copyright 2020-2022 - TUHH, TU Graz

All rights reserved.

This software was developed by the above within the Rigorous Engineering of Mainstream Systems (REMS) project, partly funded by EPSRC grant EP/K008528/1, at the Universities of Cambridge and Edinburgh.

This software was developed by SRI International and the University of Cambridge Computer Laboratory (Department of Computer Science and Technology) under DARPA/AFRL contract FA8650-18-C-7809 ("CIFV"), and under DARPA contract HR0011-18-C-0016 ("ECATS") as part of the DARPA SSITH research programme.

This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement 789108, ELVER).

This software has received funding from the Federal Ministry of Education and Research (BMBF) as part of the VE-Jupiter project grant 16ME0231K.

This work was supported by the Austrian Research Promotion Agency (FFG) through the FERMION project (grant number 867542).

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



# SECURE CONNECTIONS FOR A SMARTER WORLD

NXP, THE NXP LOGO AND NXP SECURE CONNECTIONS FOR A SMARTER WORLD ARE TRADEMARKS OF NXP B.V. ALL OTHER PRODUCT OR SERVICE NAMES ARE THE PROPERTY OF THEIR RESPECTIVE OWNERS. © 2022 NXP B.V.