Primula · Principled Microarchitectural Security with Leakage Contracts

Microarchitectural attacks exploit hardware side-effects to compromise otherwise secure programs. These attacks rely on microarchitectural leaks, which reveal information about a program's execution through indirect observations (e.g., by measuring a program's execution time) of a CPU internal state. Through these leaks, attackers can, for instance, stealthily recover encryption keys and secret passwords from security-critical software.To prevent leaks, software developers need to reason about the interactions between software and a CPU's microarchitecture. For this, they rely on program-level models describing how information might leak microarchitecturally and they modify their implementations accordingly to ensure the absence of leaks.This way of building leak-free systems, however, has one fundamental flaw: current models are unsound for modern multi-core CPUs. They have no precise relation with a CPU's microarchitecture and may ignore actual leaks. This results in insecure programs that leak information despite being secure with respect to the model.Primula's goal is to establish foundations for security against microarchitectural leaks in modern multi-core CPUs. For this, Primula will develop a new theory of hardware-software leakage contracts for multi-core CPUs together with tools for applying these contracts to hardware and software. Primula will close the gap between program-level models and CPUs by inferring sound contracts directly from a processor's microarchitecture. These contract will be used to automatically secure software against microarchitectural leaks. Primula is high risk since it requires developing novel verification and synthesis techniques, targeting both hardware and software, that need to scale to modern CPUs and software systems. Yet, Primula is high gain since it allows tackling security-critical microarchitectural leaks, once and for all, rather than relying on ad-hoc patches whenever new leaks are discovered.