{"id":13774402,"url":"https://github.com/morenes/AutoCC","last_synced_at":"2025-05-11T06:33:01.025Z","repository":{"id":186138588,"uuid":"673768057","full_name":"morenes/AutoCC","owner":"morenes","description":"Methodology that leverages FPV to automatically discover covert channels in hardware that is time-shared between processes. AutoCC operates at RTL to exhaustively examine any machine state left by a process after a context switch that creates an execution difference.","archived":false,"fork":false,"pushed_at":"2024-10-25T03:55:13.000Z","size":73,"stargazers_count":11,"open_issues_count":0,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-10-26T17:24:56.431Z","etag":null,"topics":["covert-channel","formal-verification","fpv","hardware","security"],"latest_commit_sha":null,"homepage":"https://parallel.princeton.edu/papers/marcelo_autocc_camera_ready.pdf","language":"Standard ML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/morenes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-08-02T11:30:43.000Z","updated_at":"2024-10-25T03:55:17.000Z","dependencies_parsed_at":"2024-01-17T07:59:58.695Z","dependency_job_id":"34351503-4afe-4517-a8b4-7d586c9d0c6e","html_url":"https://github.com/morenes/AutoCC","commit_stats":null,"previous_names":["morenes/autocc"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/morenes%2FAutoCC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/morenes%2FAutoCC/tags","releases_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/morenes%2FAutoCC/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/morenes%2FAutoCC/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/morenes","download_url":"https://codeload.github.com/morenes/AutoCC/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225022148,"owners_count":17408566,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["covert-channel","formal-verification","fpv","hardware","security"],"created_at":"2024-08-03T17:01:26.375Z","updated_at":"2024-11-17T09:30:47.848Z","avatar_url":"https://github.com/morenes.png","language":"Standard ML","funding_links":[],"categories":["Formal Verification"],"sub_categories":[],"readme":"\n![LOGO](https://github.com/morenes/AutoCC/assets/55038083/6f578a9e-36ae-4641-8585-ca38cf50346f)\n\n# Requirements\n\n- **JasperGold (JG) 2019.12 or newer** (tested with 2019.12 and 2021.03). To run the Formal Testbenches.\n- **VCS Simulator** (tested with vcs-mx/O-2018.09-SP2). 
Only for the MAPLE use case to reproduce the covert-channel in RTL simulation.\n- **Python 2+.** To run AutoCC and also for the RTL simulation.\n\n# Installation\n\n    git clone https://github.com/morenes/AutoCC.git;\n    cd AutoCC;\n    git checkout v1.0;\n    export AUTOCC_ROOT=$PWD;\n\n    which jg;\n    alias jg='\u003cLICENSE_PATH\u003e/jasper_2021.03/bin/jg'; # Or the version that you are using\n\n# Use cases\n\n## **Vscale 32-bit core:** *Generating testbench and fixing underconstraints*\n\nClone the VSCALE repo.\n\n    cd $AUTOCC_ROOT\n    git clone https://github.com/LGTMCU/vscale.git\n\n\nFix a combinational loop in the original RTL that prevents JasperGold (JG) from running.\n\n    export DUT_ROOT=$PWD/vscale/src/main/verilog;\n    ./fixes/fix_combo_loop_vscale_rtl.sh\n\nGenerate the Vscale Formal Testbench (FT) using AutoCC.\n\n    python3 autocc.py -f vscale_core.v  -i vscale_ctrl_constants.vh;\n\n\nRun JG on the generated testbench.\n\n    jg ft_vscale_core/FPV.tcl -proj projs/vscale_init \u0026\n\n**CEX.** The tool should find a CEX (of at least 6 cycles) to the assertion *as__dmem_hwrite*.\n\n**GUI.** Clicking on the assertion opens a waveform window in the GUI. To visualize the CEX, we add a list of signals to the waveform window. We can use the signal list in the file vscale.sig. To load the signal list, go to **File \u003e Load Signal List**, and select vscale.sig from the sigs folder.\n\n**Waveform.** In the waveform we would see spy_mode starting in cycle 5. Then, the hwrite signal is different in the last cycle because the opcode was different a cycle before (ctrl.opcode).\nThis is because the PC is different (PC_IF), since the branch was taken in one universe and not in the other, because the register file data was different (regfile.data).\n\n**FIX.** \nAs described in the paper, this is an underconstraint in the testbench, since the testbench does not constrain the register file data to be the same in both universes when the spy_mode starts. 
We fix this by adding conditions to the testbench and re-running JG.\n\n    ./fixes/fix_underconstrain_vscale.sh;\n    jg ft_vscale_core/FPV.tcl -proj projs/vscale_fixed \u0026\n\n\n\n## **CVA6 application-class RISCV-64 core:** *Uncovering and fixing hardware bugs*\n\nClone the CVA6 repo and check out the commit without fixes.\n\n    cd $AUTOCC_ROOT;\n    git clone -b autocc https://github.com/morenes/cva6.git\n\nRun JG on the CVA6 testbench:\n\n    jg ft_cva6/FPV.tcl -proj projs/cva6_orig \u0026\n\n\n### CEX1 - Leaks invalid I-Cache data to the next PC\n\nThe tool should have found a CEX to the assertion *as__AXI_ar_valid_equal*\nin under 30 minutes with a depth of 76 cycles.\n\n**GUI.** Clicking on the assertion opens a waveform window in the GUI. To visualize the CEX, we add the list of signals cva6_c1.sig from the sigs folder.\n\n**Waveform.** In the waveform we would see the PC being different because instr_compressed had a different value. This propagated based on garbage data being read from the icache during an exception.\n\n**FIX.** \nZero out data coming from the i-cache if the line is not a hit.\nWe apply the fix by checking out a branch with the patch already included.\n\n    cd cva6; git checkout autocc_fix_cex1; cd ..;\n    jg ft_cva6/FPV.tcl -proj projs/cva6_fix_cex1 \u0026\n\n### CEX2 - Wrong transition in the FSM of the PTW\n\nThe tool should have found a CEX to the assertion *as__AXI_ar_valid_equal*\nin under 6 hours with a depth of 80 cycles.\n\n**GUI.** We add the list of signals cva6_c2.sig from the sigs folder.\n\n**Waveform.** In the waveform we would see ariane1.ex_stage_i.lsu_i.gen_mmu_sv39.i_cva6_mmu.i_ptw.state_q transitioning from *WAIT_VALID* to *IDLE*, which is an illegal FSM transition caused by ariane1.ex_stage_i.lsu_i.gen_mmu_sv39.i_cva6_mmu.i_ptw.flush_i being set while the PTW is waiting for a response.\n\n**FIX.**\nUpdate the FSM to remain in *WAIT_VALID* even when flush_i is set.\nFix applied to upstream CVA6 
(github.com/openhwgroup/cva6/pull/1184)\nWe apply the fix by checking out a branch with the patch already included.\n\n    cd cva6; git checkout autocc_fix_cex2; cd ..;\n    jg ft_cva6/FPV.tcl -proj projs/cva6_fix_cex2 \u0026\n\nThe previous CEX trace should not be found anymore due to the fix. We have not continued debugging possible CEXs that may appear to this or other assertions.\n\n\n\n## **MAPLE memory-engine:** *Uncovering, reproducing in RTL Simulation and fixing a covert channel*\n\n### Installing OpenPiton with MAPLE inside it\n\nClone and build the OpenPiton repo\n\n    cd $AUTOCC_ROOT\n    git clone -b openpiton-maple https://github.com/PrincetonUniversity/openpiton.git\n    cd openpiton;\n    source piton/ariane_setup.sh;\n    source piton/ariane_build_tools.sh; # Takes ~5-10 minutes\n\nClone and build the MAPLE repo\n\n    source ../maple_setup_build.sh # Takes ~1 minute\n\n### Run MAPLE's Formal Testbench (FT)\n\nTo run JG on MAPLE's FT, we do:\n\n    cd $AUTOCC_ROOT\n    jg ft_maple/FPV.tcl -proj projs/maple_not_fixed \u0026\n\nWhile JG is running, we can reproduce the covert channel (that we will find with the CEX) in RTL Simulation at the system-level using OpenPiton.\n\n\n### Reproducing the covert channel in RTL Simulation\n\nTo run the attack that reveals the secret key, we do the following:\n\n        cd openpiton/maple;\n        ./run_test.sh 4;\n\nThe recovered secret should be 0xdeadbeef.\nThe reported cycle count should be less than 6000 cycles.\n\n\nWe now apply the fixes to close the covert channel.\n\n        git checkout fa614fc;\n        source ../../maple_setup_build.sh\n        ./run_test.sh 4;\n\nThe recovered secret should be 0x00000000. 
This indicates that the secret cannot be extracted using this channel anymore\n\n### CEX on the FT\n\nIn the meantime, we have been running JG on MAPLE's Formal Testbench with the Design-under-test (DUT) being MAPLE's RTL before applying the fixes.\nIn less than 30 minutes we should find a CEX at depth 21, where the assertion *as__dev1_merger_vr_noc1_val* fails.\n\n\n\n\n\n## **AES encryption accelerator.** *Achieving full-proof*\n\nClone the AES repo:\n\n    cd $AUTOCC_ROOT\n    git clone https://github.com/morenes/aes.git\n    git checkout AutoCC-AE\n\nWe run JG on the AES testbench, with the DUT being the RTL of the AES accelerator.\nThis testbench already includes the architectural modeling described in Section 4.4 of the paper, to avoid spurious CEXs.\nThe result of this run should be full-proof, i.e., no CEXs found, in less than 6 hours.\n\n    jg ft_aes/FPV.tcl -proj projs/aes \u0026\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmorenes%2FAutoCC","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmorenes%2FAutoCC","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmorenes%2FAutoCC/lists"}