# arm

# Verifying Components of ARM Confidential Computing Architecture with ESBMC (NEAT paper) \_\_\_\_\_

Tong Wu [1], Shaole Xiong [2], Edoardo Manino [1], Gareth Stockwell [2], Lucas C. Cordeiro [1,3]

[1] The University of Manchester, UK[2] ARM[3] Federal University of Amazonas, Brasil

© 2023 Arm

# What is confidential computing?

#### Secure Cloud Computing

- Challenges
  - Sensitive data sent to third party
  - Timesharing of computational resources
  - Severe security risks
  - e.g. Facebook user data leak on AWS (2019)
- Vision
  - Secure Execution Environment
  - Confidentiality & integrity of data & code
  - CPU-level isolation
- But how?



# What is confidential computing?

#### Main Idea

- Classic architecture
  - Timesharing of computational resources
  - Supervisor/scheduler does the time sharing
  - It can access data & code
- Secure Architecture
  - Split management rights...
  - ...from access rights
  - Supervisor/scheduler cannot see data & code

#### ARM solution

- ARM Confidential Computing Architecture (CCA)
- Beyond "just" virtual machines
- Concept of "realm" as secure environment



# CIM × × × × × × × ×

 $\times$   $\times$   $\times$   $\times$   $\times$   $\times$   $\times$   $\times$ 

# Realm Management Monitor (RMM)

arm



5

© 2023 Arm

## ARM Confidential Computing Architecture

Three crucial components

- Realm Services Interface (RSI)
  - Secure monitor interface called by Realm
  - Measurement and attestation
  - Handshakes involved in some memory management flows
- Realm Management Monitor (RMM)
  - Contains no policy
  - Performs no dynamic memory allocation
  - Provides services to Host and Realm



- Realm Management Interface (RMI)
  - Secure monitor interface called by Host
  - Create / destroy Realms
  - Manage Realm memory, manipulating stage 2 translation tables
  - Context switch between Realm VCPUs

# Realm Management Interface (RMI)

Discovery RMI\_VERSION RMI\_FEATURES

Realm memory management RMI\_DATA\_CREATE RMI\_DATA\_CREATE\_UNKNOWN RMI\_DATA\_DESTROY

> Realm lifecycle RMI\_REALM\_CREATE RMI\_REALM\_DESTROY RMI\_REALM\_ACTIVATE

RMI\_RTT\_READ\_ENTRY
RMI\_RTT\_INIT\_RIPAS
RMI\_RTT\_SET\_RIPAS
RMI\_RTT\_MAP\_UNPROTECTED

RMI RTT UNMAP UNPROTECTED

Stage 2 table management

RMI RTT CREATE

RMI RTT DESTROY

RMI RTT FOLD

Realm VCPU lifecycle RMI\_REC\_CREATE RMI\_REC\_DESTROY RMI\_REC\_AUX\_COUNT RMI\_PSCI\_COMPLETE



#### Monitor

Realm VCPU scheduling RMI\_REC\_ENTER

Memory delegation RMI\_GRANULE\_DELEGATE RMI\_GRANULE\_UNDELEGATE



## Machine-readable specification

| Content                                                                                                                                                                                                     | Presentation format                                                                                                                                                   |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Abstract model<br>• Attributes of Realm, Granule, REC, RTT                                                                                                                                                  | <ul><li>Rules-based writing</li><li>MRS</li></ul>                                                                                                                     |
| <ul> <li>Commands</li> <li>Pre-requisites for successful execution</li> <li>Effect on system state</li> </ul>                                                                                               | <ul> <li>MRS</li> <li>(Mostly) formal pre / post-conditions</li> <li>Failure partial ordering</li> <li>Footprint</li> <li>Data types (layout and encoding)</li> </ul> |
| <ul> <li>Non-command behavior</li> <li>Exception model</li> <li>Aborts and routing</li> <li>Interrupts and timers</li> <li>Measurement and attestation</li> <li>Debug and performance monitoring</li> </ul> | <ul> <li>Rules-based writing</li> <li>Diagrams and tables</li> </ul>                                                                                                  |

# Verifying the ARM Confidential Computing Architecture

#### Previous work

- Harnesses
  - Pick a RMM function
  - And its safety specification
  - Produce C code with assume/assert
  - And non-deterministic inputs
- Verification engine
  - CBMC for model checking
  - Coq for interactive proving

#### Reference

• Li, at al., *Design and Verification of the ARM CCA*, USENIX 2022.

#### This work

- Can we trust the existing guarantees?
  - Reproducibility effort
  - When can we say it is safe enough?
- Compare against a different verifier
  - ESBMC for model checking
  - Manual loop bound annotations
  - Multi-property checks
  - 23 new violations found

arm

# ESBMC vs CBMC

 $\times \quad \times \quad \times \quad \times \quad \times \quad \times \quad \times$  $\times$   $\times$   $\times$   $\times$   $\times$   $\times$  $\times \qquad \times \qquad \times$ 

© 2023 Arm

# **ESBMC: A Logic-based Verification Platform**

Logic-based automated verification for checking safety and liveness properties in AI and software systems



#### Differences with CBMC

| Feature                              | CBMC                                                               | ESBMC                                                                               |
|--------------------------------------|--------------------------------------------------------------------|-------------------------------------------------------------------------------------|
| Concurrency<br>Support               | Symbolic encoding in one <b>SAT</b><br>formula.                    | Encode each interleaving into <b>SMT</b> formula with context-bounded verification. |
| Parser                               | Modified C parser & C++ parser based on <b>OpenC++.</b>            | Clang front-end.                                                                    |
| Additional<br>Supported<br>Languages | Java via JBMC.                                                     | Solidity grammar, Python and Kotlin programs.                                       |
| K-induction                          | Requires three calls. No forward condition for state reachability. | Handles in a single call.                                                           |



#### Competition on Software Verification (SV-COMP)



#### **ESBMC K-induction**

#### Induction-Based Verification for Software

k-induction checks loop-free programs...

- base case (base<sub>k</sub>): find a counter-example with up to k loop unwindings (plain BMC)
- forward condition (*fwd<sub>k</sub>*): check that P holds in all states reachable within k unwindings
- inductive step (step<sub>k</sub>): check that whenever P holds for k unwindings, it also holds after next unwinding
  - havoc variables
  - assume loop condition
  - run loop body (k times)
  - assume loop termination
- ⇒ iterative deepening if inconclusive

Gadelha et al.: Handling loops in bounded model checking of C programs via k-induction. STTT 19(1): 97-114 (2017)

# orm × × × × × × × ×

# 

- $\times \quad \times \quad \times \quad \times \quad \times \quad \times \quad \times \quad \times$
- $\times \quad \times \quad \times$ 
  - - arm

### **Bounded verification**

#### Incremental BMC

- Automatic loop unrolling up to k
- Uniform bound across the whole program
- If bound too small -> lots of time wasted

#### Manual annotations

- ARM engineers provide annotations
- Custom bound for each loop
- Clear advantage over automated approach



# Multi-property checks

Challenge

- Real-world programs have multiple asserts
- What's the best encoding strategy?

Option 1 (single)

- Encode them in a single SMT formula
- Larger formula, no repetitions

Option 2 (multiple)

- Encode them in a separate SMT formulas
- The other assertions are ignored
- Repeated work, separate counterexamples

```
#include <assert.h>
extern int nondet_int();
int main() {
    int a = nondet_int();
    switch (a) {
    case 0: assert(a > 0); break;
    case 1: assert(a > 1); break;
    default: return 0;
    }
}
```



### Safety violations in RMM

| Command                | Assert Fail<br>ESBMC CBMC |                 |         |        | VCCs/Sc<br>ESBMC | olver Calls<br>CBMC |
|------------------------|---------------------------|-----------------|---------|--------|------------------|---------------------|
| RMI_REC_DESTROY        | 20                        | 20              | 113/113 | 142/19 |                  |                     |
| RMI_GRANULE_DELEGATE   | safe                      | safe            | 54/54   | 132/2  |                  |                     |
| RMI_GRANULE_UNDELEGATE | 1                         | 1               | 45/45   | 132/1  |                  |                     |
| RMI_REALM_ACTIVATE     | 3                         | $\mathbf{safe}$ | 53/53   | 140/1  |                  |                     |
| RMI_REALM_DESTROY      | 17                        | 1               | 114/114 | 148/2  |                  |                     |
| RMI_REC_AUX_COUNT      | 1                         | 1               | 48/48   | 139/2  |                  |                     |
| RMI_FEATURES           | safe                      | safe            | 21/21   | 125/1  |                  |                     |
| RMI_DATA_DESTROY       | >=26                      | <b>22</b>       | 82/82   | 151/18 |                  |                     |

## Safety violations in RMM

|                                                   | Command                | Assert Fail<br>ESBMC CBMC | VCCs/Solver Calls<br>ESBMC CBMC |  |
|---------------------------------------------------|------------------------|---------------------------|---------------------------------|--|
| RMI Realm Destroy                                 | RMI_REC_DESTROY        | 20 20                     | 113/113 $142/19$                |  |
|                                                   | RMI_GRANULE_DELEGATE   | safe safe                 | 54/54 $132/2$                   |  |
| <ul> <li>Confirmed bug</li> </ul>                 | RMI_GRANULE_UNDELEGATE | 1 1                       | 45/45 $132/1$                   |  |
| 0                                                 | RMI_REALM_ACTIVATE     | 3 safe                    | 53/53 $140/1$                   |  |
| <ul> <li>Pointer-to-integer conversion</li> </ul> | RMI_REALM_DESTROY      | 17 1                      | 114/114 $148/2$                 |  |
| <ul> <li>Already patched!</li> </ul>              | RMI_REC_AUX_COUNT      | 1 1                       | 48/48 $139/2$                   |  |
| • Alleady patched:                                | RMI_FEATURES           | safe safe                 | 21/21 $125/1$                   |  |
|                                                   | RMI_DATA_DESTROY       | >=26 22                   | 82/82 151/18                    |  |

RMI Realm Activate & RMM Data Destroy

Not confirmed yet, ARM engineers are working on it 

Take away message

DO not trust any **single** verification tool! 

#### Time breakdown



#### Syntax errors

```
...
case SMC_RMM_RTT_READ_ENTRY:
    struct smc_result rst;
    smc_rtt_read_entry(*X1, *X2, *X3, &rst);
    result = rst.x[0]; *X1 = rst.x[1]; *X2 = rst.x[2];
    *X3 = rst.x[3]; *X4 = rst.x[4];
    break;
...
```

#### **CBMC** Parser

- Based on OpenC++
- Does not spot the issue

#### **ESBMC** Parser

- Based on Clang
- Spots the missing brackets

arm

Questions?

|  |          |          |          |          |          | arm |  |
|--|----------|----------|----------|----------|----------|-----|--|
|  |          |          |          |          |          |     |  |
|  |          |          |          | $\times$ | $\times$ |     |  |
|  | $\times$ | $\times$ | $\times$ | $\times$ | $\times$ |     |  |
|  | $\times$ | $\times$ | $\times$ | $\times$ | $\times$ |     |  |
|  |          | $\geq$   | $\times$ | $\geq$   | $\times$ |     |  |
|  | $\times$ | $\times$ | $\times$ | $\times$ |          |     |  |
|  |          |          |          |          |          |     |  |
|  |          |          |          |          |          |     |  |