A Verification Methodology for the Arm® Confidential Computing Architecture: From a Secure Specification to Safe Implementations-Reference-Cited by-同舟云学术

A Verification Methodology for the Arm® Confidential Computing Architecture: From a Secure Specification to Safe Implementations

Published:2023-04-06 Issue:OOPSLA1 Volume:7 Page:376-405
ISSN:2475-1421
Container-title:Proceedings of the ACM on Programming Languages
language:en
Short-container-title:Proc. ACM Program. Lang.

Author:

Fox Anthony C. J.¹^ORCID,Stockwell Gareth¹^ORCID,Xiong Shale¹^ORCID,Becker Hanno²^ORCID,Mulligan Dominic P.²^ORCID,Petri Gustavo²^ORCID,Chong Nathan³^ORCID

Affiliation:

1. ARM, UK

2. Amazon Web Services, UK

3. Amazon Web Services, USA

Abstract

We present Arm's efforts in verifying the specification and prototype reference implementation of the Realm Management Monitor (RMM), an essential firmware component of Arm Confidential Computing Architecture (Arm CCA), the recently-announced Confidential Computing technologies incorporated in the Armv9-A architecture. Arm CCA introduced the Realm Management Extension (RME), an architectural extension for Armv9-A, and a technology that will eventually be deployed in hundreds of millions of devices. Given the security-critical nature of the RMM, and its taxing threat model, we use a combination of interactive theorem proving, model checking, and concurrency-aware testing to validate and verify security and safety properties of both the specification and a prototype implementation of the RMM. Crucially, our verification efforts were, and are still being, developed and refined contemporaneously with active development of both specification and implementation, and have been adopted by Arm's product teams. We describe our major achievements, realized through the application of formal techniques, as well as challenges that remain for future work. We believe that the work reported in this paper is the most thorough application of formal techniques to the design and implementation of any current commercially-viable Confidential Computing implementation, setting a new high-water mark for work in this area.

Publisher

Association for Computing Machinery (ACM)

Subject

Safety, Risk, Reliability and Quality,Software

Link

https://dl.acm.org/doi/pdf/10.1145/3586040

Reference52 articles.

1. The existence of refinement mappings

2. Amazon Inc. . Last viewed June 2022 . AWS CBMC viewer. https://github.com/model-checking/cbmc-viewer Amazon Inc.. Last viewed June 2022. AWS CBMC viewer. https://github.com/model-checking/cbmc-viewer

3. Arm Ltd.. 2008. ARM Security Technology. Building a Secure System using TrustZone Technology. https://documentation-service.arm.com/static/5f212796500e883ab8e74531 Arm Ltd.. 2008. ARM Security Technology. Building a Secure System using TrustZone Technology. https://documentation-service.arm.com/static/5f212796500e883ab8e74531

4. Arm Ltd.. 2021. Arm Confidential Compute Architecture. https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture Arm Ltd.. 2021. Arm Confidential Compute Architecture. https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture

5. Arm Ltd .. 2022. Realm Management Monitor beta0 specification. https://developer.arm.com/documentation/den0137/a/ Accessed 25^ th October 2022 , final version to be published 2022 Arm Ltd.. 2022. Realm Management Monitor beta0 specification. https://developer.arm.com/documentation/den0137/a/ Accessed 25^ th October 2022, final version to be published 2022

Cited by 3 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. BarriCCAde: Isolating Closed-Source Drivers with ARM CCA;2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW);2024-07-08

2. Does Every Computer Scientist Need to Know Formal Methods?;Formal Aspects of Computing;2024-06-10

3. Formal Specification and Verification of Architecturally-Defined Attestation Mechanisms in Arm CCA and Intel TDX;IEEE Access;2024