# A Framework for Testing Hardware-Software Security Architectures<sup>\*</sup>

Jeffrey S. Dwoskin Princeton University Princeton, NJ, 08540 USA jdwoskin@princeton.edu Mahadevan

Gomathisankaran University of North Texas Denton, TX, 76203 USA mgomathi@unt.edu

Ruby B. Lee Princeton University Princeton, NJ, 08540 USA rblee@princeton.edu Yu-Yuan Chen Princeton University Princeton, NJ, 08540 USA yctwo@princeton.edu

# ABSTRACT

New security architectures are difficult to prototype and test at the design stage. Fine-grained monitoring of the interactions between hardware, the operating system and applications is required. We have designed and prototyped a testing framework, using virtualization, that can emulate the behavior of new hardware mechanisms in the virtual CPU and can perform a wide range of hardware and software attacks on the system under test.

Our testing framework provides APIs for monitoring hardware and software events in the system under test, launching attacks, and observing their effects. We demonstrate its use by testing the security properties of the Secret Protection (SP) architecture using a suite of attacks. We show two important lessons learned from the testing of the SP architecture that affect the design and implementation of the architecture. Our framework enables extensive testing of hardware-software security architectures, in a realistic and flexible environment, with good performance provided by virtualization.

# 1. INTRODUCTION

Designers of security architectures face the challenge of testing new designs to validate the required security properties. To provide strong guarantees of protection, it is often necessary and desirable to place low-level security mechanisms in the hardware or the operating system kernel, which the higher-level software layers can rely upon for a widerange of applications. The resulting architecture is a combination of hardware, kernel, and application software components which are difficult to test together. The security of the system as a whole relies on the combination of the correct design and implementation of the low-level security features, the correct and secure use of those features by the software layers, and the security of the software components themselves. Therefore, we need a framework that can comprehensively model the architecture and study the interactions between hardware and software components, running a realistic software stack with a full OS and applications, during normal operation and under attack.

We propose a testing framework that can emulate the hardware components of a security architecture and can provide a controlled environment with a full software stack, with which coordinated security attacks can be performed and observed. We have designed our testing framework with the initial goal of verifying the SP (Secret Protection) architecture [13, 24], while being generalizable to other security architectures. SP places roots of trust in the hardware which are used to protect security-critical software at the application layer, skipping over the operating system layer in the trust chain. The threat model includes attacks on software components as well as physical attacks, with only the processor chip itself trusted. The operating system remains untrusted and essentially unmodified. The "layer-skipping" feature of SP's minimalist trust chain is in contrast to traditional hierarchical trust chains, and testing with a commodity OS is necessary to verify that security-critical applications can be built on this type of architecture.

The testing environment — including the hardware implementation, software stack, threat models, and attack mechanisms — must be as realistic as possible. As far as we know, no existing testing methods provide a fast and convenient way to test both hardware and software security mechanisms simultaneously, running an unmodified commodity OS with a full microprocessor and hardware system, with full observability and controllability of coordinated hardware, software and network attacks.

Furthermore, our framework allows testing to be done during the design time; this gives confidence in the architecture before the complete system is built, at which point it is costly to make fundamental changes in response to security flaws.

<sup>\*</sup>This work was supported in part by NSF CCF-0917134 and NSF CNS-0430487 (co-sponsored by DARPA). Access to VMware was provided through the VMAP program.

 $<sup>^\</sup>dagger \mathrm{M.}$  Gomathisankaran was a postdoc at Princeton for this work.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

ACSAC '10 Dec. 6-10, 2010, Austin, Texas USA

Copyright 2010 ACM 978-1-4503-0133-6/10/12 ...\$10.00.

For example, we show two important lessons learned while testing the implementation of the SP architecture. Although this paper focuses on testing integrated hardware-software security architectures like SP, it is also useful for debugging and testing software-only architectures.

The primary contributions of this work are:

- a new flexible framework for design-time testing of the security properties of hardware-software architectures;
- enabling testing with a realistic software stack, using commodity operating systems, and different applications using the new security mechanisms;
- a flexible, fast, and low-cost method for emulating hardware security features, using virtualization, for the purpose of design validation — without costly and time-consuming fabrication of hardware prototypes;
- an improved architecture for SP's secure memory mechanism and its implementation; and
- the application of our framework toward the validation of the security properties of the SP architecture, by providing a suite of attacks on SP's security mechanisms, as well as general attacks on the system.

# 2. THREAT MODEL AND ASSUMPTIONS

We focus on hardware-software architectures where new hardware security mechanisms are added to a general-purpose computing platform to protect security-critical software and its critical data. The hardware in the architecture provides strong non-circumventable security protection, and the software provides flexibility to implement different security policies for specific applications and usage scenarios.

We assume a system with security-critical software applications running on a platform with new hardware security mechanisms added to the CPU (e.g., new instructions, registers, exceptions, and crypto engines). Sometimes the OS cannot be trusted, especially if it is a large monolithic OS like Windows or Linux. Other times, an architecture might trust parts of the operating system kernel (e.g., a microkernel [1]), but not the entire OS.

We consider three classes of attacks in our testing framework. First, malware or exploitable software vulnerabilities that can allow adversaries to take full control of the operating system to perform software attacks. They can access and modify all OS-level abstractions such as processes, virtual memory translations, file systems, system calls, kernel data structures, interrupt behavior and I/O.

Second, hardware attacks, which can be performed by adversaries with physical possession of a device, such as directly accessing data on the hard disk, probing physical memory, and intercepting data on the display and I/O buses. We can also model some software attacks as having the same impact as these physical attacks.

Third, network attacks that can be performed with either software or hardware access to the device, or with access to the network itself. Some network attack mechanisms act like software attacks (e.g., remote exploits on software), while others attack the network itself (e.g., eavesdropping attacks) or application-specific network protocols (e.g., modification attacks and man-in-the-middle attacks).

In order to adequately test a new security architecture, all of these attack mechanisms must be considered and tested, according to the threat model of the particular system. Our testing framework provides hooks into each relevant system component, and allows information and events at each level to be correlated to emulate the most knowledgeable attacker.

Overall, we consider the functional correctness of the new hardware security mechanisms and the security-critical software components, as well as the interaction between these hardware and software components. We do not consider timing or other side-channel attacks.

Buggy or malicious hardware is considered an orthogonal problem within the manufacturing process – and not part of our threat model. However, to the extent that the emulated system corresponds functionally to the real microarchitecture, our framework can be used to generate data for test cases to run against manufactured devices, or to provide inputs to other verification schemes.

# 3. TESTING FRAMEWORK

We first describe the overall architecture of our testing framework, followed by the technical details of the framework components. We then show the range of attacks and events we can model, and finally present our prototype implementation.

#### **3.1** Architecture

We build our testing framework on top of existing virtualization technology, which allows us to run a full set of commodity software efficiently. A virtual machine monitor (VMM) is the software that creates and isolates Virtual Machines (VMs), efficiently providing an execution environment in each VM which is almost identical to the original machine [33, 35]. By modifying an existing VMM's hardware virtualization, we can augment the virtual machine to have the additional hardware features of a new security architecture. Using virtualization allows the unmodified hardware and software components to run at near-native speed, while permitting our framework to intercept events and system state as needed.

Our Testing Framework is divided into two systems, as shown in Figure 1: the System Under Test (SUT) and the Testing System (TS), each running as a virtual machine on our modified VMM. The SUT is meant to behave as closely as possible to a real system which has the new security architecture. It can invoke the new hardware security primitives, along with the associated protected software for that architecture. In our current system, the SUT runs a full commodity operating system (Linux) as its guest OS, which is vulnerable to attack and is untrusted.

The TS machine simulates the attacker, who is trying to violate the security properties of the SUT. It is kept as a separate virtual machine so that the TS Controller can be outside of the SUT to launch hardware attacks. The virtualization isolates all testing activity and networking from the host machine.

The testing framework itself is independent of the threat model of the system being tested, and hence enables full controllability and observability of the SUT in both hardware and software. This makes it suitable for many purposes during the design phase of a new architecture. During the initial design and implementation of the system, the TS can act as a debugger, able to see the low-level behavior in hardware, all code behavior, and data in the software stack. When testing the supposedly correct system, the TS is the attacker, constrained by a threat model to certain attack vectors.



Figure 1: Testing Framework Design

A particular point of elegance of our framework is that the threat model can be easily changed, and the set of attack tools given to the attacker adjusted for each test. The framework can be used for arbitrary combinations of mechanisms: access to internal CPU state of the virtual processor, physical attacks on the virtual machine hardware (e.g. hardware probes on the buses, memory, or disk), software attacks on the operating system (e.g. a rootkit installed in the OS kernel), and network attacks (e.g. interception and modification of network packets and abuse of network protocols and application data). For example, in some cases, it might be desirable to perform black-box testing of a new design using only the network to gain access to the SUT, while in other cases, white-box testing will allow the attacker knowledge about the system's activities, such as precise timing of attacks with hardware interrupts or breakpoints into the application code, or observation of data structures in memory.

# **3.2 Testing Framework Components**

The main components of our Testing Framework are shown in Figure 1. The framework detects events in the SUT and provides the TS with access to the full system state using both hardware and software channels. The TS Controller, running in the TS, is the aggregation point that receives events from both hardware and software. It receives OS and Application level (software) events from the SUT via a network channel and receives hardware events from the VMM. It provides APIs to the Attack Scripts which can monitor or wait for specific events and adaptively mount a coordinated attack on the SUT.

The TS Proxy is added to the SUT to communicate with the TS Controller to receive commands and send events back. It simulates the effect of a compromised operating system for launching software attacks, allowing the OS to be fully controllable by the TS. It controls the application to be tested, and uses its corresponding kernel-level component to control and monitor OS behavior and the OS-level abstractions used by the application, including system calls, virtual memory, file systems, sockets, etc.

The TS Controller and TS Proxy are each divided into user-level and kernel-level components. Additional trusted entities of the security architecture that are not under test, such as network servers, may be hosted in the TS and report their activity directly to the TS Controller.

The modified VMM captures events and accesses system

state in the SUT. It monitors and controls the hardware with the Event & Attack Module providing hooks into the virtual CPU and virtual devices, as well as into the new Security Hardware Emulator for new hardware not present in the base CPU. The TS Proxy monitors and controls the applications and OS. Communication of events and data between the SUT and TS occurs asynchronously through a network channel for software events/attacks and through a custom channel within the VMM<sup>1</sup> for hardware events/attacks. When synchronization is necessary, either the application or the entire SUT machine can be frozen to preserve state, while the TS and attack scripts continue to execute. Within the virtual machines, the components communicate through a combination of new system calls (to kernel components), hyper-calls (direct to the VMM), signals, and virtual hardware interrupts.

Table 1 lists various events and attacks exposed by the framework for each layer of the system. The lower two layers show the hardware classified into the base hardware (x86 architecture in our work) and the new emulated security architecture.

Hardware events are monitored through the VMM hooks during execution and are as fine-grained as the execution of a single instruction or hardware operation in the SUT. The VMM freezes the SUT as it communicates each event over the inter-VM channel, allowing the TS to possibly change the result of that operation before it completes. Software events and attacks rely on hooks from the TS Proxy into the OS kernel through its kernel module, and to the testing application using its user-mode component. The TS Proxy can also function as a debugger tool reading the application's memory and accessing its symbol table to map variable and function names to virtual addresses. The application can optionally be instrumented to access its state and events.

#### **3.3** Attack Scripts

Attack Scripts reside on the TS and specify how particular attacks are executed on the SUT. They provide step-by-step instructions for monitoring events and dynamically responding to them in order to successfully launch attacks, or detect that an attack was prevented by the security architecture. The scripts act like a state-machine, acting on hardware and software events which are aggregated by the TS. Scripts can be written to form a library of generic attacks, that can be used to attack any application. Alternatively they can be specific to the behavior of the application being tested, written by the user of the framework. The TS Controller reads and executes these scripts and implements the communication mechanisms and control of the SUT as needed.

Table 2 lists the API which the TS Controller exports to the attack scripts. The first group are commands used to launch and control the execution of the application under test on the SUT. The second group of commands control event handling<sup>2</sup>, and the last group provides access to SUT state.

The security properties and attacks considered in the threat model do not need to detail the exact method of penetration, but can just focus on the impact of the attacks on the

 $<sup>^1\</sup>mathrm{The}$  hardware channel is implemented over shared memory between each VM's Event & Attack Module.

<sup>&</sup>lt;sup>2</sup>The watch list can wait for any of the event types in Table 1. Event parameters and data are either passed to the TS directly or are accessible via pointers with ACCESS\_MEM.

| Layer                 | Events Monitored                                                                                                                                                                                                               | Impact of Attack                                                                                                                                                                                                                                                                                   |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Protected Application | API function entry/exit, Library calls, User<br>authentication, Network messages, Other<br>application-specific events.                                                                                                        | Read/write application data structures, Trigger application API calls, Intercept/modify network messages, Other application-specific attacks.                                                                                                                                                      |
| OS                    | Memory access watchpoints, Virtual memory<br>paging, File system access, System calls, Pro-<br>cess scheduling, Instruction breakpoints, Device<br>driver access, Network socket access, Interrupt<br>handler invocation, etc. | Read/write virtual memory, Read/write kernel data<br>structures, Read/write file system, Intercept/modify<br>syscall parameters or return values, Read/write sus-<br>pended process state, Modify process scheduling, In-<br>tercept/modify network data, Modify virtual mem-<br>ory translations. |
| Base Hardware (x86)   | Privileged instruction execution, Triggering of page faults and other interrupts, Execution of an instruction pointer.                                                                                                         | Read/write general registers, Read/write physical<br>memory, Trigger interrupts, Intercept device I/O<br>(e.g. raw network & disk accesses).                                                                                                                                                       |
| Secure Hardware       | Execution of new instructions, Triggering of new faults, Accesses to new registers.                                                                                                                                            | Read/write new registers & state, Read/write pro-<br>tected memory plaintext.                                                                                                                                                                                                                      |

Table 1: Example Events and Attacks

| Function                                                                        | Description                                                                                                                                                                                                                                           |
|---------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $h \leftarrow INIT()$                                                           | Initialize the Controller and return a handle $h$ to access resources.                                                                                                                                                                                |
| EXECUTE(h,app,params)                                                           | Execute the application <i>app</i> on SUT with the given parameters <i>params</i> .                                                                                                                                                                   |
| INTERRUPT(h,num)                                                                | Trigger an immediate virtual hardware interrupt number $num$ on the SUT.                                                                                                                                                                              |
| BREAKPOINT(h,addr)                                                              | Setup a breakpoint to interrupt the SUT at an address (addr).                                                                                                                                                                                         |
| EVENTADD(h,eventType)                                                           | Add the <i>eventType</i> to watch-list.                                                                                                                                                                                                               |
| EVENTDEL(h,eventType)                                                           | Delete the <i>eventType</i> from the watch-list.                                                                                                                                                                                                      |
| $\texttt{event} \ \leftarrow \ \texttt{WAIT(h)}$                                | Blocking call that <i>waits</i> for any event in the watch-list to occur in the SUT. Once an event is triggered, the SUT is paused and the TS continues running the attack script. An application exit in the SUT always causes a return from WAIT(). |
| $\texttt{event} \ \leftarrow \ \texttt{WAITFOR}(\texttt{h},\texttt{eventType})$ | Similar to WAIT() but waits for the specified event (or application exit), regardless of the watch-list.                                                                                                                                              |
| CONT(h)                                                                         | Execution of the SUT is resumed, after an event or interrupt.                                                                                                                                                                                         |
| ACCESS_GENREG(h,r/w,buf)<br>ACCESS_SPREG(h,r/w,buf)                             | Reads/writes $(r/w)$ the general registers or SP registers of the SUT to/from <i>buf</i> .                                                                                                                                                            |
| ACCESS_MEM(h,v/p,r/w,addr,sz,buf)<br>ACCESS_SPMEM()                             | Reads/writes $(r/w)$ sz bytes from virtual or physical memory $(v/p)$ of the SUT at address addr to/from the buffer <i>buf</i> . Can access memory regularly or as an SP secure region (accessing the plaintext of encrypted memory).                 |

SUT's state. This is preferred since (1) new attack penetration methods are frequently discovered after a system is deployed and often are not foreseen by the designer, (2) most real attacks result in or can be modeled by the impact of attacks which we provide in Table 1, and (3) the attack scripts themselves can be restricted to model specific penetration methods when testing for a more limited attacker. A detailed example using this TS Controller API in an attack script is given in Section 5 and Figure 3.

#### **3.4 Implementation**

We implemented our testing framework on VMware's virtualization platform [2], including all of the components in Figure 1, and events and attacks at each system layer. The Security HW Emulator, VMM Event & Attack Module, and inter-VM communication channel required modifying the source code of the VMware VMM. The kernel components of the TS Proxy and TS Controller are implemented as Linux kernel modules. The TS Proxy application is implemented as a Linux user process and controls the execution of the Application under test. The TS Controller application is implemented as a static library which is called by the Attack Scripts.

As a sample security architecture, we implement the SP architecture, described in Section 4. The Security Hardware Emulator emulates the SP architecture including its hardware roots of trust, secure memory, and interrupt protection. We have also implemented a library of protected software for SP, which is used for a remote key-management application as described in Section 5. Our Application under test uses this library to exercise the software, and in turn, the SP hardware.

Our framework, by using existing virtualization technology, enables reasonable performance while allowing our SUT to provide a realistic software stack and emulate new hardware. Other virtualization environments, like Xen [4], can also be used. Other simulation and emulation environments available, such as Bochs [28] and QEMU [5], could be used in place of virtualization to implement our framework as designed and described in this paper. We choose a virtualization environment for performance reasons, because only parts of the hardware and protected software need to be emulated, while the OS and other non-protected software can run virtualized. VMware provided an excellent development environment, under the VMAP program.

# 4. SP ARCHITECTURE AND EMULATION

We use the Secret Protection (SP) architecture [13, 24] to demonstrate the effectiveness of our framework. SP skips software layers in the conventional trust chain by using hardware to directly protect an application without trusting the underlying operating system. SP protects the confidentiality and integrity of cryptographic keys in its persistent storage which in turn protect sensitive user data through encryption and hashing. These security properties provided by SP need to be validated. Furthermore, it is important to write and test many secure software applications for SP in a realistic environment, where a compromised OS can be a powerful source of attacks.

Our testing framework emulates SP's hardware features using modifications to the VMM. While SP hardware primitives have already undergone a detailed security analysis on paper, the framework can test the robustness of the design and its implementation, as well as discover any potential flaws. Additionally, we modify SP's secure memory mechanisms and then show how our framework can be used to demonstrate that these new hardware features are also resilient to attack.

#### 4.1 Secret Protection (SP) Architecture

In the Secret Protection (SP) architecture (See Figure 2), the hardware primarily protects a Trusted Software Module (TSM), which protects the sensitive or confidential data of an application. Hence, a TSM plus hardware SP mechanisms form a minimalist trust chain for the application. Rather than protecting an entire application, only the securitycritical parts are made into a TSM, while the rest of the application can remain untrusted. Furthermore the operating system is not trusted; the hardware directly protects the TSM's execution and data.

Protecting the TSM's execution requires ensuring the integrity of its code and the confidentiality and integrity of its intermediate data. Code must be protected from the time it is stored on disk until execution in the processor. Data must be protected any time when the operating system or other software can access it. This includes storage on disk, in main memory, and in general registers when the TSM is interrupted. To provide this protection, SP provides new hardware mechanisms:

*Roots of Trust:* SP maintains its state using new processor registers; the threat model of SP assumes the processor chip to be the security boundary, safe from physical attacks which are very costly to mount on modern processors. As shown in Figure 2, SP uses two on-chip roots of trust: the Device Root Key and the Storage Root Hash.

*Code Integrity:* The Device Root Key is used to sign a MAC (a keyed cryptographic hash) of each block of TSM code on disk. When a TSM is executing, the processor enters a protected mode called Concealed Execution Mode (CEM). As the code is loaded into the processor for execution in the protected mode, the processor hardware verifies the MAC before executing each instruction.

Data Protection: For the TSM's intermediate data, while in protected mode, the TSM can designate certain memory accesses as "secure", which will cause the data to be encrypted and hashed before being evicted from on-chip caches to main memory. This secure data is verified and decrypted when it is loaded back into the processor from secure memory. Secure data and code are tracked with tag bits added to the on-chip caches.

Interrupt Protection: Additionally, the SP hardware intercepts all faults and interrupts that occur while in the protected mode before the OS gets control of the processor. SP encrypts the contents of the general registers in place, and keeps a hash of the registers on-chip; When the TSM is resumed, the hash is verified before decryption of the registers.



Figure 2: Secret Protection (SP) Architecture. Enlargements show (a) the Concealed Execution Mode (CEM) hardware, and (b) the application secrets protected by the TSM.

The TSM protects secret data belonging to the application in persistent storage. SP allows a TSM (and no other software) to derive new keys from the Device Root Key using a new hardware instruction, *DRK\_DeriveKey*. These derived keys are used by the TSM to protect the confidentiality of its persistent data. Furthermore, the TSM is the only software that can read and write the Storage Root Hash register, using it as the root of a hash tree to protect the integrity of this persistent secure data.

Hence, to emulate SP hardware we require the following components: new processor registers (including the protected mode and roots of trust); new instructions; hardware mechanisms for code integrity checking, secure memory and interrupt protection; and new hardware faults which these mechanisms generate.

#### 4.2 Emulation of the SP Architecture

Most of the time, code in a VM runs directly on the physical hardware, and the VMM only emulates components that are virtualized. It traps on privileged instructions, but ignores hardware effects that are transparent to software, such as cache memory. In order to implement and emulate new hardware architecture features, we take advantage of the VMM's virtualization methods. For example, the VMM maintains data structures for the virtual CPU state, which we expand to store new security registers. The VMM then emulates accesses that are made to those new registers. Other useful VMM behaviors include: interception of all hardware interrupts, dynamic binary translation of code, mapping of virtual memory translations, and virtualization of hardware devices.

To emulate the SP architecture, the Security Hardware Emulator Module implements the following:

*Protected Mode:* SP requires new registers to be added to the virtual CPU. This includes SP's two Roots of Trust and the new interrupt handling registers and mode bits for its Concealed Execution Mode [24]. New SP instructions are modeled as hypercalls, where the TSM running in the SUT is able to directly invoke the emulation module without going through the guest OS.

Interrupts and SP Faults: The SP architecture changes the hardware interrupt behavior when in protected mode. Since the VMM already emulates interrupt behavior, we simply detect that an interrupt has occurred during the protected mode and emulate the effect on the CPU, which includes suspending the protected mode and encrypting and hashing the general registers. To detect returning from an interrupt, the VMM inserts a breakpoint at the current instruction pointer where the interrupt occurs, so that it is invoked to emulate the return-from-interrupt behavior of SP. Additionally, when the emulated hardware generates a new fault, it first reports to the TS Controller and then translates the fault into a real x86 fault, such as a general protection fault, which is raised in the SUT causing the OS to detect the failure of the TSM.

Secure Memory: We change the SP abstraction of secure memory, as described in Section 4.3. Further, we use block sizes of virtual memory pages rather than individual cache lines, since the VMM does not intercept cache memory accesses. While this limits the ability to model a few low-level attacks on SP (such as the behavior of cache tags), the majority of the security properties of the hardware and all those of the software can still be tested.

*Code Integrity:* The TSM's code is signed with a keyed hash over each cache-line of code and the virtual address of that line, and is checked as each cache line is loaded into the processor during execution. We model this using the VMM's binary translator to execute the TSM code. Verified instructions are tagged as secure code fragments in the dynamic binary translator cache.

#### 4.3 Lesson Learned from SP Emulation: Secure Memory

The original SP architecture uses two new instructions for a TSM to access secure memory: *Secure Load* and *Secure Store*. With these, any virtual address can be accessed as secure memory, where cache lines are tagged as secure (accessible only to a TSM) and are encrypted and MACed upon eviction from cache. We introduce a new secure memory model, called *Secure Areas*, to replace *Secure Load/Store*.

There are a few drawbacks to the *Secure Load/Store* approach. First, while most new SP instructions can be used as inline-assembly, the compiler must be modified to emit the secure memory instructions whenever accessing protected data structures or the TSM's stack. This further requires programmers to annotate their code to indicate which data

structures and variables to protect, and which code and functions are part of a TSM. Second, while a RISC architecture need only supplement a few *Load* and *Store* instructions with their secure counterparts, a CISC architecture has many more instructions which access memory rather than general registers and need to support secure memory access. Third, while SP provides confidentiality and integrity for its secure memory, replay protection is also required to prevent manipulation of the TSM's behavior, but was not explicitly described. Rather, SP assumes a memory integrity tree [38, 14, 9] spanning the entire memory space, requiring significant overhead in on-chip storage and performance when only small amounts of memory need protection.

Secure Areas address these concerns by allowing the TSM to define certain regions of memory which are always treated as secure when accessed by a TSM. The programmer specifies the address range to protect explicitly, allowing the compiler to use regular memory instructions without modification. This is especially useful for our framework since the new architectural features can be tested during design-time without modifying the existing compilation toolchain. It also no longer requires duplicating all instructions in the instruction set which touch memory, a benefit for implementing SP on x86. Finally, it confines the secure memory to a few small regions which are more easily protected from memory replay attacks with less overhead.

Table 3 shows the new instructions added to SP to support Secure Areas, replacing the *Secure Load* and *Secure Store* instructions. The SP hardware offers a limited number of Secure Area regions, which the TSM can define using these instructions. Each region specifies an address range which is always treated as secure memory when accessed by the TSM, and is encrypted when accessed by any other software or hardware devices.

The on-chip secure cache tag bits (shown in Figure 2) are no longer needed; instead k \* 2 registers are added for defining the start-address and size of k Secure Areas. On-chip storage is also needed to store hashes for each block within the region. The block size for hashing can range from one cache line to one virtual memory page, and is determined by the hardware implementation. Upon defining a new region, the corresponding on-chip hashes are cleared. As secure data is written, it is tagged as secure in cache; when it is evicted from cache, the contents are encrypted and a hash is computed and stored in the on-chip storage for that block. It must be verified when the data is read back in from off-chip memory. Since the regions can be small relative to total memory (only tens to hundreds of kilobytes are needed for our prototype TSMs), only small amounts of on-chip storage are required. Alternatively, other memory integrity tree methods [14, 20, 38] can be integrated to store some hashes off-chip to permit replay protection of larger regions of secure memory.

While both the original SP *Secure Load* and *Secure Store* instructions and the currently proposed Secure Areas have their advantages and disadvantages, the latter is easier to emulate and validate, and requires simpler application software changes.

#### 4.4 Other Architectures

While this paper focused on testing the hardware and software mechanisms of the SP architecture, our testing framework is by no means limited to this architecture. Although

Table 3: New SP Instructions for Secure Areas (only available to TSM)

| Instruction                                                                                     | Description                                                                                                                                                                                                                                                                                            |
|-------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SecureArea_Add Rs1,Rs2,num<br>Rs1 = start_addr<br>Rs2 = size<br>(must be aligned to block size) | Initialize the specified Secure Area (region num). On-chip hashes for the region are cleared. All TSM memory accesses for addr will be treated as secure if: (start_addr) $\leq addr < (start_addr + size)$ .                                                                                          |
| SecureArea_Relocate Rs1, num<br>Rs1 = start_addr                                                | Change the starting address of the specified Secure Area region. The size remains<br>unchanged. When TSM code in multiple process contexts share memory containing<br>a Secure Area, each may access it at a different address in their virtual address space;<br>this is used to relocate the region. |
| SecureArea_Remove num                                                                           | Disables and clears the specified Secure Area region. On-chip hashes for the region are<br>cleared and secure-tagged cache entries in its address range are invalidated, making<br>any data in the region permanently inaccessible in plaintext.                                                       |
| SecureArea_CheckAddr Rd, <i>num</i><br>SecureArea_CheckSize Rd, <i>num</i>                      | Retrieves the parameters of the specified Secure Area region. Used to verify whether<br>or not a region is setup for secure memory and where it is located.                                                                                                                                            |

other hardware security architectures such as XOM [25], AEGIS [39] and Arc3D [18] have somewhat different goals and assumptions from SP, they combine hardware and software in ways that also make them suitable for validation in our framework. Similarly, TPM [40] adds hardware to protect all software layers and provide cryptographic services. Rather than utilizing changes to the processor itself, TPM adds a separate hardware chip that integrates with the system board. This is still compatible with our testing framework, simply requiring a different set of modifications to the VMM to implement a virtual TPM device. In particular, the ability to observe and control the SUT by use of our components in the framework (TS controller, TS proxy and VMM modifications) can be applied to testing security architectures. Furthermore, software-only security architectures can benefit from analysis under attack in our framework, both during development and for security validation. Access to existing hardware state provides insight into attack impacts and possible flaws, and provides an additional vector for injecting attacks.

#### 5. TESTING OF SP

We now illustrate how we use the Testing Framework to validate a hardware-software architecture like SP, by testing the system's security properties while it is under attack. We also validate that the emulation of the SP mechanisms is correct and secure according to the design, as it forms the basis for the other tests.

Table 4 lists various attacks on the system's security properties. Data confidentiality is the primary purpose of the SP architecture. The attack generally checks to see if any sensitive data that should be protected by a TSM is ever leaked. We eavesdrop on the unprotected memory and check whether any known keys generated by the TSM, in addition to the Device Root Key (DRK) and any DRK-derived keys, are found. This is similar to the cold boot attack [19] which looks for sensitive keys left in physical memory. If the TSM properly uses secure memory for its intermediate data, and protects its persistent data, then no keys should ever leak.

The second section in Table 4 sets up a series of attacks on the basic mechanisms of SP, such as controlling access to the master secrets (e.g., Device Root Key), code integrity checking, and encryption of secure data in protected mode. These tests verify that the emulation is correct and also validate the original security analysis. For example, we attack SP's Concealed Execution Mode by attempting to modify registers during an interrupt. A non-TSM application's registers can be modified by a corrupted OS without detection, causing changes in the application's behavior. However, a TSM will have its registers encrypted and hashed by the SP hardware upon any interrupt, such that SP detects the modification when resuming the TSM.

The next section in Table 4 shows generic attacks on a TSM, which test security properties common to many TSMs (e.g., control flow, entry points). These attacks consider that a basic goal of many TSMs (and indeed of the SP architecture) is to provide confidentiality and integrity to any sensitive information and enforce access control.

We develop tests of the robustness of the TSM against future unknown vulnerabilities that might arise in the hardware or TSM code. Since the penetration mechanism is unknown, we instead model the effects of the attack. For example, the control flow of the TSM could be attacked in many different ways. When the TSM makes branching decisions, the jump targets and the input data for the branch conditions should be protected. If either is not stored in secure memory, or if secure data can be modified or replayed, then arbitrary changes to the TSM's control flow would be possible. We verify that a TSM only bases control flow decisions on data in its secure memory, and test how control flow violations could cause data to leak.

As another example, we consider control flow attacks that allow arbitrary entry points into a TSM. Since instructions to enter protected mode (*Begin\_TSM*) are not signed, *Begin\_TSM* could be injected into the TSM to create an entry point. We implement this as an attack script, crafting a case where the Testing System overwrites instructions and tries to enter in the middle of a TSM function without detection, bypassing access control checks.<sup>3</sup> To prevent this, we add a new security requirement to SP that it must distinguish entry points in TSM code from blocks of code that are not entry points. This can be achieved by adding an extra bit to the calculation of the signature of each block of TSM code, indicating whether or not it is an entry point.

The attack on TSM page mappings demonstrates a system-

 $<sup>^{3}</sup>$ In some cases, this attack would be detected by SP — if the injected instruction is not correctly aligned to the start of a block of signed code, or if later in execution the TSM jumps back to code before the injection site. A carefully crafted attack succeeds.

| Security Property                           | Attack                                                                                                                                                    |  |
|---------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Data Confidentiality                        | Scan physical memory for leaks of Device Root Key, DRK-derived keys, and TSM's other sensitive information.                                               |  |
| Securing General Registers<br>on Interrupts | Attack the general registers during an interrupt of a TSM through eavesdropping, spoofing, splicing, and replay.                                          |  |
| Code Integrity                              | Attack TSM code during execution through spoofing and splicing; attack TSM code on disk.                                                                  |  |
| Secure Memory                               | Attack intermediate data of TSM through eavesdropping, spoofing, splicing and replay; attack the use of secure memory for TSM's data structures or stack. |  |
| Secure Storage                              | Attack the TSM's secure storage for persistent data (splicing, spoofing & replay).                                                                        |  |
| Control Flow Integrity                      | Attack TSM's indirect jump targets that are derived from unprotected memory. Arbitrarily modify jump targets within the TSM.                              |  |
|                                             | Attack the input data for branch conditions in the TSM from unprotected memory. Replay secure data to cause incorrect branch decisions.                   |  |
|                                             | Attack TSM entry points by entering CEM at arbitrary points in the code, skipping access control checks or initialization of secure memory.               |  |
| TSM Page Mappings                           | Remap TSM code pages and data pages, as a means to attack secure memory or control flow.                                                                  |  |
| Key-chain management                        | Spoof key add/delete message; replay key-add message after it is deleted; corrupt a key-management message in transit.                                    |  |
| Access control on keys                      | Exceed usage limits/expiration of keys; attempt to use a key that was deleted; attempt to perform a disallowed operation with a key.                      |  |

Table 4: Example Attacks on the SP Architecture Using the Testing Framework

level attack. Rather than attacking the TSM directly, the OS manipulates the system behavior to indirectly affect how the TSM executes. The OS can manipulate process scheduling, intercept all I/O operations, and in this case, modify how virtual addresses map to physical addresses.

The last section in Table 4 shows application-specific attacks for a particular TSM — in this case our Remote Keymanagement TSM. For remote key-management, we consider a trusted authority which owns multiple SP devices and wants to distribute sensitive data to them. The authority installs its remote key-management TSM on each device as well as the protected sensitive data, consisting of secrets and the cryptographic keys that protect those secrets. It also stores policies for each key which dictate how it may be used by the local user. During operation, the TSM will accept signed and encrypted messages from the authority to manage its stored keys, policies, and data. It also provides an interface to the application through which the local user can request access to data according to the policies attached to the keys. The TSM must authenticate the user, check the policy, and then decrypt and display the data as necessary. This TSM stores cryptographic keys, security policies, and secure data in its persistent secure storage, which it protects using SP's underlying hardware mechanisms. We test the confidentiality and integrity of the storage itself, the TSM's use of the storage to protect keys and key-chains, and its enforcement of the policies on accesses to data that the keys protect. We also test the protocols the TSM uses to communicate with a remote authority, managing the keychains.

Our system implements the SP hardware mechanisms, a full TSM providing an API to the application being tested, and a suite of attacks that test both the software and hardware components using our new testing framework. This is a major step towards the complete validation of the design of the SP architecture together with its applications. Furthermore, we demonstrate that TSMs must be carefully written to avoid serious security flaws, and that a security architecture can benefit from testing with many different applications. Our framework provides a platform for this necessary testing, significantly enhancing our ability to reason about the security provided.

#### **Testing Example**

Figure 3 shows a sample TSM on the left, and a corresponding attack script using the TS Controller API (Table 2) on the right. This demonstrates the interactions between the TS and SUT for event detection and modification of SUT state. The TSM derives a new key from a nonce it generates and SP's Device Root Key (DRK). It then encrypts a chunk of memory with this new key before sending the encrypted chunk to the network or to storage. The simple attack shown here verifies that secure data (here the derived AES key), placed on the stack by the TSM as a function parameter, is not leaked in physical memory where the OS could read it. This attack is very efficient, assuming a very knowledgeable attacker who is specifically looking for SP derived keys. It demonstrates precise coordination of software events (injected breakpoints) with access to the hardware (physical memory state), while the SUT is frozen to prevent clearing or overwriting of any data in memory. The script also requires access to the internal state of the SP hardware from the TS to verify the results of the attack. Less specific attacks can be constructed, by waiting for any event considered suspicious, then analyzing the event and examining the hardware and software state of the frozen SUT.

Attack scripts are typically longer and can involve many additional steps and interactions, along with a complete TSM and its corresponding application. The full range of events and attack mechanisms in Table 1 are available to the attack scripts, with the TS in full control over the applications, OS, and hardware running in the SUT.

# 5.1 Lesson Learned: Leaking Data Through the Stack

| Application with TSM (TSMapp)                                                                                                                                                                     | Attack Script (pseudocode)                                                                                                                                                                                                                                                                                                                                        |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| BEGIN_CEM                                                                                                                                                                                         | EXECUTE(TSMapp, params)                                                                                                                                                                                                                                                                                                                                           |
| $ \begin{array}{l} & \\ \text{nonce} \leftarrow \text{Hash(C\_ENC, KeyID)} \\ \text{Reg1} \leftarrow \text{DRK\_DeriveKey(nonce)} \\ \text{SecureMem.AESkey} \leftarrow \text{Reg1} \end{array} $ | // Wait for key generation<br>EVENTADD(DRK_DeriveKey)<br>EVT ← WAIT()<br>// Read the generated key<br>ACCESS_SPREG(r, SPRegs)<br>SPKey ← SPRegs.CEMBuffer                                                                                                                                                                                                         |
| <pre>// Attack script injects a breakpoint at start of Encrypt function Ciphertext</pre>                                                                                                          | <pre>// Inject breakpoint for Encrypt() BREAKPOINT("&amp;Encrypt"); CONT() // Wait for interrupt due to breakpoint EVT ← WAITFOR(Interrupt) // Scan phys. memory for leaked key for addr = 0 to 256M - 1 do ACCESS_MEM(PHYS, r, addr, 4096, buf) if strstr (buf, SPKey) then return "Derived Key Leaked in Memory" return "Derived Key Not Found in Memory"</pre> |

Figure 3: Example Application and Attack Script for Detecting Leaked Keys

In the process of testing how TSMs use SP mechanisms to protect intermediate and persistent data, we found that our new secure memory implementation failed to adequately protect the intermediate data on the stack for a TSM compiled with GCC. Our example TSM in Figure 3 derives a new key from the Device Root Key and uses it for encryption. The attack script freezes the SUT shortly after the key is derived and scans physical memory. It finds that the key has been leaked via parameter passing on the stack, violating data confidentiality. As a result, we have instrumented a new software mechanism to swap the TSM's stack to use memory in a designated Secure Area. The same attack script then verifies that this modified TSM correctly protects the confidentiality of the key when passed as a parameter. This demonstrates how a secure hardware mechanism (e.g., for secure memory) can be used incorrectly by a TSM, often inadvertently, leading to vulnerabilities.

The framework helped significantly in the debugging process, in particular for relocating the TSM's stack to a Secure Area. Even a very simple TSM, which only generates a derived key and saves that key in a secured data structure, manages to leak the key via the stack when using wrapper functions to access new SP instructions. The framework lets us interrupt after critical hardware operations to detect data leaked in plaintext in memory. When we find errors in the way our implementation reassigns stack pointers to use a Secure Area, we can correct the TSM code and the Secure Area setup accordingly, to ensure that all stack operations in a TSM access a valid Secure Area.

Using the framework, we also found a complication when relocating the stack to a Secure Area on an x86 platform. When an interrupt occurs in x86, the processor hardware pushes an exception frame onto the stack, using the stack pointer register; the operating system reads this frame to handle the interrupt. If an interrupt occurs while in CEM, with the stack pointer relocated to a Secure Area, the frame data will be written in the Secure Area region. If still in CEM at the time, this data will be protected as secure memory where the OS will not be able to read it. If CEM has already been suspended before the frame is written, the data will be written in plaintext and will overwrite part of the encrypted and hashed Secure Area data. When CEM is later resumed, the hash check of this region will fail. Therefore, we have developed a new mechanism to make the SP hardware aware of the stack swapping. The hardware saves the original stack pointer in an on-chip register when the stack is relocated. It will automatically restore this original stack pointer before the exception frame is written, saving the secure stack pointer on-chip. The secure stack pointer is then swapped back when CEM is resumed.

The lessons learned are that care must be taken in implementing new trusted software while attempting to use existing software conventions (e.g., for parameter passing through the stack). Also, our testing framework can be used effectively to expose and debug subtle interactions between the trusted and untrusted software and hardware in an implementation.

# 6. RELATED WORK

One related area of research is the formal verification of both hardware and software, in which mathematical specifications for computer hardware or software are written, and proof techniques are used to determine the validity of such specifications. The complexity of formal verification problems range from NP-hard to undecidable [22, 34, 23, 21]. The complexity of these formal verification mechanisms led to the use of hybrid techniques [7] which use some formal as well as informal methods. Some formal methods of verification include theorem provers (e.g., ACL2 [29], Isabelle/HOL [30]), model checkers [27], and satisfiability solvers [41, 12]. Some informal techniques used in practice are control circuit exploration, directed functional test generation [15], automatic test program generation [11], fuzz testing [17], and heuristic-based traversal [8]. The formal and hybrid techniques try to verify the hardware and software separately, unlike our holistic verification of a softwarehardware system.

The limitation of the formal verification techniques is that they must verify each component piece by piece. This is necessary since the complexity of both specification and verification explodes exponentially with the addition of more pieces to be tested. In our approach, we verify the system in an informal but systematic and efficient way, and consequently we can model both the security critical hardware and software together; we are thus better able to determine the security impacts of the interactions of the various components.

Virtual machine introspection [16, 31, 26] techniques, described previously, provide access to VM-state in similar ways to our framework. However, they focus mostly on observability of software configurations or low-level operating system and hardware behavior. Examples include intrusion detection and virus-scanning from non-vulnerable host systems, preventing execution of malware, and tracing memory or disk accesses. Instead, we strive to combine observability of the full-system state with controllability of those same components, actively during operation, to attack software thought to be secure. In the past work, the focus is on techniques for security monitoring of production machines, rather than design-time testing of new architectures or of new software systems to evaluate their potential vulnerabilities and flaws. Where some of these techniques provide improved hooks into the virtual machine monitor [32], the hooks could be integrated into our framework to make our attack scripts more robust and more flexible.

Chow et al. [10] use system emulation to passively trace data leaks in applications. However, our framework also performs active attacks and looks for violation of security properties. Chow's work also does not consider violations other than data leaks, while we consider more security properties, such as data integrity, policy enforcement, and control flow. Furthermore, we are looking for flaws in trusted code and hardware mechanisms that are specifically designed to protect security, unlike Chow where the applications are tested for properties they were not designed for, therefore leading to unexpected results.

Micro-architectural simulators like Simplescalar [3] are cycleaccurate and hence can be very useful in estimating performance metrics, but they cannot simulate a realistic software system with a full commodity OS. Thus it is impossible to test the security-critical interactions of a software-hardware security solution with such a simulator.

The efforts by IBM [6], Intel [36] and others [37] provide the functionality of a virtual TPM device to software, even when the physical device is not present. In contrast, we not only emulate the new hardware but also hook into the virtual device to observe and control its behavior for testing purposes, and study the interaction with other hardware and software components.

# 7. CONCLUSION

We have designed and implemented a virtualization-based framework for validation of new security architectures. This framework can realistically model and test a new system during the design phase, and draw useful conclusions about the operation of the new architecture and its software interactions. It also enables testing of various software applications using new security primitives in the hardware or in the OS kernel. Our framework serves as a rapid functional prototyping vehicle for black-box or white-box testing of security properties. It can utilize and *integrate* multiple event sources and attack mechanisms from the hardware and software layers of the system under test. These mechanisms can test both lowlevel components and high-level application behavior. As a result, a comprehensive set of attacks are realizable on the hardware, operating system, and applications.

We implement the SP architecture in our framework and test its security mechanisms thoroughly, studying the interactions of trusted software with the hardware protection mechanisms. We also improve the design and implementation of SP's architecture of both the secure memory and the way SP handles dynamic data on the stack. Using a suite of attacks on each layer of the architecture, we thoroughly test each component of SP's trust chain to show the effectiveness of our proposed framework for debugging software, for exposing subtle interactions between existing and new mechanisms and conventions in an implementation, and for reasoning about system security properties.

#### 8. **REFERENCES**

- OKL4 Microkernel. Open Kernel Labs, http://www.ok-labs.com.
- [2] VMware Workstation. VMware Inc., http://www.vmware.com.
- [3] T. Austin, E. Larson, and D. Ernst. SimpleScalar: An Infrastructure for Computer System Modeling. *Computer*, 35(2):59–67, February 2002.
- [4] P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In Proc. of the nineteenth ACM symposium on Operating systems principles, pages 164–177, 2003.
- [5] F. Bellard. QEMU, a Fast and Portable Dynamic Translator. In USENIX Annual Technical Conference, FREENIX Track, pages 41–46, 2005.
- [6] S. Berger, R. Caceres, K. A. Goldman, R. Perez, R. Sailer, and L. van Doorn. vTPM: Virtualizing the Trusted Platform Module. In 15<sup>th</sup> USENIX Security Symposium, July 2006.
- [7] J. Bhadra, M. S. Abadir, L.-C. Wang, and S. Ray. A Survey of Hybrid Techniques for Functional Verification. *IEEE Design & Test of Computers*, 24(2):112–122, 2007.
- [8] G. Cabodi, S. Nocco, and S. Quer. Improving SAT-Based Bounded Model Checking by Means of BDD-Based Approximate Traversals. In Proc. of the conference on Design, Automation and Test in Europe, pages 10898–10905, 2003.
- [9] D. Champagne, R. Elbaz, and R. B. Lee. The Reduced Address Space (RAS) for Application Memory Authentication. In Proc. of the 11th International Conference on Information Security, pages 47–63, 2008.
- [10] J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding Data Lifetime via Whole System Simulation. In USENIX Security Symposium, pages 321–336, 2004.
- [11] F. Corno, E. Sánchez, M. S. Reorda, and G. Squillero. Automatic Test Program Generation: A Case Study. *IEEE Design and Test of Computers*, 21:102–109,

2004.

- [12] G. Dennis, F. S.-H. Chang, and D. Jackson. Modular verification of code with sat. In Proc. of the ACM/SIGSOFT International Symposium on Software Testing and Analysis, pages 109–120, 2006.
- [13] J. S. Dwoskin and R. B. Lee. Hardware-rooted Trust for Secure Key Management and Transient Trust. In Proc. of the 14th ACM Conference on Computer and Communications Security, pages 389–400, October 2007.
- [14] R. Elbaz, D. Champagne, R. B. Lee, L. Torres, G. Sassatelli, and P. Guillemin. TEC-Tree: A Low-Cost, Parallelizable Tree for Efficient Defense Against Memory Replay Attacks. In Proc. of the 9th Cnternational Workshop on Cryptographic Hardware and Embedded Systems (CHES), pages 289–302, 2007.
- [15] S. Fine and A. Ziv. Coverage directed test generation for functional verification using bayesian networks. In *Proc. of the 40th annual Design Automation Conference*, pages 286–291, 2003.
- [16] T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proc. Network and Distributed Systems Security Symposium, pages 191–206, 2003.
- [17] P. Godefroid, M. Levin, D. Molnar, et al. Automated whitebox fuzz testing. In Proc. of the Network and Distributed System Security Symposium, 2008.
- [18] M. Gomathisankaran and A. Tyagi. Architecture Support for 3D Obfuscation. *IEEE Trans. Computers*, 55(5):497–507, 2006.
- [19] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest We Remember: Cold Boot Attacks on Encryption Keys. In USENIX Security Symposium, pages 45–60, 2008.
- [20] W. E. Hall and C. S. Jutla. Parallelizable Authentication Trees. In *Selected Areas in Cryptography*, pages 95–109, 2005.
- [21] R. C. Ho, C. H. Yang, M. Horowitz, and D. L. Dill. Architecture Validation for Processors. In Proc. of the 22nd annual international symposium on Computer architecture, pages 404–413, 1995.
- [22] W. A. Hunt. Mechanical Mathematical Methods for Microprocessor Verification. In Intl. Conference on Computer Aided Verification, pages 523–533, 2004.
- [23] H. Iwashita, S. Kowatari, T. Nakata, and F. Hirose. Automatic test program generation for pipelined processors. In Proc. of the 1994 IEEE/ACM International Conference on Computer-aided design, pages 580–583, 1994.
- [24] R. B. Lee, P. C. S. Kwan, J. P. McGregor, J. S. Dwoskin, and Z. Wang. Architecture for Protecting Critical Secrets in Microprocessors. In Proc. of the 32nd Annual International Symposium on Computer Architecture, pages 2–13, 2005.
- [25] D. Lie, C. A. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J. C. Mitchell, and M. Horowitz. Architectural Support for Copy and Tamper Resistant Software. In Proc. of the Ninth International Conference on Architectural Support for Programming Languages and Operating Systems, pages 168–177, 2000.

- [26] L. Litty, H. A. Lagar-Cavilla, and D. Lie. Hypervisor support for identifying covertly executing binaries. In the 17th USENIX Security symposium, pages 243–258, 2008.
- [27] A. Lomuscio, H. Qu, and F. Raimondi. MCMAS: A Model Checker for the Verification of Multi-Agent Systems. In *Computer Aided Verification*, 21st International Conference, pages 682–688, 2009.
- [28] D. Mihocka and S. Shwartsman. Virtualization Without Direct Execution or Jitting: Designing a Portable Virtual Machine Infrastructure. In 1<sup>st</sup> Workshop on Architectural and Microarchitectural Support for Binary Translation in ISCA-35, June 2008.
- [29] S. S. Moore. Symbolic Simulation: An ACL2 Approach. In Formal Methods in Computer-Aided Design, pages 334–350, 1998.
- [30] T. Nipkow, L. Paulson, and M. Wenzel. Isabelle's Logics: HOL, 2008.
- [31] B. Payne, M. Carbone, M. Sharif, and W. Lee. Lares: An Architecture for Secure Active Monitoring Using Virtualization. In *IEEE Symposium on Security and Privacy*, pages 233–247, May 2008.
- [32] B. Payne, M. de Carbone, and W. Lee. Secure and Flexible Monitoring of Virtual Machines. In Proc. of the 23rd Annual Computer Security Applications Conference (ACSAC 2007), pages 385–397, Dec. 2007.
- [33] G. Popek and R. P. Goldberg. Formal Requirements for Virtualizable 3rd Generation Architectures. *Communications of the A.C.M.*, 17(7):412–421, 1974.
- [34] S. Ray and W. A. Hunt. Deductive Verification of Pipelined Machines Using First-Order Quantification. In Intl. Conference on Computer Aided Verification, pages 31–43, 2004.
- [35] M. Rosenblum and T. Garfinkel. Virtual machine monitors: current technology and future trends. *IEEE Computer*, 38(5):39–47, 2005.
- [36] V. Scarlata, C. Rozas, M. Wiseman, D. Grawrock, and C. Vishik. *Trusted Computing*, chapter : TPM Virtualization: Building a General Framework, pages 43–56. 2008.
- [37] M. Strasser, H. Stamer, and J. Molina. Software-based TPM Emulator. http://tpm-emulator.berlios.de.
- [38] G. E. Suh, D. Clarke, B. Gassend, M. v. Dijk, and S. Devadas. Efficient Memory Integrity Verification and Encryption for Secure Processors. In *MICRO 36*, page 339, 2003.
- [39] G. E. Suh, D. E. Clarke, B. Gassend, M. van Dijk, and S. Devadas. AEGIS: Architecture for Tamper-evident and Tamper-resistant Processing. In *Intl. Conference* on Supercomputing, pages 160–171, 2003.
- [40] Truscted Computing Group. Trusted Platform Module Specification Version 1.2 Revision 103, July 2007.
- [41] M. N. Velev and R. E. Bryant. Effective Use of Boolean Satisfiability Procedures in the Formal Verification of Superscalar and VLIW Microprocessors. In Proc. of the 38th annual Design Automation Conference, pages 226–231, 2001.