# **VeriCHERI: Exhaustive Formal Security Verification** of CHERI at the RTL

Anna Lena Duque Antón<sup>1</sup>, Johannes Müller<sup>1</sup>, Philipp Schmitz<sup>1</sup>, Tobias Jauch<sup>1</sup>, Alex Wezel<sup>1</sup>, Lucas Deutschmann<sup>1</sup>, Mohammad R. Fadiheh<sup>2</sup>, Dominik Stoffel<sup>1</sup> and Wolfgang Kunz<sup>1</sup>

RPTU Kaiserslautern-Landau, Germany<sup>2</sup> Stanford University, USA

### **CHERI** Protection

- Memory protection via capabilities
- Address pointers are enhanced with bounds, permissions, valid tag and an object type
- Legal memory accesses require valid and matching capabilities
- Security verification of CHERI designs is necessary, but creating trust for the entire system stack is challenging



Memory

# **Formal Model**

- In our model, two tasks only differ in the compartmentalization of the memory *M* into a set of accessible addresses ( $M_{pub}$ ) and a set of protected addresses  $(M_{prot})$
- Compartmentalization of *M* into *M*<sub>pub</sub> and *M*<sub>prot</sub> is enforced by CHERI capabilities
- We introduce a symbolic memory address that can be chosen freely by the solver Symbolic



protected

Memory

address

■ M<sub>prot</sub>

M<sub>pub</sub>

# **Attacker Model**

- Capability-enhanced single-core processor executing mutually distrusting tasks
- A trusted entity securely manages context switches
- An **attacker task** tries to break memory protection



- Capabilities of an attacker task are fully symbolic, except for the fact that they deny access to the symbolic address
- Confidentiality 1-safety property:

 $AG(cheri_protected(symbolic_addr) \rightarrow (read_mem_access \rightarrow mem_addr \neq symbolic_addr))$ 

Integrity 1-safety property:

 $AG(cheri_protected(symbolic_addr) \rightarrow (write_mem_access \rightarrow mem_addr \neq symbolic_addr))$ 

# **Verification Flow**

t: cheri\_protected(symbolic\_addr)

implies

t: !read\_mem || mem\_addr != symbolic\_addr

Integrity Interval Property:

t: cheri\_protected(symbolic\_addr) implies

t: !write\_mem || mem\_addr != symbolic\_addr

# **Case Study on CHERIOT Ibex**

32-bit RISC-V microcontroller implementing RV32IMCB and the CHERIOT ISA extension in a 2-stage pipeline

| Property                       | Iteration | Result | Runtime       | Memory | Description                                                     |
|--------------------------------|-----------|--------|---------------|--------|-----------------------------------------------------------------|
| 1-safety-integrity             | 1         | fail   | < 1 min       | 4.3 GB | <i>Bug</i> : setup guide specification of protection enable pin |
|                                | 2         | fail   | < 1 min       | 4.7 GB | Bug: capability stores across capability bounds                 |
|                                | 3         | hold   | 7 min         | 4.8 GB | -                                                               |
| Monotonicity                   | 1-9       | fail   | $\leq 1 \min$ | 4-5 GB | Missing capability register or pipeline buffer                  |
|                                | 10        | hold   | 15 min        | 6.2 GB | -                                                               |
| 1-safety-confidentiality       |           |        |               |        |                                                                 |
| → data                         | 1         | hold   | 7 min         | 7.3 GB | -                                                               |
| $\longrightarrow$ instructions | 1         | fail   | < 1 min       | 4.8 GB | Instruction fetched from outside PCC bounds                     |
| UPEC-CHERI                     | 1         | fail   | 31 min        | 3.7 GB | Side channel: exception timing depends on fetched data          |
|                                | 2         | hold   | 18 min        | 6.3 GB | -                                                               |

| Monotonicity Interval Property:                      | UPEC-CHERI Interval Property:                                                        |
|------------------------------------------------------|--------------------------------------------------------------------------------------|
| <pre>t: cheri_protected(symbolic_addr)</pre>         | <pre>t: cheri_protected(symbolic_addr)</pre>                                         |
| <pre>implies t: cheri_protected(symbolic_addr)</pre> | <pre>t: \$M<sub>pub</sub> == \$M'<sub>pub</sub> &amp;&amp; \$P == \$P' implies</pre> |
|                                                      | t + k: \$P <sub>arch</sub> == \$P' <sub>arch</sub>                                   |

| • |                                                             |
|---|-------------------------------------------------------------|
|   | <pre>t: cheri_protected(symbolic_addr)</pre>                |
|   | t: \$M <sub>pub</sub> == \$M' <sub>pub</sub> && \$P == \$P' |
|   | implies                                                     |
|   | t + k: \$P <sub>arch</sub> == \$P' <sub>arch</sub>          |



- VeriCHERI detected a Transient Execution Attack vulnerability
  - Branch to address **outside of PCC bounds**
  - Illegal instruction fetch raises an exception
  - Exception is delayed depending on two bits of the fetched data
  - **Performance counter change** depending on the two bits
- → Measure the execution time to **probe two bits** for an **arbitrary** protected address

#### Conclusion

- VeriCHERI detected several security issues including a vulnerability to a Transient Execution Attack, which is not detectable by previous methods
- Formulating the security objectives as single-cycle interval properties allows us to introduce a scalable iterative verification flow
- The developed invariants are implemented as symbolic verification IPs which may be reused for other CHERI designs

*RISC-V Summit Europe, Paris* May 12<sup>th</sup> – May 15<sup>th</sup> 2025



