Secure V – SecV

For decades, processors evolution has focused on improving their performance. In recent years, attacks directly exploiting optimization mechanisms have emerged. They typically exploit flaws in caches, performance counters or speculation units and jeopardize the safety and security of processors in industrial systems. We can cite Spectre and Meltdown as well-known examples.
The OpenHW approaches are now both an economic reality and an innovation opportunity for European actors in the field of processors architecture. The use of the open-source requires the design of secure processor cores, and therefore helps to make one more step towards greater independence in the field of cyber-security.
The SECURE-V project offers an innovative open-source, secure and high-performance processor core based on the ISA RISC-V. The originality of the approach lies in the integration of a dynamic code transformation unit covering 4 of the 5 NIST functions of cybersecurity, via monitoring (identify, detect), obfuscation (protect), and dynamic adaptation (reacting) in particular.
This dynamic management paves the way for online optimizations to improve the security and safety of the micro-architecture without revising the software or the silicon architecture of the chip.

As we work at the micro-architecture level, the SECURE-V architecture will be the cornerstone of the security kernel of future products.
The proposed innovative solution is built around three key ideas:

1) The dynamic code transformation unit is the core idea of this proposal. This unit will support on-the-fly modifications of the program instructions translation and decoding processes. These changes aim to provide security building blocks by either altering the processor pipeline datapath behavior or hiding the sensitive paths with data obfuscation. These two mechanisms are respectively possible using instructions operations rescheduling or with injections of additional operations into the pipeline. This unit will also allow the dynamic instrumentation of a code without modifying the original binary.
2) Advanced configurable memory management policies will add an additional level of obfuscation. We can cite for example alternatives to conventional caches such as scratchpads with dynamic management, dedicated memories (or TCM for Tightly Coupled Memory), partially reconfigurable caches in SRAM. New design and dynamic security-oriented cache management will also be investigated to avoid interference at this level or to supervise on demand information when identifying suspicious behaviors. Finally, as for the operations in the pipeline, we will also be able to insert (periodically or in a more controlled manner) access instructions to different memory areas aiming at different accesses activity to disrupt side-channel attacks.
3) In order to complete the approach and to control the dynamic changes in the behavior of the micro-architecture, a dynamic control block will be developed. By observing the state of the micro-architecture, this unit will determine when specific security properties are violated, denoting an abnormal behavior that may result from an attack or a sensitive context that needs to be secured. In reaction to the detected situation, it will trigger an adaptation event via the dynamic code transformation unit and/or the microarchitecture. The use of runtime verification, a lightweight formal method, to synthesize the monitors of security properties, will help to justify the confidence placed in this unit.

The main results of the project are a prototype of a complete architecture, based on the RISC-V CVA6 core, implemented on a FPGA comprising the secure blocks designed during the project and an analysis of the security level reached by the proposals.