Language-based Security for VHDL

Tolstrup, Terkel Kristian; Nielson, Hanne Riis; Nielson, Flemming

Publication date:  
2007

Document Version  
Publisher's PDF, also known as Version of record

Citation (APA):  
Language-based Security for VHDL

Terkel K. Tolstrup

Kongens Lyngby 2006
IMM-PHD-2006-174
The need for reliable performance of computerised systems is well-known, yet the security verification of hardware systems is often none-existing or applied in an ad-hoc manner. To overcome this issue, standards such as the Common Criteria has been successful in listing points of attention for a thorough investigation of a system. Hence in this thesis it is investigated how language-based security techniques can be adapted and applied to hardware specifications. The focus of the investigation is on the information flow security that is required by the standard. Information flow security provides a strong notion of end-to-end security in computing systems. However sometimes the policies for information flow security are limited in their expressive power, and this complicates the matter of specifying policies even for simple systems. These limitations often become apparent in contexts where confidential information is released under specific conditions.

This thesis presents a novel policy language for expressing permissible information flow using expressive constraints on the execution traces for programs. Based on the policy language a security property is proposed and shown to be a generalised intransitive non-interference condition. The security property is defined on a fragment of the hardware description language VHDL that is suitable for implementing the Advanced Encryption Standard algorithm.

The means to verify the property is provided in the terms of a static information flow analysis. The goal of the analysis is to identify the entire information flow through the VHDL program. The result of the analysis is presented as a non-transitive directed graph that connects those nodes (representing either variables or signals) where an information flow might occur. The approach is compared to traditional approaches and shown to allow for a greater precision.

Practical implementations of embedded systems are vulnerable to side channel attacks. In particular timing channels have had a great impact on the security
verification of algorithms for cryptography. In order to address this another
security property stating the absence of timing channels is presented. Again,
verification is provided by a static analysis, that identifies the timing behaviour
of a program. This analysis consists of a type system that identifies the delay
between when a value enters the system and when it leaves it again. Programs
accepted by our analysis are shown to have no timing channels.
Vigtigheden af pålidelig opførsel i computersystemer er velkendt, men stadigvæk bliver sikkerhedsverifikation af hardware-systemer ofte ikke udført, eller verifikationen bliver udført på en ustruktureret facon. For at overkomme dette problem, har standarder som Common Criteria været succesfulde ved at fremhæve vigtige punkter for en fuldstændig undersøgelse af et system. Derfor vil denne afhandling undersøge, hvorledes teknikker inden for sprog-baseret sikkerhed kan tilpasses og anvendes på hardware specifikationer. Fokus i denne undersøgelse vil være på information flow sikkerhed som det kræves af standarden. Information flow sikkerhed giver en stærk opfattelse af ende-til-end sikkerhed i et computersystem. Imidlertid sker det, at politiker for information flow sikkerhed kan være for begrænsede i deres udtrykskraft, og derfor kan de komplicere opgaven omkring at angive en politik for endda simple systemer. Disse begrænsninger bliver ofte fremhævet af systemer, hvor hemmelige oplysninger bliver frigivet ved opfyldelse af klare krav.

Denne afhandling præsenterer et nyt sprog for politiker, der muliggør at udtrykke information flow, der bliver tilladt under angivne krav til eksekveringsssekvensen ved afvikling af programmet. Baseret på sproget for politikerne foreslås en sikkerhedsegenskab, som vises at generaliserer intransitiv non-interference egenskaben. Sikkerhedsegenskaben defineres på et fragment af hardware beskrivelses sproget VHDL, der er tilstrækkeligt til at implementere en Advanced Encryption Standard algoritme.

En information flow analyse defineres efterfølgende. Målet med analysen er at identificere, hvorledes information flyder gennem hele VHDL programmet. Resultatet af analysen er en intransitiv orienteret graf, der forbinder de knuder (repræsenterende enten variable eller signaler), hvor informationen eventuelt kan flyde. Denne tilgang sammenlignes med traditionelle metoder og vises at muliggøre en analyse med større præcision.
Virkelige implementationer af indlejrede systemer er sårbare over for angreb gennem side channels. Specielt har side channels stor indflydelse på sikkerhedsverifikationen af kryptografiske algoritmer. Derfor foreslås en sikkerhedsegenskab, der angiver, hvornår et system er fri for timing channels. En statisk analyse til at identificere den tidsmæssige opførsel af et program bliver også præsenteret. Analysen består af et type system, der identificerer forsinkelser, mellem at en værdi kommer ind i systemet, og indtil den forlader systemer igen. Det bevises at programmer, der accepteres af analysen, ikke indeholder timing channels.
Preface

Whether you take the doughnut hole as a blank space or as an entity unto itself is a purely metaphysical question and does not affect the taste of the doughnut one bit
— Haruki Murakami

This thesis was prepared at the department for Informatics and Mathematical Modelling, Technical University of Denmark in partial fulfillment of the requirements for acquiring the Ph.D. degree in engineering. The Ph.D. study has been carried out under the supervision of Professor Hanne Riis Nielson and Professor Flemming Nielson.

Acknowledgements

I would like to thank my supervisors Hanne Riis Nielson and Flemming Nielson for continuous support and guidance. Furthermore I would like to thank them as well as the rest of the LBT Group, Han Gao, Christoffer Rosenkilde Nielsen, Henrik Pilegaard, Christian W. Probst and Ye Zhang for providing an inspiring and motivating working environment. Further gratitude must go to Henrik Pilegaard for enduring countless discussions, arguments and three years of sharing an office with me. I would to thank René Rydholf Hansen for numerous discussions and working together with me on [TNEH06], likewise thanks go to Sebastian Nanz for comments and suggestions.

For my visit at the Universität des Saarlandes, Saarbrücken, Germany, I would like to thank Reinhard Wilhelm for providing me with everything I needed during the three month I visited, and for always discussing, commenting and motivating my work on timing channels. Thanks go to Stephan Thesing for
discussions and suggestions and to Jörg Bauer for comments, proof reading and
never allowing me a boring weekend.

I would like to thank Andrei Sabelfeld for allowing me to visit him at Chalmers
during September 2005, for helping me with numerous issues - work related and
otherwise - and for being a inspiration, even after my return to Lyngby. Thanks
also go to David Sands, Aslan Askarov and Daniel Hedin for welcoming me to
the ProSec group, and for having daily discussions that have helped me shape
an understanding and intuition for bisimulations as security properties.

Finally I would like to thank my family, friends and in particular my wife for
unlimited patience, support and love, without which I could not have finished
this thesis.

Lyngby, October 2006

Terkel K. Tolstrup
Contents

Summary i

Resumé iii

Preface v

1 Introduction 1

1.1 Main thesis .................................. 4

1.2 Overview .................................. 5

1.3 Contributions .............................. 5

2 VHDL 7

2.1 CoreVHDL .................................. 8

2.2 Semantics .................................. 12

2.3 Properties of the Semantics ............... 20

2.4 Example: Advanced Encryption Standard 21
2.5 Discussion and Related Work ........................................ 23

3 Security Policies ................................................................ 29
  3.1 Locality-based security policies ..................................... 31
  3.2 History-based Release .................................................. 36
  3.3 Transitive Security Policies .......................................... 41
  3.4 Discussion ..................................................................... 44

4 Information Flow Analysis .................................................. 49
  4.1 Local dependencies in CoreVHDL ................................. 50
  4.2 Soundness .................................................................... 53
  4.3 History-based Release .................................................. 62
  4.4 Discussion ..................................................................... 71

5 Reaching Definitions Analysis .............................................. 73
  5.1 Analysing CoreVHDL ..................................................... 74
  5.2 Global dependencies ..................................................... 81
  5.3 Analysing Advanced Encryption Standard ........................ 86
  5.4 Discussion ..................................................................... 87

6 Timing Leaks .................................................................... 89
  6.1 CoreVHDL with Timing Behaviours ................................. 91
  6.2 Absence of Timing Leaks ............................................... 97
  6.3 Execution Path Analysis .............................................. 102
<table>
<thead>
<tr>
<th>Section</th>
<th>Title</th>
<th>Page</th>
</tr>
</thead>
<tbody>
<tr>
<td>6.4</td>
<td>Soundness</td>
<td>105</td>
</tr>
<tr>
<td>6.5</td>
<td>Analysing Advanced Encryption Standard</td>
<td>124</td>
</tr>
<tr>
<td>6.6</td>
<td>Discussion of practical issues</td>
<td>125</td>
</tr>
<tr>
<td>6.7</td>
<td>Summary</td>
<td>128</td>
</tr>
<tr>
<td>7</td>
<td>Conclusion</td>
<td>131</td>
</tr>
<tr>
<td>7.1</td>
<td>Final remarks</td>
<td>132</td>
</tr>
</tbody>
</table>
Every individual comes into contact with over a hundred embedded computer systems every day [Mat04]. Many exist in our homes and many more operate the commonplace items in the world around us. They are now common in households through cameras, televisions, video players, refrigerators, lawn sprinkler systems, and many other items. They are in the world around us controlling our street lighting, door openers, intruder alert systems, product theft security, speed cameras, and much more. Furthermore several embedded systems perform safety critical operations where malfunction might cause the loss of human lives, for example in pacemakers, steering aid for cars and fly-by-wire systems for airplanes.

Every day additional functionality are added to existing systems and new systems are integrated into more devices. In fact the growth in the complexity of embedded systems is said to be exponential, commonly referred to as Moore’s law, that state that the number of transistors in a integrated circuit is doubled every 18 months. At the same time the size and price of the circuit is halved. According to [MED04] the electronics industry totalled a $800 billion market in 2003. The main threat identified in [SEM03] to the growth of this market is the
cost connected to the design of systems. The fact that about 60% to 70% of the total development time of a circuit is spent on simulation [MED02] makes it of great concern.

The concept of security for these systems is traditionally very low because the designer has always been able to depend on the physical security of an enclosed box. However, as more of the ”boxes” are connected together networks come into being and opportunities for access and malfunction, whether through poor design, unforeseen circumstances, or foul play, become possible. Their security is at risk in many cases, much of it due to ”security through obscurity”. The simulation phase of the development cycle is rarely concerned with verifying security properties. Instead the focus is on validating the behaviour of the system on “standard” well-formed input, to make sure that the required functionality is implemented. However the security of systems is often compromised because of non-standard input, that might be the result of unforeseen usage of the system or hostile behaviour.

The need for reliable performance of computerised systems is well-known, yet the ad-hoc design of systems that become increasingly complex makes documenting and verifying security properties hard. Therefore to document the verification of a number of well-known security properties (e.g. authenticity, confidentiality and integrity) standards and frameworks have been proposed. In this thesis the focus will be on the Common Criteria [CC98] standard proposed and maintained by the International Standard Organization (ISO). The Common Criteria supersedes the Trusted Computer System Evaluation Criteria (TCSEC) [DOD85], the Information Technology Security Evaluation Criteria (ITSEC) [ITS91] and the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC). The Common Criteria standard greatly benefits from being an internationally accepted standard, e.g. the United Nations have chosen the standard for the documentation of the security of systems used by the military of member countries.

The Common Criteria standard is a collection of objectives describing security properties for all kinds of systems, descriptions of assurances to match each objective and assurance levels that define the kind of methods used to provide the assurances. When documenting a system’s security the designer needs to identify a set of reasonable objectives with respect to the setting and usage of the system. Based on these objectives assurances need to be given and documented. Each assurance is given within a level specifying the manner of the verification. Assurances given in the lower levels need to document details on the requirements for the system and the tests performed (for example by simulation) to ensure that the system behaves accordingly. Assurances in the higher levels require that formal methods are applied to verify the system.
In contrast to simulation, formal methods can be exhaustive, even for complex systems with infinitely many states, as they deal with proving the correctness of a system. One could prove the correctness of a system in the same fashion as theorems are proved. This would demand much time and effort. Hence assistance from automated theorem provers could aid the designers or evaluators. Still, the amount of expertise and knowledge required often result in only core functions of real-life systems being verified.

Another option is to validate the behaviour of the system by performing an exhaustive search on all possible input, model checking does so. However this approach might suffer from the complexity of systems, commonly referred to as the state explosion problem. Therefore many approaches based on model checking rely on techniques for reducing the state space, heuristics and randomisation. These techniques have shown to be powerful in finding flaws, but in general they are not suitable for proving the absence of flaws. However this would be a main goal for assuring a Common Criteria objective.

Therefore important properties of the formal methods assisting in the verification of Common Criteria assurances would have to be

**Automatic:** Demands a minimum of effort from the designer  
**Correctness:** Guarantees that verification implies assurance  
**Efficient:** Handles the complexity of realistic systems  
**Exhaustiveness:** Must cover all executions on all input  

To fulfill these properties we use static program analysis \[\text{[NNH99]}\]. Static program analysis benefits from being developed within well-founded frameworks with clear guidelines for their implementation, resulting in tools that are automatic and exhaustive. The limitation of static program analysis is that one is forced to sacrifice precision in return for efficiency. Precision is lost due to using abstractions of the analysed system. Still analyses can be designed to perform well on real-life systems, being both efficient and sufficiently precise. To achieve the correctness of the method it is therefore important that all abstractions introduced in the analysis still allow us to verify programs that fulfill the desired objectives.
1.1 Main thesis

The main thesis of this report is therefore to show that static program analyses can be designed and implemented, such that they result in tools that can automatically and efficiently verify specifications of integrated circuits and give exhaustive and correct assurances of Common Criteria objectives.

For this purpose we consider the objectives *Information flow control policy* (FDP, IFC) and *Information flow control functions* (FDP, IFF) from the Common Criteria standard, that deal with the confidentiality of information manipulated by the system. In this thesis the flow of information through a system is viewed as a directed graph and the definition of information flow policies is based on this view. This is contrary to much of the literature available in the field on information flow security (see SM03a for references). The traditional view is that information can be divided into hierarchical levels. This matches the intuition of military systems where information is labelled with security annotations such as Top Secret, Confidential and Unclassified. In the more general setting of multiple systems participating in collaborative transactions (e.g. online shopping, tax auditing and service oriented computing) a natural underlying hierarchical order is not always apparent. Hence in this thesis we will investigate the usage of graph-based policies for information flow security.

The flow of information is verified by a set of analyses dealing with different facets; first an analysis verifying the flow of information due to control- and data-flow during execution of the program and second an analysis that deals with covert channels introduced by differences in the timing behaviour of the system. Together, these analyses will give a large part of the assurance for a system needed when making the Common Criteria evaluation document.

Another main goal is that the designed analyses validate specifications of integrated circuits directly, rather than analysing on a process calculi, thereby forcing the developers to translate the system, and possibly introducing flaws in the process. The presented analyses are all specified on a fragment of VHSIC Hardware Description Language (VHDL). The fragment will be referred to as CoreVHDL and is expressive enough to deal with specifications of integrated circuits not designed for verification purposes.

---

1 Very High Speed Integrated Circuit
1.2 Overview

In the following chapters the investigation of information flow security in the hardware setting is investigated. First the semantical model for COREVHDL is defined in Chapter 2 which allows us to formalise the semantical meaning of the Locality-based security policies in Chapter 3. Chapter 3 also proposes a generalised non-interference property, named History-based Release, that permits information flows based on the execution history of the involved principals. Chapter 4 presents an Information Flow analysis that allows for the automatic verification of hardware specifications. The analysis is extended in Chapter 5 by a Reaching Definitions analysis, which tracks the control flow in the program. In Chapter 6 timing leaks in integrated circuits are investigated. A security property for the absence of timing leaks in a COREVHDL specification is proposed and an automated analysis for verifying programs is presented.

During the investigations presented is this thesis much of the work has been inspired by a real communications system sought to be verified within the Common Criteria. The communications system was developed by the Danish company Maersk Data Defence, as a contractor for the military sector. The presented analyses were successful in verifying the available parts of the system that were previously verified by a paper-and-pencil approach. Unfortunately due to contractual obligations the system can not be discussed in this thesis. Instead we will continuously consider a reference implementation of the Advanced Encryption Standard (AES) \cite{WBRF00}. This implementation will be a running example aiding in illustrating the techniques presented in the chapters.

1.3 Contributions

The main contributions of this thesis are:

Chapter 2 presents a detailed semantical model of VHDL. In particular, practical issues of the semantics for VHDL is treated formally in accordance with state-of-the-art simulators. These issues are previously neglected or formalised in an incorrect manner, i.e. with respect to the VHDL standard \cite{IEE01}. Parts of this contribution has previously been published in \cite{TNN05} and \cite{TN06}.

Chapter 3 investigates the usage of graph based security policies for information flow security. Furthermore the policies are extended with a notion of localities and execution history that results in a generalised non-
interference property, History-based Release. Parts of the graph based policies for information flow was originally published in [TNN05], while parts of the locality-based policies and the history-based release property for the process calculi Klaim [BBN+03] was published in [TNH06].

Chapter 4 presents the automated analysis of a VHDL subset for information flow security. Especially the treatment of synchronisation in VHDL leads to novel results. Furthermore the automated analysis for programs that comply with the History-based Release property. Parts of these contributions have previously been published in [TNN05, TNH06].

Chapter 5 motivates the need for control flow sensitive analyses for information flow security. The chapter presents a Reaching Definitions analysis, and discusses previously published approaches to static analysers for VHDL. The Reaching Definitions analysis was first published in [TNN05].

Chapter 6 considers timing leaks in hardware specifications. A novel property for the absence of timing leaks is presented together with an automated analysis for verification of systems. The property is the first of its kind that supports the composition with generalised non-interference properties. Parts of the work was first published in [TN06].

Furthermore nontrivial extensions and additions have been necessary to complete the work presented in this thesis. In particular the work presented in this thesis removes several simplifications made on the hardware setting in the published papers.
The difference between virtuality and life is very simple. In a construct you know everything is being run by an all-powerful machine. Reality doesn’t offer this assurance, so it’s very easy to develop the mistaken impression that you’re in control.
— Richard K. Morgan

Very High Speed Integrated Circuit Hardware Description Language, commonly referred to as VHSIC Hardware Description Language or VHDL, is one of the most widely used hardware description languages. Development was initiated in 1981 under a research programme initiated by the US Department of Defense to accommodate the rising need for documenting integrated circuits. Hence early on VHDL focussed on describing the behaviour of hardware in a manner that allowed specifications to be decomposed hierarchically while providing a well-defined interface for composing elements. With the details available in a VHDL description the possibility of simulating specifications became apparent. This possibility of simulating hardware descriptions before synthesising the circuit had great impact, as it severely cut the development cost and time, and therefore participated in shaping a new hardware design methodology. Finally, tools for automatic synthesis of descriptions were developed. During the mid-1980s all rights to the language definition were given to IEEE, who standardised the language as IEEE standard 1076-1987 [IEE87].

A problem not solved in the original standard was that of an electrical signal’s driving strength. This is a result of not only having the pure boolean values
true and false in digital hardware design, but also having the possibility of e.g. turning off a signal in the synthesised circuit. The IEEE standard 1164-1993 [IEE93a] introduced the multi-valued logic std_logic, not only including values for driving strengths but also an unknown value (primarily for simulation purposes). The VHDL standard was revised accordingly [IEE93b] while taking other issues into account as well, such as making the syntax more consistent and introducing more logical operators. Like all other IEEE standards the VHDL standard is revised every five years to ensure an ongoing relevance to the industry. The most recent revision is IEEE standard 1164-2001 [IEE01].

In this thesis we will focus on a subset of the latest revision. The subset is identified around the main concepts in register transfer level (RTL) VHDL, the interpretation of which common language simulators and synthesisers should agree on [IEC05]. The subset will be referred to as CoreVHDL and is presented in Section 2.1. Furthermore we will discuss some of the language constructs left out, and their pre-compilation into the CoreVHDL subset.

In order to reason about VHDL descriptions we first need to define their semantics. The semantics will be a cornerstone in the techniques presented later. Hence defining the semantics is the main goal of this chapter. The rest of the chapter will be structured as follows; the semantics is presented in Section 2.2. Section 2.4 presents the running example to be used throughout the thesis, which is based on an implementation of the Advanced Encryption Standard. Finally we discuss related work in Section 2.5.

2.1 CoreVHDL

Prior to the introduction of VHDL most hardware was documented in an ad-hoc manner. Hence with the introduction of VHDL it was important to have a description language with a well-defined syntax and semantics. The original syntax of VHDL was essentially a subset of the Ada programming language, where special constructs were added to handle the parallelism inherent in hardware design. A central issue in hardware design is the behaviour of the underlying circuit, which the hardware description should document with enough precision to allow simulation and automatic synthesis. However, since VHDL is primarily developed for documenting hardware, only a subset of the language can be simulated and synthesised automatically. While many simulators often support larger subsets their simulations are only required to agree on the Register Transfer Level subset [IEC05]. Thus our investigation is limited to a subset of RTL VHDL to give some assurance of compliance with tools for synthesis.
A VHDL description may contain a mixture of *behavioural* and *structural* specifications. A *behavioural* specification describes the functionality in much the same way as a program in a traditional programming language. A *structural* specification describes how structures are connected into a more complex architecture. For a specification to be *synthesizable* the behaviour of the program must be completely specified, i.e. all parts of the VHDL specification must be given by a *behavioural* specification or the specifications used in the *structural* specification are all present either as library structures or constructed of smaller *behavioural* specifications.

**COREVHDL** is a fragment of RTL VHDL that concentrates on the behavioural specification of models. A program in COREVHDL consists of *entities* and *architectures*, uniquely identified by indices \(i_e, i_a \in Id\). An entity describes a component’s interface to the environment. An architecture comprises the behavioural or structural specification of an entity.

An entity specifies a set of signals referred to as ports \((prt \in Prt)\), each port is represented by a signal \((s \in Sig)\) used for reference in the specification of the architecture; furthermore a notion of the intended usage of the signal is specified by the keywords *in* and *out* determining if the signals value can be altered or read by the environment, and the type of the signal’s value.

An architecture model is specified by a family of concurrent statements \((css \in Css)\) running in parallel; mainly processes, here the index \(i_p \in Id\) is a unique identifier in a finite set of process identifiers \((I_p \subseteq_{\text{fin}} Id)\). Each process has a statement \((ss \in Stmt)\) as body and may use logical values \((m \in LVal)\), local variables \((x \in Var)\) as well as signals \((s \in Sig, S \subseteq_{\text{fin}} Sig)\). When accessing variables and signals we always refer to their present value and when we assign to variables it is always the present value that is modified. However, when assigning to a signal its present value is *not modified*, rather its so-called active value is modified; this representation of signal’s values, as illustrated in Figure 2.1 is used to take care of the physical aspect of propagating an electrical current through a system, the time consumed by the propagation is usually called a *delta-delay*. The wait statements are synchronisation points, where the active values of signals are used to determine the new present values that will
\[ \text{pgm} \in \text{Pgm} \quad \text{programs} \]

\[
\text{pgm} \quad ::= \quad \text{ent} \mid \text{arch} \mid \text{pgm}_1 \text{ pgm}_2
\]

\[ \text{ent} \in \text{Ent} \quad \text{entities} \]

\[
\text{ent} \quad ::= \quad \text{entity } i_e \text{ is port(prt); end } i_e;
\]

\[ \text{prt} \in \text{Prt} \quad \text{ports} \]

\[
\text{prt} \quad ::= \quad s : \text{ in type} \mid s : \text{ out type} \mid \text{prt}_1\text{ prt}_2
\]

\[ \text{type} \in \text{Type} \quad \text{types} \]

\[
\text{type} \quad ::= \quad \text{std_logic}
\]

\[ \text{arch} \in \text{Arch} \quad \text{architectures} \]

\[
\text{arch} \quad ::= \quad \text{architecture } i_a \text{ of } i_e \text{ is begin css; end } i_a;
\]

\[ \text{css} \in \text{Css} \quad \text{concurrent statements} \]

\[
\text{css} \quad ::= \quad i_p : \text{ process decl; begin ss; end process } i_p
\]

\[
\mid i_b : \text{ block decl; begin css; end block } i_b
\]

\[
\mid \text{css}_1 \parallel \text{css}_2
\]

\[ \text{decl} \in \text{Decl} \quad \text{declarations} \]

\[
\text{decl} \quad ::= \quad \text{variable } x : \text{ type } ::= \text{ e}
\]

\[
\mid \text{signal } s : \text{ type } ::= \text{ e}
\]

\[
\mid \text{decl}_1; \text{decl}_2
\]

\[ \text{ss} \in \text{Stmt} \quad \text{statements} \]

\[
\text{ss} \quad ::= \quad \text{null} \mid \text{ss}_1; \text{ss}_2 \mid \text{if } e \text{ then } \text{ss}_1 \text{ else } \text{ss}_2
\]

\[
\mid x ::= e \mid s ::= e
\]

\[
\mid \text{wait on } S \text{ until } e
\]

\[ \text{e} \in \text{Exp} \quad \text{expressions} \]

\[
\text{e} \quad ::= \quad m \mid \text{op}^a e \mid e_1 \text{ op}^b e_2 \mid x \mid s
\]

---

**Figure 2.2:** The subset \text{CoreVHDL} of VHDL.

---

be common to all processes. This will be further discussed in Section 2.2.

Concurrent statements could also be block statements that allow local signal declarations for the use of internal communication between processes declared within the block. The index \( i_b \in \text{Id} \) is a unique identifier in a finite set of block identifiers \( (I_b \subseteq_{\text{fin}} \text{Id}) \). The scope of the local signals declared by a block definition is the concurrent statements specified inside the block.
Since VHDL describe digital hardware we are concerned with the details of electrical signals, and it is therefore necessary to include types to represent digitally encoded values. We consider logical values (LVal) of the standard logic type std_logic, that includes traditional boolean values as well as values for electrical properties.

The formal syntax is given in Figure 2.2. In VHDL it is allowed to omit components of wait statements. Writing FS(e) for the free signals in e, the effect of 'on FS(e)' may be obtained by omitting the 'on S' component, and the effect of 'until true' may be obtained by omitting the 'until e' component. (In other words, the default values of S and e are FS(e) and true, respectively.) Semantically, S is the set of signals waited on, i.e. at least one of the signals of S must have a new active value, and e is a condition on the resulting present values that must be fulfilled, in order to leave the wait statement.

The syntax does not include any loops. In general the loops in VHDL can not be synthesised, as the synthesising tool needs to produce timing guarantees on finishing the loop. Instead, looping behaviour is obtained using processes and iterator signals. However, loops aid in making high-level specifications succinct. Hence in Section 2.1.1 we discuss the unrolling of loops during pre-compilation.

In CoreVHDL the notion of signals is simplified with respect to full VHDL and does not allow references further ahead in time than the following delta-cycle. This correspond to the choice made in RTL VHDL and not only simplifies the analysis but also simplifies the definition of the semantics: Of the many accounts to be found in the literature [Goo95, TE01] we have found the one of [TE01] to best correspond to our practical experiments, based on test programs simulated with the ModelSim SE 5.7d VHDL simulator [Men03]. Even with this restriction CoreVHDL is sufficiently expressive to deal with the programs of the AES implementation.

2.1.1 Pre-compiling RTL VHDL to CoreVHDL

The CoreVHDL subset of RTL VHDL is restricted in its expressiveness. Here we discuss some commonly used syntactical constructs and their pre-compilation to CoreVHDL. The following operations are performed right after a RTL VHDL specification has been parsed.

Hierarchy flattening The VHDL standard [IEE01] describe how the hierarchical structure of a specification can be flattened. The pre-compiler instantiates
all the modules and in-line functions. This enables us to handle structural specifications by flattening them to elaborate behavioural specifications.

**Concurrent Assignment** Signal assignment can be performed as a concurrent statement, this corresponds to a process that is sensitive to the *free signals* in the right-hand side expression and that has the same assignment inside \([\text{Ash02}]\).

**Loop unrolling** Loops are also allowed at the level of concurrent statements, these are commonly used to produce a multitude of processes with similar behaviour. Furthermore loops can be applied within processes, with semantics similar to that of imperative languages, see e.g. \([\text{NN92}]\). If the specification is synthesizable all loops need to result in a finite execution \([\text{IEC05}]\). Hence when considering synthesizable specifications loops are unrolled.

**Scalarisation of vectors** Following the approach presented in \([\text{SV00}]\) vectors are scalarized and replace the new signals named like the vector and postfixed with the index, this is possible as only statically defined vectors are available in RTL VHDL \([\text{IEC05}]\).

### 2.2 Semantics

Before we can define the semantics for COREVHDL we need to understand how integrated circuits work. Most tools for synthesising circuits from VHDL descriptions support the configuration of *Field Programmable Gate Arrays (FPGA)*. A FPGA consist of Logical Blocks (LB) and Input/Output Blocks (IOB), the structure is illustrated in Figure 2.3. The blocks are connected by wires, that in switch points can be interconnected or not. The synthesising step of the hardware design methodology is to decide the configuration of the switch points, thus giving the paths between LBs and IOBs. IOBs are the interface to the environment. The IOBs can also connect an outgoing wire to an incoming wire.

One important aspect of the synthesis step is that signals are mapped down to the wires connecting LBs and IOBs. It is also important to observe that the FPGA does not *execute* the VHDL specification, but instead provides a layout of the switches. The value of each signal will therefore be carried to and from the LB on different wires. In VHDL this is captured by dividing the values of signals into an active value and an present value, these match the from and to
wire, respectively. The time spent on stabilising and propagating the electrical current over the gates is called a *delta-delay*.

Another important aspect is that the integrated circuit does not *stop* working or otherwise end, in fact whenever the input is modified the new currents are propagated through the FPGA until it has stabilised again. To capture this behaviour when simulating hardware specifications we consider a *simulation cycle* as consisting of two phases:

- the signal update phase, and
- the process execution phase

In the signal update phase, simulation time is advanced to the time of the next scheduled active value, then all active values are applied to the corresponding signals. This may cause events to occur. In the process execution phase, all processes that wait on these events are resumed and executed until again suspended at wait statements. The simulation cycle is then repeated.

The main idea when defining the semantics for COREVHDL programs is therefore to execute each process by itself until a synchronisation point is reached (i.e. a wait statement). When all processes of the program have reached a synchronisation point synchronisation is handled, while taking care of the resolution of signals in case a signal has been assigned different values by the processes. This
synchronisation will leave the processes in a state where they are ready either
to continue execution by themselves or wait for the next synchronisation.

**Basic semantic domains** The syntax of programs in **COREVHDL** is limited
to statements operating on a state of logical values. These logical values are
defined as $v \in LVal = \{ 'U', 'X', '0', '1', 'Z', 'W', 'L', 'H', '-' \}$ where the values
indicate the properties

<table>
<thead>
<tr>
<th>Logical</th>
<th>Property</th>
</tr>
</thead>
<tbody>
<tr>
<td>'U'</td>
<td>Uninitialised</td>
</tr>
<tr>
<td>'1'</td>
<td>Forcing one</td>
</tr>
<tr>
<td>'L'</td>
<td>Weak zero</td>
</tr>
<tr>
<td>'X'</td>
<td>Forcing Unknown</td>
</tr>
<tr>
<td>'Z'</td>
<td>High Impedance</td>
</tr>
<tr>
<td>'H'</td>
<td>Weak one</td>
</tr>
<tr>
<td>'W'</td>
<td>Weak Unknown</td>
</tr>
<tr>
<td>'-'</td>
<td>Don’t care</td>
</tr>
</tbody>
</table>

these logical values capture the behaviour of an electrical system better than
traditional boolean values. Hence they have been included in the VHDL stan-
dard from the second revision [IEE93b], see [Ash02] for further details. We
have a function mapping logicals in the syntax to logical values in the semantics
$L : LVal \rightarrow Value$.

**Constructed semantic domains** **COREVHDL** includes local variables and
signals. The values of the local variables are stored in a local state, which is a
mapping from variable names to logical values.

$$\sigma \in State = (Var \rightarrow Value)$$

The idea is that we have a local state for each process, keeping track of assign-
ments to local variables encountered in the execution of the process so far.

For communication between the processes we have signals, the values of which
are stored in local states. The processes communicate by synchronising the
signals of their local signal state with other processes.

$$\varphi \in Signals = (Sig \rightarrow (\{0,1\} \leftarrow Value))$$

The value assigned to a signal is available after the following synchronisation,
therefore we keep the present value of a signal $s$ in $\varphi s 0$. In $\varphi s 1$ we store the
assigned value, meaning that it is available in the following delta-cycle. Each
signal state has a time line for each signal. Values in the past are not used and
therefore forgotten by the semantics; in **COREVHDL** it is not possible to assign
values to signals further into the future than one delta-cycle.
2.2 Semantics

<table>
<thead>
<tr>
<th>Expression</th>
<th>Definition</th>
</tr>
</thead>
<tbody>
<tr>
<td>$E[m]\langle\sigma,\varphi\rangle$</td>
<td>$L[m]$</td>
</tr>
<tr>
<td>$E[x]\langle\sigma,\varphi\rangle$</td>
<td>$\sigma x$</td>
</tr>
<tr>
<td>$E[s]\langle\sigma,\varphi\rangle$</td>
<td>$\varphi s \theta$</td>
</tr>
<tr>
<td>$E[op\nu e]\langle\sigma,\varphi\rangle$</td>
<td>$\frac{\text{op}^{\nu} v}{\text{op}^{\nu}}$ where $E[e]\langle\sigma,\varphi\rangle = v$ and $\text{op}^{\nu} v$ defined</td>
</tr>
<tr>
<td>$E[e_1 \text{ op}\nu b e_2]\langle\sigma,\varphi\rangle$</td>
<td>$v_1 \frac{\text{op}\nu b}{\text{op}^{\nu}} v_2$ where $E[e_1]\langle\sigma,\varphi\rangle = v_1$ and $E[e_2]\langle\sigma,\varphi\rangle = v_2$ and $v_1 \frac{\text{op}\nu b}{\text{op}^{\nu}} v_2$ defined</td>
</tr>
</tbody>
</table>

Table 2.1: Semantics of Expressions

All signals have a present value, so $\varphi s \theta$ is defined for all $s$. Not all signals need to be *active* meaning they have a new value waiting in the following delta-cycle, i.e. $\varphi s \theta$ need not be defined. Hence we use $\{0, 1\} \hookrightarrow Value$ in the definition of the signal state to indicate that it is a partial function.

The semantics handles expressions following the ideas of [NN92]. For expressions

$$E : Exp \rightarrow (State \times Signals \hookrightarrow Value)$$

evaluates the expression. The function is defined in Table 2.1. Note that for signals we use the current value of the signal, i.e. $\varphi s \theta$.

2.2.1 Statements

The semantics of statements and concurrent statements are specified by transition systems, more precisely by structural operational semantics [Plo04]. For statements we shall use configurations of the form:

$$\langle ss', \sigma, \varphi \rangle \in Stmt' \times State \times Signals$$

Here $Stmt'$ refers to the statements from the syntactical category $Stmt$ with an additional statement (final) indicating that a final configuration has been reached. Therefore the transition relation for statements has the form:

$$\langle ss, \sigma, \varphi \rangle \Rightarrow \langle ss', \sigma', \varphi' \rangle$$

which specifies one step of computation. The transition relation is specified in Table 2.2 and briefly commented upon below.
[Local Variable Assignment]:

\[ \langle x := e, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma[x \mapsto v], \varphi \rangle \]
where \( \mathcal{E}[e](\sigma, \varphi) = v \)

[Signal Assignment]:

\[ \langle s \leftarrow e, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma, \varphi'[1][s \mapsto v] \rangle \]
where \( \mathcal{E}[e](\sigma, \varphi) = v \)

[Skip]:

\[ \langle \text{null}, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma, \varphi \rangle \]

[Composition]:

\[ \langle ss_1, \sigma, \varphi \rangle \Rightarrow \langle ss'_1, \sigma', \varphi' \rangle \]
\[ \langle ss_1; ss_2, \sigma, \varphi \rangle \Rightarrow \langle ss'_1; ss_2, \sigma', \varphi' \rangle \]
where \( ss'_1 \in \text{Stmt} \)

\[ \langle ss_1, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma', \varphi' \rangle \]
\[ \langle ss_1; ss_2, \sigma, \varphi \rangle \Rightarrow \langle ss_2, \sigma', \varphi' \rangle \]

[Conditional]:

\[ \langle \text{if } e \text{ then } ss_1 \text{ else } ss_2, \varphi \rangle \Rightarrow \langle ss_1, \sigma, \varphi \rangle \]
if \( \mathcal{E}[e](\sigma, \varphi) = '1' \)

\[ \langle \text{if } e \text{ then } ss_1 \text{ else } ss_2, \varphi \rangle \Rightarrow \langle ss_2, \sigma, \varphi \rangle \]
if \( \mathcal{E}[e](\sigma, \varphi) = '0' \)

\text{Table 2.2: Statements}

An assignment to a signal is defined as an update to the value at the delta-time, i.e. \( \varphi s 1 \). We use the notation \( \varphi^{[1]}[s \mapsto v] \) to mean \( \varphi[s \mapsto \varphi(s)[i \mapsto v]] \).

Because the wait statement is in fact a synchronisation point of the processes it is handled in Section 2.2.2 along with the handling of the concurrent processes.

2.2.2 Concurrent Statements

The semantics of concurrent statements handles the concurrent processes and the synchronisations of a CoreVHDL program. The transition system for concurrent statements has configurations of the form:

\[ \|_{i \in I} \langle css'_i, \sigma_i, \varphi_i \rangle \]
for $I \subseteq \text{fin} \ Id$ and $css'_i \in Css'$, $\sigma_i \in State$, $\varphi_i \in Signals$ for all $i \in Id$. Thus each process has a local variable and signal state. Here $Css'$ refers to the concurrent statements from the syntactical category $Css$ with the additional option of statement from the category $Stmt$ preceding a concurrent statement. This allows for a succinct semantics for process statements.

The initial configuration of a COREVHDL program is:

$$\|_{i \in I} \langle i : \text{process decl}_i; \begin{array}{c} \text{begin} \ ss_i; \ \text{end process} \ i, \sigma_i^0, \varphi_i^0 \rangle$$

The $i^{th}$ process uses an initial state for signals defined by the semantics for declarations of signals. If no initial value is specified the following are used:

$$\sigma_i^0 x = 'U' \quad \text{and} \quad \varphi_i^0 s 0 = 'U$$ for all signals used in the process $ss_i$. $\varphi_i^0 s 1$ is $\text{undef}$ for all signals used in the process $ss_i$.

The transition relation for concurrent statements has the form:

$$\|_{i \in I} \langle css'_i, \sigma_i, \varphi_i \rangle \Rightarrow \|_{i \in I} \langle css''_i, \sigma'_i, \varphi'_i \rangle$$

which specifies one step of computation.

The transition relation is specified in Table 2.3 and explained below.

As mentioned, the idea when defining the semantics of programs in COREVHDL is that we execute processes locally until they have all arrived at a wait statement; this is reflected in the rule [Handle non-waiting processes (H)].

When all processes are ready to execute a wait statement we perform a synchronisation covered by the rule [Active signals (A)]. If a signal waited for is active, the processes waiting for that signal may proceed; this is expressed using the predicate $active(\varphi)$ defined by

$$active(\varphi) \equiv \exists s \exists v : \varphi s 1 = v$$

The delta-delayed values of signals will be synchronised for all processes and in order to do this we use a resolution function $f_s$ of the form:

$$f_s : \text{multiset(Value)} \rightarrow \text{Value}$$

Thus $f_s$ combines the multi-set of values assigned to a signal into one value that then will be the new (unique) value of the signal. VHDL allow a resolution function to be specified in a syntax much like that of a process. We assume that
[Handle non-waiting processes (H)]:
\[
\langle ss_j, \sigma_j, \varphi_j \rangle \Rightarrow \langle ss'_j, \sigma'_j, \varphi'_j \rangle
\]
\[
\|_{i \in I \cup \{j\}} \langle ss'_i; css_i, \sigma_i, \varphi_i \rangle \equiv \|_{i \in I \cup \{j\}} \langle ss'_i; css_i, \sigma'_i, \varphi'_i \rangle
\]
where \(ss'_i = ss_i \land \sigma'_i = \sigma_i \land \varphi'_i = \varphi_i\) for all \(i \neq j\).

\[
\langle ss_j, \sigma_j, \varphi_j \rangle \Rightarrow \langle \text{final}, \sigma'_j, \varphi'_j \rangle
\]
\[
\|_{i \in I \cup \{j\}} \langle ss_i; css_i, \sigma_i, \varphi_i \rangle \equiv \|_{i \in I \cup \{j\}} \langle css'_i, \sigma'_i, \varphi'_i \rangle
\]
where \(css'_i = css_i\) for all \(i \neq j\) and \(css'_i = ss_i; css_i \land \sigma'_i = \sigma_i \land \varphi'_i = \varphi_i\) for all \(i \neq j\).

[Active signals (A)]:
\[
\|_{i \in I} (\text{wait on } S_i \text{ until } e_i; css_i, \sigma_i, \varphi_i) \equiv \|_{i \in I} \langle css'_i, \sigma_i, \varphi'_i \rangle
\]
if \(\exists i \in I. \text{ active}(\varphi_i)\)
where
\[
\varphi'_i s 0 = \begin{cases} f, \{U(\varphi_k, s) \mid k \in I\} & \text{if } \exists j \in I. \varphi_j s 1 \text{ is defined} \\ v & \text{otherwise, } \varphi_i s 0 = v \end{cases}
\]
\[
\varphi'_i s 1 = \text{undefined}
\]
\[
css'_i = \begin{cases} css_i & \text{if } ((\exists s \in S_i. \varphi_i s 0 \neq \varphi'_i s 0) \\ \land E[e_i](\sigma_i, \varphi'_i) = '1') \\ \text{wait on } S_i \text{ until } b_i; css_i & \text{otherwise} \end{cases}
\]

[Processes (P)]:
\[
\|_{i \in I} (i: \text{process decl}_i; \text{begin } ss_i; \text{end process } i, \sigma_i, \varphi_i) \Rightarrow \|_{i \in I} \langle ss_i; i: \text{process decl}_i; \text{begin } ss_i; \text{end process } i, \sigma_i, \varphi_i \rangle
\]

Table 2.3: Concurrent statements

all signals handled in resolution functions are in the argument of the function. The resolution function is applied to the active values of a signal, however if a signal is not active in a local signal state of a process the present value is used instead. We introduce the function

\[
U(\varphi_i, s) = \begin{cases} v & \text{if } \varphi_i s 1 = v \\ v & \text{otherwise, } \varphi_i s 0 = v \end{cases}
\]
to determine whether the active value or the present value is used.

The VHDL standard \[IEE01\] defines a resolution function for the type \texttt{std_logic} called \texttt{resolve}. The function is applied on a list of values for the signal. If the function is passed an empty list, it returns the value 'Z'. If there is only one driving value, the function returns that value unchanged. Otherwise, the func-
2.2 Semantics

Table 2.4: Resolution table $rt$

<table>
<thead>
<tr>
<th>$U'$</th>
<th>$U''$</th>
<th>$U'$</th>
<th>$U'$</th>
<th>$U'$</th>
<th>$U'$</th>
<th>$U'$</th>
<th>$U'$</th>
<th>$U'$</th>
<th>$U'$</th>
</tr>
</thead>
<tbody>
<tr>
<td>$X'$</td>
<td>$U'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
</tr>
<tr>
<td>$0'$</td>
<td>$U'$</td>
<td>$X'$</td>
<td>$0'$</td>
<td>$0'$</td>
<td>$0'$</td>
<td>$0'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
</tr>
<tr>
<td>$1'$</td>
<td>$U'$</td>
<td>$X'$</td>
<td>$1'$</td>
<td>$1'$</td>
<td>$1'$</td>
<td>$1'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
</tr>
<tr>
<td>$Z'$</td>
<td>$U'$</td>
<td>$X'$</td>
<td>$0'$</td>
<td>$1'$</td>
<td>$Z'$</td>
<td>$W'$</td>
<td>$L'$</td>
<td>$H'$</td>
<td>$X'$</td>
</tr>
<tr>
<td>$W'$</td>
<td>$U'$</td>
<td>$X'$</td>
<td>$0'$</td>
<td>$1'$</td>
<td>$W'$</td>
<td>$W'$</td>
<td>$W'$</td>
<td>$W'$</td>
<td>$X'$</td>
</tr>
<tr>
<td>$L'$</td>
<td>$U'$</td>
<td>$X'$</td>
<td>$0'$</td>
<td>$1'$</td>
<td>$L'$</td>
<td>$W'$</td>
<td>$L'$</td>
<td>$W'$</td>
<td>$X'$</td>
</tr>
<tr>
<td>$H'$</td>
<td>$U'$</td>
<td>$X'$</td>
<td>$0'$</td>
<td>$1'$</td>
<td>$H'$</td>
<td>$W'$</td>
<td>$W'$</td>
<td>$H'$</td>
<td>$X'$</td>
</tr>
<tr>
<td>$0$</td>
<td>$U'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
<td>$X'$</td>
</tr>
</tbody>
</table>

Resolution uses a resolution table to resolve driving values

$$\text{resolve}(\{s_1, s_2, \ldots, s_n\}) = rt(s_1, rt(s_2, rt(\ldots, s_n \ldots)))$$

where the resolution table $rt$ is defined in Table 2.4.

Notice that even though a signal, which a wait statement is waiting for becomes active, it is not enough to guarantee that it proceeds with its execution. This is because we have the side condition 'until $e$'. This is reflected in the definition of the statement $css_i'$ of the next configuration. Notice that the state of local variables is unchanged.

Recall that it is the intention to repeat the statement $ss_i$ indefinitely in a process declaration $i$: **process decl; begin ss_i; end process i**, this is reflected in the rule [Processes (P)].

In the following chapters we will investigate security policies and mechanisms that dynamically change due to constraints on the history of execution. Therefore we will now define an execution trace. The point of interest is that specific executions take place prior to releasing specific information. Hence the semantics are annotated with the identifier of the process that gets to evaluate part of its body. Thus we write

$$\llbracket i \in I \langle ss_i; css_i, \sigma_i, \varphi_i \rangle \implies i \in I \langle ss_i'; css_i', \sigma_i', \varphi_i' \rangle \rrbracket$$

when an evaluation step with the rule [Handle non-waiting processes (H)] evaluated one step of process $i$. As a result an execution trace is then defined as the transitive reflexive closure of the semantics, and we write

$$\llbracket i \in I \langle ss_i; css_i, \sigma_i, \varphi_i \rangle \implies \omega \rrbracket^* \llbracket i \in I \langle ss_i'; css_i', \sigma_i', \varphi_i' \rangle \rrbracket$$
where \( \omega \) is a string of identifiers.

### 2.2.3 Architectures

The Semantics for architectures basically initialises the local variable and signal stores for each process. As no actual evaluation is taking place when handling the architectures, we merely consider specifications where the variable and signal declarations are stripped. Hence no further formal definitions are considered.

### 2.3 Properties of the Semantics

In this section we will state properties of the Semantics that will aid us in establishing correctness results of the analyses presented in later Chapters. One property of the Semantics is that the execution of a statement \( ss_1 \) is not influenced by the statement following.

**Lemma 2.1** If \( \langle ss_1, \sigma, \varphi \rangle \Rightarrow_k \langle \text{final}, \sigma', \varphi' \rangle \) then \( \langle ss_1; ss_2, \sigma, \varphi \rangle \Rightarrow_k \langle ss_2, \sigma', \varphi' \rangle \).

**Proof.** The proof proceeds by induction in the length of the derivation sequence. If \( k = 0 \) the result holds vacuously. For the induction step we assume that the lemma holds for \( k \leq k_0 \) and we shall prove it for \( k_0 + 1 \). So assume that

\[
\langle ss_1, \sigma, \varphi \rangle \Rightarrow_k \langle \text{final}, \sigma', \varphi' \rangle
\]

hence the derivation sequence can be written

\[
\langle ss_1, \sigma, \varphi \rangle \Rightarrow \gamma \Rightarrow_k \langle \text{final}, \sigma', \varphi' \rangle
\]

for some configuration \( \gamma \). Now we know that the rule [Composition] was used to obtain

\[
\langle ss_1, \sigma, \varphi \rangle \Rightarrow \gamma
\]

Hence we consider the two cases, first the case where statement \( ss_1 \) evaluates to \( ss'_1 \) in one step

\[
\langle ss_1, \sigma, \varphi \rangle \Rightarrow \langle ss'_1, \sigma'', \varphi'' \rangle
\]

\[
\langle ss_1; ss_2, \sigma, \varphi \rangle \Rightarrow \langle ss'_1; ss_2, \sigma'', \varphi'' \rangle
\]
2.4 Example: Advanced Encryption Standard

and get
\[
⟨ss_1; ss_2, σ, ϕ⟩ \Rightarrow ⟨ss'_1; ss_2, σ'', ϕ''⟩ \Rightarrow^{k_0} ⟨ss_2, σ', ϕ'⟩
\]
and we can apply the induction hypothesis on the derivation sequence
\[
⟨ss'_1; ss_2, σ'', ϕ''⟩ \Rightarrow^{k_0} ⟨ss_2, σ', ϕ'⟩
\]
The second case is when \(ss_1\) finish evaluation in one step
\[
⟨ss_1, σ, ϕ⟩ \Rightarrow ⟨\text{final}, σ'', ϕ''⟩
\]
\[
⟨ss_1; ss_2, σ, ϕ⟩ \Rightarrow ⟨ss_2, σ'', ϕ''⟩
\]
where the result follows immediately. \(\square\)

2.4 Example: Advanced Encryption Standard

The techniques presented in this thesis will be applied to the standard implementation of the Advanced Encryption Standard [WBRF00]. We shall consider the pipelined 128 bit version of the NSA Advanced Encryption Standard implementation of the algorithm. As the specification is rather substantial, and large parts are merely concerned with control signals and registers, we will present two subprograms, which will be used to illustrate the presented analyses.

The 128 bit version of the algorithm works on blocks of 128 bit, that are encrypted through 10 rounds. Each round consists of 4 stages that substitute, shift, mix and add a round key to the block, respectively. Decryption is done by reversing the order of the inverse stages in each round.

The first subprogram is the shift function that is part of an encryption or decryption round.

```plaintext
-- iteration no. 1
temp(0) := a(1)(1);
temp(1) := a(1)(2);
temp(2) := a(1)(3);
temp(3) := a(1)(0);
a(1)(0) := temp(0);
```
The second subprogram is the process that determines the control flow of round blocks, and decides whether the key is added before or after the 10 rounds. This is the difference between the encryption and the decryption algorithms. The implementation considered performs either encryption or decryption depending on the value of the incoming signal \texttt{ALG\_ENC}. For encryption this is done before the first round instead.

\begin{verbatim}
POST_ADD_KEY <= ALG\_KEY\_10;

POST\_ADD: process begin
  b(0)(0) := FINAL\_OUT\_REG(0)(0) xor POST\_ADD\_KEY(0)(0);
  b(0)(1) := FINAL\_OUT\_REG(0)(1) xor POST\_ADD\_KEY(0)(1);
  b(0)(2) := FINAL\_OUT\_REG(0)(2) xor POST\_ADD\_KEY(0)(2);
  b(0)(3) := FINAL\_OUT\_REG(0)(3) xor POST\_ADD\_KEY(0)(3);
  b(1)(0) := FINAL\_OUT\_REG(1)(0) xor POST\_ADD\_KEY(1)(0);
\end{verbatim}
b(1)(1) := FINAL_OUT_REG(1)(1) xor POST_ADD_KEY(1)(1);
b(1)(2) := FINAL_OUT_REG(1)(2) xor POST_ADD_KEY(1)(2);
b(1)(3) := FINAL_OUT_REG(1)(3) xor POST_ADD_KEY(1)(3);
b(2)(0) := FINAL_OUT_REG(2)(0) xor POST_ADD_KEY(2)(0);
b(2)(1) := FINAL_OUT_REG(2)(1) xor POST_ADD_KEY(2)(1);
b(2)(2) := FINAL_OUT_REG(2)(2) xor POST_ADD_KEY(2)(2);
b(2)(3) := FINAL_OUT_REG(2)(3) xor POST_ADD_KEY(2)(3);
b(3)(0) := FINAL_OUT_REG(3)(0) xor POST_ADD_KEY(3)(0);
b(3)(1) := FINAL_OUT_REG(3)(1) xor POST_ADD_KEY(3)(1);
b(3)(2) := FINAL_OUT_REG(3)(2) xor POST_ADD_KEY(3)(2);
b(3)(3) := FINAL_OUT_REG(3)(3) xor POST_ADD_KEY(3)(3);

POST_OUT_INT <= b;
end process POST_ADD;

ALG_DATA_LAST <= POST_OUT_INT when ALG_ENC = '0' else
    FINAL_OUT;

2.5 Discussion and Related Work

In this thesis focus will be on VHDL. However, other hardware description languages exists. The most predominant alternative to VHDL is the Verilog Hardware Description Language [IEE95]. The choice of VHDL was made because of the wide acceptance and support of the language in the industry. Still the common foundation of hardware description languages should allow for a fairly straightforward adaption of the techniques presented in the following chapters to other languages.

Another alternative might be the system description language SystemC [IEE05]. The SystemC language provides a greater freedom of expressiveness as it consists of libraries and macros for C++, hence allowing the C++ language facilities to be used in hardware descriptions. However, when synthesising designs, the procedure is normally to compile the SystemC descriptions to VHDL, where further development might be necessary. Therefore the analyses presented in this thesis can be applied at the VHDL level, to achieve similar results for SystemC specifications.
There exists alternative definitions of semantics for VHDL. In the following we will discuss these and argue for some of the choices, that make our semantics differ from others. The reason for these differences is primarily the ambiguity and complexity of the IEEE standard [IEE01], which allows for varying interpretations. To validate the choices made we therefore focus on the specification of synthesising RTL VHDL [IEC05] and the ModelSim SE 5.7d VHDL simulator [Men03].

The semantics presented in this chapter is based on the structural operational semantics presented by Goossens [Goo95], which aims to formalise the simulation algorithm described in the original VHDL standard [IEE87]. Thirunarayan and Ewing [TE01] extended this semantics to comply with the 1993 standard. The presented semantics is very close to these approaches, but still there are two issues that we address differently. First the progression of time at synchronisation points that update the present values of signals was erroneously formalised. Thirunarayan and Ewing points out the problem in their paper [TE01], however they correction does not solve the issue, but instead introduces a copying of the active value of signals whenever no processes can continue past their synchronisation points. Thereafter a process might mistakenly observe the signal as being active twice. Thirunarayan has acknowledged this issue and agreed to the solution presented in this thesis [Thi03].

The second issue has to do with the resolution of signals. In [Goo95, TE01] the resolution function is applied only on the active values of signals. However there is no distinction between the active and the present value in hardware and hence the resolution function should in fact be applied on both. This observation is supported by [Ash02] and ModelSim simulations of test specifications.

There are other alternatives. Many leave out important issues in the hardware model, such as

“For simplicity, delta-delayed signal assignments are not treated.” [BFK94], which allows Breuer et al. to define a clean semantics of VHDL. Van Tassel [vT93] makes similar simplification to the considered subset of VHDL. These semantics do not match the understanding of hardware design investigated in this thesis.

Van Tassel [vT93] embeds the semantics of a VHDL subset in HOL, in this manner allowing for proof assistance. In the same line of research Russinoff [Rus95] defines the semantics of a simple hardware description language, which is similar to a subset of VHDL, in Boyer-Moore logic. Another approach that defines the semantics of VHDL in a logical language (i.e. ACL) is [RBG00].
These embeddings into proof assistants aid the formal verification of VHDL specifications.

Several hardware description languages are focused completely on finite state machines, such as Esterel [Est05]. In fact most VHDL specification were focused on describing globally synchronous specifications, that can be mapped to finite state machines. This is still one of its primary usages. Hence much work has been done on compiling VHDL descriptions into finite state machines, see e.g. [BLPV94, DB93, DB95].

Hymans [Hym02] defines a semantics that is based on Goossens’ [Goo95] approach. The considered subset of VHDL is very close to the one at hand. The main differences is that Hymans introduces functions for random number generation to the language. These are not present in VHDL and are not synthesizable. Hymans’ reason for introducing them is to accommodate verification of systems. Hence only a test bench process would use the functions. The semantics, however, has been modified to not include resolution of active signals. Instead Hymans utilises a global state that allows signal assignments to overwrite each other. This forces Hymans to assume that each signal is only assigned to in one process.

To verify that the presented definition of the semantics is accurate several test specifications were made that support or reject design choices in the semantics. The test specifications were simulated with the ModelSim simulator [Men03]. Although this does not provide any formal guarantee, it does allow us to debug the formal specifications. Below we report on two of the example specifications and the results of simulation them.

**Waiting on signals** In the semantics of programs the condition for allowing a process to continue execution after waiting for a signal is limited to signals that have actually changed value. I.e. using the definition of active signals is not sufficient to determine if processes continue execution in the rule [Active signals (A)]. We see from the below described program that we need the condition \( \exists s \in S_t. \varphi_s. s 0 \neq \varphi'_s. s 0. \)

To illustrate this decision in the semantics we present a program, consisting of two processes. One process will continue to set the value of a signal to a constant value. The second process will wait on the signal set by the first process, and when allowed to continue execution it will alter another signal. This allows us to detect that the process is not halted while waiting on the signal. The signal \( \text{CLK} \) is a clock signal set by the simulator. It is inverted with a frequency of 500 ns.
The result of simulating the program with the ModelSim SE 5.7d VHDL simulator is presented in Figure 2.4. Since the value of the signal B only changes once, namely after 500 ns and not again after 1000 ns or 1500 ns, we observe that the second process can not continue execution at the wait statement even though the first process sets an active value for the signal A.

library IEEE;
use IEEE.STD_LOGIC_1164.all;

entity test is
  signal CLK : in STD_LOGIC;
end test;

architecture model of test is
  signal A : STD_LOGIC := '0';
  signal B : STD_LOGIC := '0';
begin

  process begin
    wait on CLK;
    A <= '1';
  end process;

  process begin
    wait on A;
    B <= not B;
  end process;

end test;

Resolution off signals  In the semantics of programs it is specified how signals are resolved with a resolution function. Different test programs have been
simulated and the behaviour corresponds to the resolution function specified in [Ash02].

The simulated programs are of a form similar to the program presented below. The program consists of two processes running in parallel, each of them setting the value of the signal A. When the processes synchronise at the wait statements the resolution of the signal is performed. By altering the values assigned to A each entry in the resolution table can be tested. As above the signal CLK is a clock signal set by the simulator. It is inverted with a frequency of 500 ns.

The result of simulating the test program is presented in Figure 2.5.

```vhdl
library IEEE;
use IEEE.STD_LOGIC_1164.all;

entity test is
  signal CLK : in STD_LOGIC;
end test;

architecture model of test is
  signal A : STD_LOGIC := '0';
begin
  process begin
    wait on CLK;
    A <= '1';
  end process;

  process begin
    wait on CLK;
    A <= '0';
  end process;

end model;
```
Security verification of a system is divided into two parts; a security policy and a security mechanism. The security policy is a high-level specification of the security properties that the given system should possess; typically it consists of statements describing goals of the security verification. These goals should be driven by our understanding of threats rather than how the system is implemented. Hence a policy might express goals regarding the access to objects or how information flows through the system. On the other hand the security mechanism enforces the security properties on the given system. In this chapter we investigate security policies for information flow. Security mechanisms matching the security policies are investigated in Chapter 4 and 5.

The concept of security policies came from the military sector. The first security policy model, Bell-LaPadula [BL73], was developed in 1973 to formalise the U.S. Department of Defense multilevel security policy. The model describes a set of access control rules through security labels on resources and clearances for users. Informally said, the model protects the confidentiality of information through a hierarchy of security levels. A user can not read information from levels higher than the users own, no read up, and the user can not write information to lower levels, no write down. This model became the standard military approach when evaluating systems, according to the U.S. Department of Defense “Orange
However for general usage the model has proved to be too restrictive, in particular due to it relying on dynamic security mechanisms that have problems with enforcing the policy in the presence of implicit flows. Here we make the distinction between explicit and implicit information flows; where explicit information flows are statements that directly affects one resource by reading another resource, e.g. 

\[ x := y \]

where the value of \( y \) is copied to \( x \). An implicit flow occurs in connection with statements that alter the control flow of the program based on reading a resource, e.g.

\[ y := 0; \text{ if } x \text{ then } y := 1 \text{ else null} \]

where the value of \( x \) will determine which branch will be taken and finally the value of \( y \). Observe that the implicit flow occur even when \( x \neq true \) as the attacker may observe that the value of \( y \) is 0.

Due to these issues investigation began on policies and mechanisms for preserving confidentiality in a system. On one hand Denning and Denning [Den76, DD77] developed static mechanisms for verifying the security of a system, while on the other hand Lampson [Lam73] and later Cohen [Coh77, Coh78] investigated notions for the confinement problem and strong secrecy. Goguen and Meseguer [GM82, GM84] introduced the security property, non-interference, that has later become the most influential property of information flow policies. Informally, non-interference means that an attacker of the system, who can view low confidentiality information, is not permitted to observe any differences after two executions of a program that only differ on its confidential inputs. Another weaker property, non-deducibility, was proposed by Sutherland [Sut86]. It was the first nondeterministic version of non-interference. It is weaker than non-interference as it allows the two executions of the program to modify the observable part of the resources as long as no connection between confidential information and resulting low confidentiality information can be made with complete certainty. The non-deducibility property has no practical usage, since a guarantee that allows the attacker to determine a secret with 99% probability is no better than no guarantee.

At about the same time Kemmerer [Kem82, Kem02] presented the shared resource matrix methodology aimed at identifying covert channels in real systems. The method is centred around the notion of a resource matrix, which is a matrix where the rows represent the resources available in the considered system and the columns represent the actions (referred to as primitives). Each field in the matrix state the access right for the action on the resource. In this model there are two access rights, read and modify. The resource matrix model allows
3.1 Locality-based security policies

the security analyst to abstract on the resources and actions, and hence include resources such as the process scheduler and the system clock, while grouping actions into processes and programs. The strength of the shared resource matrix approach is verifying real systems, which has been illustrated in several cases (e.g. HKMY86, KT96). One drawback of the approach is that it does not formalise a security property, instead it aims at identifying information flows (and more generally covert channels). Thus if no leaks occur we are left without any guarantees.

In this chapter we aim to combine the expressive power of the security policies in the shared resource matrix approach with the strong end-to-end guarantee of non-interference. Arguments regarding the inapplicability of non-interference in the setting of many real systems have been raised [RMMG01]. One approach that has been relatively successful in dealing with this issue is introducing trusted components that are allowed to break the security policies, often referred to as intransitive noninterference [HY86, Rus92, RG99]. The proposed policies and security property incorporate a notion of intransitive noninterference and extend it with constraints on the execution history of the program. Previously security policies for access control based on execution history [AF03, BN04, BDF05] have been investigated and shown to provide a natural approach to specifying security policies. Furthermore the proposed policies and security property must be placed within the setting of hardware descriptions. For this purpose we build on the semantics presented in Chapter 2.

3.1 Locality-based security policies

To protect confidentiality within a system, it is important to control how information flows so that secret information is prevented from being released on unintended channels. The allowed flow of information in a system is specified in a security policy. In this section we present a policy language based on graphs. Here vertices represent security domains, describing the resources available in the program. A security domain is related to sets of resources available in the considered system.

This model allows for the granularity of the mapping from resources to security domains to be very fine-grained. For example we can introduce a security domain for each resource. For improved precision we could partition the usage of a resource into lifetime periods and introduce a domain for each, hence having more than one security domain for each resource used in the program. This would allow us to abstract from e.g. reuse of limited resources in the implementation, instead of introducing new gates for each lifetime period of a signal, and
thereby potentially increasing the size of the gate layout quadratically [HS06].

In our setting the variables and signals are our resources, hence they are related to security domains. This allows us to reason about groups of resources together, as well as singling out specific resources and isolate these in their own security domains. The security policies therefore focus on the information flow between intended domains of resources. Consequently we assume that variables and signals can be uniquely mapped to security domains.

**Definition 3.1** (Security Domains) For a given program we have a mapping from variables and signals \( Var \cup Sig \) to security domains \( V \)

\[ \_ : Var \cup Sig \rightarrow V \]

We write \( x \) and \( s \) for the security domain of the variable \( x \) and signal \( s \), respectively.

As stated above the security policies are based on graphs. Therefore the edges specify permitted flows of information. Information flow between resources can be restricted subject to fulfillment of constraints with respect to certain events taking place prior to the flow. Formally we propose the following definition of security policies.

**Definition 3.2** (Locality-based security policies) A security policy is a labelled graph \( \mathcal{G} = (V, \lambda) \), consisting of a set of vertices \( V \) representing security domains and a total function \( \lambda \) mapping pairs of vertices to labels \( \lambda : V \times V \rightarrow \Delta \). We define \( \mathcal{G} \) to be the set of policies. The structure, \( \Delta \), of labels is defined below.

In a flow graph the set of vertices \( V \) represent security domains. A security domain indicates the usage of a resource in the system. The edges in the flow graph describe the allowed information flow between resources. Hence an edge from the vertex for security domain \( v_1 \) to the vertex for security domain \( v_2 \) indicates that information is allowed to flow between the resources in these domains subject to the label attached to the edge.

The edges are labelled with constraints that the program must fulfill in order for the flow of information to be permitted. These constraints will include restrictions with respect to localities in the program. Hence we will consider local flows permitted in specific processes or blocks. Each process and block is uniquely referenced by identifiers \( Id \) that we map to security localities.

**Definition 3.3** (Security Localities) For a given program we have a mapping
from identifiers $Id$ to security localities $L$

$$\equiv : Id \rightarrow L$$

A policy that restrict a information flow to a security location $l$ should permit information flows when the execution resulting in the flow takes place in a process $i_p$ or block $i_b$ that is in the location, i.e. $i_p = l$ or $i_b = l$, respectively.

We lift the mapping of identifiers to security localities such that we write $\omega$ when the mapping is in fact applied to each identifier in a execution trace, thus resulting in a string of locations.

The edges in the flow graph are described by the function $\lambda : V \times V \rightarrow \Delta$. We write $v_1 \xrightarrow{\delta} v_2$ for an edge from vertex $v_1$ to $v_2$ constrained by $\delta \in \Delta$, i.e. $\lambda(v_1, v_2) = \delta$. Information flow might be constrained by certain obligations that the system must fulfill before the flow can take place. Here we describe a novel constraint language that allows the security policy to be specific about intransitive information flows in the flow graph. Constraints are specified in the following syntax $\delta \in \Delta$:

$$\delta ::= true \mid false \mid l \mid \delta_1 \cdot \delta_2 \mid \delta_1 \land \delta_2 \mid \delta_1 \lor \delta_2 \mid \delta^*$$

A constraint may be trivially true or false. The constraint $l$ enforces that flows occur at specific locations, thus that the flow is only permitted at locations that is part of the security location $l$ (i.e. $i = l$). The constraint $\delta_1 \cdot \delta_2$ enforces that the flow is only allowed to occur if events described in $\delta_1$ precedes events described in $\delta_2$. Common logical operators $\land$ and $\lor$ are available to compose constraints. Finally Kleene’s star $*$ allows the policies to express cyclic behaviour.

We might omit the constraint, writing $v_1 \sim v_2$ for $v_1 \xrightarrow{true} v_2$. Similarly we might omit an edge in a flow graph indicating that the constraint can never be fulfilled, i.e. $v_1 \xrightarrow{false} v_2$.

**Example 3.1** To illustrate the usage of flow graphs as security policies we here discuss the three examples given in Figure 3.1. The first flow graph (a) allows a flow from $v_1$ to $v_2$ and $v_2$ to $v_3$ but not from $v_1$ to $v_3$. That is neither directly nor through $v_2$! In this manner the intransitive and temporal nature of the policies allow us to have constraints on the order of information flows and the further propagation of information.

The second flow graph (b) allows the flow from $v_1$ to $v_2$, $v_2$ to $v_3$ and from $v_1$ to $v_3$ as well. The flow can be directly from $v_1$ to $v_3$ or through $v_2$. If we
wish to restrict the flow to go through \( v_2 \) it could be done as in flow graph (c). We assume that \( i \) and \( i' \) map to security locations that no other processes or blocks are mapped to. Hence the last flow graph (c) restricts the flows between the security domains to certain locations. This ensures that for information to flow from \( v_1 \) to \( v_3 \) both locations need to participate.

To give intuition to the above example policies we relate them to a personal finance scenario. In the following we let \( v_1, v_2, \) and \( v_3 \) denote the resources of the user, the user’s financial advisor, and the tax authorities respectively. The first policy (Figure 3.1(a)) states that the user’s financial information may be accessed by the financial advisor but not by the tax authorities while still allowing the financial advisor to send (other) information to the tax authorities. The second policy (Figure 3.1(b)) then states that the user’s financial information may be accessed both by the financial advisor and by the tax authorities; this may be necessary during a tax audit. Finally the policy shown in (Figure 3.1(c)) defines a situation where the user’s financial information may be accessed by both the financial advisor and the tax authorities but only through the financial advisor; this security policy ensures that the financial advisor can review all relevant information from the user before the tax authorities gain access to it. These examples match the principle of separation of duty presented by Clark and Wilson [CW87], as one of the fundamental principles in the Clark-Wilson model. The principle states that in order to maintain integrity in a commercial system the concerns of each principal must be separated, and hence collaboration between principals becomes necessary to achieve the goals of the individuals, while malicious principals must not be allowed to circumvent the rights of the well-behaved principals.

A system is given by a program \( \|_{i \in I} \text{css}_i \) and a security policy \( G \) together with a domain mapping \( \cdot \) and a location mapping \( \cdot \) and might be written \( \|_{i \in I} \text{css}_i \) subject to \( (G, \cdot, \cdot) \). However, as the \( G, \cdot, \cdot \) components are clear from context we choose not to incorporate the policies in the syntax of COREVHDL.
3.1 Locality-based security policies

3.1.1 Semantics of constraints

In this subsection we present the semantics of our security policy language. The semantics is given as a translation to regular expressions over execution traces. The intuition is that if an execution trace is in the language of the regular expression derived by the semantics, then the constraint is fulfilled.

The main idea behind the locality-based security policies is that they specify constraints that must be fulfilled rather than the total behaviour of the system. This result in succinct policies. Therefore the semantics of constraints is based on an understanding of fulfilment of a constraint whenever an execution trace produces the locations specified. Hence if a trace that fulfils a constraint is preceded or succeeded by other traces the constraint remains fulfilled.

The true constraint is always fulfilled and hence is translated to the regular expression $L^\ast$ accepting all execution traces. Similarly the constraint false cannot be fulfilled for any trace, and hence the generated language is $\emptyset$. The constraint $l$ gives the language $L^\ast \cdot \{ l \} \cdot L^\ast$ as we wish to allow the flow only for executions taking place at $l$. The constraint $\delta_1 \cdot \delta_2$ indicates that the trace $\omega$ can be split into $\omega_1$ and $\omega_2$, where $\omega_1$ must be in the language of $\delta_1$, and respectively $\omega_2$ must be in the language of $\delta_2$. The constraints for $\delta_1 \land \delta_2$ and $\delta_1 \lor \delta_2$ are straightforward. One obvious definition of $[\delta^\ast]$ is $[\delta]^\ast$; however this choice would invalidate Lemma 3.4 below. Consequently, it is natural to define $[\delta^\ast] = L^\ast \cdot [\delta]^\ast \cdot L^\ast$ as then Lemma 3.4 continues to hold.

The semantics of the security policy language is given in Figure 3.2.

Lemma 3.4 The semantical interpretation of constraint $\delta$ does not change by preceding or succeeding it by other traces $\forall \delta : [\delta] = L^\ast \cdot [\delta] \cdot L^\ast$.

We define an ordering of constraints as the relation $\leq_\Delta \subseteq \Delta \times \Delta$, i.e. we say that $\delta$ is a restriction of $\delta'$ if $(\delta, \delta') \in \leq_\Delta$, normally we write $\delta \leq_\Delta \delta'$.

Definition 3.5 We say that a constraint $\delta$ is a restriction of $\delta'$, written $\delta \leq_\Delta \delta'$ if we have $[\delta] \subseteq [\delta']$.

Similarly we define a restriction relation between flow graphs.

Definition 3.6 We say that a flow graph $G = (V, \lambda)$ is a restriction of $G' = (V', \lambda')$, written $G \leq G'$ if we have that $V = V' \land \forall v_1, v_2 : \lambda(v_1, v_2) \leq_\Delta \lambda'(v_1, v_2)$.
3.2 History-based Release

To determine whether a program is secure or not, we need some condition for security. In this section we therefore present our definition of secure programs. The intuition is similar to that of non-interference, however we aim to generalise the traditional non-interference condition to permit release of confidential information, based on constraints on the history of the execution and it’s present location. We call this condition **History-based Release**.

3.2.1 Security Condition

Before we formalise the main security condition we need to formalise what an attacker can observe. Consider an attacker that has access to a subset $V$ of the variables and signals that are available in the program under consideration. We formalise the observable part of the resources by assuming that the attacker has knowledge of all the processes that exist in the program, and hence it is feasible to assume that two variable or signal states can be compared on all variables or signals, respectively. Thus for two programs $\parallel i \in I \text{ css}_i$ and $\parallel i \in I \text{ css}_i 2$ an attacker that observes at security domain $V$ can compare the observable parts of the variable states as $\sigma_1 \sim_V \sigma_2$.

**Definition 3.7** ($V$-observable equivalence) Two variable states $\sigma_1$ and $\sigma_2$ are for the resources in domain $V$ observably equivalent $\sigma_1 \sim_V \sigma_2$ iff

$$\forall x : x = V \Rightarrow \sigma_1 x = \sigma_2 x$$

We define the observable parts of signal states in the same manner.

**Definition 3.8** ($V$-observable equivalence) Two signal states $\varphi_1$ and $\varphi_2$ are for the resources in domain $V$ observably equivalent $\varphi_1 \sim_V \varphi_2$ iff

$$\forall s \forall j \in \{0, 1\} : s = V \Rightarrow \varphi_1 s j = \varphi_2 s j$$

Figure 3.2: Semantics of constraints
Where we overload the observational equivalence to consider both variable and signal states.

We define the function $\nabla: \mathcal{P}(V) \times G \times \Omega \to \mathcal{P}(V)$ for extending a set of security domains with the domains that are permitted to interfere with the observed domains due to the fulfilment of constraints by the execution trace $\omega$. The resulting set of security domains describe the permitted information flows during the execution.

**Definition 3.9** ($V$ Observable) For a security policy $G$ and a execution trace $\omega$ an observer at $V$ can observe the localities

$$\nabla(V, G, \omega) = V \cup \{v_1 \mid v_2 \in V \land \omega \in \lambda(v_1, v_2)\}$$

If the considered policy is changed to a less restrictive policy, $\nabla$ will never reduce the observable part of the variables and signals. This allows us to establish the following fact.

**Fact 1.** If $G \leq G'$ then $\nabla(V, G, \omega) \subseteq \nabla(V, G', \omega)$.

We consider a program secure if in no execution trace, neither a single step nor a series of steps, will an attacker observing the system at the level of a set of security domains $V$ be able to observe a difference on any resource, when all resources permitted to interfere with the resource are observably equivalent before the evaluation. We formalise the condition as a bisimulation over execution traces on programs.

**Definition 3.10** (Bisimulation) A $(G, V)$-bisimulation is a symmetric relation $R$ on programs whenever

$$\left\| \left( css'_{i1}, \sigma'_{i1}, \varphi'_{i1} \right) \right\|_{i \in I} \xrightarrow{\omega \rightarrow^*} \left\| \left( css''_{i1}, \sigma''_{i1}, \varphi''_{i1} \right) \right\|_{i \in I}$$

then there exists $\left\| \left( css''_{i2}, \sigma''_{i2}, \varphi''_{i2} \right) \right\|_{i \in I}$ such that

$$\left\| \left( css'_{i2}, \sigma'_{i2}, \varphi'_{i2} \right) \right\|_{i \in I} \xrightarrow{\omega' \rightarrow^*} \left\| \left( css''_{i2}, \sigma''_{i2}, \varphi''_{i2} \right) \right\|_{i \in I}$$
The bisimulation follows the approach of Sabelfeld and Sands [SS00] in utilising a resetting of the state between subtraces. This follows from modelling the attacker’s ability to modify signals concurrently with the execution. Furthermore it accommodates the dynamically changing nature of the security policies due to the fulfilment of constraints, as seen in [MS04]. The definition is transitive but not reflexive. That the definition is not reflexive follows from observing that the program

\[
\begin{align*}
p : & \text{process begin} \\
& l := h; \\
& \text{end process p}
\end{align*}
\]

is not self-similar whenever information is not permitted to flow from \(h\) to \(l\).

**Fact 2.** If \(G \leq G'\) and \(\mathcal{R}\) is a \((G, \mathcal{V})\)-bisimulation then \(\mathcal{R}\) is also a \((G', \mathcal{V})\)-bisimulation.

**Definition 3.11** A \(G\)-bisimulation is a relation \(\mathcal{R}\) such that for all \(\mathcal{V}\), \(\mathcal{R}\) is a \((G, \mathcal{V})\)-bisimulation. Denote the largest \(G\)-bisimulation \(\approx_G\).

Now we can define the security condition as a program being bisimilar to itself.

**Definition 3.12** (History-based Release) A program \(\parallel_{i \in I} \text{css}_i\) is secure wrt. the security policy \(G\) if and only if we have \(\parallel_{i \in I} \text{css}_i \approx_G \parallel_{i \in I} \text{css}_i\).

**Example 3.2** In the following we will consider a number of example programs that illustrate the strength of History-based Release. First consider the program

\[
\begin{align*}
p : & \text{process begin} \\
& y <= x; \\
& \text{end process p}
\end{align*}
\]

which reads the signal \(x\) and modifies \(y\). With the policy \(x \overset{p}{\rightsquigarrow} y\), the program is secure, while changing the policy to \(x \overset{p'}{\rightsquigarrow} y\) makes the program insecure. The reason that the program is insecure with the second policy is because the bisimulation forces us to consider all possible traces, so even if the above program was modified to execute a process named \(p'\) concurrently with the considered one, \(p\), the result would be the same. This corresponds to intransitive non-interference [MB05] (or lexically scoped flows according to [BS06]).
Example 3.3 History-based Release goes beyond lexically scoped flows as the policy might constrain the history of a process. This is illustrated by the following example. Consider the security policy in Fig. 3.1(c) and assume that \( x = v_1 \), \( y = v_2 \) and \( z = v_3 \), for which the program

\[
i : \text{process begin} \notag \\quad y \leftarrow x; \notag \\quad \text{end process } i
\]

\[
i' : \text{process begin} \notag \quad z \leftarrow y; \notag \quad \text{end process } i'
\]

is secure. On the other hand the program

\[
i : \text{process begin} \notag \quad y \leftarrow x; \notag \quad \text{end process } i
\]

\[
i' : \text{process begin} \notag \quad z \leftarrow x; \notag \quad \text{end process } i'
\]

is insecure because the process \( i' \) might evaluate prior to the process \( i \).

Example 3.4 Another concern is the handling of indirect flows. Consider the program

\[
p : \text{process begin} \notag \quad \text{if } x \text{ then } y \leftarrow \text{not } y \text{ else null} \notag \quad \text{end process } p
\]

and an attacker observing whether the signal \( y \) is modified or not. Based on this the attacker will know when the signal \( x \) carries the value '1'. Therefore History-based Release allows the program for the policy \( \underrightarrow{x}{p} \underrightarrow{y} \), but not for \( \underrightarrow{x}{\text{false}} \underrightarrow{y} \).

Example 3.5 Finally we wish to look at an example program that is insecure in the traditional setting where lattices are used as security policies. Consider the program
p : process begin
  \( y := '0'; \)
  \( z := y; \)
  \( y := x; \)
end process p

which is secure for the policy in Fig. 3.1(a) when \( x = v_1, \ y = v_2 \) and \( z = v_3 \).
This is because evaluating the program does not result in information flowing from \( x \) to \( z \).

### 3.2.2 Consistency of History-based Release

In this subsection we argue the consistency of the definition of History-based Release. In particular we will discuss two of the principles presented by Sabelfeld and Sands in [SS05]. In the following we consider declassification to refer to constraints that are not trivially evaluated to \( true \) or \( false \).

**Conservativity:** Security for programs with no declassification is equivalent to non-interference.

Limiting all constraints on edges in the flow graphs to only being of the simple form \( true \), \( false \) or \( l \) gives us intransitive non-interference. Removing all non-trivial constraints (i.e. only having the constraints \( true \) and \( false \)) results in traditional non-interference.

**Monotonicity of release:** Adding further declassifications to a secure program cannot render it insecure.

Adding declassifications to a program corresponds to making our security policies less restrictive. Hence we aim to show that a program will be secure for any policy at least as restrictive as the original policy, for which it can be shown secure.

**Lemma 3.13** (Monotonicity) If \( G \leq G' \) then

\[
\| i \in I \ css_i_1 \approx_G \| i \in I \ css_i_2
\]

implies

\[
\| i \in I \ css_i_1 \approx_{G'} \| i \in I \ css_i_2.
\]
3.3 Transitive Security Policies

Proof. It follows from Fact 1 that
\[ \forall i \in I : (\sigma_{i1} \sim_{(V,G',\omega)} \sigma_{i2}) \Rightarrow (\sigma_{i1} \sim_{(V,G,\omega)} \sigma_{i2}) \]
and
\[ \forall i \in I : (\varphi_{i1} \sim_{(V,G',\omega)} \varphi_{i2}) \Rightarrow (\varphi_{i1} \sim_{(V,G,\omega)} \varphi_{i2}). \]

The Lemma follows from Fact 2 and observing that to show \( \|_{i \in I} css_{i1} \approx_{G'} \|_{i \in I} css_{i2} \) we have either \( \forall i : \sigma_{i1} \sim_{(V,G',\omega)} \sigma_{i2} \) and \( \forall i : \varphi_{i1} \sim_{(V,G,\omega)} \varphi_{i2} \), in which case we can reuse the proof for \( \|_{i \in I} css_{i1} \approx_{G} \|_{i \in I} css_{i2} \), and otherwise the result holds trivially. \( \square \)

3.3 Transitive Security Policies

In this section we shall investigate a limited version of the locality-based security policies. The investigation will focus on transitively closed policies and compare them to the previously presented policies. The goal of the transitively closed policies is to find a subset of the locality-based policies that allows for a more direct approach to automatic analysis and verification of program security. The transitively closed policies will be utilised in the correctness result for the type based approach to verification of CoreVHDL programs presented in Chapter 4.

First let us define what a transitively closed Locality-based security policy is. The intuition is that if information is allowed to flow from one node to a second node and from the second node to a third node then information should also be allowed to flow from the first node to the third node. Formally this is defined in the following definition.

Definition 3.14 (Transitively Closed Locality-based Security Policies) A security policy \( G \) is transitively closed whenever
\[ \forall n_0 \xrightarrow{\delta_1} n_1 \xrightarrow{\delta_2} n_2 \xrightarrow{\delta_3} \cdots \xrightarrow{\delta_k} n_k \in G \]
implies
\[ n_0 \xrightarrow{\delta} n_k \in G \land [\delta_1 \cdot \delta_2 \cdots \delta_k] \subseteq [\delta] \]
Observe that this goes against our previous comments on information flows between principals, who are not allowed to forward each others information without explicit permission from the originating principal.

The transitively closed policies merely propose a restriction on the policies, and hence all previously presented results still hold. In particular we will apply Lemma 3.13 to give guarantees for policies that are not transitively closed whenever our analysed system can be verified to conform to History-based Release for a more restrictive transitively closed policy.

The goal of the transitively closed policies was to accommodate a simplified and more direct approach to analysing the considered programs. Hence we propose a simplified security condition, which match the intuition of the restricted policies. Furthermore for transitive closed policies, the condition will provide a guarantee that is equally strong to History-based Release. The condition will be centred around the following bisimulation.

**Definition 3.15 (Transitive Bisimulation)** A \((G, V)\)-bisimulation is a symmetric relation \(R\) on programs whenever

\[
\begin{align*}
\| i \in I \langle \text{css}_{i1}', \sigma_{i1}, \varphi_{i1} \rangle &\xrightarrow{\omega} \| i \in I \langle \text{css}_{i1}''', \sigma_{i1}', \varphi_{i1}' \rangle \land \\
\| i \in I \text{ css}_{i1}' \ x R \| i \in I \text{ css}_{i2}' \land \\
\sigma_{i1} &\sim V(G, \omega) \sigma_{i2} \land \\
\varphi_{i1} &\sim V(G, \omega) \varphi_{i2}
\end{align*}
\]

then there exists \(\| i \in I \text{ css}_{i2}''', \sigma_{i2}', \varphi_{i2}' \) and \(\omega'\) such that

\[
\begin{align*}
\| i \in I \langle \text{css}_{i2}'', \sigma_{i2}', \varphi_{i2}' \rangle &\xrightarrow{\omega'} \| i \in I \langle \text{css}_{i2}''''', \sigma_{i2}', \varphi_{i2}'' \rangle \land \\
\| i \in I \text{ css}_{i1}''' \ x R \| i \in I \text{ css}_{i2}'''' \land \\
\sigma_{i1}' &\sim V \sigma_{i2}' \land \\
\varphi_{i1}' &\sim V \varphi_{i2}'
\end{align*}
\]

Here we have limited the bisimulation game to one step evaluations of the first program. This will simplify the proof burden on programs under verification and aid us in establishing the correctness result of the static analyses presented in the following chapters.

Again the bisimulation follows the approach of Sabelfeld and Sands [SS00] in utilising a *resetting of the state* between subtraces. This follows from modelling the attacker’s ability to modify signals concurrently with the execution. The definition is transitive but not reflexive.
3.3 Transitive Security Policies

**Definition 3.16** A transitive $G$-bisimulation is a relation $\mathcal{R}$ such that for all $\mathcal{V}$, $\mathcal{R}$ is a transitive $(G, \mathcal{V})$-bisimulation. Denote the largest transitive $G$-bisimulation $\approx^+_G$.

Now we can define the transitive security condition as a program being bisimilar to itself.

**Definition 3.17** (Transitive History-based Release) A program $\|_i \in I \mathcal{css}_i$ is secure wrt. the security policy $G$ if and only if we have $\|_i \in I \mathcal{css}_i \approx^+_G \|_i \in I \mathcal{css}_i$.

One should observe that the temporal properties of having information flows that are due to collaboration of several principals are lost. This is due to the resetting of the state between execution steps. Hence the Transitive History-based Release condition is a weakened condition compared to History-based Release. We also observe that for a transitively closed security policies the two conditions coincide and are equally strong. We investigate this further in the following two lemmas. The first lemma states that History-based Release and Transitive History-based Release are equally strong for a transitively closed policy.

**Lemma 3.18** If a program conforms with Transitive History-based Release for a Transitively Closed Policy $G$ then the program also conforms with History-based Release for $G$.

**Proof.** The proof proceeds by induction in the length of the evaluation sequence of the program $\|_i \in I \langle \mathcal{css}_{11}, \sigma_{11}, \varphi_{11} \rangle$. Consider the evaluation sequence $\|_i \in I \langle \mathcal{css}_{11}, \sigma_{11}, \varphi_{11} \rangle \xrightarrow{w}^k \|_i \in I \langle \mathcal{css}_{11}', \sigma_{11}', \varphi_{11}' \rangle$

If $k = 0$ the result follows vacuously. For the induction step we assume that the result holds for $k \leq k_0$ and we shall prove it for $k_0 + 1$. Divide the evaluation sequence into the first step and the rest. Applying Definition 3.15 gives us that the program conforms with Transitive History-based Release after evaluating one step. The remaining evaluation sequence is shorter, hence we apply the induction hypothesis and get that the last steps conform with History-based Release. The evaluation sequence has the form $\|_i \in I \langle \mathcal{css}_{11}, \sigma_{11}, \varphi_{11} \rangle \xrightarrow{w_1} \|_i \in I \langle \mathcal{css}_{11}''', \sigma_{11}'', \varphi_{11}''' \rangle \xrightarrow{w_2}^{k_0} \|_i \in I \langle \mathcal{css}_{11}'', \sigma_{11}', \varphi_{11}' \rangle$

Thus we need to consider the changes of the states. If a variable or signal has changed its value in the final state, one of the following cases must hold; first if
the variable or signal is unobservable, the result follows. Second if the variable
or signal is observable then we know that any differences between the resulting
states are due to the first step modifying the states used in the rest of the
evaluation. Now as the policy is a Transitively Closed Policy we have that there
exists an edge annotated with a constraint $\delta$ such that $\omega' \cdot \omega'' \in [\delta]$ and hence
there can be no difference in the states that are observable. □

The second lemma state that there exist programs that are secure by Transitive
History-based Release and insecure by History-based Release with respect to a
(non-transitive) policy.

**Lemma 3.19** If a program conforms with Transitive History-based Release for
a policy $G$ that is not transitively closed then the program might not conform
with History-based Release for $G$.

**Proof.** The proof proceeds by counter example. The first program presented
in Example 3.3 conforms with Transitive History-based Release for the policy
given in Figure 3.1(a). However it does not conform with History-based Release
for the same policy. □

### 3.4 Discussion

Traditionally, policies for information flow security have been of the form of
security lattices $[BL73, Den76]$ where an underlying hierarchical structure on
the principals in the system is assumed and reflected in the security lattice.
Hence the principals are tied to security levels and an ordering of security levels
indicate what information is observable to a principal. Security lattices have
found a widespread usage in language-based approaches to information flow
security, see e.g. $[VSI96, SM03a]$.

The security policies presented in this chapter are base on labelled graphs, i.e.
without assigning an underlying ordering. Due to the lack of underlying or-
dering the expressiveness of the policies is increased, allowing for simplified
specifications of security policies for systems. One example is systems that let a
principal act on resources in different security domains without causing a flow
of information in between. The expressiveness gained is due to the lack of the
transitive nature of the ordering in a lattice. These policies relate back to re-
source matrices applied for e.g. covert channel identification $[Kem82, McH95]$.
A comparison [HKMY86] on the verification of a real systems, the Honeywell Secure Ada Target (SAT), using the non-interference approach [GM82] and the shared resource matrix approach [Kem82] highlighted issues with the transitivity of the non-interference property. Further investigation illustrated that information flow policies are in general not transitive [HY86, Rus92].

Clearly the translation of a policy specified as a lattice to a labelled graph is straightforward. For each security level a security domain is introduced. Edges (labelled true) are added between security domains according to the ordering of the corresponding security levels.

The Decentralized Label Model by Myers and Liskov [ML97, Mye99a] is a framework for security policies that allows owners of information to specify who is permitted to read that information. The basis model is still a lattice and does not provide expressiveness similar to what is presented in this chapter.

### 3.4.1 Semantical security conditions

The goal of specifying whether a system complies with an information flow policy has been formally stated as non-interference [Coh77, GM82]. Informally non-interference states that for all input to a system, that varies only on information not observable to the attacker, the resulting output will only vary on information not observable to the attacker. Since the original formalisation several generalised non-interference properties have been published. In Section 3.2.2 we showed that History-based Release generalises non-interference, so in this Section other properties will be discussed and compared to History-based Release.

**Non-Disclosure** by Matos and Boudol [MB05] proposes extending the syntax of a ML-like calculus with specific constructs for loosening the security policy. These constructs have the form

\[
\text{flow } A \prec B \text{ in } M
\]

where \(M\) is an expression and \(A\) and \(B\) are security levels. The construct extends the security relation to permit information to flow from \(A\) to \(B\) in \(M\) and thereby permits disclosure of confidential information in lexically scoped parts of programs. The policies presented in this chapter allow for flows to be scoped within specified locations, i.e. locations associated with a security domain. Clearly, by introducing a security domain tied to a fresh location for each flow construct and constraining the information flow to only happen in
execution traces containing the security location we get scoped flows. Finally
due to the transitive nature of underlying lattice structure in \[MB05\], we need
to perform a transitive closure on the resulting graph to achieve the same effect
in our policies. In this manner the Non-Disclosure property can be seen as
a specialisation of the History-based Release property. Obviously the Non-
Disclosure property does not have the expressiveness to handle constraints on
execution traces.

**Intransitive non-interference.** Goguen and Meseguer \[GMS4\] generalised
non-interference to intransitive non-interference while observing that informa-
tion flows might be permitted when properly filtered at specified security lev-
els. The property was further investigated in \[HY86, Rus92\] and adapted to a
language-based setting by Mantel and Sands \[MS04\]. Mantel and Sands \[MS04\]
formalise intransitive non-interference so that two goals are achieved. First, the
place in the program where information flow is limited through a syntactical
extension of the language. Second the security level where information flows
through is specified through an extension of the security lattice by an intransi-
tive component. History-based Release incorporates these concerns. The place in the program
where information flow is guaranteed in the same way as described above for
the non-disclosure property. Furthermore the locality-based security policies are
intransitive due to being based on graphs rather than lattices.

**Non-interference until** by Chong and Myers \[CM04\] propose adding condi-
tions to security policies based on lattices. This is done by introducing a special
annotated flow of the form \(\ell_0 \xrightarrow{c_1} \cdots \xrightarrow{c_k} \ell_k\) into the security policies, which
states that information can be gradually downgraded along with the fulfilment
of the conditions \(c_1, \ldots, c_k\). It is straightforward to represent the downgrading
condition with History-based Release.

However, observe that once the conditions are fulfilled, information can flow di-
rectly from \(\ell_0\) to any of the security levels \(\ell_1, \ldots, \ell_k\). Therefore non-interference until
does not provide the intransitive guarantees of History-based Release. An-
other point is the temporal constraints that History-based Release enforce on
execution traces. Non-interference until provides simple temporal guarantees,
namely that conditions are fulfilled prior to downgrading. However neither the
order of the fulfilment nor the conditions allow for temporal constraints.

Chong and Myers \[CM05\] extend the policies to consider erasure. This extension
go beyond the scope of this chapter. Yet, one can consider the erasure policies
to be lifetime partitionings of variables and signals, where the program must guarantee that the variable or signal that is to be erased is overwritten along with the fulfilment of the constraints in the security policy. Chapter 5 presents further investigation and discussion of partitioning of security domains.

Flow Locks. Recently Broberg and Sands [BS06] introduced the novel concept of flow locks as a framework for dynamic information flow policies. The policies are specified in syntactical constructs introduced in an ML-like calculus. The constructs are utilised in the opening and closing of flow locks, these locks are used in constraining the information flows in the policies. The policies have the form \( \{ \sigma_1 \Rightarrow A_1; \ldots; \sigma_n \Rightarrow A_n \} \) and are used to annotate declarations of variables in the programs. These policies correspond to ours, where a policy needs to specify where information might flow globally during execution and is hence not transitively closed. The major difference is that our policies can include temporal constraints which cannot be expressed in the flow locks policies.

Another major difference between [BS06] and the present work is the intuition behind the security condition. In the flow lock setting information can flow to security levels as specified in the policies, as long as necessary locks are opened beforehand. This differs from our definition in not being tied to the actual flow of information. E.g. once a lock is open information can flow from several levels and several times. Furthermore flow locks have no way of observing if a lock has been closed and opened again between two flows. In our setting the constraints on the execution trace must be fulfilled for every single flow, hence it is not sufficient that another process is executed at the right location, just before or after considered flow.
A main concern in computer security is confidentiality, the assurance that information is only available to authorised principals. The first approaches to enforcing confidentiality were access control mechanisms granting access to information only to authorised principals. Often discretionary access control mechanisms will not track the usage of information after access clearance is granted, and hence trusts the principal (or process acting for the principal) to propagate the information in a confidentiality preserving manner [Lam73]. This has lead to an increased attention on mechanisms for mandatory access control [BL73] and information flow analysis [Den76]. While dynamic approaches enforcing information flow control has been proposed [DOD85] their approaches to determining dependencies, including implicit ones, often make them overly restrictive and impractical [Mye99b]. Thus much investigation of static analysis for information flow control has been done. Volpano et al. [VSI96] developed an automatic static analysis and showed the coupling to the security property of non-interference. This resulted in numerous investigations of static information flow analysis for real programming languages, e.g. [Mye99a] and [HR98], concurrency, e.g. [SV98] and [SS01], covert channels, e.g. [Aga00], and declassification, e.g. [ML97], [ZM01] and [SM03b] — for a thorough overview see [SM03a].
This chapter develops a static information flow analysis for COREVHDL. The approach taken is that of Kemmerer [Kem82, Kem02], where the identification of local dependencies and the end-to-end dependencies are separated and computed in two steps. This is different from the approach taken in [VSI96, Mye99a] (and others [SM03a]) where the transitivity of the underlying lattice-based security policies makes checking of local dependencies sufficient. Taking this view we develop the analysis and prove that it enforces the security properties presented in Chapter 3. Hence the analysis presented in this chapter is *flow insensitive* meaning that the execution order is not taken into account by the analysis [NNH99]. In Chapter 5 we will investigate a *flow sensitive* analysis in order to strengthen the information flow analysis by guiding the transitive closure through the removal of spurious control flows.

### 4.1 Local dependencies in CoreVHDL

The Information Flow analysis is performed in two steps. First we identify the flow of information to a variable or signal locally at each assignment; this is specified in this section. However instead of performing a transitive closure of this information, as specified by Kemmerer [Kem82], we base our correctness result on the transitively closed security policies and the matching property, transitive History-based Release.

The result of the Information Flow analysis is given in the form of a directed graph. The graph has a node for each variable or signal used in the program, and an edge from the node $n_1$ to the node $n_2$ if information might flow from $n_1$ to $n_2$ in the program.

The analysis is based on an understanding of which statements cause information to flow between signals. It is clear that an assignment of a variable to another variable will cause a flow of information. As an example,

```
a := b
```

causes a flow of information from $b$ to $a$. We also need to consider implicit flows due to conditional statements. As an example,

```
if c then a := b else null
```

has an implicit flow from $c$ to $a$ because an observer could use the resulting value of $a$ to gain information about the value of $c$. Observe that the presented security
properties does not capture information leaking through covert channels. Thus we here ignore issues regarding e.g. termination and timing of the statements. These issues will be discussed in detail in Chapter 5.

In the presented analyses we are going to use a labelling scheme. The labelling scheme is defined so that each block has a label which is initially unique for the program. During execution the labels might not be unique within the processes, but the same label is not found in two different processes. Hence, we shall sometimes implicitly use that to each label \((l \in \text{lab})\) there is a unique process identifier \((i \in \text{id})\) in which it occurs. In fact we shall freely use labels instead of process identifiers. The syntax of statements with labelled blocks

\[
ss ::= [\text{null}]^l | ss_1; ss_2 | \text{if} [e]^l \text{ then } ss_1 \text{ else } ss_2 \\
| [x := e]^l | [s <= e]^l | [\text{wait on } S \text{ until } e]^l
\]

Often we will annotate the evaluation with the structural operational semantics of a statement by the label of the block that has been evaluated. Hence we write

\[
⟨ss, ς, ϕ⟩^l \Rightarrow ⟨ss′, ς′, ϕ′⟩
\]

when the block labelled \(l\) is evaluated.

Analysing a COREVHDL program is done by checking that neither explicit nor implicit flow are present. In this fashion we must consider all the statements of COREVHDL and determine how information might flow. For a COREVHDL program we define a set of structural rules that define the set of dependencies between local variables and signals. The analysis is defined using judgements of the form

\[
B \vdash ss : RM
\]

where \(B \subseteq (\text{Var} \cup \text{Sig})\), \(ss \in \text{Stmt}\) and \(RM \subseteq ((\text{Var} \cup \text{Sig}) \times \text{Lab} \times \{M_0, M_1, R_0, R_1\})\). Here \(ss\) is the statement analysed under the assumption that it is only reachable when values of variables and signals in \(B\) have certain values. The result is the set \(RM\) containing entries \((n, l, M_j)\) if the variable or signal \(n\) might be modified at label \(l\) in \(ss\); we use \(M_0\) for variables and present values of signals and \(M_1\) for active values of signals. Similarly, \(RM\) contains entries \((n, l, R_j)\) if the variable or signal \(n\) might be read at label \(l\) in \(ss\); we use \(R_0\) for variables and present values of signals and \(R_1\) for the synchronisation of active values of signals.

The local dependency analysis of the flow between variables and signals is specified in Table 4.1 and is explained below. Assignments to variables result in local
Local Variable Assignment:
\[ B \vdash [x := e] : \{ (x, l, M_0) \} \cup \{ (n, l, R_0) \mid n \in \text{FV}(e) \cup \text{FS}(e) \cup B \} \]

Signal Assignment:
\[ B \vdash [s <= e] : \{ (s, l, M_1) \} \cup \{ (n, l, R_0) \mid n \in \text{FV}(e) \cup \text{FS}(e) \cup B \} \]

Skip:
\[ B \vdash [\text{null}] : \emptyset \]

Composition:
\[ B \vdash ss_1 : RM_1 \quad B \vdash ss_2 : RM_2 \]
\[ B \vdash ss_1 ; ss_2 : RM_1 \cup RM_2 \]

Conditional:
\[ B' \vdash ss_1 : RM_1 \quad B' \vdash ss_2 : RM_2 \]
\[ B \vdash \text{if } [e] \text{ then } ss_1 \text{ else } ss_2 : RM_1 \cup RM_2 \]
where \( B' = B \cup \text{FV}(e) \cup \text{FS}(e) \)

Synchronization:
\[ B \vdash [\text{wait on } S \text{ until } e] : \{ (s, l, R_1) \mid s \in \text{FS}(ss_i) \} \cup \{ (n, l, R_0) \mid n \in B \cup S \cup \text{FV}(e) \cup \text{FS}(e) \} \]
where \( ss_i \) is the body of process \( i \) in which \( l \) resides

Table 4.1: Structural rules for constructing a Resource Matrix for the process
\[ i : \text{process decl}_i \begin{block-set} ss_i \end{block-set} \text{ end process } i \]

dependencies, there are no other statements that causes information to flow into variables.

Observe that for the active signals in a program information can only flow to the signal through signal assignment. Hence only the signal assignment contributes dependencies to the resulting set. Notice that the information flowing to active signals \((M_1)\) might come from both local variables and the present value of signals, but never from the active value of signals.

The variables and signals used in the evaluation of conditions within if statements are collected in the block-set \( B \) as they might implicitly flow into assigned variables or signals in the branches. This is taken care of in rule [Conditional]. Again notice that this rule does not handle timing channels that might occur, timing channels will be discussed in Chapter 6.

The synchronisation statement (i.e. \text{wait}) causes information about the active signals to flow to the present value of the same signals. Hence we will update
(writing $R_1$) all signals present in the process considered.

4.2 Soundness

Before showing that the analysis provides the necessary static guarantee for the security properties presented in Chapter 3 the typical soundness result of subject reduction [NNH99] is shown. This result give some insight in the technical details of semantical soundness for COREVHDL as well as serving as a sanity check on the specification of the type system. When stating a subject reduction result it is imperative to determine a relation between typing environments before and after a semantical evaluation of a considered specification. In this matter the issues of the block component $B$ for tracking implicit flows in the static analysis is seen to be neither covariant nor contravariant. This is seen by observing that when analysing a conditional statement the block component is extended with the variables and signals branched on. However, when leaving a branch the block components is reduced accordingly. To overcome this issue the semantics is instrumented with a similar component for tracking the branching context. The instrumented semantics is defined on configurations of the form

$$B \vdash \langle ss^B, \sigma, \varphi \rangle \in (Var \cup Sig) \times Stmt^B \times State \times Signals$$

where $Stmt^B$ is an extension of the syntactical category for statements including the special construct $[B]ss^B$ that impose a lexically scoped block component on the statement $ss^B$. The $Stmt'$ category is extended in the same manner to $Stmt^{B'}$.

The instrumented semantics for COREVHDL is presented in Table 4.2 where we include the locality labels and the context in the notation of the statements. The instrumented semantics introduce two new rules, [Branch] for evaluating statements within a context. Notice that the instrumented semantics is limited to evaluate specifications that do not contain wait statements nested within conditionals.

Observe that the block component in the instrumented semantics collect precise information, opposite to the block component in the type system. Furthermore the block component has no influence on the evaluation of the statement.

**Lemma 4.1** If $ss = [ss^B]_B$ and $ss' = [ss^{B'}]_B$ then

$$\langle ss, \sigma, \varphi \rangle \Rightarrow \langle ss', \sigma', \varphi' \rangle \text{ iff. } B \vdash \langle ss^B, \sigma, \varphi \rangle \Rightarrow \langle ss^{B'}, \sigma', \varphi' \rangle$$
Local Variable Assignment:
\[ B \vdash \langle x := e \rangle, \sigma, \varphi \Rightarrow \langle \text{final}, \sigma[x \mapsto v] \rangle \text{ where } E[e] \langle \sigma, \varphi \rangle = v \]

Signal Assignment:
\[ B \vdash \langle s <:= e \rangle, \sigma, \varphi \Rightarrow \langle \text{final}, \sigma \{ s \mapsto v \} \rangle \text{ where } E[e] \langle \sigma, \varphi \rangle = v \]

Skip:
\[ B \vdash \langle \text{null} \rangle, \sigma, \varphi \Rightarrow \langle \text{final} \rangle \]

Composition:
\[ B \vdash \langle \text{ss}\ B_1 \rangle, \sigma, \varphi \Rightarrow \langle \text{ss}\ B_1', \sigma', \varphi' \rangle \quad \text{where } ss^{B_1'} \in Stmt^B \]
\[ B \vdash \langle \text{ss}\ B_1; \text{ss}\ B_2 \rangle, \sigma, \varphi \Rightarrow \langle \text{ss}\ B_2, \sigma', \varphi' \rangle \]

Conditional:
\[ B \vdash \langle \text{if } \epsilon \text{ then } ss^{B_1} \text{ else } ss^{B_2}, \varphi \rangle \Rightarrow \langle (\text{FV}(\epsilon) \cup \text{FS}(\epsilon)) ss^{B_1}, \sigma, \varphi \rangle \]
if \( E[e] \langle \sigma, \varphi \rangle = '1' \)
\[ B \vdash \langle \text{if } \epsilon \text{ then } ss^{B_1} \text{ else } ss^{B_2}, \varphi \rangle \Rightarrow \langle (\text{FV}(\epsilon) \cup \text{FS}(\epsilon)) ss^{B_2}, \sigma, \varphi \rangle \]
if \( E[e] \langle \sigma, \varphi \rangle = '0' \)

Branch:
\[ B \cup \tilde{B} \vdash \langle \text{ss}\ B, \sigma, \varphi \rangle \Rightarrow \langle \text{ss}\ B', \sigma', \varphi' \rangle \]
\[ B \vdash \langle [\tilde{B}]\text{ss}\ B, \sigma, \varphi \rangle \Rightarrow \langle [\tilde{B}]\text{ss}\ B', \sigma', \varphi' \rangle \]
\[ B \cup \tilde{B} \vdash \langle \text{ss}\ B, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma', \varphi' \rangle \]
\[ B \vdash \langle [\tilde{B}]\text{ss}\ B, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma', \varphi' \rangle \]

Table 4.2: Statements

The function \( \lceil \cdot \rceil_B \) removes locally scoped block components.

**Proof.** The proof proceeds by a two way induction in the shape of the derivation tree and follows by simply inspecting the semantical rules and applying the induction hypothesis. □

To handle the new syntactical construct introduced above we add the following
two rules to the Local Dependencies Analysis for CoreVHDL

\[
B \vdash \text{final} : \emptyset \\
B \cup B' \vdash ss^B : RM \\
B \vdash [B]ss^B : RM
\]

The instrumented semantics allows us to keep the block component invariant during evaluation of specifications. Therefore we are now ready to show the subject reduction result.

**Lemma 4.2** For every statement \( ss^B \) of CoreVHDL, where the Semantics changes the state in one step as \( B \vdash \langle ss^B, \sigma, \varphi \rangle \Rightarrow \langle ss^B', \sigma', \varphi' \rangle \), we have

\[
B \vdash ss^B : RM \Rightarrow \left\{ \begin{array}{l}
\exists B' : \exists RM' : \\
B' \vdash ss^{B'} : RM'
\wedge RM' \subseteq RM
\wedge B' = B
\end{array} \right. 
\]

**Proof.** The proof proceeds by induction on the shape of the derivation tree for the Local Dependencies analysis on statement \( ss^B \).

**Case \([x := e]^l\):** For assignment the Semantics evaluate the statement as

\[
B \vdash \langle \langle x := e \rangle^l, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma[x \mapsto v], \varphi \rangle \text{ where } E[e][\sigma, \varphi] = v
\]

and the Local Dependencies analysis gives

\[
B \vdash [x := e]^l : RM
\]

where \( RM = \{(x, l, M_0) \cup \{(n, l, R_0) \mid n \in FV(e) \cup FS(e) \cup B\} \) according to Table 4.1. Now choose \( B = B' \). Then applying the analysis to the statement after evaluating one step of the Semantics

\[
B' \vdash \text{final} : RM' = \emptyset
\]

Now it follows

\[
RM' \subseteq RM
\]
Case \([s <= e]^l\): Straightforward as above.

Case \([\text{null}]^l\): Evaluating a null statement in the Semantics gives

\[ B \vdash \langle [\text{null}]^l, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma, \varphi \rangle \]

and the result of the analysis is

\[ B \vdash [\text{null}]^l : RM \]

where \(RM = \emptyset\). Again we choose \(B = B'\), for which applying the analysis gives

\[ B' \vdash \text{final} : RM' = \emptyset \]

From which it follows that

\[ RM' \subseteq RM \]

Case \(ss_1^B; ss_2^B\): There are two possibilities for the Semantics, we consider them separately. First we consider the case where \(ss_1^B\) is not evaluated in a single step

\[
\frac{B \vdash \langle ss_1^B, \sigma, \varphi \rangle \Rightarrow \langle ss_1^{B'}, \sigma', \varphi' \rangle}{B \vdash \langle ss_1^B; ss_2^B, \sigma, \varphi \rangle \Rightarrow \langle ss_1^{B'}; ss_2^B, \sigma', \varphi' \rangle} \quad \text{where } ss_1^{B'} \in Stmt^B
\]

So the result of the analysis when applied to the original statement

\[
\frac{B \vdash ss_1^B : RM_1 \quad B \vdash ss_2^B : RM_2}{B \vdash ss_1^B; ss_2^B : RM_1 \cup RM_2}
\]

we apply the induction hypothesis on \(B \vdash \langle ss_1^B, \sigma, \varphi \rangle \Rightarrow \langle ss_1^{B'}, \sigma', \varphi' \rangle\) which gives
Now choose \( B' = B'_1 \). The result of applying the analysis after evaluating one step of the Semantics is

\[
B' \vdash ss_{1}^{B'} : RM_{1} \quad B' \vdash ss_{2}^{B'} : RM_{2}
\]

\[
\frac{B' \vdash ss_{1}^{B'} : RM_{1} \quad B' \vdash ss_{2}^{B'} : RM_{2}}{B' \vdash ss_{1}^{B'}, ss_{2}^{B'} : RM_{1} \cup RM_{2}}
\]

and it follows

\[
RM_{1}' \cup RM_{2} \subseteq RM_{1} \cup RM_{2}
\]

Secondly we consider the case where \( ss_{1}^{B} \) is completely evaluated in a single step

\[
B \vdash (ss_{1}^{B}, \sigma, \varphi) \Rightarrow (\text{final}, \sigma', \varphi')
\]

\[
B \vdash (ss_{1}^{B}, ss_{2}^{B}, \sigma, \varphi) \Rightarrow (ss_{2}^{B}, \sigma', \varphi')
\]

and for the original statement the analysis gives

\[
\frac{B \vdash ss_{1}^{B} : RM_{1} \quad B \vdash ss_{2}^{B} : RM_{2}}{B \vdash ss_{1}^{B}, ss_{2}^{B} : RM_{1} \cup RM_{2}}
\]

Choose \( B = B' \). Then applying the analysis gives

\[
B' \vdash ss_{2}^{B'} : RM'
\]

where \( RM' = RM_{2} \). Therefore it follows

\[
RM' \subseteq RM_{1} \cup RM_{2}
\]
Case if \([e]_{l}\) then \(ss_1^B\) else \(ss_2^B\): For a given \(\sigma\) and \(\varphi\) we consider the cases where \(e\) evaluates to '1' and '0'.

If \(E[e](\sigma, \varphi) = '1'\) : One step of the Semantics give

\[
B \vdash (\text{if } e \text{ then } ss_1^B \text{ else } ss_2^B, \sigma, \varphi) \Rightarrow ([FV(e) \cup FS(e)]ss_1^B, \sigma, \varphi)
\]

Applying the analysis gives

\[
\frac{B'' \vdash ss_1^B : RM_1 \quad B'' \vdash ss_2^B : RM_2}{B \vdash \text{if } [e]_{l} \text{ then } ss_1^B \text{ else } ss_2^B : RM_1 \cup RM_2}
\]

where \(B'' = B \cup FV(e) \cup FS(e)\). We choose \(B' = B\) and apply the analysis

\[
\frac{B' \cup FV(e) \cup FS(e) \vdash ss_1^B : RM'}{B' \vdash [FV(e) \cup FS(e)]ss_1^B : RM'}
\]

where \(RM' = RM_1\), it follows that

\[
RM' \subseteq RM_1 \cup RM_2
\]

If \(E[e](\sigma, \varphi) = '0'\) : One step of the Semantics give

\[
B \vdash (\text{if } e \text{ then } ss_1^B \text{ else } ss_2^B, \sigma, \varphi) \Rightarrow (ss_2^B, \sigma, \varphi)
\]

Applying the analysis gives

\[
\frac{B'' \vdash ss_1^B : RM_1 \quad B'' \vdash ss_2^B : RM_2}{B \vdash \text{if } [e]_{l} \text{ then } ss_1^B \text{ else } ss_2^B : RM_1 \cup RM_2}
\]

where \(B'' = B \cup FV(e) \cup FS(e)\). We choose \(B' = B\) and apply the analysis
where \( RM' = RM_2 \) therefore

\[
RM' \subseteq RM_1 \cup RM_2
\]

**Case** \([\bar{B}]ss^B\): There are two cases for evaluating the statement in the Semantics. First assume that the Semantics give

\[
B' \cup \text{FV}(e) \cup \text{FS}(e) \vdash ss^B : RM'
\]

applying the analysis on the statement before taking one step in the Semantics gives us

\[
B' \vdash \langle \text{ss}^B, \sigma, \varphi \rangle \Rightarrow \langle \text{ss}^B', \sigma', \varphi' \rangle
\]

now we choose \( B' = B \), then applying the analysis on the statement after the step in the Semantics gives us

\[
B' \cup \bar{B} \vdash ss^B : RM
\]

if we apply the Induction Hypothesis on \( B' \cup \bar{B} \vdash ss^B, \sigma, \varphi \Rightarrow (ss^B', \sigma', \varphi') \) we get

\[
B' \cup \bar{B} \vdash ss^B : RM \Rightarrow \exists B'' : \exists RM' : \begin{align*}
B'' & \vdash ss^B' : RM' \\
\land \ RM' & \subseteq RM \\
\land \ B'' & = B \cup \bar{B}
\end{align*}
\]

and therefore
\[ RM' \subseteq RM \]

Now assume that the Semantics give

\[
B \cup \tilde{B} \vdash \langle ss^B, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma', \varphi' \rangle \\
B \vdash \langle [\tilde{B}]ss^B, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma', \varphi' \rangle
\]

applying the analysis on the statement before taking one step in the Semantics gives us

\[
B \cup \tilde{B} \vdash ss^B : RM \\
\Rightarrow B \vdash [\tilde{B}]ss^B : RM
\]

no we choose \( B' = B \), then applying the analysis on the statement after the step in the Semantics gives us

\[
B' \vdash \text{final} : \emptyset
\]

clearly

\[
\emptyset \subseteq RM
\]

This proves the Lemma. \( \square \)

Similarly we wish to prove the following Lemma for the correctness of CoreVHDL programs.

**Lemma 4.3** For every set of concurrent statements \( css \) of CoreVHDL, where the Semantics changes the state in one step as \( ||_{i \in I} \langle ss_i^B, \sigma_i, \varphi_i \rangle \Rightarrow ||_{i \in I} \langle ss_i^{B_i}, \sigma'_i, \varphi'_i \rangle \), we have

\[
B_i \vdash ss_i^B : RM_i \Rightarrow \left\{ \exists B'_1, \ldots, B'_n : \exists RM'_1, \ldots, RM'_n : \\
B'_i \vdash ss_i^{B'_i} : RM'_i \\
\wedge RM'_i \subseteq RM_i \\
\wedge B'_i = B_i \right\}
\]

**Proof.** The proof proceeds by inspection of the two cases in the Semantics of Concurrent statements.
4.2 Soundness

Case Handle non-waiting processes (H): If none of the processes are waiting the Semantics evaluates one step as

\[ \emptyset \vdash \langle ss_j^B, \sigma_j, \varphi_j \rangle \Rightarrow \langle ss_j'^B, \sigma_j', \varphi_j' \rangle \]

\[ \parallel_{i \in I \cup \{j\}} \langle ss_i^B; css_i, \sigma_i, \varphi_i \rangle \Rightarrow \parallel_{i \in I \cup \{j\}} \langle ss_i'^B; css_i, \sigma_i', \varphi_i' \rangle \]

where \( ss_i'^B = ss_i^B \), \( \sigma_i' = \sigma_i \) and \( \varphi_i' = \varphi_i \) for all \( i \neq j \). For the \( j \)th statement the result follows from Lemma 4.2. For the \( i \)th statement, i.e. \( i \neq j \), \( ss_i^B = ss_i'^B \), so assume

\[ B_i \vdash ss_i^B : RM_i \]

now choose \( B_i' = B_i \), then the analysis of \( ss_i'^B \) gives

\[ B_i' \vdash ss_i'^B : RM_i' \]

it follows that \( RM_i' \subseteq RM_i \).

Case Active signals (A): If all processes are waiting the Semantics considers the active signals

\[ \parallel_{i \in I} (\text{wait on } S_i \text{ until } e_i; ss_i^B, \sigma_i, \varphi_i) \Rightarrow \parallel_{i \in I} (ss_i'^B, \sigma_i, \varphi_i') \]

where \( ss_i'^B \) is defined depending on

\[ ss_i'^B = \begin{cases} ss_i^B & \text{if } \left( (\exists s \in S_i. \varphi_i \ s 0 \neq \varphi'_i \ s 0) \land \ E[e_i](\sigma_i', \varphi_i') = 1' \right) \\ \text{wait on } S_i \text{ until } b_i; ss_i^B & \text{otherwise} \end{cases} \]

We consider the two cases in turn.
If \((\exists s \in S_i. \varphi_i \neq \varphi'_i s 0) \land \mathcal{E}[e_i](\sigma'_i, \varphi'_i) \Rightarrow 1')\): The Semantics continues execution, i.e. \(ss_i^{B'} = ss_i^B\). Assume that the analyses of the process before evaluating the wait statement is

\[
\frac{B_i \vdash \text{[wait on } S \text{ until } e_i]\!^l : RM_{i_1}}{B_i \vdash \text{[wait on } S \text{ until } e_i]\!^l; ss_i^B : RM_{i_2} \cup RM_{i_2}}
\]

where \(RM_{i_1} = \{(s, l, R_1) \mid s \in FS(ss_i^{B''})\} \cup \{(n, l, R_0) \mid n \in B \cup FV(e) \cup FS(e)\}\) and \(ss_i^{B''}\) is the body of process \(i\) in which \(l\) resides. Choose \(B'_i = B_i\) then

\[
B'_i \vdash ss_i^B : RM'_i
\]

where \(RM'_i = RM_{i_2}\). Now it follows

\[
RM'_i \subseteq RM_{i_1} \cup RM_{i_2}
\]

Otherwise: Trivial as \(ss_i^{B'} = \text{wait on } S_i \text{ until } e_i; ss_i^B\).

Case Processes (P): Holds vacuously.

\square

### 4.3 History-based Release

The main result in this chapter is to show that the developed information flow analysis provides static guarantees for the security property History-based Release for a considered Locality-based security policy. In the formal results we make the assumption that the security policies are transitively closed. This restriction and how to lift it will be discussed in detail in Chapter 5. Hence we aim to show that analysing a program with the above presented analysis result in a static guarantee that match the transitive History-based release property presented in Section 3.3. Thus it follows from Lemma 3.18 that for a transitively closed security policy the analysis guarantee History-based Release.

First we state when the result of the Information Flow Analysis of a program is secure wrt. a security policy. We need to do this because the analysis will not
reject insecure programs (as it is often done by other information flow analyses, e.g. [VSI96, SM03a]), instead we choose to analyse the flow of information in a program, and afterwards compare the result with the security policy. This is merely a technicality as the related analyses could most often be modified to infer the security types.

**Definition 4.4 (Secure Analysis Result)** A \textsc{CoreVHDL} program \( ||_{i \in I} ss_i \) has a secure analysis result wrt. to a security policy \((V, \lambda)\) if the result of the Information Flow analysis \(RM_{lo}\) satisfies

\[
\forall n, n', l, i : \{(n, l, M_i), (n', l, R_0)\} \subseteq RM_{lo} \Rightarrow l \leq \Delta \lambda(n', n)
\]

and

\[
\forall n, n', l : \{(n, l, R_1), (n', l, R_0)\} \subseteq RM_{lo} \Rightarrow l \leq \Delta \lambda(n', n)
\]

When verifying a program we sometimes need to consider conditionals that depend on variables and signals which are not observable to an attacker, in this case it is imperative that branches do not give away information about the result of evaluating the condition, thus resulting in an implicit flow of information. Therefore we consider the class of statements that have the property of never modifying the observable part of the states. We shall classify this class of statements as being *operationally unobservable*.

**Definition 4.5 (Operationally unobservable statement)** A statement \( ss \) is said to be operationally unobservable for an observer \( V \) if

\[
\langle ss, \sigma, \varphi \rangle \Rightarrow^* \langle ss', \sigma', \varphi' \rangle
\]

implies

\[
\sigma \sim_V \sigma' \text{ and } \varphi \sim_V \varphi'
\]

Observe that this definition allows the statement to contain assignments to observable variables and signals, as long as they are either never evaluated or guaranteed to result in the same states (e.g. \( x := x \)).

In the resource matrix used when analysing a statement we can gain information that allows us to determine whether the statement might modify the observable part of the states. Hence we say that a statement is *syntactically unobservable* when the resource matrix used by the analysis of the statement does not contain any modifications \((M_0 \text{ or } M_1)\) of an observable variable or signal.
**Definition 4.6** (Syntactically unobservable statement) A statement $ss$ is said to be *syntactically unobservable* for an observer $V$ if
\[ B \vdash ss : RM \]
implies
\[ \{ (n, l, i) \mid n \in V \land l \in Lab(ss) \land i \in \{0, 1\} \} \cap RM = \emptyset \]

Now we can show that syntactically unobservable statements are also operationally unobservable. First we show that evaluating one step of the statement is not observable.

**Lemma 4.7** If a statement $ss$ is *syntactically unobservable* for $V$ then we have
\[ \langle ss, \sigma, \phi \rangle \Rightarrow \langle ss', \sigma', \phi' \rangle \]
implies
\[ \sigma \sim_V \sigma' \text{ and } \phi \sim_V \phi' \]

**Proof.** The proof proceeds by induction in the shape of the analysis.

**Case $[x := e]^l$:** Analysing the statement gives
\[ B \vdash [x := e]^l : RM \]
where $RM = \{(x, l, M_0)\} \cup \{(n, l, R_0) \mid n \in FV(e) \cup FS(e) \cup B\}$. Applying the semantics on the assignment gives
\[ \langle [x := e]^l, \sigma, \phi \rangle \Rightarrow \langle \text{final}, \sigma[x \mapsto v], \varphi \rangle \]
where $E[e]\langle \sigma_1, \varphi_1 \rangle = v$. Because the statement is *syntactically unobservable* it follows from Definition 4.6 that $x \notin V$. Hence we have that $\sigma \sim_V \sigma'$ and $\phi \sim_V \phi'$ holds vacuously.

**Case $[s <= e]^l$:** Straightforward as above.

**Case $[\text{null}]^l$:** Holds trivially.
Case $ss; ss'$: The analysis of the statement gives

\[
\begin{align*}
B \vdash ss_1 &: RM_1 \\
B \vdash ss_2 &: RM_2 \\
B \vdash ss_1; ss_2 &: RM_1 \cup RM_2
\end{align*}
\]

Now $RM_1$ is a valid resource matrix for $ss_1$. Hence from Definition 4.6 and by observing that $RM_1 \subseteq RM_1 \cup RM_2$ we can conclude that $ss_1$ is syntactically unobservable for $V$. Now assume that applying the semantics on the statement $ss_1$ gives

\[
\langle ss_1, \sigma, \varphi \rangle \Rightarrow \langle ss'_1, \sigma', \varphi' \rangle
\]

hence applying the induction hypothesis gives $\sigma \sim_V \sigma'$ and $\varphi \sim_V \varphi'$. We need to consider two cases. First if $ss_1 = \text{final}$ we can apply the rule

\[
\begin{align*}
\langle ss_1, \sigma, \varphi \rangle &\Rightarrow \langle \text{final}, \sigma', \varphi' \rangle \\
\langle ss_1; ss_2, \sigma, \varphi \rangle &\Rightarrow \langle ss'_1; ss_2, \sigma', \varphi' \rangle
\end{align*}
\]

and the case follows. Similar if $ss_1 \neq \text{final}$ we can apply the rule

\[
\begin{align*}
\langle ss_1, \sigma, \varphi \rangle &\Rightarrow \langle ss'_1, \sigma', \varphi' \rangle \\
\langle ss_1; ss_2, \sigma, \varphi \rangle &\Rightarrow \langle ss'_1; ss_2, \sigma', \varphi' \rangle
\end{align*}
\]

which concludes the proof of this case.

Case if $[e]'$ then $ss_1$ else $ss_2$: Holds trivially as evaluating one step in the semantics does not modify the states.

We can now show that evaluating any number of steps does not result in the attacker gaining information.

Lemma 4.8. If a statement $ss$ is syntactically unobservable for $V$ then it is also operationally unobservable for $V$.

Proof. The Lemma follows from the transitive reflexive closure of Lemma 4.7.

To show the main result we can build a symmetric relation between statements. The binary relation is defined such that two statement when evaluated will
modify the same observable variables and signals. The relation is called $T_{G,V}$, and state that two statements can either be equal or have prefixes that are syntactically unobservable.

**Definition 4.9** ($T_{G,V}$) Define $T_{G,V}$ as a relation on statement where we have that $ss_1 T_{G,V} ss_2$ if one of the following holds

- $ss_1 = ss_2$, or
- $ss_1 = \overline{ss_1}; ss'_1$ and $ss_2 = \overline{ss_2}; ss'_2$ where $\overline{ss_1}$ and $\overline{ss_2}$ are operationally unobservable for $V$ and $ss'_1 T_{G,V} ss'_2$, or
- $ss_1$ and $ss_2$ are operationally unobservable for $V$.

Now we are ready to show that two statements, which are related by $T_{G,V}$ and are secure by Definition 4.4, will also be related during each step of computation.

**Lemma 4.10** If two CoreVHDL statements $ss_1$ and $ss_2$ are secure wrt. $G$ and $V$, when analysed in context $B$ and we have that

\[
\langle ss_1, \sigma_1, \varphi_1 \rangle \xrightarrow{l} \langle ss'_1, \sigma'_1, \varphi'_1 \rangle \land \\
ss_1 T_{G,V} ss_2 \land \\
\sigma_1 \sim \nabla(V,G,l) \sigma_2 \land \\
\varphi_1 \sim \nabla(V,G,l) \varphi_2
\]

then there exists $ss'_2$, $\sigma'_2$ and $\varphi'_2$ such that

\[
\langle ss'_2, \sigma_2, \varphi_2 \rangle \xrightarrow{l} \langle ss'_2, \sigma'_2, \varphi'_2 \rangle \land \\
ss'_1 T_{G,V} ss'_2 \land \\
\sigma'_1 \sim \nabla \sigma'_2 \land \\
\varphi'_1 \sim \nabla \varphi'_2
\]

**Proof.** We need to consider each of the cases following from the clauses of Definition 4.9. First consider the case where $ss_1 = \overline{ss_1}; ss$ and $\overline{ss_1}$ is operationally unobservable for $V$. Assume that semantics evaluate $\overline{ss_1}$ as

\[
\langle \overline{ss_1}, \sigma_1, \varphi_1 \rangle \Rightarrow \langle \text{final}, \sigma'_1, \varphi'_1 \rangle
\]

Applying the semantical rule [Composition] gives us

\[
\langle \overline{ss_1}; ss, \sigma_1, \varphi_1 \rangle \Rightarrow \langle ss, \sigma'_1, \varphi'_1 \rangle
\]
We know from Definition 4.9 that $ss_2 = \overline{ss}_2; ss$, Now choose the evaluation sequence

$$(\overline{ss}_2, \sigma_2, \varphi_2) \Rightarrow^k (\text{final}, \sigma'_2, \varphi'_2)$$

and from Lemma 2.1 we get that

$$(\overline{ss}_2; ss, \sigma_2, \varphi_2) \Rightarrow^k (ss, \sigma'_2, \varphi'_2)$$

and the result follows from Definition 4.5.

Now, assume that the semantics did not evaluate $\overline{ss}_1$ completely in one step then we choose not to evaluate $ss_2$. Hence Definition 4.5 and observing that the relation between the resulting statements are preserved gives the result.

If $ss_1$ is operationally unobservable for $\mathcal{V}$, we execute one step as

$$(ss_1, \sigma_1, \varphi_1) \Rightarrow (ss'_1, \sigma'_1, \varphi'_1)$$

now if $ss'_1 = \text{final}$ then we evaluate $ss_2$ completely and the result follows from Definition 4.5 otherwise we do not apply the semantics on $ss_2$ and the result follows.

Finally we need to show the result when $ss_1 = ss_2$. The proof proceeds by induction in the shape of the derivation tree for the Structural Operational Semantics on the statement $ss_1$.

**Case** $[x := e]^l$: There are two subcases. First if $x \in \mathcal{V}$, we have that the semantics evaluate one step as

$$([x := e]^l, \sigma_1, \varphi_1) \Rightarrow ([\text{final}, \sigma_1[x \mapsto v]], \varphi_1)$$

where $E[e] \langle \sigma_1, \varphi_1 \rangle = v$. Applying the analysis gives us

$$B \vdash [x := e]^l : RM$$

where $RM = \{(x, l, M_0)\} \cup \{(n, l, R_0) \mid n \in \text{FV}(e) \cup \text{FS}(e) \cup B\}$. Because the statement is secure and following from Definition 3.9 and Fact 1 we know that

$$E[e] \langle \sigma_1, \varphi_1 \rangle = E[e] \langle \sigma_2, \varphi_2 \rangle$$
Therefore we get $\sigma_1 \sim_\nu \sigma_2$, while $\varphi_1 \sim_\nu \varphi_2$ and final $T_{G, \nu}$ final follows vacuously.

If $x \notin \nu$ the case follow immediately by observing that evaluating one step in the semantics on both $ss_1$ and $ss_2$ in respective states fulfils the requirement directly.

**Case** $[s <= e]$: Straightforward as above.

**Case** $[null]$: Holds trivially.

**Case** $ss; ss''$: Evaluating one step in the semantics results in two cases first assume that the evaluation has the form

$$
\langle ss, \sigma_1, \varphi_1 \rangle \Rightarrow \langle ss'_1, \sigma'_1, \varphi'_1 \rangle
$$

Now it follows from applying the induction hypothesis that there exists $ss'_2, \sigma'_2$ and $\varphi'_2$ such that

$$
\langle ss, \sigma_2, \varphi_2 \rangle \Rightarrow^* \langle ss'_2, \sigma'_2, \varphi'_2 \rangle \land
ss'_1 \vdash_{G, \nu} ss'_2 \land
\sigma'_1 \sim_\nu \sigma'_2 \land
\varphi'_1 \sim_\nu \sigma'_2
$$

The case follows from observing that $ss'_1; ss'' \vdash_{G, \nu} ss'_2; ss''$.

Now assume that the semantics evaluate one step as

$$
\langle ss, \sigma_1, \varphi_1 \rangle \Rightarrow \langle \text{final}, \sigma'_1, \varphi'_1 \rangle
$$

Hence it follows from applying the induction hypothesis that there exists $ss'_2, \sigma'_2$ and $\varphi'_2$ such that

$$
\langle ss, \sigma_2, \varphi_2 \rangle \Rightarrow^* \langle ss'_2, \sigma'_2, \varphi'_2 \rangle \land
\text{final} \vdash_{G, \nu} ss'_2 \land
\sigma'_1 \sim_\nu \sigma'_2 \land
\varphi'_1 \sim_\nu \sigma'_2$$
4.3 History-based Release

Definition 4.9 gives us that \( ss' \) is operationally unobservable for \( V \). In the second case we apply the semantics as

\[
(ss'_2, \sigma'_2, \varphi'_2) \Rightarrow^* (\text{final}, \sigma''_2, \varphi''_2)
\]

Where we have that \( \sigma'_2 \sim_V \sigma''_2 \) and \( \varphi'_2 \sim_V \varphi''_2 \). Now we know the \( ss'' \) \( T_{G,V} ss'' \) and the case follows.

Case if \([e]^l \) then \( ss \) else \( ss' \): We apply the semantics as

\[
(\text{if } [e]^l \text{ then } ss \text{ else } ss', \sigma_1, \varphi_1) \Rightarrow (ss'_1, \sigma_1, \varphi_1)
\]

We need to consider two cases. First if

\[
\forall n : n \in \text{FV}(e) \cup \text{FS}(e) \Rightarrow n \in \nabla(G, l)
\]

then we know that

\[
E[e](\sigma_1, \varphi_1) = E[e](\sigma_2, \varphi_2)
\]

and hence we can choose to apply the semantics as

\[
(\text{if } [e]^l \text{ then } ss \text{ else } ss', \sigma_2, \varphi_2) \Rightarrow (ss'_1, \sigma_2, \varphi_2)
\]

and the result follows immediately.

However, if

\[
\exists n : n \in \text{FV}(e) \cup \text{FS}(e) \land n \notin \nabla(G, l)
\]

we know from Definition 4.4 and Lemma 4.8 that \( ss \) and \( ss' \) are operationally unobservable for \( V \) and hence \( ss \) \( T_{G,V} ss' \) so no matter which branch we choose by applying the semantics the result holds.

Finally we can show the main result. To do so we lift the relation \( T_{G,V} \) to \( \text{COREVHDL} \) programs.

Definition 4.11 \( (U_{G,V}) \) Define \( U_{G,V} \) as a relation on programs where we have that \( \|i \in I css_{i1} U_{G,V} \|i \in I css_{i2} \) if for all \( i \in I \) one of the following holds
• \(css_{i_1} = css_{i_2}\), or

• \(css_{i_1} = ss_1; css'_{i_1}\) and \(css_{i_2} = ss_2; css'_{i_2}\) where \(\overline{ss}_1 \cup \overline{ss}_2\) and \(css'_{i_1} U_G css'_{i_2}\).

Now, when two programs are analysed and considered secure, and each statement in the body of the processes can be related by \(U_G, V\), we have that the statements and states resulting of evaluating one step by the semantical relation preserves the secrecy of unobservable information.

**Theorem 4.12** If two CoreVHDL programs \(\| i \in I css_{i_1}\) and \(\| i \in I css_{i_2}\) are secure wrt. \(G\) and \(V\), when analysed in context \(B\) and we have that

\[
\| i \in I \langle css_{i_1}', \sigma_{i_1}, \varphi_{i_1} \rangle \implies \| i \in I \langle css_{i_1}''', \sigma'_{i_1}, \varphi'_{i_1} \rangle \wedge \| i \in I css_{i_1} U_G V \| i \in I css_{i_2} \wedge \sigma_{i_1} \sim V (\sigma_{i_2}) \wedge \sigma'_{i_1} \sim V (\sigma'_{i_2}) \wedge \varphi_{i_1} \sim V (\varphi_{i_2})
\]

then there exists \(ss'_{i_2}, \sigma'_{i_2}\) and \(\varphi'_{i_2}\) such that

\[
\| i \in I \langle css_{i_2}', \sigma_{i_2}, \varphi_{i_2} \rangle \implies \| i \in I \langle css_{i_2}''', \sigma'_{i_2}, \varphi'_{i_2} \rangle \wedge \| i \in I css_{i_1} U_G V \| i \in I css_{i_2}' \wedge \sigma'_{i_1} \sim V (\sigma'_{i_2}) \wedge \sigma'_{i_1} \sim V (\sigma'_{i_2}) \wedge \varphi'_{i_1} \sim V (\varphi'_{i_2})
\]

**Proof.** The proof proceeds by induction in the shape of the derivation tree for the Structural Operational Semantics on the concurrent statement \(css_{i_1}\).

**Case Handle non-waiting processes (H):** This case follows from Lemma 4.10

**Case Active signals (A):** The states are modified by clearing the active values, while moving the active values to the present values. Finally the condition on the synchronisation point (until \(e\)) must evaluate to the same because the analysis result for the program is secure.

**Case Processes (P):** This case holds vacuously.
4.4 Discussion

A result of Theorem 4.12 is that $U_{G,Y}$ is a bisimulation of satisfying Definition 3.15 for programs that can be analysed as secure. Furthermore $U_{G,Y}$ can be seen as satisfying Definition 3.10 for transitively closed security policies.

Figure 4.1: Result of the Information Flow Analysis for programs (a) and (b).

In this chapter transitively closed security policies have been investigated. However, a security policy is given in the form of a directed graph. This graph will in general be non-transitive. To illustrate this point consider the following programs:

(a): $[c := b]; [b := a]$

(b): $[b := a]; [c := b]$

In program (a) there is a flow from $b$ to $c$ and a flow from $a$ to $b$ and therefore the security policy shown in Figure 4.1(a) has an edge from node $b$ to node $c$ and an edge from node $a$ to node $b$. There is no flow from $a$ to $c$ and indeed there is no edge from $a$ to $c$. In program (b) on the other hand there is a flow from $a$ to $c$ and the security policy shown in Figure 4.1(b) indeed has an edge from $a$ to $c$. Analysing the two program (a) and (b) result in the same flow graph (i.e. Figure 4.1(b)), hence not allowing us to verify program (a) with respect to the security policy given in Figure 4.1(a). This is due to the flow insensitivity in the presented information flow analysis. Keeping this in mind we observe most investigations of information flow analyses are flow-insensitive e.g. [Den76, VSI96, Mye99a] and many more, see [SM03a] for an overview. In comparison the flow-sensitivity approaches are far more limited in numbers: [CHH02, AB04, HS06]. However all except for [AB04] rely on lattice-based (and hence transitively closed) security policies. This seems surprising as one can not express a transitively closed policy for program (a) without having to transform the program. Therefore we will continue the investigation of the information flow analysis in the following chapter, and discuss a flow sensitive extension and the benefit in expressing policies with it.
Chapter 5

Reaching Definitions Analysis

Reviling a locust tree when pointing at a mulberry tree.
— Chinese proverb

The previous chapter presented an flow insensitive analysis, that provided static guarantees sufficient for verifying systems when their security policies were transitively closed. This approach follows the tradition of information flow analysis [VSI96, ML97, Mye99a, Mye99b, SS00, SS01, SM03a]. Yet, investigations by Kemmerer [Kem82] have consider the information flows found by these approaches to be only the first step in the analysis of information flow. Indeed Kemmerer divides the analysis into two phases; first the local dependencies are identified, and second the global dependencies are calculated. In the previous chapter we proved that the analysis of local dependencies are sufficient to verify a program compliance with a transitively closed policy. Which match the results for the earlier presented analyses, due to their lattice based policies. However for our graph based policies this limitation seems to hinder the full expressiveness. In fact, previous investigations have shown the need for control flow sensitive mechanisms in information flow analyses [McH83]. Hence we aim to lift this constraint by extending the analysis by a flow sensitive component.

The approach taken will not be to modify the existing analysis, instead we choose to develop an analysis tracking the data flow in the program, and use it to remove the unwanted edges introduced in the security policy by restricting it to be transitively closed. The investigation will focus on the classical data flow analysis Reaching Definitions. In the following we will adapt a Reaching Definitions analysis to the setting of hardware descriptions. Some of the main issues
concerning the synchronisation and timing in hardware specifications make this to be a nontrivial task.

5.1 Analysing CoreVHDL

The main purpose of the Reaching Definitions analysis is to gather information about which assignments may have been made and not overwritten, when the execution reaches each point in the program.

The semantics divides signal states into two parts, namely the present value of a signal and the active value of a signal. Following this the analysis is divided into two parts as well, one for the active value of a signal and one for local variables and the present value of a signal. The two parts are connected since the active values of a signal influence the present value of the signal after the following synchronisation. Therefore we will first define the analysis of active signals in Section 5.1.2 and then, that of the local variables and present values of signals in Section 5.1.3.

The analysis for active signals is concerned only with a single process, and thus has no information about the other processes. It collects information about which signals might be active in order to gather all the influences on the present value; this information is gathered for the process $i$ by an over-approximation analysis of the active signals $RD^\cup_i \varphi$. It also collects information about which signals must be active so that the overwritten signals can be removed from the analysis result; this information is gathered for the process $i$ by an under-approximation analysis of the active signals $RD^\cap_i \varphi$.

The analysis of the local variables and present values of signals will be an over-approximation. It is concerned with the entire program and thus collects information for all processes at the same time.

5.1.1 Common analysis domains

The analyses use a labelling scheme, a block definition and a flow relation, similar to the ones described in [NNH99], the only difference being the wait statements which are given labels and treated as blocks. For each process $i$ in a program

\[
\| i \in I \quad i : \text{process decl}_i; \begin{align*}
\begin{align*}
\end{align*}
\end{align*}
\end{align*}
\]

end process $i$
5.1 Analysing CoreVHDL

the set of blocks is denoted blocks(ss_i) and the flow relation is denoted flow(ss_i). Similarly we use init(ss_i) to denote the label of the initial block when executing the process i.

Data flow analyses are defined by pairs of functions that map labels to the appropriate sets; one function in each pair specifies information that is true on the entry to block, the second specifies information that is true at the exit. To aid us in defining these functions we will first define a number of simple operations on programs and labels. These are all simple adaptations of the operations specified in the classical data flow analyses [NNH99].

First we define a operation that returns the initial label of a statement

\[
\text{init} : \text{Stmt} \rightarrow \text{Lab}
\]

\[
\begin{align*}
\text{init}([x := e]_l) &= l \\
\text{init}([s <= e]_l) &= l \\
\text{init}([\text{null}]_l) &= l \\
\text{init}(ss_1; ss_2) &= \text{init}(ss_1) \\
\text{init}(\text{if } e \text{ then } ss_1 \text{ else } ss_2) &= l \\
\text{init}([\text{wait on } S \text{ until } e]_l) &= l
\end{align*}
\]

We also need to define a operation which returns the set of final labels in a statement; contrary to the fact that a sequence of statements has an isolated initial label, it may have multiple final labels, this is due to the conditionals.

\[
\text{final} : \text{Stmt} \rightarrow \mathcal{P}(\text{Lab})
\]

\[
\begin{align*}
\text{final}([x := e]_l) &= \{l\} \\
\text{final}([s <= e]_l) &= \{l\} \\
\text{final}([\text{null}]_l) &= \{l\} \\
\text{final}(ss_1; ss_2) &= \text{final}(ss_2) \\
\text{final}(\text{if } e \text{ then } ss_1 \text{ else } ss_2) &= \text{final}(ss_1) \cup \text{final}(ss_2) \\
\text{final}([\text{wait on } S \text{ until } e]_l) &= \{l\}
\end{align*}
\]

The Blocks in a program or statement is the labelled elements, e.g. \([x := e]\) or \([e]\). Therefore to access the Blocks, i.e. the statements, tests or synchronisation
points associated with a label, in a program we define the operation

\[
blocks : \text{Stmt} \rightarrow \mathcal{P}(\text{Blocks})
\]

\[
blocks([x := e]^l) = \{[x := e]^l\}
\]
\[
blocks([s <= e]^l) = \{[s <= e]^l\}
\]
\[
blocks([\text{null}]^l) = \{[\text{null}]^l\}
\]
\[
blocks(ss_1; ss_2) = blocks(ss_1) \cup blocks(ss_2)
\]
\[
blocks(\text{if } [e]^l \text{ then } ss_1 \text{ else } ss_2) = ([e]^l) \cup blocks(ss_1) \cup blocks(ss_2)
\]
\[
blocks([\text{wait on } S \text{ until } e]^l) = \{[\text{wait on } S \text{ until } e]^l\}
\]

Finally we define an operation on the flow between labels in a statement

\[
flow : \text{Stmt} \rightarrow \mathcal{P}(\text{Lab} \times \text{Lab})
\]

\[
flow([x := e]^l) = \emptyset
\]
\[
flow([s <= e]^l) = \emptyset
\]
\[
flow([\text{null}]^l) = \emptyset
\]
\[
flow(ss_1; ss_2) = flow(ss_1) \cup flow(ss_2) \cup \{(l, \text{init}(ss_2)) | l \in \text{final}(ss_1)\}
\]
\[
flow(\text{if } [e]^l \text{ then } ss_1 \text{ else } ss_2) = flow(ss_1) \cup flow(ss_2) \cup \{(l, \text{init}(ss_1)), (l, \text{init}(ss_2))\}
\]
\[
flow([\text{wait on } S \text{ until } e]^l) = \emptyset
\]

We define the cross flow relation \(cf\) for a program as the set of all possible synchronisations, i.e. \(cf\) is the Cartesian product of the set of labels of wait statements in each process.

The analyses are presented in a simplified way, following the tradition of the literature (see \[NNH99\]), where all programs considered are assumed to have so-called isolated entries (meaning that the entry nodes cannot be reentered once left). This is reasonable as each process in COREVHDL can be considered as a skip statement followed by a loop with an always true condition around the statement defining the process. We shall write \(FV(ss)\) for the set of free variables of the statement \(ss\) and similarly \(FS(ss)\) for the set of free signals.

5.1.2 Analysis of active signals

The Reaching Definitions analysis takes the form of a Monotone Framework as given in \[NNH99\]. It is a forward Data Flow analysis, with both an over-
5.1 Analysing CoreVHDL

(RD\textsubscript{i} \cup ϕ) and an under- (RD\textsubscript{i} \cap ϕ) approximation part; it operates over a complete lattice \(\mathcal{P}(\text{Sig}_* \times \text{Lab}_*)\) where \(\text{Sig}_*\) is the set of signals and \(\text{Lab}_*\) is the set of labels present in the program.

In both cases we shall introduce functions recording the required information at the entry and at the exit of the program points. So for the over-approximation we have

\[
RD\textsubscript{i} \cup \phi_{\text{entry}}, RD\textsubscript{i} \cup \phi_{\text{exit}} : \text{Lab}_* \rightarrow \mathcal{P}(\text{Sig}_* \times \text{Lab}_*)
\]

and similarly for the under-approximation

\[
RD\textsubscript{i} \cap \phi_{\text{entry}}, RD\textsubscript{i} \cap \phi_{\text{exit}} : \text{Lab}_* \rightarrow \mathcal{P}(\text{Sig}_* \times \text{Lab}_*)
\]

To define the analysis we define in Table 5.1 a function

\[
\text{kill}^i_{RD\phi} : \text{Blocks}_* \rightarrow \mathcal{P}(\text{Sig}_* \times \text{Lab}_*)
\]

which produces a set of pairs of signals and labels corresponding to the assignments that are killed by the block. A signal assignment can be killed for two reasons: Another block in the same process assigns a new value to the already active signal, or a wait statement in the same process will synchronise all active signals, and therefore kill all signal assignments.

In Table 5.1 we also define the function

\[
\text{gen}^i_{RD\phi} : \text{Blocks}_* \rightarrow \mathcal{P}(\text{Sig}_* \times \text{Lab}_*)
\]

that produces a set of pairs of signals and labels corresponding to the assignments generated by the block.

The over-approximation part of the analysis is defined in terms of the information that may be available at the entry of the statement. Therefore the over-approximation part considers a union of the information available at the exit of all statements that have a flow directly to the statement considered. In terms of the scenario of Figure 5.1(a) we have:

\[
RD\textsubscript{i} \cup \phi_{\text{entry}}(l) = RD\textsubscript{i} \cup \phi_{\text{exit}}(l_1) \cup RD\textsubscript{i} \cup \phi_{\text{exit}}(l_2)
\]

The under-approximation part of the analysis is defined in terms of the information that must be available at the entry of the statement. Therefore the under-approximation part considers an intersection of the information available
For the under-approximation analysis we define a special intersection operator; \( \bigcap \emptyset = \emptyset \), and \( \bigcap X = \bigcap X \) for \( X \neq \emptyset \), to guarantee that \( RD^\cap_i \) will hold for the smallest solution to the equation systems.

### 5.1.3 Analysis of local variables and present values of signals

The Reaching Definitions analysis for the local variables corresponds to the Reaching Definitions analysis given in [NNH99]. For the present value of signals it will use the result of the Reaching Definitions analysis for active signals. The idea is that if a signal has an active value when execution of the program arrives at a synchronisation point, then the active value of the signal will become the present value of the signal after the synchronisation.

The result of the Reaching Definitions analysis for active signals can be computed before we perform the Reaching Definitions analysis for local variables and signals. Hence the result can be considered a static set, and therefore the Reaching Definitions analysis for local variables and signals remains an instance of a Monotone Framework.
5.1 Analysing CoreVHDL

kill and gen functions for the process

\[ i : \text{process decl}_i; \begin{align*} \quad \text{begin} & ss_i; \quad \text{end process } i \end{align*} \]

\[
\begin{align*}
\text{kill}^i_{RD\varphi}(s \leq e)^l_i & = \{(s', l')|B'_l \text{ assigns to } s \text{ in process } i\} \\
\text{kill}^i_{RD\varphi}([\text{wait on } S \text{ until } e])^l_i & = \{(s, l')|B'_l \text{ assigns to } s \text{ in process } i\} \\
\text{kill}^i_{RD\varphi}([\ldots]^l_i) & = \emptyset \text{ otherwise} \\
\text{gen}^i_{RD\varphi}(s \leq e)^l_i & = \{(s, l)\} \\
\text{gen}^i_{RD\varphi}([\ldots]^l_i) & = \emptyset \text{ otherwise}
\end{align*}
\]

Table 5.1: Reaching Definitions Analysis for active signals; labels \( l \) are implicitly assumed to occur in process \( i : \text{process decl}_i; \begin{align*} \quad \text{begin} & ss_i; \quad \text{end process } i \end{align*} \)

The Reaching Definitions analysis for present values of signals operates over the complete lattice \( \mathcal{P}(\text{Sig}_\star \times \text{Lab}_\star) \) and is a forward data flow analysis. It yields an over-approximation of the assignments that might have influenced the present value of the signal. Its goal is to define two functions holding the information at the entry and exit of a given label in the program:

\[
\begin{align*}
\text{RD}^f_{\text{entry}}(l) & = \begin{cases} \emptyset & \text{if } l = \text{init}(ss_i) \\
\cup \{\text{RD}^f_{\text{entry}}(l')(l', l) \in \text{flow}(ss_i)\} & \text{otherwise} \\
\end{cases} \\
\text{RD}^f_{\text{exit}}(l) & = (\text{RD}^f_{\text{entry}}(l) \setminus \text{kill}_{RD\varphi}(B^l_i)) \cup \text{gen}_{RD\varphi}(B^l)
\end{align*}
\]

The Reaching Definitions analysis for local variables and signals is given in Table 5.2 and makes use of two auxiliary functions. One is

\[
\begin{align*}
\text{kill}^f_{RD} \text{ : Blocks}_\star & \rightarrow \mathcal{P}((\text{Var}_\star \cup \text{Sig}_\star) \times \text{Lab}_\star)
\end{align*}
\]


**Reaching Definitions Analysis**

- **Kill and Gen functions**

  
  \[ \text{kill}^f_{RD}([x := e] l) = \begin{cases} 
  \{(x, ?)\} & \text{if } l = \text{init}(ss_i) \\
  \{(x, l') | B^l \text{ assigns to } x \text{ in process } i\} \cup \bigcup_{j=1}^{m} \text{fst}(RD_{\varphi entry}^j(l_j)) \times wS(ss_i) & \text{otherwise}
  \end{cases} \]

  
  \[ \text{kill}_{RD}^f([\text{wait on } S \text{ until } e] l) = \bigcap_{(l_1, ..., l_n) \in \text{cf, s.t. } l_i = l} \bigcup_{j=1}^{n} \text{fst}(RD_{\varphi entry}^j(l_j)) \times \{l\} \]

  
  \[ \text{gen}_{RD}^f([x := e] l) = \bigcup_{(l_1, ..., l_n) \in \text{cf, s.t. } l_i = l} \bigcup_{j=1}^{n} \text{fst}(RD_{\varphi entry}^j(l_j)) \times \{l\} \]

  
  \[ \text{gen}_{RD}^f([\ldots] l) = \emptyset \text{ otherwise} \]

- **Data flow equations: \( RD \)**

  \[ RD_{\text{entry}}^f(l) = \begin{cases} 
  \{(x, ?) \mid x \in \text{FV}(ss_i)\} \cup \{(s, ?) \mid s \in \text{FS}(ss_i)\} & \text{if } l = \text{init}(ss_i) \\
  \bigcup \{RD_{\text{exit}}^f(l') \mid (l', l) \in \text{flow}(ss_i)\} & \text{otherwise}
  \end{cases} \]

  \[ \text{where } B \text{ and } i \text{ is uniquely given by } B^l \in \text{blocks}(ss_i) \]

  \[ RD_{\text{exit}}^f(l) = RD_{\text{entry}}^f(l) \backslash \text{kill}_{RD}^f(B^l) \cup \text{gen}_{RD}^f(B^l) \]

Table 5.2: Reaching Definitions Analysis for the local variables and present value of signals, for all labels \( l \) in the program \( \|i \in I \ i : \text{process } \text{decl}_i; \text{begin } ss_i; \text{end process } i \).
The other auxiliary function is

$$\text{gen}_{RD}^i : \text{Blocks}_i \to \mathcal{P}((\text{Var}_i \cup \text{Sig}_i) \times \text{Lab}_i)$$

that produces a set of pairs of variables or signals, and labels corresponding to the assignments generated by the block. Only assignments to local variables generate definitions of a variable. Only wait statements are capable of changing a signal’s value at present time. This means that in our analysis signals will get their present value at wait statements in the processes. The result of the over-approximation analysis ($RD_{i+1}^j$) contains all the signals that might be active and thus defines the present value after the synchronisation. Therefore we perform a union over all the signals that might be active in any process, that might be synchronised with.

Finally, all signals are considered to have an initial value in CoreVHDL hence a special label (?) is introduced to indicate that the initial value might be the one defining a signal at present time. The operator $\text{fst}$ is defined by $\text{fst}(D) = \{s \mid (s, l) \in D\}$ and extracts the first components of pairs.

### 5.2 Global dependencies

Using the local dependencies defined above we can construct a Resource Matrix specifying for each point in the program which resources (i.e. a variable or signal) was modified and which resources were read meanwhile [McH95]. First we apply the local dependency analysis on each process in the considered program the result is collected in $RM_{lo} = \bigcup_i RM_i$ where $\emptyset \vdash ss_i : RM_i$. Then we need to compute the global dependencies; one way to do this is to take the transitive closure of the local dependencies; this method is attributed to Kemmerer and is described in [McH95] in case of traditional programming languages.

Let us evaluate the traditional method for constructing the Resource Matrix. For this we consider the program (a) presented in Section 4.1. The result of the transitive closure will correspond to the graph presented in Figure 4.1(b), but not to the true behaviour of the program as depicted in the graph in Figure 4.1(a). This is due to the flow-insensitivity of the transitive closure method: The imprecision is a result of the method failing to consider information about the flow between labels in the programs.
5.2.1 Closure based on Reaching Definitions.

This motivates modifying the closure condition to make use of Reaching Definitions information. Indeed the Reaching Definitions analysis specified in this Chapter supplies us with the needed information to exclude some of the “spurious flows” when performing the transitive closure.

Before doing so we specialise in Table 5.3 the result of the Reaching Definitions analysis to allow a better precision in the closure of the Resource Matrix. The specialisation ensures that definitions are only considered to reach a labelled construct if they are actually used in the labelled construct. This is done by

### Table 5.3: Specialisation of \( RD^{ij}_{\varphi_{entry}} \) and \( RD^{cf}_{entry} \)

<table>
<thead>
<tr>
<th>Usage Case</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>[RD for active signals]</td>
<td>((s, l_i, R_1) \in RM_{l_{0}} \land (s, l) \in RD_{\varphi_{entry}}^{ij}(l_i) \Rightarrow (s, l) \in RD_{\varphi_{entry}}^{ij}(l)) if (\exists l \in cf : l_i \text{ occurs in } \overline{l})</td>
</tr>
<tr>
<td>[RD for present signals and local variables]</td>
<td>((n, l', R_0) \in RM_{l_{0}} \land (n, l) \in RD_{entry}^{cf}(l') \Rightarrow (n, l) \in RD_{entry}^{cf}(l'))</td>
</tr>
</tbody>
</table>

### Table 5.4: Transitive closure of Resource Matrix, based on \( RD^{\dagger} \) and \( RD^{\dagger}_{\varphi} \)

<table>
<thead>
<tr>
<th>Usage Case</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>[Initialisation]</td>
<td>((n, l, A) \in RM_{l_{0}} \Rightarrow (n, l, A, [\overline{l}]) \in RM_{gl} ) where (A \in {R_0, R_1, M_0, M_1})</td>
</tr>
<tr>
<td>[Present values and local variables]</td>
<td>((n', l, R_0, \delta'') \in RM_{gl} \land (n', l') \in RD^{\dagger}(l) \Rightarrow (n', l', R_0, \delta') \in RM_{gl} \land \delta' \cdot \delta'' \subseteq \delta)</td>
</tr>
<tr>
<td>[Synchronised values]</td>
<td>((s', l_i) \in RD^{\dagger}(l) \land (s', l'') \in RD^{\dagger}<em>{\varphi}(l_j) \Rightarrow (s, l, R_0, \delta) \in RM</em>{gl} \land \delta' \subseteq \delta) if (\exists l \in cf : l_i \text{ and } l_j \text{ occur in } \overline{l})</td>
</tr>
</tbody>
</table>
5.2 Global dependencies

Figure 5.2: Result of the Information Flow Analysis for program (b).

considering the result of the local dependency analysis; notice the usage of the cross flow relation in rule [RD for active signals] which determines if the signal might in fact be synchronised.

We can now update the specification of the transitive closure using the result of the Reaching Definitions analysis, as is done in Table 5.4. We specify a rule for initialising the Global Resource Matrix [Initialisation]. Observe that we add an extra element in the resource matrix. This element is a regular language over execution traces (where we take the freedom of expressing them by their program labels rather than process identifiers). The regular language define the execution traces that might lead to a flow of information.

The closure is done by rule [Present values and local variables] considering the result of the Reaching Definitions analyses for the program. For the present value of a signal and for local variables we consider each entry in the Resource Matrix, if the present value of a variable or signal is read (\(R_0\)) we can use the information of the Reaching Definitions analysis to find the label where the variable or signal was defined. Therefore we copy all the entries about variables and signals read at this label in the Resource Matrix. This rule also handles the case where information flows from the variables and signals in a condition on a synchronisation point.

The rule [Synchronised values] uses the result of the Reaching Definitions analysis to determine which signals were read in the Resource Matrix and follow them to their definition. When synchronising signals the matter is complicated as the signal is defined at a synchronisation point, therefore the rule needs to consider all the information about signals flowing into the synchronisation points that might be synchronised with. Which synchronisation points the definition point synchronises with is gathered in the \(cf\) predicate, hence we apply the Reaching Definitions analysis for active signals on all the synchronisation points and copy all the entries indicating variables and signals being read from the
point the signal could be defined.

### 5.2.2 Improvement of the Information Flow Analysis

For the example program (b) (i.e. \( b := a \); \( c := b \)) we previously described how the Information Flow Analysis would yield the result presented in Figure 5.2(a). In fact the resulting graph indicates that the resulting value of the variable \( b \) can be read from the resulting value of the variable \( c \), which is entirely correct. However, the initial value of the variable \( b \) cannot be read from the variable \( c \); to see this consider a scenario where \( b \) initially contained a value, this value would never flow to \( c \), as the first assignment would overwrite the variable.

The Information Flow Analysis based on the Reaching Definitions Analysis can be improved to handle the initial and outgoing values of signals with greater accuracy. The idea is to add a node to the graph for each incoming signal, annotating the incoming node of a variable with a ◦, and for each outgoing signal, annotating the outgoing node with a •. Using this scheme a more precise result for program (b) can be constructed as shown in Figure 5.2(b), where we consider the last statement to be outcoming and therefore update the Resource Matrix in the same fashion as for wait statements.

The extension of the analysis is based on adding special variables and signals for incoming and outgoing values. The rules for improving the information flow analysis are presented in Table 5.5 and explained below.

In a traditional sequential programming language the improvement could be handled by adding assignments of the form \( x := x◦ \) for each variable read in front of the program, and similarly adding assignments \( x• := x \) in the end for handling the outgoing values. Having this in mind we introduce the rule [Initial values] that uses the special symbol (?) from the Reaching Definitions analysis to propagate the initial value of a variable or locally defined signal.

COREVHDL consists of processes running as infinite loops in parallel with other processes and under the influence of the environment. Therefore signals might carry incoming values at any synchronisation point, similarly a process might communicate values out of the system at any synchronisation point. We introduce a new process \( π \) to illustrate how the incoming and outgoing signals are handled. The process has the form

\[
π : \text{process begin } [s^{in}_1 <= s^0_1]; \ldots [\text{wait on } S^π]; [s^*_1 <= s^{out}_1]; \ldots \text{end process } π
\]
5.3 Analysing Advanced Encryption Standard

\[ (n, ?) \in RD^n(l) \]
\[ (n^o, l, R_0, [true]) \in RM_{gl} \]

[Incoming values]
\[ (n, l') \in RD^n(l) \quad l' \in WS \]
\[ (n^o, l, R_0, [true]) \in RM_{gl} \]

[Outgoing values]
\[ n \in Sig^{out} \]
\[ (n^*, l_n^*, M_1, [true]) \in RM_{gl} \]

[Outcoming values]
\[ l \in WS \quad (n, l') \in RD^n(l) \quad (n', l', R_0, \delta') \in RM_{gl} \quad \delta' \subseteq \delta \]
\[ (n', l_n^*, R_0, \delta) \in RM_{gl} \]

Table 5.5: Rules for the improved Information Flow Analysis

where \( s_1^{in}, s_2^{in}, \ldots \) are the incoming signals, \( s_1^{out}, s_2^{out}, \ldots \) are the outgoing signals and \( S^n \) is the set of all incoming and outgoing signals, as specified in the entity declaration of the program.

The assignments prior to the synchronisation point in process \( \pi \) can be synchronised into the system at each wait statement and this is handled by rule [Incoming values] where \( WS = \bigcup_i WS(s_{si}) \) are all the wait statements in the program.

We add two rules for the outgoing values to the closure method. The first rule [Outgoing values] specifies a special label for each signal (i.e. the label of the assignment to \( n^* \) in process \( \pi \)) used on the left-hand side in an assignment, at which the signal is set to be modified in the Resource Matrix. The second rule [Outcoming values] handles the right-hand side of the outgoing assignments in process \( \pi \) by considering all active signals coming into a wait statement, the values read when these active signals were modified are the signals that influence the outgoing value. \( Sig^{out} \) is the set of signals that are declared as outgoing (i.e. with the keyword \textbf{out} in the entity declaration).
5.3 Analysing Advanced Encryption Standard

For comparison between Kemmeres method and the one presented in this paper we consider part of the NSA Advanced Encryption Standard test implementation of the 128 bit version of the encryption algorithm Rijndael (i.e. rijndael_pkg.vhd1) [WBRF00]. In particular we consider the part of the encryption algorithm performing the shift of a state. It is implemented using a number of temporary local variables. These are overwritten several times and therefore Kemmeres method mixes all the values up as shown in figure 5.3(a). Our implementation of the presented method computes the precise result as shown in figure 5.3(b).

The NSA Advanced Encryption Standard test implementation use temporary
local variables in many parts of the program, therefore the correct handling of
overwritten signals presented in our analysis is needed to analyse the implement-
tation precise enough.

5.4 Discussion

Modern technical equipment often depends on the reliable performance of em-
bedded systems. The verification of these systems have often relied on adapting
existing techniques developed for software in to the setting of hardware speci-
fications. The following three papers are some examples where static program
analyses have been adapted for hardware, Hsieh and Levitan use data flow
analyses for semantical extraction [HL98], Clarke et al. adapt a program slicing
tool for verification of VHDL descriptions [CFR99], and Hymans present an
abstract interpretation for verification of safety properties [Hym02].

The paper by Hsieh and Levitan [HL98] considers a similar fragment of VHDL
and is concerned with optimising the synthesis process by avoiding the genera-
tion of circuits needed to store values of signals. One component of the required
analyses is a Reaching Definitions analysis with a similar scope to ours although
specified in a rather different manner. Comparing the precision of their approach
(to the extent actually explained in the paper) with the present one, it is clear
that the present analysis is more precise in that it allows also to kill signals be-
ingen set in other processes than where they are used. Furthermore the presented
analysis is only correct for processes with one synchronisation point, because
definition sets are only influenced by definitions in other processes at the end
(or beginning) of a process. Therefore definitions are lost if they are present at
a synchronisation point within the process but overwritten before the end of the
process.

The paper by Clarke et al. [CFR99] adapt the program slicing tool for ver-
ification of VHDL descriptions. The approach taken is mapping the language
constructs to constructs in a traditional programming language. This approach
allows the authors to consider an almost complete subset of the VHDL lan-
guage, and provides professional user interfaces on the developed tool. However
the mapping seems to disregard certain important aspects of the VHDL ex-
ecution model, ignoring e.g. the subtleties regarding the timing behaviour of
signals.

The paper by Hymans [Hym02] uses abstract interpretation to give an over-
approximation of the set of reachable configurations for a fragment of VHDL
not unlike ours. However there are some issues with the presented semantics
as mentioned in Section 2.6. The presented analyses suffices for checking safety
properties: if the safety property is true on all states in the over-approximation it will be true for all executions of the VHDL program. Hence when synthesising the VHDL specification one does not need to generate circuits for enforcing the reference monitor (called an observer in [Hym02]).

The presented approach is based around adapting a Reaching Definitions analysis (along the lines of [NNH99]) to the setting of CoreVHDL. A novel feature of the analysis is that it has two components for tracking the flow of values of active signals: one is the traditional over-approximation whereas the other is an under-approximation. Finally, a Reaching Definitions analysis tracks the flow of variables and present values of signals. This combination of analyses enables us to deal with the special semantics found in VHDL and other hardware description languages due to the underlying timing model of the synthesised circuits.

The author is unaware of any other approach that using static analyses investigate Kemmerer’s approach, including the method of identifying local and global dependencies. Previous investigations have considered using theorem provers for identifying information flow and covert channels, see e.g. [McH95] for an overview.

Furthermore extending the approach to include execution traces has not been presented before. The constraints on execution traces found in the security policy can be used in the closure condition. However, the constraints can be automatically inferred using the textbook approach for transforming a finite automaton into a regular expression. The approach, commonly referred to as the Pigeon Hole Principle [HMU01], is applied to each set of nodes in the resource matrix, and the resulting regular expression is the constraint on the resulting edge between the two nodes. In a similar fashion the prototype implementation of the system uses a textbook algorithm for determining the inclusion of constraints in the resource matrix and the related constraints used in the security policy.
A security issue closely related to information flow and noninterference is separability [Lam73], originally dating back before noninterference. Separability is a very strong confidentiality property, that deal not only with the information flow through overt channels but also with information flow through covert channels. A covert channel is a channel that in the systems specification is meant included for a given purpose but can be exploited to leak information contrary to the security policy for the system. Traditionally two kinds of covert channels were identified; i.e. timing channels and storage channels. In this chapter we will investigate the first kind in the hardware setting. In cryptographic algorithms these channels are often referred to as side channels. Side channels focus only on how information flow occur outside the semantical specification of a system, rather than covert channels that focus on the information flows that occurs in the semantical model as well. Since the flows that occur in the semantical model have already been investigated in the previous chapter, this investigation will be focused on the side channels.

Practical implementations of embedded systems and synthesised circuits are vulnerable to side channel attacks. Side channels are often introduced at time of implementation, where information flow is added that was not originally described in the specification of the system. A key component is the security of the cryptographic algorithms often used in embedded systems. Much work
has been done to verify the security of such algorithms at specification level. However, Kocher \cite{Koc96} showed that by observing physical aspects of implementations, like input-dependent differences in the execution time of a program, one could determine information that was considered secure in the specifications of cryptographic algorithms.

Several other side-channel attacks have been presented and shown to leak enough information to break commonly used cryptographic algorithms: power consumption \cite{KJJ99}, fault-based \cite{KWMK01} and electromagnetic \cite{QS01} channels. Timing channels have gotten most attention as they have been shown to be relevant in many practical settings, e.g. in smart cards \cite{DKL98}.

This chapter presents a method for automatically verifying whether specifications in CoreVHDL\(^\text{®}\) contain timing leaks. We consider a subset of VHDL allowing synthesizable synchronous specifications. Meaning that the specification will have a global synchronisation signal, or a clock signal. The subset is similar to CoreVHDL except for the restriction on the synchronisation points. This restriction is motivated by observing that most VHDL specifications are of this kind, including our test specification of the AES algorithm. We present a structural operational semantics for the considered subset of VHDL in Section 6.1. The semantics differs from the previously presented semantics for CoreVHDL by a novel component for recording timing delays.

The problem of eliminating timing leaks has already been addressed in the literature. Several informal methods and guidelines for implementing algorithms without timing leaks have been presented, but here we focus on the ones presenting an automatic method for identifying the timing leaks.

Volpano and Smith \cite{VS99} adapt a notion of protected branches of conditionals with atomic execution time. To do so, the programs considered are not allowed to include loops in conditionals depending on secret values. This approach guarantees the removal of timing channels leaking internally in the program; however Volpano and Smith note that for an external observer timing leaks might still occur.

Agat \cite{Aga00} presents a method that transform programs so that both branches of a conditional depending on secret values will have the same execution time. This is based on a filler-statement that has the same timing properties as the corresponding statement, but that has no effect on the state of the system. The programs are transformed such that in each branch, the original branch and a filler-statement corresponding to the other branch is executed. Sabelfeld and Sands \cite{SS00, Sab01} extend the method for a concurrent language with synchronisation points by running the statement and filler-statement in parallel.
and synchronising them in the end.

Guaranteeing the absence of timing leaks in hardware introduces different issues. The differences between timing leaks in software and hardware systems are discussed in Section 6.2 where we propose a security condition for the absence of timing leaks in hardware specifications. In Section 6.3 we present a type based static analysis, that computes the different paths from input to output, allowing us to determine the absence of timing leaks in a VHDL specification.

In Section 6.5 we report on our experience from using the method on the Advanced Encryption Standard (AES).

6.1 CoreVHDL with Timing Behaviours

CoreVHDL is a fragment of VHDL that concentrates on synthesizable specifications only. Hence all processes synchronise on the global clock.

The syntax is similar to that of CoreVHDL where a program is specified by an indexed family of processes or concurrent statements \( (css \in Css) \) running in parallel; here the index \( i \in Id \) is a unique identifier in a finite set of process identifiers \( (I \subseteq \text{fin} \ Id) \). Each process has a statement \( (ss \in Stmt) \) as body and may use logical values \( (m \in LVal) \), local variables \( (x \in Var) \) as well as signals \( (s \in Sig) \). The main difference from CoreVHDL is that in CoreVHDL all synchronisation points are at the end of processes and synchronisation is with respect to the clock edge \( (clk) \).

Observe that VHDL processes, although seeming sequential in their specification, are concurrent in their execution. Because of the delay from a signal assignment to the new value taking effect (i.e. the delta-cycle), one can in fact freely exchange the order of execution of the signal assignments within a process, as long as they are not dependent on variables assigned in the process. For signals the value to be used is held in memory cells, which are updated along with the clock edge. Hence signal assignments are not dependent on the other signal assignments in the process, but rather the signal assignments executed in the previous cycle of the process.

The synthesising tools guarantee that processes will be ready for synchronisation with the clock edge. In reality the clock frequency is determined by measuring the worst case stabilising time of the electrical current through the gates synthesised from the VHDL specification. This worst case time can be measured by tools like SPICE [Tui92], IRSIM [SH89] and VSIM [VSI93]. Since the future
Timing Leaks

\[
\text{css} \in \text{Css} \quad \text{concurrent statements}
\]

\[
\text{css} \ := \ i : \text{process} \ (\text{clk}) \ \text{begin} \ \text{ss} ; \ \text{end process} \ i \\
\ | \ (\text{css}_1 \ | \ | \text{css}_2)
\]

\[
\text{ss} \in \text{Stmt} \quad \text{statements}
\]

\[
\text{ss} \ := \ \text{null} \ | \ x := e \ | \ s <= e \ | \ ss_1 ; ss_2 \\
\ | \ \text{if} \ e \ \text{then} \ ss_1 \ \text{else} \ ss_2 \ | \ [t]ss
\]

\[
\text{e} \in \text{Exp} \quad \text{expressions}
\]

\[
\text{e} \ := \ m \ | \ x \ | \ s \ | \ \text{not} \ e \ | \ e_1 \ \text{and} \ e_2 \\
\ | \ e_1 \ \text{or} \ e_2 \ | \ e_1 \ \text{xor} \ e_2
\]

Table 6.1: The subset \text{CoreVHDL} of VHDL.

Values are stored in memory cells not accessible before the synchronisation we can measure the delay from a value enters the system until a certain point by counting the synchronisation points on its execution path.

The syntax of \text{CoreVHDL} is given in Table 6.1 where we omit the structural part of the syntax as it is the same as for CoreVHDL.

6.1.1 Semantics of CoreVHDL

We adapt the approach used in Chapter 2 when defining the structural operational semantics for CoreVHDL where we add a notion of timing of signals to the semantics; this will prove crucial for developing our analysis.

The main idea is to execute each process by itself until a synchronisation point is reached. When all processes of the program have reached a synchronisation point we perform the system-wide synchronisation, while taking care of the resolution of signals in case a signal has been assigned different values by different processes.

Basic semantic domains. The syntax of specifications in CoreVHDL operate on a state of logical values:

\[
v \in \text{LVal} = \{\text{U}, \text{X}, \text{0}, \text{1}, \text{Z}, \text{W}, \text{L}, \text{H}, \text{?}\}
\]

We assume the existence of a function mapping logicals in the syntax to logical
One goal of the semantics is to capture the timing delays of the evaluated systems, to do so we introduce a notion of time. Timing delays are specified relative to incoming signals (in the set $\text{Sig}_{IN}$) and the time measured as delays (in integers $\mathbb{Z}$) they have flowed through the system

$$t \in \text{Time} = \mathcal{P}(\text{Sig}_{IN} \times \mathbb{Z})$$

If a timing delay $t$ includes the pair $(s, z)$ then $t$ indicates that there is a dependency on the incoming signal $s$ with a delay of $|z|$ clock cycles (where $z \leq 1$).

**Constructed semantic domains.** CoreVHDL includes local variables and signals. The values and the timing delays of the local variables are stored in a local state. The local state is a mapping from variable names to logical values and timing delays.

$$\sigma \in \text{State} = (\text{Var} \rightarrow \text{Value} \times \text{Time})$$

Signals are used for communication between processes and their values and timing delays are stored in local states.

$$\varphi \in \text{Store} = (\text{Sig} \rightarrow (\{0, 1\} \hookrightarrow \text{Value} \times \text{Time}))$$

The value assigned to a signal is available after the following synchronisation, therefore we keep the present value and timing delay of a signal $s$ in $\varphi s 0$. In $\varphi s 1$ we store the assigned value and its timing delay, meaning that it is available after a delta-cycle.

All signals have a present value, so $\varphi s 0$ is defined for all $s$. Not all signals need to be active meaning they have a new value waiting in the following delta-cycle, thus $\varphi s 1$ need not be defined; hence we use $\{0, 1\} \hookrightarrow \text{Value} \times \text{Time}$ in the definition of the signal state to indicate that it is a partial function.

The semantics handles expressions following the ideas of [NN92]. For expressions

$$\mathcal{E} : \text{Expr} \rightarrow (\text{State} \times \text{Signals} \rightarrow \text{Value} \times \text{Time})$$

evaluates the expression. The function is defined in Table 6.2. Note that for signals we use the current value and timing delay of the signal, i.e. $\varphi s 0$. 
\[ E[m]\langle \sigma, \varphi \rangle = (L[m], \emptyset) \]
\[ E[x]\langle \sigma, \varphi \rangle = \sigma x \]
\[ E[s]\langle \sigma, \varphi \rangle = \varphi s 0 \]
\[ E[\text{not } e]\langle \sigma, \varphi \rangle = (\text{not } v, t) \quad \text{where } E[e]\langle \sigma, \varphi \rangle = (v, t) \]
\[ E[e_1 \text{ and } e_2]\langle \sigma, \varphi \rangle = (v_1 \text{ and } v_2, t_1 \cup t_2) \quad \text{where } E[e_1]\langle \sigma, \varphi \rangle = (v_1, t_1) \quad \text{and } E[e_2]\langle \sigma, \varphi \rangle = (v_2, t_2) \]
\[ E[e_1 \text{ or } e_2]\langle \sigma, \varphi \rangle = (v_1 \text{ or } v_2, t_1 \cup t_2) \quad \text{where } E[e_1]\langle \sigma, \varphi \rangle = (v_1, t_1) \quad \text{and } E[e_2]\langle \sigma, \varphi \rangle = (v_2, t_2) \]
\[ E[e_1 \text{ xor } e_2]\langle \sigma, \varphi \rangle = (v_1 \text{ xor } v_2, t_1 \cup t_2) \quad \text{where } E[e_1]\langle \sigma, \varphi \rangle = (v_1, t_1) \quad \text{and } E[e_2]\langle \sigma, \varphi \rangle = (v_2, t_2) \]

Table 6.2: Semantics of Expressions

### 6.1.2 Statements

The semantics of statements and concurrent statements is given as a structural operational semantics. For statements we shall use configurations of the form

\[ t \vdash \langle ss', \sigma, \varphi \rangle \in \text{Time} \times \text{Stmt}' \times \text{State} \times \text{Signals} \]

Here \textit{Stmt}' refers to the statements from the syntactical category \textit{Stmt} with an additional statement (\texttt{final}) indicating that a final configuration has been reached. Therefore the transition relation for statements has the form

\[ t \vdash \langle ss, \sigma, \varphi \rangle \Rightarrow \langle ss', \sigma', \varphi' \rangle \]

which specifies one step of computation. Here \( t \) is the context that might influence the timing delay of evaluated statements. The transition relation is specified in Table 6.3 and briefly commented upon below.

An assignment to a signal is defined as an update to the value and timing delay at the delta-time, i.e. \( \varphi s 1 \). We use the notation \( \varphi[i] [s \mapsto (v, t)] \) to mean \( \varphi[s \mapsto \varphi(s)[i \mapsto (v, t)]] \). Conditionals influence the timing delay of signals assigned in the branches, therefore we use \( [t] \) in front of a statement to indicate that the execution of the statement depends on the timing delay \( t \).

### 6.1.3 Concurrent Statements

The semantics for concurrent statements handles the concurrent processes and their synchronisations of a \texttt{COREVHDL} program. The transition system for
concurrent statements has configurations of the form
\[ \parallel_{i \in I} \langle css'_i, \sigma_i, \varphi_i \rangle \]
for \( I \subseteq Id \) and \( css'_i \in \{ ss'; css | ss' \in Stmt' \land css \in Css \} \cup Css, \ \sigma_i \in State, \ \varphi_i \in Signals \) for all \( i \in Id \). Thus each process has a local variable and signal state. The transition relation for concurrent statements has the form
\[ \parallel_{i \in I} \langle css'_i, \sigma_i, \varphi_i \rangle \Rightarrow \parallel_{i \in I} \langle css''_i, \sigma'_i, \varphi'_i \rangle \]
which specifies one step of computation. The transition relation is specified in Table 6.4 and explained below.

As mentioned before we execute processes locally until they have all arrived at a synchronisation point; this is reflected in the rule \([\text{Handle non-waiting processes (H)}]\). The body of a process is executed in an empty timing context, as the execution does not depend on the timing delay of any signal.

When all processes finish execution we perform a synchronisation covered by the rule \([\text{Active signals (A)}]\). Applications of this rule indicate the coming clock edge. This rule is explained in the sequel.

The delta-time values and timing delays of signals will be synchronised for all processes and in order to do this we use a resolution function \( f_s \) of the form:
\[ f_s : \text{multiset}(Value \times Time) \rightarrow Value \times Time \]

Thus \( f_s \) combines the multi-set of values assigned to a signal and their timing delays into one value and timing delay that then will be the new (unique) value and timing delay of the signal. VHDL allow a resolution function to be specified in a syntax much like that of a process. We assume that all signals (and their timing delays) handled in resolution functions are in the argument of the function
\[ f_s(\mathcal{R}_s) = (v, t) \quad \land \quad t = \bigcup_{(v', t') \in \mathcal{R}_s} t' \]

where \( \mathcal{R}_s \) is the multi-set of values and timing delays used to perform the resolution of the new present value for \( s \). The resolution function is applied to the active values of a signal, however if a signal is not active in a local signal state of a process the present value is used instead. We introduce the function
\[ U(\varphi_i, s) = \begin{cases} (v, t) & \text{if } \varphi_i s 1 = (v, t) \\ (v, t) & \text{otherwise, } \varphi_i s 0 = (v, t) \end{cases} \]
[Local Variable Assignment]:

\[ t \vdash (x := e, \sigma, \varphi) \Rightarrow (\text{final}, \sigma[x \mapsto (v, t \cup t')], \varphi) \]

where \( E[e](\sigma, \varphi) = (v, t') \)

[Signal Assignment]:

\[ t \vdash (s <= e, \sigma, \varphi) \Rightarrow (\text{final}, \sigma, \varphi[1] [s \mapsto (v, t \cup t')]) \]

where \( E[e](\sigma, \varphi) = (v, t') \)

[Skip]:

\[ t \vdash (\text{null}, \sigma, \varphi) \Rightarrow (\text{final}, \sigma, \varphi) \]

[Composition]:

\[
\begin{align*}
  t \vdash (ss_1, \sigma, \varphi) & \Rightarrow (ss'_1, \sigma', \varphi') \\
  t \vdash (ss_1; ss_2, \sigma, \varphi) & \Rightarrow (ss'_1; ss_2, \sigma', \varphi') \\
\end{align*}
\]

where \( ss'_1 \in Stmt \)

[Conditional]:

\[
\begin{align*}
  t \vdash (\text{if } e \text{ then } ss_1 \text{ else } ss_2, \sigma, \varphi) & \Rightarrow ([t']ss_1, \sigma, \varphi) \\
  \text{if } E[e](\sigma, \varphi) = (1', t') \ & \Rightarrow ([t']ss_1, \sigma, \varphi) \\
  t \vdash (\text{if } e \text{ then } ss_1 \text{ else } ss_2, \sigma, \varphi) & \Rightarrow ([t']ss_2, \sigma, \varphi) \\
  \text{if } E[e](\sigma, \varphi) = (0', t') \ & \Rightarrow ([t']ss_2, \sigma, \varphi) \\
\end{align*}
\]

[Branch]:

\[
\begin{align*}
  t \cup t' \vdash (ss, \sigma, \varphi) & \Rightarrow (ss', \sigma', \varphi') \\
  t \vdash ([t']ss, \sigma, \varphi) & \Rightarrow ([t']ss', \sigma', \varphi') \\
  t \cup t' \vdash (ss, \sigma, \varphi) & \Rightarrow (\text{final}, \sigma', \varphi') \\
  t \vdash ([t']ss, \sigma, \varphi) & \Rightarrow (\text{final}, \sigma', \varphi') \\
\end{align*}
\]

Table 6.3: Semantics of Statements

to determine whether the active value or the present value is used.

Incoming signals interact with the processes at synchronisation points. The incoming values can be modelled as a signal state of the environment which has the timing delay \( \{(s_{in}, 1)\} \) for all active values of incoming signals \( s_{in} \) because after synchronisation we then obtain the desired timing delay \( \{(s_{in}, 0)\} \) for the incoming signals.
6.2 Absence of Timing Leaks

[Handle non-waiting processes (H)]:

\[\emptyset \vdash \langle ss_j, \sigma_j, \varphi_j \rangle \Rightarrow \langle ss'_j, \sigma'_j, \varphi'_j \rangle\]

\[\| i \in I \cup \{j\} \langle ss_i; css_i, \sigma_i, \varphi_i \rangle \Rightarrow \| i \in I \cup \{j\} \langle ss'_i; css_i, \sigma'_i, \varphi'_i \rangle\]

where \(ss'_i = ss_i \land \sigma'_i = \sigma_i \land \varphi'_i = \varphi_i\) for all \(i \neq j\).

\[\emptyset \vdash \langle ss_j, \sigma_j, \varphi_j \rangle \Rightarrow \langle \text{final}, \sigma'_j, \varphi'_j \rangle\]

\[\| i \in I \cup \{j\} \langle ss_i; css_i, \sigma_i, \varphi_i \rangle \Rightarrow \| i \in I \cup \{j\} \langle css'_i, \sigma'_i, \varphi'_i \rangle\]

where \(css'_i = css_i\) for all \(i = j\) and \(css'_i = ss_i; css_i \land \sigma'_i = \sigma_i \land \varphi'_i = \varphi_i\) for all \(i \neq j\).

[Active signals (A)]:

\[\| i \in I \langle i: \text{process (clk)} \begin{array}{c}
ss_i; \\
end process i
\end{array}, \sigma_i, \varphi_i \rangle \Rightarrow \| i \in I \langle css'_i, \sigma_i, \varphi'_i \rangle\]

where

\[\varphi'_i s 0 = \begin{cases} f_s \{(v, t^-) \mid U(\varphi_k, s) = (v, t) \land k \in I\} & \text{if } \exists j \in I. \varphi_j s 1 \text{ is defined} \\ (v, t^-) & \text{otherwise, } \varphi_i s 0 = (v, t) \end{cases}\]

\[\varphi'_i s 1 = \text{undef}\]

\[css'_i = ss_i; i: \text{process (clk)} \begin{array}{c}
ss_i; \\
end process i
\end{array}\]

Table 6.4: Semantics of Concurrent statements

Synchronisation of signals will modify the time-line in the signal states, therefore we need to change the timing delays accordingly. Thus if a timing delay includes \((s, z)\) at the time of synchronisation then the signal \(s\) is also synchronised moving the referred value to \((s, z - 1)\). Therefore we introduce the function \(\mathbb{S}\):

\[t^- = \{(s, z - 1) \mid (s, z) \in t\}\]

Notice that the state of local variables is unchanged.

6.2 Absence of Timing Leaks

To argue whether a program is secure or not, we need some condition for security. Many of the related methods for handling timing leaks base their security condition on a kind of non-interference. This deals with all kinds of information flow including side channels but its view is usually limited to considering
only the input and output of programs. Timing channels are often exhibited by cryptographic algorithms, for which non-interference between the secret plain text and the public cipher text is hard to establish. Here we focus on timing channels, and therefore we concentrate on formulating our security condition for this problem. Before we can define the security condition let us consider some requirements for programs.

Timing channels are defined as differences in the timing delay introduced by handling of secret information. In software programming languages an example of such a channel could be

\[
\text{if } h = 1 \text{ then sleep 100 } \quad (*)
\]

where \( h \) is a secret variable. The timing channel allows an observer to gain information about the value of \( h \), by measuring the execution time of the program.

In hardware the setting is different. Any statement is encapsulated in a process synchronised with time. Therefore if a statement as \((*)\) is placed within a process, the synthesis of the specification must guarantee that the process is ready for synchronisation at the time of the clock edge. Since the memory cells hold the previous value for each signal, the value will always be present at exactly the same time. Furthermore processes loop infinitely, so measuring the overall execution time of a VHDL specification makes no sense.

In our setting we consider an external observer that can measure the time (measured in clock cycles) between modifications of ingoing and outgoing signals. By doing this the observer might gain secret information. As an example, consider a network of sensors where the sensors communicate with each other by encrypted messages. The timing delay of the encryption scheme depends on the value of the plain text as well as the secret key. Messages will be routed through other sensors to allow communication between all sensors. Now assume that one sensor is hostile, and wishes to gain information about the messages passed between other sensors. The hostile sensor takes the following actions: it sends a message to another sensor, that it shares a key with, then it measures the time spent by the receiving sensor on decrypting the message and encrypting it again and passing it on to yet another sensor. Since the hostile sensor knows the key with which the messages were originally encrypted it could also calculate the time spent on the decryption, and hence get some idea of the time spent on the encryption. By continuously sending messages that vary only on single bits the hostile sensor can use the timing channel to learn the key shared by the other two sensors.
Example 6.1 (Selector) Consider a program that selects between the newest and the previous value of the incoming signal \( a \), based on the incoming signal \( \text{sel} \). The specification consists of two processes, i.e. \textbf{buffer} and \textbf{selector}; the first is a buffer setting the previous incoming signal on the internal signal \( b \). The second process branches on the incoming signal \( \text{sel} \) and assigns either the incoming signal \( a \) or the internal signal \( b \) to the outgoing signal \( o \). The \textsc{CoreVHDL} specification is given in Figure 6.1.

Now the timing delay of \( o \) depends on \( \text{sel} \). If \( \text{sel} \) is true then the value of \( a \) flows to \( o \) after one clock cycle, and we write \( o \mapsto \{(a, -1)\} \), however if \( \text{sel} \) is false then \( a \) is delayed two clock cycles before flowing to \( o \), and we write \( o \mapsto \{(a, -2)\} \). Since only one branch is executed the timing delay of \( o \) can be used to determine the value of \( \text{sel} \). Therefore the specification is considered to have a timing leak.

The timing delays can also be found by considering dependency diagrams, like the one in Figure 6.1 for the selector program. Here the ovals containing signal names are the incoming and outgoing signals (i.e. \( a, \text{sel} \) and \( o \)). However \( b \) is not drawn in a oval, as it is an internal signal and therefore does not appear in the timing delays. Instead the arrow between the boxes \textbf{buffer} and \textbf{selector} represent \( b \). The processes in the specification are illustrated as boxes (i.e. \textbf{buffer} and \textbf{selector}). Finding the timing delay of the outgoing signal \( o \) can be done by finding the paths through the diagram, increasing the delay (i.e. decreasing the timing delay) whenever passing a process box. The specification has a timing leak because there are paths of different length from the incoming signal \( a \) to the outgoing signal \( o \). One is through both \textbf{buffer} and \textbf{selector}, and the other is only through \textbf{selector}. 
Unfortunately finding paths of different length in a dependency diagram is not enough. Modify the selector to perform the computation \( o \leq a \oplus b \oplus \text{sel} \). The dependency graph is the same, but no timing leak is present. The difference between the two specifications is that in the unmodified specification the signal \( o \) can depend on only one of the paths, while in the modified specification \( o \) depends on both paths.

We say a program is **timing secure** if on no input should an observer be able to differentiate between two executions of the program, by considering the number of clock cycles elapsed until the outgoing signals change their values. We formalise this condition by using the timing delay computed in the semantics for COREVHDL\(^\text{\textregistered}\). Therefore the program is **timing secure** if two executions of a program in different states always have the same timing delay for all signals.

In the definition of a timing secure program we write \( \implies^*_H \) as the transitive reflexive closure of applying rule [Handle non-waiting processes (H)] and we write \( \implies_A \) for applying rule [Active signals (A)]. The projection on the time component \( |\text{Time} \) is defined as \( (v, t)|\text{Time} = t \). Later we will similarly write \( |\text{Value} \) for the projection on the value component \( (v, t)|\text{Value} = v \).

**Definition 6.1** (Timing secure program) A COREVHDL\(^\text{\textregistered}\) program \( \langle \text{css}_i, \sigma_i^1, \varphi_i^1 \rangle \) is **timing secure** if

\[
\begin{align*}
\langle \text{css}_i, \sigma_i^1, \varphi_i^1 \rangle &\implies^*_H \langle \text{css}_i', \sigma_i^1', \varphi_i^1' \rangle \\
\langle \text{css}_i, \sigma_i^2, \varphi_i^2 \rangle &\implies^*_H \langle \text{css}_i', \sigma_i^2', \varphi_i^2' \rangle \\
\forall i, x : \sigma_i^1 \land x|\text{Time} = \sigma_i^2 \land x|\text{Time} \\
\forall i, j, s : \varphi_i^1 \land s j|\text{Time} = \varphi_i^2 \land s j|\text{Time}
\end{align*}
\]

where for each index \( i \) the two branches produce the same statement \( \text{css}_i' \) implies

\[
\forall i, j, s : \varphi_i^1 \land s j|\text{Time} = \varphi_i^2 \land s j|\text{Time}
\]

**Observation.** The definition of **timing secure** programs follows from the observation that processes execute their body and then wait for synchronisation. Therefore for a program to be **timing secure** all execution traces of a process’ body must change the timing delay of the affected signals uniformly. Notice that the timing delay of a variable or signal is changed even when the value is unmodified, see [Local Variable Assignment] and [Signal Assignment].

In Example 6.1 we presented a program and showed how an observer could gain knowledge from observing the timing delays of assignments to a signal. Now
we introduce a notion of security thresholds, that allow us to argue whether an observer can gain information outside some threshold $L : \text{Sig} \rightarrow \mathcal{P}(\text{Sig})$ from timing delays, where $L(s) \subseteq \text{Sig}_{IN}$ for all $s \in \text{Sig}$. This corresponds to the observer knowing the values of the signals in the threshold. Hence the above given program will be timing secure for observers that hold the signal $sel$ in their threshold.

This leads to considering a program secure for an observer of signal $s^*$ with threshold $L(s^*)$ if the observer cannot observe different values of the signal when no signal within the threshold differ on their incoming value by observing the timing delays.

**Definition 6.2** ($L, s^*$)-Timing secure program) A CoreVHDL/E9 program $\parallel i \in I css_i$ is $(L, s^*)$-timing secure if

\[
\begin{align*}
\forall i, x : \sigma_{1i} \parallel x |_{\text{Time}} = \sigma_{2i} \parallel x |_{\text{Time}} \\
\forall i, j, \varphi_{1i} s^* j |_{\text{Value}} = \varphi_{2i} s^* j |_{\text{Value}}
\end{align*}
\]

where for each index $i$ the two branches produce the same statement $css'_i$ implies

\[
\forall i, j : \varphi'_{1i} s^* j |_{\text{Time}} = \varphi'_{2i} s^* j |_{\text{Time}}
\]

A specification is timing secure if it is secure for observation on all signals. Hence the security property of a timing secure specification with respect to the threshold $L$ is defined as follows.

**Definition 6.3** ($L$-Timing secure program) A CoreVHDL/E9 program $\parallel i \in I css_i$ is $L$-timing secure if it is $(L, s^*)$-timing secure for all $s^* \in \text{Sig}$.

The definition presented resembles that of [SS00], as we apply a kind of mutation or resetting of the states after each synchronisation point for longer execution sequence (i.e. between each clock cycle). This allows us to focus on the observable values without dealing with the values that flow directly from higher to lower security classes. It follows that we permit controlled declassification without making more information observable through timing channels.
6.3 Execution Path Analysis

This section presents an automatic type-based analysis for certifying secure programs. The analysis is an over-approximation, where a type describing the timing delay of variables and signals manipulated can only be inferred for programs that can be guaranteed to comply with the security condition presented in Section 6.2. We prove the correctness of the analysis in Section 6.4.

The aim of the analysis is to determine the different paths along which an input signal can flow through a system until it reaches an outgoing signal. With this knowledge one can decide if all the paths have the same length with respect to timing delays. For each point in the program the analysis checks that all information flows introduced have the same timing delay. As said, the timing of different execution paths in a COREVHDL\textsuperscript{8} program is determined by the number of synchronisation points passed. The analysis developed here is limited to handling programs where all paths are of finite length, i.e. no process depends on its own output. This limitation follow the tradition of [VS99, Aga00, SS00, Sab01].

The analysis of an expressions $e$ has the form

$$\Gamma \vdash e : \delta$$

where $\Gamma$ is an environment that holds the timing effect of variables and signals ($\Gamma : (Sig \cup Var) \hookrightarrow P(Time)$). The timing effect $\delta$ ($\delta \in P(Time)$) is the set of timing delays of the evaluated expression. The analysis of expressions is presented in Table 6.5.

For the environment $\Gamma$ it holds that

$$\forall s \in Sig_{IN} : \Gamma(s) = \{(s,0)\}$$

indicating that for all in-coming signals, the delay from their entry to the system and to the point where used is always zero clock cycles. This matches the notion of time presented in the semantics, where the incoming signals are introduced as active values in the environment, and then become present values when synchronised. Notice that a program is not allowed to write to an in-coming signal in VHDL [IEE87].

For combining paths we introduce the operator $\otimes$ as

$$\delta \otimes \delta' = \{t \cup t' | t \in \delta \land t' \in \delta'\}$$
6.3 Execution Path Analysis

The analysis of a statement $ss$ has the form

$$\Gamma, \delta \vdash ss : \tau$$

where $\Gamma$ is the environment that holds the timing effect of variables and signals, identical to the one used for analysing expressions. The timing effect $\delta$ ($\delta \in \mathcal{P}(\text{Time})$) might affect the manipulated signals' timing delays due to control flow in the program. The timing behaviour $\tau$ is a map of variables and signals manipulated by $ss$, and their timing effect ($\tau : (\text{Var} \cup \text{Sig}) \rightarrow \mathcal{P}(\text{Time})$).

When analysing assignments to variables and signals we need to take into account the timing delays of variables and signals that determine the control flow of the process. Hence we collect these timing delays in the $\delta$ component. The types of variables and signals therefore need to include this component, and we check that the Cartesian product of the paths are equal to the type (i.e. $\delta \otimes \delta' = \Gamma(x)$ for the variable $x$). Furthermore we need to handle the delay from assignment of a signal to the value becomes the present value of the signal. The modification of a signal cannot be observed before the following clock edge, so in the rule for signal assignment the type is modified accordingly. This is done by overloading the function $-\neg$ to apply on all timing delays in a timing effect.

For the composition of statements and concurrent statements we introduce the operator $\otimes$ on two timing behaviours by

$$(\tau_1 \otimes \tau_2)(n) = \begin{cases} 
\tau_2(n) & \text{if } n \in \text{dom}(\tau_2) \\
\tau_1(n) & \text{otherwise}
\end{cases}$$
### Local Variable Assignment

$$\Gamma \vdash e : \delta' \quad \delta \otimes \delta' = \Gamma(x)$$

$$\Gamma, \delta \vdash x := e : [x \mapsto \delta \otimes \delta']$$

### Signal Assignment

$$\Gamma \vdash e : \delta' \quad (\delta \otimes \delta')^- = \Gamma(s)$$

$$\Gamma, \delta \vdash s <= e : [s \mapsto (\delta \otimes \delta')^-]$$

### Skip

$$\Gamma, \delta \vdash \text{null} : \bot$$

### Final

$$\Gamma, \delta \vdash \text{final} : \bot$$

### Composition

$$\Gamma, \delta \vdash ss_1 : \tau_1 \quad \Gamma, \delta \vdash ss_2 : \tau_2$$

$$\Gamma, \delta \vdash ss_1 ; ss_2 : \tau_1 \uplus \tau_2$$

### Low Conditional

$$\text{FV}(e) \cup \text{FS}(e) \subseteq \mathcal{L} \quad \Gamma \vdash e : \delta'$$

$$\Gamma, \delta \otimes \delta' \vdash ss_1 : \tau_1 \quad \Gamma, \delta \otimes \delta' \vdash ss_2 : \tau_2$$

$$\Gamma, \delta \vdash \text{if } e \text{ then } ss_1 \text{ else } ss_2 : \tau_1 \uplus \tau_2$$

where $\forall n : n \in \text{dom}(\tau) \land |\tau n| \leq 1$

### High Conditional

$$\text{FV}(e) \cup \text{FS}(e) \not\subseteq \mathcal{L} \quad \Gamma \vdash e : \delta'$$

$$\Gamma, \delta \otimes \delta' \vdash ss_1 : \tau \quad \Gamma, \delta \otimes \delta' \vdash ss_2 : \tau$$

$$\Gamma, \delta \vdash \text{if } e \text{ then } ss_1 \text{ else } ss_2 : \tau$$

### Branch

$$\Gamma, \delta \otimes \{t'\} \vdash ss : \tau$$

$$\Gamma, \delta \vdash [t']ss : \tau$$

where $\text{dom}(\tau_1) \cap \text{dom}(\tau_2) = \emptyset$

### Process

$$\Gamma, \emptyset \vdash ss_1 : \tau$$

$$\Gamma \vdash_c i : \text{process } S \text{ begin } ss_1 ; \text{ end process } i : \tau$$

### Concurrency

$$\Gamma \vdash_c css_1 : \tau_1 \quad \Gamma \vdash_c css_2 : \tau_2$$

$$\Gamma \vdash_c css_1 \parallel css_2 : \tau_1 \uplus \tau_2$$

where $\text{dom}(\tau_1) \cap \text{dom}(\tau_2) = \emptyset$

---

Table 6.6: Typing rules for statements and concurrent statements
Conditionals might introduce differences in the timing effect of signals, therefore if the condition contains signals outside the security threshold \( \mathcal{L} \), the analysis verifies that both branches modify signals based on the same timing behaviours. We add to constraint \( \forall n : n \in \text{dom}(\tau) \land |\tau n| \leq 1 \) to make sure nested conditionals do not mask timing channels through statements that is unreachable. If the condition does not contain any signals above the observers threshold \( (FV(e) \cup FS(e) \subseteq \mathcal{L} \), where \( FV \) and \( FS \) are the free variables and signals in the expression \( e \), respectively) we know that information does not become observable. Thus we can allow both paths even when they are different. We unite the paths by the operator \( \uplus \) defined as

\[
(\tau_1 \uplus \tau_2) \ n = (\tau_1 \ n) \cup (\tau_2 \ n)
\]

The analysis of concurrent statements has the form

\[
\Gamma \vdash css : \tau
\]

using the same elements as the analysis of statements, except for the timing effects introduced by conditionals. The analysis verifies the body of each process. The analysis of statements and concurrent statements is presented in Table 6.6.

6.4 Soundness

We prove the soundness of the analysis with respect to the semantics presented in Section 6.1. The analysis checks that the points in time where a signal (or variable) is modified matches the timing effect, so we prove that for any program evaluated in the semantics, and if a type effect can be verified with the analysis then the variable and signal states hold the same timing behaviour as the type for all variables and signals.

First, we define an ordering \( \sqsupseteq \) over the types as

\[
\tau \sqsupseteq \tau' \equiv \forall : n \in \text{dom}(\tau') \Rightarrow \tau \ n \sqsupseteq \tau' \ n
\]

The first result we aim to show is that expressions evaluated in states, that have well-formed timing behaviours for all variables and signals, also have resulting timing behaviours that match the result of the analysis.

**Lemma 6.4** (Secure Expressions) For every expression \( e \) where the semantics evaluates the expression in the states \( \sigma_1 \) and \( \varphi_1 \) as \( \mathcal{E}[e](\sigma_1, \varphi_1) = (v_1, t_1) \), and
in the states $\sigma_2$ and $\varphi_2$ as $E[[e]](\sigma_2, \varphi_2) = (v_2, t_2)$ we have

$$\Gamma \vdash e : \delta \land \\
\sigma_1 \ x \mid _{Time} \in \Gamma \ x \land \sigma_2 \ x \mid _{Time} \in \Gamma \ x \land \varphi_1 \ s \ 0 \mid _{Time} \in \Gamma \ s \land \varphi_2 \ s \ 0 \mid _{Time} \in \Gamma \ s \quad \text{(6.4.1)}$$

$\Rightarrow t_1 \in \delta \land t_2 \in \delta$

Proof. The proof proceeds by induction on the shape of the derivation sequence.

Case m : The semantics evaluates the expression as

$$E[[m]](\sigma_1, \varphi_1) = (L[m], \emptyset)$$

and

$$E[[m]](\sigma_2, \varphi_2) = (L[m], \emptyset)$$

The analysis gives

$$\Gamma \vdash m : \emptyset$$

and the case follows.

Case x : The semantics evaluates the expression as

$$E[[x]](\sigma_1, \varphi_1) = \sigma_1 \ x$$

and

$$E[[x]](\sigma_2, \varphi_2) = \sigma_2 \ x$$

The analysis gives

$$\Gamma \vdash x : \Gamma(x)$$

and the case follows from condition (6.4.1).

Case s : The semantics evaluates the expression as

$$E[[s]](\sigma_1, \varphi_1) = \varphi_1 \ s \ 0$$
6.4 Soundness

and

\[ \mathcal{E}[s] \langle \sigma_2, \varphi_2 \rangle = \varphi_2 s 0 \]

The analysis gives

\[ \Gamma \vdash s : \Gamma(s) \]

and the case follows from condition (6.4.2).

**Case not e**: The semantics evaluates the expression as

\[ \mathcal{E}[\text{not } e] \langle \sigma_1, \varphi_1 \rangle = (\text{not } v_1, t_1) \]

where \( \mathcal{E}[e] \langle \sigma_1, \varphi_1 \rangle = (v_1, t_1) \), and

\[ \mathcal{E}[\text{not } e] \langle \sigma_2, \varphi_2 \rangle = (\text{not } v_2, t_2) \]

where \( \mathcal{E}[e] \langle \sigma_2, \varphi_2 \rangle = (v_2, t_2) \). The analysis gives

\[ \Gamma \vdash e : \delta \]

\[ \Gamma \vdash \text{not } e : \delta \]

the case follows from the induction hypothesis.

**Case e_1 and e_2**: The semantics evaluates the expression as

\[ \mathcal{E}[e_1 \text{ and } e_2] \langle \sigma_1, \varphi_1 \rangle = (v_1 \text{ and } v'_1, t_1 \cup t'_1) \]

where \( \mathcal{E}[e_1] \langle \sigma_1, \varphi_1 \rangle = (v_1, t_1) \) and \( \mathcal{E}[e_2] \langle \sigma_1, \varphi_1 \rangle = (v'_1, t'_1) \), and

\[ \mathcal{E}[e_1 \text{ and } e_2] \langle \sigma_2, \varphi_2 \rangle = (v_2 \text{ and } v'_2, t_2 \cup t'_2) \]

where \( \mathcal{E}[e_1] \langle \sigma_2, \varphi_2 \rangle = (v_2, t_2) \) and \( \mathcal{E}[e_2] \langle \sigma_2, \varphi_2 \rangle = (v'_2, t'_2) \). The analysis gives

\[ \Gamma \vdash e_1 : \delta \]

\[ \Gamma \vdash e_2 : \delta' \]

\[ \Gamma \vdash e_1 \text{ and } e_2 : \delta \otimes \delta' \]

We have \( t_1 \in \delta, t_2 \in \delta, t'_1 \in \delta' \) and \( t'_2 \in \delta' \) from the induction hypothesis. Hence \( t_1 \cup t'_1 \in \delta \otimes \delta' \) and \( t_2 \cup t'_2 \in \delta \otimes \delta' \).
Proof. The proof proceeds by induction on the shape of the execution tree.

Case \( e_1 \) or \( e_2 \) : The semantics evaluates the expression as
\[
\mathcal{E}[e_1 \ or \ e_2] \langle \sigma_1, \varphi_1 \rangle = (v_1 \ or \ v'_1, t_1 \cup t'_1)
\]
where \( \mathcal{E}[e_1] \langle \sigma_1, \varphi_1 \rangle = (v_1, t_1) \) and \( \mathcal{E}[e_2] \langle \sigma_1, \varphi_1 \rangle = (v'_1, t'_1) \), and
\[
\mathcal{E}[e_1 \ or \ e_2] \langle \sigma_2, \varphi_2 \rangle = (v_2 \ or \ v'_2, t_2 \cup t'_2)
\]
where \( \mathcal{E}[e_1] \langle \sigma_2, \varphi_2 \rangle = (v_2, t_2) \) and \( \mathcal{E}[e_2] \langle \sigma_2, \varphi_2 \rangle = (v'_2, t'_2) \). The analysis gives
\[
\Gamma \vdash e_1 : \delta \quad \Gamma \vdash e_2 : \delta'
\]
\[
\therefore \Gamma \vdash e_1 \ or \ e_2 : \delta \otimes \delta'
\]
We have \( t_1 \in \delta, t_2 \in \delta, t'_1 \in \delta' \) and \( t'_2 \in \delta' \) from the induction hypothesis. Hence \( t_1 \cup t'_1 \in \delta \otimes \delta' \) and \( t_2 \cup t'_2 \in \delta \otimes \delta' \).

Case \( e_1 \ xor \ e_2 \) : The semantics evaluates the expression as
\[
\mathcal{E}[e_1 \ xor \ e_2] \langle \sigma_1, \varphi_1 \rangle = (v_1 \ xor \ v'_1, t_1 \cup t'_1)
\]
where \( \mathcal{E}[e_1] \langle \sigma_1, \varphi_1 \rangle = (v_1, t_1) \) and \( \mathcal{E}[e_2] \langle \sigma_1, \varphi_1 \rangle = (v'_1, t'_1) \), and
\[
\mathcal{E}[e_1 \ xor \ e_2] \langle \sigma_2, \varphi_2 \rangle = (v_2 \ xor \ v'_2, t_2 \cup t'_2)
\]
where \( \mathcal{E}[e_1] \langle \sigma_2, \varphi_2 \rangle = (v_2, t_2) \) and \( \mathcal{E}[e_2] \langle \sigma_2, \varphi_2 \rangle = (v'_2, t'_2) \). The analysis gives
\[
\Gamma \vdash e_1 : \delta \quad \Gamma \vdash e_2 : \delta'
\]
\[
\therefore \Gamma \vdash e_1 \ xor \ e_2 : \delta \otimes \delta'
\]
We have \( t_1 \in \delta, t_2 \in \delta, t'_1 \in \delta' \) and \( t'_2 \in \delta' \) from the induction hypothesis. Hence \( t_1 \cup t'_1 \in \delta \otimes \delta' \) and \( t_2 \cup t'_2 = \delta \otimes \delta' \). \( \square \)

The correctness of the analysis for statements is stated in the following subject reduction result.

Lemma 6.5 (Subject Reduction) For a statement \( ss \) that is evaluated by the semantics in the states \( \sigma \) and \( \varphi \) as \( t \vdash (ss, \sigma, \varphi) \Rightarrow (ss', \sigma', \varphi') \) we have
\[
\begin{align*}
\Gamma, \delta \vdash ss : \tau \wedge t \in \delta \wedge \\
\forall x : \sigma \ x|_{\text{Time}} \in \Gamma x \wedge \\
\forall s : \varphi \ s|_{\text{Time}} \in \Gamma s
\end{align*}
\]
\[
\Rightarrow \begin{cases} \\
\exists \tau' : \Gamma, \delta \vdash ss' : \tau' \wedge \\
\tau \sqsubseteq \tau'
\end{cases}
\]

Proof. The proof proceeds by induction on the shape of the execution tree.
Case Local Variable Assignment: The semantics evaluates the statement as

\[ t \vdash (x := e, \sigma, \varphi) \Rightarrow (\text{final}, \sigma', \varphi) \]

where \( E[e][\sigma, \varphi] = (v, t') \) and \( \sigma' = \sigma[x \mapsto (v, t \cup t')] \). The analysis gives

\[
\Gamma \vdash e : \delta' \quad \delta \otimes \delta' \subseteq \Gamma(x) \\
\Gamma, \delta \vdash x := e : [x \mapsto \delta \otimes \delta']
\]

and

\[
\Gamma, \delta \vdash \text{final} : \bot
\]

now \( \tau = [x \mapsto \delta \otimes \delta'] \) and \( \tau' = \bot \), hence \( \tau \supseteq \tau' \).

Case Signal Assignment: The semantics evaluates the statement as

\[ t \vdash (s <= e, \sigma, \varphi) \Rightarrow (\text{final}, \sigma, \varphi') \]

where \( E[e][\sigma, \varphi] = (v, t') \) and \( \varphi' = \varphi[1][s \mapsto (v, t \cup t')] \). The analysis gives

\[
\Gamma \vdash e : \delta' \quad \delta \otimes \delta' \subseteq \Gamma(s) \\
\Gamma, \delta \vdash s <= e : [s \mapsto \delta \otimes \delta']
\]

and

\[
\Gamma, \delta \vdash \text{final} : \bot
\]

now \( \tau = [s \mapsto \delta \otimes \delta'] \) and \( \tau' = \bot \), hence \( \tau \supseteq \tau' \).

Case Skip: The semantics evaluates the statement as

\[ t \vdash (\text{null}, \sigma, \varphi) \Rightarrow (\text{final}, \sigma, \varphi) \]

The analysis gives

\[
\Gamma, \delta \vdash \text{null} : \bot
\]

and

\[
\Gamma, \delta \vdash \text{final} : \bot
\]

now \( \tau = \bot \) and \( \tau' = \bot \), and the case follows as \( \tau = \tau' \).
Case Composition: In one rule the semantics evaluates the statement as

\[
t \vdash (ss_1, \sigma, \varphi) \Rightarrow (ss'_1, \sigma', \varphi')
\]

where \( ss'_1 \in Stmt \). The analysis gives

\[
\Gamma, \delta \vdash ss_1 : \tau_1 \quad \Gamma, \delta \vdash ss_2 : \tau_2
\]

and the analysis of \( ss'_1 \) gives \( \Gamma, \delta \vdash ss'_1 : \tau'_1 \). Now applying the rule for composition we can derive

\[
\Gamma, \delta \vdash ss'_1 : \tau'_1 \quad \Gamma, \delta \vdash ss_2 : \tau_2
\]

now it follows from the induction hypothesis for \( t \vdash (ss_1, \sigma, \varphi) \Rightarrow (ss'_1, \sigma', \varphi') \) and \( \Gamma, \delta \vdash ss_1 : \tau_1 \) that we can choose \( \tau'_1 \) such that \( \Gamma, \delta \vdash ss'_1 : \tau'_1 \) and \( \tau_1 \supseteq \tau'_1 \), and clearly \( \tau_1 \uplus \tau_2 \supseteq \tau'_1 \uplus \tau_2 \) which proves the rule. In the other rule the semantics evaluates the statement as

\[
t \vdash (ss_1, \sigma, \varphi) \Rightarrow (\text{final}, \sigma', \varphi')
\]

The analysis gives

\[
\Gamma, \delta \vdash ss_1 : \tau_1 \quad \Gamma, \delta \vdash ss_2 : \tau_2
\]

and

\[
\Gamma, \delta \vdash ss_2 : \tau_2
\]

now \( \tau_1 \uplus \tau_2 \supseteq \tau_2 \).

Case Low Conditional: The semantics evaluates the statement as

\[
t \vdash \langle \text{if } e \text{ then } ss_1 \text{ else } ss_2, \sigma, \varphi \rangle \Rightarrow ( [t \cup \text{te}] ss', \sigma, \varphi ), \text{ where } ss' = ss_1 \text{ when } E[e](\sigma, \varphi) = (1', t^e) \text{ and } ss' = ss_2 \text{ when } E[e](\sigma, \varphi) = (0', t^e). \text{ The analysis gives}
\]

\[
FV(e) \cup FS(e) \subseteq L \quad \Gamma \vdash e : \delta^e \quad \Gamma, \delta \uplus \delta^e \vdash ss_1 : \tau_1 \quad \Gamma, \delta \uplus \delta^e \vdash ss_2 : \tau_2
\]
and
\[
\Gamma, \delta \otimes \{t^e\} \vdash ss' : \tau' \\
\Gamma, \delta \vdash [t^e]ss' : \tau'
\]
from Lemma 6.4 we get that \(t^e \in \delta^e\). Thus \(\delta \otimes \{t^e\} \subseteq \delta \otimes \delta^e\) and we get that either \(\tau_1 \supseteq \tau'\) or \(\tau_2 \supseteq \tau'\). Now it follows that \(\tau_1 \uplus \tau_2 \supseteq \tau'\).

**Case High Conditional:** The semantics evaluates the statement as
\[
t \vdash (\text{if } e \text{ then } ss_1 \text{ else } ss_2, \sigma, \varphi) \Rightarrow \langle [t \cup t^e]ss', \sigma, \varphi \rangle,
\]
where \(ss' = ss_1\) when \(E[e] \langle \sigma, \varphi \rangle = (t', t^e)\) and \(ss' = ss_2\) when \(E[e] \langle \sigma, \varphi \rangle = (0', t^e)\). The analysis gives
\[
FV(e) \cup FS(e) \not\subseteq L \\
\Gamma \vdash e : \delta' \\
\Gamma, \delta \otimes \delta' \vdash ss_1 : \tau \\
\Gamma, \delta \otimes \delta' \vdash ss_2 : \tau
\]
where \(\forall n : n \in \text{dom}(\tau) \land |\tau n| \leq 1\). Now from Lemma 6.4 we get that \(t^e \in \delta^e\) and
\[
\Gamma, \delta \otimes \{t^e\} \vdash ss' : \tau' \\
\Gamma, \delta \vdash [t^e]ss' : \tau'
\]
it follows that \(\tau \supseteq \tau'\).

**Case Branch:** In one rule the semantics evaluates the statement as
\[
t \cup t^e \vdash (ss, \sigma, \varphi) \Rightarrow (ss', \sigma', \varphi')
\]
\[
t \vdash (\langle t \cup t^e \rangle ss, \sigma, \varphi) \Rightarrow (ss', \sigma', \varphi')
\]
where \(ss' \in Stmt\). The analysis gives
\[
\Gamma, \delta \otimes \{t^e\} \vdash ss : \tau \\
\Gamma, \delta \vdash [t^e]ss : \tau
\]
and
\[
\Gamma, \delta \otimes \{t^e\} \vdash ss' : \tau' \\
\Gamma, \delta \vdash [t^e]ss' : \tau'
\]
and the case follows from applying the induction hypothesis. In the other rule the semantics evaluates the statement as
\[
t \cup t^e \vdash (ss, \sigma, \varphi) \Rightarrow (\text{final}, \sigma', \varphi')
\]
\[
t \vdash (\langle t \cup t^e \rangle ss, \sigma, \varphi) \Rightarrow (\text{final}, \sigma', \varphi')
\]
again the analysis gives

\[ \Gamma, \delta \subseteq \{ t^e \} \vdash ss : \tau \]

\[ \Gamma, \delta \vdash [t^e]ss : \tau \]

and

\[ \Gamma, \delta \vdash \text{final} : \bot \]

and the case follows because \( \tau' = \bot \), hence \( \tau \subseteq \tau' \).

Now we stated that the result of the analysis of a program contain all possible modifications of timing behaviours in the associated states. First it is shown for semantical evaluations in one step. Below we generalise for executions of arbitrary length.

**Lemma 6.6** (One step semantic correctness of time delays) For a statement \( ss \) that is evaluated by the semantics in the states \( \sigma \) and \( \phi \) as \( t \vdash \langle ss, \sigma, \phi \rangle \Rightarrow \langle ss', \sigma', \phi' \rangle \) we have

\[
\begin{align*}
\Gamma, \delta \vdash ss : \tau & \wedge \\
\Gamma, \delta \vdash ss' : \tau' & \wedge \\
t \in \delta & \wedge \\
\sigma |_{\text{Time}} & \in \Gamma \ w \end{align*}
\]

\[
\Rightarrow \begin{cases}
\sigma' \ x |_{\text{Time}} \in \Gamma \ w \wedge \phi' \ s |_{\text{Time}} \in \Gamma \ w \\
\forall x' : x' \not\in \text{dom}(\tau) \setminus \text{dom}(\tau') \Rightarrow \sigma \ w \ w \wedge \\
\forall x'' : x'' \not\in \text{dom}(\tau) \setminus \text{dom}(\tau') \Rightarrow \sigma' \ w \ w \\
\forall s' : s' \not\in \text{dom}(\tau) \setminus \text{dom}(\tau') \Rightarrow \phi \ s |_{\text{Time}} \in \tau \ s'' \wedge \\
\forall s'' : s'' \not\in \text{dom}(\tau) \setminus \text{dom}(\tau') \Rightarrow \phi' \ s' |_{\text{Time}} \in \tau \ s''
\end{cases}
\]

**Proof.** By induction on the shape of the derivation tree.

**Case Local Variable Assignment:** The semantics evaluates the statement as

\[ t \vdash \langle x := e, \sigma, \phi \rangle \Rightarrow \langle \text{final}, \sigma', \phi' \rangle \]

where \( E[e](\sigma, \phi) = (v, t') \) and \( \sigma' = \sigma[x \mapsto (v, t \cup t')] \), while the analysis gives

\[ \Gamma \vdash e : \delta' \]

\[ \delta \cup \delta' \subseteq \Gamma(x) \]

and

\[ \Gamma, \delta \vdash \text{final} : \tau' \]

where \( \tau = [x \mapsto \delta \oplus \delta'] \) and \( \tau' = \bot \). From Lemma \[6.4\] it follows that \( t' \in \delta' \). Now \( \sigma' |_{\text{Time}} \in \Gamma \ w \ w \ w \ w \). From \( \text{dom}(\tau) = \{ x \} \), \( \text{dom}(\tau') = \emptyset \) and \( \text{dom}(\tau) \setminus \text{dom}(\tau') = \{ x \} \).
6.4 Soundness

Case Signal Assignment: The semantics evaluates the statement as
\[ t \vdash \langle s <= e, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma, \varphi' \rangle \]
where \( E[e](\sigma, \varphi) = (v, t') \) and \( \varphi' = \varphi^{[1]}[s \mapsto (v, t \cup t')] \), while the analysis gives
\[
\Gamma \vdash e : \delta' (\delta \otimes \delta')^- \subseteq \Gamma(s) \\
\Gamma, \delta \vdash s <= e : \tau
\]
and
\[
\Gamma, \delta \vdash \text{final} : \tau'
\]
where \( \tau = [s \mapsto (\delta \otimes \delta')^-] \) and \( \tau' = \bot \). From Lemma 6.4 it follows that \( t' \in \delta' \).
Now \( \varphi' s 1_{\text{Time}} \delta \Gamma s = \tau s, \text{dom}(\tau) = \{s\}, \text{dom}(\tau') = \emptyset \) and \( \text{dom}(\tau) \setminus \text{dom}(\tau') = \{s\} \).

Case Skip: The semantics evaluates the statement as
\[ t \vdash \langle \text{null}, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma, \varphi \rangle \]
while the analysis gives
\[
\Gamma, \delta \vdash \text{null} : \bot
\]
and
\[
\Gamma, \delta \vdash \text{final} : \bot
\]
so that the case follows.

Case Composition: There are two subcases. One is where the semantics evaluates the statement as
\[
\begin{align*}
\Gamma, \delta \vdash ss_1, \sigma, \varphi \Rightarrow ss_1', \sigma', \varphi' \\
\Gamma, \delta \vdash ss_1; ss_2, \sigma, \varphi \Rightarrow ss_1', ss_2, \sigma', \varphi'
\end{align*}
\]
where \( ss_1' \in Stmt \), while the analysis give
\[
\Gamma, \delta \vdash ss_1 : \tau_1 \\
\Gamma, \delta \vdash ss_2 : \tau_2 \\
\Gamma, \delta \vdash ss_1; ss_2 : \tau_1 \uplus \tau_2
\]

Now assuming that $\Gamma, \delta \vdash ss_1 : \tau_1'$ we can apply rule $[\text{Composition}]$ with the same derivation tree as above for $ss_2$ and get

$$\frac{\Gamma, \delta \vdash ss_1 : \tau_1' \quad \Gamma, \delta \vdash ss_2 : \tau_2}{\Gamma, \delta \vdash ss_1; ss_2 : \tau_1' \uplus \tau_2}$$

Applying the induction hypothesis on $t \vdash \langle ss_1, \sigma, \varphi \rangle \Rightarrow \langle ss_1', \sigma', \varphi' \rangle$ we get

$$\sigma' x |_{Time} \in \Gamma \quad \varphi' s 1 |_{Time} \in \Gamma$$

$$\forall x : x \notin dom(\tau_1) \setminus dom(\tau_1') \Rightarrow \sigma x = \sigma' x$$

$$\forall x : x \in dom(\tau_1) \setminus dom(\tau_1') \Rightarrow \sigma' x |_{Time} \in \tau_1 x$$

$$\forall s : s \notin dom(\tau_1) \setminus dom(\tau_1') \Rightarrow \varphi s 1 = \varphi' s 1$$

$$\forall s : s \in dom(\tau_1) \setminus dom(\tau_1') \Rightarrow \varphi' s 1 |_{Time} \in \tau_1 s$$

and since $dom(\tau_1 \uplus \tau_2) \setminus dom(\tau_1') = dom(\tau_1) \setminus dom(\tau_1')$ the case follows. The other subcase is where the first step in the derivation sequence was evaluated as

$$t \vdash \langle ss_1, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma', \varphi' \rangle$$

and again the analysis gives

$$\Gamma, \delta \vdash ss_1 : \tau_1$$

$$\Gamma, \delta \vdash ss_2 : \tau_2$$

and

$$\Gamma, \delta \vdash ss_2 : \tau_2$$

Applying the induction hypothesis on $t \vdash \langle ss_1, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma', \varphi' \rangle$ we get

$$\sigma' x |_{Time} \in \Gamma \quad \varphi' s 1 |_{Time} \in \Gamma$$

$$\forall x : x \notin dom(\tau_1) \setminus dom(\tau_1') \Rightarrow \sigma x = \sigma' x$$

$$\forall x : x \in dom(\tau_1) \setminus dom(\tau_1') \Rightarrow \sigma' x |_{Time} \in \tau_1 x$$

$$\forall s : s \notin dom(\tau_1) \setminus dom(\tau_1') \Rightarrow \varphi s 1 = \varphi' s 1$$

$$\forall s : s \in dom(\tau_1) \setminus dom(\tau_1') \Rightarrow \varphi' s 1 |_{Time} \in \tau_1 s$$

where $\tau_1' = \bot$ because $\Gamma, \delta \vdash \text{final} : \bot$. Since $dom(\tau_1 \uplus \tau_2) \setminus dom(\tau_2) = dom(\tau_1)$ the case follows.
Case Low Conditional: The semantics evaluates the statement as
\[
t ⊩ (\text{if } e \text{ then } s_{s1} \text{ else } s_{s2}, σ, ϕ) \Rightarrow \langle [t \cup t'] s_{s'}, σ, ϕ \rangle,
\]
where \(s_{s'} = s_{s1}\) when \(E[e]⟨σ, ϕ⟩ = (\prime', t')\) and \(s_{s'} = s_{s2}\) when \(E[e]⟨σ, ϕ⟩ = (0', t')\). The analysis gives
\[
FV(e) ∪ FS(e) ⊆ L
\]
\[
Γ ⊩ e : δ' \quad Γ, δ ⊗ δ' ⊩ s_{s1} : τ_1 \quad Γ, δ ⊗ δ' ⊩ s_{s2} : τ_2
\]
\[
Γ, δ ⊩ \text{if } e \text{ then } s_{s1} \text{ else } s_{s2} : τ_1 ∪ τ_2
\]
now as the states are unchanged and the case follows.

Case High Conditional: The semantics evaluates the statement as
\[
t ⊩ (\text{if } e \text{ then } s_{s1} \text{ else } s_{s2}, σ, ϕ) \Rightarrow \langle [t \cup t'] s_{s'}, σ, ϕ \rangle,
\]
where \(s_{s'} = s_{s1}\) when \(E[e]⟨σ, ϕ⟩ = (\prime', t')\) and \(s_{s'} = s_{s2}\) when \(E[e]⟨σ, ϕ⟩ = (0', t')\). The analysis gives
\[
FV(e) ∪ FS(e) \not⊆ L
\]
\[
Γ ⊩ e : δ' \quad Γ, δ ⊗ δ' ⊩ s_{s1} : τ \quad Γ, δ ⊗ δ' ⊩ s_{s2} : τ
\]
\[
Γ, δ ⊩ \text{if } e \text{ then } s_{s1} \text{ else } s_{s2} : τ
\]
where \(∀n : n ∈ dom(τ) ∧ |τ n| ≤ 1\). Now as the states are unchanged and the case follows.

Case Branch: There are two subcases. One is where the semantics evaluates the statement
\[
t \cup t' ⊩ \langle s_{s}, σ, ϕ⟩ \Rightarrow \langle s_{s}', σ', ϕ'⟩
\]
while the analysis gives
\[
Γ, δ ⊗ \{t'\} ⊩ s_{s} : τ
\]
\[
Γ, δ ⊩ [t'] ss : τ
\]
and
\[
Γ, δ ⊗ \{t'\} ⊩ s_{s}' : τ'
\]
\[
Γ, δ ⊩ [t'] ss' : τ'
\]
The desired result then follows from applying the induction hypothesis. In the other subcase the semantics evaluates the statement as
\[
t \cup t' ⊩ \langle s_{s}, σ, ϕ⟩ \Rightarrow \langle final, σ', ϕ'⟩
\]
\[
t ⊩ \langle [t'] ss, σ, ϕ⟩ \Rightarrow \langle final, σ', ϕ'⟩\]
and again the analysis
\[
\Gamma, \delta \otimes \{t\} \vdash ss : \tau
\]
\[
\Gamma, \delta \vdash [t']ss : \tau
\]
and
\[
\Gamma, \delta \vdash \text{final} : \bot
\]
The desired result follows from applying the induction hypothesis on \( t \cup t' \vdash \langle ss, \sigma, \varphi \rangle \Rightarrow \langle \text{final}, \sigma', \varphi' \rangle \). Where the analysis for \( t \cup t' \vdash \langle \text{final}, \sigma', \varphi' \rangle \) gives \( \Gamma, \delta \otimes \{t'\} \vdash \text{final} : \bot \). This completes the proof of Lemma 6.6. □

We generalise the result above by showing that the result of the analysis of a program contain all modifications of timing behaviours in executions of arbitrary length.

Lemma 6.7 (Semantic correctness of time delays) For a statement \( ss \) that is evaluated by the semantics in the states \( \sigma \) and \( \varphi \) as \( t \vdash \langle ss, \sigma, \varphi \rangle \Rightarrow^* \langle \text{final}, \sigma', \varphi' \rangle \) we have
\[
\Gamma, \delta \vdash ss : \tau \land t \in \delta \land \\
\sigma x|_{\text{Time}} \in \Gamma x \land \\
\varphi s 0|_{\text{Time}} \in \Gamma s
\]
\[
\Rightarrow \left\{ \begin{array}{l}
\forall x' : x' \not\in \text{dom}(\tau) \Rightarrow \sigma x' = \sigma' x' \land \\
\forall x'' : x'' \in \text{dom}(\tau) \Rightarrow \sigma' x''|_{\text{Time}} \in \tau x'' \land \\
\forall s' : s' \not\in \text{dom}(\tau) \Rightarrow \varphi s' 1 = \varphi' s' 1 \land \\
\forall s'' : s'' \in \text{dom}(\tau) \Rightarrow \varphi' s'' 1 = \varphi'' s'' 1
\end{array} \right. \\
\end{array}
\]

Proof. The Lemma follows from the transitive closure of Lemma 6.6. □

In the below results of secure statements we need to consider the first coming statement in the evaluation. This is defined in the following definition.

Definition 6.8 (First statement) The function \( \text{first} \) on a statements is defined as
\[
\text{first}_t(x := e) = x := e
\]
\[
\text{first}_t(s <= e) = s <= e
\]
\[
\text{first}_t(\text{null}) = \text{null}
\]
\[
\text{first}_t(ss_1; ss_2) = \text{first}_t(ss_1)
\]
\[
\text{first}_t(\text{if } e \text{ then } ss_1 \text{ else } ss_2) = [t']\text{if } e \text{ then } ss_1 \text{ else } ss_2
\]
\[
\text{first}_t([t']ss) = \text{first}_{t \cup t'}(ss)
\]

Now we stated that the successful analysis of a program provides the guarantees stated in the absence of timing leaks property. First it is shown for semantical evaluations in one step. Below we generalise for executions of arbitrary length.
Lemma 6.9 (One step Secure Statements) For every statement ss where
\( \text{first}_t(ss) \neq [t'] \text{if } e \text{ then } ss_1 \text{ else } ss_2 \) or \( \text{FV}(e) \cup \text{FS}(e) \subseteq L \) then if the semantics evaluates the statement in the states \( \sigma_1 \) and \( \varphi_1 \) as \( t \vdash \langle ss, \sigma_1, \varphi_1 \rangle \Rightarrow \langle ss_1', \sigma_1', \varphi_1' \rangle \) and in states \( \sigma_2 \) and \( \varphi_2 \) as \( t \vdash \langle ss, \sigma_2, \varphi_2 \rangle \Rightarrow \langle ss_2', \sigma_2', \varphi_2' \rangle \) we have
\[
\Gamma, \delta \vdash ss : \tau \land t \in \delta \land \\
\sigma_1 \ x | \text{Time} = \sigma_2 \ x | \text{Time} \in \Gamma \ x \land \quad (6.9.1) \\
\varphi_1 \ s \ 0 | \text{Time} = \varphi_2 \ s \ 0 | \text{Time} \in \Gamma \ s \land \quad (6.9.2) \\
\forall s : s \in L \Rightarrow \varphi_1 \ s \ 0 = \varphi_2 \ s \ 0 \quad (6.9.3)
\]
\[
\implies \\
ss_1' = ss_2' \land \quad (6.9.4) \\
\sigma_1' \ x | \text{Time} = \sigma_2' \ x | \text{Time} \land \quad (6.9.5) \\
\varphi_1' \ s \ 1 | \text{Time} = \varphi_2' \ s \ 1 | \text{Time} \quad (6.9.6)
\]
otherwise if \( \text{first}_t(ss) = [t'] \text{if } e \text{ then } ss_1 \text{ else } ss_2 \) and \( \text{FV}(e) \cup \text{FS}(e) \nsubseteq L \) then if the semantics evaluates the statement in the states \( \sigma_1 \) and \( \varphi_1 \) as \( t' \vdash \langle \text{if } e \text{ then } ss_1 \text{ else } ss_2, \sigma_1, \varphi_1 \rangle \Rightarrow^* (\text{final}, \sigma_1', \varphi_1') \) and in states \( \sigma_2 \) and \( \varphi_2 \) as \( t' \vdash \langle \text{if } e \text{ then } ss_1 \text{ else } ss_2, \sigma_2, \varphi_2 \rangle \Rightarrow^* (\text{final}, \sigma_2', \varphi_2') \) we have
\[
\Gamma, \delta \vdash ss : \tau \land t \in \delta \land \\
\sigma_1 \ x | \text{Time} = \sigma_2 \ x | \text{Time} \in \Gamma \ x \land \quad (6.9.7) \\
\varphi_1 \ s \ 0 | \text{Time} = \varphi_2 \ s \ 0 | \text{Time} \in \Gamma \ s \land \quad (6.9.8) \\
\forall s : s \in L \Rightarrow \varphi_1 \ s \ 0 = \varphi_2 \ s \ 0 \quad (6.9.9)
\]
\[
\implies \\
\sigma_1' \ x | \text{Time} = \sigma_2' \ x | \text{Time} \land \quad (6.9.10) \\
\varphi_1' \ s \ 1 | \text{Time} = \varphi_2' \ s \ 1 | \text{Time} \quad (6.9.11)
\]
\begin{proof}
The proof proceeds by induction on the shape of the derivation sequence.
\end{proof}

\begin{case}
Local Variable Assignment: The semantics evaluates the statement as
\[
t \vdash \langle x := e, \sigma_1, \varphi_1 \rangle \Rightarrow \langle \text{final}, \sigma_1[x \mapsto (v_1, t \cup t_1)], \varphi_1 \rangle
\]
where \( \mathcal{E}[e] \langle \sigma_1, \varphi_1 \rangle = (v_1, t_1) \), and
\[
t \vdash \langle x := e, \sigma_2, \varphi_2 \rangle \Rightarrow \langle \text{final}, \sigma_2[x \mapsto (v_2, t \cup t_2)], \varphi_2 \rangle
\]
\end{case}
where $E[e][\sigma_2, \varphi_2] = (v_2, t_2)$. The analysis gives
\[
\Gamma \vdash e : \delta' \quad \delta \otimes \delta' \subseteq \Gamma(x) \\
\Gamma, \delta \vdash x := e : [x \mapsto \delta \otimes \delta']
\]

and from Lemma 6.4 we get $t_1 = t_2 \in \delta'$ and $t \cup t_1 = t \cup t_2 \in \delta \otimes \delta'$. Hence $\sigma_1' x|\text{Time} = \sigma_2' x|\text{Time}$ which proves (6.9.5). Finally, (6.9.4) and (6.9.6) follow directly from the evaluation and the analysis.

**Case Signal Assignment:** The semantics evaluates the statement as
\[
t \vdash \langle s <= e, \sigma_1, \varphi_1 \rangle \Rightarrow \langle \text{final}, \sigma_1, \varphi_1'[s \mapsto (v_1, t \cup t_1)] \rangle
\]
where $E[e][\sigma_1, \varphi_1] = (v_1, t_1)$, and
\[
t \vdash \langle s <= e, \sigma_2, \varphi_2 \rangle \Rightarrow \langle \text{final}, \sigma_2, \varphi_2'[s \mapsto (v_2, t \cup t_2)] \rangle
\]
where $E[e][\sigma_2, \varphi_2] = (v_2, t_2)$. The analysis gives
\[
\Gamma \vdash e : \delta' \quad (\delta \otimes \delta')^\perp \subseteq \Gamma(s) \\
\Gamma, \delta \vdash s <= e : [s \mapsto (\delta \otimes \delta')^\perp]
\]
and from Lemma 6.4 we get $t_1 = t_2 \in \delta'$, and $t \cup t_1 = t \cup t_2 \in \delta \otimes \delta'$. Hence $\varphi_1' s|\text{Time} = \varphi_2' s|\text{Time}$ which proves (6.9.6). Finally, (6.9.4) and (6.9.5) follow directly from the evaluation and the analysis.

**Case Skip:** The semantics evaluates the statement as
\[
t \vdash \langle \text{null}, \sigma_1, \varphi_1 \rangle \Rightarrow \langle \text{final}, \sigma_1, \varphi_1 \rangle
\]
and
\[
t \vdash \langle \text{null}, \sigma_2, \varphi_2 \rangle \Rightarrow \langle \text{final}, \sigma_2, \varphi_2 \rangle
\]
The analysis gives
\[
\Gamma, \delta \vdash \text{null} : \bot
\]
and the case follows.
**Case Composition:** There are two subcases. One is where the semantics evaluates the statement as

\[
\begin{align*}
t &\vdash \langle ss_1, \sigma_1, \varphi_1 \rangle \Rightarrow \langle \tau_1, \sigma_1', \varphi_1' \rangle \\
t &\vdash \langle ss_1; ss_2, \sigma_1, \varphi_1 \rangle \Rightarrow \langle \tau_1', \sigma_1', \varphi_1' \rangle
\end{align*}
\]

and

\[
\begin{align*}
t &\vdash \langle ss_1, \sigma_2, \varphi_2 \rangle \Rightarrow \langle \tau_2, \sigma_2', \varphi_2' \rangle \\
t &\vdash \langle ss_1; ss_2, \sigma_2, \varphi_2 \rangle \Rightarrow \langle \tau_2', \sigma_2', \varphi_2' \rangle
\end{align*}
\]

where ss' \in Stmt. The analysis gives

\[
\Gamma, \delta \vdash ss_1 : \tau_1 \quad \Gamma, \delta \vdash ss_2 : \tau_2
\]

and the case follows from applying the induction hypothesis. In the other subcase the semantics evaluates the statement as

\[
\begin{align*}
t &\vdash \langle ss_1, \sigma_1, \varphi_1 \rangle \Rightarrow \langle \text{final}, \sigma_1', \varphi_1' \rangle \\
t &\vdash \langle ss_1; ss_2, \sigma_1, \varphi_1 \rangle \Rightarrow \langle \tau_1', \sigma_1', \varphi_1' \rangle
\end{align*}
\]

and

\[
\begin{align*}
t &\vdash \langle ss_1, \sigma_2, \varphi_2 \rangle \Rightarrow \langle \text{final}, \sigma_2', \varphi_2' \rangle \\
t &\vdash \langle ss_1; ss_2, \sigma_2, \varphi_2 \rangle \Rightarrow \langle \tau_2', \sigma_2', \varphi_2' \rangle
\end{align*}
\]

again the analysis gives

\[
\Gamma, \delta \vdash ss_1 : \tau_1 \quad \Gamma, \delta \vdash ss_2 : \tau_2
\]

and the case follows from applying the induction hypothesis.

**Case Low Conditional:** The semantics evaluates the statement as

\[
\begin{align*}
t &\vdash \langle \text{if } e \text{ then } ss_1 \text{ else } ss_2, \sigma_1, \varphi_1 \rangle \Rightarrow \langle [t'][ss', \sigma_1', \varphi_1'] \rangle
\end{align*}
\]

and

\[
\begin{align*}
t &\vdash \langle \text{if } e \text{ then } ss_1 \text{ else } ss_2, \sigma_2, \varphi_2 \rangle \Rightarrow \langle [t''][ss'', \sigma_2', \varphi_2'] \rangle
\end{align*}
\]

The analysis gives

\[
\begin{align*}
FV(e) \cup FS(e) &\subseteq \mathcal{L} \\
\Gamma &\vdash e : \delta' \\
\Gamma &\vdash ss_1 : \tau_1 \\
\Gamma &\vdash ss_2 : \tau_2
\end{align*}
\]

\[
\begin{align*}
\Gamma, \delta &\vdash \text{if } e \text{ then } ss_1 \text{ else } ss_2 : \tau_1 \uplus \tau_2
\end{align*}
\]
now it follow from $FV(e) \cup FS(e) \subseteq \mathcal{L}$ and \[\text{(6.9.3)}\] that $\mathcal{E}[e] \langle \sigma_1, \varphi_1 \rangle = \mathcal{E}[e] \langle \sigma_2, \varphi_2 \rangle$. Therefore we have $t' = t''$ and $ss' = ss''$. Because the states are unchanged the case follows.

**Case High Conditional:** The semantics evaluates the statement as

$$t \vdash (\text{if } e \text{ then } ss_1 \text{ else } ss_2, \sigma_1, \varphi_1) \Rightarrow^* (\text{final}, \sigma_1', \varphi_1')$$

and

$$t \vdash (\text{if } e \text{ then } ss_1 \text{ else } ss_2, \sigma_2, \varphi_2) \Rightarrow^* (\text{final}, \sigma_2', \varphi_2')$$

The analysis gives

$$FV(e) \cup FS(e) \not\subseteq \mathcal{L} \quad \Gamma \vdash e : \delta' \quad \Gamma, \delta \otimes \delta' \vdash ss_1 : \tau \quad \Gamma, \delta \otimes \delta' \vdash ss_2 : \tau$$

where $\forall n : n \in \text{dom}(\tau) \land |\tau n| \leq 1$ and from Lemma 6.7 we get

(i) $x' \not\in \text{dom}(\tau) \Rightarrow \sigma_1 x' = \sigma_1' x' \land$

(ii) $x \in \text{dom}(\tau) \Rightarrow \sigma_1' x \big|_{\text{Time} \in \tau} x \land$

(iii) $s' \not\in \text{dom}(\tau) \Rightarrow \varphi_1' s' 1 = \varphi_1' s' 1 \land$

(iv) $s \in \text{dom}(\tau) \Rightarrow \varphi_1' s \big|_{\text{Trm} \in \tau} s$ 

and

(v) $x' \not\in \text{dom}(\tau) \Rightarrow \sigma_2 x' = \sigma_2' x' \land$

(vi) $x \in \text{dom}(\tau) \Rightarrow \sigma_2' x \big|_{\text{Time} \in \tau} x \land$

(vii) $s' \not\in \text{dom}(\tau) \Rightarrow \varphi_2' s' 1 = \varphi_2' s' 1 \land$

(viii) $s \in \text{dom}(\tau) \Rightarrow \varphi_2' s \big|_{\text{Trm} \in \tau} s$

Since the timing behaviour for each branch is identical $\tau$, each timing effect has a unique timing delay for all variables and signals (due to the condition $\forall n : n \in \text{dom}(\tau) \land |\tau n| \leq 1$), and the states projected on to the timing delays are equivalent $\sigma_1 x \big|_{\text{Trm} = \tau} = \sigma_2 x \big|_{\text{Trm}}$, we can combine (i) and (v) to obtain

$$\forall x' : x' \not\in \text{dom}(\tau) \Rightarrow \sigma_1' x' \big|_{\text{Time} = \sigma_2} x' \big|_{\text{Time}}$$

and similarly (ii) and (vi) to obtain

$$\forall x : x \in \text{dom}(\tau) \Rightarrow \{\sigma_1' x \big|_{\text{Time}}\} = \tau x = \{\sigma_2' x \big|_{\text{Time}}\}$$
combining these we get

$$\forall x : \sigma'_1 \ x|_{\text{Time}} = \sigma'_2 \ x|_{\text{Time}}$$

In a similar way one can combine \((iii), (iv), (vii)\) and \((viii)\) to get

$$\forall s : \varphi'_1 \ s \mid_{\text{Time}} = \varphi'_2 \ s \mid_{\text{Time}}$$

Hence the case follows.

**Case Branch:** There are two subcases. One is where the semantics evaluates the statement as

$$t \cup t' \vdash \langle ss, \sigma_1, \varphi_1 \rangle \Rightarrow \langle ss'_1, \sigma'_1, \varphi'_1 \rangle$$

$$t \vdash ([t']ss, \sigma_1, \varphi_1) \Rightarrow \langle ss'_1, \sigma'_1, \varphi'_1 \rangle$$

and

$$t \cup t' \vdash \langle ss, \sigma_2, \varphi_2 \rangle \Rightarrow \langle ss'_2, \sigma'_2, \varphi'_2 \rangle$$

$$t \vdash ([t']ss, \sigma_2, \varphi_2) \Rightarrow \langle ss'_2, \sigma'_2, \varphi'_2 \rangle$$

The analysis gives

$$\frac{\Gamma, \delta \odot \{t'\} \vdash ss : \tau}{\Gamma, \delta \vdash [t']ss : \tau}$$

and the case follows from applying the induction hypothesis. In the other subcase the semantics evaluates the statement as

$$t \cup t' \vdash \langle ss, \sigma_1, \varphi_1 \rangle \Rightarrow \langle \text{final}, \sigma'_1, \varphi'_1 \rangle$$

$$t \vdash ([t']ss, \sigma_1, \varphi_1) \Rightarrow \langle \text{final}, \sigma'_1, \varphi'_1 \rangle$$

and

$$t \cup t' \vdash \langle ss, \sigma_2, \varphi_2 \rangle \Rightarrow \langle \text{final}, \sigma'_2, \varphi'_2 \rangle$$

$$t \vdash ([t']ss, \sigma_2, \varphi_2) \Rightarrow \langle \text{final}, \sigma'_2, \varphi'_2 \rangle$$

and again the analysis gives

$$\frac{\Gamma, \delta \odot \{t'\} \vdash ss : \tau}{\Gamma, \delta \vdash [t']ss : \tau}$$

now the case follows from applying the induction hypothesis. \(\square\)
We generalise the static security guarantee of the analysis of statements for executions of arbitrary length.

**Lemma 6.10** (Secure Statements) For every statement $ss$ that is evaluated by the semantics in the states $\sigma_1$ and $\varphi_1$ as $t \vdash \langle ss, \sigma_1, \varphi_1 \rangle \Rightarrow^* \langle \text{final}, \sigma'_1, \varphi'_1 \rangle$ and in the states $\sigma_2$ and $\varphi_2$ as $t \vdash \langle ss, \sigma_2, \varphi_2 \rangle \Rightarrow^* \langle \text{final}, \sigma'_2, \varphi'_2 \rangle$ we have

$$\Gamma, \delta \vdash ss : \tau \land t \in \delta \land$$

$$\sigma_1 x|\text{Time} = \sigma_2 x|\text{Time} \in \Gamma x \land \tag{6.10.1}$$

$$\varphi_1 s 0|\text{Time} = \varphi_2 s 0|\text{Time} \in \Gamma s \tag{6.10.2}$$

implies

$$\sigma'_1 x|\text{Time} = \sigma'_2 x|\text{Time} \land \tag{6.10.3}$$

$$\varphi'_1 s 1|\text{Time} = \varphi'_2 s 1|\text{Time} \tag{6.10.4}$$

**Proof.** The proof proceeds by induction on the length of the derivation sequence.

**Case Local Variable Assignment, Signal Assignment, Skip and Conditional** follow from Lemma 6.9.

**Case Composition:** From Lemma 6.6 we have for the first evaluation step for both semantical rules for composition that $\sigma'_1 x|\text{Time} = \sigma'_2 x|\text{Time} \in \Gamma x$. As the semantics for statements does not modify the present value of signals we have $\varphi'_1 s 0|\text{Time} = \varphi'_2 s 0|\text{Time} \in \Gamma s$. Both subcases follows from the induction hypothesis to the remaining part of the derivation sequence, which is obviously shorter.

**Case Branch:** There are two cases. The case where the semantics evaluated the statement in one step the case follows from Lemma 6.9. The case where the branch statement is not evaluated in one step the we have that $\sigma'_1 x|\text{Time} = \sigma'_2 x|\text{Time} \in \Gamma x$ from Lemma 6.6. As the semantics for statements does not modify the present value of signals we have $\varphi'_1 s 0|\text{Time} = \varphi'_2 s 0|\text{Time} \in \Gamma s$. The case follows from the induction hypothesis to the remaining part of the derivation sequence, which is obviously shorter. □

Finally, we show the main result for processes.

**Theorem 6.11** (Secure Process) For every concurrent statement $css$ where the semantics evaluates each process $i$ in the states $\sigma_{1i}$ and $\varphi_{1i}$ as $\parallel_{i \in I} \langle css_i, \sigma_{1i}, \varphi_{1i} \rangle$
6.4 Soundness

and because evaluating the configuration with the rule \( [\text{Active signals} (A)] \) gives

\[
\| \| \in I \langle css''_1, \sigma''_1, \varphi''_1 \rangle \implies A \| \| \in I \langle css''_2, \sigma''_2, \varphi''_2 \rangle
\]

implies

\[
css'_1 = css'_2, \quad \sigma''_1 x|_{\text{Time}} = \sigma''_2 x|_{\text{Time}} \in \Gamma \ x \ \land
\]

\[
\varphi''_1 s 0|_{\text{Time}} = \varphi''_2 s 0|_{\text{Time}} \in \Gamma \ s \ \land
\]

\[
\varphi''_1 s 1|_{\text{Time}} = \varphi''_2 s 1|_{\text{Time}} \land
\]

\[
\forall s : s \in L \Rightarrow \varphi_1 s 0 = \varphi_2 s 0
\]

Proof. We introduce a configuration on the evaluation sequences, such that

\[
\| \| \in I \langle css_1, \sigma_1, \varphi_1 \rangle \implies \| \| \in I \langle css''_1, \sigma''_1, \varphi''_1 \rangle \implies A \| \| \in I \langle css''_2, \sigma''_2, \varphi''_2 \rangle
\]

and

\[
\| \| \in I \langle css_1, \sigma_1, \varphi_1 \rangle \implies \| \| \in I \langle css''_1, \sigma''_1, \varphi''_1 \rangle \implies A \| \| \in I \langle css''_2, \sigma''_2, \varphi''_2 \rangle
\]

For the evaluation sequences \( \| \| \in I \langle css_1, \sigma_1, \varphi_1 \rangle \implies \| \| \in I \langle css''_1, \sigma''_1, \varphi''_1 \rangle \) and

\[
\| \| \in I \langle css_1, \sigma_1, \varphi_1 \rangle \implies \| \| \in I \langle css''_2, \sigma''_2, \varphi''_2 \rangle
\]

applying Lemma \[6.10\] give

\[
\sigma''_1 x|_{\text{Time}} = \sigma''_2 x|_{\text{Time}} \land \quad (6.10 \ 3)
\]

\[
\varphi''_1 s 1|_{\text{Time}} = \varphi''_2 s 1|_{\text{Time}} \land \quad (6.10 \ 4)
\]

furthermore it follows that \( css''_1 = css''_2 \). Now from Lemma \[6.6\] we have

\[
\sigma''_1 x|_{\text{Time}} = \Gamma \ x \ \land \ \varphi''_1 s 1|_{\text{Time}} = \Gamma \ s
\]

and because evaluating the configuration with the rule \([\text{Active signals} (A)]\) gives

\[
\| \| \in I i : \text{process} (clk) \begin{cases} ss_i; \end{cases} \text{ end process } i, \sigma_i, \varphi_i \implies \| \| \in I \langle ss'_i, \sigma_i, \varphi_i \rangle
\]

where

\[
\varphi_i s 0 = \begin{cases} f_s \{ (v, t^-) | U(\varphi, s) = (v, t) \land k \in I \} & \text{if } \exists j \in I. \ \varphi_j s 1 \text{ is defined} \\ (v, t^-) & \text{otherwise, } \varphi_i s 0 = (v, t) \end{cases}
\]

\[
\varphi_i s 1 = \text{undef}
\]

\[
ss'_i = ss_i ; i : \text{process} (clk) \begin{cases} ss_i; \end{cases} \text{ end process } i
\]
Now \( css'_1 = css'_2 \), \( \sigma'_1 x|_{Time} = \sigma'_2 x|_{Time} \in \Gamma x \) and \( \varphi'_1 s 1|_{Time} = \varphi'_2 s 1|_{Time} = \text{undef} \) follow directly from the rule. Finally, \( \varphi'_1 s 0|_{Time} = \varphi'_2 s 0|_{Time} \in \Gamma s \) follow from the two cases; first when \( \exists j \in I. \varphi_j s 1 \) is defined we have the result of the analysis \( \varphi'_1 s 1|_{Time} = \varphi'_2 s 1|_{Time} \in \Gamma s \), and since the rule modify the signal stores as \( \varphi'_i s 0 = f_s \{ \{ (v, t^-) \mid U(\varphi_k, s) = (v, t) \land k \in I \} \} \) we get the result for all active signals. The other case is when the signal is not active. From Lemma [6.7] we observe that if a signal is not active in one execution it will never be in any execution that can be typed with the same behaviour, \( \tau \). Hence no execution path will modify the signals timing delay, therefore it will be \( \emptyset \), and the case follows.

### 6.5 Analysing Advanced Encryption Standard

In this Section we briefly summarise the application of our prototype implementation of the analysis to verify the AES standard pipelined implementation [WBRF00]. The 128 bit version of the algorithm works on blocks of 128 bit, that are encrypted through 10 rounds. Each round consists of 4 stages that substitute, shift, mix and add a **round key** to the block, respectively. Decryption is done by reversing the order of the inverse stages in each round. The implementation considered performs either encryption or decryption depending on the value of the incoming signal \( \text{ALG}_\text{ENC} \). The implementation uses the concurrent statement

\[
\text{ALG}_\text{DATA}_\text{LAST} <= \text{POST}_\text{OUT}_\text{INT} \text{ when } \text{ALG}_\text{ENC} = '0' \text{ else } \text{FINAL}_\text{OUT};
\]

to transfer the result of either encryption or decryption from an internal signal to the final register before the outgoing signal is set. Observe that only one of the signals \( \text{POST}_\text{OUT}_\text{INT} \) and \( \text{FINAL}_\text{OUT} \) influences the signal \( \text{ALG}_\text{DATA}_\text{LAST} \), depending on the value of the signal \( \text{ALG}_\text{ENC} \). In the case of decryption the algorithm specifies that the key should be added to the final state. For encryption this is done before the first round instead. Figure [6.2] shows the flow of information from the process performing the last round in the AES algorithm to the \( \text{ALG}_\text{DATA}_\text{LAST} \) signal is set.

The implementation of the analysis starts by pre-processing VHDL programs to COREVHDL\(^{b}\). For the statement considered it is rewritten into a conditional using the rule presented in [Ash02]. It turns out that our analysis does not accept the program because the process \( \text{ARRAY}_\text{REG128} \) will spend one clock cycle to stabilise the signal for the adder \( \text{POST}_\text{ADD} \) that then add the final
key to the block. This difference might cause a timing leak, as it could leak the value of ALG\_ENC.

Observing the signal ALG\_ENC tells whether the system is performing encryption or decryption, and hence carry no secret information. Therefore to verify the implementation we added the signal to the threshold of our observer ($\mathcal{L} = \{\text{ALG\_ENC}\}$). This allow us to verify that the system is timing secure, as an observer can learn no additional information by observing the timing delays of the outcoming signals.

### 6.6 Discussion of practical issues

The presented semantics for COREVHDL extended with timing behaviours capture the delays introduced by execution paths found in the specification. Alternative execution paths have been illustrated to have the capability to result in timing channels, yet a couple of practical issues remain to be investigated. Hence in this section two practical issues that could result in timing channels are discussed. Observe that they have no impact on the analysis of the AES example, and thus our results for the example program remain valid.

---

**Figure 6.2: Process dependencies of part of AES**

---
6.6.1 Stabilising signals

The VHDL Standard [IEE01] specifies that all signals should carry stable values before the next synchronisation. Therefore for synchronous specifications it is safe to assume that all signals will have a stable value no later than the rising clock edge. But all signals are not assigned a value at exactly the time of the clock, rather all signals are assigned their value in the interval between two clock edges. In our model of systems an observer can measure this interval, and with specific knowledges about the layout at gate level the observer might use the stabilising time to differentiate between secret input values.

Example 6.2 For a VHDL specification the synthesiser tool will generate the electrical circuit. Consider the program

\[ d <= a \ or (b \ and c) \]

assume that \( d \) is an outgoing signal and that the synthesiser tool would generate a circuit corresponding to the gates illustrated in Figure 6.3(a). For the input \( [a = 1, b = 0, c = 1] \)

the circuit will stabilise its value at the time \( t_{or} \), since the or gate stabilises because of the value of \( a \), without waiting for the and gate to stabilise. However if the input was \( [a = 0, b = 1, c = 1] \)

then the value of \( d \) would not stabilise before the time of the or gate and the and gate (i.e. \( t_{or} + t_{and} \)). The times are illustrated in the graph in Figure 6.3(b), where the time \( t_{clock} \) is the clock the system synchronises on.

To handle this possible difference in stabilising speeds we transform the VHDL specification in such a manner that all secret outgoing signals go through a buffer. Technically this is done by rewriting the program so that all assignments to an outgoing signal are altered to assignment to our buffer signal. Then we introduce a process of the form
6.6 Discussion of practical issues

Figure 6.3: Stabilising times for a small circuit; (a) the considered circuit, (b) timing of signals changes

\[ \text{buf}_s : \text{process (clk)} \begin{array}{l} \text{begin} \ s <= s_{buf}; \ \\ \text{end process;} \end{array} \]

where \( s \) is the outgoing signal, \( s_{buf} \) is an internal signal specified within the block, and \( clk \) is the signal carrying the global clock. The buffer process will delay the signal one clock cycle, and then uniformly transfer the value from the memory cell to the outgoing wire.

While this buffering method handles the potential differences in time intervals of stabilising signals, it is not sufficient for eliminating timing channels completely. Timing channels caused by different paths through a program are considered in the following Section.

6.6.2 Shortest circuit evaluation

In this Section we introduce an alternative semantics for the logical operators \texttt{and} and \texttt{or}. This extension is based on the observation that when applying the operators, one side of the expression might be disregarded as the value of the other side might dominate the value of evaluating the expression. This observation has previously been exploited in e.g. short circuit evaluation of boolean expression in compilers [WM95].

The semantics are extended with a set of specialised rules that apply to the cases
where a shorter circuit is available instead of evaluating the whole expression.

\[ E[e_1 \text{ or } e_2] \langle \sigma, \varphi \rangle = \begin{cases} (\'1', t_1) & \text{where } E[e_1] \langle \sigma, \varphi \rangle = (\'1', t_1) \\ (\'1', t_2) & \text{where } E[e_2] \langle \sigma, \varphi \rangle = (\'1', t_2) \\ (v_1 \overline{\text{or}} v_2, t_1 \cup t_2) & \text{where } E[e_1] \langle \sigma, \varphi \rangle = (v_1, t_1) \text{ and } E[e_2] \langle \sigma, \varphi \rangle = (v_2, t_2) \end{cases} \]

\[ E[e_1 \text{ and } e_2] \langle \sigma, \varphi \rangle = \begin{cases} (\'0', t_1) & \text{where } E[e_1] \langle \sigma, \varphi \rangle = (\'0', t_1) \\ (\'0', t_2) & \text{where } E[e_2] \langle \sigma, \varphi \rangle = (\'0', t_2) \\ (v_1 \text{ and } v_2, t_1 \cup t_2) & \text{where } E[e_1] \langle \sigma, \varphi \rangle = (v_1, t_1) \text{ and } E[e_2] \langle \sigma, \varphi \rangle = (v_2, t_2) \end{cases} \]

The analysis can be modified to accommodate the alternative semantics. The rules for \texttt{and} and \texttt{or} can be modified as

\[
\Gamma \vdash e_1 : t_1 \quad \Gamma \vdash e_2 : t_2 \quad t_1 \triangleq t_2 \quad \Gamma \vdash e_1 : t_1 \quad \Gamma \vdash e_2 : t_2 \\
\Gamma \vdash e_1 \text{ and } e_2 : t_1 \cup t_2 \quad \Gamma \vdash e_1 \text{ or } e_2 : t_1 \cup t_2
\]

We introduce the binary operator \( \triangleq \) for comparing the types of two expression

\[ t_1 \triangleq t_2 \iff \{ (n, z_1) \mid \exists z_2 : (n, z_1) \in t_1 \land (n, z_2) \in t_2 \} = \{ (n', z_2) \mid \exists z_1 : (n', z_1) \in t_1 \land (n', z_2) \in t_2 \} \]

which is used to make sure that if the evaluation of an expression might depend on only part of the values manipulated, then the timing delay of each part is the same. As an example for the operators \texttt{and} and \texttt{or} the evaluation of the first operand might determine the value of the whole expression, thereby rendering the other operand without influence of the result and the timing delay of dependent signals. Notice that the evaluation of \texttt{xor} always need to evaluate both operands to determine the resulting value, therefore we don't need to restrict the operands timing delay.

### 6.7 Summary

A semantics for a synchronous synthesizable subset of VHDL has been presented, with a novel component for describing the timing delay of programs. It was argued that when considering specifications of hardware a new model for the absence of timing leaks is needed. This is needed because for hardware systems an outgoing signal has a value at all times, and an observer therefore might
observe modifications rather than termination or difference in execution time. A model was proposed and formalised with respect to the semantics.

To verify the absence of timing leaks in a specification of a system an automatic type based analysis have been presented. A novel point of the analysis is that it focuses on the problem of timing leaks. This allows us to argue the absence of timing channels in such systems as cryptographic algorithms, even when information flow analyses would not permit it. Furthermore the result of the analysis can be composed with the information flow analyses for COREVHDL to achieve a timing sensitive bisimulation-based confidentiality property. Finally the analysis was used it to verify the AES standard implementation.
Chapter 7

Conclusion

In the Kamigata area they have a sort of tiered lunchbox they use for a single day when flower viewing. Upon returning, they throw them away, trampling them underfoot. The end is important in all things. — Yamamoto Tsunetomo

In this thesis the semantical model of VHDL has been investigated and formalised. As a result we have been able to present formal security properties for VHDL programs that guarantee them to preserve the confidentiality of secret information by not allowing channels observable to different principals to interfere. In fact, the investigated security properties generalise noninterference, yet in a controlled fashion, allowing systems, through the execution of specified parts of the program, to dynamically release sensitive information. Our security properties are supported by static analyses, that allow for automatic verification of systems.

Previously the need for static mechanisms has been argued [Vol99], and the analyses proposed here fulfill the requirements stated in Chapter 1.

**Automatic:** The analyses are specified so that the process of validating a security policy for a given program is fully automated. Furthermore the prototype implementation of the analyses provide automated inference algorithms.
Correctness: The semantic correctness of the analyses, shown in Chapter 4 and 6, demonstrates how the analyses are tied to the semantics of VHDL and the security properties. The extensions presented in Chapter 5 are based on existing analysis approaches and hence the correctness is believed to be adaptable from the similar results presented in [NNH99].

Efficient: The analyses for verifying the flow of information are divided into several components, and the correctness results are stated such that the local dependencies are sufficient for verifying most systems. Hence the global dependency analysis is a means to trade in efficiency for precision.

Exhaustiveness: By their nature the analyses clearly provide an exhaustive approach to verifying programs, as we do not rely on the extraction of a model of the essential part of the program, program transformations, or similar abstractions. Instead the analyses are applied directly to the verification target.

Another main achievement is the verification of the reference implementation of the Advanced Encryption Standard. This allows us to conclude that the primary goal of this thesis, namely to accommodate the verification of hardware specifications, has been achieved. The prototype implementation has also been successful in analysing the systems provided by Maersk Data Defence. Although the full Common Criteria report considers aspects of the system that has not been discussed in this thesis, the objectives regarding the identification of information flow and covert channels stated in the Chapter 13.1 Objective: Covert Channel Analysis (AVA_{CCA}), have been achieved.

### 7.1 Final remarks

Throughout the thesis we have investigated the reference implementation of the Advanced Encryption Standard. Verifying a cryptographic algorithm in the information flow setting is not straightforward, and we have assumed that the irreversibility of the cipher text is indeed provided by the implementation. History-based Release has merely allowed us to guarantee that all rounds are applied, and that each round gradually lowers the confidentiality level of texts.

The correctness of the implementation has previously been argued by the developers in [WBRF00] and related publications. Their correctness result relies on mathematical observations and testing through a test-bench, following the Monte Carlo approach where the output is fed back into the program for the next round. This approach clearly does not provide an exhaustive correctness result.
Other approaches include the correctness guarantees of the algorithm in the information flow analysis. Laud [Lau03] presents an information flow analysis that considers the computations and by doing this can verify systems that protect the secrecy of the input with a given complexity of the reversibility of the outputs. Recently, Askarov et al. [AS05, AHS06] have investigated the information flow in systems where cryptographic functions are available. However the cryptographic functions are considered as black boxes that correctly implement the cryptographic algorithms and hence provide the necessary guarantees.

The issue of timing channels have been investigated by several researchers [VS99, Aga00, SS00, Sab01, KM05, KB06], yet the security properties proposed are all strong noninterference properties. In this thesis we have specialised the absence of timing leaks to deal with timing channels. Hence the property becomes orthogonal to the generalised noninterference properties that we might choose to use for verifying the flow of information through the system. This flexibility also allows us to specify that information is allowed to flow on a channel, yet not being observable by observations on the timing behaviour of this channel. This is of utmost importance when considering cryptographic systems, as timing channels have often been exploited in order to reduce the search space of secret key or plain text attacks.

The analyses presented throughout this thesis have been implemented using the Succinct Solver v. 1.0 [NNS02, NNS+04], which has made it possible to verify the AES implementation and the Maersk Data Defence program. The prototype implementation has shown very good running times on the discussed programs, taking only a few minutes. However, for the analysis of large-scale, complex systems Mantel [Man01, Man02] have argued in favour of compositional properties and analyses. In this thesis we have taken an approach that allows for a great deal of compositionality. First, the local dependencies are analysed at process level, without regard for the rest of the system. Second, the global dependencies are derived from the local dependencies and strengthened by the Reaching Definitions analysis. This means that during a development process where the system goes through several stages, the analysis result for each unmodified process can be reused when verifying the complete system.

Future investigations might consider the possibility of deciding the need for applying the Reaching Definitions analysis automatically, by a pre-analysis of the security policy. This would also allow for a fine-grained trade off between precision and efficiency, where necessary.
Bibliography


[BBN+03] Lorenzo Bettini, Viviana Bono, Rocco De Nicola, Gian Luigi Ferrari, Daniele Gorla, Michele Loreti, Eugenio Moggi, Rosario


[KM05] Boris Köpf and Heiko Mantel. Eliminating implicit information
leaks by transformational typing and unification. In Proc. Workshop
on Formal Aspects in Security and Trust, volume 3866 of Lecture
Notes in Computer Science, pages 47–62. Springer-Verlag, July
2005.

[Koc96] Paul C. Kocher. Timing attacks on implementations of Diffie-
Hellman, RSA, DSS, and other systems. In Proc. CRYPTO’96,
volume 1109 of Lecture Notes in Computer Science, pages 104–113.
Springer-Verlag, 1996.

[KT96] Richard A. Kemmerer and Tad Taylor. A modular covert chan-
nel analysis methodology for trusted dg/ux/sup tm/. In Proc.
IEEE Annual Computer Security Applications Conference, pages

Fault-based side-channel cryptanalysis tolerant rijndael symmetric


[Lau03] Peeter Laud. Handling encryption in an analysis for secure infor-
mation flow. In Proc. European Symposium on Programming, vol-
ume 2618 of Lecture Notes in Computer Science, pages 159–173.

[Man01] Heiko Mantel. Information flow control and applications - bridging
a gap. In FME, volume 2021 of Lecture Notes in Computer Science,


[MB05] Ana Almeida Matos and Gérard Boudol. On declassification and
the non-disclosure policy. In Proc. IEEE Computer Security Foun-
dations Workshop, pages 226–240. IEEE Computer Society Press,
June 2005.


[Thi03] Personal communication with Krishnaprasad Thirunarayan, August 2003.


