
Putting it all together — Formal Verification of the VAMP

Abstract

In the VAMP (verified architecture microprocessor) project we have designed, functionally verified, and synthesized a processor with full DLX instruction set, delayed branch, Tomasulo scheduler, maskable nested precise interrupts, pipelined fully IEEE compatible dual precision floating point unit with variable latency, and separate instruction and data caches. The verification has been carried out in the theorem proving system PVS. The processor has been implemented on a Xilinx FPGA.
... This problem has received considerable attention lately. There are whitebox approaches such as the formal verification that a processor model matches a hardware design [10,18]. These approaches differ from ours in that they try to give a formal guarantee that a processor model is a valid abstraction of the actual hardware, and to achieve that they require the hardware to be accessible as a white box. ...
Chapter
Observational models make tractable the analysis of information flow properties by providing an abstraction of side channels. We introduce a methodology and a tool, Scam-V, to validate observational models for modern computer architectures. We combine symbolic execution, relational analysis, and different program generation techniques to generate experiments and validate the models. An experiment consists of a randomly generated program together with two inputs that are observationally equivalent according to the model under the test. Validation is done by checking indistinguishability of the two inputs on real hardware by executing the program and analyzing the side channel. We have evaluated our framework by validating models that abstract the data-cache side channel of a Raspberry Pi 3 board with a processor implementing the ARMv8-A architecture. Our results show that Scam-V can identify bugs in the implementation of the models and generate test programs which invalidate the models due to hidden microarchitectural behavior.
... It is also effective in establishing whole-system correctness across layers. Two notable examples are Verisoft [1], which provides formal guarantees for a microkernel from source code down to hardware at the gate level [9]; and Bedrock [24], which verifies web applications for robots down to the assembly level. ...
Conference Paper
This paper presents Serval, a framework for developing automated verifiers for systems software. Serval provides an extensible infrastructure for creating verifiers by lifting interpreters under symbolic evaluation, and a systematic approach to identifying and repairing verification performance bottlenecks using symbolic profiling and optimizations. Using Serval, we build automated verifiers for the RISC-V, x86-32, LLVM, and BPF instruction sets. We report our experience of retrofitting CertiKOS and Komodo, two systems previously verified using Coq and Dafny, respectively, for automated verification using Serval, and discuss trade-offs of different verification methodologies. In addition, we apply Serval to the Keystone security monitor and the BPF compilers in the Linux kernel, and uncover 18 new bugs through verification, all confirmed and fixed by developers.
Chapter
Modern computing platforms are inherently complex and diverse: a heterogeneous collection of cores, interconnects, programmable memory translation units, and devices means that there is no single physical address space, and each core or DMA device may see other devices at different physical addresses. This is a problem because correct operation of system software relies on correct configuration of these interconnects, and current operating systems (and associated formal specifications) make assumptions about global physical addresses which do not hold. We present a formal model in Isabelle/HOL to express this complex addressing hardware that captures the intricacies of different real platforms or Systems-on-Chip (SoCs), and demonstrate its expressivity by showing, as an example, the impossibility of correctly configuring a MIPS R4600 TLB as specified in its documentation. Such a model not only facilitates proofs about hardware, but is used to generate correct code at compile time and device configuration at runtime in the Barrelfish research OS.
Chapter
The microprocessors used in embedded systems are becoming steadily more complex and thus prevent the construction of verifiably secure systems. A remedy is a microprocessor architecture that, in keeping with the design goal of simplicity and clarity, dispenses with superfluous complexity. For the purpose of consensual analysis and verification, the complete design is publicly accessible. Because of the continual shrinking of their feature sizes, integrated circuits are becoming ever more sensitive to environmental influences such as radiation, which manifests itself in a rising probability of control-flow and data-flow errors. Instead of following the trend toward error detection through ever more complex software, novel processor architectures with hardware-based error detection features are presented here. These allow simple and reliable detection of control-flow and data-flow errors as they occur and are clearly superior to previous approaches.
This book constitutes the proceedings of the 19th International Conference on Formal Methods for Industrial Critical Systems, FMICS 2014, held in Florence, Italy, in September 2014. The 13 papers presented in this volume were carefully reviewed and selected from 26 submissions. They are organized in topical sections named: cyber-physical systems; computer networks; railway control systems; verification methods; and hardware and software testing.
Conference Paper
One obstacle to mathematical verification of industrial hardware designs is that the commercial hardware description languages in which they are usually encoded are too complicated and poorly specified to be readily susceptible to formal analysis. As an alternative to these commercial languages, AMD has developed an RTL language for microprocessor designs that is simple enough to admit a clear semantic definition, providing a basis for formal verification. We describe a mechanical proof system for designs represented in this language, consisting of a translator to the ACL2 logical programming language and a methodology for verifying properties of the resulting programs using the ACL2 prover. As an illustration, we present a proof of IEEE compliance of the floating-point adder of the AMD Athlon processor.
Conference Paper
We describe a framework for verifying a pipelined microprocessor whose implementation contains precise exceptions, external interrupts, and speculative execution. We present our correctness criterion, which compares the state transitions of pipelined and non-pipelined machines in the presence of external interrupts. To perform the verification, we created a table-based model of pipeline execution. This model records committed and in-flight instructions as performed by the microarchitecture. Given that certain requirements are met by this table-based model, we have mechanically verified our correctness criterion using the ACL2 theorem prover.
Article
Refinement of a directory-based cache coherence protocol specification to a pipelined hardware implementation is described. The hardware that is analyzed is the most complex part of a 1M-gate ASIC. The design consists of 30,000 lines of synthesizable register transfer-level Verilog code, amounting to approximately 200,000 gates. The design contains a pipeline that is 5 levels deep and approximately 150 bits wide. It has a 16-entry, 150-bit-wide content addressable memory (CAM), and includes a 256 × 72 bit RAM. Refinement maps relate the behavior of the high-level protocol model to the hardware implementation. The Cadence Berkeley Labs SMV model checker was used to create the maps and to prove their correctness. There are approximately 1500 proof obligations. The formal model has been used for three tasks. First, to formally diagnose, and then fix, broken features in a legacy version of the design. Second, to integrate the legacy sub-system design with a new system design. Finally, it has been used to formally design additional sub-system features required for the new system design. The same hardware designer enhanced the design, created the refinement maps, and formally proved the correctness of the refinements.