©2017ArmLimited

HowCanYouTrustFormallyVerified

Software?AlastairReid

ArmResearch@alastair_d_reid

©2017ArmLimited2

Bufferover-readvulnerabilities

Logicerrorvulnerabil

ities

Bufferover-readvulnerabilitiesNullpointerdereference

Useafterfree

Bufferoverflowvulnerabilities

©2017ArmLimited3

Formalverification

Oflibrariesandapps Ofcompilers Ofoperatingsystems

©2017ArmLimited4

FormallyVerifiedSoftware

VerificationTool

FormalSpecifications

ShimCode

Fonsecaetal.,AnEmpiricalStudyontheCorrectnessofFormallyVerifiedDistributedSystems,Eurosys‘17

©2017ArmLimited5

Takeaway#1:3keyquestionstoask

1. Whatspecificationsdoesyourproofrelyon?

2. Whydoyoutrustthosespecifications?

3. Doesanybodyelseusethesespecifications?

©2017ArmLimited6

Takeaway#2:Specificationsmusthavemultipleuses

©2017ArmLimited7

Takeaway#2:Specificationsmusthavemultipleuses

©2017ArmLimited8

Howcanyoutrustformallyverifiedsoftware?

Howcanyoutrustformallyverifiedsoftware?

SpecificationsarepartoftheTCB

3keyquestions

Specificationsmusthavemultipleusers

Howcanyoutrustformalspecifications?

Testingspecifications

Verifyingprocessors

Verifyingspecifications

Howcanyoutrustformallyverifiedsoftware?

©2017ArmLimited9

ArmArchitectureReferenceManual(ARMARM)

32-bit/64-bitInstructionsExceptions/InterruptsPrivilege/SecurityVirtualMemorySystemregistersDebug/Trace

Profiling…

Pages

0

1600

3200

4800

6400

1996 2007 2018

©2017ArmLimited10

Englishprose

©2017ArmLimited11

Pseudocode

©2017ArmLimited12

ArmArchitectureSpecificationLanguage(ASL)

Indentation-basedsyntax

Imperative

First-order

Stronglytyped(typeinference,polymorphism,dependenttypes)

Bit-vectors

Unboundedintegers

Infiniteprecisionreals

Arrays,Records,Enumerations

Exceptions

©2017ArmLimited13

Interpreter

CBackend

ASLSpecLexerParser

Typechecker

©2017ArmLimited14

ArchitecturalConformanceSuite

Processorarchitecturalcompliancesign-off

Large• v8-A11,000testprograms,>2billioninstructions

• v8-M3,500testprograms,>250millioninstructions

Thorough• Testsdarkcornersofspecification

©2017ArmLimited15

TesdngPassRate

0

25

50

75

100

ISA Supervisor Hypervisor/Security

(ArdstsImpression)

Time

15

©2017ArmLimited16

v8-A

0%

25%

50%

75%

100%

16

©2017ArmLimited17

Measuringarchitecturecoverageoftests

Untested: op1*op2 == -3.0, FPCR.RND=-Inf

©2017ArmLimited18

©2017ArmLimited

Formalverificationofprocessors

“EndtoEndVerificationofARMprocessorswithISAFormal,”CAV2016

ARMResearch

Checkinganinstrucdon

20

ADDCMPLDR STRBNE

Context

©2017ArmLimited21

Memory

R0-

R15DecodeFetch

EX MEM WBIF ID

R0-

R15

πpre

πpost

Pre Post_spec

Post_cpu

Spec ==?

ARMResearch 22

CombinationalVerilog

ASL to Verilog

ArchitectureSpecification

SpecializeMonomorphize

ConstantPropagationWidthAnalysis

ExceptionHandling…

©2017ArmLimited23

ArmCPUsverifiedwithISA-Formal

A-class

Cortex-A53Cortex-A32Cortex-A35Cortex-A55Nextgeneration

R-class

Cortex-R52Nextgeneration

M-class

Cortex-M4Cortex-M7Cortex-M33Nextgeneration

CambridgeProjects

Rollingoutgloballytootherdesigncentres

Sophia,France-Cortex-A75(partial)Austin,USA-TBAChandler,USA-TBA

©2017ArmLimited24

©2017ArmLimited

Formalvalidationofspecifications

“Whoguardstheguards?FormalValidationofARMv8-MSpecifications”OOPSLA2017

©2017ArmLimited26

Suppose…

Lastyear:auditedallaccessestoprivilegedregisters

• Specification:Addedmissingprivilegechecks

• Testsuite:Addednewteststotesteveryprivilegecheck

• Formaltestbench:Verifyeverycheck

Thisyear:addnewinstructionbutaccidentallyomitprivilegecheck

Howmanytestsinthetestsuitewillfailonnewspecification?

©2017ArmLimited27

Canweformallyverifyspecification?

SpecificationofthespecificationDisallowedbehaviour

Invariants

Cross-cuttingproperties

ToolsthatcanprovepropertiesofASLspecifications

©2017ArmLimited

State

OutputInput

State

28

ExceptionEntry

TakeReset

©2017ArmLimited29

rule lockup_exit

assume Fell(LockedUp);

Called(TakeColdReset)

∨ Called(TakeReset)

∨ Rose(InDebugState())

∨ Called(ExceptionEntry);

©2017ArmLimited30

ConvertingASLtoSMT

FunctionsLocalVariablesStatements

AssignmentsIf-statements

ExceptionsArithmeticoperationsBooleanoperationsBitVectorsArrays

FunctionsLocalVariablesStatements

AssignmentsIf-statements

ExceptionsArithmeticoperationsBooleanoperationsBitVectorsArrays

©2017ArmLimited

BuginSpec

12BugsFoundsofar

31

FormallyValidatingSpecifications

v8-M Spec

Verification

CEX

Property Proof

©2017ArmLimited

rulelockupentryassumeRose(LockedUp);assume¬Called(TakeReset);

propertyaHaveMainExt()⇒CFSR!=0;propertyb1Stable(ExnPending);propertyb2Stable(ExnActive);propertycPC==0xEFFFFFFE;propertyeHFSR.FORCED==0;

32

Debug view of

is not changed.

Stable(HFSR.FORCED);

©2017ArmLimited33

©2017ArmLimited34

PublicreleaseofmachinereadableArmspecification

Enableformalverificadonofsomwareandtools

Releases

April2017:v8.2

July2017:v8.3

WorkingwithCambridgeUniversityREMSgrouptoconverttoSAIL

BackendsforHOL,OCaml,Memorymodel,(Coqjuststarted)

Tools:hpps://github.com/alastairreid/mra_tools

TalktomeabouthowIcanhelpyouuseit

©2017ArmLimited

Howcanyoutrustformallyverifiedsoftware?

©2017ArmLimited36

Howcanyoutrustformalspecifications?

Testthespecificationsyoudependon

Ensurespecificationshavemultipleuses

Createmeta-specifications

https://xkcd.com/1416/

ThankYou!Danke!Merci!谢谢!ありがとう!Gracias!Kiitos!

©2017ArmLimited37

@alastair_d_reid

“TrustworthySpecificationsoftheARMv8-Aandv8-Marchitecture,”FMCAD2016

“Whoguardstheguards?FormalValidationofARMv8-MSpecifications”OOPSLA2017“EndtoEndVerificationofARMprocessorswithISAFormal,”CAV2016