©2017ArmLimited

EngineeringandUseofLargeFormalSpecifications AlastairReid

ArmResearch

@alastair_d_reid

©2017ArmLimited�2

More Less

Data

Performance

MachineLearning

InternetofThings

SmartHomes

SelfDrivingCars

SocialMedia

Bugs

Crashes

Dataloss

Datacorruption

Dataleaks/theft

DDoSattacks

Cyber-Physicalattacks

©2017ArmLimited�3

BetterProgrammingLanguages

BetterSystemDesign

HardwareSecurity

Enforcement

AutomaticTest

Generation

FuzzTesting

ExploitDetection

BetterBug

Finding

FormalVerification

Legal/Regulatory

©2017ArmLimited�4

©2017ArmLimited�5

Specification

Specification Specification

Specification

Specification

©2017ArmLimited�6

What(formal)specificationsdoweneed?

Libraries:stdio.h,OpenGL,…

Languages:C,C++,ML,Javascript,Verilog,…

Network:TCP/IP,OAuth,DNS,TLS,WiFi,…

Filesystems:FAT32,NTFS,ext4,…

OSes:Posix/Linuxsystemcall,Linuxdevicedriver,KVM,UEFI,…

Hardware:CPU,PCIe,AMBA,NIC,…

©2017ArmLimited�7

Criticalpropertiesofspecifications

Scope-Completeness

-Notabstractingoutcriticaldetail

Applicability-Versionagnostic

-Vendoragnostic

Trustworthiness

©2017ArmLimited�8

OvercomingtheSpecificationBottleneck

CreatingformalspecificationsTestingspecificationsGettingbuyinUsingspecificationsFormalvalidationofspecificationsMakingyourspecificationspublic

“TrustworthySpecificationsoftheARMv8-Aandv8-Marchitecture,”FMCAD2016“EndtoEndVerificationofARMprocessorswithISAFormal,”CAV2016“Whoguardstheguards?FormalValidationofARMv8-MSpecifications,”OOPSLA2017“ISASemanticsforARMv8-A,,RISC-V,andCHERI-MIPS,”POPL2019

https://alastairreid.github.io/papers/

©2017ArmLimited�9

Creating formal specificationsTesting specificationsGetting buy in

“Trustworthy Specifications of the ARM v8-A and v8-M architecture,” FMCAD 2016

©2017ArmLimited�10

CreatingSpecifications

©2017ArmLimited�10

CreatingSpecifications

©2017ArmLimited�10

CreatingSpecifications

©2017ArmLimited�10

CreatingSpecifications

©2017ArmLimited�10

CreatingSpecifications

©2017ArmLimited�10

CreatingSpecifications

©2017ArmLimited�11

Pseudocode

©2017ArmLimited�12

ARMPseudocode

~40,000lines

-32-bitand64-bitmodes

-All4encodings:Thumb16,Thumb32,ARM32,ARM64

-Allinstructions(>1300encodings)

-All4privilegelevels(User,Supervisor,Hypervisor,SecureMonitor)

-BothSecuritymodes(Secure/NonSecure)

-MMU,Exceptions,Interrupts,Privilegechecks,Debug,TrustZone,…

©2017ArmLimited�13

Statusatthestart

- Nolanguagespec- Notools(parser,typechecker)- Incomplete(around15%missing)- Unexecuted,untested- Seniorarchitectsbelievedthatanexecutablespecwas

- Impossible- Notuseful- Lessreadable- Lesscorrect

©2017ArmLimited�14

ArchitecturalConformanceSuite

Processorarchitecturalcompliancesign-off

Large• v8-A32,000testprograms,billionsofinstructions• v8-M3,500testprograms,>250millioninstructions

Thorough• Testsdarkcornersofspecification

Hardtorun• Requiresadditionaltestinginfrastructure

©2017ArmLimited�15 ©2017ArmLimited

ProgressintestingArmspecification

- Doesnotparse,doesnottypecheck

- Can’tgetoutofreset

- Can’texecutefirstinstruction

- Can’texecutefirst100instructions

- …

- Passes90%oftests

- Passes99%oftests

- …

0

50

100

©2017ArmLimited�16

Measuringarchitecturecoverageoftests

Untested: op1*op2 == -3.0, FPCR.RND=-Inf

©2017ArmLimited�17

Creating a Virtuous Cycle

ARMSpec

©2017ArmLimited�18

Lessonslearnedaboutengineeringaspecification

Specificationscontainbugs

Hugevalueinbeingabletorunexistingtestsuites

-Needtobalanceagainstbenefitsofnon-executablespecs

Findwaystoprovidedirectbenefittootherusersofspec

-Theywilldosomeofthetesting/debuggingforyou

-Theywillsupportgettingyourchanges/specadoptedasmasterspec

-CreatesVirtuousCycle

©2017ArmLimited�19

Using Specifications

“End to End Verification of ARM processors with ISA Formal,” CAV 2016

©2017ArmLimited�20

VerificationofImplementations- BoundedModelChecking- Testing(GoldenReference)- DeductiveReasoning

VerificationofClients- FormallyverifyingOScode/etc.- VerifyingCompilers/Linkers

Generation- Testsuites(Concolic)- Simulators- PeepholeOptimisations- BinaryTranslators

Documentation- GeneratePDF/HTML- Interactivespecifications

SpecificationExtension- Testing/Exploration

StaticAnalysis- Abstractinterpretationofbinaries- Decompilationofbinaries- Reverseengineeringtools

InstrumentedExecution- MeasureCoverage- DrivingFuzzTesting

©2017ArmLimited�21

FormallyvalidatingARMprocessors-usinganexistingtool

ARM Specification

ARM Processor

TranslatetoVerilog

VerilogModelChecker

©2017ArmLimited�22

Checkinganinstrucpon

ADD

©2017ArmLimited�22

Checkinganinstrucpon

ADDCMP LDR STR BNE

Context

©2017ArmLimited�23

LessonsLearnedfromvalidatingprocessors

Veryeffectivewaytofindbugsinimplementations

Formallyvalidatingimplementationiseffectiveatfindingbugsinspec

-Trytofindmostofthebugsinyourspecbeforeyoustart

Hugevalueinbeingabletousespectovalidateimplementations

-Helpsgetformalspecificationadoptedaspartofofficialspec

Spec

©2017ArmLimited�24

Formal Validation of Specifications

“Who guards the guards? Formal Validation of ARM v8-M Specifications” OOPSLA 2017

©2017ArmLimited�25

OneSpecificationtorulethemall?

ArchitectureSpec

ComplianceTests

Processors

ReferenceSimulator

©2017ArmLimited�26

Rule JRJC Exit from lockup is by any of the following: • A Cold reset. • A Warm reset. • Entry to Debug state. • Preemption by a higher priority processor exception.

©2017ArmLimited�26

Rule JRJC Exit from lockup is by any of the following: • A Cold reset. • A Warm reset. • Entry to Debug state. • Preemption by a higher priority processor exception.

StateChangeXEventAEventB

StateChangeCEventD

R

©2017ArmLimited�26

Rule JRJC Exit from lockup is by any of the following: • A Cold reset. • A Warm reset. • Entry to Debug state. • Preemption by a higher priority processor exception.

StateChangeXEventAEventB

StateChangeCEventD

R

RuleR:X→A∨B∨C∨D

©2017ArmLimited�27

StateChange Exit from lockup Fell(LockedUp)

Event A Cold reset Called(TakeColdReset)

Event A Warm reset Called(TakeReset)

StateChange Entry to Debug state Rose(Halted)

Event Preemption by a higher priority processor exception

Called(ExceptionEntry)

©2017ArmLimited�28

“EyeballCloseness”Rule JRJC

Exit from lockup is by any of the following: • A Cold reset. • A Warm reset. • Entry to Debug state. • Preemption by a higher priority processor exception.

Fell(LockedUp)→Called(TakeColdReset)∨Called(TakeReset)∨Rose(Halted)∨Called(ExceptionEntry)

©2017ArmLimited�29

Rule VGNW Entry to lockup from an exception causes • Any Fault Status Registers associated with the exception

to be updated. • No update to the exception state, pending or active. • The PC to be set to 0xEFFFFFFE. • EPSR.IT to become UNKNOWN.

In addition, HFSR.FORCED is not set to 1.

OutofdateMisleading

AmbiguousUntestable

©2017ArmLimited�30

Counterexample

v8-M Spec

Rules

Convert Z3SMTSolver

+

~10,000lines ~1,000,000lines

©2017ArmLimited�31

LessonsLearnedfromvalidatingspecifications

Redundancyessentialfordetectingerrors

-Detectedsubtlebugsinsecurity,exceptions,debug,…

-FoundbugsinEnglishprose

Needsetof‘orthogonal’properties

-Invariants,Securityproperties,Reachabilityproperties,etc.

Eyeballcloseness

Neededtotranslatespecificationtoanotherlanguagetoletususeothertools

©2017ArmLimited�32

Making your specificationpublic

©2017ArmLimited�33

PublicreleaseofmachinereadableArmspecification

Enableformalverificaponofsotwareandtools

Machinereadable

Releases:

v8.2(4/2017)

v8.3(10/2017)

v8.4(6/2018)

v8.5(9/2018)hups://developer.arm.com/products/architecture/a-profile/explorapon-toolshups://github.com/alastairreid/mra_toolshups://github.com/herd/herdtools7/blob/master/herd/libdir/aarch64.cat

©2017ArmLimited�34

CambridgeUniversitySpecs/Tools

From“ISASemanticsforARMv8-A,,RISC-V,andCHERI-MIPS,”POPL2019UsedwithpermissionofREMSGroup,CambridgeUniversity

©2017ArmLimited�34

CambridgeUniversitySpecs/Tools

From“ISASemanticsforARMv8-A,,RISC-V,andCHERI-MIPS,”POPL2019UsedwithpermissionofREMSGroup,CambridgeUniversity

x86(ACL2)

Missing?

©2017ArmLimited�34

CambridgeUniversitySpecs/Tools

From“ISASemanticsforARMv8-A,,RISC-V,andCHERI-MIPS,”POPL2019UsedwithpermissionofREMSGroup,CambridgeUniversity

x86(ACL2)

Missing?

ACL2

Missing?

©2017ArmLimited�35

Work in Progress:Security of Architecture Specifications

©2017ArmLimited�36

Validatingsecurityofprocessorarchitectures

Scope

-Hardware-basedSecurityEnforcement(HSE)Mechanisms

-Confidentiality,Integrity,Availability

Challenges

-CompositionalAttacks

-CyclicdependenciesbetweenHSEs

-Microarchitecturalstorage/timingchannels

©2017ArmLimited�37

TheSpecificationBottleneck:ModellingRealWorldArtifacts

-Trustworthiness,ScopeandApplicability

-SignificantEngineeringEffort

-Importanceofsharingspecificationsacrossmanyusers

Spec

©2017ArmLimited�38

Thanks

Alasdair Armstrong (Cambridge U.)Alex Chadwick (ARM)Ali Zaidi (ARM)Anastasios Deligiannis (ARM)Anthony Fox (Cambridge U.)Ashan Pathirane (ARM)Belaji Venu (ARM)Bradley Smith (ARM)Brian Foley (ARM)Curtis Dunham (ARM)David Gilday (ARM)David Hoyes (ARM)David Seal (ARM)Daniel Bailey (ARM)Erin Shepherd (ARM)Francois Botman (ARM)

George Hawes (ARM)Graeme Barnes (ARM)Isobel Hooper (ARM)Jack Andrews (ARM)Jacob Eapen (ARM)Jon French (Cambridge U.)Kathy Gray (Cambridge U.)Krassy Gochev (ARM)Lewis Russell (ARM)Matthew Leach (ARM)Meenu Gupta (ARM)Michele Riga (ARM)Milosch Meriac (ARM)Nigel Stephens (ARM)Niyas Sait (ARM)Peng Wang (ARM)

Peter Sewell (Cambridge U.)Peter Vrabel (ARM)Richard Grisenthwaite (ARM)Rick Chen (ARM)Simon Bellew (ARM)Thomas Grocutt (ARM)Will Deacon (ARM)Will Keen (ARM)Wojciech Meyer (ARM)(and others)

ThankYou!Danke!Merci!谢谢!ありがとう!Gracias!Kiitos!

©2017ArmLimited�39

@alastair_d_reid

“TrustworthySpecificationsoftheARMv8-Aandv8-Marchitecture,”FMCAD2016“EndtoEndVerificationofARMprocessorswithISAFormal,”CAV2016“Whoguardstheguards?FormalValidationofARMv8-MSpecifications,”OOPSLA2017“ISASemanticsforARMv8-A,,RISC-V,andCHERI-MIPS,”POPL2019

https://alastairreid.github.io/papers/