© 2017 Arm Limited
Specifications: The Next Verification Bottleneck
Alastair Reid
Arm Research
@alastair_d_reid
Overview
1. What specifications do we need?
2. ARM's formal processor specifications
3. Three steps I took to create good specifications
ARM
Designs processors, designs architecture, licenses architecture
16B processors/year
(also GPUs, IoT, …)
Security Research Group
- Develop and analyse security extensions
- Create framework for verifying products
- We are hiring: full time, research internships
Software/hardware stack (figure): Applications, Libraries, Runtimes, Secure Services, C Compiler/Linker, MicroKernel, HAL, Architecture, MicroArchitecture, RTLD
Specifications we need
- Linux syscalls, C stdlib
- ISO C, Gcc/LLVM extensions, Inline assembly, ELF/linker script, Weak memory model
- Processor page tables, Interrupt handler, Device driver API, Filesystem format
- TCP/IP, UDP, …, TLS, NTP, DNS, NFS, …, WiFi, Bluetooth, Zigbee, …, USB, SD card, …
- X11/Gtk+/…, Javascript, CSS, SVG, …, PHP, …
Trusted Computing Base (!= Trustworthy Computing Base)
"a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security"
— Lampson
"the totality of protection mechanisms within it, including hardware, firmware, and software, the combination of which is responsible for enforcing a computer security policy"
— Orange Book (US DoD)
Specifications for real world software/hardware
- Unavoidable
- Multiple implementations
- Multiple versions of each implementation
- Spec must include all quirks of recent versions of major implementations to be useful
- Existing specification = English + Tables + Pseudocode
- Existing community may not value formal spec at first
Creating trustworthy specifications
"Trustworthy Specifications of the ARM v8-A and v8-M architecture," FMCAD 2016
The state of most processor specifications
- Large (1000s of pages)
- Broad (10+ years of implementations, multiple manufacturers)
- Complex (exceptions, weak memory, …)
- Informal (mostly English prose)
We are all just learning how to (retrospectively) formalize specifications
Arm Processor Specifications
A-class (phones, tablets, servers, …): 6,000 pages; 40,000 line formal specification
  Instructions (32/64-bit), Exceptions/Interrupts, Memory protection, Page tables, Multiple privilege levels, System control registers, Debug/trace
M-class (microcontrollers, IoT): 1,200 pages; 15,000 line formal specification
  Instructions (32-bit), Exceptions/Interrupts, Memory protection, Page tables, Multiple privilege levels, System control registers, Debug/trace
English prose
Pseudocode
System Architecture Specification
Arm Architecture Specification Language (ASL)
- Indentation-based syntax
- Imperative
- First-order
- Strongly typed (type inference, polymorphism, dependent types)
- Bit-vectors
- Unbounded integers
- Infinite precision reals
- Arrays, Records, Enumerations
- Exceptions
ARM Spec (lines of code)
                          v8-A     v8-M
Instructions
  Int/FP/SIMD           26,000    6,000
Exceptions               4,000    3,000
Memory                   3,000    1,000
Debug                    3,000    1,000
Misc                     5,500    2,000
(Test support)           1,500    2,000
Total                   43,000   15,000
System Register Spec
                          v8-A     v8-M
Registers                  586      186
Fields                    3951      622
  Constant                 985      177
  Reserved                 940      208
  Impl. Defined             70       10
  Passive                 1888      165
  Active                    68       62
Operations                 112       10
Trustworthiness
ARM's specification is correct by definition
Does the specification match the behaviour of all ARM processors?
Tool flow (figure): ASL Spec → Lexer → Parser → Typechecker → Interpreter, C Backend
Architectural Conformance Suite
Processor architectural compliance sign-off
Large
• v8-A: 11,000 test programs, >2 billion instructions
• v8-M: 3,500 test programs, >250 million instructions
Thorough
• Tests dark corners of specification
Progress in testing Arm specification (chart: percentage of tests passed, 0 to 100)
- Does not parse, does not typecheck
- Can't get out of reset
- Can't execute first instruction
- Can't execute first 100 instructions
- …
- Passes 90% of tests
- Passes 99% of tests
- …
Measuring architecture coverage of tests
Untested: op1*op2 == -3.0, FPCR.RND=-Inf
Creating a Virtuous Cycle (figure): the ARM Spec at the centre, connected to Fuzzing Firmware, ARM Conformance Test Suite, Processor Verification, Boot OS, Information Flow Analysis, Random Instruction Sequences, Testcase Generation, Specification Verification
Formal validation of processors
"End to End Verification of ARM processors with ISA Formal," CAV 2016
Checking an instruction
ADD, in context: ADD CMP LDR STR BNE
Pipeline (figure): Memory; registers R0-R15; stages IF (Fetch), ID (Decode), EX, MEM, WB; registers R0-R15. The architectural state before the instruction is π_pre and after it is π_post.
Pre → Spec → Post_spec
Pre → CPU → Post_cpu
Post_spec ==? Post_cpu
Errors ISA-Formal can catch
• Errors in decode
• Errors in data path
• Errors in forwarding logic
• Errors in register renaming
• Errors in exception handling
• Errors in speculative execution
(Checked both with no context and with context)
Specifying ADD
    assign ADD_retiring = (pre.opcode & 16'b1111_1110_0000_0000) == 16'b0001_1000_0000_0000;
    assign ADD_result = pre.R[pre.opcode[8:6]] + pre.R[pre.opcode[5:3]];
    assign ADD_Rd = pre.opcode[2:0];
    assert property (@(posedge clk) disable iff (~reset_n)
        ADD_retiring |-> (ADD_result == post.R[ADD_Rd]));
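The following is an added example, not code from the slides or from Arm's ISA-Formal flow. It re-expresses the "Specifying ADD" property in Python so it can be run: a specification model and a toy pipelined CPU model start from the same pre-state, and after the CPU retires an ADD the property from the slide (`ADD_retiring |-> (ADD_result == post.R[ADD_Rd])`) is checked against the spec. The mask, pattern and field positions are those on the slide (16-bit Thumb ADD Rd, Rn, Rm, with Rm = opcode[8:6], Rn = opcode[5:3], Rd = opcode[2:0]); the `ToyCPU` class, its optional forwarding bug, `check_add_property`, `random_sweep` and the sample programs are constructed for this example.

```python
# Added example (not from the slides or Arm's ISA-Formal): the "Specifying ADD"
# property run in Python. ToyCPU, its forwarding bug and the sample programs are
# constructed here; MASK, PATTERN and the field positions come from the slide.
import random

MASK = 0b1111_1110_0000_0000     # 16'b1111_1110_0000_0000 from the slide
PATTERN = 0b0001_1000_0000_0000  # 16'b0001_1000_0000_0000 from the slide
MASK32 = 0xFFFF_FFFF


def add_retiring(opcode: int) -> bool:
    """Decode: is this 16-bit opcode an ADD (register) instruction?"""
    return (opcode & MASK) == PATTERN


def encode_add(rd: int, rn: int, rm: int) -> int:
    """Inverse of the decode above, used to build test programs."""
    return PATTERN | (rm << 6) | (rn << 3) | rd


def spec_add(pre_regs: list, opcode: int) -> list:
    """Architectural semantics: post.R[Rd] = pre.R[Rn] + pre.R[Rm] (mod 2^32)."""
    rm, rn, rd = (opcode >> 6) & 7, (opcode >> 3) & 7, opcode & 7
    post = list(pre_regs)
    post[rd] = (pre_regs[rn] + pre_regs[rm]) & MASK32
    return post


class ToyCPU:
    """Constructed in-order pipeline model with 8 registers. With
    forwarding_bug=True an operand written by the immediately preceding
    instruction is read before that write lands (a broken bypass path),
    the kind of "error in forwarding logic" listed on the slides."""

    def __init__(self, regs: list, forwarding_bug: bool = False):
        self.R = list(regs)
        self.bug = forwarding_bug
        self.last_rd = None   # destination of the previous instruction
        self.stale = None     # value that register held before that write

    def step(self, opcode: int):
        """Retire one instruction; return (pre_regs, post_regs) snapshots."""
        pre = list(self.R)
        if add_retiring(opcode):
            rm, rn, rd = (opcode >> 6) & 7, (opcode >> 3) & 7, opcode & 7

            def read(r):
                if self.bug and r == self.last_rd:
                    return self.stale          # missed bypass: stale operand
                return self.R[r]

            result = (read(rn) + read(rm)) & MASK32
            self.stale, self.last_rd = self.R[rd], rd
            self.R[rd] = result
        else:
            self.last_rd = None                # other opcodes modelled as NOP
        return pre, list(self.R)


def check_add_property(program: list, initial_regs: list,
                       forwarding_bug: bool = False) -> list:
    """Run the program on the CPU model and check, for every retiring ADD,
    that post.R[Rd] equals the spec's result for the same pre-state.
    Returns a list of (index, opcode, expected, actual) counterexamples."""
    cpu = ToyCPU(initial_regs, forwarding_bug)
    violations = []
    for i, opcode in enumerate(program):
        pre, post = cpu.step(opcode)
        if add_retiring(opcode):
            rd = opcode & 7
            expected = spec_add(pre, opcode)[rd]
            if post[rd] != expected:
                violations.append((i, opcode, expected, post[rd]))
    return violations


def random_sweep(n_programs: int, seed: int, forwarding_bug: bool) -> int:
    """Constructed random stimulus: back-to-back ADD sequences with
    arbitrary register dependencies. Returns how many programs fail."""
    rng = random.Random(seed)
    failing = 0
    for _ in range(n_programs):
        regs = [rng.randrange(0, 1 << 32) for _ in range(8)]
        program = [encode_add(rng.randrange(8), rng.randrange(8), rng.randrange(8))
                   for _ in range(6)]
        if check_add_property(program, regs, forwarding_bug):
            failing += 1
    return failing


if __name__ == "__main__":
    # Constructed two-instruction program with a read-after-write dependency.
    prog = [encode_add(0, 1, 2), encode_add(3, 0, 0)]
    regs = [0, 1, 2, 3, 4, 5, 6, 7]
    print("correct CPU  :", check_add_property(prog, regs))
    print("broken bypass:", check_add_property(prog, regs, forwarding_bug=True))
    print("random sweep, broken bypass:", random_sweep(200, 1, True), "failing")
```

The second instruction of the constructed program reads R0 immediately after the first writes it, so with the bypass broken the CPU retires `ADD R3, R0, R0` with the stale R0 and the check reports the mismatch between the spec's 6 and the CPU's 0. An isolated ADD (no dependency on the previous instruction) passes in both models, which is why the slides check instructions in context rather than alone.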
ISA Formal
• Finds complex bugs in processor pipelines
• Applied to wide range of μArchitectures
• Uses translation of ARM's internal ISA specification
Challenges
• Complex Functional Units: FP, Memory
• Dual Issue, Instruction Fusion, Register Renaming, Out-of-order Retire
Pipeline with memory subsystem and FPU (figure): Memory (TLB, Prefetch, PTW, Coherence, Cache); FPU (FMUL, FADD, FDIV, FSQRT); registers R0-R15; stages IF (Fetch), ID (Decode), EX, MEM, WB; registers R0-R15
FP Subset Behaviour
FPAdd over the subset {-∞, -1, 0, 1, ∞} (blank cell: result not in the subset)
FPAdd    -∞    -1     0     1     ∞
-∞       -∞    -∞    -∞    -∞
-1       -∞          -1     0     ∞
0        -∞    -1     0     1     ∞
1        -∞     0     1           ∞
∞               ∞     ∞     ∞     ∞
ISA-Formal Properties
Written one instruction and one piece of architectural state at a time (build-up across several slides):
             ADC   ADD   B    …    YIELD
R[]          ✔     ✔     ✔
NZCV         ✔
SP           ✔     ✔
PC           ✔
S[],D[],V[]
FPSR
MemRead
MemWrite
SysRegRW
ELR
ESR
…

But this is slow and inconsistent

ISA-Formal Properties
Covering every instruction and every piece of architectural state (build-up across several slides):
             ADC   ADD   B    …    YIELD
R[]          ✔     ✔     ✔    ✔    ✔
NZCV         ✔     ✔     ✔    ✔    ✔
SP           ✔     ✔     ✔    ✔    ✔
PC           ✔     ✔     ✔    ✔    ✔
S[],D[],V[]  ✔     ✔     ✔    ✔    ✔
FPSR         ✔     ✔     ✔    ✔    ✔
MemRead      ✔     ✔     ✔    ✔    ✔
MemWrite     ✔     ✔     ✔    ✔    ✔
SysRegRW     ✔     ✔     ✔    ✔    ✔
ELR          ✔     ✔     ✔    ✔    ✔
ESR          ✔     ✔     ✔    ✔    ✔
…
ASL to Verilog (figure): Architecture Specification → Specialize, Monomorphize → Constant Propagation, Width Analysis → Exception Handling, … → Combinational Verilog
Arm CPUs verified with ISA-Formal
A-class: Cortex-A53, Cortex-A32, Cortex-A35, Cortex-A55, Next generation
R-class: Cortex-R52, Next generation
M-class: Cortex-M4, Cortex-M7, Cortex-M33, Next generation
Cambridge Projects
Rolling out globally to other design centres
- Sophia, France: Cortex-A75 (partial)
- Austin, USA: TBA
- Chandler, USA: TBA
Formal validation of specifications
"Who guards the guards? Formal Validation of ARM v8-M Specifications," OOPSLA 2017
One Specification to rule them all? (figure): Architecture Spec at the centre, connected to Compliance Tests, Processors, Reference Simulator
Creating a redundant specification
- Where to get a list of redundant properties from?
- How to formalise this list?
- How to formally validate specification against properties?
(This may look familiar from formal specification of software)
Rule JRJC
Exit from lockup is by any of the following:
• A Cold reset.
• A Warm reset.
• Entry to Debug state.
• Preemption by a higher priority processor exception.

Read as: State Change X is caused by Event A, Event B, State Change C or Event D.
Rule R: X → A ∨ B ∨ C ∨ D
And cannot happen any other way
State Change X   Exit from lockup                                       Fell(LockedUp)
Event A          A Cold reset                                           Called(TakeColdReset)
Event B          A Warm reset                                           Called(TakeReset)
State Change C   Entry to Debug state                                   Rose(Halted)
Event D          Preemption by a higher priority processor exception    Called(ExceptionEntry)
Fell(LockedUp) → Called(TakeColdReset) ∨ Called(TakeReset) ∨ Rose(Halted) ∨ Called(ExceptionEntry)
Rule VGNW
Entry to lockup from an exception causes
• Any Fault Status Registers associated with the exception to be updated.
• No update to the exception state, pending or active.
• The PC to be set to 0xEFFFFFFE.
• EPSR.IT to become UNKNOWN.
In addition, HFSR.FORCED is not set to 1.
(Annotations on the slide: Out of date, Misleading, Ambiguous, Untestable)
Checking rules (figure): v8-M Spec + Rules → Z3 SMT Solver → Proof or Counterexample
Fell(LockedUp) → Called(TakeColdReset) ∨ Called(TakeReset) ∨ Rose(Halted) ∨ Called(ExceptionEntry)
Temporal Operators: Fell, Rose. Event Operators: Called.
Temporal Operators
Fell(e)      Past(e) > e
Stable(e)    Past(e) = e
Rose(e)      Past(e) < e
Temporal Operators
Fell(LockedUp) is evaluated as:
    __Past_LockedUp = LockedUp;
    FunctionUnderTest();
    … __Past_LockedUp > LockedUp …
Event Operators
Called(TakeReset) is recorded by instrumenting the function:
    TakeReset() { __Called_TakeReset = TRUE; … }
    __Called_TakeColdReset = FALSE;
    __Called_TakeReset = FALSE;
    __Called_ExceptionEntry = FALSE;
    __Past_LockedUp = LockedUp;
    __Past_Halted = Halted;
    FunctionUnderTest();
    assert((__Past_LockedUp > LockedUp) ==>
           ( __Called_TakeColdReset || __Called_TakeReset || __Past_Halted < Halted || __Called_ExceptionEntry));
Putting it together
Fell(LockedUp) → Called(TakeColdReset) ∨ Called(TakeReset) ∨ Rose(Halted) ∨ Called(ExceptionEntry)
Rule JRJC: Exit from lockup is by any of the following:
• A Cold reset. • A Warm reset. • Entry to Debug state. • Preemption by a higher priority processor exception.
    __Called_TakeColdReset = FALSE;
    __Called_TakeReset = FALSE;
    __Called_ExceptionEntry = FALSE;
    __Past_LockedUp = LockedUp;
    __Past_Halted = Halted;
    FunctionUnderTest();
    assert((__Past_LockedUp > LockedUp) ==>
           ( __Called_TakeColdReset || __Called_TakeReset || __Past_Halted < Halted || __Called_ExceptionEntry));
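The following is an added example, not code from the slides and not Arm's ASL-to-SMT flow. It models the temporal operators Fell/Rose/Stable, the Called() event operator and the rule-JRJC harness in Python over a constructed toy model of a core's lockup state. Where the slides hand the instrumented ASL to an SMT solver, this example enumerates every initial state and every entry point of the toy model, which is enough to show how the instrumentation turns the English rule into an assertion and what a counterexample ("exited lockup some other way") looks like. The `Core` class, `EnterDebugState`, `Lockup`, `Nop`, `find_counterexamples` and the deliberately wrong `spurious_exit` are constructed names; `TakeColdReset`, `TakeReset`, `ExceptionEntry`, `LockedUp` and `Halted` are the names from the slides.

```python
# Added example (not from the slides, not Arm's tooling): temporal/event
# operators and the rule-JRJC check over a constructed toy lockup model.


def Fell(past: bool, now: bool) -> bool:
    """Past(e) > e : e went from TRUE to FALSE during the step."""
    return past > now


def Rose(past: bool, now: bool) -> bool:
    """Past(e) < e : e went from FALSE to TRUE during the step."""
    return past < now


def Stable(past: bool, now: bool) -> bool:
    """Past(e) = e : e did not change during the step."""
    return past == now


class Core:
    """Toy model: two architectural state bits and the spec functions the
    rule's events map to. Only the shape matters, not fidelity to v8-M."""

    def __init__(self, locked_up: bool, halted: bool):
        self.LockedUp = locked_up
        self.Halted = halted
        self.called = set()   # Called(f) := f in self.called after the step

    def TakeColdReset(self):             # Event A
        self.called.add("TakeColdReset")
        self.LockedUp, self.Halted = False, False

    def TakeReset(self):                 # Event B (warm reset)
        self.called.add("TakeReset")
        self.LockedUp = False

    def EnterDebugState(self):           # constructed; State Change C: Rose(Halted)
        if self.Halted:                  # already halted: nothing happens
            return
        self.Halted = True
        self.LockedUp = False

    def ExceptionEntry(self):            # Event D
        self.called.add("ExceptionEntry")
        self.LockedUp = False

    def Lockup(self):                    # constructed: entry to lockup, never an exit
        self.LockedUp = True

    def Nop(self):                       # constructed: no state change
        pass

    def spurious_exit(self):             # constructed bug: leaves lockup with no cause
        self.LockedUp = False


def check_rule_jrjc(core: Core, function_under_test) -> bool:
    """One instrumented step, mirroring the slide's harness:
       Fell(LockedUp) ==> Called(TakeColdReset) || Called(TakeReset)
                          || Rose(Halted) || Called(ExceptionEntry)
    Returns True if the rule holds for this step."""
    core.called.clear()                  # __Called_* = FALSE
    past_locked_up = core.LockedUp       # __Past_LockedUp = LockedUp
    past_halted = core.Halted            # __Past_Halted = Halted
    function_under_test()                # FunctionUnderTest()
    exited_lockup = Fell(past_locked_up, core.LockedUp)
    legitimate_cause = ("TakeColdReset" in core.called
                        or "TakeReset" in core.called
                        or Rose(past_halted, core.Halted)
                        or "ExceptionEntry" in core.called)
    return (not exited_lockup) or legitimate_cause


SPEC_ENTRY_POINTS = ["TakeColdReset", "TakeReset", "EnterDebugState",
                     "ExceptionEntry", "Lockup", "Nop"]


def find_counterexamples(entry_points: list) -> list:
    """Bounded check: every initial (LockedUp, Halted) state x every entry
    point, one step each. Returns (locked_up, halted, name) for each failure,
    i.e. each way of leaving lockup that rule JRJC does not allow."""
    failures = []
    for locked_up in (False, True):
        for halted in (False, True):
            for name in entry_points:
                core = Core(locked_up, halted)
                if not check_rule_jrjc(core, getattr(core, name)):
                    failures.append((locked_up, halted, name))
    return failures


if __name__ == "__main__":
    print("spec as modelled  :", find_counterexamples(SPEC_ENTRY_POINTS))
    print("with spurious exit:",
          find_counterexamples(SPEC_ENTRY_POINTS + ["spurious_exit"]))
```

Only the "and cannot happen any other way" half of the rule is what catches `spurious_exit`: the function leaves lockup without any of the four listed causes, so `Fell(LockedUp)` is true while the disjunction is false, exactly the shape of counterexample an SMT solver would return for the real specification.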
Arm Specification Language → SMT
Arm Specification Language features, each with an SMT counterpart: Arithmetic operations, Boolean operations, Bit Vectors, Arrays, Functions, Local Variables, Statements (Assignments, If-statements, Loops, Exceptions)
Results (more in OOPSLA paper)
- Most properties proved in under 100 seconds
- Found 12 bugs in specification: debug, exceptions, system registers, security
- Found bugs in English prose: ambiguous, imprecise, incorrect, …
Tool architecture (figure) with components: ASL Spec; Lexer, Parser; Typechecker; Interpreter; Verilog Backend; C Backend; SMT Backend; ARM Test Suite; Test Coverage; Simulation Trace; Architecture Properties; Bounded Model Checker; SMT Solver; Arm Processor
Public release of machine readable Arm specification
Enable formal verification of software and tools
Releases
- April 2017: v8.2
- July 2017: v8.3
Working with Cambridge University REMS group to convert to SAIL
Backends for HOL, OCaml, Memory model, (hopefully Coq too)
Specification: https://developer.arm.com/products/architecture/a-profile/exploration-tools
Tools: https://github.com/alastairreid/mra_tools
(See also: https://github.com/herd/herdtools7/blob/master/herd/libdir/aarch64.cat)
Talk to me about how I can help you use it
Specifications: The next bottleneck
- Test the specifications you depend on
- Formally validate/verify implementations
- Create redundant specifications
- Ensure specifications have many uses
- Don't write spec in Coq/HOL/ACL2/…
- Try to influence official specification
We will need a lot of specs, of real world s/w + h/w
Specs are a large part of TCB
How are we going to create them?
How are we going to trust them?
Thanks
Alasdair Armstrong (Cambridge U.), Alex Chadwick (ARM), Ali Zaidi (ARM), Anastasios Deligiannis (ARM), Anthony Fox (Cambridge U.), Ashan Pathirane (ARM), Belaji Venu (ARM), Bradley Smith (ARM), Brian Foley (ARM), Curtis Dunham (ARM), David Gilday (ARM), David Hoyes (ARM), David Seal (ARM), Daniel Bailey (ARM), Erin Shepherd (ARM), Francois Botman (ARM), George Hawes (ARM), Graeme Barnes (ARM), Isobel Hooper (ARM), Jack Andrews (ARM), Jacob Eapen (ARM), Jon French (Cambridge U.), Kathy Gray (Cambridge U.), Krassy Gochev (ARM), Lewis Russell (ARM), Matthew Leach (ARM), Meenu Gupta (ARM), Michele Riga (ARM), Milosch Meriac (ARM), Nigel Stephens (ARM), Niyas Sait (ARM), Peng Wang (ARM), Peter Sewell (Cambridge U.), Peter Vrabel (ARM), Richard Grisenthwaite (ARM), Rick Chen (ARM), Simon Bellew (ARM), Thomas Grocutt (ARM), Will Deacon (ARM), Will Keen (ARM), Wojciech Meyer (ARM), (and others)
Thank You! Danke! Merci! 谢谢! ありがとう! Gracias! Kiitos!
@alastair_d_reid
"Trustworthy Specifications of the ARM v8-A and v8-M architecture," FMCAD 2016
"Who guards the guards? Formal Validation of ARM v8-M Specifications," OOPSLA 2017
"End to End Verification of ARM processors with ISA Formal," CAV 2016