specifications: the next verification bottleneck · © 2017 arm limited specifications: the next...

©2017ArmLimited

Specifications:TheNextVerificationBottleneck

AlastairReid

ArmResearch

@alastair_d_reid

©2017ArmLimited2

Overview

1. Whatspecificationsdoweneed?

2. ARM’sformalprocessorspecifications

3. ThreestepsItooktocreategoodspecifications

©2017ArmLimited3

ARM

Designsprocessors,designsarchitecture,licensesarchitecture

16Bprocessors/year

(alsoGPUs,IoT,…)

SecurityResearchGroup

-Developandanalysesecurityextensions

-Createframeworkforverifyingproducts

-Wearehiring:fulltime,researchinternships

©2017ArmLimited4

Applications

Libraries

Runtimes

SecureServices CCompiler/Linker

MicroKernel

HAL

Architecture

MicroArchitecture

RTLD

©2017ArmLimited5

Specificationsweneed

LinuxsyscallsCstdlib

ISOCGcc/LLVMextensionsInlineassemblyELF/linkerscriptWeakmemorymodel

ProcessorpagetablesInterrupthandlerDevicedriverAPIFilesystemformat

TCP/IP,UDP,…TSLNTP,DNS,NFS,…WiFi,Bluetooth,Zigbee,…USB,SDcard,…

X11/Gtk+/…Javascript,CSS,SVG,…PHP,…

©2017ArmLimited6

TrustedComputingBase(!=TrustworthyComputingBase)

a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security

— Lampson

the totality of protection mechanisms within it, including hardware, firmware, and software, the combination of which is responsible for enforcing a computer security policy

— Orange Book (US DoD)

©2017ArmLimited7

Specificationsforrealworldsoftware/hardware

Unavoidable

Multipleimplementations

Multipleversionsofeachimplementation

Specmustincludeallquirksofrecentversionsofmajorimplementationstobeuseful

Existingspecification=English+Tables+Pseudocode

Existingcommunitymaynotvalueformalspecatfirst

©2017ArmLimited

Creatingtrustworthyspecifications

“TrustworthySpecificationsoftheARMv8-Aandv8-Marchitecture,”FMCAD2016

©2017ArmLimited9

Thestateofmostprocessorspecifications

Large(1000sofpages)

Broad(10+yearsofimplementations,multiplemanufacturers)

Complex(exceptions,weakmemory,…)

Informal(mostlyEnglishprose)

Wearealljustlearninghowto(retrospectively)formalizespecifications

©2017ArmLimited10

ArmProcessorSpecifications

A-class(phones,tablets,servers,…) M-class(microcontrollers,IoT)

6,000pages40,000lineformalspecification

Instructions(32/64-bit)Exceptions/InterruptsMemoryprotectionPagetablesMultipleprivilegelevelsSystemcontrolregistersDebug/trace

1,200pages15,000lineformalspecification

Instructions(32-bit)Exceptions/InterruptsMemoryprotectionPagetablesMultipleprivilegelevelsSystemcontrolregistersDebug/trace

©2017ArmLimited11

Englishprose

©2017ArmLimited12

Pseudocode

ARMResearch

System Architecture Specification

13

©2017ArmLimited14

ArmArchitectureSpecificationLanguage(ASL)

Indentation-basedsyntax

Imperative

First-order

Stronglytyped(typeinference,polymorphism,dependenttypes)

Bit-vectors

Unboundedintegers

Infiniteprecisionreals

Arrays,Records,Enumerations

Exceptions

ARMResearch 15

v8-A v8-MInstructions

Int/FP/SIMD26,000 6,000

Exceptions 4,000 3,000Memory 3,000 1,000Debug 3,000 1,000Misc 5,500 2,000

(Test support) 1,500 2,000Total 43,000 15,000

ARM Spec (lines of code)

ARMResearch

System Register Spec

16

v8-A v8-M

Registers 586 186Fields 3951 622 Constant aoe

985 177 Reserved 940 208 Impl. Defined 70 10 Passive 1888 165 Active 68 62Operations 112 10

ARMResearch

Trustworthiness

17

ARMResearch

Trustworthiness

ARM’s specification is correct by definition

17

ARMResearch

Trustworthiness

Does the specification match the behaviourof all ARM processors?

18

©2017ArmLimited19

Interpreter

CBackend

ASLSpecLexerParser

Typechecker

©2017ArmLimited20

ArchitecturalConformanceSuite

Processorarchitecturalcompliancesign-off

Large

• v8-A11,000testprograms,>2billioninstructions

• v8-M3,500testprograms,>250millioninstructions

Thorough

• Testsdarkcornersofspecification

©2017ArmLimited21 ©2017ArmLimited

ProgressintestingArmspecification

- Doesnotparse,doesnottypecheck

- Can’tgetoutofreset

- Can’texecutefirstinstruction

- Can’texecutefirst100instructions

- …

- Passes90%oftests

- Passes99%oftests

- …

0

50

100

©2017ArmLimited22

Measuringarchitecturecoverageoftests

Untested: op1*op2 == -3.0, FPCR.RND=-Inf

ARMResearch

Creating a Virtuous Cycle

23

ARMSpec

FuzzingFirmware

ARMConformanceTestSuite

ProcessorVerificanon

BootOS

InformanonFlow

Analysis

RandomInstrucnonSequences

TestcaseGeneranon

SpecificanonVerificanon

©2017ArmLimited

Formalvalidationofprocessors

“EndtoEndVerificationofARMprocessorswithISAFormal,”CAV2016

ARMResearch

Checkinganinstrucnon

25

ADD

ARMResearch

Checkinganinstrucnon

25

ADDCMP LDR STR BNE

Context

©2017ArmLimited26

Memory

R0-

R15DecodeFetch

EX MEM WBIF ID

R0-

R15

©2017ArmLimited26

Memory

R0-

R15DecodeFetch

EX MEM WBIF ID

R0-

R15

πpre

πpost

©2017ArmLimited26

Memory

R0-

R15DecodeFetch

EX MEM WBIF ID

R0-

R15

πpre

πpost

Pre Post_spec

Post_cpu

Spec ==?

ARMResearch

Errors ISA-Formal can catch

• Errors in decode

• Errors in data path

• Errors in forwarding logic

• Errors in register renaming

• Errors in exception handling

• Errors in speculative execution

27

NoContext

Context

{{

ARMResearch

Specifying ADD

assign ADD_retiring = (pre.opcode & 16'b1111_1110_0000_0000) == 16'b0001_1000_0000_0000;assign ADD_result = pre.R[pre.opcode[8:6]] + pre.R[pre.opcode[5:3]];assign ADD_Rd = pre.opcode[2:0];

assert property (@(posedge clk) disable iff (~reset_n) ADD_retiring |-> (ADD_result == post.R[ADD_Rd]));

28

ARMResearch

ISA Formal

• Finds complex bugs in processor pipelines

• Applied to wide range of μArchitectures

• Uses translation of ARM’s internal ISA specification

29

ARMResearch 30

ARMResearch

Challenges

• Complex Functional Units• FP• Memory

• Dual Issue• Instruction Fusion• Register Renaming• Out-of-order Retire

31

ARMResearch 32

Memory

R0-

R15DecodeFetch

EX MEM WBIF ID

R0-

R15

ARMResearch 33

ARMResearch 33

MemoryTLB

Prefetch

PTW

Coherence

Cache

ARMResearch 33

MemoryTLB

Prefetch

PTW

Coherence

Cache

FPUFMUL

FADD FDIV

FSQRT

ARMResearch 34

Memory

R0-

R15DecodeFetch

R0-

R15

Memory

FPU

ARMResearch

FP Subset Behaviour

35

-∞ -1 0 1 ∞-∞ -∞ -∞ -∞ -∞

-1 -∞ -1 0 ∞0 -∞ -1 0 1 ∞1 -∞ 0 1 ∞∞ ∞ ∞ ∞ ∞

FPAdd

ARMResearch

ISA Formal

• Finds complex bugs in processor pipelines

• Applied to wide range of μArchitectures

• Uses translation of ARM’s internal ISA specification

36

ARMResearch

ISA-Formal Properties

37

ADC ADD B … YIELDR[] ✔

NZCVSPPC

S[],D[],V[]FPSR

MemReadMemWriteSysRegRW

ELRESR…

ARMResearch


38

ADC ADD B … YIELDR[] ✔

NZCVSP ✔

PCS[],D[],V[]

FPSRMemReadMemWriteSysRegRW

ELRESR…

ARMResearch


39

ADC ADD B … YIELDR[] ✔ ✔

NZCVSP ✔

PC ✔

S[],D[],V[]FPSR


ELRESR…

ARMResearch


40

ADC ADD B … YIELDR[] ✔ ✔ ✔

NZCV ✔

SP ✔ ✔

PC ✔

S[],D[],V[]FPSR


ELRESR…

ARMResearch

But this is slowand inconsistent

41

ARMResearch


42

ADC ADD B … YIELDR[] ✔ ✔ ✔ ✔ ✔

NZCVSPPC

S[],D[],V[]FPSR


ELRESR…

ARMResearch


43


NZCV ✔ ✔ ✔ ✔ ✔

SP ✔ ✔ ✔ ✔ ✔

PC ✔ ✔ ✔ ✔ ✔

S[],D[],V[]FPSR


ELRESR…

ARMResearch


44


NZCV ✔ ✔ ✔ ✔ ✔

SP ✔ ✔ ✔ ✔ ✔

PC ✔ ✔ ✔ ✔ ✔

S[],D[],V[] ✔ ✔ ✔ ✔ ✔

FPSR ✔ ✔ ✔ ✔ ✔


ELRESR…

ARMResearch


45


NZCV ✔ ✔ ✔ ✔ ✔

SP ✔ ✔ ✔ ✔ ✔

PC ✔ ✔ ✔ ✔ ✔

S[],D[],V[] ✔ ✔ ✔ ✔ ✔

FPSR ✔ ✔ ✔ ✔ ✔

MemRead ✔ ✔ ✔ ✔ ✔

MemWrite ✔ ✔ ✔ ✔ ✔

SysRegRWELRESR…

ARMResearch


46


NZCV ✔ ✔ ✔ ✔ ✔

SP ✔ ✔ ✔ ✔ ✔

PC ✔ ✔ ✔ ✔ ✔

S[],D[],V[] ✔ ✔ ✔ ✔ ✔

FPSR ✔ ✔ ✔ ✔ ✔

MemRead ✔ ✔ ✔ ✔ ✔

MemWrite ✔ ✔ ✔ ✔ ✔

SysRegRW ✔ ✔ ✔ ✔ ✔

ELR ✔ ✔ ✔ ✔ ✔

ESR ✔ ✔ ✔ ✔ ✔

…

ARMResearch 47

CombinationalVerilog

ASL to Verilog

ArchitectureSpecification

SpecializeMonomorphize

ConstantPropagationWidthAnalysis

ExceptionHandling…

ARMResearch 48

©2017ArmLimited49

ArmCPUsverifiedwithISA-Formal

A-class

Cortex-A53

Cortex-A32

Cortex-A35

Cortex-A55

Nextgeneration

R-class

Cortex-R52

Nextgeneration

M-class

Cortex-M4

Cortex-M7

Cortex-M33

Nextgeneration

CambridgeProjects

Rollingoutgloballytootherdesigncentres

Sophia,France-Cortex-A75(partial)

Austin,USA-TBA

Chandler,USA-TBA

©2017ArmLimited

Formalvalidationofspecifications

“Whoguardstheguards?FormalValidationofARMv8-MSpecifications”OOPSLA2017

©2017ArmLimited52

Creatingaredundantspecification

Wheretogetalistofredundantpropertiesfrom?

Howtoformalisethislist?

Howtoformallyvalidatespecificationagainstproperties?

(Thismaylookfamiliarfromformalspecificationofsoftware)

©2017ArmLimited53

Rule JRJC Exit from lockup is by any of the following: • A Cold reset. • A Warm reset. • Entry to Debug state. • Preemption by a higher priority processor exception.

©2017ArmLimited54

StateChangeX Exit from lockup Fell(LockedUp)

EventA A Cold reset Called(TakeColdReset)

EventB A Warm reset Called(TakeReset)

StateChangeC Entry to Debug state Rose(Halted)

EventD Preemption by a higher priority processor exception

Called(ExceptionEntry)

©2017ArmLimited56

Rule VGNW Entry to lockup from an exception causes • Any Fault Status Registers associated with the exception

to be updated. • No update to the exception state, pending or active. • The PC to be set to 0xEFFFFFFE. • EPSR.IT to become UNKNOWN.

In addition, HFSR.FORCED is not set to 1.

OutofdateMisleading

AmbiguousUntestable

©2017ArmLimited60

TemporalOperators

__Past_LockedUp = LockedUp;

FunctionUnderTest();

… __Past_LockedUp > LockedUp …

Fell(LockedUp)

©2017ArmLimited62

__Called_TakeColdReset = FALSE; __Called_TakeReset = FALSE; __Called_TakeExceptionEntry = FALSE; __Past_LockedUp = LockedUp; __Past_Halted = Halted;

FunctionUnderTest();

assert((__Past_LockedUp > LockedUp) ==> ( __Called_TakeColdReset || __Called_TakeReset || __Past_Halted < Halted || __Called_ExceptionEntry));

©2017ArmLimited63


Rule JRJC Exit from lockup is by any of the following:

• A Cold reset. • A Warm reset. • Entry to Debug state. • Preemption by a higher priority processor exception.

__Called_TakeColdReset = FALSE; __Called_TakeReset = FALSE; __Called_TakeExceptionEntry = FALSE; __Past_LockedUp = LockedUp; __Past_Halted = Halted;

assert((__Past_LockedUp > LockedUp) ==> ( __Called_TakeColdReset || __Called_TakeReset || __Past_Halted < Halted || __Called_ExceptionEntry));

©2017ArmLimited64

ArithmeticoperationsBooleanoperationsBitVectorsArraysFunctionsLocalVariablesStatements

AssignmentsIf-statementsLoopsExceptions

ArmSpecificationLanguage SMT

ArithmeticoperationsBooleanoperationsBitVectorsArraysFunctionsLocalVariablesStatements

AssignmentsIf-statementsLoopsExceptions

©2017ArmLimited65

Results(moreinOOPSLApaper)

Mostpropertiesprovedinunder100seconds

Found12bugsinspecification:

-debug,exceptions,systemregisters,security

FoundbugsinEnglishprose:

-ambiguous,imprecise,incorrect,…

©2017ArmLimited66

LexerParser

Typechecker

Interpreter

VerilogBackend

CBackend

TestCoverage

SimulationTrace

ASLSpec

SMTBackend

ARMTestSuite

ArchitectureProperties

BoundedModelChecker

SMTSolver

ArmProcessor

©2017ArmLimited67

PublicreleaseofmachinereadableArmspecification

Enableformalverificanonofsotwareandtools

Releases

April2017:v8.2

July2017:v8.3

WorkingwithCambridgeUniversityREMSgrouptoconverttoSAIL

BackendsforHOL,OCaml,Memorymodel,(hopefullyCoqtoo)

Specificanon:hvps://developer.arm.com/products/architecture/a-profile/exploranon-tools

Tools:hvps://github.com/alastairreid/mra_tools

(Seealso:hvps://github.com/herd/herdtools7/blob/master/herd/libdir/aarch64.cat)

TalktomeabouthowIcanhelpyouuseit

https://developer.arm.com/products/architecture/a-profile/exploration-tools

https://github.com/alastairreid/mra_tools

https://github.com/herd/herdtools7/blob/master/herd/libdir/aarch64.cat

©2017ArmLimited68

Specifications:Thenextbottleneck

Testthespecificationsyoudependon

Formallyvalidate/verifyimplementations

Createredundantspecifications

Ensurespecificationshavemanyuses

Don’twritespecinCoq/HOL/ACL2/…

Trytoinfluenceofficialspecification

Spec

Wewillneedalotofspecs

Ofrealworlds/w+h/w

SpecsarealargepartofTCB

Howarewegoingtocreatethem?

Howarewegoingtotrustthem?

©2017ArmLimited69

Thanks

Alasdair Armstrong (Cambridge U.)Alex Chadwick (ARM)Ali Zaidi (ARM)Anastasios Deligiannis (ARM)Anthony Fox (Cambridge U.)Ashan Pathirane (ARM)Belaji Venu (ARM)Bradley Smith (ARM)Brian Foley (ARM)Curtis Dunham (ARM)David Gilday (ARM)David Hoyes (ARM)David Seal (ARM)Daniel Bailey (ARM)Erin Shepherd (ARM)Francois Botman (ARM)

George Hawes (ARM)Graeme Barnes (ARM)Isobel Hooper (ARM)Jack Andrews (ARM)Jacob Eapen (ARM)Jon French (Cambridge U.)Kathy Gray (Cambridge U.)Krassy Gochev (ARM)Lewis Russell (ARM)Matthew Leach (ARM)Meenu Gupta (ARM)Michele Riga (ARM)Milosch Meriac (ARM)Nigel Stephens (ARM)Niyas Sait (ARM)Peng Wang (ARM)

Peter Sewell (Cambridge U.)Peter Vrabel (ARM)Richard Grisenthwaite (ARM)Rick Chen (ARM)Simon Bellew (ARM)Thomas Grocutt (ARM)Will Deacon (ARM)Will Keen (ARM)Wojciech Meyer (ARM)(and others)

ThankYou!Danke!Merci!谢谢!ありがとう!Gracias!Kiitos!

©2017ArmLimited70

@alastair_d_reid

“TrustworthySpecificationsoftheARMv8-Aandv8-Marchitecture,”FMCAD2016

“Whoguardstheguards?FormalValidationofARMv8-MSpecifications,”OOPSLA2017

“EndtoEndVerificationofARMprocessorswithISAFormal,”CAV2016

specifications: the next verification bottleneck · © 2017 arm limited specifications: the next...

Documents