Abstract
There is no such thing as high assurance without high assurance hardware. High assurance hardware is essential because any and all high assurance systems ultimately depend on hardware that conforms to, and does not undermine, critical system properties and invariants. And yet, high assurance hardware development is stymied by the conceptual gap between formal methods and hardware description languages used by engineers. This article advocates a semantics-directed approach to bridge this conceptual gap. We present a case study in the design of secure processors, which are formally derived via principled techniques grounded in functional programming and equational reasoning. The case study comprises the development of secure single- and dual-core variants of a single processor, both based on a common semantic specification of the ISA. We demonstrate via formal equational reasoning that the dual-core processor respects a “no-write-down” information flow policy. The semantics-directed approach enables a modular and extensible style of system design and verification. The secure processors require only a very small amount of additional code to specify and implement, and their security verification arguments are concise and readable. Our approach rests critically on ReWire, a functional programming language providing a suitable foundation for formal verification of hardware designs. This case study demonstrates both ReWire’s expressiveness as a programming language and its power as a framework for formal, high-level reasoning about hardware systems.
- Christiaan Baaij and Jan Kuper. 2014. Using rewriting to synthesize functional languages to digital circuits. In Proceedings of the 2014 International Symposium on Trends in Functional Programming (TFP’14). 17--33. Google Scholar
Digital Library
- J. Bachrach, Huy Vo, B. Richards, Yunsup Lee, A. Waterman, R. Avizienis, J. Wawrzynek, and K. Asanovic. 2012. Chisel: Constructing hardware in a scala embedded language. In Proceedings of the 2012 49th ACM/EDAC/IEEE Design Automation Conference (DAC’12). 1212--1221. Google Scholar
Digital Library
- Per Bjesse, Koen Claessen, and Mary Sheeran. 1998. Lava: Hardware design in Haskell. In ICFP’98. 174--184. Google Scholar
Digital Library
- David Cock, Gerwin Klein, and Thomas Sewell. 2008. Secure microkernels, state monads and scalable refinement. In Proceedings of the 21st International Conference on Theorem Proving in Higher Order Logics (TPHOLs’08). 167--182. Google Scholar
Digital Library
- Stephen A. Edwards. 2006. The challenges of synthesizing hardware from C-like languages. IEEE Design and Test of Computers 23, 5 (2006), 375--386. Google Scholar
Digital Library
- Anthony Fox and Magnus O. Myreen. 2010. A trustworthy monadic formalization of the ARMv7 instruction set architecture. In Proceedings of the 1st International Conference on Interactive Theorem Proving (ITP’10). 243--258. Google Scholar
Digital Library
- Nithin George, Hyoukjoong Lee, David Novo, Tiark Rompf, Kevin Brown, Arvind Sujeeth, Martin Odersky, Kunle Olukotun, and Paolo Ienne. 2014. Hardware system synthesis from domain-specific languages. In Proceedings of 24th Internation Conference on Field Programmable Logic and Applications (FPL’14). Google Scholar
Cross Ref
- Andy Gill. 2011. Declarative FPGA circuit synthesis using Kansas Lava. In ERSA’11.Google Scholar
- Andy Gill. 2014. Domain-specific languages and code synthesis using Haskell. ACM Queue 12, 4, Article 30 (April 2014), 14 pages. Google Scholar
Digital Library
- Carlos Eduardo Giménez. 1996. Un Calcul De Constructions Infinies Et Son Application A La Verification De Systemes Communicants. Ph.D. Dissertation. L’École Normale Supérieure de Lyon.Google Scholar
- Joseph A. Goguen and José Meseguer. 1990. Security policies and security models. In Proceedings of the 1982 Symposium on Security and Privacy (SSP’82). IEEE Computer Society Press, 11--20.Google Scholar
- S. Goncharov and L. Schröder. 2011. A coinductive calculus for asynchronous side-effecting processes. In Proceedings of the 18th International Conference on Fundamentals of Computation Theory. 276--287. Google Scholar
Digital Library
- Ian Graves. 2015. Device-Level Composition in ReWire. Ph.D. Dissertation. University of Missouri.Google Scholar
- W. Harrison, A. Procter, J. Agron, G. Kimmel, and G. Allwein. 2009. Model-driven engineering from modular monadic semantics: Implementation techniques targeting hardware and software. In Proceedings of the IFIP TC 2 Working Conference on Domain-Specific Languages. 20--44. Google Scholar
Digital Library
- W. L. Harrison. 2006. Proof abstraction for imperative languages. In Proceedings of the 4th Asian Conference on Programming Languages and Systems (APLAS’06). 97--113. Google Scholar
Digital Library
- W. L. Harrison and James Hook. 2009. Achieving information flow security through monadic control of effects. Journal of Computer Security 17, 5 (2009), 599--653. Google Scholar
Digital Library
- William L. Harrison and Adam Procter. 2015. Cheap (but functional) threads. Submitted to the Journal of Functional Programming.Google Scholar
- William L. Harrison, Adam Procter, and Gerard Allwein. 2012. The confinement problem in the presence of faults. In Proceedings of the 14th International Conference on Formal Engineering Methods (ICFEM’12). 182--197. Google Scholar
Digital Library
- HyoukJoong Lee, Kevin Brown, Arvind Sujeeth, Hassan Chafi, Tiark Rompf, Martin Odersky, and Kunle Olukotun. 2011. Implementing domain-specific languages for heterogeneous parallel computing. IEEE Micro 31, 5 (Sept. 2011), 42--53. Google Scholar
Digital Library
- Xun Li, Mohit Tiwari, Jason K. Oberg, Vineeth Kashyap, Frederic T. Chong, Timothy Sherwood, and Ben Hardekopf. 2011. Caisson: A hardware description language for secure information flow. In Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’11). ACM, New York, NY, 109--120. Google Scholar
Digital Library
- Sheng Liang. 1998. Modular Monadic Semantics and Compilation. Ph.D. Dissertation. Yale University. Google Scholar
Digital Library
- Sheng Liang, Paul Hudak, and Mark Jones. 1995. Monad transformers and modular interpreters. In Proceedings of the 22nd ACM Symposium on Principles of Programming Languages. Google Scholar
Digital Library
- E. Moggi. 1991. Notions of computation and monads. Information and Computation 93, 1 (July 1991), 55--92. Google Scholar
Digital Library
- Gerald J. Popek and Robert P. Goldberg. 1974. Formal requirements for virtualizable third generation architectures. Communications of the ACM 17, 7 (July 1974), 412--421. Google Scholar
Digital Library
- Adam Procter. 2014. Semantics-Driven Design and Implementation of High-Assurance Hardware. Ph.D. Dissertation. University of Missouri.Google Scholar
- Adam Procter, William L. Harrison, Ian Graves, Michela Becchi, and Gerard Allwein. 2015b. Online supplement accompanying “A Principled Approach to Secure Multi-Core Processor Design in ReWire”. Retrieved from http://adamprocter.com/tecs15. Google Scholar
Digital Library
- Adam Procter, William L. Harrison, Ian Graves, Michela Becchi, and Gerard Allwein. 2015a. Semantics driven hardware design, implementation, and verification with ReWire. In Proceedings of the 16th ACM SIGPLAN/SIGBED Conference on Languages, Compilers and Tools for Embedded Systems (LCTES’15). Article 13, 13:1--13:10 pages. Google Scholar
Digital Library
- John Reynolds. 1972. Definitional interpreters for higher order programming languages. ACM’72: Proceedings of the ACM Annual Conference. Vol. 2, 717--740. Google Scholar
Digital Library
- Ingo Sander and Axel Jantsch. 2004. System modeling and transformational design refinement in ForSyDe. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 23, 1 (2004), 17--32. Google Scholar
Digital Library
- Susmit Sarkar, Peter Sewell, Francesco Zappa Nardelli, Scott Owens, Tom Ridge, Thomas Braibant, Magnus O. Myreen, and Jade Alglave. 2009. The semantics of x86-CC multiprocessor machine code. In Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’09). 379--391. Google Scholar
Digital Library
- Walid Taha and Tim Sheard. 2000. MetaML and multi-stage programming with explicit annotations. Theoretical Computer Science 248, 12 (2000), 211--242. Google Scholar
Digital Library
- Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. 1996. A sound type system for secure flow analysis. Journal of Computer Security 4, 2--3 (1996), 167--187. Google Scholar
Digital Library
- Matthew Wilding, David Greve, Raymond Richards, and David Hardin. 2010. Formal verification of partition management for the AAMP7G microprocessor. In Design and Verification of Microprocessor Systems for High-Assurance Applications, David S. Hardin (Ed.). 175--191. Google Scholar
Cross Ref
- Xilinx. 2011. PicoBlaze 8-bit Embedded Microcontroller User Guide. Xilinx, Inc.Google Scholar
- Kuangya Zhai, Richard Townsend, Lianne Lairmore, Martha A. Kim, and Stephen A. Edwards. 2015. Hardware synthesis from a recursive functional language. In Proceedings of the International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS). Google Scholar
Digital Library
Index Terms
A Principled Approach to Secure Multi-core Processor Design with ReWire
Recommendations
A Reconfigurable Processor Architecture Combining Multi-core and Reconfigurable Processing Unit
CIT '10: Proceedings of the 2010 10th IEEE International Conference on Computer and Information TechnologyIt’s a promising way to improve performance significantly by adding reconfigurable processing unit to a general purpose processor. In this paper, a Reconfigurable Multi-Core (RMC) architecture combining general multi-core and reconfigurable logic is ...
A Many-Core Co-Processor for Embedded Parallel Computing on FPGA
DSD '15: Proceedings of the 2015 Euromicro Conference on Digital System DesignSingle processor architectures are unable to provide the required performance of high performance embedded systems. Parallel processing based on general-purpose processors can achieve these performances with a considerable increase of required ...
A reconfigurable processor architecture combining multi-core and reconfigurable processing units
It's a promising way to improve performance significantly by adding reconfigurable processing unit (RPU) to a general purpose processor. In this paper, a Reconfigurable Multi-Core (RMC) architecture combining general multi-core and reconfigurable logic ...






Comments