research-article
Open Access

Who Guards the Guards? Formal Validation of the Arm v8-M Architecture Specification

Published: 12 October 2017

Abstract

Software and hardware are increasingly being formally verified against specifications, but how can we verify the specifications themselves? This paper explores what it means to formally verify a specification. We solve three challenges: (1) How to create a secondary, higher-level specification that can be effectively reviewed by processor designers who are not experts in formal verification; (2) How to avoid common-mode failures between the specifications; and (3) How to automatically verify the two specifications against each other.

One of the most important specifications for software verification is the processor specification since it defines the behaviour of machine code and of hardware protection features used by operating systems. We demonstrate our approach on ARM's v8-M Processor Specification, which is intended to improve the security of Internet of Things devices. Thus, we focus on establishing the security guarantees the architecture is intended to provide. Despite the fact that the ARM v8-M specification had previously been extensively tested, we found twelve bugs (including two security bugs) that have all been fixed by ARM.
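To make the three challenges concrete, here is an added example that is not code from the paper (which works on Arm's machine-readable specification with an SMT backend, not on a toy). It keeps the two specification levels in deliberately different styles so that they are unlikely to share the same mistake: level 1 is a small operational model of a few Armv8-M-flavoured instructions, and level 2 is a set of reviewer-facing security rules written as predicates. A bounded exhaustive checker runs every (start state, instruction) pair through level 1 and reports each level-2 rule it breaks. The region table, the instruction subset, the state fields and the injectable bug (unprivileged MSR CONTROL writes taking effect instead of being ignored) are assumptions made for illustration, not anything the paper reports.

```python
"""Added example (not from the paper): a toy two-level specification cross-check.

Level 1 is a small operational model of a few Armv8-M-flavoured instructions;
level 2 is a set of plain-English-style security rules written as predicates.
A bounded exhaustive checker runs every (state, instruction) pair through the
operational model and reports any rule it breaks. Region names, the instruction
subset and the injectable bug are assumptions made for illustration.
"""
from dataclasses import dataclass, replace
from itertools import product

# Simplified MPU-style permission table (assumed layout): region -> privileged-only?
REGIONS = {"kernel": True, "user": False}


@dataclass(frozen=True)
class State:
    npriv: bool              # CONTROL.nPRIV: thread mode is unprivileged when set
    in_handler: bool         # executing an exception handler (always privileged)
    fault: bool = False      # a MemManage/UsageFault-style fault was raised
    writes: tuple = ()       # regions written so far, in order


def is_privileged(s):
    """Effective privilege: handlers run privileged, thread mode follows nPRIV."""
    return s.in_handler or not s.npriv


# Instructions as (mnemonic, operand); a deliberately tiny subset.
INSTRS = [
    ("MSR_CONTROL", 0),      # write CONTROL.nPRIV = 0 (ask to become privileged)
    ("MSR_CONTROL", 1),      # write CONTROL.nPRIV = 1 (drop to unprivileged)
    ("STR", "kernel"),
    ("STR", "user"),
    ("SVC", None),           # supervisor call: exception entry
    ("EXC_RETURN", None),    # return from handler to thread mode
]


# ---- Level 1: operational ("detailed") specification ------------------------
def step(s, instr, control_write_checks_privilege=True):
    """Execute one instruction on state s; returns the successor state.

    control_write_checks_privilege=False injects a hypothetical spec bug for
    demonstration: unprivileged MSR CONTROL writes take effect instead of being
    ignored (the ignore rule is the assumed correct behaviour)."""
    op, arg = instr
    if op == "MSR_CONTROL":
        if is_privileged(s) or not control_write_checks_privilege:
            return replace(s, npriv=bool(arg))
        return s                                   # write ignored
    if op == "STR":
        if REGIONS[arg] and not is_privileged(s):
            return replace(s, fault=True)          # MPU denies the access
        return replace(s, writes=s.writes + (arg,))
    if op == "SVC":
        return replace(s, in_handler=True)
    if op == "EXC_RETURN":
        if not s.in_handler:
            return replace(s, fault=True)          # no exception to return from
        return replace(s, in_handler=False)
    raise ValueError(f"unknown instruction {op!r}")


# ---- Level 2: reviewer-facing security rules as predicates -------------------
def rule_no_silent_escalation(before, instr, after):
    """Unprivileged code only gains privilege through exception entry."""
    if is_privileged(before) or after.fault:
        return True
    return not is_privileged(after) or instr[0] == "SVC"


def rule_unprivileged_store_blocked(before, instr, after):
    """Unprivileged code never completes a write to a privileged-only region."""
    if is_privileged(before):
        return True
    new_writes = after.writes[len(before.writes):]
    return not any(REGIONS[r] for r in new_writes)


RULES = [rule_no_silent_escalation, rule_unprivileged_store_blocked]


def all_start_states():
    """Bounded state space: every combination of nPRIV and handler/thread mode."""
    for npriv, in_handler in product((False, True), repeat=2):
        yield State(npriv=npriv, in_handler=in_handler)


def cross_check(**model_flags):
    """Run every (state, instruction) pair through level 1 and check level 2.

    Returns a list of (rule name, start state, instruction) violations; an
    empty list means the two specifications agree on this bounded space."""
    violations = []
    for s, instr in product(all_start_states(), INSTRS):
        t = step(s, instr, **model_flags)
        for rule in RULES:
            if not rule(s, instr, t):
                violations.append((rule.__name__, s, instr))
    return violations


if __name__ == "__main__":
    print("correct model:", cross_check())
    print("with injected bug:", cross_check(control_write_checks_privilege=False))
```

Run as a script, the correct model reports no violations, while the variant with the injected bug reports exactly one: an unprivileged thread-mode MSR CONTROL with nPRIV = 0 that the rules flag as a privilege escalation without exception entry. That single disagreement is the point of the two-level setup: the rule is short enough for a processor designer to confirm by reading it, and the operational model is what the checker actually executes, so a mistake has to be made twice, in two notations, to go unnoticed.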




Published in

Proceedings of the ACM on Programming Languages, Volume 1, Issue OOPSLA
October 2017
1786 pages
EISSN: 2475-1421
DOI: 10.1145/3152284

Copyright © 2017 Owner/Author

Publisher: Association for Computing Machinery, New York, NY, United States
