Abstract
Software and hardware are increasingly being formally verified against specifications, but how can we verify the specifications themselves? This paper explores what it means to formally verify a specification. We address three challenges: (1) how to create a secondary, higher-level specification that can be effectively reviewed by processor designers who are not experts in formal verification; (2) how to avoid common-mode failures between the two specifications; and (3) how to automatically verify the two specifications against each other.
One of the most important specifications for software verification is the processor specification, since it defines the behaviour of machine code and of the hardware protection features used by operating systems. We demonstrate our approach on ARM's v8-M processor specification, which is intended to improve the security of Internet of Things devices, so we focus on establishing the security guarantees the architecture is intended to provide. Although the ARM v8-M specification had previously been extensively tested, we found twelve bugs (including two security bugs), all of which have been fixed by ARM.
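The following is an added illustration of the approach the abstract describes, not code from the paper or from ARM. It models a detailed, pseudocode-style access-control decision (the "low-level" spec) and, independently, a short list of one-line requirement predicates (the "high-level" spec), then checks every reachable case of one against the other. The memory map, the two security states and privilege levels, and the rules are all constructed for the example and do not reproduce the v8-M specification; exhaustive enumeration over a tiny state space stands in for a solver-based check. Writing the rules as separate predicates rather than copying the decision procedure is what keeps the two specs from sharing a single mistake; the deliberately buggy variant at the end shows the cross-check catching exactly that kind of divergence.

```python
"""Cross-checking a detailed executable spec against an independently written
set of high-level rules by exhaustive enumeration (constructed example)."""
from dataclasses import dataclass
from itertools import product

# Hypothetical machine state: security state and privilege level of the code
# performing the access. A real architecture has far more state; omitted here.
SECURITY_STATES = ("Secure", "NonSecure")
PRIV_LEVELS = ("Privileged", "Unprivileged")
ACCESS_KINDS = ("read", "write")


@dataclass(frozen=True)
class Region:
    lo: int
    hi: int           # inclusive upper bound
    secure: bool      # region is Secure-only
    priv_only: bool   # region requires Privileged code


# Constructed memory map (not a real device's map).
REGIONS = (
    Region(0x0000_0000, 0x0000_FFFF, secure=True, priv_only=False),
    Region(0x0001_0000, 0x0001_FFFF, secure=True, priv_only=True),
    Region(0x2000_0000, 0x2000_FFFF, secure=False, priv_only=False),
    Region(0x2001_0000, 0x2001_FFFF, secure=False, priv_only=True),
)


def lookup(addr):
    """Return the region containing addr, or None if unmapped."""
    for r in REGIONS:
        if r.lo <= addr <= r.hi:
            return r
    return None


# --- Low-level spec: step-by-step decision procedure, the style a detailed
# architecture specification is written in.
def low_level_permitted(sec_state, priv, addr, kind):
    r = lookup(addr)
    if r is None:
        return False                      # unmapped address faults
    if r.secure and sec_state != "Secure":
        return False                      # Secure memory needs Secure state
    if r.priv_only and priv != "Privileged":
        return False                      # privileged-only region
    return True


# --- High-level spec: one requirement per predicate, written independently of
# the decision procedure so a reviewer can check each rule on its own.
def rule_unmapped_faults(sec_state, priv, addr, kind, permitted):
    return lookup(addr) is not None or not permitted


def rule_nonsecure_cannot_touch_secure(sec_state, priv, addr, kind, permitted):
    r = lookup(addr)
    return not (r and r.secure and sec_state == "NonSecure" and permitted)


def rule_unprivileged_respects_priv_only(sec_state, priv, addr, kind, permitted):
    r = lookup(addr)
    return not (r and r.priv_only and priv == "Unprivileged" and permitted)


def rule_otherwise_allowed(sec_state, priv, addr, kind, permitted):
    """Liveness side: an access with no reason to be refused must succeed."""
    r = lookup(addr)
    if r is None:
        return True
    sec_ok = (not r.secure) or sec_state == "Secure"
    priv_ok = (not r.priv_only) or priv == "Privileged"
    return permitted if (sec_ok and priv_ok) else True


RULES = (rule_unmapped_faults, rule_nonsecure_cannot_touch_secure,
         rule_unprivileged_respects_priv_only, rule_otherwise_allowed)

# Boundary addresses of every region plus one unmapped address.
SAMPLE_ADDRS = tuple(a for r in REGIONS for a in (r.lo, r.hi)) + (0x1000_0000,)


def cross_check(low_level, addrs=SAMPLE_ADDRS):
    """Enumerate every (state, addr, kind); return the first violated rule
    as a counterexample dict, or None if the two specs agree everywhere."""
    for sec_state, priv, addr, kind in product(SECURITY_STATES, PRIV_LEVELS,
                                               addrs, ACCESS_KINDS):
        permitted = low_level(sec_state, priv, addr, kind)
        for rule in RULES:
            if not rule(sec_state, priv, addr, kind, permitted):
                return {"rule": rule.__name__, "sec_state": sec_state,
                        "priv": priv, "addr": addr, "kind": kind,
                        "permitted": permitted}
    return None


# Constructed defect: the privilege check is only applied to writes, so an
# unprivileged read of a privileged-only region is wrongly permitted.
def buggy_low_level_permitted(sec_state, priv, addr, kind):
    r = lookup(addr)
    if r is None:
        return False
    if r.secure and sec_state != "Secure":
        return False
    if kind == "write" and r.priv_only and priv != "Privileged":  # BUG
        return False
    return True


if __name__ == "__main__":
    print("correct spec :", cross_check(low_level_permitted))
    print("buggy spec   :", cross_check(buggy_low_level_permitted))
```

The counterexample names the violated rule and the concrete state and address, which is the artefact a reviewer who is not a formal-methods expert can act on: the rule is one readable sentence, and the witness is a single access to replay against the detailed spec.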
Who guards the guards? formal validation of the Arm v8-m architecture specification