Formal Verification of Partition Management for the AAMP7G Microprocessor

The AAMP7G microprocessor, currently in use in Rockwell Collins high-assurance system products, uniquely supports strict time and space partitioning in hardware. In this chapter, we describe the formal modeling and proof effort that led to an NSA multiple independent levels of security (MILS) certification for the AAMP7G. The MILS certificate allows a single AAMP7G CPU to concurrently process Unclassified through Top Secret codeword information. We discuss the formal model architecture of the AAMP7G at several levels, including the microcode and instruction set levels. We describe how the ACL2 theorem prover was used to develop a formal security specification, called GWV, and outline a mathematical proof (machine-checked using ACL2) which established that the AAMP7G trusted microcode implements that security specification, in accordance with EAL 7 requirements. We also discuss the evaluation process, which validated that the formalizations accurately model what was actually designed and built. Finally, we provide an overview of a technique for compositional reasoning at the instruction set level, using a symbolic simulation-based technique.
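The abstract refers to the GWV security specification without stating it. The example below is an added illustration, not code from the chapter or from Rockwell Collins, of the one-step separation property published as GWV (Greve, Wilding and Vanfleet, 2003): the next value of a memory segment may depend only on the current partition and on the segments that the policy's "direct interaction allowed" (dia) relation names for it. It models a toy partitioned machine with three segments and two partitions (all constructed here, none from the AAMP7G), and checks the property exhaustively over a small value domain rather than by theorem proving; `step_good`, `step_leaky`, `DIA` and `check_gwv` are this example's own names.

```python
from itertools import product
from typing import Callable, Dict, FrozenSet, NamedTuple, Optional, Tuple

# Constructed toy machine: three memory segments and two partitions.
SEGMENTS = ("A", "B", "S")       # A belongs to P1, B to P2, S is read-only shared config
PARTITIONS = ("P1", "P2")
VALUES = (0, 1, 2)               # small domain so the check can be exhaustive


class State(NamedTuple):
    current: str                 # partition scheduled to run in this step
    mem: Tuple[int, int, int]    # values of segments A, B, S (in SEGMENTS order)


def select(seg: str, st: State) -> int:
    """GWV 'select': the value of a segment in a state."""
    return st.mem[SEGMENTS.index(seg)]


# Policy (assumption for this example): which segments may influence each segment.
# A and B may read the shared config S; neither may influence the other; S is constant.
DIA: Dict[str, FrozenSet[str]] = {
    "A": frozenset({"A", "S"}),
    "B": frozenset({"B", "S"}),
    "S": frozenset({"S"}),
}


def _write(st: State, seg: str, val: int) -> State:
    mem = list(st.mem)
    mem[SEGMENTS.index(seg)] = val
    nxt = "P2" if st.current == "P1" else "P1"    # round-robin schedule
    return State(nxt, tuple(mem))


def step_good(st: State) -> State:
    """Each partition touches only its own segment, reading only S besides it."""
    a, b, s = st.mem
    if st.current == "P1":
        return _write(st, "A", (a + s) % 3)
    return _write(st, "B", (b * s) % 3)


def step_leaky(st: State) -> State:
    """Defect: P2's update of B reads A, which DIA does not permit."""
    a, b, s = st.mem
    if st.current == "P1":
        return _write(st, "A", (a + s) % 3)
    return _write(st, "B", (b + a) % 3)


def all_states():
    for cur in PARTITIONS:
        for mem in product(VALUES, repeat=len(SEGMENTS)):
            yield State(cur, mem)


def check_gwv(step: Callable[[State], State],
              dia: Dict[str, FrozenSet[str]]) -> Optional[Tuple[str, State, State]]:
    """One-step GWV separation, checked over every pair of states.

    If two states run the same partition and agree on every segment in dia(seg),
    they must agree on seg after one step.  Returns None when the property holds,
    otherwise the first (seg, s1, s2) counterexample found.
    """
    states = list(all_states())
    for seg in SEGMENTS:
        for s1 in states:
            for s2 in states:
                if s1.current != s2.current:
                    continue
                if all(select(x, s1) == select(x, s2) for x in dia[seg]):
                    if select(seg, step(s1)) != select(seg, step(s2)):
                        return (seg, s1, s2)
    return None


if __name__ == "__main__":
    print("good step :", check_gwv(step_good, DIA))    # None: property holds
    print("leaky step:", check_gwv(step_leaky, DIA))   # counterexample on segment B
```

The counterexample for `step_leaky` is a pair of states that differ only in segment A yet produce different values in B, which is exactly the kind of cross-partition information flow the AAMP7G proof rules out; in the chapter's setting the same obligation is discharged by an ACL2 proof over the microcode model rather than by enumeration.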
