Engineering a Formal, Executable x86 ISA Simulator for Software Verification

Construction of a formal model of a computing system is a necessary practice in formal verification. The results of formal analysis can only be valued to the same degree as the model itself. Model development is error-prone, not only due to the complexity of the system being modeled, but also because it involves addressing disparate requirements. For example, a formal model should be defined using simple constructs to enable efficient reasoning but it should also be optimized to offer fast concrete simulations. Models of large computing systems are themselves large software systems and must be subject to rigorous validation. We describe our formal, executable model of the x86 instruction-set architecture; we use our model to reason about x86 machine-code programs. Validation of our x86 ISA model is done by co-simulating it regularly against a physical x86 machine. We present design decisions made during model development to optimize both validation and verification, i.e., efficiency of both simulation and reasoning. Our engineering process provides insight into the development of a software verification and model animation framework from the points of view of accuracy, efficiency, scalability, maintainability, and usability.

[1]  Robert S. Boyer,et al.  Automated proofs of object code for a widely used microprocessor , 1996, JACM.

[2]  Jun Sawada,et al.  ACL2SIX: A Hint used to Integrate a Theorem Prover and an Automated Verification Tool , 2006, 2006 Formal Methods in Computer Aided Design.

[3]  Francesco Zappa Nardelli,et al.  The semantics of power and ARM multiprocessor machine code , 2009, DAMP '09.

[4]  Konrad Slind,et al.  Decompilation into logic — Improved , 2012, 2012 Formal Methods in Computer-Aided Design (FMCAD).

[5]  Ulan Degenbaev,et al.  Formal specification of the x86 instruction set architecture , 2012 .

[6]  Raúl Rojas,et al.  Konrad Zuse's Legacy: The Architecture of the Z1 and Z3 , 1997, IEEE Ann. Hist. Comput..

[7]  Warren A. Hunt,et al.  Automated Code Proofs on a Formal Model of the X86 , 2013, VSTTE.

[8]  A. Turing On Computable Numbers, with an Application to the Entscheidungsproblem. , 1937 .

[9]  Anthony C. J. Fox,et al.  Formal Specification and Verification of ARM6 , 2003, TPHOLs.

[10]  J Strother Moore Stateman: Using Metafunctions to Manage Large Terms Representing Machine States , 2015, ACL2.

[11]  J. Strother Moore Piton: A Mechanically Verified Assembly-Level Language , 1996 .

[12]  Tom Ridge,et al.  The semantics of x86-CC multiprocessor machine code , 2009, POPL '09.

[13]  Sol Otis Swords A verified framework for symbolic execution in the ACL2 theorem prover , 2010 .

[14]  Jun Sawada,et al.  Verification of FM9801: An Out-of-Order Microprocessor Model with Speculative Execution, Exceptions, and Program-Modifying Capability , 2002, Formal Methods Syst. Des..

[15]  Peter Sewell,et al.  A Better x86 Memory Model: x86-TSO , 2009, TPHOLs.

[16]  Sol Swords,et al.  Bit-Blasting ACL2 Theorems , 2011, ACL2.

[17]  Jun Sawada,et al.  Mechanical Verification of a Square Root Algorithm Using Taylor's Theorem , 2002, FMCAD.

[18]  Francesco Zappa Nardelli,et al.  x86-TSO , 2010, Commun. ACM.

[19]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[20]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[21]  Natarajan Shankar,et al.  PVS: A Prototype Verification System , 1992, CADE.

[22]  Panagiotis Manolios,et al.  Computer-Aided Reasoning: An Approach , 2011 .

[23]  A. M. Turing,et al.  Checking a large routine , 1989 .

[24]  John von Neumann,et al.  First draft of a report on the EDVAC , 1993, IEEE Annals of the History of Computing.

[25]  William D. Young,et al.  A mechanically verified code generator , 1989, Journal of Automated Reasoning.

[26]  Jared Davis,et al.  Industrial-Strength Documentation for ACL2 , 2014, ACL2.

[27]  William D. Young,et al.  A robust machine code proof framework for highly secure applications , 2006, ACL2 '06.

[28]  Jun Sawada,et al.  Combining ACL2 and an automated verification tool to verify a multiplier , 2006, ACL2 '06.

[29]  Matt Kaufmann,et al.  A formal model of a large memory that supports efficient execution , 2012, 2012 Formal Methods in Computer-Aided Design (FMCAD).

[30]  Robert S. Boyer,et al.  Single-Threaded Objects in ACL2 , 2002, PADL.

[31]  Yu Guo,et al.  Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads , 2009, Journal of Automated Reasoning.

[32]  Matt Kaufmann,et al.  Simulation and formal verification of x86 machine-code programs that make system calls , 2014, 2014 Formal Methods in Computer-Aided Design (FMCAD).

[33]  Konrad Slind,et al.  Machine-Code Verification for Multiple Architectures - An Application of Decompilation into Logic , 2008, 2008 Formal Methods in Computer-Aided Design.

[34]  David M. Russinoff A Case Study in Fomal Verification of Register-Transfer Logic with ACL2: The Floating Point Adder of the AMD AthlonTM Processor , 2000, FMCAD.

[35]  Zhong Shao Clean-Slate Development of Certified OS Kernels , 2015, CPP.

[36]  Sandip Ray,et al.  Integrating external deduction tools with ACL2 , 2006, J. Appl. Log..

[37]  David M. Russinoff,et al.  Modeling Algorithms in SystemC and ACL2 , 2014, ACL2.

[38]  David A. Greve Symbolic Simulation of the JEM1 Microprocessor , 1998, FMCAD.

[39]  Warren A. Hunt,et al.  Microprocessor design verification , 1989, Journal of Automated Reasoning.

[40]  Magnus O. Myreen Formal verification of machine-code programs , 2011 .

[41]  Matthew Wilding,et al.  Efficient Simulation of Formal Processor Models , 2001, Formal Methods Syst. Des..

[42]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[43]  Matthew Wilding,et al.  High-speed, analyzable simulators , 2000 .

[44]  David M. Russinoff Computation and Formal Verification of SRT Quotient and Square Root Digit Selection Tables , 2013, IEEE Transactions on Computers.

[45]  M. de Rijke,et al.  The Boyer-Moore theorem prover , 2000 .

[46]  Kevin P. Lawton Bochs: A Portable PC Emulator for Unix/X , 1996 .

[47]  Magnus O. Myreen,et al.  A Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture , 2010, ITP.

[48]  Xiaomu Shi,et al.  Certification of an Instruction Set Simulator , 2013 .

[49]  Anna Slobodová,et al.  Microcode Verification - Another Piece of the Microprocessor Verification Puzzle , 2014, ITP.

[50]  Matt Kaufmann,et al.  Abstract Stobjs and Their Application to ISA Modeling , 2013, ACL2.

[51]  Jason Baumgartner,et al.  Hybrid verification of a hardware modular reduction engine , 2011, 2011 Formal Methods in Computer-Aided Design (FMCAD).

[52]  Alessandro Coglio,et al.  Second-Order Functions and Theorems in ACL2 , 2015, ACL2.

[53]  Robert S. Boyer,et al.  The Boyer-Moore theorem prover and its interactive enhancement , 1995 .

[54]  M. Gordon,et al.  Introduction to HOL: a theorem proving environment for higher order logic , 1993 .

[55]  José-Luis Ruiz-Reina,et al.  Efficient execution in an automated reasoning environment , 2008, J. Funct. Program..

[56]  J. Gregory Morrisett Scalable Formal Machine Models , 2012, APLAS.

[57]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[58]  Zhong Shao,et al.  Verification of safety properties for concurrent assembly code , 2004, ICFP '04.

[59]  Eric Smith,et al.  Polymorphic Types in ACL2 , 2014, ACL2.

[60]  Warren A. Hunt,et al.  Towards a Formal Model of the X86 ISA , 2012 .