Physical Addressing on Real Hardware in Isabelle/HOL

Modern computing platforms are inherently complex and diverse: a heterogeneous collection of cores, interconnects, programmable memory translation units, and devices means that there is no single physical address space, and each core or DMA device may see other devices at different physical addresses. This is a problem because correct operation of system software relies on correct configuration of these interconnects, and current operating systems (and associated formal specifications) make assumptions about global physical addresses which do not hold. We present a formal model in Isabelle/HOL to express this complex addressing hardware that captures the intricacies of different real platforms or Systems-on-Chip (SoCs), and demonstrate its expressivity by showing, as an example, the impossibility of correctly configuring a MIPS R4600 TLB as specified in its documentation. Such a model not only facilitates proofs about hardware, but is used to generate correct code at compile time and device configuration at runtime in the Barrelfish research OS.

[1]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[2]  Dejan S. Milojicic,et al.  Not Your Parents' Physical Address Space , 2015, HotOS.

[3]  Alastair David Reid,et al.  Trustworthy specifications of ARM® v8-A and v8-M system level architecture , 2016, 2016 Formal Methods in Computer-Aided Design (FMCAD).

[4]  Christian Jacobi,et al.  Putting it all together – Formal verification of the VAMP , 2006, International Journal on Software Tools for Technology Transfer.

[5]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[6]  Matt Kaufmann,et al.  Industrial hardware and software verification with ACL2 , 2017, Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences.

[7]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[8]  Ali Sezgin,et al.  Modelling the ARMv8 architecture, operationally: concurrency and ISA , 2016, POPL.

[9]  Timothy Roscoe,et al.  Formalizing Memory Accesses and Interrupts , 2017, MARS@ETAPS.

[10]  Magnus O. Myreen,et al.  A Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture , 2010, ITP.

[11]  Jade Alglave,et al.  A formal hierarchy of weak memory models , 2012, Formal Methods in System Design.

[12]  Michael Hamburg,et al.  Meltdown , 2018, meltdownattack.com.

[13]  Reto Achermann Message passing and bulk transport on heterogenous multiprocessors , 2014 .

[14]  Daniel Schwyn Hardware Configuration With Dynamically-Queried Formal Models , 2017 .