AUTOMATED FIRMWARE VERIFICATION USING FIRMWARE-HARDWARE INTERACTION PATTERNS

Firmware refers to low-level software that is tied to a specific hardware platform; the low-level drivers that directly interface with peripherals are one example. An emerging trend in system design is to implement complex system management functions in firmware rather than hardware: firmware has grown to include software that manages critical platform functions such as power management. As the scale and importance of firmware increase, its validation becomes a critical part of system validation.

Firmware validation relies on having good models of the interacting hardware components, because firmware ships with the hardware and shares many of the same critical design concerns. This is generally addressed by co-simulating C/C++ firmware code with HDL (including SystemC) hardware models, which are usually not available until the late design stages. Co-simulation, however, tends to be slow, and this is further exacerbated by the large number of possible interleavings between the concurrent firmware and hardware threads. Typically, the thread scheduler used in co-simulation, such as the SystemC scheduler, explores only a small number of the possible firmware-hardware interleavings and thus may miss critical bugs.

A firmware function is mostly reactive: it continuously provides a service, with a clear start and end, in response to inputs from the software or hardware layer it interacts with (i.e., its environment). A firmware function is therefore usually built around an infinite loop, which often makes it impossible to guarantee the completeness of verification results. To this end, I address two key problems in this thesis. First, I describe how to co-design firmware with the system components at the service function level, also referred to as the transaction level. Second, I discuss how to validate firmware interactions with their connected hardware modules while pruning the verification search space and ensuring com-
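The following is an added example, not code from the thesis or from any tool it describes, illustrating the two points made above: that a fixed co-simulation schedule can miss an interleaving-dependent bug that exhaustive enumeration finds, and that bounding the exploration to one service function invocation (a clear start and end, rather than the enclosing infinite loop) keeps that enumeration finite. It models a hypothetical device with a status/data register pair and one firmware service function ("wait for a sample, read it, acknowledge it") as sequences of atomic steps; the register layout, bit names, step ordering, and the write-1-to-clear (w1c) acknowledge variant are all assumptions made for the illustration.

```c
/* Added example: explicit-state exploration of firmware/hardware interleavings
 * for one service-function invocation. Registers, bit names, step ordering and
 * the w1c variant are hypothetical; nothing here is from the thesis's tooling. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REG_READY 0x1u   /* hypothetical: a sample is available */
#define REG_ERROR 0x2u   /* hypothetical: the device flagged a fault */

typedef struct {
    uint32_t status, data;      /* device registers shared by both sides */
    int fw_pc, hw_pc;           /* next atomic step of firmware / hardware */
    uint32_t fw_tmp, fw_result; /* firmware locals */
    bool hw_raised_error;       /* ground truth: hardware did flag a fault */
} state_t;

typedef struct { int schedules, violations; } result_t;

enum { FW_STEPS = 4, HW_STEPS = 3 };

/* Firmware service function split into its atomic memory operations. The
 * service starts when READY is observed and ends after the acknowledge, which
 * bounds the exploration even though real firmware wraps this in a loop. */
static bool fw_enabled(const state_t *s) {
    if (s->fw_pc >= FW_STEPS) return false;
    if (s->fw_pc == 0) return (s->status & REG_READY) != 0; /* blocked until READY */
    return true;
}

static void fw_step(state_t *s, bool w1c) {
    switch (s->fw_pc) {
    case 0: break;                          /* READY observed: service begins */
    case 1: s->fw_result = s->data; break;  /* read the sample */
    case 2: s->fw_tmp = s->status; break;   /* read half of a read-modify-write */
    case 3:                                 /* acknowledge by clearing READY */
        if (w1c) s->status &= ~REG_READY;   /* w1c: hardware clears only that bit, atomically */
        else     s->status = s->fw_tmp & ~REG_READY; /* RMW: writes back a stale copy */
        break;
    }
    s->fw_pc++;
}

/* Hardware side: deliver a sample, announce it, then flag a fault some time later. */
static bool hw_enabled(const state_t *s) { return s->hw_pc < HW_STEPS; }

static void hw_step(state_t *s) {
    switch (s->hw_pc) {
    case 0: s->data = 0x42; break;
    case 1: s->status |= REG_READY; break;
    case 2: s->status |= REG_ERROR; s->hw_raised_error = true; break;
    }
    s->hw_pc++;
}

/* Property checked at the end of the service: a fault the hardware raised
 * must still be visible in STATUS (i.e. firmware must not have clobbered it). */
static bool invariant_holds(const state_t *s) {
    return !s->hw_raised_error || (s->status & REG_ERROR) != 0;
}

/* Depth-first enumeration of every interleaving of enabled steps. */
static void dfs(state_t s, bool w1c, result_t *r) {
    bool f = fw_enabled(&s), h = hw_enabled(&s);
    if (!f && !h) {
        r->schedules++;
        if (!invariant_holds(&s)) r->violations++;
        return;
    }
    if (f) { state_t n = s; fw_step(&n, w1c); dfs(n, w1c, r); }
    if (h) { state_t n = s; hw_step(&n);      dfs(n, w1c, r); }
}

result_t explore_all(bool w1c) {
    result_t r = {0, 0};
    state_t init = {0};
    dfs(init, w1c, &r);
    return r;
}

/* A fixed round-robin co-simulation schedule: alternate sides, skipping a
 * blocked one. Returns whether the single schedule it explores passes. */
bool round_robin_passes(bool w1c) {
    state_t s = {0};
    int turn = 0;
    while (fw_enabled(&s) || hw_enabled(&s)) {
        if (turn == 0 && fw_enabled(&s)) fw_step(&s, w1c);
        else if (hw_enabled(&s))         hw_step(&s);
        else                             fw_step(&s, w1c);
        turn ^= 1;
    }
    return invariant_holds(&s);
}

int main(void) {
    for (int v = 0; v < 2; v++) {
        bool w1c = (v == 1);
        result_t r = explore_all(w1c);
        printf("%s ack  round-robin: %s  exhaustive: %d of %d interleavings violate\n",
               w1c ? "w1c" : "rmw", round_robin_passes(w1c) ? "pass" : "FAIL",
               r.violations, r.schedules);
    }
    return 0;
}
```

With the read-modify-write acknowledge, the round-robin schedule passes while exhaustive enumeration finds one of the five interleavings (the fault raised between the firmware's read of STATUS and its write-back) that loses the ERROR bit; switching the acknowledge to a write-1-to-clear contract, a change to the hardware interface rather than to the firmware alone, removes every violating interleaving. A real tool would also need partial-order or context-bound pruning, since the number of interleavings grows combinatorially with the step count.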