Who Guards the Guards? Formal Validation of the Arm v8-M Architecture Specification

Software and hardware are increasingly being formally verified against specifications, but how can we verify the specifications themselves? This paper explores what it means to formally verify a specification. We solve three challenges: (1) How to create a secondary, higher-level specification that can be effectively reviewed by processor designers who are not experts in formal verification; (2) How to avoid common-mode failures between the specifications; and (3) How to automatically verify the two specifications against each other. One of the most important specifications for software verification is the processor specification since it defines the behaviour of machine code and of hardware protection features used by operating systems. We demonstrate our approach on ARM's v8-M Processor Specification, which is intended to improve the security of Internet of Things devices. Thus, we focus on establishing the security guarantees the architecture is intended to provide. Despite the fact that the ARM v8-M specification had previously been extensively tested, we found twelve bugs (including two security bugs) that have all been fixed by ARM.