David A. Greve
Rockwell Collins
Publications
Featured research published by David A. Greve.
formal methods in computer aided design | 1998
David A. Greve
Symbolic simulation is the simulation of the execution of a computer system on an incompletely defined, or symbolic, state. This process results in a set of expressions that define the final machine state symbolically in terms of the initial machine state. We describe our use of symbolic simulation in conjunction with the development of the JEM1, the world's first Java processor. We demonstrate that symbolic simulation can be used to detect microcode design errors and that it can be integrated into our current design process.
Computer-Aided reasoning | 2000
David A. Greve; Matthew Wilding; David S. Hardin
High-speed simulation models are routinely developed during the design of complex hardware systems in order to predict performance, detect design flaws, and allow hardware/software co-design. Writing such an executable model in ACL2 brings the additional benefit of formal analysis; however, much care is required to construct an ACL2 model that is both fast and analyzable. In this chapter, we develop techniques for the construction of high-speed formally analyzable simulators in ACL2, and demonstrate their utility on a simple processor model.
formal methods | 2008
Torben Amtoft; John Hatcliff; Edwin Rodríguez; Robby; Jonathan Hoag; David A. Greve
Information assurance applications providing Multi-Level Secure (MLS) solutions must often implement information flow policies that are conditional in the sense that data is allowed to flow between system components only when the system satisfies certain state predicates. However, existing specification and verification environments, such as SPARK, used to develop such applications, are capable of capturing only unconditional information flows. Motivated by the need to better formally specify and certify MLS applications in industrial contexts, we present an enhancement of the SPARK system that enables specification, inference, and compositional checking of conditional information flow contracts. We report on the use of this framework for a collection of SPARK examples.
Journal of Functional Programming | 2008
David A. Greve; Matt Kaufmann; Panagiotis Manolios; J Strother Moore; Sandip Ray; José-Luis Ruiz-Reina; Rob Sumners; Daron Vroon; Matthew Wilding
We describe a method that permits the user of a mechanized mathematical logic to write elegant logical definitions while allowing sound and efficient execution. In particular, the features supporting this method allow the user to install, in a logically sound way, alternative executable counterparts for logically defined functions. These alternatives are often much more efficient than the logically equivalent terms they replace. These features have been implemented in the ACL2 theorem prover, and we discuss several applications of the features in ACL2.
Design and Verification of Microprocessor Systems for High-Assurance Applications | 2010
Matthew Wilding; David A. Greve; Raymond J. Richards; David S. Hardin
The AAMP7G microprocessor, currently in use in Rockwell Collins high-assurance system products, uniquely supports strict time and space partitioning in hardware. In this chapter, we describe the formal modeling and proof effort that led to an NSA multiple independent levels of security (MILS) certification for the AAMP7G. The MILS certificate allows a single AAMP7G CPU to concurrently process Unclassified through Top Secret codeword information. We discuss the formal model architecture of the AAMP7G at several levels, including the microcode and instruction set levels. We describe how the ACL2 theorem prover was used to develop a formal security specification, called GWV, and outline a mathematical proof (machine-checked using ACL2) which established that the AAMP7G trusted microcode implements that security specification, in accordance with EAL 7 requirements. We also discuss the evaluation process, which validated that the formalizations accurately model what was actually designed and built. Finally, we provide an overview of a technique for compositional reasoning at the instruction set level, using a symbolic simulation-based technique.
formal methods | 2001
Matthew Wilding; David A. Greve; David S. Hardin
Computer systems under development are routinely modeled by simulators, and formal verification can be integrated into conventional computer system development by reasoning directly about such simulators. Simulators must be extremely fast to be usable in a real development effort. We have crafted a model for a simple processor in the logic of the ACL2 theorem prover that supports both formal analysis and efficient execution, with performance near that of a simulator written in C. We demonstrate our approach using this simple model and indicate how we applied it to our latest microprocessor.
computer aided verification | 1998
David S. Hardin; Matthew Wilding; David A. Greve
As digital designs grow evermore complex and design cycles become ever shorter, traditional informal methods of design verification are proving inadequate. Design teams are increasingly turning to formal techniques to address this “verification crunch”. The theorem prover, with its emphasis on establishing correctness, is arguably the dream design verification tool; however, theorem provers are rarely used in digital design. Much like automotive industry “concept cars”, theorem provers provide a compelling vision of the future, but in the real world of industrial design they have proven to be difficult to drive and expensive to maintain. We suggest ways that the theorem prover “concept cars” of today can be adapted to become the “off-road vehicles” necessary to negotiate the rough-and-tumble terrain of digital design in the 21st century.
Dependable Computing for Critical Applications 7 | 1999
Matthew Wilding; David S. Hardin; David A. Greve
We describe the challenge of embedded application integration and argue that the conventional formal verification approach of proving abstract behavior is not useful in this domain. We introduce invariant performance, a formulation of task isolation useful for application integration. We demonstrate invariant performance by formalizing it in the logic of PVS for a simple yet realistic embedded system.
Archive | 2010
Michael W. Whalen; David A. Greve; Lucas G. Wagner
Information flow modeling describes how information can be transferred between different locations within a software and/or hardware system. In this chapter, we define a notion of information flow based on traces that is useful for describing flow relations for synchronous dataflow languages such as Simulink® (The Mathworks, Inc.) and SCADE™ (Esterel Technologies, Inc.) that are often used for hardware/software codesign. We then define an automated method for analyzing information flow properties of Simulink models using model checking. This method is based on creating a flow model that tracks information flow throughout the model. Often, information flow properties are defined in terms of some form of noninterference, which states informally that objects in one security domain cannot perceive the actions of objects within another domain. We demonstrate that this method preserves the GWV functional notion of noninterference. We then describe how this proof relates to the GWV theorem and provide some insight into the relationship of the flow model and the flow graphs used in GWVr1. Finally, we demonstrate our analysis technique by analyzing the architecture of the Turnstile high-assurance cross-domain guard platform using our Gryphon translation framework and the Prover™ model checker.
Archive | 2010
David A. Greve
The question of how best to model and analyze systems with information security requirements has been of interest to the Rockwell Collins Advanced Technology Center since the beginning of the AAMP7G certification effort [Wilding et al. (in press) Design and verification of microprocessor systems for high-assurance applications]. Of particular interest are techniques that are amenable to automated formal reasoning, especially in a generic theorem proving or model checking context. In this chapter, we document research results that pertain to the GWV class of information flow theorems [Greve et al. (2003) Proceedings of ACL2’03; Greve et al. (2005) Proceedings of SSTC 2005]. We provide a mathematical underpinning for the theorems, explore some of their properties, demonstrate their application to selected examples, and describe their evolutionary history. We conclude by establishing a connection between our models of information flow and the classical notion of noninterference originally proposed by Goguen and Meseguer [Proceedings of the 1982 IEEE symposium on security and privacy (1982)].