David S. Hardin

High-speed, analyzable simulators

High-speed simulation models are routinely developed during the design of complex hardware systems in order to predict performance, detect design flaws, and allow hardware/software co-design. Writing such an executable model in ACL2 brings the additional benefit of formal analysis; however, much care is required to construct an ACL2 model that is both fast and analyzable. In this chapter, we develop techniques for the construction of high-speed formally analyzable simulators in ACL2, and demonstrate their utility on a simple processor model.

Formal Verification of Partition Management for the AAMP7G Microprocessor

The AAMP7G microprocessor, currently in use in Rockwell Collins high-assurance system products, uniquely supports strict time and space partitioning in hardware. In this chapter, we describe the formal modeling and proof effort that led to an NSA multiple independent levels of security (MILS) certification for the AAMP7G. The MILS certificate allows a single AAMP7G CPU to concurrently process Unclassified through Top Secret codeword information. We discuss the formal model architecture of the AAMP7G at several levels, including the microcode and instruction set levels. We describe how the ACL2 theorem prover was used to develop a formal security specification, called GWV, and outline a mathematical proof (machine-checked using ACL2) which established that the AAMP7G trusted microcode implements that security specification, in accordance with EAL 7 requirements. We also discuss the evaluation process, which validated that the formalizations accurately model what was actually designed and built. Finally, we provide an overview of a technique for compositional reasoning at the instruction set level, using a symbolic simulation-based technique.

Efficient Simulation of Formal Processor Models

Computer systems under development are routinely modeled by simulators, and formal verification can be integrated into conventional computer system development by reasoning directly about such simulators. Simulators must be extremely fast to be usable in a real development effort. We have crafted a model for a simple processor in the logic of the ACL2 theorem prover that supports both formal analysis and efficient execution, with performance near that of a simulator written in C. We demonstrate our approach using this simple model and indicate how we applied it to our latest microprocessor.

Invariant performance: a statement of task isolation useful for embedded application integration

We describe the challenge of embedded application integration and argue that the conventional formal verification approach of proving abstract behavior is not useful in this domain. We introduce invariant performance, a formulation of task isolation useful for application integration. We demonstrate invariant performance by formalizing it in the logic of PVS for a simple yet realistic embedded system.

Development of Security Software: A High Assurance Methodology

This paper reports on a project to exercise, evaluate and enhance a methodology for developing high assurance software for an embedded system controller. In this approach, researchers at the National Security Agency capture system requirements precisely and unambiguously through functional specifications in Z. Rockwell Collins then implements these requirements using an integrated, model-based software development approach. The development effort is supported by a tool chain that provides automated code generation and support for formal verification. The specific system is a prototype high speed encryption system, although the controller could be adapted for use in a variety of critical systems in which very high assurance of correctness, reliability, and security or safety properties is essential.

Development of a Translator from LLVM to ACL2

In our current work a library of formally verified software components is to be created, and assembled, using the Low-Level Virtual Machine (LLVM) intermediate form, into subsystems whose top-level assurance relies on the assurance of the individual components. We have thus undertaken a project to build a translator from LLVM to the applicative subset of Common Lisp accepted by the ACL2 theorem prover. Our translator produces executable ACL2 formal models, allowing us to both prove theorems about the translated models as well as validate those models by testing. The resulting models can be translated and certified without user intervention, even for code with loops, thanks to the use of the def::ung macro which allows us to defer the question of termination. Initial measurements of concrete execution for translated LLVM functions indicate that performance is nearly 2.4 million LLVM instructions per second on a typical laptop computer. In this paper we overview the translation process and illustrate the translators capabilities by way of a concrete example, including both a functional correctness theorem as well as a validation test for that example.

Invited Tutorial: Considerations in the Design and Verification of Microprocessors for Safety-Critical and Security-Critical Applications

In this tutorial, we will examine issues in the design and verification of microprocessors for safety-critical and security-critical applications. We will consider architectural and design alternatives to support high-assurance applications, and will describe techniques to improve secure system evaluation-measured in terms of completeness, human effort required, time, and cost-through the use of highly automated formal methods. We will describe practical techniques for creating executable formal computing platform models that can both be proved correct, and also function as high-speed simulators. This allows us to both verify the correctness of the models, as well as validate that the formalizations accurately model what was actually designed and built. As a case study, we will examine the design and verification of the Rockwell Collins AAMP7G microprocessor. The AAMP7G, currently in use in Rockwell Collins high-assurance system products, supports strict time and space partitioning in hardware, and has received an NSA MILS (Multiple Independent Levels of Security) certificate based in part on proofs of correctness. We will discuss the AAMP7G verification effort, focusing on the proof architecture that enabled us to show that the AAMP7G separation kernel microcode implements a particular security specification, using the ACL2 theorem prover.

Efficient, formally verifiable data structures using ACL2 single-threaded objects for high-assurance systems

Classical data structures such as stacks, queues, and double-ended queues (deques) find broad use in security-critical applications. At the highest Evaluation Assurance Level (EAL) of the Common Criteria, such data structures must be formally specified, and proven to meet their specifications. Formal verification systems can readily reason about unbounded, functional data structures. However, such data structures are in the main not appropriate for direct implementation in high-confidence software systems, both because of their unbounded nature, and also due to the complexity of the functional forms (e.g., the use of two lists, one reversed, to implement a deque). We will show how a formally verified data structure specified using the ACL2 single-threaded object facility can be much more readily translated into highassurance implementations expressed in conventional programming languages. Finally, we show how this translated data structure code can be compiled into efficient machine code for a common embedded microprocessor using a verified compiler, and executed on an EAL6+ verified operating system.

An Efficient Hardware Implementation of Java Bytecodes, Threads and Processes for Embedded and Real-Time Applications

The Java platform, with its target platform neutrality, simplified object model, strong notions of safety and security, as well as multithreading support, provides many advantages for a new generation of networked embedded and real-time systems. However, the large size, nondeterministic behavior, and poor performance of the first generation of embedded Java implementations have hampered the acceptance of Java in the real-time and embedded worlds. This chapter describes a low-power hardware implementation of the Java Virtual Machine (JVM) for real-time and embedded systems, including direct support for the entire JVM instruction set and thread model. This design approach obviates the need for a Java interpreter or Just-In-Time (JIT) compiler, as well as the traditional Real-Time Operating System (RTOS). The hardware implementation also supports multiple JVM contexts executing on the same CPU, enhancing safety and security by guaranteeing space and time allotments for multiple Java applications. Combined with a Java 2 Platform, Micro Edition (J2ME) runtime and a back-end target build tool, these technologies constitute an efficient platform for the development of real-time embedded applications entirely in the Java programming language.

Reasoning About LLVM Code Using Codewalker

This paper reports on initial experiments using J Moores Codewalker to reason about programs compiled to the Low-Level Virtual Machine (LLVM) intermediate form. Previously, we reported on a translator from LLVM to the applicative subset of Common Lisp accepted by the ACL2 theorem prover, producing executable ACL2 formal models, and allowing us to both prove theorems about the translated models as well as validate those models by testing. That translator provided many of the benefits of a pure decompilation into logic approach, but had the disadvantage of not being verified. The availability of Codewalker as of ACL2 7.0 has provided an opportunity to revisit this idea, and employ a more trustworthy decompilation into logic tool. Thus, we have employed the Codewalker method to create an interpreter for a subset of the LLVM instruction set, and have used Codewalker to analyze some simple array-based C programs compiled to LLVM form. We discuss advantages and limitations of the Codewalker-based method compared to the previous method, and provide some challenge problems for future Codewalker development.