extracting behaviour from an executable instruction set
play

Extracting behaviour from an executable instruction set model Ian - PowerPoint PPT Presentation

May 12, 2023 •120 likes •436 views

Extracting behaviour from an executable instruction set model Ian Stark Brian Campbell REMS project rems.io EPSRC grant EP/K008528/1 FMCAD, October 6 2016 1 / 31 Introduction Previously developed automated test generation for executable

  1. Extracting behaviour from an executable instruction set model Ian Stark Brian Campbell REMS project rems.io EPSRC grant EP/K008528/1 FMCAD, October 6 2016 1 / 31

  2. Introduction Previously developed automated test generation for executable ISA models in HOL4 [FMICS 2014]. Want to automate extraction of instruction behaviour— 1. constraints for execution 2. results of execution —from model in HOL4 theorem prover for new targets. Successfully implement symbolic execution in HOL4, reusing its standard symbolic evaluation features. Applied to simple MIPS model and experimental CHERI processor 2 / 31

  3. Motivation: testing ISA models Automatic randomised test generation in HOL4: Generate instruction sequence ↓ Extract instruction behaviour from model ↓ Calculate sequence’s constraints and effects ↓ Solve constraints to build test (SMT) ↓ Add test harness 3 / 31

  4. Motivation: testing ISA models Automatic randomised test generation in HOL4: Generate instruction sequence ↓ Extract instruction behaviour from model ↓ Calculate sequence’s constraints and effects ↓ Solve constraints to build test (SMT) ↓ Add test harness Previously: + Reused stepLib verification library for instruction behaviour − Library needs to be written for new models − Library skips some behaviour (exceptions, unaligned accesses) 4 / 31

  5. Motivation: Testing CHERI Experimental MIPS-compatible design with capability security extensions: ◮ Lots of new instructions, exceptions ◮ ISA model used for architectural exploration ◮ Bluespec design for processor provide motivation for testing Plain MIPS model has stepLib ◮ CHERI more than twice as large ◮ also more complete (e.g., memory) ◮ stepLib not ported 5 / 31

  6. Model example: MIPS 32-bit signed immediate addition L3 domain specific language, compiled to HOL4: dfn’ADDI (rs,rt,immediate) = ( λ state. (let s = if NotWordValue (FST (GPR rs state)) then SND (raise’exception (UNPREDICTABLE "ADDI: NotWordValue") state) else state in let v = (32 >< 0) (FST (GPR rs s)) + sw2sw immediate in if word_bit 32 v � = word_bit 31 v then SignalException Ov s else write’GPR (sw2sw ((31 >< 0) v),rt) s)) ◮ State threaded through definition 6 / 31

  7. Model example: MIPS 32-bit signed immediate addition L3 domain specific language, compiled to HOL4: dfn’ADDI (rs,rt,immediate) = ( λ state. (let s = if NotWordValue (FST (GPR rs state)) then SND (raise’exception (UNPREDICTABLE "ADDI: NotWordValue") state) else state in let v = (32 >< 0) (FST (GPR rs s)) + sw2sw immediate in if word_bit 32 v � = word_bit 31 v then SignalException Ov s else write’GPR (sw2sw ((31 >< 0) v),rt) s)) ◮ State threaded through definition ◮ 64-bit behaviour unspecified ◮ Overflow processor exception 7 / 31

  8. Pre-existing library: addiu $1,$2,3 [ ¬ if word_bit 31 (s.gpr 2w) then (63 >< 32) (s.gpr 2w) � = 0xFFFFFFFFw else (63 >< 32) (s.gpr 2w) � = 0w, s.MEM s.PC = 36w, s.MEM (s.PC + 1w) = 65w, s.MEM (s.PC + 3w) = 3w, s.MEM (s.PC + 2w) = 0w, (1 >< 0) s.PC = 0w, s.exception = NoException] ⊢ NextStateMIPS s = SOME (s with <|PC := s.PC + 4w; gpr := (1w =+ sw2sw ((31 >< 0) (s.gpr 2w) + 3w)) s.gpr|>) ◮ Hypotheses contain assumptions, well-definedness constraints ⊢ Stylised conclusion: next = series of record updates ◮ One theorem per branch A rough rule-based operational semantics 8 / 31

  9. Pre-existing library implementation Semi-automatic ◮ Assumptions and cases fed in manually ◮ Primarily uses symbolic evaluation ◮ Builds up results for ◮ each instruction implementation ◮ instruction fetch ◮ decode then combines them into next step function For faster development, we want to ◮ Avoid writing per-instruction information ◮ Case split automatically ◮ Avoid specifying intermediate results 9 / 31

  10. Symbolic execution in HOL4 Symbolic evaluation ◮ general computation rules (including bitvectors, . . . ) ◮ specialisation, e.g., restricting memory accesses ◮ single result, leaves the structure intact Symbolic state ◮ Set of rewrites, one per field Symbolic execution ◮ follows threading of state ◮ case splits at conditionals, pattern matching ◮ discard unspecified/uninteresting cases ◮ keeps path condition in hypotheses ◮ one result per path 10 / 31

  11. Symbolic evaluation Uses ◮ HOL4 theories for booleans, bitvectors, naturals, integers, datatypes, . . . ◮ custom conversions to ◮ FOR loops only once bound known ◮ extra bitvector simplification ◮ model-specific conversions which ⋆ may introduce hypotheses to limit behaviour ◮ simplify memory mapping ◮ inject instructions into memory Instruction injection uses rewrite generated by applying symbolic execution to instruction fetch function. 11 / 31

  12. Symbolic execution Recursive procedure; described below with rules: H , S ⊢ t � ( H ′ , t ′ ) H General hypotheses incorporates path condition S Per-field state information (equations) t Source term (also u , v below) One result ( H ′ , t ′ ) per path State always appears to the right: H , S ⊢ u � ( H ′ , u ′ ) Pair H , S ⊢ ( t , u ) � ( H ′ , ( t , u ′ )) 12 / 31

  13. Symbolic execution For let, separate ordinary data from state: H ′ i , S ⊳ s ′ i ⊢ u [ t ′ H , S ⊢ t � ( H ′ , ( t ′ , s ′ )) ∀ i . i / x ] � ( H ′′ i , u ′ i ) Let � H , S ⊢ let ( x , s ) = t in u � ( H ′′ i , u ′ i ) i S has per-field state information, S ⊳ s updates symbolic state ( H , t ) , S ⊢ u � ( H ′ , u ′ ) ( H , ¬ t ) , S ⊢ v � ( H ′′ , v ′ ) Cond H , S ⊢ if t then u else v � ( H ′ , u ′ ) ∪ ( H ′′ , v ′ ) Similar rule for pattern matching 13 / 31

  14. Symbolic execution Function application unfolds the definition c x 1 . . . x n +1 := t H , S ⊢ v � ( H ′ , v ′ ) H ′ i , S ⊢ t [ u 1 / x 1 , . . . , u n / x n , v ′ ∀ i . i / x n +1 ] � ( H ′′ i , t ′ i ) App � H , S ⊢ c u 1 . . . u n v � ( H ′′ i , t ′ i ) i Undef H , S ⊢ raise’exception t u � ∅ Other unwanted constants are handled similarly 14 / 31

  15. Soundness and (in)completeness Soundness ◮ By construction: H , S ⊢ t � ( H ′ , t ′ ) produces theorems for each i , H ′ i ⊢ t = t ′ i Completeness Incomplete by construction: ◮ e.g., deliberately simplify memory accesses Complete up to specialisation? ◮ No formal results ◮ Systematic construction avoids overly strong assumptions about cases 15 / 31

  16. Example: addi $1,$2,3 Hypotheses Term dfn’ADDI (2w,1w,3w) s State only changes at the end 16 / 31

  17. Example: addi $1,$2,3 Hypotheses Term let s = if NotWordValue (FST (GPR 2w state)) then SND (raise’exception (UNPREDICTABLE "ADDI: NotWordValue") state) else state in let v = (32 >< 0) (FST (GPR 2w s)) + 3w in if word_bit 32 v � = word_bit 31 v then SignalException Ov s else write’GPR (sw2sw ((31 >< 0) v),1w) s 17 / 31

  18. Example: addi $1,$2,3 Hypotheses Term if NotWordValue (FST (GPR 2w state)) then SND (raise’exception (UNPREDICTABLE "ADDI: NotWordValue") state) else state (First part of let, rest on stack) 18 / 31

  19. Example: addi $1,$2,3 Hypotheses NotWordValue (s.c_gpr 2w) Term SND (raise’exception (UNPREDICTABLE "ADDI: NotWordValue") state) (First branch of if, first part of let, rest on stack) 19 / 31

  20. Example: addi $1,$2,3 Hypotheses NotWordValue (s.c_gpr 2w) Term raise’exception (UNPREDICTABLE "ADDI: NotWordValue") state (First part of if, let, rest on stack) Undefined - discard case 20 / 31

  21. Example: addi $1,$2,3 Hypotheses ¬ NotWordValue (s.c_gpr 2w) Term state (Second part of if, first of let, rest on stack) 21 / 31

  22. Example: addi $1,$2,3 Hypotheses ¬ NotWordValue (s.c_gpr 2w) Term let v = (32 >< 0) (FST (GPR 2w state)) + 3w in if word_bit 32 v � = word_bit 31 v then SignalException Ov state else write’GPR (sw2sw ((31 >< 0) v),1w) state (Second part of let) 22 / 31

  23. Example: addi $1,$2,3 Hypotheses ¬ NotWordValue (s.c_gpr 2w) Term if word_bit 32 ((32 >< 0) (s.c_gpr 2w) + 3w) � = word_bit 31 ((32 >< 0) (s.c_gpr 2w) + 3w) then SignalException Ov state else write’GPR (sw2sw ((31 >< 0) ((32 >< 0) (s.c_gpr 2w) + 3w)),1w) state (let evaluated) 23 / 31

  24. Example: addi $1,$2,3 Hypotheses ¬ NotWordValue (s.c_gpr 2w), word_bit 32 ((32 >< 0) (s.c_gpr 2w) + 3w) � = word_bit 31 ((32 >< 0) (s.c_gpr 2w) + 3w) Term SignalException Ov state (First branch) Processor exception - choose to discard case (Can do processor exceptions, but not on one slide) 24 / 31

  25. Example: addi $1,$2,3 Hypotheses ¬ NotWordValue (s.c_gpr 2w), word_bit 32 ((32 >< 0) (s.c_gpr 2w) + 3w) = word_bit 31 ((32 >< 0) (s.c_gpr 2w) + 3w) Term write’GPR (sw2sw ((31 >< 0) ((32 >< 0) (s.c_gpr 2w) + 3w)),1w) state (Second branch) 25 / 31

  26. Example: addi $1,$2,3 Hypotheses ¬ NotWordValue (s.c_gpr 2w), word_bit 32 ((32 >< 0) (s.c_gpr 2w) + 3w) = word_bit 31 ((32 >< 0) (s.c_gpr 2w) + 3w) Term ((), state with c_gpr := (1w =+ sw2sw ((31 >< 0) ((32 >< 0) (s.c_gpr 2w) + 3w))) state.c_gpr) Final result: register 1 updated by signed addition 26 / 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and how it fits with other Executable languages Leon Starr leon_starr@modelint.com MODEL INTEGRATION LLC www.modelint.com 1 LiU Seminar xUML MBSE -

527 views • 39 slides
Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable file format of choice for Windows Executable and Linkable Format (ELF) Executable file

330 views • 16 slides
Assessment of Library Instruction: the Influence on Search Behaviour of First and Third year

Assessment of Library Instruction: the Influence on Search Behaviour of First and Third year

Assessment of Library Instruction: the Influence on Search Behaviour of First and Third year Students. By Torunn Skofsrud Boger, Hanne Dybvik, Anne-Lise Eng and Else Helene Norheim Dybvik &amp; Norheim | stfold University College 20.06.2016

549 views • 25 slides
CSEE 3827: Fundamentals of Computer Systems Instruction Set Architectures / MIPS and the rest

CSEE 3827: Fundamentals of Computer Systems Instruction Set Architectures / MIPS and the rest

CSEE 3827: Fundamentals of Computer Systems Instruction Set Architectures / MIPS and the rest of the semester (software) Source code (e.g., *.java, *.c) Compiler MIPS instruction set architecture Application executable Single-cycle

694 views • 66 slides
Session 14 Introduction to Behaviour that Challenges SECTION 5: 1 Behaviour Behaviour that is

Session 14 Introduction to Behaviour that Challenges SECTION 5: 1 Behaviour Behaviour that is

Session 14 Introduction to Behaviour that Challenges SECTION 5: 1 Behaviour Behaviour that is challenging We used to talk about problem behaviour or behavioural difficulties Now we see this as behaviour that challenges services.

314 views • 7 slides
Instruction Set 2 Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 3 Instruction

Instruction Set 2 Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 3 Instruction

1 EE 109 Unit 13 MIPS Instruction Set 2 Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 3 Instruction Set Architecture (ISA) Defines the software interface of the processor and memory system Instruction set is the

915 views • 52 slides
Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data Accelerometers Accelerometers Andr DIAS a,b,c , Lukas GORZELNIAK b , Angela DRING c , Gunnar HARTVIGSEN a,d , Alexander HORSCH b,d a Norwegian Centre for

582 views • 15 slides
anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable 2 last time anti-virus: heuristic: malware messing up executables? key idea: wrong segment of executable? switching segments of the executable?

1.14k views • 102 slides
1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting essential oils is using steam distillation. Solvents are often used in extracting oils that are waxy The most expensive method is using CO2 which does not

358 views • 16 slides
Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models

Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models

Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models For design, prototyping, analysis. To clarify ideas, squash insidious bugs early on many bugs / flaws can be found by just formalizing

669 views • 50 slides
Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to automate PDF table extraction and export Dimiter Naydenov @dimitern 1 . 1 Overview Overview PDF: brief history, structure, representing tables Camelot

355 views • 13 slides
ANTI SOCIAL BEHAVIOUR WHAT IS ANTISOCIAL WHAT IS ANTISOCIAL BEHAVIOUR BEHAVIOUR Bullying

ANTI SOCIAL BEHAVIOUR WHAT IS ANTISOCIAL WHAT IS ANTISOCIAL BEHAVIOUR BEHAVIOUR Bullying

ANTI SOCIAL BEHAVIOUR WHAT IS ANTISOCIAL WHAT IS ANTISOCIAL BEHAVIOUR BEHAVIOUR Bullying in School &amp; out of School Vandalism or graffiti Playing music too loudly Shouting, screaming or swearing Drinking alcohol

121 views • 10 slides
t n e m Behaviour Influences Behaviour u c o D y c a g e L g n i Pearlcatchers

t n e m Behaviour Influences Behaviour u c o D y c a g e L g n i Pearlcatchers

t n e m Behaviour Influences Behaviour u c o D y c a g e L g n i Pearlcatchers Ltd n r a e L Objectives Header here max 30 characters t n e m u c o Raise awareness of the importance of leadership behaviours and D

469 views • 23 slides
Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way

Executable and Linkable Format (ELF) Why Executable Formats? - All code in one file - But libraries! - We need a way to combine files Distribute as binary (object files) - - Linkers - We need a way to control how our programs run

281 views • 13 slides
Catherine Lennox EDPS 650 What is prosocial behaviour? How is prosocial behaviour related to

Catherine Lennox EDPS 650 What is prosocial behaviour? How is prosocial behaviour related to

Catherine Lennox EDPS 650 What is prosocial behaviour? How is prosocial behaviour related to altruism and empathy? Is prosocial behaviour innate, learned, or both? What is the role of school in developing prosocial behaviour?

448 views • 22 slides
Textual, executable, translatable UML Gergely Dvai, Gbor Ferenc Kovcs, dm Ancsin

Textual, executable, translatable UML Gergely Dvai, Gbor Ferenc Kovcs, dm Ancsin

Textual, executable, translatable UML Gergely Dvai, Gbor Ferenc Kovcs, dm Ancsin Etvs Lornd University, Budapest, Hungary OCL and textual modeling workshop, 2014-09-30, Valencia Executable UML All aspects of the software, from

481 views • 12 slides
ECE232: Hardware Organization and Design Lecture 29: Computer Input/Output Adapted from Computer

ECE232: Hardware Organization and Design Lecture 29: Computer Input/Output Adapted from Computer

ECE232: Hardware Organization and Design Lecture 29: Computer Input/Output Adapted from Computer Organization and Design , Patterson &amp; Hennessy, UCB Announcements ECE Honors Exhibition Wednesday, April 30 3:00-4:00 PM M5

633 views • 24 slides
Chapter 5 A Closer Look at Instruction Set Architectures Chapter 5 Objectives Understand

Chapter 5 A Closer Look at Instruction Set Architectures Chapter 5 Objectives Understand

Chapter 5 A Closer Look at Instruction Set Architectures Chapter 5 Objectives Understand the factors involved in instruction set architecture design. Gain familiarity with memory addressing modes. Understand the concepts of

1.05k views • 63 slides
Interrupts Chapter 20 S. Dandamudi Outline Exceptions What are interrupts?

Interrupts Chapter 20 S. Dandamudi Outline Exceptions What are interrupts?

Interrupts Chapter 20 S. Dandamudi Outline Exceptions What are interrupts? Single-step example Types of interrupts Hardware interrupts Software interrupts Accessing I/O Hardware interrupts Exceptions

1.13k views • 60 slides
CSE 141L: Building a Microprocessor Steven Swanson Adrian Caulfield Trevor Bunker Meenakshi

CSE 141L: Building a Microprocessor Steven Swanson Adrian Caulfield Trevor Bunker Meenakshi

CSE 141L: Building a Microprocessor Steven Swanson Adrian Caulfield Trevor Bunker Meenakshi Sundaram 1 You will design and implement a microprocessor this quarter! 2 Course Goals Apply what youll learn in 141 Design

567 views • 17 slides
CPSC 213 - news, admin details, schedule and readings - lecture slides (always posted before

CPSC 213 - news, admin details, schedule and readings - lecture slides (always posted before

About the Course it's all on the web page ... http://www.ugrad.cs.ubc.ca/~cs213/winter10t1/ CPSC 213 - news, admin details, schedule and readings - lecture slides (always posted before class) - 213 Companion (free PDF) - course wiki

825 views • 8 slides
Previous lecture stalls reduce performance but are required to get correct results

Previous lecture stalls reduce performance but are required to get correct results

Previous lecture stalls reduce performance but are required to get correct results compiler arranges code to avoid hazards and stalls requires knowledge of the pipeline structure dt10 2011 13.1 Branch hazards

599 views • 28 slides
Phantom OS Fosdem 2020 Why new OS The only OS concept that exists is Unix. Even Win NT is Unix

Phantom OS Fosdem 2020 Why new OS The only OS concept that exists is Unix. Even Win NT is Unix

Phantom OS Fosdem 2020 Why new OS The only OS concept that exists is Unix. Even Win NT is Unix like, more or less. Unix is based on what was possible half a century ago Unix is based on what was possible, not what is needed Traditional big

539 views • 28 slides
Chapter 8 Digital Design and Computer Architecture , ARM Edi)on

Chapter 8 Digital Design and Computer Architecture , ARM Edi)on

Chapter 8 Digital Design and Computer Architecture , ARM Edi)on David Money Harris and Sarah L. Harris Chapter 8 &lt;1&gt; Chapter 8 :: Topics

1.22k views • 87 slides

More recommend