formal co validation of low level hardware software
play

Formal Co-Validation of Low-Level Hardware/Software Interfaces Alex - PowerPoint PPT Presentation

Dec 03, 2023 •344 likes •719 views

Formal Co-Validation of Low-Level Hardware/Software Interfaces Alex Horn 1 Michael Tautschnig 1 Celina Val 2 Lihao Liang 1 Tom Melham 1 Jim Grundy 3 Daniel Kroening 1 1 University of Oxford 2 University of British Columbia 3 Intel Corporation

  1. Formal Co-Validation of Low-Level Hardware/Software Interfaces Alex Horn 1 Michael Tautschnig 1 Celina Val 2 Lihao Liang 1 Tom Melham 1 Jim Grundy 3 Daniel Kroening 1 1 University of Oxford 2 University of British Columbia 3 Intel Corporation October 22, 2013

  2. Motivation The$New$Product$ Firmware$ Consider this scenario: • The product won’t function unless there is firmware! So ideally ... • But the hardware won’t be available until shortly before release. Our focus: how can we formalize hardware/software interfaces?

  3. Current techniques Well-known firmware development techniques in industry include: • Using an older version of the hardware (if any!) ◦ hard to debug, can hide latent firmware bugs, no guarantee • Virtual platforms ◦ faster turnaround times, easier to debug and test ◦ but generally too big to formally analyze

  4. Current techniques Well-known firmware development techniques in industry include: • Using an older version of the hardware (if any!) ◦ hard to debug, can hide latent firmware bugs, no guarantee • Virtual platforms ◦ faster turnaround times, easier to debug and test ◦ but generally too big to formally analyze Idea: Verifiable Virtual Platform

  5. Current techniques Well-known firmware development techniques in industry include: • Using an older version of the hardware (if any!) ◦ hard to debug, can hide latent firmware bugs, no guarantee • Virtual platforms ◦ faster turnaround times, easier to debug and test ◦ but generally too big to formally analyze Idea: Verifiable Virtual Platform How to model hardware/software interfaces so existing software engineering principles apply but also formal methods (See also question posed by Per Bjesse (Synopsys) during FMCAD 2010)

  6. VVP: Verifiable Virtual Platform realis4c ¡ Ÿ ¡open ¡source ¡ Ÿ ¡concurrent ¡ Hardware/So*ware ¡Interface ¡ Φ 1 ! Φ 2 ? ψ ?!? Interrupt! Φ ... ! Low-­‑level ¡So*ware ¡ QEMU ¡Hardware ¡ assert(…) ¡ from ¡GNU/Linux ¡ Model ¡in ¡C ¡ So*ware ¡threads ¡model ¡un4med ¡delays ¡

  7. Outline An Ethernet MAC concurrency bug A real bug firmware developers care about Problem statement and contribution Technical details Few glimpses at a verifiable virtual platform Experiments and conclusion Download Me!

  8. GNU/Linux + Open Cores Ethernet MAC Explain known kernel bug due to concurrency (i.e. asynchronous operations) in the hardware/software interface.

  9. Concurrency bug Interrupt source : Interrupt mode? 0 a 0 x Buffer descriptors : w 0 0 0 0 0 0 0 0 0 r Initially, assume the firmware is in polling mode (i.e. 0 x ) and “there are no new RX frames” (yet).

  10. Concurrency bug Interrupt source : Interrupt mode? 1 b 0 x Buffer descriptors : w 1 0 0 0 0 0 0 0 0 r A new RX frame arrives changing the interrupt source from 0 a to 1 b . The arrival of an RX frame gives us a “nonempty” buffer descriptor.

  11. Concurrency bug Interrupt source : Interrupt mode? 1 c 0 x Buffer descriptors : w 1 1 0 0 0 0 0 0 0 r Repeat but notice that the Open Cores Ethernet MAC always sets the interrupt source register as new RX frames arrive (1 b has become 1 c ).

  12. Concurrency bug Interrupt source : Interrupt mode? 1 c 0 x Buffer descriptors : w 0 1 0 0 0 0 0 0 0 r The firmware reads one “nonempty” buffer descriptor changing it to be “empty” again.

  13. Concurrency bug Interrupt source : Interrupt mode? 1 d 0 x Buffer descriptors : w 0 1 1 0 0 0 0 0 0 r But simultaneously new RX frames can arrive.

  14. Concurrency bug Interrupt source : Interrupt mode? 1 d 0 x Buffer descriptors : w 0 0 1 0 0 0 0 0 0 r As before, the firmware continues to consume these ...

  15. Concurrency bug Interrupt source : Interrupt mode? 1 d 0 x Buffer descriptors : w 0 0 0 0 0 0 0 0 0 r ... until it detects that there aren’t any more RX frames to consume. So assume it initiates a procedure now to switch to interrupt mode.

  16. Concurrency bug Interrupt source : Interrupt mode? 1 e 0 x Buffer descriptors : w 0 0 0 1 0 0 0 0 0 r Asynchronous operation: a fraction of a second later a new RX frame arrives and changes 1 d to 1 e as well as the buffer descriptor.

  17. Concurrency bug Interrupt source : Interrupt mode? 0 f 0 x Buffer descriptors : w 0 0 0 1 0 0 0 0 0 r Since firmware is not in interrupt mode yet, it fails to detect the intermittent RX frame; it continues by clearing interrupt sources (0 f ).

  18. Concurrency bug Interrupt source : Interrupt mode? 0 f 1 y Buffer descriptors : w 0 0 0 1 0 0 0 0 0 r The firmware continues by enabling interrupts (1 y ). But an interrupt is only raised once another RX frame arrives, problem .

  19. Polling to interrupt mode switch (bug) Firmware Ethernet MAC Wire New RX frame? No New RX frame! Clear interrupt source! Enable interrupt mode!

  20. Polling to interrupt mode switch (fix) Firmware Ethernet MAC Wire New RX frame? No New RX frame! Clear interrupt source! New RX frame? Yes Stay in polling mode

  21. Problem statement and contribution Problem: • Many firmware bugs can go undetected when hardware and software are verified in isolation. Contribution: • Three realistic and open-source benchmarks to scientifically study firmware verification . • Practical evidence that a verifiable virtual platform is a feasible concept to verify hardware/software interfaces.

  22. Benchmarks to study firmware verification MC146818A: ¡Real-­‑<me ¡clock ¡ TMP105: ¡Temperature ¡Sensor ¡ Ethernet ¡MAC ¡

  23. Experimental setup Overview of work flow: 1. Extract QEMU hardware model and Linux driver 2. Manually add runtime assertions in C 3. If necessary, introduce concurrency in QEMU + Linux code ◦ Use new CBMC concurrency source code annotations ◦ Encode any concurrency as symbolic partial orders (CAV’13) 4. SAT solver finds satisfying assignment (i.e. bug) or not.

  24. Real-time clock (RTC) Special-purpose registers that require an ancillary manipulation of bits to read and write time, date and alarm data.

  25. RTC benchmark code Project Files LOC ∼ 14 , 000 (.h) ∼ 10 7 Linux Kernel 3.6 ∼ 17 , 000 (.c) ∼ 600 (.h) QEMU 1.2 ∼ 700 , 000 ∼ 1 , 500 (.c) 5 (.h) QEMU hardware model of RTC ∼ 1 , 000 5 (.c) ∼ 300 (.h) Linux x86 RTC driver and model ∼ 20 , 000 8 (.c) 0 (.h) Combined RTC benchmark ∼ 6 , 000 1 (.c)

  26. Example Assertion assert(…) ¡ 1 void cmos ioport write ( void ∗ opaque, uint32 t addr, uint32 t data) 2 3 { RTCState ∗ s = opaque; 4 if ((addr & 1) == 0) { 5 s– > io info = OUTB 0x70; // for temporal property 6 s − > cmos index = data & 0x7f; 7 } else { 8 switch (s − > cmos index) { 9 case RTC SECONDS ALARM: 10 12 #ifdef RTC BENCHMARK PROP 9 assert((s– > cmos data[RTC REG B] & REG B SET) 13 == REG B SET); 14 15 #endif ... 17

  27. Example Assertion assert(…) ¡ 1 void cmos ioport write ( void ∗ opaque, uint32 t addr, uint32 t data) 2 3 { RTCState ∗ s = opaque; 4 if ((addr & 1) == 0) { 5 s– > io info = OUTB 0x70; // for temporal property 6 s − > cmos index = data & 0x7f; 7 } else { 8 switch (s − > cmos index) { 9 case RTC SECONDS ALARM: 10 12 #ifdef RTC BENCHMARK PROP 9 assert((s– > cmos data[RTC REG B] & REG B SET) 13 == REG B SET); 14 15 #endif ... 17

  28. Example Assertion assert(…) ¡ 1 void cmos ioport write ( void ∗ opaque, uint32 t addr, uint32 t data) 2 3 { RTCState ∗ s = opaque; 4 if ((addr & 1) == 0) { 5 s– > io info = OUTB 0x70; // for temporal property 6 s − > cmos index = data & 0x7f; 7 } else { 8 switch (s − > cmos index) { 9 case RTC SECONDS ALARM: 10 12 #ifdef RTC BENCHMARK PROP 9 assert((s– > cmos data[RTC REG B] & REG B SET) 13 == REG B SET); 14 15 #endif ... 17

  29. Found bug in RTC hardware model

  30. Also found bug in TMP105 hardware model

  31. Experiments Hardware/software interface properties formally checked on an individual basis: • 11 RTC properties within a few minutes • 17 TMP105 properties in less than 15 minutes • 3 Ethernet MAC properties in sequential code within a few minutes • 7 Ethernet MAC properties in concurrent code within a few hours 1 1 After publication, we found a bug in CBMC’s implementation of the partial order concurrency encoding but continue to improve the code. At the present time, we cannot reproduce the results with CBMC for the concurrent model of the Ethernet MAC.

  32. Download Me! Conclusion: • Formal verification of hardware/software interface properties written in C code ◦ Executable code leverages well-established testing principles in industry ◦ Apply multi-path (i.e. CBMC-style) symbolic execution and symbolic partial order encodings to handle concurrency in hardware/software • Open-source prototype of a verifiable virtual platform (VVP) ◦ Provides an object of study for software engineers All code and documentation is openly available now . Source code, data sheets and experiments can be downloaded at http://www.cprover.org/firmware/ .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

1. Introduction 2. Binary Representation Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5. Standard input and output Hardware has been defined as 6. Operators, expression and statem ents the

238 views • 3 slides
Seminar Term Paper Certification of Hardware and Software Formal Methods for Fun and Profit

Seminar Term Paper Certification of Hardware and Software Formal Methods for Fun and Profit

Seminar Term Paper Certification of Hardware and Software Formal Methods for Fun and Profit Summer Semester 2005 Theme: Certification of Hardware and Software Supervisor: Jr. Prof. Beckert Presented by: Kiptoo A. Kiprop Registration

1.02k views • 20 slides
Formal Hardware Verification (some key ideas) Mary Sheeran Idealised Flow High level Not

Formal Hardware Verification (some key ideas) Mary Sheeran Idealised Flow High level Not

4/3/2008 Formal Hardware Verification (some key ideas) Mary Sheeran Idealised Flow High level Not formal 1 4/3/2008 Idealised Flow High level Not formal Equally high level Formal spec. Math, expressive logic Idealised Flow High level

402 views • 22 slides
Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby

Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby

Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby Computer Science Laboratory SRI International Menlo Park, CA John Rushby, SR I Practical Formal Methods: 1 Need: Growing Importance and Cost of

278 views • 12 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal verification of low-level execution platforms Apps OS Hardware Host 1 Motivations

Formal verification of low-level execution platforms Apps OS Hardware Host 1 Motivations

Roberto Guanciale Estonian Winter School Day 02 Formal verification of low-level execution platforms Apps OS Hardware Host 1 Motivations Apps Crypto Service OS Hypervisor/ Separation Kernel Hardware Host 1 Motivations Separation

850 views • 63 slides
Effective Word-Level Interpolation for Software Verification Alberto Griggio FBK-IRST

Effective Word-Level Interpolation for Software Verification Alberto Griggio FBK-IRST

FMCAD 2011 Effective Word-Level Interpolation for Software Verification Alberto Griggio FBK-IRST Motivations Craig interpolation applied succesfully for Formal Verification of both hardware and software Ongoing research (at least for

572 views • 41 slides
Hardware Model and Software Validation for AcoustiGLASS (Autonomous Wearable Alert Device based

Hardware Model and Software Validation for AcoustiGLASS (Autonomous Wearable Alert Device based

Hardware Model and Software Validation for AcoustiGLASS (Autonomous Wearable Alert Device based on Sound Pattern Recognition) Kei Kojima March 2016 OBJECTIVE &amp; DESIGN CRITERIA The objective is to build an autonomous hearing glass

644 views • 16 slides
Chapter 5 Analysis: Four Level for Validation Vis/Visual Analytics, Chap 5 Validation 1 CGGM

Chapter 5 Analysis: Four Level for Validation Vis/Visual Analytics, Chap 5 Validation 1 CGGM

Chapter 5 Analysis: Four Level for Validation Vis/Visual Analytics, Chap 5 Validation 1 CGGM Lab., CS Dept., NCTU Jung Hong Chuang Contents Why Validate? Validation Approaches Domain Why is Validation Abstraction

724 views • 47 slides
Application of CADP to Hardware Validation Abderahman KRIOUILE and Massimo ZENDRI

Application of CADP to Hardware Validation Abderahman KRIOUILE and Massimo ZENDRI

Application of CADP to Hardware Validation Abderahman KRIOUILE and Massimo ZENDRI STMicroelectronics Forum Mthodes Formelles &quot;Le Model-Checking en action&quot; Toulouse, France, Oct 2014 Agenda 2 20 years of Hardware Validation

569 views • 33 slides
software and hardware for the Internet of Things. Choose hardware Design hardware Design

software and hardware for the Internet of Things. Choose hardware Design hardware Design

Zeidman Technologies has created a fundamentally new way to develop embedded software and hardware for the Internet of Things. Choose hardware Design hardware Design software Initial hardware choices determine Integrate functionality and

185 views • 15 slides
What Top-Level Software Engineers Tackle after Learning Formal Methods: Experiences from the Top

What Top-Level Software Engineers Tackle after Learning Formal Methods: Experiences from the Top

Fuyuki Ishikawa, Kenji Taguchi, Nobukazu Yoshioka, Shinichi Honiden GRACE Center/TopSE Project National Institute of Informatics, Japan What Top-Level Software Engineers Tackle after Learning Formal Methods: Experiences from the Top SE Project

425 views • 24 slides
Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal verification uses algorithms to rigorously prove properties of hardware or software design. 20 years ago, we had the FDIV bug: 42.0 / 7.0 = 8.0 Formal

576 views • 6 slides
Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of

Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of

Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of Abstraction Emil Axelsson Hardware Description and Verification May 2009 Why low-level? Why low-level? Related question: Why is some software

908 views • 51 slides
High Assurance Spiral 18-847E Spiral: Formal Approaches to Hardware &amp; Software Design &amp;

High Assurance Spiral 18-847E Spiral: Formal Approaches to Hardware &amp; Software Design &amp;

Carnegie Mellon Carnegie Mellon DARPA HACMS High Assurance Spiral 18-847E Spiral: Formal Approaches to Hardware &amp; Software Design &amp; Algorithm Verification Franz Franchetti Carnegie Mellon University www.ece.cmu.edu/~franzf Lecture

684 views • 52 slides
Formal software engineering for computational modelling Formal software engineering Focus on

Formal software engineering for computational modelling Formal software engineering Focus on

Formal software engineering for computational modelling Formal software engineering Focus on the formal, mathematical side of software Ex. Algebra Three problems What are the concepts that have to be used for the construction of

110 views • 7 slides
Urban Violence Dr. Tom Goodfellow and Dr. Paula Meth Sheffield Institute of International

Urban Violence Dr. Tom Goodfellow and Dr. Paula Meth Sheffield Institute of International

Urban Violence Dr. Tom Goodfellow and Dr. Paula Meth Sheffield Institute of International Development Department of Town and Regional Planning Zainab Usman Oxford Department of International Development Around three times more people die each

375 views • 16 slides
prof. Fiorella de Cindio Computer Science Department, Universit degli Studi di Milano President

prof. Fiorella de Cindio Computer Science Department, Universit degli Studi di Milano President

CAPS Information Day, Pisa, Sept. 19, 2012 Collective environmental awareness as leverage for a sustainable future: Italian cities as a lab for social, civic and political innovation prof. Fiorella de Cindio Computer Science Department,

84 views • 7 slides
Magnetic monopoles in high temperature QCD Nucl. Phys. B 799 (2008), 241 2 , M. DElia 1 A.

Magnetic monopoles in high temperature QCD Nucl. Phys. B 799 (2008), 241 2 , M. DElia 1 A.

Magnetic monopoles in lattice QCD Results Open problems Summary Magnetic monopoles in high temperature QCD Nucl. Phys. B 799 (2008), 241 2 , M. DElia 1 A. DAlessandro 1 1 Universit di Genova &amp; INFN 2 Speaker at the conference

492 views • 31 slides
Pricing according to cost Cost-based pricing Cost of a service = value of economic means used in

Pricing according to cost Cost-based pricing Cost of a service = value of economic means used in

Pricing according to cost Cost-based pricing Cost of a service = value of economic means used in order to provide the service Cost is a relative notion! Tariffs must cover some notion of cost related to service provisioning Cost

652 views • 46 slides
DMA - Direct Memory Access Part of Microprocessor course, Sharif U of Tech. This report can be

DMA - Direct Memory Access Part of Microprocessor course, Sharif U of Tech. This report can be

DMA - Direct Memory Access Part of Microprocessor course, Sharif U of Tech. This report can be used as a source for the DMA topic I introduced in the last session of the class. In a modern computer system, data transfer between a device (for

387 views • 4 slides
Languages General Discussion of Properties The Pumping Lemma Membership, Emptiness, Etc.

Languages General Discussion of Properties The Pumping Lemma Membership, Emptiness, Etc.

Decision Properties of Regular Languages General Discussion of Properties The Pumping Lemma Membership, Emptiness, Etc. 1 Properties of Language Classes A language class is a set of languages. Example: the regular languages. Language

920 views • 77 slides
xtlhazard : Linear discrete time hazard estimation using Stata Harald Tauchmann 1 , 2 , 3 1 FAU, 2

xtlhazard : Linear discrete time hazard estimation using Stata Harald Tauchmann 1 , 2 , 3 1 FAU, 2

xtlhazard : Linear discrete time hazard estimation using Stata Harald Tauchmann 1 , 2 , 3 1 FAU, 2 RWI, 3 CINCH May 24 th 2019 2019 German Stata Users Group Meeting work in progress Outline Motivation 1 Theory 2 Monte Carlo Simulations 3

535 views • 32 slides
eSignature Overview Send questions to: eConstruct@pa.gov 1 11/4/2015 eSignature: Topics

eSignature Overview Send questions to: eConstruct@pa.gov 1 11/4/2015 eSignature: Topics

11/4/2015 eSignature Overview Send questions to: eConstruct@pa.gov 1 11/4/2015 eSignature: Topics Topics: Introduction How to apply for eSignature participation Creating a digital certificate using Adobe Reader How to sign a

607 views • 21 slides

More recommend