formal verification and computer architecture
play

Formal Verification and Computer Architecture A Validated Formal - PowerPoint PPT Presentation

Jan 19, 2023 •344 likes •1.14k views

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

  1. Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc.

  2. Software and Reliability Can we rely on our software systems? Recent example of a serious bug: CVE-2016-5195 or “Dirty COW” • Privilege escalation vulnerability in Linux • E.g.: allowed a user to write to files intended to be read only • Copy-on-Write (COW) breakage of private read-only memory mappings • Existed since around v2.6.22 ( 2007 ) and was fixed on Oct 18, 2016 2

  3. Formal Verification Formal Verification: Proving or disproving that the implementation of a program meets its specification using mathematical techniques 3

  4. Formal Verification Formal Verification: Proving or disproving that the implementation of a program meets its specification using mathematical techniques Suppose you needed to count the number of 1s in the binary representation of a natural number v (i.e., v ’s population count ) . E.g.,: Population count of 15 (0b1111) = 4 Population count of 8 (0b1000) = 1 Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif 3

  5. Pop-Count Computation Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif Source: Sean Anderson’s Bit-Twiddling Hacks 4

  6. Pop-Count Computation Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif Implementation: int popcount_32 (unsigned int v) { v = v - ((v >> 1) & 0x55555555); v = (v & 0x33333333) + ((v >> 2) & 0x33333333); v = ((v + (v >> 4) & 0xF0F0F0F) * 0x1010101) >> 24; return(v); } Source: Sean Anderson’s Bit-Twiddling Hacks 4

  7. Pop-Count Computation Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif Implementation: int popcount_32 (unsigned int v) { v = v - ((v >> 1) & 0x55555555); v = (v & 0x33333333) + ((v >> 2) & 0x33333333); v = ((v + (v >> 4) & 0xF0F0F0F) * 0x1010101) >> 24; return(v); } Do the specification and the implementation behave the same way for all relevant inputs? Source: Sean Anderson’s Bit-Twiddling Hacks 4

  8. Specification and Implementation Two very crucial points: 5

  9. Specification and Implementation Two very crucial points: 1. The specification should be simple ! - Its correctness should be obvious . 5

  10. Specification and Implementation Two very crucial points: 1. The specification should be simple ! - Its correctness should be obvious . 2. The specification and the implementation should not be the same! - Proving x == x isn’t useful. 5

  11. Inspection of a Program’s Behavior • Testing: x�� Exhaustive testing is infeasible ‣ The pop-count program would require 4,294,967,296 (2 32 ) tests! ‣ A binary function of two 32-bit numbers would require 18,446,744,073,709,551,616 (2 64 ) tests! 6

  12. Inspection of a Program’s Behavior • Testing: x�� Exhaustive testing is infeasible ‣ The pop-count program would require 4,294,967,296 (2 32 ) tests! ‣ A binary function of two 32-bit numbers would require 18,446,744,073,709,551,616 (2 64 ) tests! • Formal Verification: ✓ Wide variety of techniques ‣ Lightweight: e.g., checking if array indices are within bounds ‣ Heavyweight: e.g., proving functional correctness 6

  13. The Pop-Count Program: x86 Version int popcount_32 (unsigned int v) { v = v - ((v >> 1) & 0x55555555); v = (v & 0x33333333) + ((v >> 2) & 0x33333333); v = ((v + (v >> 4) & 0xF0F0F0F) * 0x1010101) >> 24; return(v); } 7

  14. The Pop-Count Program: x86 Version popcount_32: 89 fa mov %edi ,%edx 89 d1 mov %edx,%ecx d1 e9 shr %ecx 81 e1 55 55 55 55 and $0x55555555,%ecx 29 ca sub %ecx,%edx 89 d0 mov %edx,%eax c1 ea 02 shr $0x2,%edx 25 33 33 33 33 and $0x33333333,%eax 81 e2 33 33 33 33 and $0x33333333,%edx 01 c2 add %eax,%edx 89 d0 mov %edx,%eax c1 e8 04 shr $0x4,%eax 01 c2 add %eax,%edx 48 89 f8 mov %rdi,%rax 48 c1 e8 20 shr $0x20,%rax 81 e2 0f 0f 0f 0f and $0xf0f0f0f,%edx 89 c1 mov %eax,%ecx d1 e9 shr %ecx 81 e1 55 55 55 55 and $0x55555555,%ecx 29 c8 sub %ecx,%eax 89 c1 mov %eax,%ecx c1 e8 02 shr $0x2,%eax 81 e1 33 33 33 33 and $0x33333333,%ecx 25 33 33 33 33 and $0x33333333,%eax 01 c8 add %ecx,%eax 89 c1 mov %eax,%ecx c1 e9 04 shr $0x4,%ecx 01 c8 add %ecx,%eax 25 0f 0f 0f 0f and $0xf0f0f0f,%eax 69 d2 01 01 01 01 imul $0x1010101,%edx,%edx 69 c0 01 01 01 01 imul $0x1010101,%eax,%eax c1 ea 18 shr $0x18,%edx c1 e8 18 shr $0x18,%eax 01 d0 add %edx, %eax c3 retq 7

  15. The Pop-Count Program: x86 Version popcount_32: 89 fa mov %edi ,%edx 89 d1 mov %edx,%ecx d1 e9 shr %ecx 81 e1 55 55 55 55 and $0x55555555,%ecx 29 ca sub %ecx,%edx Functional Correctness: 89 d0 mov %edx,%eax c1 ea 02 shr $0x2,%edx Final EAX = popcountSpec ( Initial EDI) 25 33 33 33 33 and $0x33333333,%eax 81 e2 33 33 33 33 and $0x33333333,%edx 01 c2 add %eax,%edx 89 d0 mov %edx,%eax specification function c1 e8 04 shr $0x4,%eax 01 c2 add %eax,%edx 48 89 f8 mov %rdi,%rax 48 c1 e8 20 shr $0x20,%rax popcountSpec (v): 81 e2 0f 0f 0f 0f and $0xf0f0f0f,%edx [v: unsigned int] 89 c1 mov %eax,%ecx d1 e9 shr %ecx 81 e1 55 55 55 55 and $0x55555555,%ecx if v <= 0 then 29 c8 sub %ecx,%eax 89 c1 mov %eax,%ecx return 0 c1 e8 02 shr $0x2,%eax else 81 e1 33 33 33 33 and $0x33333333,%ecx 25 33 33 33 33 and $0x33333333,%eax lsb = v & 1 01 c8 add %ecx,%eax 89 c1 mov %eax,%ecx v = v >> 1 c1 e9 04 shr $0x4,%ecx return (lsb + popcountSpec (v)) 01 c8 add %ecx,%eax 25 0f 0f 0f 0f and $0xf0f0f0f,%eax endif 69 d2 01 01 01 01 imul $0x1010101,%edx,%edx 69 c0 01 01 01 01 imul $0x1010101,%eax,%eax c1 ea 18 shr $0x18,%edx c1 e8 18 shr $0x18,%eax 01 d0 add %edx, %eax c3 retq 7

  16. x86 Pop-Count: A Formal Statement of Correctness Let: 1. x86 i denote a well-formed initial x86 state ; 2. EDI(x86 i ) == v , where v is a 32-bit unsigned integer; 3. the entire pop-count program be located at a good memory location in x86 i ; 4. PC(x86 i ) == the first instruction of this program. Then: Let x86 f denote the final x86 state obtained after the pop-count program runs to completion. EAX( x86 f ) == popcountSpec(v) 8

  17. x86 Pop-Count: A Formal Statement of Correctness Pre-conditions Let: 1. x86 i denote a well-formed initial x86 state ; 2. EDI(x86 i ) == v , where v is a 32-bit unsigned integer; 3. the entire pop-count program be located at a good memory location in x86 i ; 4. PC(x86 i ) == the first instruction of this program. Then: Let x86 f denote the final x86 state obtained after the pop-count program runs to completion. EAX( x86 f ) == popcountSpec(v) 8

  18. x86 Pop-Count: A Formal Statement of Correctness Pre-conditions Let: 1. x86 i denote a well-formed initial x86 state ; 2. EDI(x86 i ) == v , where v is a 32-bit unsigned integer; 3. the entire pop-count program be located at a good memory location in x86 i ; 4. PC(x86 i ) == the first instruction of this program. Then: Let x86 f denote the final x86 state obtained after the pop-count program runs to completion. EAX( x86 f ) == popcountSpec(v) Post-condition 8

  19. What Else Can You Specify and Verify? • What do you care about? 9

  20. What Else Can You Specify and Verify? • What do you care about? • For example: - Resource usage: ‣ How much memory is consumed during program execution? Is it a function of the inputs? [ performance analysis ] 9

  21. What Else Can You Specify and Verify? • What do you care about? • For example: - Resource usage: ‣ How much memory is consumed during program execution? Is it a function of the inputs? [ performance analysis ] - Program’s side-effects: ‣ What values are left on the stack after the program terminates? Does the program “clean-up” after itself? [ security analysis ] 9

  22. Why x86 Machine-Code Verification? • Why not high-level code verification? x�� Sometimes, high-level code is unavailable (e.g., malware) x�� High-level verification frameworks do not address compiler bugs ✓ Verified/verifying compilers can help x�� But these compilers typically generate inefficient code x� Need to build verification frameworks for many high-level languages • Why x86? ✓ x86 is in widespread use 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal Verification of x86 Machine-Code Programs Computer Architecture and Program Analysis

Formal Verification of x86 Machine-Code Programs Computer Architecture and Program Analysis

Formal Verification of x86 Machine-Code Programs Computer Architecture and Program Analysis Shilpi Goel shigoel@cs.utexas.edu Department of Computer Science The University of Texas at Austin Software and Reliability Can we rely on our

891 views • 65 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
An Overview of The Time Triggered Architecture (TTA) And its Formal Verification John Rushby

An Overview of The Time Triggered Architecture (TTA) And its Formal Verification John Rushby

An Overview of The Time Triggered Architecture (TTA) And its Formal Verification John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I TTA Overview: 1 The Time-Triggered Architecture: What

838 views • 71 slides
Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-1 Outline Formal verification techniques Design verification languages Bell-LaPadula and SPECIAL Current verification systems

911 views • 63 slides
End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About

End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About

End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About RISC-V RISC-V is an Open Instruction Set Architecture (ISA) Can be freely used for any purpose Many implementations are available from

677 views • 22 slides
FTRTFT Oldenburg Sep 12, 2002 An Overview of Formal Verification For The Time Triggered

FTRTFT Oldenburg Sep 12, 2002 An Overview of Formal Verification For The Time Triggered

FTRTFT Oldenburg Sep 12, 2002 An Overview of Formal Verification For The Time Triggered Architecture John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I FTRTFT02: 1

826 views • 69 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
Formal Verification of Computer Switch Networks Sharad Malik ; Department of Electrical

Formal Verification of Computer Switch Networks Sharad Malik ; Department of Electrical

Formal Verification of Computer Switch Networks Sharad Malik ; Department of Electrical Engineering; Princeton Univeristy (with Shuyuan Zhang (Princeton), Rick McGeer (HP Labs)) 1 SDN: So what changes for verification? SDN: So what changes for

665 views • 34 slides
Formal verification of low-level execution platforms Roberto Guanciale Assistant professor

Formal verification of low-level execution platforms Roberto Guanciale Assistant professor

Roberto Guanciale Estonian Winter School Day 01 Formal verification of low-level execution platforms Roberto Guanciale Assistant professor Computer Security Department of Theoretical Computer Science @KTH Research interest in Formal

895 views • 71 slides
Formal modeling and verification of the Java Card security architecture Eduardo Gimnez

Formal modeling and verification of the Java Card security architecture Eduardo Gimnez

VERIFICARD Formal modeling and verification of the Java Card security architecture Eduardo Gimnez Olivier Ly Trusted Logic SchlumbergerSema SchlumbergerSema January 8th, 2002 SchlumbergerSema &amp; Trusted

800 views • 38 slides
Abstract Interpretationbased Formal Verification of Complex Computer Systems Patrick

Abstract Interpretationbased Formal Verification of Complex Computer Systems Patrick

Abstract Interpretationbased Formal Verification of Complex Computer Systems Patrick Cousot Jerome C. Hunsaker Visiting Professor Department of Aeronautics and Astronautics Massachusetts Institute of Technology cousot mit edu

486 views • 4 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Formal Verification of Gate-Level Computer Systems: ECU Sergey Tverdyshev Saarland University,

Formal Verification of Gate-Level Computer Systems: ECU Sergey Tverdyshev Saarland University,

Introduction Computer System Computer System Examples Summary Formal Verification of Gate-Level Computer Systems: ECU Sergey Tverdyshev Saarland University, Saarbruecken, Germany November 18, 2009 Introduction Computer System Computer

655 views • 40 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
ADC Stuck Code Feature Jonathan Insler LSU July 29, 2015 ADC Stuck Code Issue 1 Linearity

ADC Stuck Code Feature Jonathan Insler LSU July 29, 2015 ADC Stuck Code Issue 1 Linearity

ADC Stuck Code Feature Jonathan Insler LSU July 29, 2015 ADC Stuck Code Issue 1 Linearity study of 35t ADC ASICs found that 6 LSBs frequently stick at 000000 (0x00) or 111111 (0x3F) Brian Kirby presented these slides at LAr-FD Cold

362 views • 9 slides
Machine Learning for Computational Linguistics Distributed representations ar ltekin

Machine Learning for Computational Linguistics Distributed representations ar ltekin

Machine Learning for Computational Linguistics Distributed representations ar ltekin University of Tbingen Seminar fr Sprachwissenschaft June 14, 2016 Introduction SVD June 14, 2016 SfS / University of Tbingen .

958 views • 32 slides
Automated Extraction of Threat Signatures from Network Flows Piotr Kijewski CERT Polska/NASK

Automated Extraction of Threat Signatures from Network Flows Piotr Kijewski CERT Polska/NASK

Automated Extraction of Threat Signatures from Network Flows Piotr Kijewski CERT Polska/NASK FIRST 2006 Conference, Baltimore, USA 25-30th June 2006 Agenda Identifying the problem Definition of a network threat signature

583 views • 32 slides
Fast Multi-Level Locks for Java Khilan Gudka Imperial College London Supervised by Susan

Fast Multi-Level Locks for Java Khilan Gudka Imperial College London Supervised by Susan

Fast Multi-Level Locks for Java Khilan Gudka Imperial College London Supervised by Susan Eisenbach Sophia Drossopoulou Tuesday, 20 July 2010 Hierarchical Data Structures Databases - tables, rows, cells Trees - subtree, leaf Hashtables -

964 views • 37 slides
CS640: Introduction to Computer Networks Aditya Akella Lecture 15 TCP II - Connection

CS640: Introduction to Computer Networks Aditya Akella Lecture 15 TCP II - Connection

CS640: Introduction to Computer Networks Aditya Akella Lecture 15 TCP II - Connection Set-up and Congestion Control TCP Packet Reliable, In-order, Connection oriented, Byte stream abstraction Source port

133 views • 9 slides
Statistics and Steganalysis CSM25 Secure Information Hiding Dr Hans Georg Schaathun University

Statistics and Steganalysis CSM25 Secure Information Hiding Dr Hans Georg Schaathun University

Statistics and Steganalysis CSM25 Secure Information Hiding Dr Hans Georg Schaathun University of Surrey Spring 2009 Week 2 Dr Hans Georg Schaathun Statistics and Steganalysis Spring 2009 Week 2 1 / 54 Learning Outcomes After this

1.51k views • 104 slides
LISA ( 3 10 -15 ms -2 Hz -1/2 @ 0.1 mHz) Spacecraft Interferometer (no mechanical contact) ( 40

LISA ( 3 10 -15 ms -2 Hz -1/2 @ 0.1 mHz) Spacecraft Interferometer (no mechanical contact) ( 40

2/24/2009 Free falling particles LTP LTP LISA ( 3 10 -15 ms -2 Hz -1/2 @ 0.1 mHz) Spacecraft Interferometer (no mechanical contact) ( 40 pm Hz -1/2 @ 3 mHz) GW detection by macroscopic test- mass laser tracking: LISA, LISA Pathfinder and

262 views • 25 slides
The ATLAS Level-1 Central Trigger Processor Core Module (CTP_CORE) Introduction Central

The ATLAS Level-1 Central Trigger Processor Core Module (CTP_CORE) Introduction Central

The ATLAS Level-1 Central Trigger Processor Core Module (CTP_CORE) Introduction Central Trigger Processor (CTP) Core Module (CTP_CORE) Testbeam Results On behalf of P. Borrego Amaral 1 , N. Ellis 1 , P. Farthouat 1 , P. Gallno

356 views • 21 slides

More recommend