v Faat von Neumann Formal Analysis and Annotation

  • Slides: 30
Download presentation
v. Faat: von Neumann Formal Analysis and Annotation Tool David Greve Dr. Matthew Wilding

v. Faat: von Neumann Formal Analysis and Annotation Tool David Greve Dr. Matthew Wilding Rockwell Collins Advanced Computing Systems Cedar Rapids, IA dagreve@rockwellcollins. com mmwildin@rockwellcollins. com April 2003 Advanced Technology Center HCSS 03 – April 2003 Page 1

Overview l Rockwell Collins History – Have 10+ years experience in applying Formal Methods

Overview l Rockwell Collins History – Have 10+ years experience in applying Formal Methods • Have embraced and extended a variety of techniques l Observations – Advantages to Accurate Low-Level Models • Abstraction can be tedious – Domain knowledge • Missing from generic theorem provers • Can be codified – Techniques generalize to • Different Verification Targets • Different Theorem Provers l Conclusion v. Faat: A collection of tools and techniques to help simplify reasoning about complex systems” – Judicious use of automation simplifies verification task • Improve Productivity, Extend Scope Advanced Technology Center HCSS 03 – April 2003 Page 2

Outline l l l Motivating History Observations Future Directions Advanced Technology Center HCSS 03

Outline l l l Motivating History Observations Future Directions Advanced Technology Center HCSS 03 – April 2003 Page 3

RC Formal Methods Projects l l l AAMP 5/AAMP-FV JEM 1: Symbolic Simulation JEM

RC Formal Methods Projects l l l AAMP 5/AAMP-FV JEM 1: Symbolic Simulation JEM 2: Executable Formal Models CAPS: High-Assurance Processor AAMP 7: Intrinsic Partitioning Advanced Technology Center HCSS 03 – April 2003 Page 4

AAMP 5/AAMP-FV “Formal Verification of the AAMP 5 Microprocessor”, NASA Report 1995 “Formal Verification

AAMP 5/AAMP-FV “Formal Verification of the AAMP 5 Microprocessor”, NASA Report 1995 “Formal Verification of the AAMP-FV Microcode”, NASA Report 1999 l Goal – Demonstrate use of Formal Methods in Industrial Setting l Project – – – Sponsored by NASA Langley Used PVS and teamed with SRI Abstract representation of instruction execution created Functionally described Microarchitecture Standard Commuting Diagram Proof Advanced Technology Center HCSS 03 – April 2003 Page 5

AAMP 5/AAMP-FV l Inspections connected model to implementation – Found variety of errors in

AAMP 5/AAMP-FV l Inspections connected model to implementation – Found variety of errors in formal specification l Was there a better way to validate the model? – Better Integration with design process? l Verified a number of instructions – Even found a few bugs l Brute Force Formalization – Microcode specified by hand – “Clock functions” crafted by hand l Automated microcode specification an obvious next step Advanced Technology Center HCSS 03 – April 2003 Page 6

JEM 1: Symbolic Simulation “Symbolic Simulation of the JEM 1 Microprocessor”, FMCAD-98 l Goals

JEM 1: Symbolic Simulation “Symbolic Simulation of the JEM 1 Microprocessor”, FMCAD-98 l Goals – Integration of Formal Models into Design Process – Leverage Automated Analysis – Detect Microcode Errors (Bug Finding) l Project – Specified JEM 1 Microarchitecture in PVS – Used PVS to execute symbolically the model • Generated Symbolic Results for Microcode Basic Blocks – Analyzed Symbolic Results as part of Microcode Inspections Advanced Technology Center HCSS 03 – April 2003 Page 7

JEM 1: Symbolic Simulation l Symbolic Results Difficult to Read – Good for detecting

JEM 1: Symbolic Simulation l Symbolic Results Difficult to Read – Good for detecting data-flow errors (Definition/Use) • Unexpected Side-Effects • Unexpected Data-Dependencies l Demonstrated Effective Use of Automation – Codified knowledge of problem domain • Control Flow Analysis Dictated Proof Architecture – Employed Automatic Generation of: • Function Definitions (u. Code) • Theorems and Theory Structure (Proof Architecture) • Symbolic Results (batch mode PVS) Advanced Technology Center HCSS 03 – April 2003 Page 8

JEM 2: Executable Formal Models “Efficient Simulation of Formal Processor Models”, FMSD 2002 l

JEM 2: Executable Formal Models “Efficient Simulation of Formal Processor Models”, FMSD 2002 l Goals – Integration of Formal Models into Design Process – Improve Model Validation Technique • Replace Microcode Simulator with Executable Formal Model l Project – Modeled JEM 2 in logic of ACL 2 • Subset of Common Lisp – Compiled model to C and linked into GUI development environment Advanced Technology Center HCSS 03 – April 2003 Page 9

JEM 2: Executable Formal Models l Impressive Results – Final simulator ran as fast

JEM 2: Executable Formal Models l Impressive Results – Final simulator ran as fast as original • No penalty to developers for using formal model – Successfully executed regression tests • Guaranteed validity of formal model l Exposed ACL 2 tool limitations – Model was large and complex – Is it possible to reason about such models? Advanced Technology Center HCSS 03 – April 2003 Page 10

CAPS: High-Assurance Processor “Evaluatable, High-Assurance Microprocessors”, HCSS-02 l Goals – Reason about an Executable

CAPS: High-Assurance Processor “Evaluatable, High-Assurance Microprocessors”, HCSS-02 l Goals – Reason about an Executable Formal Model – Perform Instruction Level Proofs of CAPS processor l Project – – Modeled Microarchitecture of CAPS in ACL 2 Executed Standard Regression Tests to Validate Model Formalized a set of CAPS instructions Constructed Instruction Level Proofs Advanced Technology Center HCSS 03 – April 2003 Page 11

CAPS Microarchitecture Model The ACL 2 CAPS uarch model replaces the C model in

CAPS Microarchitecture Model The ACL 2 CAPS uarch model replaces the C model in the CAPS microcode simulator. The replacement is not observable to users. CAPS ACL 2 uarch model passes 3 -hr standard CAPS regression test! High-speed, formal models provide for evaluatability (looks like C, passes regression tests, integrated into dev process, proofs checked) Advanced Technology Center HCSS 03 – April 2003 Page 12

CAPS Correctness Theorem Start state I - CAPS Instruction Set Model End state How

CAPS Correctness Theorem Start state I - CAPS Instruction Set Model End state How do we decompose the proof of this theorem into manageable pieces? M - CAPS Microarchitecture Model End state Start state Advanced Technology Center HCSS 03 – April 2003 Page 13

Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line

Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line Instruction microcode implementation Advanced Technology Center HCSS 03 – April 2003 Page 14

Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line

Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line spec Advanced Technology Center Instruction microcode implementation HCSS 03 – April 2003 Page 15

Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line

Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line spec Instruction microcode implementation microcode block spec Advanced Technology Center HCSS 03 – April 2003 Page 16

Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line

Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line spec Instruction microcode implementation microcode block spec abstract microcode block spec Advanced Technology Center HCSS 03 – April 2003 Page 17

Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line

Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line spec Instruction microcode implementation microcode block spec abstract microcode block spec instruction Advanced Technology Center HCSS 03 – April 2003 Page 18

Proving the CAPS Correctness Theorem Start state I - CAPS Instruction Set Model End

Proving the CAPS Correctness Theorem Start state I - CAPS Instruction Set Model End state Abstract Microcode Block Specs Single Microcode Line Specs M - CAPS Microarchitecture Model End state Start state Advanced Technology Center HCSS 03 – April 2003 Page 19

CAPS: High-Assurance Processor l Considerable effort expended on EFM reasoning – ACL 2 enhanced

CAPS: High-Assurance Processor l Considerable effort expended on EFM reasoning – ACL 2 enhanced to deal efficiently with single threaded expressions l Techniques to manage complexity – Proof libraries • Bit vectors – Using low level model to help define abstract model • Simplifies abstract specification and proof process – Proof-generating Macros • Similar to techniques constructed for JEM 1 symbolic simulation Advanced Technology Center HCSS 03 – April 2003 Page 20

AAMP 7: Intrinsic Partitioning “High-Assurance Intrinsic Partitioning”, HCSS-03 l Goals – Verify Security Properties

AAMP 7: Intrinsic Partitioning “High-Assurance Intrinsic Partitioning”, HCSS-03 l Goals – Verify Security Properties of AAMP Intrinsic Partitioning Mechanism l Project – Formalize Security Property in ACL 2 – Formalize Intrinsic Partitioning Functionality • “Instruction Level” Model • Linear Address Space – Prove that Intrinsic Partitioning satisfies Security Property Advanced Technology Center HCSS 03 – April 2003 Page 21

Linear Address Space Reasoning CURRENT ACTIVE Advanced Technology Center HCSS 03 – April 2003

Linear Address Space Reasoning CURRENT ACTIVE Advanced Technology Center HCSS 03 – April 2003 Page 22

Linear Address Space Reasoning CURRENT ACTIVE Advanced Technology Center HCSS 03 – April 2003

Linear Address Space Reasoning CURRENT ACTIVE Advanced Technology Center HCSS 03 – April 2003 Page 23

AAMP 7: Intrinsic Partitioning l Reasoning about Linear Address Spaces – Identify orthogonal functionality

AAMP 7: Intrinsic Partitioning l Reasoning about Linear Address Spaces – Identify orthogonal functionality • Techniques that scale • Make explicit for theorem prover – Could Leverage Data Flow (Definition/Use) Analysis l Proof Architecture – Block structured decomposition • Similar to CAPS work – Over function boundaries • Not Microcode blocks Advanced Technology Center HCSS 03 – April 2003 Page 24

Outline l l l Motivating History Observations Future Directions Advanced Technology Center HCSS 03

Outline l l l Motivating History Observations Future Directions Advanced Technology Center HCSS 03 – April 2003 Page 25

Observations l Advantages to Accurate Low-Level Models – Model Validation – Tie to Design

Observations l Advantages to Accurate Low-Level Models – Model Validation – Tie to Design Process via Simulation l Domain knowledge – Control Flow, Data Flow Analysis – Can be codified in 3 rd party tools • Results represented in language of theorem prover l Techniques generalize to – Different theorem provers (PVS, ACL 2) – Many different processor models – Different levels of abstraction Advanced Technology Center HCSS 03 – April 2003 Page 26

Outline l l l Motivating History Observations Future Directions Advanced Technology Center HCSS 03

Outline l l l Motivating History Observations Future Directions Advanced Technology Center HCSS 03 – April 2003 Page 27

Future Directions l Extend techniques to larger, more complex problems – – l Additional

Future Directions l Extend techniques to larger, more complex problems – – l Additional microprocessors in the AAMP/JEM/CAPS family Operating System Kernels Mathematical and Cryptographic Libraries Virtual Machines Enable the use of low-level models – Model validation – Avoid trusting or reasoning about compilers/abstractions – Assembly/micro code is not uncommon in these domains • Performance • Access to features unavailable in high-level languages l Encourage continued industrialization of theorem proving technology – More powerful – More capable Advanced Technology Center HCSS 03 – April 2003 Page 28

v. Faat: Overview “A collection of tools and techniques to help simplify reasoning about

v. Faat: Overview “A collection of tools and techniques to help simplify reasoning about complex systems” l Input – Domain specific: object files, microcode – Produces device and theorem prover independent representation l Annotation – Pre/Post conditions – Proof Composition l Analysis – 3 rd party tools automate capture of domain specific knowledge – Stores results as annotations l Output – Generates input for theorem prover – Isolates 3 rd party tools from correctness argument Advanced Technology Center HCSS 03 – April 2003 Page 29

Conclusion l Rockwell Collins History – Have 10+ years experience in applying Formal Methods

Conclusion l Rockwell Collins History – Have 10+ years experience in applying Formal Methods l Observations – Low Level Models are useful in a variety of domains – Domain knowledge can be codified and used in theorem provers – Effective techniques generalize over domains and theorem provers l Conclusion – Combining automated analysis and theorem proving • Improves productivity • Continues to provide high-assurance results • Extends the scope of what is currently feasible Advanced Technology Center HCSS 03 – April 2003 Page 30

John von Neumann und der von Neumann RechnerJohn von Neumann und der von Neumann Rechner
Von Neumann Machine Objectives Explain Von Neumann architectureVon Neumann Machine Objectives Explain Von Neumann architecture
JOHN VON NEUMANN John von Neumann nato ilJOHN VON NEUMANN John von Neumann nato il
Andrea DAddazio VON NEUMANN John von Neumann BudapestAndrea DAddazio VON NEUMANN John von Neumann Budapest
Functional Annotation and Functional Enrichment Annotation Structural AnnotationFunctional Annotation and Functional Enrichment Annotation Structural Annotation
Annotation 1 Annotation 1 n n Override AnnotationAnnotation 1 Annotation 1 n n Override Annotation
Annotation What is an annotation An annotation isAnnotation What is an annotation An annotation is
Annotation Annotation Annotation is a fancy word forAnnotation Annotation Annotation is a fancy word for
Java Annotation Trinea www trinea cn Annotation AnnotationJava Annotation Trinea www trinea cn Annotation Annotation
Genome analysis and annotation Genome Annotation Which sequencesGenome analysis and annotation Genome Annotation Which sequences
Annotation The Key to Analysis Why Annotate AnnotationAnnotation The Key to Analysis Why Annotate Annotation
Nagy magyar tudsok Neumann Jnos 1903 1957 NeumannNagy magyar tudsok Neumann Jnos 1903 1957 Neumann
Neumann T Biermann J Neumann A Wasem JNeumann T Biermann J Neumann A Wasem J
Neumann Till Biermann Janine Neumann Anja Wasem JrgenNeumann Till Biermann Janine Neumann Anja Wasem Jrgen
Neumann Jnos munkssga Ksztette Lzr Zoltn Neumann JnosNeumann Jnos munkssga Ksztette Lzr Zoltn Neumann Jnos
Neumann Jnos 1903 december 28 n szletett NeumannNeumann Jnos 1903 december 28 n szletett Neumann
Formal Methods What Are Formal Methods Formal methodsFormal Methods What Are Formal Methods Formal methods
Formal Verification Lecture 9 Formal Verification l FormalFormal Verification Lecture 9 Formal Verification l Formal
Formal Verification Lecture 11 Formal Verification l FormalFormal Verification Lecture 11 Formal Verification l Formal
Formal Methods continued Formal Methods Modifying a FormalFormal Methods continued Formal Methods Modifying a Formal
Formal Language Formal Language A formal language isFormal Language Formal Language A formal language is
Formal or Informal Formal We use formal languageFormal or Informal Formal We use formal language
Macchina di Von Neumann 1 Macchina di VonMacchina di Von Neumann 1 Macchina di Von
John von Neumannova koncepce John von Neumann pJohn von Neumannova koncepce John von Neumann p