Presentation is loading. Please wait.

Presentation is loading. Please wait.

Page 1 Advanced Technology Center HCSS 03 – April 2003 vFaat: von Neumann Formal Analysis and Annotation Tool David Greve Dr. Matthew Wilding Rockwell.

Published byBaldric Cooper Modified over 8 years ago

Similar presentations

Presentation on theme: "Page 1 Advanced Technology Center HCSS 03 – April 2003 vFaat: von Neumann Formal Analysis and Annotation Tool David Greve Dr. Matthew Wilding Rockwell."— Presentation transcript:

1 Page 1 Advanced Technology Center HCSS 03 – April 2003 vFaat: von Neumann Formal Analysis and Annotation Tool David Greve Dr. Matthew Wilding Rockwell Collins Advanced Computing Systems Cedar Rapids, IA dagreve@rockwellcollins.com mmwildin@rockwellcollins.com April 2003

2 Page 2 Advanced Technology Center HCSS 03 – April 2003 Overview l Rockwell Collins History –Have 10+ years experience in applying Formal Methods Have embraced and extended a variety of techniques l Observations –Advantages to Accurate Low-Level Models Abstraction can be tedious –Domain knowledge Missing from generic theorem provers Can be codified –Techniques generalize to Different Verification Targets Different Theorem Provers l Conclusion –Judicious use of automation simplifies verification task Improve Productivity, Extend Scope vFaat: A collection of tools and techniques to help simplify reasoning about complex systems”

3 Page 3 Advanced Technology Center HCSS 03 – April 2003 Outline l Motivating History l Observations l Future Directions

4 Page 4 Advanced Technology Center HCSS 03 – April 2003 RC Formal Methods Projects l AAMP5/AAMP-FV l JEM1: Symbolic Simulation l JEM2: Executable Formal Models l CAPS: High-Assurance Processor l AAMP7: Intrinsic Partitioning

5 Page 5 Advanced Technology Center HCSS 03 – April 2003 AAMP5/AAMP-FV l Goal –Demonstrate use of Formal Methods in Industrial Setting l Project –Sponsored by NASA Langley –Used PVS and teamed with SRI –Abstract representation of instruction execution created –Functionally described Microarchitecture –Standard Commuting Diagram Proof “Formal Verification of the AAMP5 Microprocessor”, NASA Report 1995 “Formal Verification of the AAMP-FV Microcode”, NASA Report 1999

6 Page 6 Advanced Technology Center HCSS 03 – April 2003 AAMP5/AAMP-FV l Inspections connected model to implementation –Found variety of errors in formal specification l Was there a better way to validate the model? –Better Integration with design process? l Verified a number of instructions –Even found a few bugs l Brute Force Formalization –Microcode specified by hand –“Clock functions” crafted by hand l Automated microcode specification an obvious next step

7 Page 7 Advanced Technology Center HCSS 03 – April 2003 JEM1: Symbolic Simulation l Goals –Integration of Formal Models into Design Process –Leverage Automated Analysis –Detect Microcode Errors (Bug Finding) l Project –Specified JEM1 Microarchitecture in PVS –Used PVS to execute symbolically the model Generated Symbolic Results for Microcode Basic Blocks –Analyzed Symbolic Results as part of Microcode Inspections “Symbolic Simulation of the JEM1 Microprocessor”, FMCAD-98

8 Page 8 Advanced Technology Center HCSS 03 – April 2003 JEM1: Symbolic Simulation l Symbolic Results Difficult to Read –Good for detecting data-flow errors (Definition/Use) Unexpected Side-Effects Unexpected Data-Dependencies l Demonstrated Effective Use of Automation –Codified knowledge of problem domain Control Flow Analysis Dictated Proof Architecture –Employed Automatic Generation of: Function Definitions (uCode) Theorems and Theory Structure (Proof Architecture) Symbolic Results (batch mode PVS)

9 Page 9 Advanced Technology Center HCSS 03 – April 2003 JEM2: Executable Formal Models l Goals –Integration of Formal Models into Design Process –Improve Model Validation Technique Replace Microcode Simulator with Executable Formal Model l Project –Modeled JEM2 in logic of ACL2 Subset of Common Lisp –Compiled model to C and linked into GUI development environment “Efficient Simulation of Formal Processor Models”, FMSD 2002

10 Page 10 Advanced Technology Center HCSS 03 – April 2003 JEM2: Executable Formal Models l Impressive Results –Final simulator ran as fast as original No penalty to developers for using formal model –Successfully executed regression tests Guaranteed validity of formal model l Exposed ACL2 tool limitations –Model was large and complex –Is it possible to reason about such models?

11 Page 11 Advanced Technology Center HCSS 03 – April 2003 CAPS: High-Assurance Processor l Goals –Reason about an Executable Formal Model –Perform Instruction Level Proofs of CAPS processor l Project –Modeled Microarchitecture of CAPS in ACL2 –Executed Standard Regression Tests to Validate Model –Formalized a set of CAPS instructions –Constructed Instruction Level Proofs “Evaluatable, High-Assurance Microprocessors”, HCSS-02

12 Page 12 Advanced Technology Center HCSS 03 – April 2003 CAPS ACL2 uarch model passes 3-hr standard CAPS regression test! CAPS Microarchitecture Model The ACL2 CAPS uarch model replaces the C model in the CAPS microcode simulator. The replacement is not observable to users. High-speed, formal models provide for evaluatability (looks like C, passes regression tests, integrated into dev process, proofs checked)

13 Page 13 Advanced Technology Center HCSS 03 – April 2003 CAPS Correctness Theorem I - CAPS Instruction Set Model Start state End state Start state End state M - CAPS Microarchitecture Model How do we decompose the proof of this theorem into manageable pieces?

14 Page 14 Advanced Technology Center HCSS 03 – April 2003 Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line Instruction microcode implementation

15 Page 15 Advanced Technology Center HCSS 03 – April 2003 Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line microcode line spec Instruction microcode implementation

16 Page 16 Advanced Technology Center HCSS 03 – April 2003 Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line microcode line spec microcode block spec Instruction microcode implementation

17 Page 17 Advanced Technology Center HCSS 03 – April 2003 Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line microcode line spec microcode block spec abstract microcode block spec Instruction microcode implementation

18 Page 18 Advanced Technology Center HCSS 03 – April 2003 Decomposing the Proof Microcode sequences can be specified and verified in steps. microcode line microcode line spec microcode block spec abstract microcode block spec instruction Instruction microcode implementation

19 Page 19 Advanced Technology Center HCSS 03 – April 2003 Proving the CAPS Correctness Theorem I - CAPS Instruction Set Model Start state End state Start state End state M - CAPS Microarchitecture Model Single Microcode Line Specs Abstract Microcode Block Specs Microcode Block Specs

20 Page 20 Advanced Technology Center HCSS 03 – April 2003 CAPS: High-Assurance Processor l Considerable effort expended on EFM reasoning –ACL2 enhanced to deal efficiently with single threaded expressions l Techniques to manage complexity –Proof libraries Bit vectors –Using low level model to help define abstract model Simplifies abstract specification and proof process –Proof-generating Macros Similar to techniques constructed for JEM1 symbolic simulation

21 Page 21 Advanced Technology Center HCSS 03 – April 2003 AAMP7: Intrinsic Partitioning l Goals –Verify Security Properties of AAMP Intrinsic Partitioning Mechanism l Project –Formalize Security Property in ACL2 –Formalize Intrinsic Partitioning Functionality “Instruction Level” Model Linear Address Space –Prove that Intrinsic Partitioning satisfies Security Property “High-Assurance Intrinsic Partitioning”, HCSS-03

22 Page 22 Advanced Technology Center HCSS 03 – April 2003 Linear Address Space Reasoning ACTIVE CURRENT

23 Page 23 Advanced Technology Center HCSS 03 – April 2003 Linear Address Space Reasoning ACTIVE CURRENT

24 Page 24 Advanced Technology Center HCSS 03 – April 2003 AAMP7: Intrinsic Partitioning l Reasoning about Linear Address Spaces –Identify orthogonal functionality Techniques that scale Make explicit for theorem prover –Could Leverage Data Flow (Definition/Use) Analysis l Proof Architecture –Block structured decomposition Similar to CAPS work –Over function boundaries Not Microcode blocks

25 Page 25 Advanced Technology Center HCSS 03 – April 2003 Outline l Motivating History l Observations l Future Directions

26 Page 26 Advanced Technology Center HCSS 03 – April 2003 Observations l Advantages to Accurate Low-Level Models –Model Validation –Tie to Design Process via Simulation l Domain knowledge –Control Flow, Data Flow Analysis –Can be codified in 3 rd party tools Results represented in language of theorem prover l Techniques generalize to –Different theorem provers (PVS,ACL2) –Many different processor models –Different levels of abstraction

27 Page 27 Advanced Technology Center HCSS 03 – April 2003 Outline l Motivating History l Observations l Future Directions

28 Page 28 Advanced Technology Center HCSS 03 – April 2003 Future Directions l Extend techniques to larger, more complex problems –Additional microprocessors in the AAMP/JEM/CAPS family –Operating System Kernels –Mathematical and Cryptographic Libraries –Virtual Machines l Enable the use of low-level models –Model validation –Avoid trusting or reasoning about compilers/abstractions –Assembly/micro code is not uncommon in these domains Performance Access to features unavailable in high-level languages l Encourage continued industrialization of theorem proving technology –More powerful –More capable

29 Page 29 Advanced Technology Center HCSS 03 – April 2003 vFaat: Overview l Input –Domain specific: object files, microcode –Produces device and theorem prover independent representation l Annotation –Pre/Post conditions –Proof Composition l Analysis –3 rd party tools automate capture of domain specific knowledge –Stores results as annotations l Output –Generates input for theorem prover –Isolates 3 rd party tools from correctness argument “A collection of tools and techniques to help simplify reasoning about complex systems”

30 Page 30 Advanced Technology Center HCSS 03 – April 2003 Conclusion l Rockwell Collins History –Have 10+ years experience in applying Formal Methods l Observations –Low Level Models are useful in a variety of domains –Domain knowledge can be codified and used in theorem provers –Effective techniques generalize over domains and theorem provers l Conclusion –Combining automated analysis and theorem proving Improves productivity Continues to provide high-assurance results Extends the scope of what is currently feasible

Download ppt "Page 1 Advanced Technology Center HCSS 03 – April 2003 vFaat: von Neumann Formal Analysis and Annotation Tool David Greve Dr. Matthew Wilding Rockwell."

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
What are Formal Verification Methods Mathematically based languages, techniques and tools for specifying and verifying systems Language – Clear unambiguous.

What are Formal Verification Methods Mathematically based languages, techniques and tools for specifying and verifying systems Language – Clear unambiguous.
LIFE CYCLE MODELS FORMAL TRANSFORMATION

LIFE CYCLE MODELS FORMAL TRANSFORMATION
Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.

Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Presented by: Thabet Kacem Spring 2010. Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.

Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.

VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Advanced Technology Center Slide 1 Formal Verification of Flight Critical Software Dr. Steven P. Miller Advanced Computing Systems Elise A. Anderson Commercial.

Advanced Technology Center Slide 1 Formal Verification of Flight Critical Software Dr. Steven P. Miller Advanced Computing Systems Elise A. Anderson Commercial.
The Concept of Computer Architecture

The Concept of Computer Architecture
Presenter : Shih-Tung Huang Tsung-Cheng Lin Kuan-Fu Kuo 2015/6/15 EICE team Model-Level Debugging of Embedded Real-Time Systems Wolfgang Haberl, Markus.

Presenter : Shih-Tung Huang Tsung-Cheng Lin Kuan-Fu Kuo 2015/6/15 EICE team Model-Level Debugging of Embedded Real-Time Systems Wolfgang Haberl, Markus.
Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.

Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

Similar presentations

Ads by Google