# OTM Who guards the guards?

#### Formal validation of the Arm v8-M Architecture Specification

Alastair Reid

Arm Research

@alastair\_d\_reid

**OOPLSA 2017** 



© 2017 Arm Limited

#### **Uses of formal processor specifications**

Writing compilers, operating systems, ...

Formally verifying compilers, operating systems, ...

Program synthesis

Security analysis

Malware analysis

Formally verifying processor implementations

#### The state of most processor specifications

Large (1000s of pages)

Broad (10+ years of implementations, multiple manufacturers)

Complex (exceptions, weak memory, ...)

Informal (mostly English prose)

We are all just learning how to (retrospectively) formalize specifications

#### **Arm Processor Specifications**

A-class (phones, tablets, servers, ...)

6,000 pages 40,000 line formal specification

Instructions (32/64-bit) Exceptions / Interrupts Memory protection Page tables Multiple privilege levels System control registers Debug / trace

#### M-class (microcontrollers, IoT)

1,200 pages 15,000 line formal specification

Instructions (32-bit) Exceptions / Interrupts Memory protection <del>Page tables</del> Multiple privilege levels System control registers Debug / trace





5 © 2017 Arm Limited















5 © 2017 Arm Limited

#### **Executable Specification**

Defines what *is* allowed

- Animation → Check spec matches expectation

#### **Executable Specification**

Defines what *is* allowed

- Animation → Check spec matches expectation
- Testable → Compare spec against implementation

Does not define what is not allowed

e.g., Impossible states, impossible actions/transitions, security properties No redundancy

Problem when extending specification

#### **Creating a specification of disallowed behaviour**

Where to get a list of disallowed behaviour?

How to formalise this list?

How to formally validate specification against spec of disallowed behaviour?

(This may look familiar from formal specification of software)











arm



### **Rule JRJC**

Exit from lockup is by any of the following:

- A Cold reset.
- A Warm reset.
- Entry to Debug state.
- Preemption by a higher priority processor exception.

#### Rule R

**State Change X** is by any of the following:

- Event A
- Event B
- State Change C
- Event D

#### Rule R

**State Change X** is by any of the following:

- Event A
- Event B
- State Change C
- Event D

And cannot happen any other way

#### Rule R

**State Change X** is by any of the following:

- Event A
- Event B
- State Change C
- Event D

And cannot happen any other way

## Rule R: $X \rightarrow A \lor B \lor C \lor D$

State Change X Event A Event B State Change C Event D

Exit from lockup

A Cold reset

A Warm reset

Entry to Debug state

Preemption by a higher priority processor exception Fell(LockedUp) Called(TakeColdReset)

Called(TakeReset)

Rose(Halted)

Called(ExceptionEntry)

Fell(LockedUp) → Called(TakeColdReset) ∨ Called(TakeReset) ∨ Rose(Halted) ∨ Called(ExceptionEntry)

#### **Rule VGNW**

Entry to lockup from an exception causes

• Any Fault Status Registers associated with the exception to be updated.

Out of date Misleading Untestable Ambiguous

- •No update to the exception state, pending or active.
- The PC to be set to 0xEFFFFFE.
- EPSR.IT to become UNKNOWN.

In addition, HFSR.FORCED is not set to 1.





Fell(LockedUp) → Called(TakeColdReset) ∨ Called(TakeReset) ∨ Rose(Halted) ∨ Called(ExceptionEntry)



#### **Temporal Operators**





#### **Temporal Operators**

#### Fell(LockedUp)



FunctionUnderTest();

... \_\_Past\_LockedUp > LockedUp ...



#### Called(TakeReset)

```
TakeReset()
{
    Called_TakeReset = TRUE;
...
}
```

#### **Rule JRJC**

Exit from lockup is by any of the following:

- A Cold reset.
- A Warm reset.
- Entry to Debug state.
- Preemption by a higher priority processor exception.

Fell(LockedUp) → Called(TakeColdReset) ∨ Called(TakeReset) ∨ Rose(Halted) ∨ Called(ExceptionEntry)

\_\_Called\_TakeColdReset = FALSE; \_\_Called\_TakeReset = FALSE; \_\_Called\_TakeExceptionEntry = FALSE; \_\_Past\_LockedUp = LockedUp; \_\_Past\_Halted = Halted; assert((\_\_Past\_LockedUp > LockedUp)
 ==>
 ( \_\_Called\_TakeColdReset
 || \_\_Called\_TakeReset
 || \_\_Past\_Halted < Halted
 || Called\_ExceptionEntry));</pre>

## Arm Specification\_ Language



Arithmetic operations **Boolean operations Bit Vectors** Arrays Functions Local Variables **Statements** Assignments **If-statements** Loops Exceptions

Arithmetic operations **Boolean operations Bit Vectors** Arrays **Functions** Local Variables **Statements Assignments** If-statements Loops Exceptions

#### **Results (more in paper)**

Most properties proved in under 100 seconds

Found 12 bugs in specification:

- debug, exceptions, system registers, security

Found bugs in English prose:

- ambiguous, imprecise, incorrect, ...



Formalization of large, complex specifications

Executable specifications have a fatal flaw

Need specification of disallowed behaviour

Manually formalized structured English prose

Used SMT checker to find bugs in both spec and prose

Thank You! Danke! Merci! 谢谢! ありがとう! Gracias! Kiitos!

#### @alastair\_d\_reid

arm

See also:

"Trustworthy Specifications of the ARM v8-A and v8-M architecture," FMCAD 2016 "End to End Verification of ARM processors with ISA Formal," CAV 2016