Sail, RISC-V, and CHERI-RISC-V

Prashanth Mundkur and Peter G. Neumann, SRI International
(most of this work done by University of Cambridge)

Robert Norton-Wright, Jon French, Brian Campbell*, Alasdair Armstrong, Thomas Bauereiss, Shaked Flur, Peter Sewell
University of Cambridge (*University of Edinburgh)

Ninth Summer School on Formal Techniques, May 23, 2019
Menlo College, Atherton, CA

This work was partially supported by EPSRC grant EP/K008528/1 (REMS), an ARM iCASE award, and EPSRC IAA KTF funding. Approved for public release; distribution is unlimited. This research is sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 ("CTSRD") and FA8650-18-C-7809 ("CIFV"). The views, opinions, and/or findings contained in this article/presentation are those of the author(s)/presenter(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.
ISA Specification

The problem:
• ISA specifications use a mixture of prose and pseudocode
• Often many thousands of pages
• Sometimes loosely worded and containing errors

Without machine-readable specifications:
• Cannot do machine-checked proofs
• Hard to test or formally verify implementations against the specification
Existing Formal ISA Models

• CakeML - HOL models for x86-64, ARMv6, ARMv8, RISCV-64, MIPS-64
• CompCert - Coq models for PowerPC, ARM, x86, RISC-V (32- and 64-bit)
• seL4 - Isabelle/HOL ARMv7 model
• ACL2 (x86) - Goel et al
• RockSalt SFI - Coq model of x86 (Morrisett et al)
• ... and others
• Public release of ARMv8-A specification by ARM, but no public tool support
• Few include full system-level specifications
• Tied to specific use-cases or theorem provers
Sail design goals

ISA models which are:
• similar to existing pseudocode
• cover the full scope of the architecture
• translatable into executable sequential emulator code
• translatable into idiomatic theorem prover definitions
  ◦ for multiple provers!
• offer fine-grained execution information for relaxed-memory model integration

ARM model generated from ARM ASL, other models hand-written
RISC-V

Open ISA, developed by a broad industrial and academic community
• Test system features by booting seL4, FreeBSD and Linux
• Validated against the RISC-V test suite, and via trace comparison with the Spike simulator
• Led to contributions to the original ISA specification, e.g.
  ◦ description of page faults in page-table walks
  ◦ ambiguities in the specification of interrupt delegation
  ◦ bug fixes in the Spike simulator
• Integration with the RMEM concurrency tool
  ◦ Used with the 6874 litmus tests for the RISC-V memory model
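The trace comparison against Spike mentioned on this slide is differential testing: run the same program on the reference simulator and on the generated emulator, line the commit logs up step by step, and stop at the first architectural difference. The script below is an added example, not code from sail-riscv or Spike. Its trace line format (pc, encoded instruction, optional integer-register write-back) and the two sample traces are constructed for the example; real Spike and Sail emulator logs have their own layouts and need their own parsers. Writes to x0 are normalised away because x0 is hard-wired to zero and a logged write there is not architectural state.

```python
"""Differential checking of two instruction-level execution traces.

Added example, not code from the Sail or sail-riscv projects. The trace
line format is constructed for this example; real Spike and Sail emulator
commit logs differ in layout and need their own parsers.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed format:  0x<pc> (0x<insn>) [x<rd> 0x<value>] [# comment]
LINE_RE = re.compile(
    r"^\s*0x(?P<pc>[0-9a-fA-F]+)\s+\(0x(?P<insn>[0-9a-fA-F]+)\)"
    r"(?:\s+x(?P<rd>\d{1,2})\s+0x(?P<val>[0-9a-fA-F]+))?"
    r"\s*(?:#.*)?$"
)


@dataclass(frozen=True)
class Step:
    pc: int
    insn: int
    writeback: Optional[Tuple[int, int]]  # (register index, value), or None


def parse_trace(lines: Iterable[str]) -> List[Step]:
    """Parse trace lines; writes to x0 are dropped because x0 is hard-wired to zero."""
    steps: List[Step] = []
    for lineno, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised trace line {line!r}")
        writeback = None
        if m.group("rd") is not None and int(m.group("rd")) != 0:
            writeback = (int(m.group("rd")), int(m.group("val"), 16))
        steps.append(Step(int(m.group("pc"), 16), int(m.group("insn"), 16), writeback))
    return steps


def first_divergence(ref: List[Step], cand: List[Step]) -> Optional[Tuple[int, str]]:
    """Return (step index, description) of the first architectural mismatch, or None."""
    for i, (a, b) in enumerate(zip(ref, cand)):
        if a.pc != b.pc:
            return i, f"pc 0x{a.pc:x} vs 0x{b.pc:x}"
        if a.insn != b.insn:
            return i, f"instruction 0x{a.insn:08x} vs 0x{b.insn:08x} at pc 0x{a.pc:x}"
        if a.writeback != b.writeback:
            return i, f"write-back {a.writeback} vs {b.writeback} at pc 0x{a.pc:x}"
    if len(ref) != len(cand):
        n = min(len(ref), len(cand))
        return n, f"trace lengths differ ({len(ref)} vs {len(cand)} steps)"
    return None


def compare_traces(reference_text: str, candidate_text: str) -> Optional[Tuple[int, str]]:
    return first_divergence(parse_trace(reference_text.splitlines()),
                            parse_trace(candidate_text.splitlines()))


# Constructed sample traces (not real Spike or Sail output).
REFERENCE_TRACE = """\
0x80000000 (0x00100093) x1 0x0000000000000001   # addi x1, x0, 1
0x80000004 (0xfff00113) x2 0xffffffffffffffff   # addi x2, x0, -1
0x80000008 (0x00208033) x0 0x0000000000000000   # add  x0, x1, x2 (x0 write is discarded)
0x8000000c (0x0000006f)                         # jal  x0, 0 (no write-back)
"""

# Same program on a hypothetical model that zero-extends the I-type immediate
# instead of sign-extending it, so addi x2, x0, -1 yields 0xfff.
BUGGY_MODEL_TRACE = """\
0x80000000 (0x00100093) x1 0x0000000000000001
0x80000004 (0xfff00113) x2 0x0000000000000fff
0x80000008 (0x00208033)
0x8000000c (0x0000006f)
"""

if __name__ == "__main__":
    print(compare_traces(REFERENCE_TRACE, BUGGY_MODEL_TRACE))
```

Running it reports step 1 as the first divergence (the write-back of x2), while the differing treatment of the x0 write at step 2 is correctly ignored. In practice the same loop is driven by two live emulator processes rather than fixed strings, and the divergence report (pc plus the instruction word) is what gets turned into a minimal reproducer for the specification bug.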
MIPS and CHERI-MIPS

CHERI: research architecture that extends 64-bit MIPS with hardware capabilities for fine-grained memory protection and secure compartmentalisation

The Sail model:
• Sufficient privileged architecture features to boot FreeBSD, but excluding floating-point and other optional extensions
• Under continuous development with the CHERI project
• Owned and developed by hardware researchers
• Used in the upcoming CHERI ISA specification document

Successful example of hardware/software/semantics co-design
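To make concrete what "hardware capabilities for fine-grained memory protection" means for a specification, here is a small executable model of tagged, bounded capabilities together with the checks a capability load or store and a bounds-narrowing instruction must perform. It is an added example, not the Sail CHERI-MIPS specification: the field names, the two permission bits, the exception cause strings and the sample REGION/OBJ capabilities are this example's own simplifications of the CHERI capability model (tag, bounds, permissions, sealed flag, cursor).

```python
"""Toy executable model of CHERI-style capability checks.

Added example, not the Sail CHERI-MIPS specification. Field names,
permission bits and exception cause strings are simplifications chosen
for illustration.
"""
from dataclasses import dataclass, replace

PERM_LOAD = 1 << 0
PERM_STORE = 1 << 1


@dataclass(frozen=True)
class Capability:
    tag: bool        # valid capability; cleared by any non-capability write
    base: int        # lowest address covered
    length: int      # bytes covered; top = base + length
    perms: int       # bitmask of PERM_* bits
    sealed: bool     # sealed capabilities cannot be dereferenced or modified
    cursor: int      # address the capability currently points to

    @property
    def top(self) -> int:
        return self.base + self.length


class CapabilityException(Exception):
    def __init__(self, cause: str, cap: Capability) -> None:
        super().__init__(f"{cause}: cursor=0x{cap.cursor:x} bounds=[0x{cap.base:x}, 0x{cap.top:x})")
        self.cause = cause


def check_access(cap: Capability, size: int, perm: int) -> int:
    """Checks done before a load/store; returns the address to access on success."""
    if not cap.tag:
        raise CapabilityException("tag violation", cap)
    if cap.sealed:
        raise CapabilityException("seal violation", cap)
    if cap.perms & perm == 0:
        raise CapabilityException("permission violation", cap)
    if cap.cursor < cap.base or cap.cursor + size > cap.top:
        raise CapabilityException("length violation", cap)
    return cap.cursor


def set_bounds(cap: Capability, new_base: int, new_length: int) -> Capability:
    """Narrow bounds. Must never widen: the new range has to lie inside the old one."""
    if not cap.tag:
        raise CapabilityException("tag violation", cap)
    if cap.sealed:
        raise CapabilityException("seal violation", cap)
    if new_length < 0 or new_base < cap.base or new_base + new_length > cap.top:
        raise CapabilityException("length violation", cap)
    return replace(cap, base=new_base, length=new_length, cursor=new_base)


def and_perms(cap: Capability, mask: int) -> Capability:
    """Permissions can only be removed, never added."""
    return replace(cap, perms=cap.perms & mask)


def inc_offset(cap: Capability, delta: int) -> Capability:
    """Pointer arithmetic: moving the cursor out of bounds is allowed, using it is not."""
    return replace(cap, cursor=cap.cursor + delta)


def access_outcome(cap: Capability, size: int, perm: int) -> str:
    """'ok' if the access would be permitted, otherwise the exception cause."""
    try:
        check_access(cap, size, perm)
        return "ok"
    except CapabilityException as e:
        return e.cause


def set_bounds_outcome(cap: Capability, new_base: int, new_length: int) -> str:
    try:
        set_bounds(cap, new_base, new_length)
        return "ok"
    except CapabilityException as e:
        return e.cause


# Constructed scenario: a 4 KiB read/write region, then a 16-byte read-only sub-object.
REGION = Capability(tag=True, base=0x1000, length=0x1000,
                    perms=PERM_LOAD | PERM_STORE, sealed=False, cursor=0x1000)
OBJ = and_perms(set_bounds(REGION, 0x1100, 16), PERM_LOAD)
UNTAGGED_OBJ = replace(OBJ, tag=False)   # e.g. after an integer store over it
SEALED_OBJ = replace(OBJ, sealed=True)

if __name__ == "__main__":
    print(access_outcome(OBJ, 8, PERM_LOAD))                  # in bounds, readable
    print(access_outcome(inc_offset(OBJ, 16), 1, PERM_LOAD))  # one past the end
    print(access_outcome(OBJ, 1, PERM_STORE))                 # read-only object
    print(set_bounds_outcome(OBJ, 0x1000, 0x1000))           # attempt to widen
```

The two properties worth noticing are that every dereference is checked against the capability actually used (not against some ambient address space), and that derivation (set_bounds, and_perms) is monotonic: a sub-object capability can never regain the bounds or permissions of the region it was carved from. In the Sail model these checks sit in the execute clauses of the capability load/store and CSetBounds-style instructions, which is what makes them available to the emulator and to the theorem-prover backends alike.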
The Sail Language

• Imperative first-order language for describing ISA specifications
• Lightweight dependent types
  ◦ Purely syntax-directed, bi-directional type checking
  ◦ Important properties proved for the MiniSail fragment: type safety, decidability of type checking
• SMT solver to make dependent type checking mostly automatic

As simple as possible, but no simpler
Emulator Generation

Need reasonably efficient emulator generation for ISA validation. Simple OCaml translation, optimised C translation for speed.

Key optimisations:
• Use dependent types and SMT to pack integers into 64-bit machine words
• Similarly, identify bitvectors that can be packed into single 64-bit words
• Statically allocate all storage where possible

Resulting speed: 1M instructions per second (IPS) for MIPS, 80 000 IPS for ARM
Generating Theorem Prover Definitions

• Currently targeting Isabelle/HOL, HOL4, and Coq
• State monad for sequential reasoning
• Free monad over memory effects for concurrent reasoning
• Use dependent type information to integrate with machine word libraries
• Validation of the translation via testing
  ◦ Code extraction from the Isabelle model of CHERI-MIPS to OCaml
  ◦ Successfully (albeit slowly) executes the CHERI-MIPS test suite
Example Proof for ARMv8-A

Key question: is such a large specification actually usable for proof?

Address translation: the most complex part of the ARMv8 model!
• 9000 lines of specification required
• Page table walk: over 500 lines of specification excluding helper functions
  ◦ ... and there are lots of page table helper functions
• Involves iteration, variable-length bitvectors, memory effects, nondeterminism, ...
Example Proof for ARMv8-A

We define a simple characterisation of address translation suitable for reasoning about non-system code. About 500 lines of Isabelle total.

Theorem: Simplified address translation is equivalent to full ARMv8 address translation under certain useful assumptions: user mode, no virtualisation, valid translation tables, hardware updating of translation table flags.

Uncovered a few small bugs in the ASL specification
RISC-V in Sail

sail-riscv
+---- model                  // Sail specification modules
+---- generated_definitions  // Files generated by Sail
|     +---- c, ocaml, lem, isabelle, coq, hol4, latex
+---- handwritten_support    // Prover support files
+---- c_emulator             // supporting platform files for C emulator
+---- ocaml_emulator         // supporting platform files for OCaml emulator
+---- doc                    // documentation
+---- test                   // test files
RISC-V Specification Structure

Modules of the specification and their contents:
• prelude: helpers, raw physical memory
• basic types: registers, indices, exceptions, privilege levels, ...
• registers: PC, integer (user), system regs, current privilege
• physical memory: memory access, platform memory map, MMIO devices
• virtual memory: PTE formats, TLB, page table walks
• privilege transition: exceptions, interrupts, returns
• instructions: decode, execute
• step: fetch-execute, interrupt dispatch, clock, device models
Extendable ISA Specifications

Possible extension points:
• register width (e.g. 32/64, 32+64)
• new registers (floating point, vector)
• privilege levels (e.g. M-only, M/U, M/S/U, virtualization)
• physical memory (tagged memory)
• address translation (virtualization, security extensions)