vFaat: von Neumann Formal Analysis and Annotation Tool

Authors

  • David Greve
  • Matthew Wilding
Abstract

Formal verification can be used to establish important properties of critical systems. However, applying formal methods to a low-level implementation of a complex system is a daunting challenge, in part because extracting abstract functionality from a specific implementation is tedious. Automating such efforts by placing them under computer control helps free the user to focus on the essence of the verification problem. vFaat is a tool suite to assist in the formal verification of imperative code executing on von Neumann computing architectures. Building on our experience developing proofs about high-assurance microcoded processors, this work codifies several ad hoc techniques to simplify the process of reasoning about software-based systems.

1. The Promise and Challenge of Code Proofs

1.1 Formal Methods and the Code Verification Challenge

Formal methods allow precise descriptions of systems and requirements and enable them to be related in a mathematically meaningful way. Formal verification can demonstrate that, under all conditions of interest, a particular design behaves as specified. A formal proof of correctness can account for every condition that the design might experience, regardless of the size of the design's state space. Formal methods therefore provide both the high assurance and the vital scaling property that are necessary for verifying complex designs.

A crucial consideration in formal methods work is the level of abstraction that is appropriate for models. The use of high-level, abstract models as the basis for formal verification allows for simpler reasoning when the properties of interest can be conveniently addressed at the algorithmic level. An excellent example of reasoning about such an abstract system is the work at Rockwell Collins analyzing mode awareness in flight guidance systems, which formally demonstrates that the design of modern flight automation software does not lead to dangerous ambiguities [Butler98, Miller01].

There are, however, several reasons for adopting a more detailed model of computation in some applications of formal methods:

  • To guarantee the model's fidelity. For an evaluation of the system to take advantage of formal methods, it must be certain that the formal model used to support the proofs actually reflects the behavior of the system being scrutinized. When the model is a low-level model based on the actual code, it is easier to demonstrate this connection [Greve00c].
  • To reason about low-level primitives. Assembly code and compiler directives are commonly used in low-level software implementations. Such constructs are most common in code of high criticality, such as operating system kernels and math libraries. Unfortunately, the semantics of these primitives are often difficult to express at the source code level, making formal analysis nearly impossible.
  • To avoid reasoning about compilers and other software tools. By reasoning directly about low-level machine code or microcode, one bypasses tools such as compilers and linkers that could affect the correctness of an application [Greve00b].

The disadvantage of reasoning about code directly, rather than at a more abstract level, is complexity. Code proofs involve many implementation details that would be ignored when reasoning about a more abstract model. Some work has been done on techniques for solving this problem. One notable project is the CLI short stack [Bevier89, Wilding93]: a family of implementations (an assembler, a compiler, a hardware design, and two applications) are shown to work together and are proved correct using a theorem prover. Yuan Yu demonstrated proofs of 68020 code, much of which was compiled into machine code from higher-level languages [Yu92]. Rockwell Collins has used the PVS theorem proving system to reason about code in several projects [Wilding97, Greve98, Miller99].

This paper describes how we will develop tools to incorporate previously developed techniques into an automated tool supporting a code proof process.

1.2 The CAPS Project: A Critical Microcode Verification Approach

The CAPS (Collins Adaptive Processing System) is a family of Rockwell Collins proprietary processors. In a multiyear IR&D effort, Rockwell Collins adapted and developed techniques that allow for formal code verification of the microcode running on members of this family. The motivation for this research was that CAPS microprocessors are used in some of the most safety-critical products that Rockwell Collins sells, and current microprocessor verification and certification techniques are extremely laborious. On this project, formal verification techniques were applied to several sequences of actual microcode [Greve02, Greve00a, Wilding01a]. Three important aspects of this work were model development tools, proof decomposition techniques, and modeling and proof automation.

  • Formal Model Development Tools. Rockwell Collins has developed tools and techniques for writing and reasoning about low-level implementations. These methods enable the construction of formalized implementations of sufficient detail to execute device production tests. Such low-level models provide high confidence in the fidelity of the model.
  • Code Proof Decomposition. A crucial challenge in code correctness proofs is developing a methodology for breaking the proof down into smaller, more manageable pieces. The three primary proof decomposition techniques exploited in the CAPS program were the separation of algorithm from implementation, the exploitation of code block structure to break code execution into discrete steps, and loop and block simplification.
  • Modeling and Proof Automation. Modeling and proving programs correct requires ingenuity, since intellectual effort is required to understand what a program does. However, many of the tasks associated with the process of modeling and proving code correct can be automated. In fact, automation of the modeling and proof process is crucial for making code proofs practical. Three forms of automation employed in the Rockwell Collins CAPS program were the mechanical generation of proofs, sophisticated reasoning libraries, and fundamental theorem prover enhancements. Automation of the modeling and proof process in these respects was crucial to being able to demonstrate formal microcode verification in the CAPS project.

Nearly all of the techniques described here apply to proofs other than microcode proofs, such as machine code proofs. Furthermore, most also apply to theorem proving systems other than ACL2. What emerged from the CAPS project and other previous projects is a set of ad hoc approaches for tackling the fundamental challenge of complexity in code proofs using proof decomposition and automation.

2. vFaat: A Modeling and Code Verification Tool

The vFaat (von Neumann Formal Annotation and Automation Tool) methodology supports the kind of proof management and automation seen in the CAPS work in a way that is theorem prover and domain language independent.

2.1 The Tool Suite

The vFaat tool assists in the formal analysis of code, such as machine code or microcode. The tool mechanizes and manages standard practices employed in the code proof process. The core of the tool suite is processor independent, making it useful for reasoning about object code for a wide variety of microprocessors. It is also theorem prover independent and can be targeted towards a variety of theorem proving environments.

The tool flow has four basic parts: input, annotation, automation, and output. Input is the process of extracting useful information from executable object files. Annotation is the process of linking both user-provided and machine-generated information to the internal data structures. Automation is a set of implementation-independent analyses that the tool set provides to the end user. Output is the process of converting the internal data structures and annotation into theorem prover proof scripts. Each of these stages is described in more detail in the following sections.
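The proof decomposition techniques of section 1.2 (separating the algorithm from its implementation, using block structure to break execution into discrete steps, and simplifying loops) and the per-block annotation of section 2.1 can be illustrated on a toy machine. The following Python sketch is an added example, not code from the paper, from vFaat or from Rockwell Collins: the three-register machine, its instruction set, the array-summing program, the clock function, the loop invariant and the deliberately broken variant are all constructed here for illustration. The block lemmas that a theorem prover would establish for all inputs are instead checked by executing the machine on one constructed input, so the code shows the shape of the decomposition rather than a proof.

```python
"""Toy von Neumann machine with a block-structured code proof skeleton.

Added example, not code from the vFaat paper or from Rockwell Collins. The
machine, its instruction set, the sum-array program, the clock function and
the loop invariant are all constructed here. Code and data share one memory;
instructions are stored as tuples to avoid writing an encoder."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class State:
    pc: int
    r: tuple            # three registers (r0, r1, r2)
    mem: tuple          # unified code + data memory
    halted: bool = False

def step(s):
    """One machine step: fetch the cell at pc, decode, execute."""
    if s.halted:
        return s
    op, *args = s.mem[s.pc]
    r, pc = list(s.r), s.pc + 1
    if op == "LOADI":                  # rX <- imm
        r[args[0]] = args[1]
    elif op == "LOAD":                 # rX <- mem[addr]
        r[args[0]] = s.mem[args[1]]
    elif op == "ADDM":                 # rX <- rX + mem[rY]
        r[args[0]] += s.mem[r[args[1]]]
    elif op == "ADDI":                 # rX <- rX + imm
        r[args[0]] += args[1]
    elif op == "JZ":                   # if rX == 0 then pc <- target
        if r[args[0]] == 0:
            pc = args[1]
    elif op == "JMP":                  # pc <- target
        pc = args[0]
    elif op == "HALT":
        return replace(s, halted=True)
    else:
        raise ValueError(f"bad opcode at {s.pc}: {op!r}")
    return State(pc, tuple(r), s.mem)

def run(n, s):
    """Clock-style run function: n steps from state s."""
    for _ in range(n):
        s = step(s)
    return s

COUNT, BASE = 9, 10            # data layout: element count at 9, array from 10
CODE = (
    ("LOADI", 0, 0),           # 0: r0 <- 0           accumulator
    ("LOADI", 1, BASE),        # 1: r1 <- BASE        pointer
    ("LOAD", 2, COUNT),        # 2: r2 <- mem[COUNT]  elements remaining
    ("JZ", 2, 8),              # 3: loop head: if r2 == 0 goto 8
    ("ADDM", 0, 1),            # 4: r0 <- r0 + mem[r1]
    ("ADDI", 1, 1),            # 5: r1 <- r1 + 1
    ("ADDI", 2, -1),           # 6: r2 <- r2 - 1
    ("JMP", 3),                # 7: goto loop head
    ("HALT",),                 # 8
)
# Constructed buggy variant: the pointer is never advanced (ADDI r1, 0).
BUGGY_CODE = CODE[:5] + (("ADDI", 1, 0),) + CODE[6:]

def initial_state(data, code=CODE):
    return State(0, (0, 0, 0), code + (len(data),) + tuple(data))

def spec(data):
    """The algorithm, kept separate from the machine-level implementation."""
    return sum(data)

def clock(n):
    """Steps to halt on n elements: 3 (entry) + 5 per iteration + 2 (exit)."""
    return 3 + 5 * n + 2

def loop_inv(s, s0, data, k):
    """Annotation at the loop head (pc 3) with k elements still to add."""
    done = len(data) - k
    return (not s.halted and s.pc == 3 and s.mem == s0.mem
            and s.r == (sum(data[:done]), BASE + done, k))

def check_block_theorems(data, code=CODE):
    """Run each block from a state satisfying its precondition and check its
    postcondition. A prover shows these lemmas for all inputs; this checks
    them on one constructed input and so only validates the decomposition."""
    n, s0 = len(data), initial_state(data, code)
    s = run(3, s0)                       # entry block establishes the invariant
    if not loop_inv(s, s0, data, n):
        return False
    for k in range(n, 0, -1):            # loop body preserves it, k -> k - 1
        s = run(5, s)
        if not loop_inv(s, s0, data, k - 1):
            return False
    s = run(2, s)                        # exit block: JZ to 8, then HALT
    return s.halted and s.pc == 8 and s.r[0] == spec(data)

def verify(data, code=CODE):
    """Composed theorem: clock(n) steps from the initial state halt with r0
    equal to the spec, and further steps leave the halted state unchanged."""
    s = run(clock(len(data)), initial_state(data, code))
    return s.halted and s.r[0] == spec(data) and run(3, s) == s
```

`loop_inv` plays the part of a block annotation: the straight-line entry block, the loop body and the exit block each get a fixed step count and a pre/post condition, and `verify` composes them through `clock`. Running `check_block_theorems([1, 2, 3], BUGGY_CODE)` fails at the first loop iteration because r1 no longer matches the invariant, which is what block decomposition buys in practice: a failed proof attempt points at one block rather than at the whole run.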




Publication date: 2003