Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models

Armstrong, Alasdair; Campbell, Brian; Simner, Ben; Pulte, Christopher; Sewell, Peter

doi:10.1007/978-3-030-81685-8_14

Cited by 10 publications

(4 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We reused the existing open-source Sail tooling and ASL-to-Sail translation [9,10] mostly as-is, with only minor improvements and some engineering work needed to handle Morello. In addition to the Isabelle definitions, we generate a C emulator for validation ( §6) using the Sail tool, and we reuse the Isla symbolic execution engine for Sail [10] to generate tests ( §7).…”

Section: Using Cheri In Softwarementioning

confidence: 99%

“…Instruction set specifications are good candidates for symbolic execution because the languages tend to be relatively simple and the number of paths for any given instruction is bounded. To build a test generator for Morello we were able to reuse the Isla symbolic execution tool, which was already being developed for work combining Sail ISAs with relaxed memory models [10].…”

Section: Model-based Test Generationmentioning

confidence: 99%

“…Finally, we developed a test generator, using the Isla symbolic execution tooling for Sail [10], to automatically generate interesting instruction-sequence tests, aiming at good specification coverage. These complemented Arm's test suite and were used by Arm as part of their pre-tape-out validation, and were used as the main test suite for development of a Morello version of the QEMU emulator.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Bauereiss

Campbell

Sewell

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Memory safety bugs continue to be a major source of security vulnerabilities in our critical infrastructure. The CHERI project has proposed extending conventional architectures with hardware-supported capabilities to enable fine-grained memory protection and scalable compartmentalisation, allowing historically memory-unsafe C and C++ to be adapted to deterministically mitigate large classes of vulnerabilities, while requiring only minor changes to existing system software sources. Arm is currently designing and building Morello, a CHERI-enabled prototype architecture, processor, SoC, and board, extending the high-performance Neoverse N1, to enable industrial evaluation of CHERI and pave the way for potential mass-market adoption. However, for such a major new security-oriented architecture feature, it is important to establish high confidence that it does provide the intended protections, and that cannot be done with conventional engineering techniques.In this paper we put the Morello architecture on a solid mathematical footing from the outset. We define the fundamental security property that Morello aims to provide, reachable capability monotonicity, and prove that the architecture definition satisfies it. This proof is mechanised in Isabelle/HOL, and applies to a translation of the official Arm specification of the Morello instruction-set architecture (ISA) into Isabelle. The main challenge is handling the complexity and scale of a production architecture: 62,000 lines of specification, translated to 210,000 lines of Isabelle. We do so by factoring the proof via a narrow abstraction capturing essential properties of arbitrary CHERI ISAs, expressed above a monadic intra-instruction semantics. We also develop a model-based test generator, which generates instruction-sequence tests that give good specification coverage, used in early testing of the Morello implementation and in Morello QEMU development, and we use Arm’s internal test suite to validate our model.This gives us machine-checked mathematical proofs of whole-ISA security properties of a full-scale industry architecture, at design-time. To the best of our knowledge, this is the first demonstration that that is feasible, and it significantly increases confidence in Morello.

show abstract

Section: Using Cheri In Softwarementioning

confidence: 99%

Section: Model-based Test Generationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Bauereiss

Campbell

Sewell

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…First, even just the sequential definition of Armv8-A address translation, with the page-table walk and its options, is remarkably intricate, defined in thousands of lines of Arm's ASL instruction description language. Manually reimplementing a simplified version would be error-prone and incomplete, so we instead build on our Isla tool [15], which integrates the full 123,000 line Armv8-A ISA semantics (as defined by Arm in ASL and automatically translated into Sail [14]), with SMT-based tooling to evaluate tests w.r.t. axiomatic concurrency models.…”

Section: Isla-based Model Evaluationmentioning

confidence: 99%

Relaxed virtual memory in Armv8-A (extended version)

Simner¹,

Armstrong²,

Pichon-Pharabod³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions.We explore the design space for relaxed virtual memory semantics in the Armv8-A architecture, to support future system-software verification. We identify many design questions, in discussion with Arm; develop a test suite, including use cases from the pKVM production hypervisor under development by Google; delimit the design space with axiomatic-style concurrency models; prove that under simple stable configurations our architectural model collapses to previous "user" models; develop tooling to compute allowed behaviours in the model integrated with the full Armv8-A ISA semantics; and develop a hardware test harness.This lays out some of the main issues in relaxed virtual memory bringing these security-critical systems phenomena into the domain of programming-language semantics and verification with foundational architecture semantics.This document is an extended version of a paper in ESOP 2022, with additional explanation and examples in the main body, and appendices detailing our litmus tests, models, proofs, and test results.

show abstract

Relaxed virtual memory in Armv8-A

Simner

Armstrong

Pichon-Pharabod

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions.We explore the design space for relaxed virtual memory semantics in the Armv8-A architecture, to support future system-software verification. We identify many design questions, in discussion with Arm; develop a test suite, including use cases from the pKVM production hypervisor under development by Google; delimit the design space with axiomatic-style concurrency models; prove that under simple stable configurations our architectural model collapses to previous “user” models; develop tooling to compute allowed behaviours in the model integrated with the full Armv8-A ISA semantics; and develop a hardware test harness.This lays out some of the main issues in relaxed virtual memory bringing these security-critical systems phenomena into the domain of programming-language semantics and verification with foundational architecture semantics.

show abstract

Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models

Cited by 10 publications

References 22 publications

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Relaxed virtual memory in Armv8-A (extended version)

Relaxed virtual memory in Armv8-A

Contact Info

Product

Resources

About