DOI: 10.1145/1217975.1217978

A robust machine code proof framework for highly secure applications

Published: 15 August 2006

Abstract

Security-critical applications at the highest Evaluation Assurance Levels (EAL) require formal proofs of correctness in order to achieve certification. To support secure application development at the highest EALs, we have developed techniques to largely automate the process of producing proofs of correctness of machine code. As part of the Secure, High-Assurance Development Environment program, we have produced in ACL2 an executable formal model of the Rockwell Collins AAMP7G microprocessor at the instruction set level, in order to facilitate proofs of correctness about that processor's machine code. The AAMP7G, currently in use in Rockwell Collins secure system products, supports strict time and space partitioning in hardware, and has received a U.S. National Security Agency (NSA) Multiple Independent Levels of Security (MILS) certificate based in part on a formal proof of correctness of its separation kernel microcode. Proofs of correctness of AAMP7G machine code are accomplished using the method of "compositional cutpoints", which requires neither traditional clock functions nor a Verification Condition Generator (VCG). In this paper, we will summarize the AAMP7G architecture, detail our ACL2 model of the processor, and describe our development of the compositional cutpoint method into a robust machine code proof framework.

Published In

ACL2 '06: Proceedings of the sixth international workshop on the ACL2 theorem prover and its applications (ACM Other conferences)
August 2006, 145 pages
ISBN: 0978849302
DOI: 10.1145/1217975

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

  1. ACL2
  2. certification
  3. cryptography
  4. high-assurance
  5. processor modeling
  6. symbolic simulation
  7. theorem proving

Cited By

  • (2020) CoCon: A Conference Management System with Formally Verified Document Confidentiality. Journal of Automated Reasoning, DOI: 10.1007/s10817-020-09566-9, online 16 Jul 2020.
  • (2019) Milestones from the Pure Lisp theorem prover to ACL2. Formal Aspects of Computing, DOI: 10.1007/s00165-019-00490-3, online 30 Jul 2019.
  • (2018) CoSMed. Journal of Automated Reasoning 61(1-4), 113-139, DOI: 10.1007/s10817-017-9443-3, online 1 Jun 2018.
  • (2017) Term-Level Reasoning in Support of Bit-blasting. Electronic Proceedings in Theoretical Computer Science 249, 95-111, DOI: 10.4204/EPTCS.249.7, online 2 May 2017.
  • (2017) CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees. 2017 IEEE Symposium on Security and Privacy (SP), 729-748, DOI: 10.1109/SP.2017.24, May 2017.
  • (2017) Engineering a Formal, Executable x86 ISA Simulator for Software Verification. Provably Correct Systems, 173-209, DOI: 10.1007/978-3-319-48628-4_8, online 2 Mar 2017.
  • (2016) CoSMed: A Confidentiality-Verified Social Media Platform. Interactive Theorem Proving, 87-106, DOI: 10.1007/978-3-319-43144-4_6, online 7 Aug 2016.
  • (2014) Comprehensive formal verification of an OS microkernel. ACM Transactions on Computer Systems 32(1), 1-70, DOI: 10.1145/2560537, online 26 Feb 2014.
  • (2014) Microcode Verification: Another Piece of the Microprocessor Verification Puzzle. Interactive Theorem Proving, 1-16, DOI: 10.1007/978-3-319-08970-6_1, 2014.
  • (2013) Machine code verification of a tiny ARM hypervisor. Proceedings of the 3rd international workshop on Trustworthy embedded devices, 3-12, DOI: 10.1145/2517300.2517302, online 4 Nov 2013.