A formal framework to design and prove trustworthy memory controllers

IF 1.4, Zone 4 (Computer Science), Q3 COMPUTER SCIENCE, THEORY & METHODS. Real-Time Systems. Pub Date: 2023-11-14. DOI: 10.1007/s11241-023-09411-3
Felipe Lisboa Malaquias, Mihail Asavoae, Florian Brandner
Citations: 0

Abstract

In order to prove conformance to memory standards and bound memory access latency, recently proposed real-time DRAM controllers rely on paper and pencil proofs, which can be troubling: they are difficult to read and review, they are often shown only partially and/or rely on abstractions for the sake of conciseness, and they can easily diverge from the controller implementation, as no formal link is established between both. We propose a new framework written in Coq, in which we model a DRAM controller and its expected behaviour as a formal specification. The trustworthiness in our solution is two-fold: (1) proofs that are typically done on paper and pencil are now done in Coq and thus certified by its kernel, and (2) the reviewer’s job develops into making sure that the formal specification matches the standards—instead of performing a thorough check of the mathematical formalism. Our framework provides a generic DRAM model capturing a set of controller properties as proof obligations, which all implementations must comply with. We focus on properties related to the assertiveness that timing constraints are respected, every incoming request is handled in bounded time, and the DRAM command protocol is respected. We refine our specification with two implementations based on widely-known arbitration policies— First-in First-Out (FIFO) and Time-Division Multiplexing (TDM). We extract proved code from our model and use it as a “trusted core” on a cycle-accurate DRAM simulator.

Source journal
Real-Time Systems (Engineering & Technology - Computer Science: Theory & Methods)
CiteScore: 2.90
Self-citation rate: 7.70%
Articles published: 15
Review time: 6 months
Journal description: Papers published in Real-Time Systems cover, among others, the following topics: requirements engineering, specification and verification techniques, design methods and tools, programming languages, operating systems, scheduling algorithms, architecture, hardware and interfacing, dependability and safety, distributed and other novel architectures, wired and wireless communications, wireless sensor systems, distributed databases, artificial intelligence techniques, expert systems, and application case studies. Applications are found in command and control systems, process control, automated manufacturing, flight control, avionics, space avionics and defense systems, shipborne systems, vision and robotics, pervasive and ubiquitous computing, and in an abundance of embedded systems.