Combining several paradigms for circuit validation and verification

1
Combining several paradigms for circuit
validation and verification

• Ghiath Al Sammane, Dominique Borrione, Emil
  Dumitrescu, Diana Toma
• TIMA Laboratory - VDS Group
• Grenoble, France

2
Motivations

• Question is the hardware design correct?
• Formal methods supported by industrial tools at
  RTL and below
• Early behavioral specification ad hoc
  verification, essentially by simulation (Matlab,
  SystemC)
• Compliance of the synthesizable level
  (Verilog/VHDL) not proven
• Objective
• Specification validation
• Implementation verification
• Before reaching the RTL level

3
(No Transcript)
4
Description / Specification formalisms
VHDL
System C
CHP PSL
Semantic studies, Modeling, Specialized
translators
Correct Implementation Verification
Validation / Verification Objectives
Functional Validation
Property Verification
Equivalence
Symbolic Simulation
Theorem Proving
Model Checking


Processing Techniques
Tools from external sources
Formal Check
Rule Base
SMV
ACL2
Mathematica
VIS
5
First illustration ISIA2 project

• Design of a chip for secure transmissions
• Our participation
• Validation of the hash block, designed by L2MP
• Specification standardized Secure Hash Algorithm
  (SHA)

Functional Model
VHDL File
Functional verification with ACL2
Textual Description FIPS180-2
ACL2 Formalization and Verification
6
First illustration ISIA2 project

• Design of a chip for secure transmissions
• Our participation
• Validation of the hash block, designed by L2MP
• Specification standardized Secure Hash Algorithm

Functional Model
VHDL File
Functional verification with ACL2
Textual Description FIPS180-2
ACL2 Formalization and Verification
7
SHA Properties

• Process a message to produce a condensed
  representation called message digest
• One way hash functions
• Any change to the message will result in a
  different message digest

Algorithm Message size Block size Word size Message digest size Security
SHA-1 lt264 512 32 160 280
SHA-256 lt264 512 32 256 2128
SHA-384 lt2128 1024 64 384 2192
SHA-512 lt2128 1024 64 512 2256
8
SHA Properties

• Process a message to produce a condensed
  representation called message digest
• One way hash functions
• Any change to the message will result in a
  different message digest

Algorithm Message size Block size Word size Message digest size Security
SHA-1 lt264 512 32 160 280
SHA-256 lt264 512 32 256 2128
SHA-384 lt2128 1024 64 384 2192
SHA-512 lt2128 1024 64 512 2256
9
SHA Properties

• Process a message to produce a condensed
  representation called message digest
• One way hash functions
• Any change to the message will result in a
  different message digest

Algorithm Message size Block size Word size Message digest size Security
SHA-1 lt264 512 32 160 280
SHA-256 lt264 512 32 256 2128
SHA-384 lt2128 1024 64 384 2192
SHA-512 lt2128 1024 64 512 2256
10
SHA Algorithm
Message M
Preprocesing Step
Padding
Parsing
M2
MK
M1

Initial Hash Value
H1
HK1
H2
H3
HK
digest
digest
digest
Final Digest
11
Padding

• Two cases
• on one block example abc
• on several blocks

first block
last block
last two blocks
12
Padding Validation

• Formalization
• Straightforward Lisp function
• A set of theorems are proven with ACL2
• The padded message is a bit vector
• The length of the padded message is a multiple of
  512
• The length of the padded message is greater or
  equal to 512
• The last 64 bits of the padded message represent
  the length of M
• The first len (M) bits of the padded message hold
  the initial message
• The bit at position len in the padded message is
  an end-mark 1
• The bits between the end-mark bit and the last 64
  bits are all 0

13
Parsing

• Splits the padded message into N-bit blocks
• (512 for SHA-1 and SHA-256 1024 for the others)
• Formalized by a recursive function in Lisp
• A set of theorems are proven with ACL2
• If len (l) is a multiple of n, the result is a
  list L of blocks of equal length n
• The number of blocks is len (l) / n
• After parsing the padded message, the result is a
  vector of words, each of 512 bits.

14
Computation step for one block digest
W16
15
Computation step for one block digest
W16
1
16
Computation step for one block digest
W16
1
F
17
Computation step for one block digest
W16
1
F
18
Computation step for one block digest
W16
1
F
19
Computation step for one block digest
W17
1
F
20
Computation of the message digest

• For each block of 512 bits
• Apply 80 block digest steps
• Compute the hash values for the next block
• Global function
• Recursive in the number of blocks of M
• Direct translation of the standard
• SHA1 (M) digest (parsing (padding(M), 512),
  H_INIT)
• Main Theorem
• The result is a 5 word digest

21
Extracting the model of the implementation

• Should be automatic
• Should provide same results as VHDL on same
  numeric test vectors
• Same kind of formalization as the specification

Functional Model
VHDL File
Functional verification with ACL2
Textual Description FIPS180-2
ACL2 Formalization and Verification
22
Sha-1
clk
ram_sel
sha_fsm
reset
busy
nb_block
ram_write
etat
start
reset_done
done
bl
l_block
k
cnt
etatout
sha_algorithm
count
a
k
etat
b
l_block
cnt
c
ram_rdata32
ram_wdata32
d
base_addr
e
ram_addr
result_addr
wi32
t
23
Cycle level VHDL model

• Execution of the VHDL simulation algorithm for
  one clock cycle
• Intermediate signals and non memorising variables
  of the source VHDL design are eliminated
• Symbolic simulation system and symbolic rewriting
  of expressions performed with Mathematica
• Extraction of one transition function of each
  output and each state element of the resulting
  FSM
• No limitation to the logic data types

24
Main theorem
Registers
Outputs
Registers
Outputs
a x
b x
c x
d x
e x
wi32 x
t x
count x
bl x
k x
etat x
cnt x
l_bloc x
a 0
b 0
c 0
d 0
e 0
wi32 0
t 0
count 0
bl 0
k 0
etat idle
cnt 0
l_bloc 0
ram_addr x
ram_wdata32 x
ram_sel x
ram_write x
busy x
done x
ram_addr result
ram_wdata32 0
ram_sel 0
ram_write 0
busy 0
done 1
6n347
Ram
Ram
result
Message Digest
base
Modified Message
25
Functional verification

• Main Theorem
• For all
• n, positive integer
• RAM(base, result),
• message of size n blocks
• After executing the VHDL SHA1 circuit model,
  during 6 (347 n) clock cycles, the system is
  in its final state (done1) and the expected
  message digest is found at address result in the
  RAM

6 347n
26
Partial conclusion

• Formalization of SHA algorithms and verification
  of safety theorems
• Development of a book for bit vectors
  represented as lists with high order bits on the
  left, closer to the VHDL bit vectors
  representation.
• Numeric execution on the tests provided in the
  standard document on both models
• Prove correctness of SHA implementation

Symbolic Simulation
VHDL File
Functional verification with ACL2
Automatic
Textual Description
ACL2 Formalization and Verification
Manual
27
Description / Specification formalisms
VHDL
System C
CHP PSL
Semantic studies, Modeling, Specialized
translators
Correct Implementation Verification
Validation / Verification Objectives
Functional Validation
Property Verification
Equivalence
Symbolic Simulation
Theorem Proving
Model Checking


Processing Techniques
Tools from external sources
Rule Base
Formal Check
SMV
ACL2
Mathematica
VIS
28
Second illustration cache controller
cache SRAM banks
1
2
8
val req addr
32 bit data
128-bits

• quantitative figures
• 300 input ports
• 1000 output ports
• 1000 flip-flops

DMA engine
fetch stall
status
DSP fetch
128 bit instruction word
val req addr dw
command ports
val req addr
29
Formal Validation Strategies

• Circuit too big for brute force property
  verification
• Data reduction
• Symmetry
• Still too big, and structural decomposition
  impossible
• Functional decomposition
• Identification of operative modes
• Verify properties in the appropriate operative
  mode
• Tools must support the strategies

30
Modeling a hardware boot reset

• active at power-up to initialize memory
  elements
• inactive forever
• modeling resets avoids
  spurious counter-examples

initial state
rst lt 0
rst lt 0
Design under verification
rst
X


rst lt 1
31
Sequential decomposition

• symbolically simulate the design until the
  desired operating mode is reached
• use the specification to find appropriate
  simulation patterns
• Perform on-the-fly cone of influence
  simplifications
• check that the operating mode is indeed reached
• model-check properties relative to the specified
  operating mode

32
Results

• Operating modes
• fetch pipeline active (Op1)
• DMA engine running (Op2)

• Interesting properties
• P1 fetch pipeline is active
• P5 memory hits are answered within constant
  time
• P6 the DMA download eventually terminates

33
Implementation
Specification document
VHDL - RTL
LVS
parse tree
CTL properties
Symbolic simulation patterns
v2smv
SMV model
NuSMV
initial state
symbolic simulator
model checker
34
Conclusion

• Formal techniques can be inserted in the design
  flow from the very first specification steps
• Specifications should be executable and provable
• Synergy between various symbolic techniques
• Symbolic simulation and theorem proving
• Symbolic simulation and FSM space traversal
• Virtual modules should come with a simulation and
  a proof model
• Libraries of proven components (e.g. ACL2
   books )
• Verification strategies based on component types

35
Thank you
36
Padding Formalization

• Function padding (M)
• len length(m)
• in_last_block (len 1) mod 512
• if (M is a bitvector) and (len lt 2 64)
• L1 append (M , 1)
• if (in_last_block lt 448)
• L2 make_list (0, 448 - in_last_block )
• else
• L2 make_list (0, 960 - in_last_block )
• L1 append (L1, L2)
• L1 append (L1, to_bitvector (len, 64)
• return l1
• else return nil
• End padding

37
Principle of the proof

• Stepwise process, details are circuit specific
• For SHA1
• 6 cycles reset initialization of internal
  registers
• 347 cycles digest computation for one block
• 16 cycles read 16 32-bit words of the block
• 320 cycles compute intermediate digest (564)
• 5 cycles combine with hash values
• 5 cycles memory write
• 1 cycle ready for next block
• Step by step symbolic execution and proof of
  ancillary theorems

38
Computation of one cycle
Dynamic VHDL Rules
Mathematica Standard Rules
VHDL Static Simplification Rules
Symbolic Computation within Mathematica
LISP-like Intermediate Format
Symbolic expressions
39
Message digest

• For each block Mi of 512 bits
• 1. Parse Mi in 16 words Wi0, Wi1,, Wi15, each of
  32 bits and compute
• WijROTL1(Wij-3?Wij-8?Wij-14?Wij-16), 16ltjlt80
• (defun prepare (M-i)
• (if (wordp M-i 512)
• (prepare-ac 16 (parsing M-i 32))
• nil))
• (defun prepare-ac (j M-i)
• (declare (xargs measure (acl2-count (- 80 j))))
• (if (and (integerp j) (lt 16 j) (wvp M-i 32))
• (cond ((lt 80 j) M-i)
• ((lt j 79)
• (prepare-ac (1 j) (append M-i
• (list (rotl 1 (bv-xor (nth (- j
  3) M-i)
• (nth (- j
  8) M-i)
• (nth (- j
  14) M-i)
  
• (nth (- j
  16) M-i)) 32))))))
• nil))

40
Message digest

• The intermediate hash value of the block Mi is
  the input hash value of the block Mi1
• The result of applying step one to four to all K
  message blocks represents the message digest of
  message M.
• (defun sha-1 (M)
• (if (and (bvp M) (lt (len M) (expt 2 64)))
• (digest (parsing (padding M) 512) (h-1))
• nil))
• (defun digest (M hash-values)
• (if (and (wvp M 512) (wvp hash-values 32)
  (equal (len hash-values) 5))
• (if (endp M) hash-values
• (digest (cdr M)
• (intermediate-hash hash-values
• (digest-one-block
  hash-values (prepare (car M))))))
• nil))
• (defthm wvp-sha-1
• (implies (and (bvp M) (lt (len M) (expt 2 64)))
  
• (and (wvp (sha-1 M) 32) (equal (len
  (sha-1 M)) 5))))