Combining several paradigms for circuit validation and verification
Ghiath Al Sammane, Dominique Borrione, Emil Dumitrescu, Diana Toma
TIMA Laboratory - VDS Group
Grenoble, France
VDS
CASSIS'04 - 13 March
Motivations
• Question: is the hardware design correct?
– Formal methods supported by industrial tools at RTL and below
– Early behavioral specification: ad hoc verification, essentially by simulation (Matlab, SystemC)
– Compliance of the synthesizable level (Verilog/VHDL) not proven
• Objective
– Specification validation
– Implementation verification
– Before reaching the RTL level
[Figure: overview of the VDS verification framework. Description / specification formalisms: VHDL, SystemC, CHP, …, PSL. Semantic studies, modeling, specialized translators. Validation / verification objectives: correct implementation verification, functional validation, property verification. Processing techniques: equivalence, theorem proving, symbolic simulation, model checking. Tools from external sources: ACL2, Mathematica, SMV, FormalCheck, VIS, RuleBase.]
First illustration: ISIA2 project
• Design of a chip for secure transmissions
• Our participation:
– Validation of the hash block, designed by L2MP
– Specification: standardized Secure Hash Algorithm (SHA)
[Figure: verification flow with boxes: VHDL file; functional model; textual description (FIPS180-2); ACL2 formalization and verification; functional verification with ACL2.]
SHA Properties
• Process a message to produce a condensed representation called message digest
• One way hash functions
• Any change to the message will result in a different message digest

Algorithm   Message size (bits)   Block size (bits)   Word size (bits)   Message digest size (bits)   Security
SHA-1       < 2^64                512                 32                 160                          2^80
SHA-256     < 2^64                512                 32                 256                          2^128
SHA-384     < 2^128               1024                64                 384                          2^192
SHA-512     < 2^128               1024                64                 512                          2^256
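SHA Algorithm
[Figure: message M goes through the preprocessing step (padding, parsing) and yields blocks M1, M2, …, MK; a chain of digest steps over the hash values H1, H2, H3, …, HK, HK+1 starts from the initial hash value and ends with the final digest.]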
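Padding
Two cases:
- on one block : example “abc”
  01100001 01100010 01100011 1 00…00 00…011000
  (the three bytes a, b, c; the end-mark 1; 423 zero bits; the 64-bit length field)
- on several blocks
  [Figure: padded message laid out as M, 0, len from the first block to the last block, or with M, 0, len extending over the last two blocks.]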
Padding Validation
Formalization
• Straightforward Lisp function
A set of theorems are proven with ACL2
• The padded message is a bit vector
• The length of the padded message is a multiple of 512
• The length of the padded message is greater or equal to 512
• The last 64 bits of the padded message represent the length of M
• The first len (M) bits of the padded message hold the initial message
• The bit at position len in the padded message is an end-mark ‘1’
• The bits between the end-mark bit and the last 64 bits are all ‘0’
Parsing
• Splits the padded message into N-bit blocks (512 for SHA-1 and SHA-256; 1024 for the others)
• Formalized by a recursive function in Lisp
A set of theorems are proven with ACL2
• If len (l) is a multiple of n, the result is a list L of blocks of equal length n
• The number of blocks is len (l) / n
• After parsing the padded message, the result is a vector of words, each of 512 bits.
Computation step for one block digest
[Figure: animation of one computation step. Panels show the words W0 … W15, the newly computed W16 (then W17, with W16 in the place of W0), the working variables A, B, C, D, E, the function F, and step markers 1 and 2.]
Computation of the message digest
• For each block of 512 bits
– Apply 80 block digest steps
– Compute the hash values for the next block
• Global function
– Recursive in the number of blocks of M
– Direct translation of the standard
SHA1 (M) = digest (parsing (padding(M), 512), H_INIT)
• Main Theorem
– The result is a 5 word digest
Extracting the model of the implementation
• Should be automatic
• Should provide same results as VHDL on same numeric test vectors
• Same kind of formalization as the specification
Sha-1
[Figure: block diagram of the Sha-1 VHDL design with two components, sha_fsm and sha_algorithm. Signal names shown: clk, reset, nb_block, start, reset_done, ram_sel, busy, etat, bl, l_block, etatout, k, cnt, ram_write, done, count, ram_rdata32, base_addr, result_addr, a, b, c, d, e, wi32, t, ram_wdata32, ram_addr.]
Cycle level VHDL model
[Figure: flow from the VHDL file to a LISP-like intermediate format, then symbolic simulation, then the functional model.]
• Execution of the VHDL simulation algorithm for one clock cycle
• Intermediate signals and non memorising variables of the source VHDL design are eliminated
• Symbolic simulation system and symbolic rewriting of expressions performed with Mathematica
• Extraction of one transition function of each output and each state element of the resulting FSM
• No limitation to the logic data types
Main theorem
                                          Start                 After 6+n*347 cycles
Registers :
  a, b, c, d, e, wi32, t, count, bl, k    x                     0
  etat                                    x                     idle
  cnt, l_bloc                             x                     0
Outputs :
  ram_addr                                x                     result
  ram_wdata32, ram_sel, ram_write, busy   x                     0
  done                                    x                     1
Ram :
  result                                  Initial hash values   Message Digest
  base                                    Message               Modified Message
Functional verification
Main Theorem
For all
• n, positive integer
• RAM(base, result),
• message of size n blocks
After executing the VHDL SHA1 circuit model, during 6 + (347 * n) clock cycles, the system is in its final state (done=1) and the expected message digest is found at address result in the RAM
[Figure: the functional model (from the VHDL file), run for 6 + 347*n cycles, = the ACL2 formalization and verification (from the textual description, FIPS180-2).]
Partial conclusion
• Formalization of SHA algorithms and verification of safety theorems
• Development of a “book” for bit vectors represented as lists with high order bits on the left, closer to the VHDL bit vectors representation.
• Numeric execution on the tests provided in the standard document on both models
• Prove correctness of SHA implementation
[Figure: the verification flow with its automatic and manual parts marked. Boxes: VHDL file; symbolic simulation; textual description; ACL2 formalization and verification; functional verification with ACL2.]
Second illustration: cache controller
[Figure: block diagram of the cache controller. Labels shown: cache SRAM banks 1, 2, … 8; 32 bit data; 128-bits; DMA engine; DSP fetch of a 128 bit instruction word (fetch, stall); status; command ports; port signals val, req, addr, dw.]
• quantitative figures:
- 300 input ports
- 1000 output ports
- 1000 flip-flops
Formal Validation Strategies
• Circuit too big for brute force property verification
– Data reduction
– Symmetry
• Still too big, and structural decomposition impossible
– Functional decomposition
– Identification of operative modes
– Verify properties in the appropriate operative mode
• Tools must support the strategies
Modeling a “hardware boot” : reset
- active at power-up to initialize memory elements
- inactive forever
modeling resets avoids spurious counter-examples
[Figure: a small state machine, starting in its initial state, drives the rst input of the design under verification; transition labels: rst <= 1, rst <= 0, rst <= 0.]
Sequential decomposition
• symbolically simulate the design until the desired operating mode is reached
– use the specification to find appropriate simulation patterns
– perform on-the-fly cone of influence simplifications
• check that the operating mode is indeed reached
• model-check properties relative to the specified operating mode
Results
• Operating modes :
- fetch pipeline active (Op1)
- DMA engine running (Op2)
• Interesting properties :
- P1 : fetch pipeline is active
- P5 : memory hits are answered within constant time
- P6 : the DMA download eventually terminates
Properties: P1, P2, P3, P4, P5, P6
Time(sec)/Memory(MB): with symbolic simulation, without symbolic simulation
Simulation pattern
Op1
Op2
20/21
90/48
30/26
130/54
1300/245
90/18
120/20
2900/392
70/48
80/45
90/16
Killed at 7200/400
Implementation
[Figure: tool flow. Boxes: VHDL - RTL; LVS; parse tree; v2smv; SMV model; specification document; CTL properties; symbolic simulation patterns; symbolic simulator; initial state; NuSMV model checker.]
Conclusion
• Formal techniques can be inserted in the design flow from the very first specification steps
• Specifications should be executable and provable
• Synergy between various symbolic techniques
– Symbolic simulation and theorem proving
– Symbolic simulation and FSM space traversal
• Virtual modules should come with a simulation and a proof model
– Libraries of proven components (e.g. ACL2 « books »)
• Verification strategies based on component types
Padding Formalization
Function padding (M)
  len = length (M)
  in_last_block = (len + 1) mod 512
  if (M is a bitvector) and (len < 2^64)
    L1 = append (M, 1)
    if (in_last_block <= 448)
      L2 = make_list (0, 448 - in_last_block)
    else
      L2 = make_list (0, 960 - in_last_block)
    L1 = append (L1, L2)
    L1 = append (L1, to_bitvector (len, 64))
    return L1
  else return nil
End padding
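The padding pseudo-code above, together with the properties listed on the Padding Validation and Parsing slides, as an added Python example (not the authors' ACL2 book). It evaluates each property on concrete messages, which is testing on sample inputs rather than the ACL2 proof; the helper names `to_bits`, `padding_properties_hold`, `parsing_properties_hold`, `check_all` and the list of message lengths are assumptions of this sketch.

```python
def to_bits(data):
    """Bytes -> bit list, high-order bit first (the slides' bit-vector convention)."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def padding(m):
    """Follows the slide's pseudo-code; None stands in for nil."""
    n = len(m)
    if any(b not in (0, 1) for b in m) or n >= 2**64:
        return None
    in_last_block = (n + 1) % 512
    zeros = (448 if in_last_block <= 448 else 960) - in_last_block
    length_field = [(n >> i) & 1 for i in range(63, -1, -1)]
    return list(m) + [1] + [0] * zeros + length_field

def parsing(bits, n):
    """Split a bit list into consecutive n-bit blocks."""
    return [bits[i:i + n] for i in range(0, len(bits), n)]

def padding_properties_hold(m):
    """The seven padding theorems, evaluated on one concrete message."""
    p, n = padding(m), len(m)
    return (all(b in (0, 1) for b in p)                    # bit vector
            and len(p) % 512 == 0                          # multiple of 512
            and len(p) >= 512                              # at least one block
            and int("".join(map(str, p[-64:])), 2) == n    # last 64 bits = len(M)
            and p[:n] == list(m)                           # message preserved
            and p[n] == 1                                  # end-mark
            and not any(p[n + 1:-64]))                     # zeros in between

def parsing_properties_hold(bits, n):
    """Equal-length blocks and block count len/n, for len a multiple of n."""
    blocks = parsing(bits, n)
    return all(len(b) == n for b in blocks) and len(blocks) == len(bits) // n

# Constructed inputs: lengths on both sides of the one-block / two-block boundary.
BOUNDARY_LENGTHS = [0, 1, 24, 446, 447, 448, 511, 512, 959, 960, 1000]

def check_all():
    padded = [padding([1] * n) for n in BOUNDARY_LENGTHS]
    return (all(padding_properties_hold([1] * n) for n in BOUNDARY_LENGTHS)
            and all(parsing_properties_hold(p, 512) for p in padded))

if __name__ == "__main__":
    print("abc pads to", len(padding(to_bits(b"abc"))), "bits; all checks:", check_all())
```

The lengths 447 and 448 are the interesting pair: the first still fits in one block, the second forces the length field into a second block.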
Principle of the proof
• Stepwise process, details are circuit specific
• For SHA1 :
– 6 cycles: reset + initialization of internal registers
– 347 cycles: digest computation for one block
  • 16 cycles: read 16 32-bit words of the block
  • 320 cycles: compute intermediate digest (5*64)
  • 5 cycles: combine with hash values
  • 5 cycles: memory write
  • 1 cycle: ready for next block
– Step by step symbolic execution and proof of ancillary theorems
Computation of one cycle
[Figure: symbolic computation within Mathematica. Inputs shown: the LISP-like intermediate format and three rule sets (Mathematica standard rules, VHDL static simplification rules, dynamic VHDL rules); output shown: symbolic expressions.]
Message digest
• For each block Mi of 512 bits
1. Parse $M_i$ into 16 words $W^i_0, W^i_1, \dots, W^i_{15}$, each of 32 bits, and compute
$W^i_j = \mathrm{ROTL}^1(W^i_{j-3} \oplus W^i_{j-8} \oplus W^i_{j-14} \oplus W^i_{j-16})$, $16 \le j < 80$

; wordp, parsing, wvp, rotl and bv-xor are not shown on this slide.
(defun prepare (M-i)
  (if (wordp M-i 512)
      (prepare-ac 16 (parsing M-i 32))
      nil))

; Accumulator version: extends the 16-word list M-i up to 80 words.
(defun prepare-ac (j M-i)
  (declare (xargs :measure (acl2-count (- 80 j))))
  (if (and (integerp j) (<= 16 j) (wvp M-i 32))
      (cond ((<= 80 j) M-i)
            ((<= j 79)
             (prepare-ac (1+ j)
                         (append M-i
                                 (list (rotl 1 (bv-xor (nth (- j 3) M-i)
                                                       (nth (- j 8) M-i)
                                                       (nth (- j 14) M-i)
                                                       (nth (- j 16) M-i)) 32))))))
      nil))

2. Initialize the working variables with intermediate hash value (for M1 - initial hash value)
Message digest
• The intermediate hash value of the block Mi is the input hash value of the block Mi+1
• The result of applying steps one to four to all K message blocks represents the message digest of message M.

(defun sha-1 (M)
  (if (and (bvp M) (< (len M) (expt 2 64)))
      (digest (parsing (padding M) 512) (h-1))
      nil))

(defun digest (M hash-values)
  (if (and (wvp M 512) (wvp hash-values 32) (equal (len hash-values) 5))
      (if (endp M)
          hash-values
          (digest (cdr M)
                  (intermediate-hash hash-values
                                     (digest-one-block hash-values (prepare (car M))))))
      nil))

(defthm wvp-sha-1
  (implies (and (bvp M) (< (len M) (expt 2 64)))
           (and (wvp (sha-1 M) 32) (equal (len (sha-1 M)) 5))))
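An added Python counterpart of the ACL2 functions above (not the authors' code), working on bytes and 32-bit integers instead of bit lists and cross-checked against `hashlib`, in the spirit of the numeric execution of both models on the standard's test vectors. The round functions and constants are those of SHA-1 in FIPS 180-2; `agrees_with_reference` is a hypothetical helper name.

```python
import hashlib
import struct

H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF

def rotl(n, x):
    return ((x << n) | (x >> (32 - n))) & MASK

def prepare(block):
    """Message schedule: the block's 16 words extended to 80 (prepare / prepare-ac)."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 80):
        w.append(rotl(1, w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16]))
    return w

def digest_one_block(h, w):
    """80 block digest steps over the working variables a..e."""
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(5, a) + f + e + k + w[t]) & MASK, a, rotl(30, b), c, d
    return a, b, c, d, e

def intermediate_hash(h, working):
    return tuple((x + y) & MASK for x, y in zip(h, working))

def digest(blocks, h):
    """Recursive in the number of blocks, like the slide's digest function."""
    if not blocks:
        return h
    return digest(blocks[1:], intermediate_hash(h, digest_one_block(h, prepare(blocks[0]))))

def sha1(message):
    """SHA1(M) = digest(parsing(padding(M), 512), H_INIT), on whole bytes."""
    padded = (message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
              + struct.pack(">Q", 8 * len(message)))
    return digest([padded[i:i + 64] for i in range(0, len(padded), 64)], H_INIT)

def agrees_with_reference(message):
    """Numeric cross-check of this model against hashlib on one input."""
    return "".join(f"{w:08x}" for w in sha1(message)) == hashlib.sha1(message).hexdigest()
```

The recursion depth of `digest` grows with the number of blocks, so this form suits short test vectors rather than bulk hashing.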