## Mechanized Certification of Secure Hardware Designs (2007)

Citations: 1 (0 self)

### BibTeX

```bibtex
@MISC{Ray07mechanizedcertification,
  author = {Sandip Ray and Warren A. Hunt, Jr.},
  title  = {Mechanized Certification of Secure Hardware Designs},
  year   = {2007}
}
```


### Abstract

We develop a framework for mechanized certification of secure hardware systems built out of commercial off-the-shelf (COTS) components purchased from untrusted vendors. Certification requires a guarantee that the fabricated system satisfies the requisite safety and security properties. Our framework facilitates this by (1) providing an unambiguous description of the requirements specification in a formal, computational logic, (2) a formalized hardware description language (HDL) to describe the implementation, and (3) mechanical tools and techniques for providing a certification of correctness and security. We illustrate the use of the framework in certifying the correctness and security properties of the netlist implementation of a voting machine using the ACL2 theorem prover.

### Citations

- 548 citations: A computational logic - Boyer, Moore - 1979
- 466 citations: The existence of refinement mappings - Abadi, Lamport - 1991
  Citation context: "... that the formulas in Fig. 4 are theorems. The theorems imply that every good execution of the implementation is matched by the specification and essentially formalize the notion of trace containment [2] in ACL2, where containment is restricted to good traces. 2 Note that the specification needs to match the implementation only for good transitions. Contrast this with our approach of defining spec as..."
- 285 citations: Computer-Aided Reasoning: An Approach - Kaufmann, Manolios, et al. - 2000
  Citation context: "...SA. hunt@cs.utexas.edu infrastructural support necessary for the certification of security-critical hardware designs. The formal foundational basis for our framework is provided by the ACL2 system [9]. ACL2 is a general-purpose theorem prover supporting a first-order logic with induction up to ε0. ACL2 has been successfully used in the formal analysis of a slew of computing systems, ranging from p..."
- 201 citations: The Verilog Hardware Description Language - Thomas, Moorby - 1998
  Citation context: "... a language with formal and unambiguous semantics. However, in practice, hardware designs are typically implemented in some commercial Hardware Description Language (HDL) such as VHDL [4] and Verilog [18]. These HDLs need to satisfy several disparate goals other than formal verification, namely ease of use, simulation speed, etc. As a result, most commercial HDLs are large, unwieldy, and in parts poor..."
- 77 citations: An approach to systems verification - Bevier, Hunt, et al. - 1989
  Citation context: "...ols in the same formal framework; secondly, the logic has high execution support; third, the theorem prover has been extensively used in the verification of systems at different levels of abstraction [3]. However, we believe that it is possible to port the framework to any other theorem prover that provides strong support to executability and symbolic rewriting. We have illustrated an approach to mec..."
- 49 citations: Structured Theory Development for a Mechanized Logic - Kaufmann, Moore
- 39 citations: Trace Table Based Approach for Pipeline Microprocessor Verification - Sawada, Hunt - 1997
  Citation context: "... first-order logic with induction up to ε0. ACL2 has been successfully used in the formal analysis of a slew of computing systems, ranging from pipelined microprocessors to JVM byte codes [13], [15], [17], [11]. In our framework we make critical use of the mechanical reasoning engine of ACL2, and in particular its support for efficient function execution which facilitates validation of the formal mode..."
- 37 citations: Design goals for ACL2 - Kaufmann, JS - 1994
- 30 citations: A mechanically checked proof of IEEE compliance of a register-transfer-level specification of the AMD-K7 floating-point multiplication, division, and square root instructions - Russinoff - 1998
  Citation context: "...ting a first-order logic with induction up to ε0. ACL2 has been successfully used in the formal analysis of a slew of computing systems, ranging from pipelined microprocessors to JVM byte codes [13], [15], [17], [11]. In our framework we make critical use of the mechanical reasoning engine of ACL2, and in particular its support for efficient function execution which facilitates validation of the forma..."
- 21 citations: Executable JVM model for analytical reasoning: a study - Liu, Moore - 2003
  Citation context: "...-order logic with induction up to ε0. ACL2 has been successfully used in the formal analysis of a slew of computing systems, ranging from pipelined microprocessors to JVM byte codes [13], [15], [17], [11]. In our framework we make critical use of the mechanical reasoning engine of ACL2, and in particular its support for efficient function execution which facilitates validation of the formal models by ..."
- 20 citations: A summary of intrinsic partitioning verification - Greve, Richards, et al. - 2004
  Citation context: "...ently, in the E language this observation has been used to develop different built-in interpreters of the same module, including information-flow interpreter discussed here. AAMP7 TM processor design [6]. We have found that ACL2 is well-suited to serve as a mechanized framework for designing high-assurance systems for several reasons. The language of ACL2 is a programming language, namely Applicative..."
- 15 citations: Efficient rewriting of data structures in ACL2 - Kaufmann, Sumners - 2002
  Citation context: "...ck (case status (:ready (>s :tvote0 0 :tvote1 0)) .... (t s))) (:freeze (>s :status :frozen :tally ...)) (t s)))) Fig. 1. Fragment of a Voting Machine Specification. Here we use the ACL2 records book [10] to update and access machine components; (status s), (opcode i), etc., are accessors, >s is a macro for updating fields of record s, and > updates the empty record. thus requires a semantic embedding..."
- 13 citations: Certifying compositional model checking algorithms in ACL2 - Ray, Matthews, et al. - 2003
  Citation context: "...ors, >s is a macro for updating fields of record s, and > updates the empty record. thus requires a semantic embedding of temporal logic, which is cumbersome because of the first-order nature of ACL2 [14]. However, to use operational specifications, we must additionally formalize a notion of correspondence between the state machines. We address this in Section IV. III. IMPLEMENTATION Having described ..."
- 12 citations: Applications of the DE2 language - Reeber - 2006
  Citation context: ".... The utility of such a verification then rests upon the assumption that the encoding faithfully reflects the actual implementation. Our solution to this problem is the development of the DE language [8]. 1 DE is a hierarchical, occurrence-oriented HDL with a formal semantics defined by a deep embedding in the logic of ACL2. Figure 2 shows a fragment of the netlist representation of our voting machin..."
- 10 citations: Single-threaded objects in ACL2 - Boyer, Moore
- 9 citations: Linking Model-checking and Theorem-proving with Well-founded Bisimulations - Manolios, Namjoshi, et al. - 1999
  Citation context: "...mantic functions) that mimic the workings of each module and prove theorems 2 It is sometimes more convenient to use trace containment under stuttering to relate to machines at different abstractions [12]. We do not discuss stuttering in this paper. (defun 4btnt (n) (and (equal (assoc-eq '4-bit-ctr n) '(4-bit-ctr (incr reset-) ...)) (1btnt (delete-eq-module '4-bit-ctr n)))) (defthm 4-bit-ctr-se-eval (..."
- 8 citations: The DUAL-EVAL Hardware Description Language and - Brock, Jr - 1997
  Citation context: "...emantics: the above definitions together with the primitive evaluators constitute the entire language definition. The regularity and economy of 1 The DE language is the successor of the DUAL-EVAL HDL [5], and is an evolving project [7], [8]. The version of DE used in the analysis described here is called DE4. Recently, Boyer and Hunt have developed a version of the language, called E with a number of..."
- 8 citations: Efficient execution in an automated reasoning environment - Greve, Kaufmann, et al.
- 7 citations: The DE language - Hunt - 2000
  Citation context: "...together with the primitive evaluators constitute the entire language definition. The regularity and economy of 1 The DE language is the successor of the DUAL-EVAL HDL [5], and is an evolving project [7], [8]. The version of DE used in the analysis described here is called DE4. Recently, Boyer and Hunt have developed a version of the language, called E with a number of sophisticated analysis capabili..."
- 5 citations: A Mechanically Checked Proof of the Kernel of the AMD5K86 Floating-point Division Algorithm - Moore, Lynch, et al. - 1998
  Citation context: "...supporting a first-order logic with induction up to ε0. ACL2 has been successfully used in the formal analysis of a slew of computing systems, ranging from pipelined microprocessors to JVM byte codes [13], [15], [17], [11]. In our framework we make critical use of the mechanical reasoning engine of ACL2, and in particular its support for efficient function execution which facilitates validation of the..."
- 4 citations: RTL Verification: A Floating Point Multiplier - Russinoff, Flatau - 2000
  Citation context: "...need to satisfy several disparate goals other than formal verification, namely ease of use, simulation speed, etc. As a result, most commercial HDLs are large, unwieldy, and in parts poorly specified [16]. Therefore, formal analysis of a hardware design written in a commercial HDL has been traditionally restricted to some alternative encoding of the underlying algorithm written (typically by a human) ..."