## A Robust Machine Code Proof Framework for Highly Secure Applications (2006)


Venue: In Proceedings of the 2006 ACL2 Workshop

Citations: 13 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Hardin06arobust,
  author    = {David S. Hardin},
  title     = {A Robust Machine Code Proof Framework for Highly Secure Applications},
  booktitle = {In Proceedings of the 2006 ACL2 Workshop},
  year      = {2006},
  publisher = {Accepted}
}
```

### Abstract

Security-critical applications at the highest Evaluation Assurance Levels (EAL) require formal proofs of correctness in order to achieve certification. To support secure application development at the highest EALs, we have developed techniques to largely automate the process of producing proofs of correctness of machine code. As part of the Secure, High-Assurance Development Environment program, we have produced in ACL2 an executable formal model of the Rockwell Collins AAMP7G microprocessor at the instruction set level, in order to facilitate proofs of correctness about that processor’s machine code. The AAMP7G, currently in use in Rockwell Collins secure system products, supports strict time and space partitioning in hardware, and has received a U.S. National Security Agency (NSA) Multiple Independent Levels of Security (MILS) certificate based in part on a formal proof of correctness of its separation kernel microcode. Proofs of correctness of AAMP7G machine code are accomplished using the method of “compositional cutpoints”, which requires neither traditional clock functions nor a Verification Condition Generator (VCG). In this paper, we will summarize the AAMP7G architecture, detail our ACL2 model of the processor, and describe our development of the compositional cutpoint method into a robust machine code proof framework.

### Citations

- **Computer-Aided Reasoning: An Approach**, Kaufmann, Manolios, et al., 2000 (274 citations)
  Citation context: "...f framework for highly secure applications targeting the Rockwell Collins AAMP7G embedded microprocessor [1], [13], built upon an executable formal instruction set model of the AAMP7G written in ACL2 [8]. The AAMP7G is of particular interest because it supports strict time and space partitioning in hardware, and has received an NSA MILS certificate to handle Unclassified through Top Secret codeword i..."

- **High-speed analyzable simulators**, Greve, Wilding, et al., 1987 (26 citations)
  Citation context: "...s. In support of this goal, we have developed practical techniques for creating executable formal computing platform models that can both be proved correct, and also function as high-speed simulators [4], [7]. This allows us to both verify the correctness of the models, as well as validate that the formalizations accurately model what was actually designed and built. In this paper, we will present a..."

- **Inductive assertions and operational semantics**, Moore, 2003 (26 citations)

- **A summary of intrinsic partitioning verification**, Greve, Richards, et al., 2004 (20 citations)
  Citation context: "...Certificate from NSA in May 2005, enabling a single AAMP7G to concurrently process Unclassified through Top Secret codeword information. We first established a formal security policy, as described in [6]. We produced an abstract model of the AAMP7G's partitioning system, as well as a low-level model that directly corresponded to the AAMP7G microcode. We used ACL2 to automatically produce the followin..."

- **A verifying core for a cryptographic language compiler**, Pike, Shields, et al., 2006 (15 citations)
  Citation context: "...ogramming language [14]. The certifying compiler for µCryptol generates correctness statements for intermediate transformations of the compiler that are then checked automatically by a theorem prover [11]. 2. THE AAMP7G The AAMP7G is the latest in the line of Collins Adaptive Processing System (CAPS) processors and AAMP microprocessors developed by Rockwell Collins, Inc. (RCI) for use in military and..."

- **Transforming the theorem prover into a digital design tool: From concept car to off-road vehicle**, Hardin, Wilding, et al., 1998 (13 citations)
  Citation context: "...support of this goal, we have developed practical techniques for creating executable formal computing platform models that can both be proved correct, and also function as high-speed simulators [4], [7]. This allows us to both verify the correctness of the models, as well as validate that the formalizations accurately model what was actually designed and built. In this paper, we will present a code..."

- **Verification condition generation via theorem proving**, Matthews, Moore, et al., 2006 (13 citations)
  Citation context: "...cursive clique of routines at a time.) To prove the correctness theorem for a subroutine we use a proof methodology called "compositional cutpoints." Our method borrows parts of the method put forth in [9]; both methods are improvements of an earlier method described by those same authors. Cutpoint proofs require annotating the subroutine to be verified by placing assertions at some of its program loca..."

- **An advanced-architecture CMOS/SOS microprocessor**, Best, Kress, et al., 1982 (7 citations)
  Citation context: "...curately model what was actually designed and built. In this paper, we will present a code proof framework for highly secure applications targeting the Rockwell Collins AAMP7G embedded microprocessor [1], [13], built upon an executable formal instruction set model of the AAMP7G written in ACL2 [8]. The AAMP7G is of particular interest because it supports strict time and space partitioning in hardware..."

- **The Common Criteria, Formal Methods and ACL2**, Richards, Greve, et al., 2004 (4 citations)
  Citation context: "...e following: 1. Proofs validating the security model 2. Proof that the abstract model enforces the security policy 3. Proof that the low-level model corresponds to the abstract model. Richards et al. [12] discuss the use of ACL2 to meet high-assurance Common Criteria requirements. One interpretation of the requirement for low-level design models is that the low-level design model be sufficiently detail..."

- **A language for symmetric-key cryptographic algorithms and its implementation**, Shields, 2006 (4 citations). Available at http://www.cartesianclosed.com/pub/mcryptol
  Citation context: "...This secure application code can be generated from a number of sources, including traditional compilers, but also including a certifying compiler for the µCryptol cryptographic programming language [14]. The certifying compiler for µCryptol generates correctness statements for intermediate transformations of the compiler that are then checked automatically by a theorem prover [11]. 2. THE AAMP7G The..."

- **Address enumeration and reasoning over linear address spaces**, Greve, 2004 (2 citations)
  Citation context: "...odel, written in a sequential manner that reflects how the machine actually operates. The AAMP memory model is based on the linear address space book previously used in the AAMP7G partitioning proofs [5], which in turn is built on a bags library described in [16]. The AAMP7G machine state, including the architecturally-defined registers, is represented as an ACL2 single-threaded object (stobj) for pe..."

- **An ACL2 library for bags (multisets)**, Smith, Nelesen, et al., 2004 (2 citations)
  Citation context: "...machine actually operates. The AAMP memory model is based on the linear address space book previously used in the AAMP7G partitioning proofs [5], which in turn is built on a bags library described in [16]. The AAMP7G machine state, including the architecturally-defined registers, is represented as an ACL2 single-threaded object (stobj) for performance reasons. ..."

- **Compositional cutpoints for automated machine code proof**, Smith (1 citation)
  Citation context: "...the state at the end of every simulation branch satisfies its corresponding assertion.) The proof proceeds by symbolic simulation using several symbolic simulation rules, which are described fully in [15]. Among the rules are ones that: `(prove-it fact-iter ;the name of the routine :wormhole t :subroutine-calls nil ;makes for faster proofs :user-cutpoints ;; List of (PC byte offset . assertion) pairs (`..."

- **Introducing abstractions via rewriting**, Young, 2005 (1 citation)
  Citation context: "...rmalization had been adapted from the model of the Rockwell AAMP5 and was designed to be executable and faithful to the operation-level semantics. However, it was far from friendly to formal analysis [17]. In particular, the semantics is defined in terms of a complex macro mechanism that embeds in ACL2 a simple assembly-like language. On its face, this notation provides an extremely perspicuous charac..."