Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Comprehensive Formal Verification of Observational Correctness for the CHERIoT-Ibex Processor

Louis-Emile Ploix, Alasdair Armstrong, Tom Melham, Ray Lin, Haolong Wang, Anastasia Courtney

TL;DR

This work tackles the challenge of formally verifying a CHERI-extended RISC-V core with compressed capabilities against a Sail specification, establishing observational correctness for the processor’s memory interactions. It introduces a Sail-to-SystemVerilog flow and a pipeline follower that synchronizes Sail evaluation with a pipelined ISA implementation, supported by a global data-type invariant to enable unbounded proofs via $k$-induction. The verification uncovers roughly 30 design bugs, including critical monotonicity violations, and demonstrates practical impact by enabling high-assurance CHERI hardware implementations such as CHERIoT-Ibex in embedded contexts. Positioned among prior CHERI verification efforts, this methodology offers a repeatable, scalable pathway for proving hard security properties in CHERI-enabled processors and informs both core verification and broader CHERI hardware development.

Abstract

The CHERI architecture equips conventional RISC ISAs with significant architectural extensions that provide a hardware-enforced mechanism for memory protection and software compartmentalisation. Architectural capabilities replace conventional integer pointers with memory addresses bound to permissions constraining their use. We present the first comprehensive formal verification of a capability extended RISC-V processor with internally 'compressed' capabilities - a concise encoding of capabilities with some resemblance to floating point number representations. The reference model for RTL correctness is a minor variant of the full and definitive ISA description written in the Sail ISA specification language. This is made accessible to formal verification tools by a prototype flow for translation of Sail into SystemVerilog. Our verification demonstrates a methodology for establishing that the processor always produces a stream of interactions with memory that is identical to that specified in Sail, when started in the same initial state. We additionally establish liveness. This abstract, microarchitecture-independent observational correctness property provides a comprehensive and clear assurance of functional correctness for the CHERIoT-Ibex processor's observable interactions with memory.

Comprehensive Formal Verification of Observational Correctness for the CHERIoT-Ibex Processor

TL;DR

This work tackles the challenge of formally verifying a CHERI-extended RISC-V core with compressed capabilities against a Sail specification, establishing observational correctness for the processor’s memory interactions. It introduces a Sail-to-SystemVerilog flow and a pipeline follower that synchronizes Sail evaluation with a pipelined ISA implementation, supported by a global data-type invariant to enable unbounded proofs via -induction. The verification uncovers roughly 30 design bugs, including critical monotonicity violations, and demonstrates practical impact by enabling high-assurance CHERI hardware implementations such as CHERIoT-Ibex in embedded contexts. Positioned among prior CHERI verification efforts, this methodology offers a repeatable, scalable pathway for proving hard security properties in CHERI-enabled processors and informs both core verification and broader CHERI hardware development.

Abstract

The CHERI architecture equips conventional RISC ISAs with significant architectural extensions that provide a hardware-enforced mechanism for memory protection and software compartmentalisation. Architectural capabilities replace conventional integer pointers with memory addresses bound to permissions constraining their use. We present the first comprehensive formal verification of a capability extended RISC-V processor with internally 'compressed' capabilities - a concise encoding of capabilities with some resemblance to floating point number representations. The reference model for RTL correctness is a minor variant of the full and definitive ISA description written in the Sail ISA specification language. This is made accessible to formal verification tools by a prototype flow for translation of Sail into SystemVerilog. Our verification demonstrates a methodology for establishing that the processor always produces a stream of interactions with memory that is identical to that specified in Sail, when started in the same initial state. We additionally establish liveness. This abstract, microarchitecture-independent observational correctness property provides a comprehensive and clear assurance of functional correctness for the CHERIoT-Ibex processor's observable interactions with memory.

Paper Structure

This paper contains 32 sections, 12 equations, 2 figures, 1 algorithm.

Table of Contents

  1. Introduction
  2. Contributions
  3. Background on CHERI and CHERIoT-Ibex
  4. CHERIoT and CHERIoT-Ibex
  5. Methodology Overview
  6. Integrating the Sail Specification
  7. Compilation of Sail Specifications to SystemVerilog
  8. Sail Specification Modifications
  9. Global Data-Type Invariant
  10. End-to-End Instruction Correctness
  11. The Pipeline Follower
  12. State Abstraction
  13. Memory
  14. Memory Correctness Properties
  15. Constraint on Capabilities coming from Memory
  16. ...and 17 more sections

Figures (2)

  • Figure 1: CHERIoT-Ibex pipeline with specification installed using a pipeline follower.
  • Figure 2: List of bugs found in CHERIoT-Ibex CHERIoT-Ibex-issues. The PMP (and arguable NMI) bugs are relevant only to vanilla Ibex.