

# School of Computer Science & Engineering Trustworthy Systems Group



## High-Fidelity Specification of Real-World Devices

Liam Murphy <sup>1</sup> Albert Rizaldi <sup>2</sup> Lesley Rossouw <sup>1</sup>

Chen George 3 James Treloar 1 Hammond Pearce 1

Miki Tanaka <sup>1</sup> Gernot Heiser <sup>1</sup>

<sup>1</sup>UNSW Sydney <sup>2</sup>PlanV GmbH <sup>3</sup>University of Wisconsin - Madison

**PLOS '25** 



## Background



## Who Are We?





## Who Are We?





## Who Are We?







 Device driver bugs are a major source of OS vulnerabilities



- Device driver bugs are a major source of OS vulnerabilities
  - Cause of majority of Linux CVEs from 2018-2022 [Pohjola et al. 2023]



- Device driver bugs are a major source of OS vulnerabilities
  - Cause of majority of Linux CVEs from 2018-2022 [Pohjola et al. 2023]
- Dominant cause of Linux driver bugs is device-protocol violations [Ryzhyk et al. 2009]



Causes of Linux driver bugs (2002–2008)





- Device driver bugs are a major source of OS vulnerabilities
  - Cause of majority of Linux CVEs from 2018-2022 [Pohjola et al. 2023]
- Dominant cause of Linux driver bugs is device-protocol violations [Ryzhyk et al. 2009]
  - Without knowledge of the device protocol, formal verification cannot prevent these



Causes of Linux driver bugs (2002–2008)





• Prevent device-protocol bugs by:



- Prevent device-protocol bugs by:
  - Formally specifying device interfaces

Device specification



- Prevent device-protocol bugs by:
  - Formally specifying device interfaces
  - Verifying these specifications against the device implementation





- Prevent device-protocol bugs by:
  - Formally specifying device interfaces
  - Verifying these specifications against the device implementation
- Future work: driver verification



## Overview



- Target hardware
- Verification approach
- Specification format
- Application
- Status

© Liam Murphy 2025, CC-BY-SA 4.0





#### Cheshire









#### Cheshire





|                  | Verilog | Driver | HOL spec |
|------------------|---------|--------|----------|
| I <sup>2</sup> C | 5993    | 713    | 1414     |
| SPI              | 4609    | 864    | 1235     |
| Ethernet         | 3987    | 641    | N/A      |



## Verification Approach



• HOL4 theorem prover



- HOL4 theorem prover
- HOL4 Verilog formalisation [Lööw and Myreen 2019]:



- HOL4 theorem prover
- HOL4 Verilog formalisation [Lööw and Myreen 2019]:
  - Semantics for Verilog AST

Verilog AST



- HOL4 theorem prover
- HOL4 Verilog formalisation [Lööw and Myreen 2019]:
  - Semantics for Verilog AST
  - Semantics for functional representation

Functional Representation

Verilog AST





- HOL4 theorem prover
- HOL4 Verilog formalisation [Lööw and Myreen 2019]:
  - Semantics for Verilog AST
  - Semantics for functional representation
  - Proof-producing translator from functional to AST





- HOL4 theorem prover
- HOL4 Verilog formalisation [Lööw and Myreen 2019]:
  - Semantics for Verilog AST
  - Semantics for functional representation
  - Proof-producing translator from functional to AST
  - Pretty-printer for deep embedding





- HOL4 theorem prover
- HOL4 Verilog formalisation [Lööw and Myreen 2019]:
  - Semantics for Verilog AST
  - Semantics for functional representation
  - Proof-producing translator from functional to AST
  - Pretty-printer for deep embedding
- Problem: need opposite direction









- Workaround:
  - Manually translate Verilog to functional representation





- Manually translate Verilog to functional representation
- Translate and export into Verilog





- Manually translate Verilog to functional representation
- Translate and export into Verilog





- Manually translate Verilog to functional representation
- Translate and export into Verilog
- Use equivalence-checker (eqy) to prove equivalence to original Verilog





- Workaround:
  - Manually translate Verilog to functional representation
  - Translate and export into Verilog
  - Use equivalence-checker (eqy) to prove equivalence to original Verilog
- Finally, prove that functional representation refines specification





## **Specification Format**

## **Specification Format**





## **Specification Format**





# **Specification Format**





# **Specification Format**





# **Specification Format**







• Model can be non-deterministic



- Model can be non-deterministic
  - Inputs not controlled by driver



- Model can be non-deterministic
  - Inputs not controlled by driver
  - Underspecification



- Model can be non-deterministic
  - Inputs not controlled by driver
  - Underspecification
- f only returns one possible state



- Model can be non-deterministic
  - Inputs not controlled by driver
  - Underspecification
- f only returns one possible state
- Determined by fnums infinite stream of numbers



- Model can be non-deterministic
  - Inputs not controlled by driver
  - Underspecification
- f only returns one possible state
- Determined by fnums infinite stream of numbers
- To obtain set of all possible states, try all fnums





# Application to Cheshire























Format of Cheshire peripheral specifications:

```
cheshire_run tick read write:
   state -> req option list ->
   ffi_outcome + state # word32 option list
```



Format of Cheshire peripheral specifications:

```
cheshire_run tick read write:
   state -> req option list ->
   ffi_outcome + state # word32 option list
```

Input instantiated with optional MMIO request



Format of Cheshire peripheral specifications:

```
cheshire_run tick read write:
   state -> req option list ->
   ffi_outcome + state # word32 option list
```

- Input instantiated with optional MMIO request
- Output instantiated with response to read requests



Format of Cheshire peripheral specifications:

```
cheshire_run tick read write:
   state -> req option list ->
   ffi_outcome + state # word32 option list
```

- Input instantiated with optional MMIO request
- Output instantiated with response to read requests
- Executes multiple cycles



```
cheshire_run tick read write:
   state -> req option list ->
   ffi_outcome + state # word32 option list
```

• tick represents core logic



```
cheshire_run tick read write:
   state -> req option list ->
   ffi_outcome + state # word32 option list
```

- tick represents core logic
- read, write and cheshire\_run represent address-decoding logic



# Status



#### Status



|                           | l <sup>2</sup> C |              | SPI              |      |
|---------------------------|------------------|--------------|------------------|------|
|                           | Address-decoding | Core         | Address-decoding | Core |
| Specification             | <b>√</b>         | ✓            | <b>√</b>         | ✓    |
| Functional Representation | $\checkmark$     | $\checkmark$ | $\checkmark$     | WIP  |
| Equivalence-checking      | $\checkmark$     | WIP          | $\checkmark$     | WIP  |
| Correctness proof         | ✓                | Almost!      | $\checkmark$     | WIP  |

#### Questions?





Note

UNSW is recruiting OS faculty members - talk to Gernot if you're interested



#### References



- Pohjola, Johannes Åman et al. (Oct. 2023). "Pancake: Verified Systems Programming Made Sweeter". In: Workshop on Programming Languages and Operating Systems (PLOS). Koblenz, DE.
- Ryzhyk, Leonid et al. (Apr. 2009). "Dingo: Taming Device Drivers". In: EuroSys Conference. Nuremberg, DE, pp. 275–288.
- Lööw, Andreas and Magnus O. Myreen (2019). "A proof-producing translator for Verilog development in HOL". In: Proceedings of the International Workshop on Formal Methods in Software Engineering (FormaliSE@ICSE), pp. 99–108.