Aspects of Property Synthesis

An Overview of IAIK’s Background and Current Work on the Topic

Georg Hofferek, IAIK – Graz University of Technology, [email protected]

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems

Taipei, 2010-09-17


Page 1

Aspects of Property Synthesis

An Overview of IAIK’s Background and Current Work on the Topic

Georg Hofferek, IAIK – Graz University of Technology

Taipei, 2010-09-17

Page 2

Overview

Who We Are & What We Do
Property Synthesis in a Nutshell
From Strategies to Circuits
Synthesis with Uninterpreted Functions
Other Work in Our Group

Page 3

TUG – Who We Are

Graz University of Technology. Departments:
Architecture
Civil Engineering
Mechanical Engineering and Economic Sciences
Electrical and Information Engineering
Technical Mathematics and Technical Physics
Technical Chemistry, Chemical Process Engineering, Biotechnology

Department of Computer Science. Institutes:
Information Systems and Computer Media
Knowledge Management
Foundations of Computer Science
Semantic Data Analysis / Knowledge Discovery
Visual Computing
Computer Graphics and Knowledge Visualization
Software Technology
Applied Information Processing and Communications (IAIK)

Page 4

IAIK – Who We Are

IT Security & Correctness
~60 researchers
3 professors: Roderick Bloem, Reinhard Posch, Vincent Rijmen

Affiliates:
SIC – Foundation Secure Information and Communication, founded by IAIK
A-SIT – Center for Secure Information Technology

Page 5

What We Do

(Diagram: the four research areas of IAIK: Secure & Correct Systems, e-Government, VLSI, Cryptography.)

Page 6

Cryptography

(Diagram: the four research areas, with Cryptography highlighted.)

Lead: Prof. Vincent Rijmen
Design and Analysis of Ciphers (AES)
Design and Analysis of Hash Functions: Grøstl (submitted to the NIST SHA-3 competition), SHA-1 Analysis
Implementation of Cryptographic Primitives

Page 7

VLSI

(Diagram: the four research areas, with VLSI highlighted.)

Lead: Manfred Aigner
Application-specific crypto hardware, RFID
Hardware Implementation of Cryptographic Algorithms (“AES on a Grain of Sand”)
Implementation Attacks (side-channel, fault injection, etc.): Vulnerability Analysis; Design Styles & Methodologies for Attack Resistance
Security Protocols for RFID
Instruction Set Extensions (embedded systems)

Page 8

e-Government

(Diagram: the four research areas, with e-Government highlighted.)

Lead: Herbert Leitold
Austrian citizen card: Electronic identity, Electronic signature, Official signature (Amtssignatur)
Interoperability of e-identities (STORK)
Electronic delivery (legally binding)
Authenticated work flows
Modules for Online Applications (MOA)

Page 9

Secure & Correct Systems (SCoS)

(Diagram: the four research areas, with Secure & Correct Systems highlighted.)

Lead: Roderick Bloem
Java Crypto Toolkit (commercial): Implementation of Java Crypto Extensions, CCE-certified; Ciphers, hash functions, signature schemes, key management; Current focus: XML-Security (W3C), XAdES (also interoperability testing (ETSI)), ECC, CAdES
Formal Methods: Verification and Debugging, Correct by Construction
Network Security
Trusted Computing

Page 10

Formal Methods for Design & Verification

Roderick Bloem – Lead
Karin Greimel – Theory of Property Synthesis
Georg Hofferek – Practical Aspects of Property Synthesis
Robert Könighofer – Spec Debugging & Program Repair

Page 11

EU Project COCONUT (2008-2010)

Synthesizing circuits from specs: No more coding!
Efficient synthesis
Effective specifications: Robustness, Spec debugging
Transaction-level synthesis
Applications to debugging

(Diagram: Design Intent, Specification, Implementation; Synthesis leads from Specification to Implementation, Check relates Implementation back to Specification.)

Page 12

EU Project DIAMOND (2010-2012)

Automated location and correction techniques: Transaction Level (“Software” Model), Implementation Level (RT or Gate Level)
Implementation of a reasoning framework: word-level techniques; formal and semi-formal techniques; dynamic techniques

Page 13

PROPERTY SYNTHESIS IN A NUTSHELL

Page 14

Synthesis Flow

1. Write down properties of the system (in a formal way)
2. Find a winning strategy (if one exists)
3. Build combinational functions adhering to the strategy

Page 15

Open (Reactive) Systems

Infinite sequence of inputs, infinite sequence of outputs
Examples: Bus Arbiter, Lift Controller, Traffic Lights, …

(Diagram: Inputs → System → Outputs.)

Page 16

Mealy Machine

(Diagram: the system as a Mealy machine: State (Memory/Flipflops) and Combinational Logic; Inputs and the current state feed the combinational logic, which produces the Outputs and the next state.)

Page 17

Properties

A property describes a subset of all possible input/output traces of a system
“The traffic lights will show green infinitely many times for all directions.”
“The signals ack1 and ack2 will never be high at the same time.”
“Whenever the button is pushed, the lift will eventually arrive at the respective floor.”

Can be formalized in different ways: LTL Formulas, Büchi Automata, …

“What to do” vs. “How to do it”

Page 18

The Game Point of View

2 Players:
1. Environment (Inputs)
2. System (Outputs)

State Memory

“Rules” and Winning Condition Defined by Properties

Page 19

Example: Tic Tac Toe

Goal (for Player 2): Make three O in a line, or prevent Player 1 from having three X in a line.

(Diagram: example board positions.)

Page 20

Strategy

Maps a state of the game to a set of conforming moves

(Diagram: a board position and the set of moves the strategy allows from it.)

Page 21

Winning Strategies

A player wins if she adheres to the strategy
Computed using the Game Graph

Example: Tic Tac Toe
1. Win: If you have two in a row, play the third to get three in a row.
2. Block: If the opponent has two in a row, play the third to block them.
3. Fork: Create an opportunity where you can win in two ways.
…
8. Empty Side: Play an empty side.
http://en.wikipedia.org/wiki/Tic-tac-toe

Page 22

FROM STRATEGIES TO CIRCUITS

Page 23

Strategies Represented as Relations

(Diagram: the system as State (Memory/Flipflops) and Combinational Logic; the relation R relates all inputs to the combinational logic (I) with all outputs of the combinational logic (O).)

Relation: Represented Symbolically (BDDs); More Freedom than Functions
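
The synthesis flow and the game view of the previous slides (find a winning strategy on the game graph, keep it as a relation that leaves more freedom than a function) worked through on a small safety game, as an added example that is not part of the original slides. The environment raises requests req1/req2, the system answers with ack1/ack2, the state remembers which requests are still pending, and the properties are "ack1 and ack2 never high together", "no ack without a request" and "a pending request is granted in the next cycle". The state encoding, the properties and the explicit Python representation are assumptions of the example, not taken from the deck; the winning region is the greatest fixpoint over the explicit game graph, and the extracted strategy is a relation from (state, input) to the set of outputs that keep the system winning.

```python
from itertools import product

# Constructed example game (an assumption of this example, not from the slides):
# state  (p1, p2):     request i is still pending from the previous cycle
# input  (req1, req2): chosen by the environment each cycle
# output (ack1, ack2): chosen by the system each cycle
BITS = (0, 1)
STATES = list(product(BITS, repeat=2))
INPUTS = list(product(BITS, repeat=2))
OUTPUTS = list(product(BITS, repeat=2))


def legal(state, inp, out):
    """The 'rules': every (state, input, output) triple must satisfy the properties."""
    p1, p2 = state
    req1, req2 = inp
    ack1, ack2 = out
    if ack1 and ack2:                                   # never both acks at once
        return False
    if (ack1 and not (req1 or p1)) or (ack2 and not (req2 or p2)):
        return False                                    # no ack without a request
    if (p1 and not ack1) or (p2 and not ack2):
        return False                                    # a pending request is granted now
    return True


def successor(state, inp, out):
    """Next state: a request stays pending if it was raised or pending and not acknowledged."""
    p1, p2 = state
    req1, req2 = inp
    ack1, ack2 = out
    return (int((req1 or p1) and not ack1), int((req2 or p2) and not ack2))


def winning_region():
    """Greatest fixpoint on the game graph: a state stays winning only if, for every
    input, the system has a legal output whose successor is still winning."""
    win = set(STATES)
    while True:
        keep = {
            s for s in win
            if all(any(legal(s, i, o) and successor(s, i, o) in win for o in OUTPUTS)
                   for i in INPUTS)
        }
        if keep == win:
            return win
        win = keep


def strategy(win):
    """The winning strategy as a relation: (state, input) -> set of conforming outputs.
    Wherever the set has more than one element the relation keeps freedom that a
    function would have to give up."""
    return {
        (s, i): {o for o in OUTPUTS if legal(s, i, o) and successor(s, i, o) in win}
        for s in win for i in INPUTS
    }


if __name__ == "__main__":
    win = winning_region()
    print("winning states:", sorted(win))
    for key, moves in sorted(strategy(win).items()):
        print(key, "->", sorted(moves))
```

Only the state with both requests pending is losing (the system could grant just one of them). In state (0, 1) with both requests raised the strategy leaves exactly one move, while in state (0, 0) it allows either grant: that is the freedom the later slides try to exploit when the relation is turned into a circuit.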

Page 24

Freedom in Relations

Input (i1 i2) | Output (o1 o2 o3)
0 0 | 0 1 0 (fixed output, no freedom)
0 1 | 1 0 – (“don’t care”: 1 0 – = 1 0 0, 1 0 1)
1 0 | 1 1 0, 0 0 1 (multiple vertices, not expressible with don’t cares)
1 1 | 1 0 0, 0 1 1, 1 1 –

Page 25

Compatible Function

Input (i1 i2) | Output (o1 o2 o3) | Compatible Function (example)
0 0 | 0 1 0 | 0 1 0
0 1 | 1 0 – | 1 0 0
1 0 | 1 1 0, 0 0 1 | 1 1 0
1 1 | 1 0 0, 0 1 1, 1 1 – | 1 1 0

Page 26

Solving Relations

Problem: Given a Boolean relation, find a compatible (multi-output) Boolean function which is minimal with respect to some cost function (e.g. gate count).

Our relations are large: many compatible functions

Use the freedom in a meaningful way: share common sub-functions

Page 27

Simple Cofactor Approach

For each output do:
1. Abstract other outputs
2. Find cofactors w.r.t. output
3. Remove redundant variables (*)
4. Compute care-set
5. Minimize positive cofactor w.r.t. care-set
6. Substitute output in relation with computed function

[R. Bloem et al., “Specify, Compile, Run: Hardware from PSL”, COCV’07]

Page 28

Resubstitution

Input (i1 i2) | Output (o1 o2 o3) | Compatible Function (example)
0 0 | 0 0 0, 0 0 1, 0 1 0, 0 1 1, 1 1 1, … | o1 = 1
0 1 | 1 0 0, 1 0 1, … | o1 = 1
1 0 | 0 0 1, 1 0 1, … | o1 = 1
1 1 | 1 0 0, … | o1 = 1

Loss of freedom for o2 and o3

Page 29

Circuit Construction

Strategy and compatible functions are represented as Binary Decision Diagrams (BDDs)

BDDs can easily be dumped into a network of multiplexers

Page 30

IMPROVEMENTS WE WORKED ON

Page 31

Overview

DAC’04 Recursive Conflict-Solving Approach [Baneres et al.]
Other Minimization Methods: Minato-Morreale’s Irredundant Sum-of-Products Algorithm; Generalized Version of ISoP
Caching to Increase Sharing of Sub-Functions
Combining the Above

Page 32

DAC’04 Recursive Approach

Based on: D. Baneres et al., “A Recursive Paradigm to Solve Boolean Relations”, DAC’04

Basic Idea: Resubstituting outputs takes away freedom; freedom decreases with each output, which is bad for minimization. Minimize outputs independently, resolve conflicts (if any) recursively.

Branch & Bound Algorithm, with arbitrary cost function

Page 33

Independent Output Minimization

Input: Relation R, inputs I, outputs O

F = 1
foreach o in O do:
    R' = exists O\o . R
    F = F * (o <-> Minimize(R', o))    // no resubstitution
C = F * not(R)                         // check for conflicts
if C != 0:
    (X, y) = pickConflict(C)
    (R1, R2) = Split(R, X, y)          // divide & conquer
    Recursively solve R1, R2

Inputs | Outputs | Function
0 | 00, 11 | 0 0
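
The cofactor approach with resubstitution (Simple Cofactor Approach and Resubstitution slides) and the DAC’04 independent-output minimization with its conflict check (this slide) side by side on the relation of the “Freedom in Relations” slide, as an added example that is not part of the original slides. The relation is written out as an explicit table instead of a BDD, and the BDD-based minimization of the slides is replaced by a deliberately simple stand-in (forced values on the care set, constant 0 on don’t-cares); that stand-in and all helper names are assumptions of the example. It shows how each resubstituted output shrinks the number of compatible functions, and how minimizing the outputs independently can produce output vectors the relation does not allow, which is the conflict set C = F ∧ ¬R the pseudocode tests for.

```python
# Constructed relation from the "Freedom in Relations" slide:
# input (i1, i2) -> set of output vectors (o1, o2, o3) the strategy allows.
RELATION = {
    (0, 0): {(0, 1, 0)},                                    # fixed output, no freedom
    (0, 1): {(1, 0, 0), (1, 0, 1)},                         # 1 0 -  (a don't care)
    (1, 0): {(1, 1, 0), (0, 0, 1)},                         # two vertices, not a don't care
    (1, 1): {(1, 0, 0), (0, 1, 1), (1, 1, 0), (1, 1, 1)},   # 1 0 0, 0 1 1, 1 1 -
}
N_OUT = 3


def is_compatible(func, relation):
    """func: input -> one output vector. Compatible iff every vector is allowed."""
    return all(func[x] in relation[x] for x in relation)


def freedom(relation):
    """Number of compatible functions: product of the allowed vectors per input."""
    count = 1
    for vectors in relation.values():
        count *= len(vectors)
    return count


def cofactors(relation, k):
    """Abstract the other outputs (exists O\\o . R): the inputs where o_k may be 1,
    and the inputs where o_k may be 0 (positive / negative cofactor)."""
    pos = {x for x, vectors in relation.items() if any(v[k] == 1 for v in vectors)}
    neg = {x for x, vectors in relation.items() if any(v[k] == 0 for v in vectors)}
    return pos, neg


def minimize(pos, neg, inputs):
    """Stand-in for the BDD minimization of the slides (an assumption of this example):
    the care set is where the value is forced; don't-cares are filled with constant 0."""
    care_one = pos - neg
    return {x: (1 if x in care_one else 0) for x in inputs}


def cofactor_approach(relation):
    """Cofactor approach with resubstitution: solve o1, restrict the relation to the
    vectors that agree with it, solve o2 on the restricted relation, and so on.
    Returns the compatible function and the freedom left after each output."""
    inputs = sorted(relation)
    rel = {x: set(vectors) for x, vectors in relation.items()}
    chosen = {x: [None] * N_OUT for x in inputs}
    freedoms = [freedom(rel)]
    for k in range(N_OUT):
        fk = minimize(*cofactors(rel, k), inputs)
        for x in inputs:
            chosen[x][k] = fk[x]
            rel[x] = {v for v in rel[x] if v[k] == fk[x]}   # resubstitution
        freedoms.append(freedom(rel))
    return {x: tuple(chosen[x]) for x in inputs}, freedoms


def independent_minimization(relation):
    """DAC'04 first step: minimize every output on the original relation (no
    resubstitution), then compute the conflict set C = F and not R: the inputs whose
    combined output vector the relation does not allow."""
    inputs = sorted(relation)
    per_output = [minimize(*cofactors(relation, k), inputs) for k in range(N_OUT)]
    func = {x: tuple(per_output[k][x] for k in range(N_OUT)) for x in inputs}
    conflicts = {x for x in inputs if func[x] not in relation[x]}
    return func, conflicts


if __name__ == "__main__":
    f, left = cofactor_approach(RELATION)
    print("resubstitution:", f, "freedom after each output:", left)
    g, conflicts = independent_minimization(RELATION)
    print("independent:", g, "conflicts:", sorted(conflicts))
```

With this stand-in, resubstitution drives the freedom from 16 compatible functions to 2 after the first output and to 1 after the third, and the result is always compatible. Independent minimization picks 0 0 0 for inputs 1 0 and 1 1, which the relation does not allow, so both inputs end up in C and would have to be resolved by the recursive split.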

Page 34

Our Results with the DAC’04 Approach

Complete Search Infeasible
Depth-First Search (Recursion Limit)
Breadth-First Search (Call Limit)
Quick Solution (Cofactor Approach) after using up resources

No significant improvements over initial solution (so far)
Maybe bad choice of conflicts
Use Minato-Morreale algorithm instead of cofactor approach (not implemented in our tool yet)

Page 35

Incompletely Specified Functions

(Diagram: ON-Set, Don’t-Care-Set and OFF-Set of an incompletely specified function, and the ON-Set of one completely specified function covering the ON-Set and part of the Don’t-Care-Set.)

Page 36

Lattice of Functions

(Diagram: ON-Sets of functions f1 and f2: f1 > f2 when the ON-Set of f2 is contained in the ON-Set of f1; f1, f2 incomparable otherwise. The lattice of functions f0 … f15, with the Interval between the Lower Bound (ON-Set) and the Upper Bound (ON-Set + DC-Set).)

Page 37

Minato-Morreale Algorithm

Irredundant Sum-of-Products: No single literal or cube can be deleted while keeping the function.

Recursive Procedure: ISoP = v’ * ISoP0 + v * ISoP1 + ISoPd

Starts with an Incompletely Specified Function

[S. Minato, “Fast generation of irredundant sum-of-products forms from binary decision diagrams“, SASIMI’92]

Page 38

Minato-Morreale Algorithm (2)

Given: Incompletely Specified Function (ON, DC)

In each step: Find a literal v and ISFs for ISoP0, ISoP1, ISoPd such that

ISoP = v’ * ISoP0 + v * ISoP1 + ISoPd

lies in the interval [ON, ON+DC]. Recur on ISoP0, ISoP1, ISoPd.

Page 39

Finding ISoP0

All diagrams show ON-Sets only!

Given: Upper and Lower Bound of ISoP: U, L
Cofactors of Upper Bound: Uv, Uv’
Cofactor of Lower Bound: Lv’
Minimum set which must be multiplied by v’: Lv’ – Uv
Interval for ISoP0: [Lv’ – Uv, Uv’]

Page 40

Finding ISoP1, ISoPd

ISoP1: similar to ISoP0, with opposite cofactors

ISoPd:

(Diagram: L, U, ISoP0, ISoP1, Uv · Uv’, ISoPd.)

Upper Bound for ISoPd: Uv · Uv’

Lower Bound for ISoPd:

Interval for ISoPd:

Page 41

Terminal Cases of Recursion

L = 0
U = 1
L = U

(Diagram: the lattice of functions f0 … f15, with the terminal intervals marked.)

Page 42

Circuit Construction Along the Way

ISoP = v’ * ISoP0 + v * ISoP1 + ISoPd

(Diagram: an AND gate for v’ · ISoP0, an AND gate for v · ISoP1, and an OR gate that joins both with ISoPd to produce ISoP.)
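
The Minato-Morreale recursion of the preceding slides (interval [Lv’ – Uv, Uv’] for ISoP0, the symmetric interval for ISoP1, the remainder of L below Uv · Uv’ for ISoPd, terminal cases L = 0 and U = 1, and the cube structure that the circuit is built from) implemented on explicit minterm sets instead of BDDs, as an added example that is not part of the original slides. Functions are sets of minterms over N variables, a cube is a tuple with 0, 1 or None per variable, and a returned cube list is the sum of products. The sample ON/DC sets and the variable-selection rule (lowest-numbered variable either bound depends on, standing in for the BDD top variable) are assumptions of the example.

```python
from itertools import product

N = 3                                           # variables x0, x1, x2
ALL = frozenset(product((0, 1), repeat=N))      # the constant-1 function as a minterm set

# Constructed incompletely specified function: ON-set and don't-care set.
ON = frozenset({(1, 1, 0), (1, 1, 1), (0, 1, 1)})
DC = frozenset({(1, 0, 1)})


def cofactor(f, v, b):
    """f restricted to x_v = b, lifted back so the result no longer depends on x_v."""
    out = set()
    for m in f:
        if m[v] == b:
            out.add(m[:v] + (0,) + m[v + 1:])
            out.add(m[:v] + (1,) + m[v + 1:])
    return frozenset(out)


def depends_on(f, v):
    return cofactor(f, v, 0) != cofactor(f, v, 1)


def cube_minterms(cube):
    """Minterms covered by one cube; None in a position means either value."""
    return frozenset(product(*[(0, 1) if c is None else (c,) for c in cube]))


def cover(cubes):
    """Minterm set (ON-set) of a sum of products."""
    out = set()
    for c in cubes:
        out |= cube_minterms(c)
    return frozenset(out)


def isop(lower, upper):
    """Irredundant sum of products f with lower <= f <= upper,
    lower = ON-set, upper = ON-set + DC-set, both as minterm sets."""
    if not lower:                       # L = 0: nothing has to be covered
        return []
    if upper == ALL:                    # U = 1: one tautology cube covers everything allowed
        return [(None,) * N]
    v = next(i for i in range(N) if depends_on(lower, i) or depends_on(upper, i))
    l0, l1 = cofactor(lower, v, 0), cofactor(lower, v, 1)
    u0, u1 = cofactor(upper, v, 0), cofactor(upper, v, 1)
    # Lv' - Uv must carry the literal v' (Uv cannot cover it); interval [Lv' - Uv, Uv'].
    isop0 = isop(l0 - u1, u0)
    isop1 = isop(l1 - u0, u1)           # symmetric, with the opposite cofactors
    # Whatever is still uncovered goes into the literal-free part, bounded by Uv * Uv'.
    ld = (l0 - cover(isop0)) | (l1 - cover(isop1))
    isopd = isop(ld, u0 & u1)

    def with_literal(cubes, b):         # the AND gates of the circuit-construction slide
        return [c[:v] + (b,) + c[v + 1:] for c in cubes]

    return with_literal(isop0, 0) + with_literal(isop1, 1) + isopd


if __name__ == "__main__":
    cubes = isop(ON, ON | DC)
    print("cubes:", cubes)
    print("inside interval:", ON <= cover(cubes) <= ON | DC)
```

On the constructed input the recursion splits on x0 first, ISoP0 is empty, ISoP1 reduces to the cube x1, and the remainder of the ON-set is picked up by ISoPd as x1·x2, giving x0·x1 + x1·x2 with the don’t-care minterm 1 0 1 left unused.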

Page 43

Generalization of ISoP-Algorithm

ISoP splits off one literal v at a time:

ISoP = v’ * ISoP0 + v * ISoP1 + ISoPd

Instead: Split off an arbitrary (simple) function f

ISoP = f’ * ISoP0 + f * ISoP1 + ISoPd

How to choose good divisors (for intervals)? E.g. Kernels, Co-Kernels, … of lower bound?

Preliminary results are not promising

Page 44

Caching Intermediate Results

Given an interval [L, U], check whether a function f with L ≤ f ≤ U has already been “built”. If so, reuse the wire.

(Diagram: the ISoP gate structure (v, ISoP0, ISoP1, ISoPd, ISoP) and the lattice of functions f0 … f15 with the interval [L, U].)

Page 45

Cache Issues

Memory Constraints: Cannot save all intermediate results. Cache Policy: Which ones to delete? “Smaller” functions have higher reuse probability?

Efficient Cache Lookup: 2 comparisons needed to check whether a function is in an interval. Minimize function comparisons. How can this be done?

Page 46

Simulation-Based Lookup

Don’t Store Functions, Use “Signatures”: Random Input Vectors and Corresponding Outputs; Compact in Memory; Quick Comparison (Bit-Vectors)

Candidate function must have at least as many 1s as the lower bound of the interval and not more 1s than the upper bound of the interval

Discard candidate function on first violation of the above property; False Positives

Reconstruct Functions on Demand

Input | Out
110010110 | 0
001000101 | 1
110110110 | 1
100100111 | 0
… | …

cf. [A. Mishchenko, “FRAIGs: A unifying representation for logic synthesis and verification”, Tech Report, 2005]
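
Simulation-based lookup as described on this slide, as an added example that is not part of the original slides: a cache entry keeps only a signature (the function’s values on a fixed list of sample input vectors, packed into an integer bit-vector) plus the cube list needed to rebuild the function on demand. The interval test is read here per sample vector (lower implies candidate, candidate implies upper), which makes it two bit-mask operations; a candidate that passes it is rebuilt and checked exactly, so false positives are caught and counted instead of being reused. The four sample vectors, the cached functions and the query intervals are constructed for the example.

```python
from itertools import product

N = 4
ALL = frozenset(product((0, 1), repeat=N))
# Constructed sample: four fixed "random" input vectors (a real tool draws many more).
SAMPLES = [(0, 0, 0, 0), (0, 1, 1, 0), (1, 0, 1, 1), (1, 1, 0, 0)]


def cube_minterms(cube):
    return frozenset(product(*[(0, 1) if c is None else (c,) for c in cube]))


def cover(cubes):
    """Rebuild a function (minterm set) from its cube list."""
    out = set()
    for c in cubes:
        out |= cube_minterms(c)
    return frozenset(out)


def signature(f):
    """Bit k of the signature is f's output on SAMPLES[k]."""
    return sum(1 << k for k, x in enumerate(SAMPLES) if x in f)


class SignatureCache:
    def __init__(self):
        self.entries = []           # (signature, cubes): no full function stored
        self.false_positives = 0

    def add(self, cubes):
        self.entries.append((signature(cover(cubes)), cubes))

    def lookup(self, lower, upper):
        """Return the cube list of a cached f with lower <= f <= upper, or None."""
        sig_l, sig_u = signature(lower), signature(upper)
        for sig, cubes in self.entries:
            # Bit-vector test: every 1 of the lower bound must be a 1 of the candidate,
            # and every 1 of the candidate must be a 1 of the upper bound.
            if sig_l & ~sig or sig & ~sig_u:
                continue
            f = cover(cubes)        # reconstruct only for candidates that pass
            if lower <= f <= upper:
                return cubes
            self.false_positives += 1
        return None


def lookup_demo():
    cache = SignatureCache()
    cache.add([(1, None, None, None)])          # x0
    cache.add([(1, 1, None, None)])             # x0 x1
    cache.add([(None, None, 1, None)])          # x2
    # Interval [x0 x1, x0 x1 + x0 x2]: x0 passes the signature test but not the exact check.
    hit = cache.lookup(cover([(1, 1, None, None)]),
                       cover([(1, 1, None, None), (1, None, 1, None)]))
    # Interval [x1 x2 x3, x1]: x0 x1 passes the signature test, fails exactly; no hit at all.
    miss = cache.lookup(cover([(None, 1, 1, 1)]), cover([(None, 1, None, None)]))
    return hit, miss, cache.false_positives


if __name__ == "__main__":
    print(lookup_demo())
```

With only four sample vectors the function x0 looks like it fits the first interval (its signature agrees with x0·x1 + x0·x2 on every sample) although minterm 1 0 0 0 lies outside the upper bound; the exact check rejects it and the lookup moves on to x0·x1, which is a real hit. The second interval produces a false positive and then a miss. More sample vectors shrink the false-positive rate, at the cost of memory per entry.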

Page 47

SYNTHESIS WITH UNINTERPRETED FUNCTIONS

Page 48

What is an Uninterpreted Function?

A function… (obviously)
Possibly n-ary, mapping input value(s) to an output value
... which is uninterpreted, i.e., we do not know/care about its “internals”

But: functional consistency (equal arguments yield equal results), for n-ary functions:

(Diagram: f maps a to f(a).)

Page 49

What is a controller?

Controller

(Diagram: Controller and Datapath, connected by control signals and status signals; inputs and outputs.)

Datapath includes:
• memory
• arithmetic components: adders, multipliers, …
• other data manipulating stuff

Controller versus Datapath are like:

• Driver versus Car

• Musician versus Piano

• …

Page 50

Motivation: Pipelined Microprocessor

(Diagram: Registers / Memory, c1, c2, …, cn, and the Controller.)

Page 51

Equivalence: Commutativity

(Commuting diagram: Pipelined Architecture and Non-Pipelined Architecture. Flushing the pipeline and then executing one instruction on the non-pipelined architecture must agree with stepping the pipelined architecture and then flushing.)

Page 52

(Very) Simple Example

Non-pipelined Architecture (= reference):

(Diagram: Registers REG with Read/Write ports, source and dest, and the ALU.)

Pipelined Architecture:

(Diagram: Registers REG with Read/Write ports, source and dest, the ALU, pipeline registers v and w, and control.)

Page 53

Synthesis Approach

Define equivalence criterion:

Claim:

Reads: “For all (initial) array contents, for all interpretations of the functions, and for all inputs and initial states, there are control values, and resulting new array contents and next states, such that the equivalence criterion evaluates to true.”

If the claim is valid, extract

Page 54:

Example: Equivalence Criterion

complete – ISA:

step – complete:

Equivalence criterion:

(Figure: commuting diagram with the arrows complete, ISA, step and complete.)

Page 55:

Transformations

The equivalence criterion is a first-order formula using the theories of
• Arrays (A)
• Uninterpreted Functions (U)
• Equality (E)

Three reductions/transformations:
• A-U-E → U-E (proof done)
• U-E → E (proof in progress)
• E → Propositional Logic (proof in progress)

Page 56:

A-U-E → U-E

1. Replace array writes with fresh variables and apply the write axiom

2. Replace existential quantifications with fresh variables

3. Replace universal quantifications with a conjunction over the index set

4. Replace array reads with uninterpreted functions

Page 57:

Ackermann’s Reduction: UIF-E → E

• Replace all function instances with fresh variables, and thus obtain:

• Add functional consistency constraints, and obtain:
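The two reductions above (the four A-U-E → U-E steps and Ackermann's UIF-E → E step) carried out on a small term language, as an added example that is not code from the slides or from IAIK. The tuple encoding, the helper names and the constructed criterion (a reference that writes ALU(REG[src]) to REG[dst] versus a candidate that writes a control value w there) are this example's own choices; the index set used to expand the universal quantifier is simply the set of index terms occurring in the formula.

```python
"""Added example, not from the slides: A-U-E -> U-E -> E on nested tuples.

  ('var', name)                     element, index or array variable
  ('read', array, index)            array read
  ('write', array, index, value)    array write (an array-valued term)
  ('app', fname, arg)               unary uninterpreted function application
  ('eq', s, t)  ('not', f)  ('and', f, ...)  ('implies', f, g)

Assumptions: indices contain no writes, functions are unary, and the
existentially quantified variables are already plain variables (step 2).
"""
from itertools import combinations


class Fresh:
    """Fresh-variable generator; the prefixes are this example's choice."""

    def __init__(self):
        self.n = 0

    def var(self, prefix):
        self.n += 1
        return ('var', f'{prefix}{self.n}')


def children(node):
    if node[0] == 'var':
        return ()
    return node[2:] if node[0] == 'app' else node[1:]


def walk(node):
    """Pre-order traversal over terms and formulas alike."""
    yield node
    for c in children(node):
        yield from walk(c)


def rewrite(node, fn):
    """Bottom-up rewriting: rebuild the children, then let fn map the node."""
    if node[0] == 'var':
        return fn(node)
    head = (node[0], node[1]) if node[0] == 'app' else (node[0],)
    return fn(head + tuple(rewrite(c, fn) for c in children(node)))


def eliminate_writes(phi, fresh):
    """Steps 1 and 3: each write(a, i, v) becomes a fresh array variable a'
    with the write axiom  a'[i] = v  and  j != i -> a'[j] = a[j], the
    universal quantifier over j expanded to the index set of phi."""
    index_set = sorted({n[2] for n in walk(phi) if n[0] in ('read', 'write')},
                       key=repr)
    constraints = []
    while True:
        # innermost writes first, so the array argument is always a variable
        writes = [n for n in walk(phi) if n[0] == 'write'
                  and sum(1 for m in walk(n) if m[0] == 'write') == 1]
        if not writes:
            return ('and', phi, *constraints)
        w = writes[0]
        _, arr, idx, val = w
        a_new = fresh.var('A')
        constraints.append(('eq', ('read', a_new, idx), val))
        for j in index_set:
            if j != idx:
                constraints.append(('implies', ('not', ('eq', j, idx)),
                                    ('eq', ('read', a_new, j), ('read', arr, j))))
        phi = rewrite(phi, lambda n, w=w, a_new=a_new: a_new if n == w else n)


def reads_to_uf(phi):
    """Step 4: read(A, j) on an array variable A becomes the application A(j)."""
    return rewrite(phi, lambda n: ('app', n[1][1], n[2])
                   if n[0] == 'read' and n[1][0] == 'var' else n)


def ackermann(phi, fresh):
    """UIF-E -> E: every application f(t) becomes a fresh variable; for each
    pair of applications of the same f add  t_i = t_j -> v_i = v_j."""
    table = {}

    def name(n):
        if n[0] == 'app' and n not in table:
            table[n] = fresh.var('v')
        return table.get(n, n)

    phi = rewrite(phi, name)
    consistency = [('implies', ('eq', a[2], b[2]), ('eq', table[a], table[b]))
                   for a, b in combinations(table, 2) if a[1] == b[1]]
    return ('and', phi, *consistency), table, consistency


def theory_symbols(phi):
    """Heads of the array and uninterpreted-function theories left in phi."""
    return {n[0] for n in walk(phi) if n[0] in ('read', 'write', 'app')}


def reduce_to_equality_logic(phi):
    fresh = Fresh()
    return ackermann(reads_to_uf(eliminate_writes(phi, fresh)), fresh)


# Constructed criterion: the reference writes ALU(REG[src]) to REG[dst], the
# candidate writes the control value w there; compare reading any index q.
REG, SRC, DST, Q, W = [('var', s) for s in ('REG', 'src', 'dst', 'q', 'w')]
REFERENCE = ('write', REG, DST, ('app', 'ALU', ('read', REG, SRC)))
CANDIDATE = ('write', REG, DST, W)
CRITERION = ('eq', ('read', REFERENCE, Q), ('read', CANDIDATE, Q))

if __name__ == '__main__':
    result, table, consistency = reduce_to_equality_logic(CRITERION)
    print(len(table), 'applications replaced,', len(consistency),
          'consistency constraints, theories left:', theory_symbols(result))
```

Run as a script it reports 9 replaced applications, 7 consistency constraints and no array or function symbols left, i.e. the output formula is in pure equality logic and ready for the graph-based encoding of the next slides. Note that the expansion over the index set and the pairwise consistency constraints are both quadratic in the number of index and argument terms, which is one source of the runtime concern listed under "Open Points".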

Page 58:

E → Prop. Logic (Graph-based)

• Build the non-polar equality graph
• Make it chordal

Page 59:

E → Prop. Logic (continued)

• Replace equalities with fresh Boolean variables
• For each triangle in the equality graph, add the following conjunct to the formula:

Open point: respect the quantifier structure
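The graph-based E → propositional logic encoding of the two slides above, as an added example that is not code from the slides or from IAIK. Equalities are vertices' edges in a non-polar graph, the graph is made chordal by vertex elimination with fill-in edges, and every triangle yields three transitivity constraints; the constructed 4-cycle shows why the chord is needed. The encoding ignores quantifier structure, exactly the open point the slide names. Function and variable names are this example's own.

```python
"""Added example, not from the slides: E -> propositional logic via the
chordal non-polar equality graph with per-triangle transitivity constraints."""
from itertools import combinations, product


def edge_var(a, b):
    """Boolean variable standing for the equality a = b (order-independent)."""
    return 'e_' + '_'.join(sorted((a, b)))


def chordal_completion(vertices, edges):
    """Eliminate vertices in the given order; connect all not-yet-eliminated
    neighbours of each eliminated vertex (fill-in).  The result is chordal."""
    edges = {frozenset(e) for e in edges}
    remaining = set(vertices)
    for v in vertices:
        nbrs = {next(iter(e - {v})) for e in edges if v in e} & remaining
        for a, b in combinations(sorted(nbrs), 2):
            edges.add(frozenset((a, b)))
        remaining.discard(v)
    return edges


def triangles(vertices, edges):
    return [t for t in combinations(sorted(vertices), 3)
            if all(frozenset(p) in edges for p in combinations(t, 2))]


def transitivity_constraints(vertices, equalities):
    """Returns the chordal edge set and constraints (p, q, r) meaning
    p and q -> r, three per triangle (one per rotation)."""
    edges = chordal_completion(vertices, equalities)
    cons = []
    for a, b, c in triangles(vertices, edges):
        for x, y, z in ((a, b, c), (b, c, a), (c, a, b)):
            cons.append((edge_var(x, y), edge_var(y, z), edge_var(x, z)))
    return edges, cons


def extend(partial, edges, cons):
    """Search values for the remaining edge variables (chords included) that
    satisfy every constraint under the partial assignment; None if the
    partial assignment is inconsistent with transitivity."""
    free = sorted({edge_var(*e) for e in edges} - set(partial))
    for bits in product((0, 1), repeat=len(free)):
        asg = {**partial, **dict(zip(free, bits))}
        if all(not (asg[p] and asg[q]) or asg[r] for p, q, r in cons):
            return asg
    return None


# Constructed 4-cycle a=b, b=c, c=d, a=d: without a chord there is no
# triangle, so a=b, b=c, c=d, a!=d would pass as consistent.
VERTICES = ('a', 'b', 'c', 'd')
EQUALITIES = [('a', 'b'), ('b', 'c'), ('c', 'd'), ('d', 'a')]

if __name__ == '__main__':
    edges, cons = transitivity_constraints(VERTICES, EQUALITIES)
    print(sorted(map(sorted, edges)), cons)
    print(extend({'e_a_b': 1, 'e_b_c': 1, 'e_c_d': 1, 'e_a_d': 0}, edges, cons))
```

The elimination order is simply the vertex order given; a minimum-fill ordering would keep the number of chords, and so of triangles and clauses, smaller on large graphs.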

Page 60:

Extract Function for Control Logic

• We started from:

• Apply the transformations, obtain:

• Existentially quantify the “next states”, i.e., quantify all variables which “come from” one of the next state variables. E.g.:

• Expand the existential quantification. Example:

• Find the cofactors with respect to the control variable: positive cofactor = ON-set + DC-set; negative cofactor = OFF-set + DC-set

• Find a function in this interval: it must contain the ON-set and must not intersect the OFF-set; the don’t-care set is free. (Figure: ON-Set, Don’t-Care-Set and OFF-Set.)
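The extraction procedure of this slide run on a small constructed relation, as an added example that is not code from the slides or from IAIK. The slides' implementation works on BDDs; this example uses explicit sets of satisfying assignments instead, which is only feasible for a handful of variables. The relation, over equality atoms h (current source equals the previous destination), n (the previous instruction writes nothing), c (the forwarding control to be synthesised) and e (pipelined result equals the reference result, a "next state" atom), and every name in the code are this example's own assumptions.

```python
"""Added example, not from the slides: cofactor-based extraction of a control
function from a relation, with explicit truth sets instead of BDDs."""
from itertools import combinations, product


class BoolFn:
    """Boolean function as the set of satisfying assignments (0/1 tuples)
    over an ordered tuple of variable names; a tiny stand-in for a BDD."""

    def __init__(self, vars, onset):
        self.vars = tuple(vars)
        self.onset = frozenset(onset)

    @classmethod
    def of(cls, vars, pred):
        vars = tuple(vars)
        return cls(vars, (a for a in product((0, 1), repeat=len(vars))
                          if pred(**dict(zip(vars, a)))))

    def _check(self, other):
        assert self.vars == other.vars, 'operands must share a variable order'

    def __and__(self, o):
        self._check(o)
        return BoolFn(self.vars, self.onset & o.onset)

    def __or__(self, o):
        self._check(o)
        return BoolFn(self.vars, self.onset | o.onset)

    def __invert__(self):
        return BoolFn(self.vars,
                      set(product((0, 1), repeat=len(self.vars))) - self.onset)

    def __le__(self, o):
        self._check(o)
        return self.onset <= o.onset

    def __eq__(self, o):
        return self.vars == o.vars and self.onset == o.onset

    def cofactor(self, v, val):
        """Restrict v to val and drop it from the variable order."""
        i = self.vars.index(v)
        return BoolFn(self.vars[:i] + self.vars[i + 1:],
                      (a[:i] + a[i + 1:] for a in self.onset if a[i] == val))

    def exists(self, v):
        return self.cofactor(v, 0) | self.cofactor(v, 1)

    def support(self):
        """Variables the function actually depends on."""
        return tuple(v for v in self.vars
                     if self.cofactor(v, 0) != self.cofactor(v, 1))


def control_interval(rel, ctrl):
    """Positive cofactor = ON + DC, negative cofactor = OFF + DC.
    Returns (ON-set, DC-set, OFF-set) over the remaining variables."""
    pos, neg = rel.cofactor(ctrl, 1), rel.cofactor(ctrl, 0)
    return pos & ~neg, pos & neg, neg & ~pos


def simplest_in_interval(on, dc):
    """Brute force over ON + S for S subset of DC; return a function with the
    smallest support (ties: fewest minterms).  Only for small DC-sets."""
    best = None
    for k in range(len(dc.onset) + 1):
        for chosen in combinations(sorted(dc.onset), k):
            f = BoolFn(on.vars, on.onset | set(chosen))
            key = (len(f.support()), len(f.onset))
            if best is None or key < best[0]:
                best = (key, f)
    return best[1]


# Constructed relation: the criterion holds iff e holds, and e holds iff
# forwarding (c) is chosen exactly when there is a hazard (h), unless the
# previous instruction wrote nothing (n), in which case either choice works.
REL = BoolFn.of(('h', 'n', 'c', 'e'), lambda h, n, c, e: e and (n or c == h))


def synthesise_control(rel=REL, ctrl='c', next_states=('e',)):
    r = rel
    for v in next_states:            # existentially quantify next states
        r = r.exists(v)
    on, dc, off = control_interval(r, ctrl)
    f = simplest_in_interval(on, dc)
    assert on <= f and f <= (on | dc)   # f lies in the interval
    return f, on, dc, off


if __name__ == '__main__':
    f, on, dc, off = synthesise_control()
    print('control depends on', f.support(), 'ON', sorted(on.onset),
          'DC', sorted(dc.onset), 'OFF', sorted(off.onset))
```

For this relation the ON-set is {h=1, n=0}, the OFF-set {h=0, n=0} and the don't-care set everything with n=1; the simplest function in the interval is c = h, i.e. forward exactly on a register-name hazard, which is what a hand-written pipeline controller would do.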

Page 61:

Results

We started from
• a datapath of the target system
• a reference implementation
• an equivalence criterion

We obtained Boolean function(s) for the control logic in terms of (dis-)equalities between inputs and states.

Example: (Figure: the synthesised control function driving the Datapath.)

Page 62:

Open Points / Questions

• Proof(s) for the transformations unfinished

• Practical issues: runtime complexity? Efficiency: BDDs vs. SMT solvers? Certificates? Interpolants?

• Implementation: only hardcoded for the simple pipeline example; based on BDD operations; not even (completely) finished

Page 63:

Other Work at Our Group

Page 64:

Transaction Level Diagnosis and Repair

• Find a replacement for a statement such that the program is correct. The simpler, the better. It may depend on all variables in scope, but adds no additional state.

• Find an expression e such that replacing repair(...) with e makes assertion violations impossible.

• Checking whether a given e is a repair is easy. Finding one: maybe reuse ideas from dynamic detection of likely invariants.

Program with the statement to be repaired:

    int foo(int a) {
        int x = 0, i = 0;
        x = a + 4;
        while (i < 3) {
            x = repair(x, i, a);
            and so on

Repaired program:

    int foo(int a) {
        int x = 0, i = 0;
        x = a + 4;
        while (i < 3) {
            x = x - 1;
            and so on

Page 65:

Robust Systems

A tower controls ≤ 100 airplanes. What happens with the 101st plane?

1) The system shuts down
2) Ignore the 101st plane
3) Control 101 planes, accepting a system slowdown

Correct – Incorrect
vs.
Correct – Incorrect but reasonable

Page 66:

RATSY – A Tool for Property-based Design

G(F(in out))

Synthesized Verilog (elided on the slide):

    module main(clock, r1, …);
      input clock, r1, …;
      output g1, …;
      reg r1_ps, …;
      assign tmp0 = !r1;
      …
      initial
      begin
        r1_ps = 0;
        …
      end
      always @(posedge clock)
      begin
        g1_ps = tmp80;
        …
      end
    endmodule

(Figure: property-based design flow.) Design Intent → Formal Specification → realizable?
• YES → Synthesized Implementation → Simulation. If Undesired Behavior is Observed: Enforce Desired Behavior, simply by modifying the trace, or using automata or PSL.
• NO → Debug Unrealizability. Idea: swapping the roles to pinpoint inconsistencies. Environment: “Adhere to this spec!” System: “Impossible! Try it!” Environment: “Try this input!” System: “Indeed! Impossible!” (Figure: IN and OUT traces over time t, the second ending in a “?”.)

“Hi! My name is RATSY. I offer you: full support for property-based design. Specifications: PSL or Büchi automata. Game-based debugging features. Automated correct-by-construction circuit synthesis.”

Page 67:

Spec Debugging

Reactive Systems: the Environment provides Inputs, the System provides Outputs.

• Realizable Specification: the System has a Strategy that produces Outputs satisfying the specification for every Environment.
• Unrealizable Specification: the Environment has a Counter-strategy that produces Inputs for which no System can satisfy the specification.

Swapping the Roles for Debugging: for an unrealizable specification, the counter-strategy plays the Environment while the user takes the role of the System, and for a realizable one the synthesized strategy plays the System while the user provides the Inputs.