



#### Model-checking Synthesizable SystemVerilog Descriptions of Asynchronous Circuits

Aymane Bouzafour<sup>1</sup>, Marc Renaudin<sup>1</sup>, Hubert Garavel<sup>2</sup>, Radu Mateescu<sup>2</sup>, Wendelin Serwe<sup>2</sup>

<sup>1</sup>Tiempo Secure - SAS , Montbonnot-Saint-Martin, France. <sup>2</sup>Univ. Grenoble Alpes, Inria, CNRS, Grenoble INP, LIG F-38000 Grenoble France

ASYNC2018





- Context and Objectives
- Formal modelling and verification Flow
- "Memory Protection Unit" case study
- Conclusion and prospects





## **Context and Objectives**





#### Tiempo's objectives for this work

- Enhancing the quality and security of Tiempo's products
- Obtaining top-level certification for its products (Common Criteria EAL6/EAL7)
- Formal verification methods

#### Election of CADP toolbox (INRIA/Convecs)

- Well suited for modelling asynchronous concurrent systems (process calculi based languages)
- Long-standing collaboration and geographical proximity (CHP to Lotos translator..., DES...)

4

## Context and Objectives



#### CADP toolbox

- A wide array of software tools for model checking and equivalence checking (more than 50 tools)
- A long-run effort: Development of CADP started in 1986
- Theoretical background: "concurrency theory"
- Modelling languages: LOTOS (ISO 8807:1989), LNT derived from E-LOTOS (ISO 15437:2001), MCL
- Numerous industrial utilizations for hardware verification (STMicroelectronics, Bull ...)
- Website: <u>http://cadp.inria.fr</u>







#### Overview of the model checking endeavor







#### Results

- Formal verification of qualitative properties on the TLM of the asynchronous design
  - Functional properties
  - Security properties (Relating to the security requirements of third-party certifications)
- Smooth integration of the specified formal modelling and verification flow in the existing Tiempo asynchronous design flow





# Formal modelling and verification flow





#### Supplemented Tiempo asynchronous design flow



9





#### Asynchronous SystemVerilog (ASV) [Renaudin et al.2012]

- Based on the standard HDL: SystemVerilog [IEEE 1800-2012]
- Un-timed Transaction Level Modeling (TLM)
- Concurrent processes communicating through channels
  - Channels => SV interfaces + handshake protocol
  - Compositions operators : Parallel (fork..join), Sequential (;)
- Mixed Sync-Async design
- Support by commercial CAD tools (simulation)





#### 

- Modern language for replacing LOTOS [ISO 8807:1989]
- Similar features and coding style to ASV

#### Fully specified translation

Done manually, but easy to automate

-- main LNT process -- main SV module module address\_decoder ( process main[ ch\_bit.in add\_in, add\_in : ch\_bit, ch data t.in d in, d in, ch\_data\_t.out d\_out0, d out0, ch data t.out d out1 d\_out1 : ch\_data\_t] is always begin loop var bit address; address : bit. data t data; data : data\_t in fork par add\_in.BeginRead(address); add in(?address) d\_in.BeginRead(data);  $\| d_in(?data)$ join end par; case (address) case address in 1'b0: d\_out0.Write(data);  $0 \rightarrow d_out0(data); d_out0$ 1'b1: d\_out1.Write(data);  $| 1 \rightarrow d_out1(data); d_out1$ end case; end case fork par add\_in.EndRead(); add in d in.EndRead(); || d in end par join end end var end loop end module end process





#### Temporal logic language: MCL

- Extended modal µ-calculus with (regular expressions, data-handling mechanisms...)
- Expressing the qualitative properties as a combination of safety and liveness properties

#### Choice of MCL (MCL vs SVA, PSL)

- MCL is compatible with LNT and supported by CADP toolset
- SVA and PSL are linear-time oriented and more suited to RTL properties





## "Memory Protection Unit" case study

#### 14 May 15<sup>th</sup>, 2018



### A crucial block for security

Sufficiently complex (state-space wise)



Access config data to be read

Adcess config data to write

MPU\_CFR





#### Size of the code

- 4400 lines of SystemVerilog
- 8950 lines of LNT

Modelling most ASV constructs and its typical design patterns

#### High degree of internal concurrency

- 146 "main" concurrent processes (themselves concurrent)
- 250 internal channels
- 660 tokens in the underlying Petri net

#### Exposing state-space related limitations





#### Formal expression of the verified properties

- Expressing the verified functions as a combination of safety and liveness properties
- Example: Access control CC requirement [CCPART2V3.1R5]
  - The SFR shall enforce the Memory Access Control Policy to restrict the ability to change initial values, modify or delete the security access rights of control information to running at privilege mode.







#### Formal expression of the verified properties

- Safety property
  - Unprivileged subjects cannot access/modify configuration registers (MPU\_CFR)

```
-- MCL expression
[ "ACCESS_MODE_IN !0" . not ({ACCESS_MODE_IN ...})* . {CFG_REG1_WRITE ... } ] false;
```

#### Liveness property

• A privileged subject requesting access to a configuration register must be granted access to the targeted register

```
-- MCL expression
[ par_3 ("ACCESS_MODE_IN !1", "ADDRESS_IN !BIT3_T(0, 1, 1)", "WEN_IN !1") ]
INEVITABLE ( {CFG_REG1_WRITE ...} );
```





#### State-space explosion

- Generation of the state-space
- Exploring the state-space to verify properties

#### State space-reduction techniques

- Abstraction of data-types and variables
- Reduction modulo graph equivalences (branching bisimulation)
- Compositional state-space generation [Garavel et al. 2015]
  - "Divide-and-conquer" strategy
  - Projections and interfaces



#### Verified properties

- Memory access control objective [CCPART2V3.1R5]
- 184 qualitative properties verified
  - Functional properties (deadlock/livelock freedom, stimulus-response ...)
  - Security properties (access-control policies)

#### Performance

| Acces type   | Number<br>of inter-<br>mediate<br>LTSs | Largest<br>intermediate LTS |             | Final LTS |             |           | Time   |
|--------------|----------------------------------------|-----------------------------|-------------|-----------|-------------|-----------|--------|
|              |                                        | States                      | Transitions | States    | Transitions | File size |        |
| Co-processor | 20                                     | 6.6 M                       | 53 M        | 5.5 M     | 42 M        | 92 MB     | 13 min |
| MPU_CFR      | 20                                     | 27 M                        | 355 M       | 27 M      | 355 M       | 692 MB    | 4h33   |
| NVM          | 20                                     | 117 M                       | 862 M       | 21 M      | 144 M       | 296 MB    | 3h34   |





#### Beyond the TESIC MPU

- The MPU verification is not a one-shot attempt
- More designs are being verified by Tiempo:
  - Asynchronous Serial Link -- see model at [MCC'2018]
  - DES crypto-processor
- Integration of CADP in Tiempo's design flow, usable by Tiempo hardware designers





## **Conclusions And Prospects**





#### Conclusions

- Appropriateness of the proposed formal verification approach
- Validation on an industrial circuit by engineers relatively unfamiliar with formal verification

#### Prospective endeavors

- SystemVerilog to LNT translator
- Extending the specified flow to lower abstraction-level descriptions
  - Formal verification of quantitative properties
  - Equivalence checking ASV vs Gate-Level





## Thank you for your attention !