Reflections on Industrial Use of Frama-C

Joseph R. Kiniry and Daniel M. Zimmerman Sound Static Analysis for Security Workshop NIST — Gaithersburg, Maryland — 28 June 2018 About Galois

• established in 1999 to apply functional programming and formal methods to the problem of information assurance • over 40 active projects for numerous clients, both U.S. government (NSA, DARPA, IARPA, Homeland Security, Air Force Research Lab) and commercial (Amazon, LG, others) • over the years, we have substantially broadened our scope to high assurance everything ‹#› © 2018 Galois, Inc.

2 © 2018 Galois, Inc. Galois and Frama-C

• Galois has used Frama-C on some projects • DARPA Crowdsourced Formal Verification • WP plugin to generate verification conditions • custom plugins to generate schematic assertions and program traces • DARPA SHAVE • Our clients rarely ask for formal verification in Frama-C’s “sweet spot”‹#› © 2018 Galois, Inc.

3 © 2018 Galois, Inc. SHAVE: Software/Hardware Assurance Verified End-to-End • DARPA MTO seedling for the SSITH program • a bump-in-wire encryption device • single, one-time AES key provisioning • encryption or decryption mutual exclusion • open hardware, firmware, and software • crypto realized as a MMIO RISC-V extension • custom development of a verification system for Bluespec hardware description language ‹#› © 2018 Galois, Inc.

4 © 2018 Galois, Inc. SHAVE Assurance

Concept Silicon

Verilog Informal Architec- BSV Netlist GDSII Artifacts RTL specs ture spec spec spec spec spec

Refinement manual design automatic synthesis and manual design Technology

Today's manual inspection, runtime testing, Assurance manual inspection model checking, formal verification Technique

SHAVE formal verification that produces independently verifiable claims and proofs Assurance ‹#› © 2018 Galois, Inc.

5 © 2018 Galois, Inc. The SHAVE Process

SHAVE Process Systems Engineering Point-of-view

define an informal perform domain formalize specify informal 1 2 3 4 domain model engineering domain model system requirements

5 Systems Engineer manually implement validation piecewise implement properties that cannot be 14 specification automatically generated specify static system 13 architecture 15a 15b

implement “bottom” 6 behavior for all execute runtime formally verify implementations verification of test implementations benches against all models specify dynamic system model

12 16 16 7

specify concrete reason about concrete specify the behavior of implementations that implementations to ensure the system model refine models that they are fit for purpose

11 8

automatically generate reason about all formal formalize informal validation bench from 10 models to ensure that 9 system requirements specifications they‹#› are fit for purpose © 2018as Galois, properties Inc.

6 © 2018 Galois, Inc. The SHAVE Architecture

STREAMING ENCRYPTION APPLICATION behavioral architecture library spec software NO OPERATING SYSTEM spec SOFTWARE (ACSL/ theory C code (BON) Cryptol) (Cryptol) CRYPTO LIBRARY

architecture behavioral firmware spec firmware FIRMWARE CRYPTO FIRMWARE spec theory C code (BON) (ACSL/ (Cryptol) Cryptol)

RISC-V in BSV in Coq RISC-V in SV BSV RISC-V HARDWARE CPU AES in AES AES in BSV AES in SV NI Cryptol ‹#› © 2018 Galois, Inc.

7 © 2018 Galois, Inc.

SHAVE Abstract State Machines System Initialization

System Initialization Powered Operating Mode = Power On Test Mode On Test Mode START Powered Operating Mode = Power On Test Mode On Test Mode Normal Mode START ƛ

Normal Mode ƛ Operating Mode = ƛ Initialized Normal Mode Operating Mode = ƛ Initialized Normal Mode

Boot and Config

Boot and Config Encrypt Behavior Mode = Encrypting Mode ƛ Initialized Boot BootedEncrypt Behavior Mode = Configured Encrypting Mode ƛƛ Behavior Mode = Initialized Boot Booted Configured Decrypt Decrypting Mode ‹#› ƛ Behavior Mode = © 2018 Galois, Inc. Decrypt Decrypting Mode

8 © 2018 Galois, Inc.

Load Key and Stream Data

Load Key and Stream Data

Key Streaming Configured Load Key ƛ Loaded Mode Key Streaming Configured Load Key ƛ Loaded Mode Process buffer

Process buffer

States Under Test System Shutdown

States UnderAny Test System Shutdown Booted Any State Test State Halt Any Booted Pause Any State Halt Test State Power Off Continue Pause Power Off Continue Powered ƛ Halted Paused Off Powered ƛ Halted Paused Off

I/O

I/O Any Initialized State Any Initialized State Read UART Write UART

Read UART Write UART

Figure 3 The SHAVE Software ASM Figure 3 The SHAVE Software ASM

10 10 SHAVE Assurance Case

• assurance case via layered rely/guarantee • entire system formally specified and assured except for (a) implementation of RISC-V ISA, and (b) behavior below RTL • entire assurance case hangs on realization of system ASM composing ASMs for soft/firmware • security properties include reset predicate, write-once key, no key leakage, crypto correctness, and guarantee that all bits are always encrypt/decrypted

also includes formally verified‹#› trusted boot for RISC-V • © 2018 Galois, Inc.

9 © 2018 Galois, Inc. Assurance Technologies and Compositionality • userland software and firmware specified in BON, PVS, ACSL, Cryptol, & SAW and verified using multiple Frama-C plugins, PVS, Cryptol, and SAW • hardware and state machine assurance via Cryptol and SAW • including a new frontend on SAW for reasoning about Bluespec SystemVerilog Cryptol is the compositional formal model that • ‹#› © 2018 Galois, Inc. spans formalisms and tools

10 © 2018 Galois, Inc. Composed Assurance Case

• ad hoc • human reviewed to ensure specs written in different concrete languages are consistent • complex! • need a SAW-like assurance language that understands evidence • we’re working on that for SSITH for hardware (and firmware) security,‹#› and some day…© 2018 Galois, Inc.

11 © 2018 Galois, Inc. Comparison of Experience with other BISL Technologies

• we have ~20 years of experience using CodeContracts, SPARK, Eiffel, and JML • we have written several formal verification and rigorous validation tools on these foundations • our statements of joy and disappointment with respect to ACSL and Frama-C come from this background, with love

‹#› © 2018 Galois, Inc.

12 © 2018 Galois, Inc. Frama-C Tools and Techniques Used

• both mainstream & experimental plugins used • metrics, callback, pdg, and from analysis to drive verification process • ASM reasoning with Aorai • rtegen for combined reasoning a la Julien’s talk this morning on combining RTE+E-ACSL • value analysis for unexpected behavior wp reasoning about functional correctness • ‹#› © 2018 Galois, Inc.

13 © 2018 Galois, Inc. Our Experiences

• tool documentation is very good • tool behavior is not as reliable as compilers • the “fine print” is hard to find and understand even for a formal methods expert • understanding the dependencies between, and order in which, different plugins should/can be used is complex • experimental aspects of ACSL and reasoning tools are what we need most for scaling (advanced logic specifications, sets and lists, model programs, memory

model subtleties, etc.) ‹#› © 2018 Galois, Inc.

14 © 2018 Galois, Inc. Constructive Next Steps

• we continue to use Frama-C at Galois as one of the tools in our toolbox • Frama-C complements our reasoning capabilities (embodied in Cryptol and SAW) • we see opportunities for writing new (possibly open source) plugins that relate to our work on hardware security and firmware reasoning

‹#› © 2018 Galois, Inc.

15 © 2018 Galois, Inc.