University of California Santa Barbara The ZARF Architecture for Recursive Functions A dissertation submitted in partial satisfaction of the requirements for the degree Doctor of Philosophy in Electrical and Computer Engineering by Joseph Earl McMahan Committee in charge: Professor Timothy Sherwood, Chair Professor Chandra Krintz Professor Ben Hardekopf Professor Yuan Xie June 2019 The Dissertation of Joseph Earl McMahan is approved. Professor Chandra Krintz Professor Ben Hardekopf Professor Yuan Xie Professor Timothy Sherwood, Committee Chair June 2019 The ZARF Architecture for Recursive Functions Copyright c 2019 by Joseph Earl McMahan iii Dedicated to every errant embedded system and every erroneous C program iv Acknowledgements First, I have to acknowledge the collaborators that made this research possible. I am but a humble architect, and though I could design a crazy CPU at the onset of the project, I had no notion of how to prove a property of anything, or what types really where, or what a monad does. Zarf never would have gotten off the ground without the programming languages side of things, motivating it, shaping it, and giving it life. Jared Roesch deserves half the credit for the original Zarf ISA design, though at the time we were calling it the “h-machine.” We worked through so many problems together in a short span — what instructions should look like, what the capabilities of software should be, how much influence Haskell should have — and at the end of only a few months, we had a mostly- broken CPU and a mostly-broken compiler. Our first paper was rejected. Those were good times. Jared would leave for the University of Washington and the Zarf hardware and ISA would be redesigned, but I still think of him as the co-creator of the platform. Any success Zarf eventually finds is due in part to him. Once we began to actually develop applications and try to start proving things, Lawton Nichols took over the PL side of things. He gave Zarf its first formal semantics, and did the first proofs on the platform. He moved on to bigger and better projects, but he helped Zarf get off the ground. Michael Christensen stepped in, and though he had never used Coq before, or written a typesystem or language semantics, his ability to learn and pick things up on his own made him cover ground fast. Most of the formalisms in this thesis are the product of his labor. He’s the co- author on all the Zarf papers to-date, and they wouldn’t exist without him and his exceptional work ethic. Of course, it would be remiss of me to not thank and acknowledge my family and friends v for the support they’ve given me in this seemingly endless series of grad school years. Thanks belongs especially to my boyfriend, Jonathan Lee, who is always there after a long day of failed papers to remind me that there’s a world outside of grad school and a life waiting to be lived. The last and largest acknowledgement goes to my advisor, Tim Sherwood — a professor on the fringe, who gives radical ideas a home. From his willingness to let new students join projects, to the freedom he gives in what we work on, to the support and hands-on advising he’s not afraid to administer, Tim is not only a top-notch researcher and professor, but a good human too. And that deserves to be acknowledged. vi Curriculum Vitæ Joseph Earl McMahan Education 2019 Ph.D. in Electrical and Computer Engineering (Expected), University of California, Santa Barbara. 2018 M.S. in Electrical and Computer Engineering, University of California, Santa Barbara. 2013 B.A. in Physics, Princeton University. Publications Bouncer: Static Program Analysis in Hardware Joseph McMahan, Michael Christensen, Kyle Dewey, Ben Hardekopf, and Timothy Sher- wood. International Symposium on Computer Architecture (ISCA), June 2019. Phoenix, AZ. Safer Program Behavior Sharing Through Trace Wringing Deeksha Dangawl, Weilong Cui, Joseph McMahan, and Timothy Sherwood. Proceedings of the 24th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), April 2019. Providence, RI. Information Leakage in Arbiter Protocols Nestan Tsiskaridze, Lucas Bang, Joseph McMahan, Tevfik Bultan, and Timothy Sherwood. International Symposium for Verification and Analysis (ATVA), October 2018. Los Angeles, CA. Hiding Intermitten Information Leakage with Architectural Support for Blinking Alric Althoff, Joseph McMahan, Luis Vega, Scott Davidson, Timothy Sherwood, Michael Taylor, and Ryan Kastner. International Symposium on Computer Architecture (ISCA), June 2018. Los Angeles, CA. Charm: A Language for Closed-form High-level Architecture Modeling Weilong Cui, Yongshan Ding, Deeksha Dangwal, Adam Holmes, Joseph McMahan, Ali Javadi-Abhari, Geroge Tzimpragos, Frederic Chong, Timothy Sherwood. International Sym- posium on Computer Architecture (ISCA), June 2018. Los Angeles, CA. An Architecture for Analysis Joseph McMahan, Michael Christensen, Lawton Nichols, Jared Roesch, Sung-Yee Guo, Ben Hardekopf, and Timothy Sherwood. IEEE Micro: Micro’s Top Picks from Computer Architec- ture Conferences (IEEE Micro - top pick), May-June 2018. A Pythonic Approach for Rapid Hardware Prototyping and Instrumentation John Clow, Georgios Tzimpragos, Deeksha Dangwal, Sammy Guo, Joseph McMahan, and Timothy Sherwood. Proceedings of the International Conference on Field-Programmable Logic and Applications (FPL), September 2017. Ghent, Belgium. vii Challenging On-Chip SRAM Security with Boot-State Statistics Joseph McMahan, Weilong Cui, Liang Xia, Jeff Heckey, Frederic T. Chong, and Timothy Sherwood. IEEE International Symposium on Hardware Oriented Security and Trust (HOST), May 2017. McLean, VA. An Architecture Supporting Formal and Compositional Binary Analysis Joseph McMahan, Michael Christensen, Lawton Nichols, Jared Roesch, Sung-Yee Guo, Ben Hardekopf, and Timothy Sherwood. Proceedings of the 22th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), April 2017. Xi’an, China. viii Abstract The ZARF Architecture for Recursive Functions by Joseph Earl McMahan For highly critical workloads, the legitimate fear of catastrophic failure leads to both highly conservative design practices and excessive assurance costs. One import part of the problem is that modern machines, while providing impressive performance and efficiency, are difficult to reason about formally. We explore the microarchitectural support needed to create a machine with a compact and well defined semantics, lowering the difficulty of sound and compositional reasoning across the hardware/software interface. Specifically, we explore implementation options for a machine organization devoid of programmer-visible memory, registers, or state update, built instead around function primitives. The resulting machine can be precisely and mathematically described in a brief set of semantics, which we quantitatively and qualitatively demonstrate is amenable to software proofs at the binary level. As time continues, we become increasingly dependent on computational devices for all facets of our lives — including our health, well-being, and safety. Many of these devices live “in the wild,” in resource-constrained and/or embedded environments, without access to large software stacks and heavy language run-times. At the same, increasing trends in heterogeneity in computer architecture gives the opportunity for new cores in system-on-chips (SoC’s) that provide support for increasing critical workloads. We propose an implementation and provide an evaluation of such a device, the Zarf Architecture for Recursive Functions (Zarf), provid- ing a interface of reduced semantic complexity at the ISA level, giving designers a platform amenable to reasoning and static analysis. The described prototype is comparable to normal embedded systems in size and resource usage, but it is far easier to reason about programs ix according to analysis. This can serve both resource-constrained devices, providing a new hard- ware platform, and resource-rich SoC’s, serving as a small, trusted co-processor that can handle critical workloads in the larger ecosystem. x Contents Curriculum Vitae vii Abstract ix List of Figures xiii List of Tables xv 1 Introduction 1 1.1 Permissions and Attributions . .5 2 Background and Related Work 7 2.1 Verification . .7 2.2 Architecture . 10 2.3 Typed Assembly . 11 3 Interface and Instruction Set Architecture 14 3.1 Introduction . 14 3.2 ISA . 18 3.3 Big Step Semantics . 23 3.4 Small Step Semantics . 36 3.5 Binary Encoding . 44 4 Lazy Implementation 52 4.1 Introduction . 52 4.2 Hardware Implementation . 56 4.3 Garbage Collection . 70 5 Strict Implementation 76 5.1 Introduction . 76 5.2 Hardware Implementation . 79 5.3 Garbage Collection . 86 xi 6 Software Reasoning 90 6.1 Introduction . 90 6.2 Proving Correctness . 100 6.3 Integrity Types . 103 6.4 Bounding Execution Time . 104 7 Implementing a Hardware Typechecker 107 7.1 Introduction . 107 7.2 Static Semantics . 108 7.3 Instruction Checking . 128 7.4 Hardware Implementation . 131 7.5 Fuzzing the Checker . 144 7.6 Provable Non-bypassability . 145 7.7 Checker Performance . 147 8 Conclusion and Future Work 155 8.1 Future Work . 157 A Progress and Preservation of Zarf Typesystem 163 B Integrity Typing 171 B.1 Typesystem . 171 B.2 Proof of Soundness . 174 Bibliography 179 xii List of Figures 3.1 Zarf ISA Abstract Syntax . 22 3.2 Zarf big-step semantics, part 1 . 25 3.3 Zarf big-step semantics, part 2 . 26 3.4 Zarf big-step semantics helper functions . 27 3.5 Small step semantics, part 1 . 37 3.6 Small step semantics, part 2 . 38 3.7 Zarf binary encoding . 45 3.8 Example translation of an assembly program . 47 4.1 Zarf lazy implementation state machine . 57 4.2 Lazy info word structure . 61 4.3 Lazy GC model . 71 5.1 Zarf strict implementation state machine . 78 5.2 Strict Zarf Stack activation record . 82 5.3 Full state machine for strict Zarf garbage collector. 86 6.1 Lines of proof code . 92 6.2 ICD application filter passes .