Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems...

Post on 28-Dec-2015


Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems

1

Georg Hofferek

IAIK – Graz University of Technology
georg.hofferek@iaik.tugraz.at

Aspects of Property Synthesis
Georg Hofferek, Taipei, 2010-09-17

Aspects of Property Synthesis

An Overview of IAIK’s Background and Current Work on the Topic

http://www.iaik.tugraz.at


Overview

Who We Are & What We Do
Property Synthesis in a Nutshell
From Strategies to Circuits
Synthesis with Uninterpreted Functions
Other Work in Our Group


TUG – Who We Are

Graz University of Technology. Departments:
Architecture
Civil Engineering
Mechanical Engineering and Economic Sciences
Electrical and Information Engineering
Technical Mathematics and Technical Physics
Technical Chemistry, Chemical Process Engineering, Biotechnology

Department of Computer Science. Institutes:
Information Systems and Computer Media
Knowledge Management
Foundations of Computer Science
Semantic Data Analysis / Knowledge Discovery
Visual Computing
Computer Graphics and Knowledge Visualization
Software Technology
Applied Information Processing and Communications (IAIK)


IAIK – Who We Are

IT Security & Correctness
~60 researchers
3 professors: Roderick Bloem, Reinhard Posch, Vincent Rijmen

Affiliates:
SIC – Foundation Secure Information and Communication, founded by IAIK
A-SIT – Center for Secure Information Technology


What We Do

Secure & Correct Systems
e-government
VLSI
Cryptography


Cryptography

Lead: Prof Vincent Rijmen
Design and Analysis of Ciphers (AES)
Design and Analysis of Hash Functions
Grøstl submitted to the NIST SHA-3 competition
SHA-1 Analysis
Implementation of Cryptographic primitives


VLSI

Lead: Manfred Aigner
Application-specific crypto hardware
RFID
Hardware Implementation of Cryptographic Algorithms (“AES on a Grain of Sand”)
Implementation Attacks (side-channel, fault injection, etc.):
Vulnerability Analysis
Design Styles & Methodologies for Attack Resistance
Security Protocols for RFID
Instruction Set Extensions (embedded systems)


e-Government

Lead: Herbert Leitold
Austrian citizen card
Electronic identity
Electronic signature
Official signature (Amtssignatur)
Interoperability of e-identities (STORK)
Electronic delivery (legally binding)
Authenticated work flows
Modules for Online Applications (MOA)


Secure & Correct Systems (SCoS)

Lead: Roderick Bloem

Java Crypto Toolkit (commercial)
Implementation of Java Crypto Extensions, CCE-certified
Ciphers, hash functions, signature schemes, key management
Current focus: XML-Security (W3C), XAdES (also interoperability testing (ETSI)), ECC, CAdES

Formal Methods
Verification and Debugging
Correct by Construction

Network Security
Trusted Computing


Formal Methods for Design & Verification

Roderick Bloem Lead

Karin Greimel Theory of Property Synthesis

Georg Hofferek Practical Aspects of Property Synthesis

Robert Könighofer Spec Debugging & Program Repair


EU Project COCONUT (2008-2010)

Synthesizing circuits from specs
No more coding!
Efficient synthesis
Effective specifications
Robustness
Spec debugging
Transaction-level synthesis
Applications to debugging

[Figure: Design Intent, Specification and Implementation, connected by Check and Synthesis]


EU Project DIAMOND (2010-2012)

Automated location and correction techniques
Transaction Level (“Software” Model)
Implementation Level (RT or Gate Level)

Implementation of a reasoning framework
word-level techniques
formal, semi-formal techniques
dynamic techniques


PROPERTY SYNTHESIS IN A NUTSHELL


Synthesis Flow

1. Write down Properties of System (in formal way)
2. Find Winning Strategy (if one exists)
3. Build Combinational Functions adhering to Strategy


Open (Reactive) Systems

Infinite Sequence of Inputs

Infinite Sequence of Outputs

Examples:
Bus Arbiter
Lift Controller
Traffic Lights
…

[Figure: System with Inputs and Outputs]


Mealy Machine

[Figure: System consisting of State (Memory/Flipflops) and Combinational Logic, with Inputs and Outputs]


Properties

A property describes a subset of all possible input/output traces of a system
“The traffic lights will show green infinitely many times for all directions.”
“The signals ack1 and ack2 will never be high at the same time.”
“Whenever the button is pushed, the lift will eventually arrive at the respective floor.”

Can be formalized in different ways
LTL Formulas
Büchi Automata
…

“What to do” vs. “How to do it”


The Game Point of View

2 Players
1. Environment (Inputs)
2. System (Outputs)

State Memory

“Rules” and Winning Condition Defined by Properties


Example: Tic Tac Toe

Goal (for Player 2): Make three O in a line, or prevent Player 1 from having three X in a line.

[Figure: Tic Tac Toe board positions]


Strategy

Maps a state of the game to a set of conforming moves

[Figure: a Tic Tac Toe position and the boards reached by its conforming moves]


Winning Strategies

Player wins, if she adheres to strategy

Computed using Game Graph

Example: Tic Tac Toe

1. Win: If you have two in a row, play the third to get three in a row.
2. Block: If the opponent has two in a row, play the third to block them.
3. Fork: Create an opportunity where you can win in two ways.
…
8. Empty Side: Play an empty side.

http://en.wikipedia.org/wiki/Tic-tac-toe


FROM STRATEGIES TO CIRCUITS


Strategies Represented as Relations

Represented Symbolically (BDDs)
More Freedom than Functions

[Figure: System with State (Memory/Flipflops) and Combinational Logic; the combinational logic is described by a relation R over I (all inputs to combinational logic) and O (all outputs of combinational logic)]


Freedom in Relations

Input (i1 i2)    Output (o1 o2 o3)
0 0              0 1 0
0 1              1 0 –
1 0              1 1 0, 0 0 1
1 1              1 0 0, 0 1 1, 1 1 –

Fixed Output, No Freedom
“Don’t Care”: 1 0 – = 1 0 0, 1 0 1
Multiple Vertices, Not Expressible with Don’t Cares.


Compatible Function

Input (i1 i2)    Output (o1 o2 o3)            Compatible Function (example)
0 0              0 1 0                        0 1 0
0 1              1 0 –                        1 0 0
1 0              1 1 0, 0 0 1                 1 1 0
1 1              1 0 0, 0 1 1, 1 1 –          1 1 0


Solving Relations

Problem: Given a Boolean relation, find a compatible (multi-output) Boolean function, which is minimal with respect to some cost function (e.g. gate count).

Our relations are large → many compatible functions

Use freedom in a meaningful way
Share common sub-functions


Simple Cofactor Approach

For each output do:

1. Abstract other outputs

2. Find cofactors w.r.t. output

3. Remove redundant variables (*)

4. Compute care-set

5. Minimize positive cofactor w.r.t. care-set

6. Substitute output in relation with computed function

[R. Bloem et al., “Specify, Compile, Run: Hardware from PSL”, COCV’07]

[Figure: cofactors p and n, and function f]


Resubstitution

Input (i1 i2)    Output (o1 o2 o3)                        Compatible Function (example)
0 0              0 0 0, 0 0 1, 0 1 0, 0 1 1, 1 1 1        1 . . .
0 1              1 0 0, 1 0 1                             1 . . .
1 0              0 0 1, 1 0 1                             1 . . .
1 1              1 0 0                                    1 . . .

Loss of freedom for o2 and o3


Circuit Construction

Strategy and compatible functions are represented as Binary Decision Diagrams (BDDs)

BDDs can easily be dumped into a network of multiplexers


IMPROVEMENTS WE WORKED ON


Overview

DAC’04 Recursive Conflict-Solving Approach [Baneres et al.]

Other Minimization Methods
Minato-Morreale’s Irredundant Sum-of-Products Algorithm
Generalized Version of ISoP

Caching to Increase Sharing of Sub-Functions

Combining the Above


DAC’04 Recursive Approach

Based on: D. Baneres et al., “A Recursive Paradigm to Solve Boolean Relations”, DAC’04

Basic Idea:
Resubstituting outputs takes away freedom
Freedom decreases with each output → bad for minimization
Minimize outputs independently, resolve conflicts (if any) recursively

Branch & Bound Algorithm, with arbitrary cost function


Independent Output Minimization

Input: Relation R, inputs I, outputs O

    F = 1
    foreach o in O do:
        R' = exists O\o . R                  // abstract all other outputs
        F = F * (o <-> Minimize(R', o))      // no resubstitution

    C = F * not(R)                           // check for conflicts
    if C != 0:
        (X, y) = pickConflict(C)
        (R1, R2) = Split(R, X, y)            // divide & conquer
        Recursively solve R1, R2

[Table: Inputs, Outputs, Function]
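The cofactor approach with resubstitution and the independent minimization above, run on the relation from the “Freedom in Relations” table, as an added Python example (not code from the talk or from the authors' tool). Assumptions: the relation is held as explicit sets instead of BDDs, the minimization step is replaced by taking the lower or upper bound of each output's interval, and all function names are hypothetical.

```python
# Relation from the "Freedom in Relations" table:
# input (i1, i2) -> allowed output vertices (o1, o2, o3).
# The row "1 1 -" is expanded into both values of the don't-care bit.
R = {
    (0, 0): {(0, 1, 0)},
    (0, 1): {(1, 0, 0), (1, 0, 1)},
    (1, 0): {(1, 1, 0), (0, 0, 1)},
    (1, 1): {(1, 0, 0), (0, 1, 1), (1, 1, 0), (1, 1, 1)},
}
N_OUT = 3


def interval(rel, k):
    """Abstract all outputs except o_k; return (ON, DC) as sets of inputs."""
    on, dc = set(), set()
    for x, outs in rel.items():
        values = {o[k] for o in outs}      # exists O\o_k . R, at input x
        if values == {1}:
            on.add(x)                      # only the positive cofactor holds
        elif values == {0, 1}:
            dc.add(x)                      # both cofactors hold: free choice
    return on, dc


def pick(on, dc, policy):
    """Stand-in for the minimization step: take one bound of the interval."""
    return set(on) if policy == "lower" else on | dc


def cofactor_approach(rel, policy="lower"):
    """Solve output by output, resubstituting each chosen function."""
    rel = {x: set(outs) for x, outs in rel.items()}
    funcs = []
    for k in range(N_OUT):
        f = pick(*interval(rel, k), policy)
        funcs.append(f)
        for x in rel:                      # resubstitution removes freedom
            rel[x] = {o for o in rel[x] if o[k] == int(x in f)}
    return funcs


def independent(rel, policy="lower"):
    """Choose every output from the original relation (no resubstitution)."""
    return [pick(*interval(rel, k), policy) for k in range(N_OUT)]


def evaluate(funcs, x):
    """Output vertex produced by the multi-output function at input x."""
    return tuple(int(x in f) for f in funcs)


def conflicts(rel, funcs):
    """Inputs whose output vertex is not allowed by the relation: F * not(R)."""
    return sorted(x for x in rel if evaluate(funcs, x) not in rel[x])


if __name__ == "__main__":
    for name, solve in (("cofactor", cofactor_approach), ("independent", independent)):
        for policy in ("lower", "upper"):
            fs = solve(R, policy)
            print(name, policy, [evaluate(fs, x) for x in sorted(R)], conflicts(R, fs))
```

With resubstitution the result is always compatible; the independent choice can land on a vertex outside the relation, which is the conflict the recursive approach then has to split on.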


Our Results with the DAC’04 Approach

Complete Search Infeasible
Depth-First Search (Recursion Limit)
Breadth-First Search (Call Limit)
Quick Solution (Cofactor Approach) after using up resources

No significant improvements over initial solution (so far)
Maybe bad choice of conflicts
Use Minato-Morreale algorithm instead of cofactor approach (not implemented in our tool yet)


Incompletely Specified Functions

[Figure labels: ON-Set, Don’t-Care-Set, OFF-Set, ON-Set of Completely Specified Function]


Lattice of Functions

[Figure: lattice of the functions f0 … f15, drawn by their ON-Sets; two functions are either ordered (f1 > f2) or incomparable. An Interval lies between the Lower Bound (ON-Set) and the Upper Bound (ON-Set + DC-Set).]


Minato-Morreale Algorithm

Irredundant Sum-of-Products: No single literal or cube can be deleted without changing the function.

Recursive Procedure: ISoP = v’ * ISoP0 + v * ISoP1 + ISoPd

Starts with Incompletely Specified Function

[S. Minato, “Fast generation of irredundant sum-of-products forms from binary decision diagrams“, SASIMI’92]


Minato-Morreale Algorithm (2)

Given: Incompletely Specified Function (ON, DC)

In each step: Find literal v and ISFs for ISoP0, ISoP1, ISoPd, such that

ISoP = v’ * ISoP0 + v * ISoP1 + ISoPd

lies in the interval [ON, ON+DC].

Recur on ISoP0, ISoP1, ISoPd


Finding ISoP0

All diagrams show ON-Sets only!

[Figure: ON-Sets of L, U, the cofactors Uv, Uv’ and Lv’, the difference Lv’ – Uv, and ISoP0]

Given: Upper and Lower Bound of ISoP:
Cofactors of Upper Bound:
Cofactor of Lower Bound:
Minimum set which must be multiplied by v’:
Interval for ISoP0:


Finding ISoP1, ISoPd

ISoP1: similar to ISoP0, with opposite cofactors

ISoPd:

[Figure: ON-Sets of L, U, the cofactors Uv and Uv’, and of ISoP0, ISoP1 and ISoPd]

Upper Bound for ISoPd:
Lower Bound for ISoPd:
Interval for ISoPd:


Terminal Cases of Recursion

L = 0

U = 1

L = U

[Figure: lattice of the functions f0 … f15]


Circuit Construction Along the Way

ISoP = v’ * ISoP0 + v * ISoP1 + ISoPd

[Figure: circuit computing ISoP from v, ISoP0, ISoP1 and ISoPd with two AND gates and one OR gate]
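The Minato-Morreale recursion from the preceding slides, as an added Python example (not code from the talk or from the authors' tool). Assumptions: functions are explicit truth tables stored as integers instead of BDDs (bit m is the value on minterm m, bit i of m is variable x_i), variables are split in fixed order, and all names are hypothetical.

```python
def table(minterms):
    """Truth table as an integer: bit m is the function value on minterm m."""
    return sum(1 << m for m in minterms)


def var_mask(i, n):
    """Truth table of the literal x_i over n variables."""
    return sum(1 << m for m in range(1 << n) if (m >> i) & 1)


def cofactors(f, i, n):
    """Return (f with x_i = 0, f with x_i = 1) as tables that ignore x_i."""
    mask, shift = var_mask(i, n), 1 << i
    neg, pos = f & ~mask, f & mask
    return neg | (neg << shift), pos | (pos >> shift)


def isop(lower, upper, n, i=None):
    """Irredundant cover F with lower <= F <= upper.

    Returns (cubes, table of F); a cube maps variable index -> 0 or 1.
    """
    full = (1 << (1 << n)) - 1
    if i is None:
        i = n - 1
    assert lower & ~upper & full == 0, "lower bound must imply upper bound"
    if lower == 0:                 # terminal case L = 0: empty cover
        return [], 0
    if upper == full:              # terminal case U = 1: tautology cube
        return [{}], full
    l0, l1 = cofactors(lower, i, n)
    u0, u1 = cofactors(upper, i, n)
    # Minimum set that must be multiplied by v': Lv' - Uv, bounded above by Uv'.
    c0, f0 = isop(l0 & ~u1 & full, u0, n, i - 1)
    # ISoP1: the same with opposite cofactors.
    c1, f1 = isop(l1 & ~u0 & full, u1, n, i - 1)
    # ISoPd covers what is still uncovered and must fit both cofactors of U.
    ld = (l0 & ~f0 | l1 & ~f1) & full
    cd, fd = isop(ld, u0 & u1, n, i - 1)
    mask = var_mask(i, n)
    cubes = [{**c, i: 0} for c in c0] + [{**c, i: 1} for c in c1] + cd
    return cubes, (~mask & f0 | mask & f1 | fd) & full


def cover_table(cubes, n):
    """Truth table of a sum of cubes, computed independently of isop()."""
    full = (1 << (1 << n)) - 1
    result = 0
    for cube in cubes:
        t = full
        for i, val in cube.items():
            m = var_mask(i, n)
            t &= m if val else full & ~m
        result |= t
    return result


def show(cubes):
    """Render a cover, e.g. x0x2 + x0x1; x1' is the negated literal."""
    terms = ["".join(f"x{i}" + ("" if v else "'") for i, v in sorted(c.items())) or "1"
             for c in cubes]
    return " + ".join(terms) or "0"


if __name__ == "__main__":
    on, dc = table({3, 5, 7}), table({1})      # constructed sample ISF
    print(show(isop(on, on | dc, 3)[0]))       # interval [ON, ON + DC]
    print(show(isop(on, on, 3)[0]))            # same ON-set, no freedom
```

The constructed sample shows what the don't-care minterm buys: one literal with it, two two-literal cubes without it.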


Generalization of ISoP-Algorithm

ISoP splits off one literal v at a time:

ISoP = v’ * ISoP0 + v * ISoP1 + ISoPd

Instead: Split off arbitrary (simple) function f

ISoP = f’ * ISoP0 + f * ISoP1 + ISoPd

How to choose good divisors (for intervals)? E.g. Kernels, Co-Kernels, … of lower bound?

Preliminary results are not promising


Caching Intermediate Results

Given interval [L, U], check whether a function f: L ≤ f ≤ U has already been “built”.
Reuse Wire

[Figure: circuit computing ISoP from v, ISoP0, ISoP1 and ISoPd with AND and OR gates, next to the lattice of the functions f0 … f15]


Cache Issues

Memory Constraints
Cannot save all intermediate results
Cache Policy: Which ones to delete?
“Smaller” functions have higher reuse probability?

Efficient Cache Lookup
2 comparisons needed to check whether function is in an interval
Minimize function comparisons
How can this be done?


Simulation-Based Lookup

Don’t Store Functions, Use “Signatures”
Random Input Vectors
Corresponding Outputs
Compact in Memory
Quick Comparison (Bit-Vectors)

Candidate function must have
at least as many 1s as the lower bound of interval
not more 1s than the upper bound of interval

Discard candidate function on first violation of above property
False Positives

Reconstruct Functions on Demand

Input        Out
110010110    0
001000101    1
110110110    1
100100111    0
…            …

cf. [A. Mishchenko, “FRAIGs: A unifying representation for logic synthesis and verification”, Tech Report, 2005]


SYNTHESIS WITH UNINTERPRETED FUNCTIONS


What is an Uninterpreted Function?

A function… (obviously)
Possibly n-ary
Mapping input value(s) to output value

... which is uninterpreted.
i.e., we do not know/care about its “internals”

But: functional consistency

for n-ary function:

[Figure: block f with input a and output f(a)]


What is a controller?

[Figure: Controller and Datapath; inputs, control signals, status signals, outputs]

Datapath includes:
• memory
• arithmetic components
  • adders
  • multipliers
  • …
• other data manipulating stuff

Controller versus Datapath are like:
• Driver versus Car
• Musician versus Piano
• …


Motivation: Pipelined Microprocessor

[Figure: Registers / Memory and pipeline stages driven by control signals c1, c2, …, cn from the Controller]


Equivalence: Commutativity

[Figure: diagram relating the Pipelined Architecture and the Non-Pipelined Architecture; edge labels: flush, flush, step, instruction]


(Very) Simple Example

[Figure: block diagrams of the Non-pipelined Architecture (= reference) and the Pipelined Architecture; labels: Registers REG, ALU, control, v, w, Read, Write, source, dest]


Synthesis Approach

Define equivalence criterion:

Claim:

Reads: “For all (initial) array contents, for all interpretations of the functions, and for all inputs and initial states, there are control values, and resulting new array contents and next states, such that the equivalence criterion evaluates to true.”

If the claim is valid, extract


Example: Equivalence Criterion

complete – ISA:

step – complete:

Equivalence criterion:

[Figure: the two paths complete – ISA and step – complete]


Transformations

Equivalence criterion is a first-order formula, using the theories of
Arrays (A)
Uninterpreted Functions (U)
Equality (E)

Three reductions/transformations:
A-U-E → U-E (proof done)
U-E → E (proof in progress)
E → Propositional Logic (proof in progress)


A-U-E → U-E

1. Replace Array-Writes with fresh variables and apply write axiom

2. Replace existential quantifications with fresh variables

3. Replace universal quantifications with conjunction over index set

4. Replace Array-Reads with uninterpreted functions


Ackermann’s Reduction: UIF-E → E

Replace all function instances with fresh variables and thus obtain

Add functional consistency constraints and obtain

?
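Ackermann's reduction as described above (fresh variables for function instances, plus functional consistency constraints), as an added Python example that is not code from the talk. Assumptions: formulas are nested tuples with the hypothetical operators "=", "not", "and" and "imp", variables are strings, fresh names such as f_1 do not clash with existing variables, and validity of the resulting equality formula is checked by brute force over a domain with as many values as variables.

```python
from itertools import product


def conj(parts):
    """Conjunction of a non-empty list of formulas."""
    result = parts[0]
    for p in parts[1:]:
        result = ("and", result, p)
    return result


def ackermann(phi):
    """Return (flattened formula, list of functional consistency constraints)."""
    fresh = {}                                   # (fname, flat args...) -> variable

    def flat_term(t):
        if isinstance(t, str):
            return t
        key = (t[0],) + tuple(flat_term(a) for a in t[1:])
        if key not in fresh:
            fresh[key] = f"{t[0]}_{len(fresh) + 1}"
        return fresh[key]

    def flat(p):
        if p[0] == "=":
            return ("=", flat_term(p[1]), flat_term(p[2]))
        return (p[0],) + tuple(flat(q) for q in p[1:])

    flat_phi = flat(phi)
    insts = list(fresh.items())
    constraints = []
    for a in range(len(insts)):
        for b in range(a + 1, len(insts)):
            (ka, va), (kb, vb) = insts[a], insts[b]
            if ka[0] == kb[0] and len(ka) == len(kb):
                same_args = conj([("=", x, y) for x, y in zip(ka[1:], kb[1:])])
                constraints.append(("imp", same_args, ("=", va, vb)))
    return flat_phi, constraints


def variables(p):
    if p[0] == "=":
        return {p[1], p[2]}
    return set().union(*(variables(q) for q in p[1:]))


def holds(p, env):
    op = p[0]
    if op == "=":
        return env[p[1]] == env[p[2]]
    if op == "not":
        return not holds(p[1], env)
    if op == "and":
        return holds(p[1], env) and holds(p[2], env)
    if op == "imp":
        return (not holds(p[1], env)) or holds(p[2], env)
    raise ValueError(op)


def is_valid(p):
    """Validity of an equality formula without function symbols."""
    names = sorted(variables(p))
    return all(holds(p, dict(zip(names, vals)))
               for vals in product(range(len(names)), repeat=len(names)))


def valid_with_uf(phi):
    """phi is valid iff (consistency constraints -> flattened phi) is valid."""
    flat_phi, fc = ackermann(phi)
    return is_valid(("imp", conj(fc), flat_phi) if fc else flat_phi)


if __name__ == "__main__":
    congruence = ("imp", ("=", "a", "b"), ("=", ("f", "a"), ("f", "b")))
    print(ackermann(congruence))
    print(valid_with_uf(congruence))
```

Dropping the consistency constraints makes the flattened formula invalid, which is why the second step of the reduction cannot be skipped.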


E → Prop. Logic (Graph-based)

Build the non-polar equality graph
Make it chordal


E → Prop. Logic (continued)

Replace equalities with fresh Boolean variables

For each triangle in the equality graph, add the following conjunct to

Open point: Respect quantifier structure


Extract Function for Control Logic

We started from:

Apply transformations, obtain

Existentially quantify “next states” i.e., quantify all variables which “come from” one of the next state variables. E.g.

Expand existential quantification of Example:

Find cofactors of
Positive Cofactor: ON-Set + DC-Set
Negative Cofactor: OFF-Set + DC-Set

Find function in this interval

[Figure: ON-Set, Don’t-Care-Set, OFF-Set]


Results

We started from
a datapath of the target system
a reference implementation
an equivalence criterion

We obtained
Boolean function(s) for the control logic in terms of (dis-)equalities between inputs and states
Example:

[Figure: Datapath with an equality comparator (=)]


Open Points / Questions

Proof(s) for Transformations unfinished

Practical issues
Runtime complexity?
Efficiency:
BDDs
SMT Solvers
Certificates? Interpolants?

Implementation
Only hardcoded for simple pipeline example
Based on BDD operations
Not even (completely) finished


OTHER WORK AT OUR GROUP


Transaction Level Diagnosis and Repair

Find replacement of statement such that program is correct.
The simpler, the better
May depend on all variables in scope, no additional state

Find expression e such that replacing repair(...) with e makes assertion violations impossible

Checking if a given e is a repair is easy.
Find one: Maybe reuse ideas for dynamic detection of likely invariants.

    int foo(int a) {
      int x = 0, i = 0;
      x = a + 4;
      while (i < 3) {
        x = repair(x, i, a);
        /* and so on */

    int foo(int a) {
      int x = 0, i = 0;
      x = a + 4;
      while (i < 3) {
        x = x - 1;
        /* and so on */


Robust Systems

Tower controls ≤ 100 airplanes

What happens with the 101st plane?

1) System shut down
2) Ignore 101st plane
3) Control 101 planes, accepting a system slow down

Correct – Incorrect
vs.
Correct – Incorrect but reasonable


RATSY – A Tool for Property-based Design

Hi! My name is RATSY. I offer you:
Full support for property-based design.
Specifications: PSL or Büchi automata.
Game-based debugging features.
Automated correct-by-construction circuit synthesis.

[Figure: design flow. Design Intent → Formal Specification → realizable? YES: Synthesized Implementation → Simulation; NO: Debug Unrealizability. Undesired Behavior Observed → Enforce Desired Behavior.]

Formal specification (example): G(F(in out))

Synthesized implementation (excerpt):

    module main(clock,r1,…);
      input clock, r1,…;
      output g1,…;
      reg r1_ps, …;
      assign tmp0 = !r1;
      …
      initial
      begin
        r1_ps = 0;
        …
      end
      always @(posedge clock)
      begin
        g1_ps = tmp80;
        …
      end
    endmodule

Enforce Desired Behavior
Simply by modifying the trace:
Using automata or PSL:

[Figure: IN/OUT waveforms over time t, before and after modification]

Debug Unrealizability
Idea: Swapping the roles to pinpoint inconsistencies:

[Figure: Environment and System. “Adhere to this spec!” “Impossible!” “Try it!” With swapped roles: “Try this input!” “Indeed! Impossible!”]


Spec Debugging

[Figure: Environment and System connected by Inputs and Outputs, shown with a Strategy and with a Counter-strategy, under the headings “Reactive Systems” (Realizable Specification, Unrealizable Specification) and “Swapping the Roles for Debugging” (Unrealizable Specification, Realizable Specification)]