Virtual Memory Simulation Theorems€¦ · (impossibility of hacking) 4. Writes to code section are...

Virtual MemorySimulation Theorems

Mark A. Hillebrand, Wolfgang J. Paul{mah,wjp}@cs.uni-sb.de

Saarland University, Saarbruecken, Germany

This workwas partiallysupported by

Virtual MemorySimulation Theorems – p.1

OverviewTheorem: the parallel user programs of a main framesee a sequentially consistent virtual shared memory(Correctness of main frame hardware & part of OS)


ContextA (practical) approach for the complete formalverification of real computer systems:

1. Specify (precisely)

2. Construct (completely)

3. Mathematical correctness proof

4. Check correctness proof by computer

5. Automate approach (partially; recall Gödel)


Example: Processor design1.–3. [MP00]

Computer Architecture:Complexity and CorrectnessSpringer

4. [BJKLP03]Functional verification of the VAMP processorCharme ’03

5. PhD Thesis Project S. Tverdyshev(Khabarovsk State Technical University)


Why Memory Management?Layers of computer systems (all using localcomputation and communication):

User Program

Operating System

Hardware

! In memory management hardware and softwareare coupled extremely tightly.


DLX ConfigurationA processor configuration of the DLX is a pairc = (R,M):

• R : {register names} → {0, 1}32

where register names PC ,GPR(r), status, . . .

• M : {memory addresses} → {0, 1}8

where memory addresses ∈ {0, 1}32

Standard definition is an abstraction:real hardware usually has no 232 bytes main memory


DLX V ConfigurationA virtual processor configuration of DLX V is a triplec = (R,M, r):

• R : {register names} → {0, 1}32

where register names: PC ,GPR(r), status, . . .

• M : {virtual memory addresses} → {0, 1}8

where virtual memory addresses ∈ {0, 1}32

• r : {virtual memory addresses} → {R, W}where the rights R (read) and W (write) areidentical for each page (4K).

! DLX V is a basis for user programs.


DLX S ConfigurationA real specification machine configuration of DLX S

is a triple cS = (RS,PM , SM ):• RS \ R:

• mode system mode (0) or user mode (1)• pto Page table origin• ptl Page table length (only for exceptions)

• PM physical memory• SM swap memory

! DLX S is hardware specification.


Page-Table Lookup

(pto,012) px bx

+

32Page Table 20

ppx

02

Let c = (RS,PM , SM ).• Virtual address

va = (px, bx)

px: page indexbx: byte index

• PTc(px) = PM 4(〈pto〉 + 4 · 〈px〉)

=31 1 0

vwrppx[19 : 0] · · ·

12 11 3 2

ppxc(va): physical page indexvc(va): valid bit (↔ page in PM)


Address Translation(pto,012) px bx

+

32Page Table 20

ppx

02

pmac(va)

20

12Let c = (RS,PM , SM ).

• Virtual addressva = (px, bx)

px: page indexbx: byte index

• pmac(va) = (ppxc(va), bx)pmac: physical memory address

• To access swap memory, we also define:smac: swap memory address (e.g. sbasec + va)


Instruction ExecutionDLX V uses virtual addresses:

• Fetch: va = DPC (delayed PC)• Effective address of load/store:

va = ea = GPR(RS1 ) + imm (register relative)

Hardware DLX S for mode = 1 (user):• If vc(va), use translated addresses pmac(va)

instead of va.• Otherwise, exception.

(hardware supplies parameters for page faulthandler)


Hardware Implementation

IMMU

DMMU

fetch

load,store

DCache

ICache

PMCPU

• Build 2 hardware boxes MMU (memorymanagement unit for fetch and load/store)between CPU and caches

• Show it translates• Done



IMMU

DMMU

fetch

load,store

DCache

ICache

PMCPU

• Build 2 hardware boxes MMU (memorymanagement unit for fetch and load/store)between CPU and caches

• Show it translates• Done

No!



IMMU

DMMU

fetch

load,store

DCache

ICache

PMCPU

• Build hardware boxes MMU & a few gates• Identify software conditions• Show MMU translates if software conditions are

met• Show software meets conditions• Almost done

We do not care about translation (purely technical),we care about a simulation theorem.


Simulating DLX V by DLX S

Let c = (RS,PM , SM ) and cV = (RV ,PM , r).Define a projection: cV = Π(c)

• Identical register contents: RV (r) = RS(r)

• Rights in page table:R ∈ r(va) ⇔ rc(va) = 1

W ∈ r(va) ⇔ wc(va) = 1



VM (va) =

{

PM (pmac(va) if vc(va)

SM (smac(va) otherwise

ppx

v

SM

bxpx

page(px)

PT (px)

PM

va

1

PM cache for virtual memory, PT is cache directory.Handlers (almost!) work accordingly (select victim,write back to SM, swap in from SM)



VM (va) =

{

PM (pmac(va) if vc(va)

SM (smac(va) otherwise

SM

bxpx

ppx

v

page(px)

PT (px)

PM

va

0

PM cache for virtual memory, PT is cache directory.Handlers (almost!) work accordingly (select victim,write back to SM, swap in from SM)


Software Conditions1. OS code and data structures (PT, sbase,

free space) maintained in system areaSys ⊆ PM

2. OS does not destroy its code & dataTablePage

...

...

sbase

PM

User

Sys

3. User program (UP) cannot modify Sys(impossibility of hacking)

4. Writes to code section are separated from reads incode section by sync or (syncing) rfe

Standard sync empties pipelined or OoO (out oforder) machine before next instruction is issued.

! Swap in code then user mode fetch= self modification of code by OS & UP


Guaranteeing Software Conditions1. Operating system construction

2. Operating system construction

3. No pages of Sys allocated via PT to UP

4. UP alone not self modifying, handlers end withrfe


Hardware ICPU – memory system – protocol

load / store

fetch

DCache

ICache

PMCPU

Cache Miss

DPC

I

addr

dout

DPC

mbusy

mr

Cache Hit

clk

I


Hardware IIInserting 2 MMUs:

IMMU

DMMU

fetch

load,store

DCache

ICache

PMCPU

Must obey memory protocol at both sides!


Primitive MMUPrimitive MMU controlled by finite state diagram (FSD)

c.addr[31:2]p.din[31:0]

arce

[31:2]

add

(r,w,v)

t

[31:12]

pte[31:0]

drce

c.din[31:0]

[11:0] [31:12]

[31:0]

(p.addr[31:2],0^2)

ptl[19:0] pto[19:0]

0^2 0^12

[31:0]lexcp

[2:0]

1 0

1 0

+<

ar[31:0]

dr[31:0]

idle

add:arce,addp.busy

p.req &p.t

seta:arce,p.busy

p.req &/p.t

lexcp

readpte:c.mr,drce

p.busy

/lexcp

c.busy

comppa:arce,p.busy

/c.busy

pteexcp

read:c.mr,drce

p.busy

/pteexcp &p.mr

write:c.mw,p.busy

/pteexcp &p.mw

/c.busy

c.busy

/c.busy

c.busy

p.mr p.mw


MMU CorrectnessLocal translation lemma:Let T and V denote the start and end of a translatedread request, no excp. Let t ∈ {T, . . . , V }.Hypothesis: the following 4 groups of inputs do notchange in cycles t (i.e. X t = XT ):G0 : va = p.addrt, p.rdt, p.wrt, p.reqt

G1 : ptot, ptlt,modet

G2 : PT t

G3 : PM t(pmat(va)

Claim: p.dinV = PM T (pmaT (va))Proof: plain hardware correctness


Guaranteeing Hypotheses Gi

G0 MMU keeps p.busy active during translation

G1 Extra gates: normal sync before issue notenough. If rfe or update to {mode, pto, ptl} inissue stage, stop translation of fetch of nextinstruction.

G3 User program cannot modify Sys . Precedingsystem code terminated (by sync)

G4 Fetch: correct by syncLoad: assumes non-pipelined, in-order memoryunit, extra arguments otherwise


Global Hardware Correctness (fetch)Define scheduling functions I(k, T ) = i: instructionIi is in stage k during cycle T iff (. . . )

• Similar to tag computation• Key concept for hardware verification in SB

Hypothesis: I(fetch, T ) = i, translation from T to V

Claim: IR.dinV = PM iS(pmai

S(DPC iS))

Formal proof: part of PhD thesis project of I. Dalinger(Khabarovsk State Technical University)


Virtual Memory Theorem (SW only!)Consider a computation of DLX S:

Conf.

Phase

Mode

Initialisation User Program Handler User Program Handler

0

c0 cα−1

0 1

cα

1

c

0

c c

0 1

c

1

c

0

c

0

c

Initialisation: Π(cαS) = c0

V

Simulation Step Theorem:

! 2 page faults per instruction possible(fetch & load/store)


Virtual Memory Theorem IIAssume Π(ci

S) = cjV .

Define:

• Same cycle or first cycle after handler:

s1(i) =

{

i if ¬pff i ∧ ¬pfls i

min{j > i,modej} otherwise

• Cycle after pagefault-free user mode step:

s2(i) =

{

i + 1 if ¬pff i ∧ ¬pfls i

s1(s1(i)) + 1 otherwise

Claim: Π(cs2(i)S ) = c

j+1V


LivenessWe must maintain in Sys :MRSI (most recently swapped-in page)

Page fault handler must not evict page MRSI !

Formal proof: PhD thesis project of T. In der Rieden(Saarbrücken)


Translation Look-aside Buffers I1-level lookup: formally caches for PT-region of PM

• Consistency of 4 caches:ICache, DCache, ITLB, DTLB

• Simply invalidate TLBs at mode switch to 1,sufficient by sync conditions


Translation Look-aside Buffers IIMulti-level lookup: TLB is simplified cache hardware:

• Normal cache entry:v = 1 tag PM(tag,c ad)c ad

• TLB entry:v = 1 tag pmat(tag,c ad)c ad

t : time of last sync / rfeInvalidate at mode switch to 1

• No writeback or load of lines• Only ‘cache’ reads and writes of values pma(va)

by MMU

Formal verification trivial from verified cache


Multiuser with Sharing• Easy implementation and proof of protection

properties using right bits r(va) and w(va)


Main Frames I

Proc Proc Proc

Shared Memory

• PM: sequentially consistent shared memory (bycache coherence protocol)

• New software condition: before change of anypage table entry all processors sync

• Sync hardware: some AND trees and driver treesinterfaced with CPUConsidered alone almost completelymeaningless.


Main Frames IITheorem: user programs see sequentially consistentvirtual shared memoryProof: Phases OS - UPs OS UPsGlobal serial schedule:

• in each phase from sequential consistency ofphysical shared memory

• straight forward composition across phases• remaining arguments not changed!


Summary• Mathematical treatment of memory management• Intricate combination of hardware and software

considered• Formalization under way


Future WorkFormal verification of

• compilers,• operating systems,• applications,• communication systems

in industrial context. . .


Future WorkFormal verification of

• compilers,• operating systems,• applications,• communication systems

in industrial context. . .

. . . with a little help from my friends.


Virtual Memory Simulation Theorems€¦ · (impossibility of hacking) 4. Writes to code section are...

Documents

Transcript of Virtual Memory Simulation Theorems€¦ · (impossibility of hacking) 4. Writes to code section are...