Physical Addressing on Real Hardware in Isabelle/HOL

  • Reto Achermann
  • Lukas Humbel
  • David Cock
  • Timothy Roscoe
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10895)


Modern computing platforms are inherently complex and diverse: a heterogeneous collection of cores, interconnects, programmable memory translation units, and devices means that there is no single physical address space, and each core or DMA device may see other devices at different physical addresses. This is a problem because correct operation of system software relies on correct configuration of these interconnects, and current operating systems (and associated formal specifications) make assumptions about global physical addresses which do not hold. We present a formal model in Isabelle/HOL to express this complex addressing hardware that captures the intricacies of different real platforms or Systems-on-Chip (SoCs), and demonstrate its expressivity by showing, as an example, the impossibility of correctly configuring a MIPS R4600 TLB as specified in its documentation. Such a model not only facilitates proofs about hardware, but is used to generate correct code at compile time and device configuration at runtime in the Barrelfish research OS.
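The abstract's central observation, that a core and a DMA engine may reach the same device at different local addresses, can be illustrated with a small executable model. The following is an added example in Python, not the paper's Isabelle/HOL model and not Barrelfish code: every node accepts some addresses itself and forwards others to another node after re-basing them, and `resolve` follows an address from the node that issues it to the resource that finally accepts it. The node names, ranges and the platform layout are all constructed for the example.

```python
from dataclasses import dataclass, field

GIB = 1 << 30

@dataclass(frozen=True)
class Range:
    base: int
    size: int
    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

@dataclass
class Node:
    accept: list = field(default_factory=list)     # Ranges terminated at this node
    translate: list = field(default_factory=list)  # (Range, target node, target base)

def resolve(net, name, addr, hops=16):
    """Follow addr, as issued at node `name`, to the (node, addr) that accepts it.
    Returns None if no node accepts it; raises if the translation chain never ends."""
    node = net[name]
    if any(r.contains(addr) for r in node.accept):
        return (name, addr)
    for src, target, tbase in node.translate:
        if src.contains(addr):
            if hops == 0:
                raise RuntimeError(f"no terminating node reached from {name}")
            return resolve(net, target, tbase + (addr - src.base), hops - 1)
    return None

# Constructed platform: one interconnect, DRAM, a UART, and two masters whose
# translation units place the same targets at different local addresses.
NET = {
    "dram":  Node(accept=[Range(0, GIB)]),
    "uart":  Node(accept=[Range(0, 0x1000)]),
    "bus":   Node(translate=[(Range(0, GIB), "dram", 0),
                             (Range(0x4000_0000, 0x1000), "uart", 0)]),
    "core0": Node(translate=[(Range(0, GIB), "bus", 0),
                             (Range(0x4000_0000, 0x1000), "bus", 0x4000_0000)]),
    "dma":   Node(translate=[(Range(0x1000_0000, 0x1000), "bus", 0x4000_0000),
                             (Range(0x8000_0000, GIB), "bus", 0)]),
}

def same_resource(net, a, b):
    """True if the (issuer, addr) pairs a and b name the same physical resource."""
    ra, rb = resolve(net, *a), resolve(net, *b)
    return ra is not None and ra == rb
```

With this layout the numeric address 0x1000_0000 is DRAM when issued by `core0` but the UART when issued by `dma`, which is exactly the situation in which an OS assuming one global physical address space programs the wrong target.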


  1. 1.
    Achermann, R.: Message passing and bulk transport on heterogenous multiprocessors. Master’s thesis, Department of Computer Science, ETH Zurich, Switzerland (2017)Google Scholar
  2. 2.
    Achermann, R., Cock, D., Humebl, L.: Hardware Models in Isabelle/HOL, January 2018.
  3. 3.
    Achermann, R., Humbel, L., Cock, D., Roscoe, T.: Formalizing memory accesses and interrupts. In: Proceedings of the 2nd Workshop on Models for Formal Analysis of Real Systems, MARS 2017, pp. 66–116 (2017)Google Scholar
  4. 4.
    Alglave, J.: A formal hierarchy of weak memory models. Form. Methods Syst. Des. 41(2), 178–210 (2012)CrossRefGoogle Scholar
  5. 5.
    The Barrelfish Operating System.
  6. 6.
    Beyer, S., Jacobi, C., Kröning, D., Leinenbach, D., Paul, W.J.: Putting it all together – formal verification of the VAMP. Int. J. Softw. Tools Technol. Transf. 8(4), 411–430 (2006)CrossRefGoogle Scholar
  7. 7.
    Bishop, M.K., Brock, C., Hunt, W.A.: The FM9001 Microprocessor Proof. Technical report 86, Computational Logic Inc. (1994)Google Scholar
  8. 8. Devicetree Specification, May 2016. Release 0.1.
  9. 9.
    Flur, S., Gray, K.E., Pulte, C., Sarkar, S., Sezgin, A., Maranget, L., Deacon, W., Sewell, P.: Modelling the ARMv8 architecture, operationally: concurrency and ISA. In: Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016, pp. 608–621. ACM, St. Petersburg (2016)Google Scholar
  10. 10.
    Fox, A., Myreen, M.O.: A trustworthy monadic formalization of the ARMv7 instruction set architecture. In: Kaufmann, M., Paulson, L.C. (eds.) ITP 2010. LNCS, vol. 6172, pp. 243–258. Springer, Heidelberg (2010). Scholar
  11. 11.
    Gerber, S., Zellweger, G., Achermann, R., Kourtis, K., Roscoe, T., Milojicic, D.: Not your parents’ physical address space. In: Proceedings of the 15th USENIX Conference on Hot Topics in Operating Systems, HOTOS 2015, p. 16 (2015)Google Scholar
  12. 12.
    Gu, R., Shao, Z., Chen, H., Wu, X., Kim, J., Sjöberg, V., Costanzo, D.: CertiKOS: an extensible architecture for building certified concurrent OS kernels. In: Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI 2016, pp. 653–669. USENIX Association, Savannah (2016)Google Scholar
  13. 13.
    Hunt, W.A., Kaufmann, M., Moore, J.S., Slobodova, A.: Industrial hardware and software verification with ACL2. Phil. Trans. R. Soc. A 375(2104), 20150399 (2017)CrossRefGoogle Scholar
  14. 14.
    Integrated Device Technology, Inc.: IDT79R4600 TM and IDT79R4700 TM RISC Processor Hardware User’s Manual, revision 2.0 edition, April 1995Google Scholar
  15. 15.
    Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an OS kernel. In: Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, SOSP 2009, pp. 207–220. ACM, Big Sky (2009)Google Scholar
  16. 16.
    Kocher, P., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., Yarom, Y.: Spectre Attacks: Exploiting Speculative Execution. ArXiv e-prints, January 2018Google Scholar
  17. 17.
    Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M.: Meltdown. ArXiv e-prints, January 2018Google Scholar
  18. 18.
    T.B. Project: Sockeye in BarrelfishGoogle Scholar
  19. 19.
    Reid, A.: Trustworthy specifications of ARM V8-A and V8-M system level architecture. In: FMCAD 2016, pp. 161–168. FMCAD Inc., Austin (2016)Google Scholar
  20. 20.
    Schwyn, D.: Hardware configuration with dynamically-queried formal models. Master’s thesis, Department of Computer Science, ETH Zurich, Switzerland (2017)Google Scholar
  21. 21.
    Texas Instruments: OMAP44xx Multimedia Device Technical Reference Manual, April 2014. Version AB.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Reto Achermann, Lukas Humbel, David Cock, Timothy Roscoe: Department of Computer Science, ETH Zurich, Zürich, Switzerland