Semantics Driven Hardware Design, Implementation, and Verification with ReWire Adam Procter William L. Harrison Ian Graves Michela Becchi University of Missouri procteram@missouri.edu harrisonwl@missouri.edu iangraves@mail.missouri.edu becchim@missouri.edu Gerard Allwein U.S. Naval Research Laboratory gerard.allwein@nrl.navy.mil Abstract There is no such thing as high assurance without high assurance hardware. High assurance hardware is essential, because any and all high assurance systems ultimately depend on hardware that con- forms to, and does not undermine, critical system properties and in- variants. And yet, high assurance hardware development is stymied by the conceptual gap between formal methods and hardware de- scription languages used by engineers. This paper presents ReWire, a functional programming language providing a suitable founda- tion for formal verification of hardware designs, and a compiler for that language that translates high-level, semantics-driven designs directly into working hardware. ReWire’s design and implementa- tion are presented, along with a case study in the design of a secure multicore processor, demonstrating both ReWire’s expressiveness as a programming language and its power as a framework for for- mal, high-level reasoning about hardware systems. 1. Introduction This paper presents ReWire, a high level functional language for designing, implementing and verifying high assurance hardware systems. ReWire is a formally defined programming language for expressing reactive, concurrent, and parallel computations. ReWire is a computational λ -calculus [22] and, as such, is conducive to formal verification [14] of, in particular, security and safety prop- erties [15, 17]. ReWire is a subset of Haskell, where the subset has been carefully chosen so that every ReWire program may be compiled to working hardware implementations. In this work, we outline the design of the ReWire language, and present a substantial case study demonstrating that ReWire supports the rapid develop- ment and implementation of provably secure hardware. The philosophy driving the development of ReWire is the con- viction that semantic archaeology is the bane of high assurance computing. By “semantic archaeology”, we mean the process of developing a formal specification for an existing computing arti- Publication rights licensed to ACM. ACM acknowledges that this contribution was au- thored or co-authored by an employee, contractor or affiliate of the United States gov- ernment. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only. LCTES’15, June 18–19, 2015, Portland, OR, USA. Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 978-1-4503-3257-6//. . . $15.00. http://dx.doi.org/10.1145/2670529.2754970 fact. Semantic archaeology is time-consuming and expensive, be- cause such artifacts are rarely written with formal semantics in mind, and, consequently, the formal methods scientist must attempt a painstaking reconstruction of the system semantics from infor- mal and often incomplete natural language documents (if, indeed, such a reconstruction is even possible). ReWire aims to eliminate the need for semantic archaeology by encouraging a “semantics- first” design style. This is achieved by providing (1) a source lan- guage with a clear semantic foundation, (2) a compiler that trans- lates these source language programs directly into working imple- mentations, and (3) a formal framework for expressing and proving desired properties (including, but not limited to, security). The semantics-aware design process supported by ReWire is es- pecially valuable when semantically novel features are important, as is increasingly the case with modern architectures. Consider, for example, hardware-level support for the enforcement of secure in- formation flow policies. Traditionally, information flow concerns are handled in software by a separation kernel [28], which ensures that the sharing of hardware resources by high- and low-security processes does not result in unauthorized information flow. For em- bedded systems, however, the overhead of such a software-based solution may be cost prohibitive. Furthermore, moving this separa- tion functionality at least partially into hardware [23, 33] can bring great benefit with respect to reliability and verifiability; in high as- surance applications, this fact alone may justify the expenditure of a significant fraction of one’s transistor budget. The technical burden of constructing and verifying a separating processor is, however, quite substantial. Section 4 presents a case study demonstrating that ReWire substantially lightens that burden. Beginning with a ReWire-based implementation of a single-core processor supporting an off-the-shelf instruction set architecture, we will see that the extension of this design to a secure, verified dual-core processor may be undertaken with no instrumentation or modification of the original design, and that the proof of security is concise and readable. The point of departure for this work is the application of ideas from monadic semantics (esp., monads of resumptions and state and effect types) to the modeling and verification of concurrent systems [15–17]. As design tools, these ideas have many virtues. They are flexible and expressive, support formal analysis, and can be readily simulated with any Haskell implementation. In this pa- per we demonstrate that modular monadic semantics, previously applied to software artifacts such as interpreters and compilers [21] and operating system kernels [4, 15], is also useful in the realm of hardware design. Previous work [26] presents an informal descrip- tion of ReWire’s design in the form of a short paper. This paper