TY - GEN
T1 - A Coq Framework for More Trustworthy DRAM Controllers
AU - Lisboa Malaquias, Felipe
AU - Asavoae, Mihail
AU - Brandner, Florian
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/6/7
Y1 - 2022/6/7
N2 - In order to prove conformance to memory standards and bound memory access latency, recently proposed real-time DRAM controllers rely on paper and pencil proofs, which can be troubling: they are difficult to read and review, they are often shown only partially and/or rely on abstractions for the sake of conciseness, and they can easily diverge from the controller implementation, as no formal link is established between both. We propose a new framework written in Coq, in which we model a DRAM controller and its expected behaviour as a formal specification. The trustworthiness in our solution comes two-fold: 1) proofs that are typically done on paper and pencil are now done in Coq and thus certified by it's kernel, and 2) the reviewer's job develops into making sure that the formal specification matches the standards - instead of performing a thorough check of the underlying mathematical formalism. Our framework provides a generic DRAM model capturing a set of controller properties as proof obligations, which all implementations must comply with. We focus on properties related to the respect of timing constraints imposed by the memory standards, the correctness of the DRAM command protocol and the assertiveness that every incoming request is handled in bounded time. We refine our specification with two implementations based on widely-known arbitration policies - First-in First-Out (FIFO) and Time-Division Multiplexing (TDM). We extract proved code from our model and use it as a "trusted core"on a cycle-accurate DRAM simulator.
AB - In order to prove conformance to memory standards and bound memory access latency, recently proposed real-time DRAM controllers rely on paper and pencil proofs, which can be troubling: they are difficult to read and review, they are often shown only partially and/or rely on abstractions for the sake of conciseness, and they can easily diverge from the controller implementation, as no formal link is established between both. We propose a new framework written in Coq, in which we model a DRAM controller and its expected behaviour as a formal specification. The trustworthiness in our solution comes two-fold: 1) proofs that are typically done on paper and pencil are now done in Coq and thus certified by it's kernel, and 2) the reviewer's job develops into making sure that the formal specification matches the standards - instead of performing a thorough check of the underlying mathematical formalism. Our framework provides a generic DRAM model capturing a set of controller properties as proof obligations, which all implementations must comply with. We focus on properties related to the respect of timing constraints imposed by the memory standards, the correctness of the DRAM command protocol and the assertiveness that every incoming request is handled in bounded time. We refine our specification with two implementations based on widely-known arbitration policies - First-in First-Out (FIFO) and Time-Division Multiplexing (TDM). We extract proved code from our model and use it as a "trusted core"on a cycle-accurate DRAM simulator.
KW - Coq
KW - DRAM
KW - Formal Proof Assistant
KW - Memory Controller
U2 - 10.1145/3534879.3534907
DO - 10.1145/3534879.3534907
M3 - Conference contribution
AN - SCOPUS:85132391531
T3 - ACM International Conference Proceeding Series
SP - 140
EP - 150
BT - RTNS 2022 - Proceedings of the 30th International Conference on Real-Time Networks and Systems
PB - Association for Computing Machinery
T2 - 30th International Conference on Real-Time Networks and Systems, RTNS 2022
Y2 - 7 June 2022 through 8 June 2022
ER -