

#### UNITED STATES

SAN JOSE, CA, USA MARCH 4-7, 2024

# Automating the Formal Verification of Firmware: A Novel Foundation and Scalable Methodology Bryan Olmos, Sanjana Sainath, Wolfgang Kunz, Djones Lettnin





## Motivation of the Paper

- Increase the reliability of firmware designs based on C code
- Help meet industry standards
- Reducing costs by catching problems earlier

| Software bugs                           | Consequences                               |  |  |  |
|-----------------------------------------|--------------------------------------------|--|--|--|
| Tesla recalls almost 12k vehicles, 2021 | A glitch in its Full-Self Driving software |  |  |  |
| T-Mobile data breach, 2021              | Affects 50 million customers               |  |  |  |
| Amazon AWS Outage, 2017                 | Problems for hundreds of websites          |  |  |  |





# Scope – Target Software

• This paper verifies software used to control hardware devices



Integrated Circuit Level

- Property Verification
- Weaknesses Detection
- Code Coverage



Source: D. Lettnin, M. Winterholer. Embedded Software Verification and Debugging. Springer. 2017.





#### Background – ISO26262-6 Standard

- ISO26262-6 specifies the requirements for product development at the software level for automotive applications
- The standard recommends the analysis of requirements and requirements based tests for all the ASIL (Automotive Safety Integrity Levels)
- To evaluate the code coverage, the standard specifies 3 metrics:
  - Statement coverage
  - Branch coverage
  - MC/DC (Modified Condition/Decision Coverage)





# Background – Model Driven Arhictecture (MDA)

- MoT: Formalization of things and their intended functionality
- MoP: Abstract property model
- MoV: Final layer targeting the verification of firmware deigns







## Background – Formal Verification and CBMC

- Testing-based techniques can only show the presence of bugs, not their absence
- CBMC Bounded Model Checker for ANSI C
  - Exhaustive analysis of the code
  - Cross-function verification
  - Detection of software weaknesses
  - Branch and MC/DC coverage





# Verification Challenges - Example

```
(1) int tolerance = 8;
   void select action(int v in, int v out){
(2)
(3)
      int v ratio;
      int action;
(4)
(5)
     v_ratio = abs(v_in/v_out) + tolerance;
      if (v ratio < 8){
(6)
(7)
           action = 1;
      } else if (v_ratio >= 8 && v_ratio <= 20){</pre>
(8)
(9)
           action = 2;
(10)
      } else {
(11)
           action = 3;
(12)
      }
     if (v_in > 100 && v_out> 80){assert(action == 2);}
(13)
(14)
       write register(action);
(15) }
```

- Detection of Weaknesses
  - Line 5: Division by 0
- Unreachable paths
  - Line 6: v\_ratio is never less than 8
- Safety Properties
  - Line 13: assertion must be verified for all the possible values.
- Automation of the process

function select\_action decision/condition `v\_ratio < 8' false: SATISFIED
function select\_action decision/condition `v\_ratio < 8' true: FAILED</pre>





#### Proposed Approach - Overview



#define \_\_mul(a,b)\_\_\_a\*b





## Proposed Approach – Initial Setup

- A "tag" is generated for each requirement
- This tag is assigned to the functions of the C code







void function\_req\_1(){

## Proposed Approach – Initial Setup(2)

- The safety properties must be linked into a metamodel which includes:
  - Preconditions
  - Postconditions
  - Hardware values (boot mode, reset mode)
  - Platform parameters: bound and architecture
  - Verification parameters: type of code coverage, weaknesses under analysis







## Proposed Approach – Generation of Contracts

- The contracts are generated based on the specification
  - (1)#ifndef FILE\_DECLARATION\_REQ\_1
    (2)#define FILE\_DECLARATION\_REQ\_1
  - (3)#include "file\_req\_1.c"
  - (4)#endif
  - (5)#include "formulas.h"

```
(6)void contract_requirement_1(){
(7)signed int nondet_int();
```

- (8) //Initial values for registers
- (9) REGISTER\_1\_\_WRITE(nondet\_int);
- (10) REGISTER\_2\_\_WRITE(nondet\_int);
- (11) HW\_VALUE(adress,value);
- (12) // Preconditions
- (13) if(REGISTER\_1\_READ() >= formula){
- (14) // Function Under Verification
- (15) function\_req\_1();
- (16) // Postconditions
- (17) assert(REGISTER\_2\_READ() == 1);
- (18)
- (19)

- file\_req\_1.c: C file implementing the requirement
- formulas.h: file with arithmetic expressions
- If required, input values in the function are also included in the contract





## Proposed Approach – Generation of Contracts

• To get the main code coverage, a new contract file was generated. This file calls the functions under verification of all the contracts

```
(1)#include "file_contract_1.c"
(2)#include "file_contract_2.c"
(3)//...
(4)#include "file_contract_n.c"
(5) int main(){
(6) contract_requirement_1();
(7) contract_requirement_2();
(8)//...
(9) contract_requirement_n();
(10) }
```





## Proposed Approach – Makefile Example

• The user can access the verification parameters via a Makefile

```
run_verification:
    python run_verification.py \
    --specification_file = file.xml \
    --code_folder = files/source_folder/ \
    --weaknesses=ad \
    --cc=mb \
    --bound=16 \
    --arch=32 \
    --D=__CBMC__
```

- file.xml: generated by our in-house specification tool
- source\_folder: location of C code
- a (arithmetic overflow check)
- d (division by zero check)
- m (MC/DC coverage)
- b (branch coverage)
- --D: directives of the code





## Proposed Approach – Generation of Scripts

• The scripts are generated based on the Makefile

```
(file= open("results.xml",'w')
subprocess.check_call(['cbmc',
'-I', 'folder_1/',
'-I', 'folder 2/',
'-D', '__CBMC__',
'file_req_1.c',
'limits.c',
'protection.c',
'--unwind','16',
'--32',
'--cover', 'mcdc',
'--xml-ui'.
'--function', 'contract requirement 1'
], stdout=file
```

The scripts follows the syntax of CBMC:

- Include all the paths of the code folder (-I)
- Directives are added using (-D)
- Include all the C files i.e. Cross-over verification
- Include the name of the contract





## Proposed Approach – Verification Process



- Verify the properties with the specified bound
- Verify the weaknesses considering the range values of the requirements
- Verify the code to check all the possible weaknesses without consider the range of values
- Compute the code coverage





#### Proposed Approach – Extract Results

 The output results of CBMC were filtered in order to obtain the unit coverage, file coverage and code coverage using the branch and MC/DC coverage criteria

> 2024-01-16T11:10:22.753652 VERIFICATION SUCCESSFUL PROPERTY RUNTIME : 0 hours, 0 minutes, 0 seconds, 223 milliseconds

UNIT BRANCH COVERAGE: function\_test. \*\* 4 of 9 covered (44.44%) FILE BRANCH COVERAGE: file\_req\_1.c: \*\* 10 of 18 covered (55.55%) Code coverage: \*\* 27 of 57 covered (47.4%) Coverage Time: 0 hours, 0 minutes, 0 seconds, 386 milliseconds

UNIT MCDC COVERAGE: function\_test. \*\* 9 of 22 covered (40.90%) FILE MCDC COVERAGE : file\_req\_1.c: \*\* 21 of 37 covered (56.75%) Code coverage: \*\* 44 of 109 covered (40.4%) Coverage Time: 0 hours, 0 minutes, 0 seconds, 499 milliseconds





# Proposed Approach – Extract Results (2)

 The output results of CBMC were filtered in order to obtain the unit coverage, file coverage and code coverage using the branch and MC/DC coverage criteria

```
TYPE:DIV-BY-ZERO-CHECK

RESULT: FAILURE

WEAKNESS TOTAL: 2 - Out of 6 assertions related to division by 0, 2 have failed

TOTAL CASES: 6

WEAKNESSES TIME: 0 hours, 0 minutes, 0 seconds, 104 milliseconds
```

```
PROPERTY: function_2.division-by-zero.2

<u>REASON: division by zero in value / return_value_REGISTER1_GET</u>

RESULT: FAILURE

FUNCTION: function_2

FILE: example1.c

LINE 9
```





## Results(1)

 The methodology was applied during the pre-development phase of firmware designs for the verification of safety properties

| Design Property Verification |      | Weaknesses<br>Verification | Code Coverage |            |              |      |         |      |         |
|------------------------------|------|----------------------------|---------------|------------|--------------|------|---------|------|---------|
| Name                         | LoC  | Safety                     | Avg           | Generated  | Branch MC/DC |      | Total   |      |         |
|                              |      | Properties                 | Runtime (s)   | assertions |              |      | IVIC/DC |      | Runtime |
| FW1                          | 120k | 6                          | 49            | 9119       | 1.5%         | 2min | 3,90%   | 3min | 2h      |
| FW2                          | 9k   | 10                         | 0,48          | 17675      | 40,60%       | 4s   | 52,20%  | 6s   | 4min    |
| FW3                          | 15k  | 8                          | 0,675         | 34306      | 10,10%       | 3s   | 16,30%  | 4s   | 6min    |
| FW4                          | 12k  | 10                         | 1,029         | 6395       | 11.6%        | 3s   | 13,85%  | 35   | 4min    |





#### Results(2)



• The average runtime is determined for the complexity of the code, e.g., a code with more loops or recursive functions can be more complex even if it has less line of code.





#### Conclusion and Future Work

- The contracts and scripts were generated in a few seconds for all the designs
- The runtime of the properties depends on the size and complexity of the design —similar to a formal verification of hardware
- The reliability of firmware designs can be increased with the use of formal methods and the MDA

#### Future work:

Extend the methodology for other model checkers to automate the formal verification of concurrent designs and Rust programs





#### Acknowledgment

 This work has been developed in the project VE-VIDES (project label 16ME0243K) which is partly funded within the Research Programme ICT 2020 by the German Federal Ministry of Education and Research (BMBF).





#### Questions?

Thank you!



