The Formal Verification of the Fairisle ATM Network

The Formal Verification of the Fairisle ATM Network

The aim of this project has been to investigate the application of hierarchical, formal machine-checked proof to a real Asynchronous Transfer Mode (ATM) Network. In particular we have verified parts of the switch hardware of the Farisle ATM Network which was designed in Cambridge. It is a working network that was not designed with formal verification in mind. As such it provides a realistic formal verification case study. We are using the HOL Theorem Proving System. We have formally verified several different switching fabrics. In the process we have investigated other issues with respect to hardware verification in general, such as tracking design changes and the notion of design for verifiability.

The work has been funded by the EPSRC. The project builds upon the existing expertise of the Automated Reasoning Group and the Systems Research Group at the University of Cambridge Computer Laboratory, UK.

The following people were involved with the project:


Contents


The Fairisle Switch

Farisle is an Asynchronous Transfer Mode (ATM) network designed and implemented at the University of Cambridge by the Systems Research Group. It is a real network, carrying real user data and is also being used for research into multimedia and management issues of ATM networks.

The Fairisle switch consists of port controllers and a switching fabric. The fabric forms the heart of the switch, routing ATM cells from input ports to output ports. It also arbitrates cell clashes and sends acknowledgements back to the input ports. It is self routing; making routing and arbitration decisions based on routing tags appended to the front of the cells by the port controllers. The tags are stripped off by the fabric. Fabrics come in various sizes. The smallest is the 4 by 4 fabric which connects 4 input ports to 4 output ports. The larger 16 by 16 fabric is constructed from 4 by 4 elements that are based on the 4 by 4 fabric design. They are connected in two rows of 4 elements in a delta network. Different element designs are used in the two rows. The port controllers are more complex. They deal with the queueing of cells, the addition of headers to control routing and other management tasks.

A more complete overview of the fabric designs is here.


Hardware Verification using the HOL System

The formal verification work was conducted using the
HOL proof assistant: an LCF style theorem prover for higher-order logic. A user of the HOL system gives proof commands interactively in the form of Standard ML function calls. We followed the traditional approach to verifying hardware using higher-order logic. The verification consisted of proving for each module in the design, a correctness theorem of the form:

|- Assumptions ==> (Implementation ==> Specification)

This states that the description of the implementation implies the specification under certain assumptions on the environment. Implementation gives a hierarchical structural description of the implementation down to the logic gate level: the components used, how they are wired together and which wires are inputs, outputs and local to the module. Specification gives the more abstract behavioural description consisting of the timing and functional behaviour of the module, mainly in the form of interval temporal style operators. Assumptions give the conditions on the environment (i.e.~inputs) under which the module will satisfy the specification. The implementation, behavioural specification and assumptions are given in the form of higher-order logic relations on the inputs and outputs (as appropriate). Once the separate modules have been independently verified, their correctness theorems are hierarchically combined to give a correctness theorem for the whole device. In general, the proofs involve expanding definitions, performing case splits over different time intervals, and appealing to previously proved lemmas about the functional behaviour over the given intervals. All lemmas used were proved within HOL.

For more information see:

The Formal Verification of the Fairisle ATM Switching Element: an Overview,
Paul Curzon. Technical Report 328, University of Cambridge, Computer Laboratory, 1994.

Verifying the 4 by 4 Fabric

We formally proved that a HDL style structural specification of the 4 by 4 fabric's implementation did implement a timing diagram level behavioural specification. In contrast to validation by testing the results apply to all valid input combinations.

The first task in verifying the 4 by 4 fabric was to provide formal structural and behavioural specifications of the implementation and all its component modules. As the fabric had not been designed with verification in mind these did not initially exist. The former was relatively simple as HDL descriptions did exist. It was straightforward to translate these to higher-order logic descriptions, to which formal verification could be applied. The resulting descriptions were very similar, up to surface syntax, to the originals. Some changes were made, however. In particular, extra features of HOL such as words of words were used and additional levels of hierarchy were added. This made the proof more tractable. It was not intended to change the design, just the description of it. The underlying netlists should have been identical. In fact some translation errors were made. These were discovered and corrected during the proof process. Whilst demonstrating that formal verification can detect errors and give an indication of their locations, this also highlights a reason for integrating formal methods into the design process rather than tagging it on as an afterthought. If the original designs had been written in a HDL suitable for formal verification, such mistakes could have been avoided.

Producing formal behavioural specifications was much harder than producing structural ones. The designs had only minimal documentation, so the formal specifications were largely reverse-engineered from the HDL descriptions. This was very time consuming; taking approximately 2 person-months. The resulting specifications contained many errors that were uncovered by the proof process. The number of such errors would have been reduced if the specification had been produced as an integrated part of the design process. The specifications of all modules were written before any proof was performed. In retrospect it would have been better to verify each module as it was specified. This would have prevented errors propagating throughout the hierarchy, as the modules' specifications were used to determine the behaviour of those which called them.

The proof of the 4 by 4 fabric took a total of approximately 2 person-months to complete. 3 weeks of this were taken up by the verification of 2 out of the 43 distinct modules of the design. The main reason these modules took so much longer was that the specifications contained many errors. Correcting the errors was time consuming. The interaction of different errors also hindered the proof process. The verifier got bogged down in the details of the proof. It is clear that formal proof should be used in conjunction with other techniques such as animation. Formal proof is a good way of finding small numbers of obscure errors, but it is better if more obvious errors are found by other methods prior to the proof attempt.

The designer estimated that had the 4 by 4 fabric been designed from scratch it would have required several months work. The formal proof thus took a roughly similar amount of time. If the verification had been integrated with the design it is likely that the specification and proof times would have been reduced for the reasons discussed. Thus formal proof could be a viable validation technique.

For more information see:

Experiences Formally Verifying a Network Component
Paul Curzon. In Proceedings of the 9th Annual IEEE Conference on Computer Assurance, pp 183-193, IEEE Press, 1994. (Time taken, problems encountered, errors found for the 4 by 4 fabric verification)
The Formal Verification of the Fairisle ATM Switching Element: an Overview,
Paul Curzon. Technical Report 328, University of Cambridge, Computer Laboratory, 1994.(An earlier, longer version of the above.)
The Formal Verification of the Fairisle ATM Switching Element
Paul Curzon. Technical Report 329, University of Cambridge Computer Laboratory, 1994. (The full HOL specifications of the 4 by 4 fabric modules)

Tracking Design Changes

The design time quoted for the 4 by 4 fabric was just an estimate of how long it would have taken to design from scratch. The design actually evolved from earlier designs. This begs the question as to whether formal proof could really have kept up, assuming the earlier designs had been verified. If the verification would still have taken months to complete, it would be of little practical use. Designs often evolve in this way. To be of use formal proof scripts must be just as much a long term asset as the designs themselves. The second part of the project aimed to determine if this was so.

The 16 by 16 fabric is constructed from 4 by 4 elements connected in a regular array of two rows. In an ideal world, these 4 by 4 elements would just be 4 by 4 fabrics. However, in practice changes needed to be made. In fact two different designs resulted: one for the front row elements and one for the back row elements. We modified the original proof of the 4 by 4 fabric to verify these two new designs, both of which had been fabricated prior to the verification project. We also verified five other designs of which one had been fabricated.

The new designs were verified by first editing the structural and behavioural specifications to take account of the changes. The proofs were then modified by interactively rerunning the original proofs, fixing problems as they arose. Because the designs were modular, only modules whose specifications had been modified needed to be reverified. The changes to the implementations were all relatively small so it would be hoped that the reverification could be performed very quickly. This was indeed so. All seven new designs were verified in a matter of hours or days. Some speed up was expected because only modules that had been changed needed to be reverified. However, the speedup was much greater than would be expected from that alone. This is clearly demonstrated by the fact that the total time taken to specify and verify all seven new designs was less than seven days compared with the 4 months required to specify and verify the original. This was despite a similar number of modules being reverified as were in the original design. The rate at which modules were reverified, including those that were originally the slowest, was as fast as the original verification of the most trivial modules. The upper level modules which were originally slowest needed to be reverified for each new design because the specification of the whole device changed for each. Thus these slowest modules were actually verified most often.

There were several reasons for the increased speed-up. The most obvious was that the new specifications were largely error free. The rate of verification was noticeable slowed down in the presence of errors. The design which took the longest to reverify did so because it violated an assumption of the original specification. The modules in the original verification that took longest were the ones with most errors. The verification process helped locate errors, but it was not always immediately clear to the verifier what remedy was required. For example fixing the error might involve changing the behavioural specification, the implementation or the specification of a submodule. Thus much time was spent inspecting the design and proof when a problem was encountered. This time would almost certainly have been reduced if the verification was more closely coupled with the design.

There were fewer errors in the specifications for several reasons. Firstly, modifications were being made to a correct specification, thus there were less opportunities for errors to arise. Also, the verifier understood the designs very well after the original verification -- it is highly unlikely that the verification could be completed without this occurring. Thus for the reverification, the changes made were less likely to introduce errors.

A further reason for the speed up was that the proofs of individual modules was divided into a series of lemmas. Only some of the lemmas and thus proofs needed to be modified to account for the changes. Also, modifying a proof script is much quicker than creating one from scratch. This was highlighted by the verification of one of the designs which required completely new proofs for several modules. These proofs were far simpler than the originals but this design took longer than the other designs to verify. Most proofs in the other designs were largely still suitable, with Changes being required at just a few points. The task of reverification is in finding those points and then correcting the proof. The points are found relatively quickly by running the proof and seeing where it breaks (though the point where a proof breaks is rarely exactly the point where the change must be made).

The study highlighted a problem with the combination of reengineering specifications from the implementation and modifying old proofs. Some of the non-fabricated designs resulted from changes being made to the structural description which did not correspond to the changes made to the actual implementation. Since the behavioural specifications were reverse-engineered from these incorrect structural descriptions, the designs were successfully verified. The mistakes were only discovered when a 16 by 16 fabric constructed from these incorrect elements was attempted to be verified. Had the verification been incorporated into the design process (for example, by the designers using higher-order logic as the HDL) errors of this kind would be much less likely. This also emphasizes the advantages as the hierarchical proof methodology since the errors in the specification of one level were discovered when the next level was attempted to be verified.

For more information see:

Tracking Design Changes with Formal Machine-checked Proof
Paul Curzon. The Computer Journal, 38 (2), pp 91-100, 1995.
Tracking Design Changes with Formal Verification
Paul Curzon. In Higher Order Logic Theorem Proving and Its Applications: 7th International Workshop, edited by Thomas F. Melham and Juanito Camilleri, Lecture Notes in Computer Science, Volume 859, pages 177-192, Springer-Verlag, September 1994. (An earlier version of the above paper)

The 4 by 4 Switching Fabric as a Case Study

The 4 by 4 Switching Fabric has been used, or is being considered, as a case study by several other verification groups.
Solange Coupet-Grimal and Line Jakubiec, Laboratoire d'Informatique de Marseilles.
Have reworked the specifications in Coq, and are working on a verification of the 4 by 4 fabric in Coq.

MDG Verification Group, University of Montreal, Canada
Has reverified the 4 by 4 fabric using a verification system based on multiway decision graphs.

Tom Gebhardt, Oxford University
Used the Handel system to compile high level (essentially Occam) descriptions of the system into Xilinx hardware.

Hardware Verification Group , University of Karlsruhe, Germany
Used the Mephisto II System to reverify the 4 by 4 design using a combination of model checking and formal proof. Bit level specifications were used.

Edelweis Helena Ache Garcez , University of Tuebingen
Has verified some properties of the 4x4 fabric using the HSIS model checking tool.

M. Fairtlough (University of Sheffield) and M. Mendler (University of Passau)
Considering using it as a case study for the Propositional Lax Logic .

S. Tahar, Concordia University
has reverified aspects of the fabric using VIS
Other groups are encouraged to reverify the 4 by 4 fabric using their favourite verification (or synthesis) system. The HOL specifications are publicly available.

Comparing Proof Systems

In conjunction with groups based at Concordia and Montreal Universities, we have compared various proof systems using the Fairisle Fabric as a case study. Systems considered include HOL, MDG, VIS and Coq. See the project's homepage given above for more information.

Verifying the 16 by 16 fabric

We initially attempted to formally verify the fabricated Fairisle 16 by 16 switching fabric. It is constructed from the 4 by 4 elements that had already been verified. The proof was completed up to certain environment assumptions being discharged. Unfortunately the correctness theorems previously proved about the elements were not sufficient to discharge these assumptions. They needed to be strengthened. This would not have been a great effort in comparison to the full proof as it would have involved modifying the existing proofs. We have shown that this is much quicker than creating proofs from scratch. However, it was decided that the time would be better spent looking at ways to avoid the problem. This problem aside, the verification proved to be more time-consuming than anticipated. The reasons for this were studied in detail. One of the main reasons was the complexity of the interface between the elements. Other problems arose due to the lack of theory management tools. Work to overcome these problems was performed and is discussed in subsequent sections.

For more information see:

Problems Encountered in the Machine-Assisted Proof of Hardware
Paul Curzon. In Correct Hardware Design and Verification Methods, LNCS 987, pp 56-70, Springer-Verlag, 1995.

Design for Verifiability

One avenue that we investigated as a means of reducing the cost of formal verification was that of ``design for verifiability'', similar to design for testability. The thesis is that the cost of formal verification can be reduced if appropriate design and implementation choices are made. This idea was originally introduced by Milne in the context of automated state-exploration verification techniques. He only suggested very general ways that designs might be made more easily verifiable, such as using synchronous rather than asynchronous design, imposing the use of particular target architectures and providing language constructs that restrict the structures used. There has been little concrete work done to investige the feasibility of this idea. Our aim was to determine whether design for verifiability can be of practical interest with respect to real hardware designs. A major consideration was that design decisions made to ease the verification task should not compromise other design requirements such as performance and functionality.

Our approach was to attempt to verify existing, real hardware (notably the 16 by 16 fabric), identifying factors in the implementation which slowed the proof. On the basis of the identified bottlenecks, design changes were suggested by the verifier which it was believed would remove the problems. These were evaluated for acceptability by the original designer. A new design was specified incorporating many of these changes and a detailed implementation performed. Finally the new implementation was formally verified to determine whether the expected advantages were realized. We built on our preliminary work conducted as part of the EPSRC funded feasibility study (``Formal Verification of an Asynchronous Transfer Mode Network''). There we identified some areas where the design of the 4 by 4 elements might be altered, though no detailed implementation or verification was performed.

A range of possible design changes were identified: most totally acceptable to the designer. The new implementation was successfully formally verified. The problematic parts of the proof were removed. The specifications of each module in the new design and of the whole design itself are much simpler and clearer than in the original design. The assumptions made about the environment have been simplified dramatically and the more problematic ones removed completely. In particular, the troublesome environment assumption that had prevented the completion of the proof for the fabricated 16 by 16 fabric was removed. Various lemmas which previously needed to be proven about the environment assumptions were no longer needed. No significant extra proof work appears to have resulted. The new version of some of the lower level modules required longer proofs. However, as these units occur low in the hierarchy, and are thus relatively simple, the extra work was small.

Several general lessons arose with respect to the way a designer can make the verifier's task easier from the outset:

Keep the interfaces between modules simple. A common feature of the acceptable design changes is that they involve simplifying the environment assumptions of modules. This reduces the verification cost by removing or simplifying proof obligations, reducing the possibility of mistakes being made in those assumptions.

Push complexity down to the lowest levels. The biggest savings in verification time are made where modules deep in the hierarchy depend on assumptions that are discharged by modules much higher up. The result of removing such assumptions is often that extra proof complexity is pushed down to the simplest modules at the base of the hierarchy where it is most easily managed.

Start with a clean specification and stick to it. The specification of the modified design is very clean. If a designer were to write down a specification of the exact intended behaviour of the design before the implementation stage, it is likely that something similar would be produced. Many of the verification problems arose because specific implementation decisions introduced minor deviations from the clean specification.

Keep related designs as similar as possible. Clearly proof effort can be reduced if the number and degree of modifications made when a design is re-engineered is kept to a minimum. Designs should be made generic from the outset where possible. It is also important that the verification team are aware of possible future changes so that genericity can be built in.

We have shown that implementation changes can be made to a design that ease the verification task but that do not impeach on other design considerations. Indeed several of the design changes suggested improve the design with respect to other such considerations. Further research is required to investigate the practicality of incorporating design for verifiability into the design process.

Perhaps most importantly, designing with verifiability in mind encourages design simplicity. The designer may have to work a little harder to ease the verifier's task. However, the result is a much cleaner design. This is vitally important in itself for safety-critical systems where formal proof techniques are most likely to be used.

For more information see:

Improving Hardware Designs whilst Simplifying their Proof
Paul Curzon and Ian Leslie. In Designing Correct Circuits, Workshops in Computing, Springer-Verlag, 1996. (The implementation and verification of the redesigned 16 by 16 fabric)
A Case Study on Design for Provability
Paul Curzon and Ian Leslie. In the Proceedings of the First International Conference on Engineering of Complex Computer Systems, pp 59-62, IEEE Press, 1995. (Initial ideas on how the 16 by 16 fabric could be redesigned)

Proof Re-Engineering and Theory Management

One of the deficiencies of HOL identified during both this project and the earlier feasibility study was the lack of support for proof in the large. To overcome some of the problems encountered a new theory manager was developed. The traditional HOL theory tools only allowed a single theory to be developed at once. This made it much harder to maintain the resulting proof source files. However, on large developments and when proofs are re-engineered, proof maintenance becomes very important just as for software maintenance. The new theory manager allowed multiple theories to be developed at the same time, whilst ensuring that source files were kept in a consistent state. This theory manager was used throughout the current project, and scaled well to the real world proofs. It solved at least part of the maintenance problem.

For more information see:

Virtual Theories
Paul Curzon. Higher Order Logic Theorem Proving and Its Applications: 8th International Workshop, Lecture Notes in Computer Science 971, pp 138-153, Springer-Verlag 1995. (A prototype theory manager for HOL which allows multiple-active theories)
The Importance of Proof Maintenance and Re-engineering
Paul Curzon. International Workshop on Higher Order Logic Theorem Proving and Its Applications: B-Track: Short Presentations, editor Jim Alves-Foss, pp 17-32, 1995. (Discussion of why support for proof modification is at least as important as proof creation)

Publications

Improving Hardware Designs whilst Simplifying their Proof
Paul Curzon and Ian Leslie. In Designing Correct Circuits, Workshops in Computing, Springer-Verlag, 1996.
A Comparison of MDG and HOL for Hardware Verification
Sofiene Tahar and Paul Curzon. In Theorem Proving in Higher Order Logics: 9th International Conference, TPHOLs'96, Joakim von Wright, Jim Grundy, and John Harrison (Eds.) LNCS 1125, Springer-Verlag, 1996.
Hierarchical Formal Verification of Communication Networks
Paul Curzon. Poster presented at EPSRC ITeC'96, Leeds, April 1996. (This looks best when blown up to A0 size!)
Problems Encountered in the Machine-Assisted Proof of Hardware
Paul Curzon. In Correct Hardware Design and Verification Methods, LNCS 987, pp 56-70, Springer-Verlag, 1995.
A Case Study on Design for Provability
Paul Curzon and Ian Leslie. In the Proceedings of the First International Conference on Engineering of Complex Computer Systems, pp 59-62, IEEE Press, 1995.
Tracking Design Changes with Formal Machine-checked Proof
Paul Curzon. The Computer Journal, 38 (2), pp 91-100, 1995.
Virtual Theories
Paul Curzon. Higher Order Logic Theorem Proving and Its Applications: 8th International Workshop, Lecture Notes in Computer Science 971, pp 138-153, Springer-Verlag 1995.
The Importance of Proof Maintenance and Reengineering
Paul Curzon. International Workshop on Higher Order Logic Theorem Proving and Its Applications: B-Track: Short Presentations, editor Jim Alves-Foss, pp 17-32, 1995.
Conclusions from a Study to Verify a Real Network Component
Paul Curzon, Ian Leslie and Mike Gordon. In Proceedings of the Second Workshop on Automated Reasoning: Bridging the Gap Between Theory and Practice, April 1995.
The Formal Verification of an ATM Network
Paul Curzon. In Proceedings of the 13th Annual ACM Symposium on Principles of Distributed Computing, page 392, ACM Press, August 1994.
Experiences Formally Verifying a Network Component
Paul Curzon. In Proceedings of the 9th Annual IEEE Conference on Computer Assurance, pp 183-193, IEEE Press, 1994.
Tracking Design Changes with Formal Verification
Paul Curzon. In Higher Order Logic Theorem Proving and Its Applications: 7th International Workshop, edited by Thomas F. Melham and Juanito Camilleri, Lecture Notes in Computer Science, Volume 859, pages 177-192, Springer-Verlag, September 1994.
The Formal Verification of the Fairisle Switch: The 4x4 Switching Fabric.
Paul Curzon. Chapter 37 of ATM Document Collection 3 (The Blue Book), ed. Richard Black, University of Cambridge Computer Laboratory, 1994.
The Formal Verification of the Fairisle ATM Switching Element: an Overview,
Paul Curzon. Technical Report 328, University of Cambridge, Computer Laboratory, 1994.
The Formal Verification of the Fairisle ATM Switching Element
Paul Curzon. Technical Report 329, University of Cambridge Computer Laboratory, 1994.

Seminars

Experiences Formally Verifying the Fairisle Switching Elements
Paul Curzon. Presented at the University of Cambridge Computer Laboratory, in the Wednesday Seminar series on 9th November 1994. This seminar was broadcast live over MBONE.
Hardware Verification and ATM Switches
Paul Curzon. Invited Talk at the Colloquium on Formal Methods and Security, Isaac Newton Institute, Cambridge, April 1996.

Other Reports, etc


Details of Papers


Improving Hardware Designs whilst Simplifying their Proof

Paul Curzon and Ian Leslie. In Designing Correct Circuits, Workshops in Computing, Springer-Verlag, 1996.

Abstract

We describe a study to investigate the notion of ``design for verifiability''. Our aim was to determine whether the cost of verification by interactive proof can be reduced by making appropriate design decisions. A major consideration was that such decisions should not compromise other design goals such as performance and functionality. We attempted to formally verify a real hardware design, noting factors which slowed the proof. On the basis of the identified bottlenecks, design changes were suggested by the verifier which would remove the problems. These were evaluated for acceptability by the original designer. Finally a new design was verified incorporating many of the suggested changes. This demonstrated that the expected advantages were realized.

Obtaining the paper

This paper is published electronically by Springer-Verlag in their Workshops in Computing series. Copies can therefore be obtained from
Springer-Verlag.

Bibtex Entry

@InProceedings{CurzonLeslie96DCC,
  author = 	 {Paul Curzon and Ian Leslie},
  title = 	 {Improving Hardware Designs Whilst Simplifying their Proof},
  booktitle = 	 {Designing Correct Circuits},
  series =	 {Workshops in Computing},
  year =	 {1996},
  publisher =	 {Springer-Verlag}
}

A Comparison of MDG and HOL for Hardware Verification

Sofiene Tahar and Paul Curzon. In Theorem Proving in Higher Order Logics: 9th International Conference, TPHOLs'96, Joakim von Wright, Jim Grundy, and John Harrison (Eds.) LNCS 1125, Springer-Verlag, 1996.

Abstract

Interactive formal proof and automated verification based on decision graphs are two contrasting formal hardware verification techniques. In this paper, we compare these two approaches. In particular we consider HOL and MDG. The former is an interactive theorem proving system based on higher-order logic, while the latter is an automatic system based on Multiway Decision Graphs. As the basis for our comparison we have used both systems to independently verify a fabricated ATM communications chip: the Fairisle 4 by 4 switch fabric.

Obtaining the paper

An online version of this paper is available as
compressed postscript.

Bibtex Entry

@InProceedings{TaharCurzon96,
  author = 	 {Sofi{\`{e}}ne Tahar and Paul Curzon},
  title = 	 {A Comparison of {MDG} and {HOL} for Hardware Verification},
  booktitle = 	 {Theorem Proving in Higher Order Logics: 9th International Conference},
  editor =	 {Joakim von Wright and Jim Grundy and John Harrison},
  number =	 {1125},
  series =	 {Lecture Notes in Computer Science},
  year =	 {1996},
  publisher =	 {Springer-Verlag},
  OPTpages = 	 {415-430},
}


Problems Encountered with the Machine-Assisted Proof of Hardware

Paul Curzon. In
Correct Hardware Design and Verification Methods, eds Paolo E. Camurati and Hans Eveking, LNCS 987, pp 56-70, Springer-Verlag, 1995.

Abstract

We describe our experiences verifying real communications hardware using machine-assisted proof. In particular we reflect on the errors found, problems encountered and the bottlenecks that slowed the progress of the proofs. We also note techniques which would alleviate the problems. Most of the problems we discuss only become significant when large designs are verified.

Obtaining the paper

An online version of this paper is available as compressed postscript.

Bibtex Entry


@InProceedings{Curzon95CHARME,
  author = 	 "Paul Curzon",
  title = 	 "Problems Encountered with the Machine-assisted Proof of
		  Hardware",
  editor =	 "Paolo E. Camurati and Hans Eveking",
  volume =	 "987",
  series =	 "Lecture Notes in Computer Science",
  pages = 	 "56-70",
  booktitle =	 "Correct Hardware Design and Verification
		  Methods", 
  year =	 "1995",
  publisher =	 "Springer-Verlag",
}



A Case Study on Design for Provability

Paul Curzon and Ian Leslie. the Proceedings of the
First International Conference on Engineering of Complex Computer Systems, pp 59-62, IEEE Press, 1995.

Abstract

We describe a case study which demonstrates that, by designing with formal verification in mind, a designer can simplify the verification task enormously without sacrificing other design considerations. In addition, the formal specification and verification process can highlight anomalies in a design, and suggest design changes that improve it. The design we considered was a switching fabric for an ATM network switch. It is a real, fabricated component of a working network.

Bibtex Entry

@InProceedings{CurzonLeslie95ICECCS,
  author = 	 "Paul Curzon and Ian Leslie",
  title = 	 "A Case Study on Design for Provability ",
  pages = 	 "59-62",
  booktitle =	 "The Proceedings of the First International Conference on
		  Engineering of Complex Computer Systems",
  year =	 "1995",
  publisher = "{IEEE} Computer Society Press",
  month = 	 nov,
}

Tracking Design Changes with Formal Machine-Checked Proof

Paul Curzon. The Computer Journal, 38 (2), pp 91-100, 1995.

Abstract

Designs are often modified for use in new circumstances. If formal proof is to be an acceptable verification methodology for industry, it must be capable of tracking design changes quickly. We describe our experiences formally verifying an implementation of an ATM network component, and on our subsequent verification of modified designs. Three of the designs verified are in use in a working network. They were designed and implemented with no consideration for formal methods. This case study gives an indication of the difficulties in formally verifying a real design and of subsequently tracking design changes.

Obtaining the paper

Email me (pc@cl.cam.ac.uk) with your postal address for a copy.

Bibtex Entry

@Article{Curzon95CJ,
  author = 	 "Paul Curzon",
  title = 	 "Tracking Design Changes with Formal Machine-Checked Proof",
  journal =	 "The Computer Journal",
  year =	 "1995",
  volume =	 "38",
  number =	 "2",
  pages = 	 "91-100"
}

Conclusions from a Study to Verify a Real Network Component

Paul Curzon, Ian Leslie and Mike Gordon. In Proceedings of the Second Workshop on Automated Reasoning: Bridging the Gap Between Theory and Practice, April 1995.

Abstract

We describe the main conclusions with respect to practical automated reasoning of a project to to verify the Fairisle 16 by 16 Switching fabric. The main points are that proof scripts are an asset that should not be squandered and that design for provability can be feasible.

Obtaining the paper

An online version of this paper is available as
compressed postscript.

Bibtex Entry

@InProceedings{Curzon95WAR,
  author = 	 "Paul Curzon and Ian Leslie and Mike Gordon",
  title = 	 "Conclusions from a Study to Verify a Real Network Component",
  booktitle =	 "Proceedings of the Second Workshop on Automated Reasoning:
		  Bridging the Gap Between Theory and Practice", 
  year =	 "1995",
  month =	 apr,
}

The Formal Verification of an ATM Network

Paul Curzon. In Proceedings of the 13th Annual ACM Symposium on Principles of Distributed Computing, page 392, ACM Press, August 1994.

Abstract

This paper is a one page abstract of the goals of the Fairisle verification project.

Obtaining the paper

An online version of this paper is available as
compressed postscript.

Bibtex Entry

@InProceedings{Curzon94PODC,
  author = 	 "Paul Curzon",
  title = 	 "The Formal Verification of an ATM Network",
  pages =	 "392",
  booktitle = "Proceedings of the 13th Annual ACM Symposium on Principles
		  of Distributed Computing", 
  year =	 "1994",
  publisher =	 "{ACM} Press",
  month =	 aug,
}

Experiences formally verifying a network component

Paul Curzon. In Proceedings of the 9th Annual IEEE Conference on Computer Assurance, pp 183-193, IEEE Press, 1994.

Abstract

Errors in network components can have disastrous effects so it is important that all aspects of the design are correct. We describe our experiences formally verifying an implementation of an Asynchronous Transfer Mode (ATM) network switching fabric using the HOL 90 theorem proving system. The design has been fabricated and is in use in the Cambridge Fairisle Network. It was designed and implemented with no consideration for formal specification or verification. This case study gives an indication of the difficulties in formally verifying real designs. We discuss the time spent on the verification. This was comparable to the time spent designing and testing the fabric. We also describe the problems encountered and the errors discovered.

Obtaining the paper

An online version of this paper is available as
compressed postscript.

Bibtex Entry

@InProceedings{Curzon94COMP,
  author = 	 "Paul Curzon",
  title = 	 "Experiences formally verifying a network component",
  pages = 	 "183-193",
  booktitle =	 "Proceedings of the 9th Annual IEEE Conference on Computer Assurance",
  year =	 "1994",
  publisher =	 "{IEEE} Press",
}

Tracking Design Changes with Formal Verification

Paul Curzon. In
Higher Order Logic Theorem Proving and Its Applications: 7th International Workshop, edited by Thomas F. Melham and Juanito Camilleri, Lecture Notes in Computer Science, Volume 859, pages 177-192, Springer-Verlag, 1994.

Abstract

Designs are often modified for use in new circumstances. If formal proof is to be an acceptable verification methodology for industry, it must be capable of tracking design changes quickly. We describe our experiences formally verifying an implementation of an ATM network component, and on our subsequent verification of modified designs. Three of the designs verified are in use in a working network. They were designed and implemented with no consideration for formal methods. This case study gives an indication of the difficulties in formally verifying a real design and of subsequently tracking design changes.

Obtaining the paper

An online version of this paper is available as compressed postscript.

Bibtex Entry

@InProceedings{Curzon94HUG,
  author = 	"Paul Curzon",
  title = 	"Tracking Design Changes with Formal Verification",
  pages = 	"177-192",
  booktitle =	"Higher Order Logic Theorem Proving and Its Applications: 7th
		  International Workshop",
  year =	"1994",
  publisher =	"Springer-Verlag",
  editor =	 "Thomas F. Melham and Juanito Camilleri",
  volume = 	"859",
  series = 	"Lecture Notes in Computer Science",
  month =	 sep,
}

The Formal Verification of the Fairisle Switch: The 4x4 Switching Fabric.

Paul Curzon. Chapter 37 of
ATM Document Collection 3 (The Blue Book), ed. Richard Black, University of Cambridge Computer Laboratory, 1994.

Abstract

This paper gives a short summary of the verification of an implementation of the Fairisle 4x4 Switching Fabric. This verification was performed using the HOL90 theorem proving system so is fully machine-checked. The switching element is in use in a real network, switching real data. Thus, this work constitutes a realistic formal verification case study. We discuss the time spent on the verification. This was comparable to the time spent designing and testing the element.

Obtaining the paper

An online copy of the paper is available as postscript.

Bibtex Entry

@InCollection{Curzon94BLUE,
  author = 	 "Paul Curzon",
  title = 	 "The Formal Verification of the Fairisle Switch: The 4x4 Switching Fabric.",
  booktitle =	 "{ATM} Document Collection 3 (The Blue Book)",
  publisher =	 "University of Cambridge Computer Laboratory",
  year =	 1994"",
  editor = 	 "Richard Black",
  chapter =	 "37",
  address =	 "University of Cambridge Computer Laboratory, New Museums
		  Site, Pembroke Street, Cambridge CB2 3QG. England",
  month =	 mar,
}

The Formal Verification of the Fairisle ATM Switching Element: an Overview

Paul Curzon. Technical Report 328, University of Cambridge, Computer Laboratory, March 1994.

Abstract

We overview the formal verification of an implementation of a self routeing ATM switching element. This verification was performed using the HOL90 theorem proving system so is fully machine-checked. The switching element is in use in a real network, switching real data. Thus, this work constitutes a realistic formal verification case study. We give an informal overview of the switch and element and give a tutorial on the methods used. We overview how these techniques were applied to verify the switching element. We then discuss the time spent on the verification. This was comparable to the time spent designing and testing the element. Finally we describe the errors discovered.

Obtaining the paper

An online version of this paper is available as
compressed postscript.

A hard copy can be ordered via ...

Email: tech_reports@cl.cam.ac.uk

Phone: +44 1223 334648

Bibtex Entry

@TechReport{Curzon94ElementTR1,
  author = 	 "Paul Curzon",
  title = 	 "The Formal Verification of the {F}airisle {ATM} Switching
		  Element: an Overview",
  institution =  "University of Cambridge Computer Laboratory",
  year = 	 "1994",
  number =	 "328",
  month = 	 mar,
}

The Formal Verification of the Fairisle ATM Switching Element

Paul Curzon. Technical Report 329, University of Cambridge Computer Laboratory, March 1994.

Abstract

We describe the formal verification of an implementation of the switching element of the Fairisle ATM switch. This verification was performed using the HOL 90 theorem proving system so is fully machine-checked. We give here all the definitions used in the verification together with the main correctness theorems proved. Fairisle switches are in use in a working network, switching real data. Thus, this work constitutes a realistic formal verification case study.

Obtaining the paper

An online version of this paper is available as
compressed postscript.

A hard copy can be ordered via ...

Email: tech_reports@cl.cam.ac.uk

Phone: +44 1223 334648

Bibtex Entry

@TechReport{Curzon94ElementTR2,
  author = 	 "Paul Curzon",
  title = 	 "The Formal Verification of the {F}airisle {ATM} Switching Element",
  institution =  "University of Cambridge Computer Laboratory",
  year = 	 "1994",
  number =	 "329",
  month = 	 mar,
}

Virtual Theories

Paul Curzon. Higher Order Logic Theorem Proving and Its Applications: 8th International Workshop, Lecture Notes in Computer Science 971, pp 138-153, Springer-Verlag 1995.

Abstract

We present the notion of virtual HOL theories. These give the effect of multiple active theories in a HOL session, helping to correct a major deficiency of the HOL system. They allow the user to switch between different theories at will, proving theorems and making definitions in each virtual theory in turn. The system ensures that proofs only use resources available in the environment of the current virtual theory. The code has been implemented on top of the HOL90 system. A side effect is that a version of autoloading is obtained for HOL90. A more radical feature is the autoloading of tools. The system has been tested on part of a real hardware verification proof.

Obtaining the paper

This paper is available online in
compressed postscript format.

Bibtex Entry

@InProceedings{Curzon95HUGV,
  author = 	 "Paul Curzon",
  title = 	 "Virtual Theories",
  editor =	 "E. Thomas Schubert and Phillip J. Windley and James Alves-Foss",
  volume =	 "971",
  series =	 "Lecture Notes in Computer Science",
  pages =	 "138-153",
  booktitle =	 "Higher Order Logic Theorem Proving
		  and Its Applications: 8th International Workshop",
  year =	 "1995",
  publisher =	 "Springer-Verlag"
}

The Importance of Proof Maintenance and Reengineering

Paul Curzon.
International Workshop on Higher Order Logic Theorem Proving and Its Applications: B-Track: Short Presentations, editor Jim Alves-Foss, pp 17-32, 1995.

Abstract

Our work on the verification of real hardware designs using HOL has resulted in very large proof scripts. Consequently, problems are encountered that are not an issue in smaller verification efforts. In particular, we have found that the maintainability of proofs is of paramount importance. There are many reasons why proof scripts in LCF style theorem provers may be reused. This can be in order to maintain and understand old proofs as well as to speed the creation of new ones. Consequently, proofs should be written in styles that ease their maintainability and make them easier to reuse. Furthermore, proof tools and interfaces should be designed with proof reuse as well as proof creation in mind. Many of the problems can be prevented from occurring in the first place with suitable tool support.

Obtaining the paper

An online version of this paper is available in compressed postscript format.

Bibtex Entry

@InProceedings{Curzon95HUGM,
  author = 	 "Paul Curzon",
  title = 	 "The Importance of Proof Maintenance and Reengineering",
  editor =	 "Jim Alves-Foss",
  pages =	 "17-32",
  booktitle =	 "International Workshop on Higher Order Logic Theorem Proving
		  and Its Applications: B-Track: Short Presentations",
  year =	 "1995"
}