HIVE: Scalable Hardware-Firmware Co-Verification using Scenario-based Decomposition and Automated Hint Extraction

TL;DR

This paper presents HIVE, a scalable, fully automated framework for hardware-firmware co-verification that combines simulation and formal methods, using scenario-based decomposition and automatic hint extraction to efficiently detect complex bugs.

Contribution

HIVE introduces an automated approach that integrates simulation and formal verification, eliminating manual intervention in hint generation for hardware-firmware co-verification.

Findings

Scalable verification of RISC-V systems demonstrated.

Automated hint extraction improves verification efficiency.

Framework successfully detects complex firmware-hardware bugs.

Abstract

Hardware-firmware co-verification is critical to design trustworthy systems. While formal methods can provide verification guarantees, due to the complexity of firmware and hardware, it can lead to state space explosion. There are promising avenues to reduce the state space during firmware verification through manual abstraction of hardware or manual generation of hints. Manual development of abstraction or hints requires domain expertise and can be time-consuming and error-prone, leading to incorrect proofs or inaccurate results. In this paper, we effectively combine the scalability of simulation-based validation and the completeness of formal verification. Our proposed approach is applicable to actual firmware and hardware implementations without requiring any manual intervention during formal model generation or hint extraction. To reduce the state space complexity, we utilize both static module-level analysis and dynamic execution of verification scenarios to automatically generate system-level hints. These hints guide the underlying solver to perform scalable equivalence checking using proofs. The extracted hints are validated against the implementation before using them in the proofs. Experimental evaluation on RISC-V based systems demonstrates that our proposed framework is scalable due to scenario-based decomposition and automated hint extraction. Moreover, our fully automated framework can identify complex bugs in actual firmware-hardware implementations.