

# Crossing the Model Checking/ Theorem Proving Gap for Ibex Correctness

End-to-End

Memory

Continuity

Liveness

Observational Equivalence



# Ibex



# CHERIoT-Ibex



# Sail

```
mapping clause encdec = ITYPE(imm, rs1, rd, op)
  <-> imm @ encdec_reg(rs1) @ encdec_iop(op) @ encdec_reg(rd) @ 0b0010011

function clause execute ITYPE(imm, rs1, rd, op) = {
  let immext : xlenbits = sign_extend(imm);
  X(rd) = match op {
    ADDI  => X(rs1) + immext,
    SLTI  => zero_extend(bool_to_bits(X(rs1) <_s immext)),
    SLTIU => zero_extend(bool_to_bits(X(rs1) <_u immext)),
    ANDI  => X(rs1) & immext,
    ORI   => X(rs1) | immext,
    XORI  => X(rs1) ^ immext
  };
  RETIRE_SUCCESS
}
```

# Sail ISA models and tooling



# The Specification Module



# End-to-end Correctness



# Bugs

## Illegal CLC load

CLC tag bit leak

CSeal otypes

CJALR alignment checks

CSEQX memory vs. decoded

MTVEC/MEPC legalisation

CSC alignment checks

CSC decoding

## CSR clear not flushing, PMP

Store local violation

Memory capability layout

PCC.address vs. PC

CJAL vs. CJALR

## Memory bounds check overflow

## CLC tag/perms clearing

MSHWM/MSHWMB updates

tvec\_addr alignment

Sealed PCC

## CSetBounds lower bound check

Illegal instruction MVAL values

Memory/branch exception priorities

CSpecialRW exception priorities

EBreak MVAL values

MRet MStatus.MPRV

16 vs. 32 register spec issues

IF granules and overflow

MEPCC set\_address

User mode WFI

CSR instruction problems

Unspecified CJALR

PMP pipeline flushing on CSR clear

TRVK RF write collision

Stack EPC for CHERI NMIs

# Quick Aside: Open Source



# Regression

```
4055 [21/08/25 11:43:33.782188] UNSAT: 1 properties in step 9 proven in 53.496s with 13.188GB
4056 [21/08/25 11:43:35.703409] Finished `rIC3 -e kind --no-preproc --start 1 build/aiger-277.aig` (55.316s) (13.252GB)
4057 [21/08/25 11:43:35.704089] UNSAT: 4 properties in step 10 proven in 55.316s with 13.252GB
4058 [21/08/25 11:43:39.850663] Finished `rIC3 -e kind --no-preproc --start 1 build/aiger-170.aig` (374.093s) (13.262GB)
4059 [21/08/25 11:43:39.851459] UNSAT: 1 properties in step 10 proven in 374.093s with 13.262GB
4060 [21/08/25 11:43:39.952362] Finished `rIC3 build/aiger-290.aig` (22.767s) (6.952GB)
4061 [21/08/25 11:43:39.952722] UNSAT: 1 properties in step 0 proven in 22.767s with 6.952GB
4062 [21/08/25 11:43:45.306982] Finished `rIC3 -e kind --no-preproc --start 1 build/aiger-283.aig` (28.428s) (12.885GB)
4063 [21/08/25 11:43:45.307801] UNSAT: 1 properties in step 9 proven in 28.428s with 12.885GB
4064 [21/08/25 11:43:46.115471] Finished `rIC3 -e kind --no-preproc --start 1 build/aiger-289.aig` (28.931s) (12.873GB)
4065 [21/08/25 11:43:46.116564] UNSAT: 1 properties in step 5 proven in 28.931s with 12.873GB
4066 [21/08/25 11:43:46.619792] Finished `rIC3 -e kind --no-preproc --start 1 build/aiger-288.aig` (29.537s) (12.876GB)
4067 [21/08/25 11:43:46.620610] UNSAT: 1 properties in step 5 proven in 29.537s with 12.876GB
4068 [21/08/25 11:43:46.922784] Finished `rIC3 -e kind --no-preproc build/aiger-294.aig` (29.532s) (12.967GB)
4069 [21/08/25 11:43:46.923299] UNSAT: 4 properties in step 14 proven in 29.532s with 12.967GB
4070 [21/08/25 11:43:47.124623] Finished `rIC3 -e kind --no-preproc build/aiger-291.aig` (29.837s) (12.913GB)
4071 [21/08/25 11:43:47.125182] UNSAT: 11 properties in step 3 proven in 29.837s with 12.913GB
4072 [21/08/25 11:43:47.427108] Finished `rIC3 -e kind --no-preproc build/aiger-295.aig` (30.036s) (12.989GB)
4073 [21/08/25 11:43:47.427275] UNSAT: 2 properties in step 15 proven in 30.036s with 12.989GB
4074 [21/08/25 11:43:48.734940] Finished `rIC3 -e kind --no-preproc build/aiger-292.aig` (31.447s) (13.130GB)
4075 [21/08/25 11:43:48.735222] UNSAT: 6 properties in step 16 proven in 31.447s with 13.130GB
4076 [21/08/25 11:43:50.444188] Finished `rIC3 -e kind --no-preproc --start 1 build/aiger-286.aig` (33.463s) (13.108GB)
4077 [21/08/25 11:43:50.444663] UNSAT: 1 properties in step 9 proven in 33.463s with 13.108GB
4078 [21/08/25 11:43:57.679356] Running 2 processes, with 0 pending. Memory used right now: 29.999GB
4079 [21/08/25 11:44:27.722895] Running 2 processes, with 0 pending. Memory used right now: 32.444GB
4080 [21/08/25 11:44:43.712300] Finished `rIC3 -e kind --no-preproc build/aiger-296.aig` (86.219s) (16.236GB)
4081 [21/08/25 11:44:43.719588] UNSAT: 1 properties in step 22 proven in 86.219s with 16.236GB
4082 [21/08/25 11:44:47.228456] Finished `rIC3 -e kind --no-preproc build/aiger-297.aig` (89.734s) (16.208GB)
4083 [21/08/25 11:44:47.228825] UNSAT: 1 properties in step 22 proven in 89.734s with 16.208GB
4084 [21/08/25 11:44:47.245172] Ran strategy in 1908.236s
4085 [21/08/25 11:44:47.245448] 298/298 proof steps were UNSAT
```

# The K-Induction Game



# psgen

## Case Splitting



## Automata



**936**

**properties**

**243**

**hand written properties**

**22**

**assume guarantee steps**

# Primary Limitations

- State interpretation
- Internal signals drive verification
- Missing continuity
- Instruction Fetch

# Continuity



# Liveness



# Liveness



# Pen and Paper Proof

validate the constraint as a legitimate assumption about capabilities read from memory. Doing this also has the added benefit of strengthening the DTI, which usually increases both the speed of its own proofs and of dependent proofs.

## VIII. TOP-LEVEL OBSERVATIONAL CORRECTNESS

As outlined in Sec. III, the top-level correctness statement for CHERIoT-Ibex is that it produces the same stream of memory interactions as the iterated Sail specification, when these are run in the same initial state. In this section, we explore how this property is established, given end-to-end instruction correctness (Sec. VI) and memory correctness (Sec. VII). We explain the proof bottom-up.

### A. Continuity Properties

In our approach to end-to-end instruction correctness, we step the pipeline follower forward using internal processor signals, rather than some independently-implemented control logic. This methodology is easier to implement and verify, and it finds many bugs. But it does not fully verify the processor's pipeline control logic, which is often complex and may contain subtle corner case bugs.

In our methodology, we therefore complement the end-to-end proofs with certain continuity properties. These assertions use the end-to-end results as lemmas to prove that, in essence, each time the Sail specification is ‘queried’, the new inputs to the specification are equivalent to (or at least as strict as, in the case of CHERI) the outputs from the previous time the specification was queried.

To implement this approach, we introduce a small, self-contained piece of SystemVerilog that, when the signal `spe_en` is high, will verify that the new inputs to the compiled Sail specification—which are abstracted from the microarchitectural state of the RTL—match the old outputs. It also checks that the new inputs to the specification are equivalent to (or at least as strict as, in the case of CHERI) the outputs from the previous time the specification was queried.

It is relatively easy to get conclusive proofs of the continuity properties when the end-to-end correctness properties are provided as lemmas. With some helper invariant work these proofs can be obtained in a matter of seconds or minutes.

Successful verification of these properties extends the end-to-end properties to show that not only does each instruction run correctly, but that the state we finish in is the state the next iteration begins with.

### B. State Matching

The next level of our verification establishes that a certain infinite sequence of periodically sampled states of the processor matches the sequence of states produced by iterating the Sail specification, when they both start in the same initial state. In particular, consider the infinite sequence of microarchitectural states obtained by repeatedly sampling the processor state when `spe_en` is high. Recall that this is the signal that triggers an evaluation of the Sail specification. State matching says that the abstraction of this sequence

of microarchitectural states should match the sequence of architectural states produced by iterating the specification.

Logically, it does not matter how `spe_en` is defined, but in our case it is high when either an instruction moves from the execute stage to the writeback stage, or when an interrupt is handled. It does, however, matter that `spe_en` is live. If `spe_en` is not always eventually fired then it may be possible for CHERIoT-Ibex to deviate from the specification without ever being checked for correctness again. Essentially, liveness for `spe_en` ensures that states are always eventually compared.

To prove this in our formal verification, we obtain a weak but finite upper bound on the number of cycles between successive `spe_en` states. This is done under the assumption that a processor sleep following a WFI will always be awoken from in bounded time, and that memory response times are bounded, as explained earlier. We proved these weak bounds by considering the ‘path’ of microarchitectural states between one’s `spe_en` state and the next. We then prove small bounds over the edges of each state, which are then summed into longer paths until the full cycle is reached. The initial bounds can take a few minutes to prove, but they compose more or less instantly into proofs for longer paths, including `spe_en` to `spe_en`.

We now introduce a function

$$\text{clear} : S_A \times I \times S_A \rightarrow S_A$$

denoting the additional tag clearing that the CHERIoT-Ibex implementation does. Given an architectural state and an architectural input that are to be provided to the Sail specification, along with the next architectural state that the specification would produce for these inputs, `clear` produces the potentially more strict architectural state that aligns with what the implementation would do:

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We introduce the notation  $\text{Realise} : I^{\infty} \times T_p^{\infty} \rightarrow I^{\infty}$  to denote the mapping from a sequence of architectural inputs, as presented to the specification, to the corresponding sequence of microarchitectural inputs presented to the CHERIoT-Ibex design over successive clock cycles, using the corresponding timing information.

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We introduce the notation  $\text{Realise} : I^{\infty} \times T_p^{\infty} \rightarrow I^{\infty}$  to denote the mapping from a sequence of architectural inputs, as presented to the specification, to the corresponding sequence of microarchitectural inputs presented to the CHERIoT-Ibex design over successive clock cycles, using the corresponding timing information.

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

We now let  $i = \text{Realise}(s, t)$  be the infinite sequence of microarchitectural inputs sent to CHERIoT-Ibex, one for each clock cycle, that corresponds to the sequence  $i$  under timings  $t$ . We define  $s \in S_A^{\infty}$  to be the infinite sequence of microarchitectural states that arise from  $i$ , with  $s_0$  being the reset state of the microarchitecture. We argue above that `spe_en` will be strictly often, under any sequence of inputs to CHERIoT-Ibex. So we can define  $\text{en}(s) \in S_A^{\infty}$  to be the infinite sequence of  $s$  obtained by sampling the sequence  $s$  whenever `spe_en` is true, where  $\text{en}(s)_0$  is the microarchitectural state when `spe_en` is true for the first time. We use the notation  $\text{en}(s)_n$  for the  $n$ th state of  $s$ .

# Dependent Types

```
new :: (n : Int) -> Vec n
```

# A Formal Definition of Ibex

- $\mu$  - The set of micro-architectural states
- $R \subseteq \mu$  - The set of reset states
- $i_\mu$  - The set of micro-architectural inputs
- $\text{Ibex} : \mu \times i_\mu \rightarrow \mu$  - The step function
- $\text{sig} : \mu \times i_\mu \rightarrow \nu$  - The extraction function for any signal  $\text{sig}$

# A Formal Definition of The Specification

- $A$  - The set of architectural states
- $R_A$  - The architectural reset state
- $i_A$  - The set of architectural inputs
- $\text{Spec} : A \times i_A \rightarrow A$  - The step function
- $\text{SpecOut} : A \times i_A \rightarrow O$  - The output function

# Lean Spec Definition

- $A$  - The set of architectural states
- $R_A$  - The architectural reset state
- $i_A$  - The set of architectural inputs
- $\text{Spec} : A \times i_A \rightarrow A$  - The step function
- $\text{SpecOut} : A \times i_A \rightarrow O$  - The output function



```
structure Spec (v r i : Type u) where
  step : AbsState v r -> i -> AbsState v r
  routputs : RestrictedAbsState v r -> i -> List (AbsMemOp v)
  init : AbsState v r
```

# Lean Axioms

SndEn: assert property (mem\_req\_snd\_d  $\rightarrow$  spec\_mem\_en\_snd)

*i.e. if Ibex had a second memory operation, then the spec did too*



```
axiom SndEn (v : @Verif αi μ va r) (s : CombIn μ va) (reach : v.ibex.reachable s.state) :  
  v.mem_req_snd_d s  $\rightarrow$  v.spec_mem_en_snd s
```

# Lean Proof Structure



# Lean ObservationalCorrectness Definition

```
theorem ObservationalCorrectness (v : @Verif αi μ v r) (is : InfList αi) :  
  let spec_outs := (v.sample_spec is).map fun (s, i) => v.spec.outputs s i  
  let ibex_outs := (v.sample is).map fun s => (v.ibex.outputs s).interpret  
  ∃ (ln : InfList Nat),  
    (spec_outs.zip (ibex_outs.chunk ln).val).map_all fun (x, y) => x = y.flatten
```



# Caveats

- Assumption of equivalent inputs
- Instruction fetch
- Some CSRs not missing
- Assumptions about debug mode
- Side channels

# Thanks

- Professor Tom Melham, for his supervision and guidance.
- Alasdair Armstrong, for his work on Sail.
- Marno van der Maas, Harry Callahan, John Thompson and all the others at lowRISC for supporting my work there.
- Kunyan Liu for his work on CHERIoT-Ibex.
- Professor Peter Sewell, Alastair Reid, Laurent Arditi and others for their guidance and suggestions.
- Amy, friends and family for their support.