Building a trustworthy life-critical embedded system requires deep reasoning about the potential effects that sequences of machine instructions can have on full system operation. Rather than trying to analyze complete binaries and the countless ways their instructions can interact with one another — memory, side effects, control registers, implicit state, etc. — we explore a new approach. We propose an architecture controlled by a thin computational layer designed to tightly correspond with the lambda calculus, drawing on principles of functional programming to bring the assembly much closer to myriad reasoning frameworks, such as the Coq proof assistant. This approach allows assembly-level verified versions of critical code to operate safely in tandem with arbitrary code, including imperative and unverified system components, without the need for large supporting trusted computing bases. We demonstrate that this computational layer can be built in such a way as to simultaneously provide full programmability and compact, precise, and complete semantics, while still using hardware resources comparable to normal embedded systems. To demonstrate the practicality of this approach, our FPGA-implemented prototype runs an embedded medical application which monitors and treats life-threatening arrhythmias. Though the system integrates untrusted and imperative components, our architecture allows for the formal verification of multiple properties of the end-to-end system. We present a proof of correctness of the assembly-level implementation of the core algorithm in Coq, the integrity of trusted data via a non-interference proof, and a guarantee that our prototype meets critical timing requirements.

构建一个值得信赖的，对生命至关重要的嵌入式系统，需要对机器指令序列可能对整个系统运行产生潜在影响进行深入的推理。我们探索一种新的方法，而不是尝试分析完整的二进制文件以及它们的指令之间相互影响的无数方式（内存，副作用，控制寄存器，隐式状态等）。我们提出了一个由薄计算层控制的体系结构，该层旨在与lambda微积分紧密对应，并利用函数式编程原理使程序集更接近无数推理框架，例如Coq证明助手。这种方法可以使关键代码的汇编级验证版本与任意代码（包括命令性和未经验证的系统组件）一起安全地运行，无需大型支持的受信任计算基础。我们证明了可以以一种方式构建此计算层，以便同时提供完整的可编程性以及紧凑，精确和完整的语义，同时仍使用与普通嵌入式系统相当的硬件资源。为了证明这种方法的实用性，我们的FPGA实现的原型运行了一个嵌入式医疗应用程序，该程序可以监视和治疗威胁生命的心律不齐。尽管该系统集成了不受信任的命令性组件，但是我们的体系结构允许对端到端系统的多个属性进行形式验证。我们提供了Coq核心算法的汇编级实现的正确性证明，通过无干扰证明的可信数据的完整性，