Tractable Problems in AI Security via Formal Methods

GPU Drivers for Verified Kernels

Multi-tenant GPU workloads today run on hypervisors whose TCB is orders of magnitude too large to verify, and whose GPU-facing driver is proprietary kernel code running at ring 0 (§). Two verified microkernels are candidates for hosting an ML-grade GPU stack: seL4 [1], whose functional-correctness proof is the most complete but which has no GPU driver support at all, and NOVA [2], whose partial proof covers concurrency and weak memory and whose microhypervisor architecture is explicitly designed for the host/guest split a GPU-passthrough workload needs.

The research methodology for verifying a driver — separation-logic proofs against an abstract hardware model — is settled [3], [4], [5]. The real blocker is that the abstract hardware model does not exist. No GPU vendor publishes a machine-checkable specification of their command processor, MMU, or DMA engine; Peter Sewell’s REMS Group has the most accurate public modeling work but is scoped to the CPU ISA [6]. The tractable problem is accordingly two-sided: produce a formal model of a GPU command-submission interface at a fidelity that supports proof, and prove a driver against it.

Solution/project Sketch

Start with the smallest useful surface: the command-submission path of a single open-source GPU stack (NVK/Nouveau on NVIDIA, or an AMDGPU subset). Specify the command-ring state machine in Rocq or Lean at a level of detail that admits noninterference claims across tenant contexts — ring-buffer consistency, IOMMU mapping integrity, context-switch scrubbing. Prove a reference driver (runnable under either seL4′s sDDF or NOVA’s userspace driver model) against that spec, with the security property being no sequence of guest-supplied command packets causes the driver to program an IOMMU mapping or issue a DMA outside the guest’s declared memory region. Two natural stopping points: a verified command-submission module with a stubbed-in hardware model, which is shippable on its own as a reference; and the same driver proved against a model co-developed with the vendor or with REMS, which is the research contribution.

Bibliography

[1] G. Klein et al., “seL4: Formal Verification of an OS Kernel,” in Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles (SOSP), 2009, pp. 207–220.
[2] BlueRock Security, “NOVA: A Microhypervisor-Based Secure Virtualization Architecture.” [Online]. Available: https://bluerocksec.gitlab.io/formal-methods/faq/what-is-nova/
[3] G. Stewart, “Device Driver Verification in Separation Logic (talk).” [Online]. Available: https://sel4.systems/Summit/2025/abstracts2025.html
[4] BlueRock Security, “Verifying a Virtual Machine Monitor,” Tech report, 2024. [Online]. Available: https://bluerocksec.gitlab.io/formal-methods/tech_reports/verifying-a-virtual-machine-monitor/
[5] BlueRock Security, “Modularizing CPU Semantics for Virtualization,” Tech report, 2024. [Online]. Available: https://bluerocksec.gitlab.io/formal-methods/tech_reports/modularizing-cpu-semantics-for-virtualization/
[6] P. Sewell and REMS Group, “REMS: Rigorous Engineering of Mainstream Systems.” [Online]. Available: https://www.cl.cam.ac.uk/~pes20/rems/