seL4: formal verification of an OS kernel

Complete formal verification is the only known way to guarantee that a system is free of programming errors. We present our experience in performing the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of the compiler, the assembly code, and the hardware, and we used a unique design approach that fuses formal and operating-systems techniques. To our knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel. Here, functional correctness means that the implementation always strictly follows our high-level abstract specification of kernel behaviour. This encompasses traditional design and implementation safety properties, such as that the kernel will never crash and will never perform an unsafe operation. It also proves much more: we can predict precisely how the kernel will behave in every possible situation. seL4, a third-generation microkernel of L4 provenance, comprises 8,700 lines of C code and 600 lines of assembler. Its performance is comparable to that of other high-performance L4 kernels.
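Functional correctness in the sense used above is a refinement statement: every behaviour the implementation can exhibit is one the abstract specification permits, so any safety property proved of the specification (for instance, that no operation ends in a crash state) carries over to the implementation. The following is an added illustration, not code from the paper or from the seL4 project: a toy slot allocator with a nondeterministic abstract specification, a deterministic bitmap implementation, an exhaustive forward-simulation check over the finite state space, and a constructed defective implementation that the check rejects. The allocator, `N = 3`, and the refinement relation `related` are all constructed assumptions.

```python
N = 3  # constructed: a 3-slot allocator, small enough to enumerate every state

# --- Abstract specification: nondeterministic, over sets of allocated slots ---
def abs_alloc(a):
    """Return every (result, next_state) pair the specification permits."""
    free = [i for i in range(N) if i not in a]
    if not free:
        return {(None, a)}                # spec: report failure, never crash
    return {(i, a | {i}) for i in free}   # any free slot is acceptable

def abs_free(a, i):
    """Freeing an allocated slot succeeds; freeing a free slot is a no-op."""
    return {(True, a - {i})} if i in a else {(False, a)}

# --- Concrete implementation: deterministic bitmap (one bit per slot) ---
def impl_alloc(c):
    for i in range(N):
        if not c & (1 << i):
            return i, c | (1 << i)        # always picks the lowest free bit
    return None, c

def impl_alloc_buggy(c):
    # constructed defect: hands out slot 0 again when the bitmap is full
    for i in range(N):
        if not c & (1 << i):
            return i, c | (1 << i)
    return 0, c

def impl_free(c, i):
    return (True, c & ~(1 << i)) if c & (1 << i) else (False, c)

# --- Refinement relation: bit i set in the bitmap  <=>  slot i in the set ---
def related(a, c):
    return all((((c >> i) & 1) == 1) == (i in a) for i in range(N))

def check_refinement(alloc):
    """Forward simulation: for every related (abstract, concrete) state pair and
    every operation, the concrete step must match some permitted abstract step."""
    for c in range(1 << N):
        a = frozenset(i for i in range(N) if c & (1 << i))
        steps = [("alloc", None, alloc(c), abs_alloc(a))]
        for i in range(N):
            steps.append(("free", i, impl_free(c, i), abs_free(a, i)))
        for op, arg, (r, c2), allowed in steps:
            if not any(r == r2 and related(a2, c2) for r2, a2 in allowed):
                return False, (op, arg, c)   # counterexample: op, argument, state
    return True, None

if __name__ == "__main__":
    print(check_refinement(impl_alloc))        # (True, None)
    print(check_refinement(impl_alloc_buggy))  # (False, ('alloc', None, 7))
```

Exhaustive enumeration works only because the toy state space is finite; for a real kernel the same simulation obligation is discharged by a machine-checked proof over all states rather than by enumeration.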
