Formal specification of a simple operating system

Within the Verisoft project, we aim at the pervasive modeling, implementation, and verification of a complete computer system, from gate-level hardware to applications running on top of an operating system. As a representative of such a system, we chose a system for writing, signing, and sending emails. The starting point of our work was a processor together with its assembly language, a compiler for a type-safe C variant, and a microkernel. The goal of our work was to develop a (user-mode) operating system that bridges the gap between the microkernel and user applications: that is, to formally specify and implement a system that, on the one hand, is built directly on top of our microkernel and, on the other hand, provides everything that user applications such as an SMTP server, a signing server, and an email client require. Furthermore, the design of this system should support its verification in a pervasive context.

Within this thesis, we present the formal specification of such an operating system. Along with this specification, we (i) discuss the current state of the art in formal methods applied to operating-system design, (ii) justify our approach and distinguish it from related work, (iii) detail our implementation and verification stack, (iv) describe the realization of our operating system, and (v) outline the verification of this system.
