Virtual timeline: a formal abstraction for verifying preemptive schedulers with temporal isolation

The reliability and security of safety-critical real-time systems are of utmost importance because the failure of such a system can have severe consequences (e.g., loss of life or loss of a mission). These properties require strong isolation between components, and that isolation relies on enforcement mechanisms provided by the underlying operating system (OS) kernel. In addition to spatial isolation, which OS kernels commonly provide to various extents, such systems also require temporal isolation: properties of one component's schedule (e.g., its schedulability) must be independent of the behavior of every other component. Strict isolation between components depends critically on algorithmic properties of the scheduler's concrete implementation, such as the timely provision of time slots and obliviousness to preemption. However, existing work either reasons only about an abstract model of the scheduler, or proves properties of the scheduler implementation that are not rich enough to establish isolation between components. In this paper, we present a novel compositional framework for reasoning about algorithmic properties of the concrete implementation of preemptive schedulers. In particular, we use the virtual timeline, a variant of the supply bound function from real-time scheduling analysis, to specify and reason about the scheduling of each component in isolation. We show that the properties proved on this abstraction carry down to the generated assembly code of the OS kernel. Using this framework, we verify a real-time OS kernel that extends mCertiKOS, a single-processor non-preemptive kernel, with user-level preemption, a verified timer interrupt handler, and a verified real-time scheduler. We prove that, in the absence of microarchitectural timing channels, this new kernel enjoys temporal and spatial isolation on top of its functional correctness guarantee. All proofs are implemented in the Coq proof assistant.
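The following Python program is an added illustration, not the paper's virtual-timeline definition and not its Coq development, of what it means to reason about each component's schedule in isolation with a supply-bound-style abstraction. It uses the standard periodic resource model from compositional real-time analysis (a budget of Theta time units in every period Pi, with the supply bound function taken on the worst-case legal delivery of that budget) as a stand-in for the paper's abstraction, and checks each component's EDF demand bound function against its supply bound function. The names `Task`, `Budget`, `sbf`, `dbf`, `schedulable`, `analyse`, the check horizon, and the sample task sets are all constructed for this example.

```python
"""
Compositional schedulability check with supply and demand bound functions.

Added worked example: this is NOT the paper's virtual timeline or its Coq proofs.
It uses the periodic resource model (budget Theta every Pi, Shin & Lee style) as a
stand-in for the paper's abstraction.  Integer time units; one CPU.
"""
from dataclasses import dataclass
from fractions import Fraction
from functools import reduce
from math import gcd
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Task:
    wcet: int                       # C: worst-case execution time
    period: int                     # T: minimum inter-arrival time
    deadline: Optional[int] = None  # D: relative deadline; defaults to the period

    @property
    def d(self) -> int:
        return self.period if self.deadline is None else self.deadline


@dataclass(frozen=True)
class Budget:
    """Periodic resource (Pi, Theta): the kernel scheduler guarantees this component
    `supply` units of CPU time within every window of `period` units."""
    supply: int
    period: int


def _slot_supplied(b: Budget, x: int) -> bool:
    """Worst-case legal delivery of a periodic budget: the whole budget at the start
    of the first period, then at the very end of every later period.  This produces
    the largest possible gap, 2 * (period - supply), during which nothing is supplied."""
    k, off = divmod(x, b.period)
    if k == 0:
        return off < b.supply
    return off >= b.period - b.supply


def sbf(b: Budget, t: int) -> int:
    """Supply bound function: the least CPU time the component is guaranteed in any
    window of length t.  Counted on the worst-case pattern, with the window opening
    right after the first budget chunk, i.e. at the start of the gap."""
    return sum(_slot_supplied(b, x) for x in range(b.supply, b.supply + t))


def dbf(tasks: List[Task], t: int) -> int:
    """Demand bound function for EDF: total execution of jobs that are both released
    and due inside a window of length t."""
    return sum(((t - tk.d) // tk.period + 1) * tk.wcet for tk in tasks if t >= tk.d)


def hyperperiod(tasks: List[Task]) -> int:
    return reduce(lambda a, b: a * b // gcd(a, b), (tk.period for tk in tasks), 1)


def schedulable(tasks: List[Task], budget: Budget) -> Tuple[bool, Optional[int]]:
    """Check dbf(t) <= sbf(t) for every window length t up to a horizon.
    Returns (True, None) or (False, first t where demand exceeds guaranteed supply).
    The horizon, one hyperperiod plus two budget periods, is this example's choice."""
    horizon = hyperperiod(tasks) + 2 * budget.period
    for t in range(1, horizon + 1):
        if dbf(tasks, t) > sbf(budget, t):
            return False, t
    return True, None


def analyse(system: Dict[str, Tuple[Budget, List[Task]]]) -> Dict[str, object]:
    """Per-component verdicts computed from that component's own budget and tasks
    only, plus one global obligation on the scheduler: it must be able to deliver
    every budget (sum of budget utilisations <= 1, which suffices when all budget
    periods are equal, as in the sample below)."""
    verdicts: Dict[str, object] = {
        name: schedulable(tasks, budget) for name, (budget, tasks) in system.items()
    }
    verdicts["budgets_feasible"] = (
        sum(Fraction(b.supply, b.period) for b, _ in system.values()) <= 1
    )
    return verdicts


# Constructed sample system: two components on one CPU, 2 + 3 units in every 5.
COMP_A = (Budget(supply=2, period=5), [Task(2, 20), Task(3, 40)])
COMP_B = (Budget(supply=3, period=5), [Task(4, 15), Task(2, 30)])
# Same budget as A but a heavier task set: utilisation 0.375 < 0.4, yet it misses a
# deadline at t = 40, because worst-case supply latency, not average throughput,
# bounds what A is guaranteed.
COMP_A_HEAVY = (Budget(supply=2, period=5), [Task(6, 20), Task(3, 40)])

if __name__ == "__main__":
    print(analyse({"A": COMP_A, "B": COMP_B}))
    print(analyse({"A": COMP_A_HEAVY, "B": COMP_B}))
    # Temporal isolation at the analysis level: B's verdict does not depend on A.
    assert (analyse({"A": COMP_A, "B": COMP_B})["B"]
            == analyse({"A": COMP_A_HEAVY, "B": COMP_B})["B"])
```

The split mirrors the security argument of the abstract: each component's verdict is a function of its own budget and task set alone, so another component's behavior, however hostile, cannot change it; the only cross-component obligation is that the scheduler actually delivers every promised budget on time and is oblivious to preemption. That obligation is exactly the property of the concrete implementation that the paper verifies down to assembly; without it, the local verdicts above are only as trustworthy as the unverified scheduler underneath.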