OS verification extended: on the formal verification of device drivers and the correctness of client-server software

This thesis tackles two important challenges in OS verification: the formal verification of device drivers and the correctness of client/server software. Device drivers are an integral part of system software. Not only high-level functionality such as file I/O depends on devices; even basic OS features, such as demand paging, need correctly implemented drivers. In this thesis, we show how to pervasively integrate devices and their drivers into a language stack reaching from the level of assembly up to high-level languages. This stack is leveraged for the formal verification of a simple hard disk driver, which is subsequently embedded into Verisoft's microkernel. To the best of our knowledge, this marks the first formal functional verification of a device driver against a realistic device and system model. Remote procedure calls (RPCs) lie at the heart of any client/server software. In the second part of this thesis, we present a specification of an RPC mechanism and outline how to verify an implementation of this mechanism at the code level. The formalization is based on a model of user processes running concurrently under a simple OS, which provides inter-process communication and portmapper system calls. A simple theory of non-interference permits us to use conventional sequential program analysis between system calls. To the best of our knowledge, this is the first treatment of the correctness of an entire RPC mechanism at the code level.

This thesis addresses two important problems in the verification of operating systems (OS): the formal verification of device drivers and the correctness of client/server software. Basic OS functions, such as demand paging, presuppose correctly implemented drivers. In this thesis we show how devices can be integrated seamlessly into all semantic layers, from assembly up to a C-like high-level language. This pervasive theory is then used to formally verify a simple hard disk driver (part of the Verisoft microkernel). As far as we know, this is the first formal verification of a driver in the context of a realistic device and system model. Implementations of client/server software are often based on remote procedure calls (RPCs). In the second part of this thesis, we specify such an RPC mechanism and outline its verification at the code level. The formalization is based on a model of user processes executing concurrently in a simple OS. This OS provides inter-process communication and portmapper functionality through dedicated system calls. To be able to reason sequentially about individual processes, we introduce a small theory for determining the dependence of system calls. As far as we know, this thesis is the first to treat the correctness of a complete RPC mechanism at the code level.
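The RPC setting sketched above (user processes under a simple OS with IPC and portmapper system calls, and a dependence rule that lets each process be analysed sequentially between system calls) as an added illustrative model written for this page; it is not the thesis's own formal model and not code from the Verisoft project. It assumes a hypothetical kernel with four system calls (register, lookup, send, recv), a toy "add" service, and a coarse footprint-based dependence rule; the rule's soundness is checked by executing pairs of system calls in both orders and comparing kernel states and results.

```python
from copy import deepcopy


class SimpleOS:
    """Kernel state visible to user processes: portmapper and per-process message
    queues. Hypothetical model for this page, not the thesis's OS model."""

    def __init__(self):
        self.portmap = {}   # service name -> pid of the registered server
        self.queues = {}    # pid -> list of (sender_pid, payload)

    def syscall(self, pid, call):
        """Execute one system call issued by process `pid`; return its result."""
        op = call[0]
        if op == "register":                  # portmapper: publish a service name
            self.portmap[call[1]] = pid
            return None
        if op == "lookup":                    # portmapper: resolve a name, or None
            return self.portmap.get(call[1])
        if op == "send":                      # IPC: enqueue a message for pid call[1]
            self.queues.setdefault(call[1], []).append((pid, call[2]))
            return None
        if op == "recv":                      # IPC: dequeue own next message, or None
            q = self.queues.get(pid, [])
            return q.pop(0) if q else None
        raise ValueError(f"unknown system call {op}")


def rpc_server():
    """Server process: register the 'add' service, serve one request, reply."""
    yield ("register", "add")
    msg = None
    while msg is None:                        # no request yet: poll again
        msg = yield ("recv",)
    caller, args = msg
    yield ("send", caller, sum(args))


def rpc_client(args):
    """Client process: resolve 'add' via the portmapper, send args, await the reply."""
    server = None
    while server is None:                     # service not registered yet: retry
        server = yield ("lookup", "add")
    yield ("send", server, args)
    reply = None
    while reply is None:
        reply = yield ("recv",)
    return reply[1]


def run(procs, schedule):
    """Interleave processes (generators yielding system calls) in `schedule` order,
    one system call per step; each call's result is fed back to the process."""
    os_ = SimpleOS()
    gens, pending, results = dict(procs), {}, {}
    for pid in schedule:
        g = gens.get(pid)
        if g is None:                         # process already terminated
            continue
        try:
            call = next(g) if pid not in pending else g.send(pending[pid])
            pending[pid] = os_.syscall(pid, call)
        except StopIteration as done:
            results[pid] = done.value
            del gens[pid]
    return results


def rpc_result(schedule=None):
    """Server is pid 1, client is pid 2; the client's result must be 6 under any schedule."""
    procs = {1: rpc_server(), 2: rpc_client([1, 2, 3])}
    return run(procs, schedule or [1, 2] * 8).get(2)


def footprint(pid, call):
    """Kernel objects a system call touches; a deliberately coarse over-approximation."""
    op = call[0]
    if op in ("register", "lookup"):
        return {("portmap", call[1])}
    if op == "send":
        return {("queue", call[1])}
    return {("queue", pid)}                   # recv reads the caller's own queue


def independent(a, b):
    """Dependence rule: calls of different processes with disjoint footprints commute."""
    (pa, ca), (pb, cb) = a, b
    return pa != pb and not (footprint(pa, ca) & footprint(pb, cb))


def commutes(state, a, b):
    """Ground truth: run a;b and b;a from the same state, compare states and results."""
    s1, s2 = deepcopy(state), deepcopy(state)
    ra1, rb1 = s1.syscall(*a), s1.syscall(*b)
    rb2, ra2 = s2.syscall(*b), s2.syscall(*a)
    return (s1.portmap, s1.queues, ra1, rb1) == (s2.portmap, s2.queues, ra2, rb2)


# Constructed sample of system calls from three processes.
SAMPLE_CALLS = [(1, ("register", "add")), (2, ("lookup", "add")), (2, ("send", 1, [1])),
                (1, ("recv",)), (3, ("send", 2, "x")), (2, ("recv",)), (3, ("register", "mul"))]


def dependence_rule_is_sound(calls=SAMPLE_CALLS):
    """Every pair the rule declares independent must really commute."""
    return all(commutes(SimpleOS(), a, b) for a in calls for b in calls if independent(a, b))
```

The footprint rule is conservative: it flags two lookups of the same name as dependent even though they commute, which costs precision but never soundness. A register and a lookup of the same name are correctly flagged dependent, since the lookup's result differs with the order, which is exactly the kind of interference that forbids treating the two processes as independent sequential programs across that point.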
