Verifying FreeRTOS' Cyclic Doubly Linked List Implementation: From Abstract Specification to Machine Code

To make proofs of correctness tractable, micro-kernels are built around simplicity, providing an application only with the minimal set of features it needs in order to work. Simplicity alone, however, does not guarantee the absence of bugs and software errors, and the complexity of an OS often makes such problems difficult to find and fix. In this work, we prove the functional correctness of an abstract model for the C implementation of the cyclic linked list in the real-time micro-kernel FreeRTOS. The list is used by the FreeRTOS scheduler, so its correctness is of critical importance for the real-time properties of FreeRTOS. The formal specification of the functional properties of FreeRTOS also provides a guide for the correct use of the functions that the implementation provides, since the implementation itself performs no checks on the data it is handed. Additionally, we prove the correctness of the machine code that results from compiling the implementation for the ARM architecture. Following a refinement-based verification approach, we first construct the abstract model of the implementation, in which we prove, using separation logic, both the cyclic linked list invariant and the correctness of the implementation's behaviour for any list in the heap. Second, we leverage existing machine code verification frameworks to obtain a HOL model of the compiled FreeRTOS linked list machine code, and we apply forward simulation to prove that this machine code model refines the abstract model and therefore satisfies the properties already proven over the specification.
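An executable rendering of the cyclic linked list invariant the abstract refers to, as an added example that is not code from the paper or from FreeRTOS' own list.c: a hypothetical sentinel-based cyclic doubly linked list with sorted insert and remove, plus a bounded checker a practitioner could run to catch a corrupted list at runtime, which the unchecked implementation described above cannot do. The names (`list_t`, `item_t`, `list_invariant`, `list_selfcheck`) and the sentinel-holding-the-maximum-value layout are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
/* Hypothetical model of a FreeRTOS-style list (not FreeRTOS' own list.c): a sentinel
 * end node holding the maximum value closes the cycle and items stay sorted by value,
 * so the insert walk always stops at the sentinel. */
typedef struct item { uint32_t value; struct item *next, *prev; struct list *owner; } item_t;
typedef struct list { size_t count; item_t end; } list_t;
void list_init(list_t *l) {
    l->count = 0; l->end.value = UINT32_MAX; l->end.owner = l;
    l->end.next = l->end.prev = &l->end;
}
/* Sorted insert of an item with value < UINT32_MAX; like the original, it validates nothing. */
void list_insert(list_t *l, item_t *it) {
    item_t *pos = &l->end;
    while (pos->next->value <= it->value) pos = pos->next;
    it->next = pos->next; it->prev = pos;
    pos->next->prev = it; pos->next = it;
    it->owner = l; l->count++;
}
size_t list_remove(item_t *it) {
    list_t *l = it->owner;
    it->next->prev = it->prev; it->prev->next = it->next;
    it->owner = NULL; return --l->count;
}
/* Executable form of the cyclic doubly linked list invariant: from the sentinel, 'next'
 * returns to it after exactly count+1 hops, each hop is mirrored by 'prev', values are
 * nondecreasing and every node names this list. The walk is bounded by count+1 hops so
 * a corrupted list cannot make the check loop forever. */
bool list_invariant(const list_t *l) {
    const item_t *p = &l->end; size_t hops = 0;
    if (l->end.value != UINT32_MAX) return false;
    do {
        if (p->next == NULL || p->next->prev != p || p->owner != l) return false;
        if (p != &l->end && p->next->value < p->value) return false;
        p = p->next;
        if (++hops > l->count + 1) return false;
    } while (p != &l->end);
    return hops == l->count + 1;
}
/* Constructed scenario: out-of-order inserts, one removal, then a deliberate corruption
 * (a stale back pointer to the removed item) that the invariant check must reject. */
bool list_selfcheck(void) {
    list_t l; item_t a = { .value = 30 }, b = { .value = 10 }, c = { .value = 20 };
    list_init(&l);
    list_insert(&l, &a); list_insert(&l, &b); list_insert(&l, &c);
    bool ok = list_invariant(&l) && l.end.next == &b && b.next == &c && c.next == &a;
    ok = ok && list_remove(&c) == 2 && list_invariant(&l) && b.next == &a;
    a.prev = &c;  /* simulate memory corruption: a now points back at the removed item */
    return ok && !list_invariant(&l);
}
```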
