Proof Engineering Considered Essential

In this talk, I will give an overview of the various formal verification projects around the evolving seL4 microkernel, and discuss our experience in large-scale proof engineering and maintenance. In particular, the presentation will draw a picture of what these verifications mean and how they fit together into a whole. Among these are a number of firsts: the first code-level functional correctness proof of a general-purpose OS kernel, the first code-level non-interference proof for such a kernel, the first binary-level functional verification of systems code of this complexity, and the first sound worst-case execution-time profile for a protected-mode operating system kernel. Taken together, these projects produced proof artefacts on the order of 400,000 lines of Isabelle/HOL proof scripts. This order of magnitude brings to proofs engineering aspects that we have so far mostly associated with software and code. In the second part of the talk, I will report on our experience with proof engineering methods and tools, and pose a number of research questions that we think will be important to solve for the wider-scale practical application of such formal methods in industry.
