Applying source-code verification to a microkernel: the VFiasco project

We present the VFiasco project, in which we apply source-code verification to a complete operating-system kernel written in C++. The aim of the VFiasco project is to establish security-relevant properties of the Fiasco microkernel. Source-code verification works by reasoning about the semantics of the full source code of a program. Traditionally it is limited to small programs written in an academic programming language. The project's main challenges are to enable high-level reasoning about typed data starting from only low-level knowledge about the hardware, and to develop a clean semantics for the subset of C++ used by the kernel. In this extended abstract we present our ideas for tackling these challenges. We focus on a type-safe object store that is based on a hardware model that closely resembles the IA32 virtual-memory architecture and on guarantees provided by the kernel itself. We also briefly touch on the semantics for C++.

Please find the full version of this paper at http://www.vfiasco.org/objstore.pdf.
