Theory of Multi Core Hypervisor Verification

From 2007 to 2010, researchers from Microsoft and the Verisoft XT project verified code from Hyper-V, a multi-core x-64 hypervisor, using VCC, a verifier for concurrent C code. However, there is a significant gap between code verification of a kernel (such as a hypervisor) and a proof of correctness of a real system running the code. When the project ended in 2010, crucial and tricky portions of the hypervisor product were formally verified, but one was far from having an overall theory of multi core hypervisor correctness even on paper. For example, the kernel code itself has to set up low-level facilities such as its call stack and virtual memory map, and must continue to use memory in a way that justifies the memory model assumed by the compiler and verifier, even though these assumptions are not directly guaranteed by the hardware. Over the last two years, much of the needed theory justifying the approach has been worked out. We survey progress on this theory and identify the work that is left to be done.

[1]  Norbert Schirmer,et al.  Verification of sequential imperative programs in Isabelle-HOL , 2006 .

[2]  Wolfgang J. Paul,et al.  A Pipelined Multi-core MIPS Machine , 2014, Lecture Notes in Computer Science.

[3]  Yu Yang,et al.  Efficient methods for formally verifying safety properties of hierarchical cache coherence protocols , 2010, Formal Methods Syst. Des..

[4]  Mark A. Hillebrand,et al.  Dealing with I/O devices in the context of pervasive system verification , 2005, 2005 International Conference on Computer Design.

[5]  Wolfram Schulte,et al.  Local Verification of Global Invariants in Concurrent Programs , 2010, CAV.

[6]  Wolfgang J. Paul,et al.  Completing the Automated Verification of a Small Hypervisor - Assembler Code Verification , 2012, SEFM.

[7]  Mark A. Hillebrand,et al.  Formal Verification of Gate-Level Computer Systems , 2009, CSR.

[8]  Matthias Daum,et al.  Model Stack for the Pervasive Verification of a Microkernel-based Operating System , 2008, VERIFY.

[9]  Mark A. Hillebrand,et al.  Balancing the Load , 2009, Journal of Automated Reasoning.

[10]  Wolfgang J. Paul,et al.  Computer architecture - complexity and correctness , 2000 .

[11]  Juhani Karhumäki,et al.  Computer Science - Theory and Applications , 2014, Lecture Notes in Computer Science.

[12]  S. Rajamani,et al.  A decade of software model checking with SLAM , 2011, Commun. ACM.

[13]  Norbert Schirmer,et al.  From Total Store Order to Sequential Consistency: A Practical Reduction Theorem , 2010, ITP.

[14]  Rajeev Alur,et al.  A Temporal Logic of Nested Calls and Returns , 2004, TACAS.

[15]  Jan Dörrenbächer,et al.  Formal specification and verification of a microkernel , 2010 .

[16]  Scott Owens,et al.  Reasoning about the Implementation of Concurrency Abstractions on x86-TSO , 2010, ECOOP.

[17]  Dirk Carsten Leinenbach,et al.  Compiler verification in the context of pervasive system verification , 2008 .

[18]  Thomas Santen,et al.  Verifying the Microsoft Hyper-V Hypervisor with VCC , 2009, FM.

[19]  Wolfram Schulte,et al.  A Precise Yet Efficient Memory Model For C , 2009, Electron. Notes Theor. Comput. Sci..

[20]  Sabine Schmaltz,et al.  Integrated Semantics of Intermediate-Language C and Macro-Assembler for Pervasive Formal Verification of Operating Systems and Hypervisors from VerisoftXT , 2012, VSTTE.

[21]  David Aspinall,et al.  Formalising Java's Data Race Free Guarantee , 2007, TPHOLs.

[22]  Sabine Schmaltz,et al.  Towards the pervasive formal verification of multi-core operating systems and hypervisors implemented in C , 2012 .

[23]  Andreas Podelski,et al.  Verification of Hypervisor Subroutines written in Assembler , 2011 .

[24]  Theo D'Hondt ECOOP 2010 - Object-Oriented Programming, 24th European Conference, Maribor, Slovenia, June 21-25, 2010. Proceedings , 2010, ECOOP.

[25]  Daniel Kroening,et al.  Instantiating Uninterpreted Functional Units and Memory System: Functional Verification of the VAMP , 2003, CHARME.

[26]  Eyad Alkassar,et al.  OS verification extended: on the formal verification of device drivers and the correctness of client-server software , 2009 .

[27]  Norbert Schirmer,et al.  Implementation Correctness of a Real-Time Operating System , 2009, 2009 Seventh IEEE International Conference on Software Engineering and Formal Methods.

[28]  Dipl.-Ing. Christoph Baumann,et al.  Reordering and Simulation in Concurrent Systems Dipl , 2012 .

[29]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[30]  Ulan Degenbaev,et al.  Formal specification of the x86 instruction set architecture , 2012 .

[31]  Christoph Baumann Formal Specification of the x87 Floating-Point Instruction Set , 2008 .

[32]  Artem Starostin,et al.  Formal Pervasive Verification of a Paging Mechanism , 2008, TACAS.

[33]  Wolfgang J. Paul,et al.  Pervasive Theory of Memory , 2009, Efficient Algorithms.

[34]  Mark A. Hillebrand,et al.  Formal Verification of a Reader-Writer Lock Implementation in C , 2009, SSV.

[35]  J. Hartmanis,et al.  On the Computational Complexity of Algorithms , 1965 .

[36]  Mark A. Hillebrand,et al.  On the Correctness of Operating System Kernels , 2005, TPHOLs.

[37]  Leslie Lamport,et al.  How to Make a Multiprocessor Computer That Correctly Executes Multiprocess Programs , 2016, IEEE Transactions on Computers.

[38]  Wolfgang J. Paul,et al.  Verification of TLB Virtualization Implemented in C , 2012, VSTTE.

[39]  Christoph Berg,et al.  Formal Verification of the VAMP Floating Point Unit , 2001, Formal Methods Syst. Des..

[40]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[41]  Michael Norrish,et al.  seL4: formal verification of an operating-system kernel , 2010, Commun. ACM.

[42]  George J. Milne,et al.  Correct Hardware Design and Verification Methods , 2003, Lecture Notes in Computer Science.

[43]  Ana Cavalcanti,et al.  FM 2009: Formal Methods, Second World Congress, Eindhoven, The Netherlands, November 2-6, 2009. Proceedings , 2009, FM.

[44]  Wolfgang J. Paul,et al.  Proving the correctness of client/server software , 2009 .

[45]  Norbert Schirmer,et al.  A Verification Environment for Sequential Imperative Programs in Isabelle/HOL , 2005, LPAR.

[46]  Wolfram Schulte,et al.  Vx86: x86 Assembler Simulated in C Powered by Automated Theorem Proving , 2008, AMAST.

[47]  Andrew W. Appel,et al.  Verified Software Toolchain , 2012, NASA Formal Methods.

[48]  Mikhail Kovalev,et al.  TLB virtualization in the context of hypervisor verification , 2013 .

[49]  Mark A. Hillebrand,et al.  Modular specification and verification of interprocess communication , 2010, Formal Methods in Computer Aided Design.

[50]  Alan Jay Smith,et al.  A class of compatible cache consistency protocols and their support by the IEEE futurebus , 1986, ISCA '86.

[51]  Brian Campbell,et al.  Amortised Memory Analysis Using the Depth of Data Structures , 2009, ESOP.