TLB virtualization in the context of hypervisor verification

In this thesis we address the challenges of hypervisor verification for multicore processors. As a first contribution we unite different pieces of hypervisor verification theory into a single theory comprising the stack of highly nontrivial computational models used. We consider multicore hypervisors for x86-64 architecture written in C. To make code verification in a C verifier possible, we define a reduced hardware model and show that under certain safety conditions it simulates the full model. We introduce an extension of the C semantics, which takes into consideration possible MMU and guest interaction with the memory of a program. We argue that the extended C semantics simulates the hardware machine, which executes compiled hypervisor code, given that the compiler is correct. The second contribution of the thesis is the formal verification of a software TLB and memory virtualization approach, called SPT algorithm. Efficient TLB virtualization is one of the trickiest parts of building correct hypervisors. An SPT algorithm maintains dedicated sets of ‘‘shadow’’ page tables, ensuring memory separation and correct TLB abstraction for every guest. We use our extended C semantics to specify correctness criteria for TLB virtualization and to verify a simple SPT algorithm written in C. The code of the algorithm is formally verified in Microsoft’s VCC automatic verifier, which is ideally suited for proofs performed on top of our semantic stack.

[1]  Wolfram Schulte,et al.  Local Verification of Global Invariants in Concurrent Programs , 2010, CAV.

[2]  Thomas Gaska,et al.  Applying virtualization to avionics systems — The integration challenges , 2010, 29th Digital Avionics Systems Conference.

[3]  Dipl.-Ing. Christoph Baumann,et al.  Reordering and Simulation in Concurrent Systems Dipl , 2012 .

[4]  Jochen Liedtke,et al.  On micro-kernel construction , 1995, SOSP.

[5]  Michal Moskal,et al.  Fat Pointers , Skinny Annotations : A Heap Model for Modular C Verification , 2010 .

[6]  Ulan Degenbaev,et al.  Formal specification of the x86 instruction set architecture , 2012 .

[7]  William R. Bevier,et al.  Kit and the short stack , 1989, Journal of Automated Reasoning.

[8]  Peter Sewell,et al.  A Better x86 Memory Model: x86-TSO , 2009, TPHOLs.

[9]  H. Tews Formal Methods in the Robin project: Specification and verification of the Nova microhypervisor , 2007 .

[10]  Michel Dubois,et al.  Memory access buffering in multiprocessors , 1998, ISCA '98.

[11]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[12]  Thomas Santen,et al.  Verifying the Microsoft Hyper-V Hypervisor with VCC , 2009, FM.

[13]  Wolfram Schulte,et al.  A Precise Yet Efficient Memory Model For C , 2009, Electron. Notes Theor. Comput. Sci..

[14]  David Aspinall,et al.  Formalising Java's Data Race Free Guarantee , 2007, TPHOLs.

[15]  A. Kivity,et al.  kvm : the Linux Virtual Machine Monitor , 2007 .

[16]  Gilles Barthe,et al.  Formally Verifying Isolation and Availability in an Idealized Model of Virtualization , 2011, FM.

[17]  Gernot Heiser,et al.  Towards a Practical, Verified Kernel , 2007, HotOS.

[18]  Nancy A. Lynch,et al.  Forward and Backward Simulations: I. Untimed Systems , 1995, Inf. Comput..

[19]  Xavier Leroy,et al.  Formal Verification of a C Compiler Front-End , 2006, FM.

[20]  Yu Guo,et al.  Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads , 2009, Journal of Automated Reasoning.

[21]  C. Waldspurger Memory resource management in VMware ESX server , 2002, OSDI '02.

[22]  Wolfgang J. Paul,et al.  Theory of Multi Core Hypervisor Verification , 2013, SOFSEM.

[23]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[24]  Mark A. Hillebrand,et al.  Balancing the Load , 2009, Journal of Automated Reasoning.

[25]  Andrew W. Appel,et al.  Verified Software Toolchain , 2012, NASA Formal Methods.

[26]  No License,et al.  Intel ® 64 and IA-32 Architectures Software Developer ’ s Manual Volume 3 A : System Programming Guide , Part 1 , 2006 .

[27]  Gerwin Klein,et al.  Operating system verification—An overview , 2009 .

[28]  Mark A. Hillebrand,et al.  On the Architecture of System Verification Environments , 2007, Haifa Verification Conference.

[29]  Leslie Lamport,et al.  How to Make a Multiprocessor Computer That Correctly Executes Multiprocess Programs , 2016, IEEE Transactions on Computers.

[30]  J. Strother Moore,et al.  An approach to systems verification , 1989, Journal of Automated Reasoning.

[31]  Thomas In der Rieden,et al.  CVM - A Verified Framework for Microkernel Programmers , 2008, SSV.

[32]  Nancy A. Lynch,et al.  Computer-Assisted Simulation Proofs , 1993, CAV.

[33]  Wolfgang J. Paul,et al.  Pervasive Theory of Memory , 2009, Efficient Algorithms.

[34]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[35]  Wolfgang J. Paul,et al.  Towards the Formal Verification of a C0 Compiler: Code Generation and Implementation Correctnes , 2005, SEFM.

[36]  Tom Ridge,et al.  The semantics of x86-CC multiprocessor machine code , 2009, POPL '09.

[37]  Sagar Chaki,et al.  Design, Development, and Automated Verification of an Integrity-Protected Hypervisor , 2012 .

[38]  James E. Smith,et al.  Virtual machines - versatile platforms for systems and processes , 2005 .

[39]  Wolfram Schulte,et al.  A Practical Verification Methodology for Concurrent Programs , 2009 .

[40]  Wolfgang J. Paul,et al.  Verification of TLB Virtualization Implemented in C , 2012, VSTTE.

[41]  William R. Bevier,et al.  Kit: A Study in Operating System Verification , 1989, IEEE Trans. Software Eng..

[42]  Alan Jay Smith,et al.  A class of compatible cache consistency protocols and their support by the IEEE futurebus , 1986, ISCA '86.

[43]  Sarita V. Adve,et al.  Shared Memory Consistency Models: A Tutorial , 1996, Computer.

[44]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[45]  Sabine Schmaltz,et al.  Integrated Semantics of Intermediate-Language C and Macro-Assembler for Pervasive Formal Verification of Operating Systems and Hypervisors from VerisoftXT , 2012, VSTTE.

[46]  Martín Abadi,et al.  The Existence of Refinement Mappings , 1988, LICS.

[47]  Mark A. Hillebrand,et al.  Automated Verification of a Small Hypervisor , 2010, VSTTE.

[48]  Peter Sewell,et al.  A Better x86 Memory Model: x86-TSO (Extended Version) , 2009 .

[49]  Eyad Alkassar,et al.  OS verification extended: on the formal verification of device drivers and the correctness of client-server software , 2009 .

[50]  Gil Neiger,et al.  Intel virtualization technology , 2005, Computer.

[51]  Wolfgang J. Paul,et al.  Pervasive Verification of an OS Microkernel - Inline Assembly, Memory Consumption, Concurrent Devices , 2010, VSTTE.

[52]  Ole Agesen,et al.  A comparison of software and hardware techniques for x86 virtualization , 2006, ASPLOS XII.

[53]  Pierre Wolper,et al.  A Verification-Based Approach to Memory Fence Insertion in Relaxed Memory Systems , 2011, SPIN.

[54]  Xavier Leroy,et al.  The CompCert Memory Model, Version 2 , 2012 .

[55]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[56]  Yingwei Luo,et al.  Selective hardware/software memory virtualization , 2011, VEE '11.

[58]  Nancy A. Lynch,et al.  Forward and Backward Simulations, II: Timing-Based Systems , 1991, Inf. Comput..

[59]  Peter A. Dinda,et al.  Comparing Approaches to Virtualized Page Translation in Modern VMMs , 2010 .

[60]  Peter W. O'Hearn,et al.  Resources, concurrency, and local reasoning , 2007 .

[61]  K. Rustan M. Leino,et al.  BoogiePL: A typed procedural language for checking object-oriented programs , 2005 .

[62]  Elena Petrova,et al.  Pervasive Compiler Verification - From Verified Programs to Verified Systems , 2008, Electron. Notes Theor. Comput. Sci..

[63]  Hendrik Tews,et al.  Nova Micro--Hypervisor Verification , 2008 .

[64]  Mark A. Hillebrand,et al.  Formal Verification of a Reader-Writer Lock Implementation in C , 2009, SSV.

[65]  Norbert Schirmer,et al.  A Verification Environment for Sequential Imperative Programs in Isabelle/HOL , 2005, LPAR.

[66]  Amy Newman,et al.  Practical Virtualization Solutions: Virtualization from the Trenches , 2009 .

[67]  Nancy A. Lynch,et al.  An introduction to input/output automata , 1989 .

[68]  Elena Petrova,et al.  Verification of the C0 compiler implementation on the source code level , 2007 .

[69]  Scott Owens,et al.  Reasoning about the Implementation of Concurrency Abstractions on x86-TSO , 2010, ECOOP.

[70]  Jalal Kawash,et al.  WEAK MEMORY CONSISTENCY MODELS PART ONE: DEFINITIONS AND COMPARISONS , 1998 .

[71]  Dirk Carsten Leinenbach,et al.  Compiler verification in the context of pervasive system verification , 2008 .

[72]  Christian Jacobi,et al.  Putting it all together – Formal verification of the VAMP , 2006, International Journal on Software Tools for Technology Transfer.

[73]  Andrey Shadrin,et al.  Mixed low- and high level programming language semantics and automated verification of a small hypervisor , 2012 .

[74]  Zhong Shao,et al.  Using XCAP to Certify Realistic Systems Code: Machine Context Management , 2007, TPHOLs.

[75]  Peter A. Dinda,et al.  Enhancing virtualized application performance through dynamic adaptive paging mode selection , 2011, ICAC '11.

[76]  F. Vaandrager Forward and Backward Simulations Part I : Untimed Systems , 1993 .

[77]  Tom Ridge,et al.  Operational Reasoning for Concurrent Caml Programs and Weak Memory Models , 2007, TPHOLs.

[78]  Norbert Schirmer,et al.  From Total Store Order to Sequential Consistency: A Practical Reduction Theorem , 2010, ITP.

[79]  Peter W. O'Hearn,et al.  Permission accounting in separation logic , 2005, POPL '05.

[80]  Adrian Perrig,et al.  Requirements for an Integrity-Protected Hypervisor on the x86 Hardware Virtualized Architecture , 2010, TRUST.

[81]  Eugene W. Stark Proving Entailment Between Conceptual State Specifications , 1988, Theor. Comput. Sci..

[82]  Mark A. Hillebrand,et al.  Verifying shadow page table algorithms , 2010, Formal Methods in Computer Aided Design.

[83]  Nancy A. Lynch,et al.  Hierarchical correctness proofs for distributed algorithms , 1987, PODC '87.