Toward Compositional Verification of Interruptible OS Kernels and Device Drivers

An operating system (OS) kernel forms the lowest level of any system software stack. The correctness of the OS kernel is the basis for the correctness of the entire system. Recent efforts have demonstrated the feasibility of building formally verified general-purpose kernels, but it is unclear how to extend their work to verify the functional correctness of device drivers, due to the non-local effects of interrupts. In this paper, we present a novel compositional framework for building certified interruptible OS kernels with device drivers. We provide a general device model that can be instantiated with various hardware devices, and a realistic formal model of interrupts, which can be used to reason about interruptible code. We have realized this framework in the Coq proof assistant. To demonstrate the effectiveness of our new approach, we have successfully extended an existing verified non-interruptible kernel with our framework and turned it into an interruptible kernel with verified device drivers. To the best of our knowledge, this is the first verified interruptible operating system with device drivers.
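The difficulty the abstract names, that interrupts make a driver's correctness a non-local property, can be seen in a small C model. What follows is an added example, not code from the paper or its Coq development; the device (one command register, one status register), the kernel state, the ISR and every identifier in it are hypothetical. The driver function reads correctly in isolation, yet its invariant (exactly one acknowledged completion per command issued) holds only when interrupts are masked across its read-then-acknowledge of the status register, because the interrupt handler acknowledges the same bit:

```c
/* Added example, not code from the paper: a tiny abstract device model and a
 * simulated interrupt delivery point, showing why a driver's correctness is a
 * non-local property once an interrupt handler can run between two of the
 * driver's own register accesses. Every name here (dev_t, kstate_t, the
 * command/status registers, isr()) is hypothetical. */
#include <stdint.h>
#include <stdbool.h>

enum { CMD_START = 1u, STATUS_BUSY = 1u, STATUS_DONE = 2u };

/* Hypothetical memory-mapped device with one command and one status register.
 * Writing CMD_START makes it busy; on completion it sets STATUS_DONE and
 * raises an interrupt. Clearing STATUS_DONE acknowledges the completion. */
typedef struct {
    uint32_t cmd;
    uint32_t status;
    bool     irq_pending;
} dev_t;

/* Kernel state shared by the driver and its interrupt handler. */
typedef struct {
    dev_t dev;
    bool  irq_masked;
    int   commands;     /* commands issued by the driver */
    int   completions;  /* completions acknowledged (driver + ISR together) */
} kstate_t;

/* Device model: a command write makes the device busy. */
static void device_write_cmd(dev_t *d, uint32_t v)
{
    d->cmd = v;
    if (v == CMD_START)
        d->status |= STATUS_BUSY;
}

/* Device model: a busy device finishes in one step and raises its IRQ line. */
static void device_step(dev_t *d)
{
    if (d->status & STATUS_BUSY) {
        d->status = STATUS_DONE;
        d->irq_pending = true;
    }
}

/* Interrupt handler: acknowledge a completion if one is flagged. */
static void isr(kstate_t *k)
{
    if (k->dev.status & STATUS_DONE) {
        k->dev.status &= ~STATUS_DONE;
        k->completions++;
    }
    k->dev.irq_pending = false;
}

/* Interrupt delivery point: the hardware may run the ISR here unless masked.
 * A real interrupt model must allow this between any two instructions; the
 * toy model exposes it only at the point where the driver goes wrong. */
static void irq_delivery_point(kstate_t *k)
{
    if (!k->irq_masked && k->dev.irq_pending)
        isr(k);
}

/* Driver: issue one command, then acknowledge its completion synchronously.
 * Read on its own the function looks correct; the defect exists only in
 * combination with isr(), which acknowledges the same STATUS_DONE bit. */
static void driver_issue_and_ack(kstate_t *k, bool mask_irqs)
{
    k->irq_masked = mask_irqs;          /* critical section begins (if masked) */
    device_write_cmd(&k->dev, CMD_START);
    k->commands++;

    device_step(&k->dev);               /* device completes, IRQ now pending */

    uint32_t st = k->dev.status;        /* driver samples STATUS_DONE ...      */
    irq_delivery_point(k);              /* ... the ISR may consume it here     */
    if (st & STATUS_DONE) {
        k->dev.status &= ~STATUS_DONE;  /* acting on a possibly stale read     */
        k->completions++;
    }

    k->irq_masked = false;              /* critical section ends               */
    irq_delivery_point(k);              /* a deferred interrupt is delivered   */
}

/* Run one command with or without masking and return completions counted.
 * Invariant the driver must maintain: completions == commands (here, 1). */
int completions_after_one_command(bool mask_irqs)
{
    kstate_t k = {0};
    driver_issue_and_ack(&k, mask_irqs);
    return k.completions;
}

int main(void)
{
    /* Unmasked: driver and ISR both acknowledge one completion (returns 2).
     * Masked: the ISR runs after the driver's acknowledge and finds nothing (returns 1). */
    return (completions_after_one_command(false) == 2 &&
            completions_after_one_command(true) == 1) ? 0 : 1;
}
```

The single irq_delivery_point is the simplification that makes this model easy to check by hand; the interrupt model the abstract describes has to admit delivery at every instruction boundary, which is exactly why reasoning about driver_issue_and_ack on its own cannot establish the invariant and a compositional treatment of the interrupt handler and the device state is needed.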
