Translation validation for a verified OS kernel

We extend the existing formal verification of the seL4 operating system microkernel from 9500 lines of C source code to the binary level. We handle all functions that were part of the previous verification. Like the original verification, we currently omit the assembly routines and volatile accesses used to control system hardware. More generally, we present an approach for proving refinement between the formal semantics of a program on the C source level and its formal semantics on the binary level, thus checking the validity of compilation, including some optimisations, and linking, and extending static properties proved of the source code to the executable. We make use of recent improvements in SMT solvers to almost fully automate this process. We handle binaries generated by unmodified gcc 4.5.1 at optimisation level 1, and can handle most of seL4 even at optimisation level 2.
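The refinement check the abstract describes, reduced to a toy that runs stand-alone. This is an added example, not the paper's Isabelle/HOL4 tooling and not seL4 code. The source level is an 8-bit C-like expression, the binary level is a small straight-line register machine, and `validate` plays the role of the SMT query: does any input make the compiled program's result differ from the source's? With 8-bit words the query can be settled by enumeration; the real tool hands a 32-bit version of the same question to an SMT solver such as Z3. The peephole rules are hypothetical stand-ins for compiler optimisations: shifting for multiply-by-two is sound, the naive arithmetic shift for signed divide-by-two is a classic miscompilation (it rounds toward minus infinity where C truncates toward zero), and `rule_div2` is the sign-bit-corrected idiom real compilers emit. All names here are the example's own.

```python
"""Toy translation validation: does a compiled register-machine program
refine its 8-bit C-like source expression for every input?  Constructed
example; the word size is 8 bits so the query can be settled by enumeration."""

BITS = 8
MASK = (1 << BITS) - 1


def to_signed(v):
    """Interpret an 8-bit pattern as a two's-complement integer."""
    v &= MASK
    return v - (1 << BITS) if v & (1 << (BITS - 1)) else v


def c_sdiv(a, b):
    """C signed division: truncates toward zero (Python's // rounds down)."""
    a, b = to_signed(a), to_signed(b)
    q = abs(a) // abs(b)
    return (-q if (a < 0) != (b < 0) else q) & MASK


# Source level: expression tree over one variable x.
# ('var',) | ('const', n) | (op, lhs, rhs) with op in {'add', 'mul', 'sdiv'}
def eval_src(e, x):
    k = e[0]
    if k == 'var':
        return x & MASK
    if k == 'const':
        return e[1] & MASK
    a, b = eval_src(e[1], x), eval_src(e[2], x)
    if k == 'add':
        return (a + b) & MASK
    if k == 'mul':
        return (a * b) & MASK
    if k == 'sdiv':
        return c_sdiv(a, b)
    raise ValueError(k)


# Binary level: x arrives in r0, the result is returned in r0.
# ('movi', rd, imm) | ('mov', rd, ra) | (op, rd, ra, rb) for add/mul/sdiv,
# (op, rd, ra, imm) for shl/lsr/asr.
def run_bin(prog, x):
    r = {0: x & MASK}
    for ins in prog:
        op, rd = ins[0], ins[1]
        if op == 'movi':
            r[rd] = ins[2] & MASK
            continue
        a = r[ins[2]]
        if op == 'mov':
            r[rd] = a
        elif op == 'add':
            r[rd] = (a + r[ins[3]]) & MASK
        elif op == 'mul':
            r[rd] = (a * r[ins[3]]) & MASK
        elif op == 'sdiv':
            r[rd] = c_sdiv(a, r[ins[3]])
        elif op == 'shl':
            r[rd] = (a << ins[3]) & MASK
        elif op == 'lsr':
            r[rd] = a >> ins[3]
        elif op == 'asr':
            r[rd] = (to_signed(a) >> ins[3]) & MASK
        else:
            raise ValueError(op)
    return r[0]


def compile_expr(e):
    """Naive code generator: evaluate into r1 (scratch from r2 up), then r0."""
    def gen(e, dst, tmp):
        if e[0] == 'var':
            return [('mov', dst, 0)]
        if e[0] == 'const':
            return [('movi', dst, e[1])]
        return gen(e[1], dst, tmp) + gen(e[2], tmp, tmp + 1) + [(e[0], dst, dst, tmp)]
    return gen(e, 1, 2) + [('mov', 0, 1)]


def peephole(prog, rule):
    """One pass of a two-instruction rewrite rule (a stand-in optimisation)."""
    out, i = [], 0
    while i < len(prog):
        rep = rule(prog[i], prog[i + 1]) if i + 1 < len(prog) else None
        if rep is None:
            out.append(prog[i]); i += 1
        else:
            out.extend(rep); i += 2
    return out


def _is_movi2_then(a, b, op):
    return a[0] == 'movi' and a[2] == 2 and b[0] == op and b[3] == a[1]


def rule_mul2(a, b):          # x * 2  ->  x << 1   (sound)
    if _is_movi2_then(a, b, 'mul'):
        return [('shl', b[1], b[2], 1)]


def rule_div2_buggy(a, b):    # x / 2  ->  x >>s 1  (wrong for negative odd x)
    if _is_movi2_then(a, b, 'sdiv'):
        return [('asr', b[1], b[2], 1)]


def rule_div2(a, b):          # x / 2  ->  (x + (x >>u 7)) >>s 1  (sound)
    if _is_movi2_then(a, b, 'sdiv'):
        t, d, s = a[1], b[1], b[2]
        return [('lsr', t, s, BITS - 1), ('add', t, s, t), ('asr', d, t, 1)]


def validate(src, prog):
    """Refinement check: None if the binary agrees with the source on every
    input, otherwise the first counterexample input (as a signed value)."""
    for x in range(1 << BITS):
        if run_bin(prog, x) != eval_src(src, x):
            return to_signed(x)
    return None


if __name__ == '__main__':
    src = ('sdiv', ('var',), ('const', 2))
    naive = compile_expr(src)
    for name, rule in (('buggy', rule_div2_buggy), ('fixed', rule_div2)):
        print(name, 'div-by-2:', validate(src, peephole(naive, rule)))
```

The validator never inspects the optimiser; it only compares the two semantics, which is what lets the approach accept the output of an unmodified compiler as long as each accepted pair is proved equivalent. That is also why the buggy rule is caught with a concrete input rather than by a rule about shifts: a miscompilation shows up as a failed refinement query, and the counterexample is what a practitioner would feed back into the compiler bug report.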
