Safe to the last instruction: automated verification of a type-safe operating system

Typed assembly language (TAL) and Hoare logic can verify the absence of many kinds of errors in low-level code. We use TAL and Hoare logic to achieve highly automated, static verification of the safety of a new operating system called Verve. Our techniques and tools mechanically verify the safety of every assembly language instruction in the operating system, run-time system, drivers, and applications (in fact, every part of the system software except the boot loader). Verve consists of a "Nucleus" that provides primitive access to hardware and memory, a kernel that builds services on top of the Nucleus, and applications that run on top of the kernel. The Nucleus, written in verified assembly language, implements allocation, garbage collection, multiple stacks, interrupt handling, and device access. The kernel, written in C# and compiled to TAL, builds higher-level services, such as preemptive threads, on top of the Nucleus. A TAL checker verifies the safety of the kernel and applications. A Hoare-style verifier with an automated theorem prover verifies both the safety and correctness of the Nucleus. Verve is, to the best of our knowledge, the first operating system mechanically verified to guarantee both type and memory safety. More generally, Verve's approach demonstrates a practical way to mix high-level typed code with low-level untyped code in a verifiably safe manner.
