Automatic kernel code synthesis and verification

Abstract Formal verification of an OS kernel is widely considered a major challenge; however, traditional interactive theorem provers used in OS kernel verification require manually written proofs and come with a non-trivial cost. In this paper, we propose a formal verification framework to build a verifiably correct OS kernel, named iv6, with a high degree of proof automation and a low burden of proof. Using this framework, programmers only need to write the specification as required, and it can be translated into the corresponding implementation of C code automatically. The verification framework can guarantee that the behaviour of the implementation code adheres to its specifications. Iv6 introduces four key ideas to achieve proof automation: its interfaces and corresponding specifications are designed to be finite to avoid unbounded loops or recursion; it separates kernel and user address spaces using a kernel page table isolation approach to simplify reasoning about virtual memory; it partitions the modules of a kernel state machine according to a state transition function to improve verification performance; and to avoid modelling complicated C semantics, it performs verification at the LLVM intermediate representation level. A total of 48 system calls and some high-level system properties in iv6 have been verified using this method. Experience shows that this framework can reduce the impact of human error on kernel development and make the verification of iv6 more efficient and straightforward.

[1]  Stefan Mangard,et al.  Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR , 2016, CCS.

[2]  William E. Lorensen,et al.  Object-Oriented Modeling and Design , 1991, TOOLS.

[3]  Krzysztof Czarnecki,et al.  Classification of Model Transformation Approaches , 2003 .

[4]  Marsha Chechik,et al.  Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification , 2012, CAV.

[5]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[6]  John Harrison,et al.  HOL Light: A Tutorial Introduction , 1996, FMCAD.

[7]  Zvonimir Rakamaric,et al.  SMACK: Decoupling Source Language Details from Verifier Implementations , 2014, CAV.

[8]  Stephen J. Mellor,et al.  Executable UML - A Foundation for Model-Driven Architecture , 2002, Addison Wesley object technology series.

[9]  Emina Torlak,et al.  A lightweight symbolic virtual machine for solver-aided host languages , 2014, PLDI.

[10]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[11]  William R. Bevier,et al.  Kit: A Study in Operating System Verification , 1989, IEEE Trans. Software Eng..

[12]  Gerald J. Popek,et al.  UCLA Secure UNIX , 1899 .

[13]  Dawson R. Engler,et al.  Exokernel: an operating system architecture for application-level resource management , 1995, SOSP.

[14]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[15]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[16]  Juan Chen,et al.  Secure distributed programming with value-dependent types , 2011, Journal of Functional Programming.

[17]  K. Rustan M. Leino,et al.  Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[18]  Nikolai Kosmatov,et al.  Frama-C: A software analysis perspective , 2015, Formal Aspects of Computing.

[19]  John Regehr,et al.  Provably correct peephole optimizations with alive , 2015, PLDI.

[20]  Leonid Ryzhyk,et al.  User-Guided Device Driver Synthesis , 2014, OSDI.

[21]  Stefan Mangard,et al.  KASLR is Dead: Long Live KASLR , 2017, ESSoS.

[22]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[23]  Lawrence Charles Paulson,et al.  Isabelle/HOL: A Proof Assistant for Higher-Order Logic , 2002 .

[24]  Leonid Ryzhyk,et al.  Automatic device driver synthesis with termite , 2009, SOSP '09.

[25]  Zohar Manna,et al.  Fundamentals of Deductive Program Synthesis , 1992, IEEE Trans. Software Eng..

[26]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[27]  Christoforos E. Kozyrakis,et al.  Usenix Association 10th Usenix Symposium on Operating Systems Design and Implementation (osdi '12) 335 Dune: Safe User-level Access to Privileged Cpu Features , 2022 .

[28]  Rafal Kolanski Verification of programs in virtual memory using separation logic , 2011 .

[29]  Robbert Krebbers,et al.  The C standard formalized in Coq , 2015 .

[30]  Jiro Tanaka,et al.  An Object-Oriented Approach To Generate Java Code From UML Statecharts , 2005 .

[31]  Xinyu Feng,et al.  A Practical Verification Framework for Preemptive OS Kernels , 2016, CAV.

[32]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[33]  Frank Piessens,et al.  The VeriFast program verifier , 2008 .

[34]  Chucky Ellison,et al.  Defining the undefinedness of C , 2015, PLDI.

[35]  Kevin Lano,et al.  Model-Transformation Design Patterns , 2014, IEEE Transactions on Software Engineering.

[36]  Yves Bertot,et al.  Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions , 2010 .

[37]  RICHARD J. FEIERTAG,et al.  The foundations of a provably secure operating system (PSOS) , 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[38]  Xi Wang,et al.  Hyperkernel: Push-Button Verification of an OS Kernel , 2017, SOSP.