Automated Verification of the FreeRTOS Scheduler in HIP/SLEEK

Automated verification of operating system kernels is a challenging problem, partly because of the shared mutable data structures they rely on. In this paper, we show how the memory safety and functional correctness of the task scheduler component of the FreeRTOS kernel can be verified automatically using the HIP/SLEEK verification system. We show how HIP/SLEEK features such as user-defined predicates and lemmas make the specifications highly expressive and keep the verification process tractable. To the best of our knowledge, this is the first code-level verification of memory safety and functional correctness properties of the FreeRTOS scheduler. The outcome of our experiment confirms that HIP/SLEEK can be used to verify code that is used in production. Moreover, since the properties we verify are quite general, we expect the same approach to carry over to the schedulers of other operating systems.
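To make the kind of property at stake concrete, the following is an added example, not code from the paper or from FreeRTOS: a small C model of a FreeRTOS-style scheduler ready list (one circular doubly-linked list per priority, each closed by a sentinel node, plus a bitmask of non-empty priorities), together with a runtime check of the shape-and-size invariant that a separation-logic verifier such as HIP/SLEEK establishes statically through user-defined predicates. All names (`scheduler_t`, `sched_pick_next`, `sched_wellformed`, etc.) are hypothetical, and the tasks inserted are constructed data.

```c
/* Added example, not the paper's or FreeRTOS's code. Models a FreeRTOS-style
 * ready list and checks at run time the invariant a verifier proves statically:
 * each list is a well-formed cycle through its sentinel, its node count matches
 * the stored size, and the ready mask agrees with which lists are non-empty. */
#include <stddef.h>
#include <stdbool.h>
#include <stdint.h>

#define MAX_PRIORITIES 4

typedef struct item {
    struct item *next;
    struct item *prev;
    int task_id;            /* constructed payload identifying the task */
} item_t;

typedef struct {
    size_t count;           /* number of real items, excluding the sentinel */
    item_t end;             /* sentinel that closes the circular list */
} list_t;

typedef struct {
    list_t ready[MAX_PRIORITIES];
    uint32_t ready_mask;    /* bit p set iff ready[p] is non-empty */
} scheduler_t;

void list_init(list_t *l) {
    l->count = 0;
    l->end.next = &l->end;
    l->end.prev = &l->end;
    l->end.task_id = -1;
}

void sched_init(scheduler_t *s) {
    for (int p = 0; p < MAX_PRIORITIES; p++) list_init(&s->ready[p]);
    s->ready_mask = 0;
}

/* Insert just before the sentinel, i.e. at the tail of the list. */
void list_insert_end(list_t *l, item_t *it) {
    it->next = &l->end;
    it->prev = l->end.prev;
    l->end.prev->next = it;
    l->end.prev = it;
    l->count++;
}

void list_remove(list_t *l, item_t *it) {
    it->prev->next = it->next;
    it->next->prev = it->prev;
    it->next = it->prev = NULL;
    l->count--;
}

bool sched_add_ready(scheduler_t *s, item_t *it, int prio) {
    if (prio < 0 || prio >= MAX_PRIORITIES) return false;  /* bounds check */
    list_insert_end(&s->ready[prio], it);
    s->ready_mask |= 1u << prio;
    return true;
}

void sched_remove_ready(scheduler_t *s, item_t *it, int prio) {
    list_remove(&s->ready[prio], it);
    if (s->ready[prio].count == 0) s->ready_mask &= ~(1u << prio);
}

/* Task id at the head of the highest non-empty priority list, or -1. */
int sched_pick_next(const scheduler_t *s) {
    for (int p = MAX_PRIORITIES - 1; p >= 0; p--)
        if (s->ready_mask & (1u << p)) return s->ready[p].end.next->task_id;
    return -1;
}

/* Shape: a doubly-linked cycle through the sentinel. Size: nodes == count. */
bool list_wellformed(const list_t *l) {
    size_t n = 0;
    const item_t *cur = l->end.next;
    while (cur != &l->end) {
        if (cur == NULL || cur->prev == NULL || cur->prev->next != cur) return false;
        if (++n > l->count) return false;   /* longer than advertised */
        cur = cur->next;
    }
    return n == l->count && l->end.prev->next == &l->end;
}

bool sched_wellformed(const scheduler_t *s) {
    for (int p = 0; p < MAX_PRIORITIES; p++) {
        if (!list_wellformed(&s->ready[p])) return false;
        bool nonempty = s->ready[p].count > 0;
        if (nonempty != (bool)((s->ready_mask >> p) & 1u)) return false;
    }
    return true;
}

/* Constructed scenario: three tasks, one removal. Returns the next task id,
 * or -2 if the invariant is violated at any step. */
int scenario(void) {
    static scheduler_t s;
    static item_t a, b, c;
    sched_init(&s);
    a.task_id = 1; b.task_id = 2; c.task_id = 3;
    if (!sched_wellformed(&s) || sched_pick_next(&s) != -1) return -2;
    sched_add_ready(&s, &a, 1);
    sched_add_ready(&s, &b, 3);
    sched_add_ready(&s, &c, 1);
    if (!sched_wellformed(&s) || sched_pick_next(&s) != 2) return -2;
    sched_remove_ready(&s, &b, 3);
    if (!sched_wellformed(&s)) return -2;
    return sched_pick_next(&s);          /* head of the priority-1 list: task 1 */
}

/* Corrupts the stored size of a valid list and reports whether the check catches it. */
bool detects_size_corruption(void) {
    static scheduler_t s;
    static item_t a;
    sched_init(&s);
    a.task_id = 7;
    sched_add_ready(&s, &a, 2);
    s.ready[2].count = 5;
    return !sched_wellformed(&s);
}
```

The runtime check mirrors what the static proof buys: `list_wellformed` walks the cycle and compares it to `count`, while a verifier proves from the predicate that every `list_insert_end` and `list_remove` preserves the same relation, so the check never needs to run in production. Note that `scenario` and `detects_size_corruption` use `static` storage so the list nodes outlive the calls that link them.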
