Program Verification in the Presence of Cached Address Translation

Operating system (OS) kernels achieve isolation between user-level processes using multi-level page tables and translation lookaside buffers (TLBs). Controlling the TLB correctly is a fundamental security property—yet all large-scale formal OS verification projects leave correct functionality of the TLB as an assumption. We present a logic for reasoning about low-level programs in the presence of TLB address translation. We extract invariants and necessary conditions for correct TLB operation that mirror the informal reasoning of OS engineers. Our program logic reduces to a standard logic for user-level reasoning, reduces to side-condition checks for kernel-level reasoning, and can handle typical OS kernel tasks such as context switching and page table manipulations.
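As an added illustration (not the paper's logic and not code from any of the projects it mentions), the following toy Python model shows the invariant the abstract appeals to: every cached TLB entry must agree with the live page table, and both kernel tasks named above, page-table manipulation and context switching, break it when the accompanying flush is omitted. The single-level table, 4 KiB page size and frame numbers are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

PAGE_SHIFT = 12  # 4 KiB pages: a constructed assumption of this toy model
PageTable = Dict[int, int]  # virtual page number -> physical frame number

@dataclass
class MMU:
    page_table: PageTable
    tlb: Dict[int, int] = field(default_factory=dict)  # cached page-table walks

    def translate(self, vaddr: int) -> Optional[int]:
        vpn, off = vaddr >> PAGE_SHIFT, vaddr & ((1 << PAGE_SHIFT) - 1)
        if vpn not in self.tlb:
            if vpn not in self.page_table:
                return None  # page fault: no mapping in the table
            self.tlb[vpn] = self.page_table[vpn]  # hardware caches the walk result
        return (self.tlb[vpn] << PAGE_SHIFT) | off

    def set_pte(self, vpn: int, pfn: Optional[int], flush: bool) -> None:
        """Page-table manipulation; correct kernel code also invalidates the TLB."""
        if pfn is None:
            self.page_table.pop(vpn, None)
        else:
            self.page_table[vpn] = pfn
        if flush:
            self.tlb.pop(vpn, None)

    def switch_address_space(self, table: PageTable, flush: bool) -> None:
        self.page_table = table  # context switch: install another process's table
        if flush:
            self.tlb.clear()

    def tlb_consistent(self) -> bool:
        """Invariant: every cached translation equals the live page-table entry."""
        return all(self.page_table.get(v) == pfn for v, pfn in self.tlb.items())

def stale_after_unmap(flush: bool) -> bool:
    """True if a translation survives after its page-table entry was removed."""
    mmu = MMU({0x10: 0x200})
    mmu.translate(0x10_000)  # fills the TLB for vpn 0x10
    mmu.set_pte(0x10, None, flush=flush)
    return mmu.translate(0x10_000) is not None or not mmu.tlb_consistent()

def leak_after_switch(flush: bool) -> bool:
    """True if process B can reach process A's frame through a cached entry."""
    mmu = MMU({0x10: 0x200})  # A maps vpn 0x10 -> frame 0x200
    mmu.translate(0x10_000)
    mmu.switch_address_space({0x10: 0x300}, flush=flush)  # B maps the same vpn elsewhere
    return mmu.translate(0x10_000) == 0x200_000
```

Checking `tlb_consistent()` after every kernel operation is the side condition a proof about kernel code would have to discharge; user-level code, which never edits the table, gets the invariant for free.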
