Provably trustworthy systems

We present recent work on building and scaling trustworthy systems with formal, machine-checkable proof from the ground up, including the operating system kernel, at the level of binary machine code. We first give a brief overview of the seL4 microkernel verification and how it can be used to build verified systems. We then show two complementary techniques for scaling these methods to larger systems: proof engineering, to estimate verification effort; and code/proof co-generation, for scalable development of provably trustworthy applications. This article is part of the themed issue ‘Verified trustworthy software systems’.

[1]  David Walker,et al.  The PADS project: an overview , 2011, ICDT '11.

[2]  Sidney Amani,et al.  Refinement through restraint: bringing down the cost of verification , 2016, ICFP 2016.

[3]  Yutaka Nagashima,et al.  A Framework for the Automatic Formal Verification of Refinement from Cogent to C , 2016, ITP.

[4]  Xavier Leroy,et al.  A Formally Verified Compiler Back-end , 2009, Journal of Automated Reasoning.

[5]  Gerwin Klein,et al.  seL4 Enforces Integrity , 2011, ITP.

[6]  D. Ross Jeffery,et al.  Empirical Study Towards a Leading Indicator for Cost of Formal Software Verification , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[7]  Mark A. Hillebrand,et al.  The Verisoft Approach to Systems Verification , 2008, VSTTE.

[8]  Yves Bertot,et al.  Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions , 2010 .

[9]  Magnus O. Myreen,et al.  Translation validation for a verified OS kernel , 2013, PLDI.

[10]  Magnus O. Myreen,et al.  Self-Formalisation of Higher-Order Logic , 2016, Journal of Automated Reasoning.

[11]  Leonard J. Bass,et al.  Formal specifications better than function points for code sizing , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[12]  Zhong Shao,et al.  Using XCAP to Certify Realistic Systems Code: Machine Context Management , 2007, TPHOLs.

[13]  Xin Gao,et al.  Formally Verified System Initialisation , 2013, ICFEM.

[14]  Gernot Heiser,et al.  Complete, High-Assurance Determination of Loop Bounds and Infeasible Paths for WCET Analysis , 2016, 2016 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS).

[15]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[16]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[17]  David Greenaway,et al.  Automated proof-producing abstraction of C code , 2014 .

[18]  Jan Peleska,et al.  Automated Test Case Generation with SMT-Solving and Abstract Interpretation , 2011, NASA Formal Methods.

[19]  Gernot Heiser,et al.  L4 Microkernels: The Lessons from 20 Years of Research and Deployment , 2016, TOCS.

[20]  Matthew Fernandez,et al.  Formal Verification of a Component Platform , 2016 .

[21]  Tobias Nipkow,et al.  A FORMAL PROOF OF THE KEPLER CONJECTURE , 2015, Forum of Mathematics, Pi.

[22]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[23]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[24]  Wolfgang J. Paul,et al.  Pervasive Verification of an OS Microkernel - Inline Assembly, Memory Consumption, Concurrent Devices , 2010, VSTTE.

[25]  D. Ross Jeffery,et al.  Productivity for proof engineering , 2014, ESEM '14.

[26]  Christophe Calvès,et al.  Faults in linux: ten years later , 2011, ASPLOS XVI.

[27]  Eyad Alkassar,et al.  OS verification extended: on the formal verification of device drivers and the correctness of client-server software , 2009 .

[28]  Gernot Heiser,et al.  Timing Analysis of a Protected Operating System Kernel , 2011, 2011 IEEE 32nd Real-Time Systems Symposium.

[29]  Mark A. Hillebrand,et al.  Formal Functional Verification of Device Drivers , 2008, VSTTE.

[30]  Gernot Heiser,et al.  Trickle: Automated infeasible path detection using all minimal unsatisfiable subsets , 2014, 2014 IEEE 19th Real-Time and Embedded Technology and Applications Symposium (RTAS).

[31]  Georges Gonthier,et al.  Formal Proof—The Four- Color Theorem , 2008 .

[32]  Jochen Liedtke,et al.  Toward real microkernels , 1996, CACM.

[33]  Gernot Heiser,et al.  Comprehensive formal verification of an OS microkernel , 2014, TOCS.

[34]  Ramana Kumar,et al.  CakeML: a verified implementation of ML , 2014, POPL.

[35]  Georges Gonthier A computer-checked proof of the Four Colour Theorem , 2005 .

[36]  Andrew Boyton Secure architectures on a verified microkernel , 2014 .

[37]  Timothy Bourke,et al.  Challenges and Experiences in Managing Large-Scale Proofs , 2012, AISC/MKM/Calculemus.

[38]  Tobias Nipkow,et al.  A Revision of the Proof of the Kepler Conjecture , 2009, Discret. Comput. Geom..

[39]  K. Rustan M. Leino,et al.  Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[40]  Filip Maric Formal Verification of Modern SAT Solvers , 2008, Arch. Formal Proofs.

[41]  Gerwin Klein,et al.  Don't sweat the small stuff: formal verification of C code without the pain , 2014, PLDI.

[42]  Gernot Heiser,et al.  Improving interrupt response time in a verifiable protected microkernel , 2012, EuroSys '12.

[43]  Liming Zhu,et al.  Large-scale formal verification in practice: A process perspective , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[44]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[45]  Andrew W. Appel,et al.  Verified Correctness and Security of OpenSSL HMAC , 2015, USENIX Security Symposium.

[46]  Sidney Amani,et al.  Specifying a Realistic File System , 2015, MARS.

[47]  Gerwin Klein,et al.  Automated Verification of RPC Stub Code , 2015, FM.

[48]  Srinath T. V. Setty,et al.  IronFleet: proving practical distributed systems correct , 2015, SOSP.

[49]  James R. Larus,et al.  Sealing OS processes to improve dependability and safety , 2007, EuroSys '07.

[50]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.

[51]  Sidney Amani,et al.  Cogent: Verifying High-Assurance File System Implementations , 2016, ASPLOS.

[52]  Pierre Castéran,et al.  Interactive Theorem Proving and Program Development , 2004, Texts in Theoretical Computer Science An EATCS Series.

[53]  Xianfeng Li,et al.  Chronos: A timing analyzer for embedded software , 2007, Sci. Comput. Program..

[54]  Michael Norrish,et al.  A Brief Overview of HOL4 , 2008, TPHOLs.

[55]  Tobias Nipkow,et al.  A Proof Assistant for Higher-Order Logic , 2002 .

[56]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[57]  Jeremy Avigad,et al.  A Machine-Checked Proof of the Odd Order Theorem , 2013, ITP.

[58]  Tobias Nipkow,et al.  Mining the Archive of Formal Proofs , 2015, CICM.

[59]  Andreas Lochbihler Jinja with Threads , 2007, Arch. Formal Proofs.

[60]  Adam Chlipala,et al.  Using Crash Hoare logic for certifying the FSCQ file system , 2015, USENIX Annual Technical Conference.

[61]  Magnus O. Myreen,et al.  The Reflective Milawa Theorem Prover Is Sound - (Down to the Machine Code That Runs It) , 2014, ITP.

[62]  Andrei Popescu,et al.  A Conference Management System with Verified Document Confidentiality , 2014, CAV.