Formal Verification of Demand Paging

This thesis presents the formal pervasive verification of demand paging. Memory virtualization by means of demand paging is a crucial component of every modern operating system. The formal verification is challenging because reasoning about the page-fault handler (i) has to cover two concurrent sources of computation, the processor and the hard disk, and (ii) involves different kinds of semantics for high- and low-level programming languages. To tackle this challenge we applied a stack of semantics [Sch06, AHL09] for a high-level C dialect [Lei07] and for low-level assembly code. The stack handles mixed-language implementations and concurrently operating devices, and permits transferring properties down to the target architecture while obeying its resource restrictions. As the target architecture that runs the demand paging implementation we use the formally verified microprocessor VAMP [BJK06] with devices [Alk09]. The main result of this work is a mechanically checked formal proof that the page-fault handler maintains memory virtualization for the user processes running on top of an operating-system microkernel: each user process is provided with the notion of its own large, isolated memory. This work is part of the Verisoft project, a large-scale effort bringing together industrial and academic partners to push the state of the art in formal verification of realistic computer systems comprising hardware and software.
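To make the correctness statement concrete, the following is an added illustration, not code or a model from the thesis or the Verisoft project: a small C simulation of a page-fault handler together with the kind of simulation relation the proof establishes. The specification side is a per-process memory array (the "own, large and isolated memory" each user process is promised); the implementation side is a few physical frames plus a swap area standing in for the hard disk, a page table per process, and a handler that swaps pages in and out. `vm_invariant_holds()` checks that what each process sees through its page table equals its specification memory and that no frame is mapped by two virtual pages. All sizes, names and the workload are constructed for the example; the `writeback` switch exists only to show that omitting the write-back on eviction is exactly the kind of defect the invariant (and hence a proof of it) rules out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes: many virtual pages per process, few physical frames, so eviction happens. */
#define NPROC      2
#define VPAGES     8
#define PPAGES     3
#define PAGE_WORDS 4

typedef struct { int valid; int frame; } pte_t;

static uint32_t spec_mem[NPROC][VPAGES][PAGE_WORDS];  /* specification: isolated per-process memory */
static uint32_t phys[PPAGES][PAGE_WORDS];             /* implementation: physical memory */
static uint32_t swap_disk[NPROC][VPAGES][PAGE_WORDS]; /* implementation: swap area on the "hard disk" */
static pte_t    pt[NPROC][VPAGES];                    /* page tables, one per process */
static int      owner_pid[PPAGES], owner_vp[PPAGES];  /* which (pid, vp) occupies a frame; -1 = free */
static int      next_victim;                          /* round-robin eviction pointer */
static int      do_writeback;                         /* 1 = correct handler, 0 = deliberately buggy */
static long     faults;

void vm_reset(int writeback) {
    memset(spec_mem, 0, sizeof spec_mem);
    memset(phys, 0, sizeof phys);
    memset(swap_disk, 0, sizeof swap_disk);
    memset(pt, 0, sizeof pt);
    for (int f = 0; f < PPAGES; f++) { owner_pid[f] = -1; owner_vp[f] = -1; }
    next_victim = 0;
    do_writeback = writeback;
    faults = 0;
}

/* Page-fault handler: bring (pid, vp) into a frame, evicting the current occupant of that frame. */
static int page_fault_handler(int pid, int vp) {
    int f = next_victim;
    next_victim = (next_victim + 1) % PPAGES;
    if (owner_pid[f] >= 0) {                          /* frame occupied: evict */
        int opid = owner_pid[f], ovp = owner_vp[f];
        if (do_writeback)                             /* save the victim's data to disk */
            memcpy(swap_disk[opid][ovp], phys[f], sizeof phys[f]);
        pt[opid][ovp].valid = 0;                      /* unmap the victim */
    }
    memcpy(phys[f], swap_disk[pid][vp], sizeof phys[f]); /* swap the demanded page in */
    owner_pid[f] = pid; owner_vp[f] = vp;
    pt[pid][vp].valid = 1; pt[pid][vp].frame = f;
    faults++;
    return f;
}

/* Address translation as the user process experiences it: a miss triggers the handler. */
static int translate(int pid, int vp) {
    return pt[pid][vp].valid ? pt[pid][vp].frame : page_fault_handler(pid, vp);
}

uint32_t vm_read(int pid, int vp, int off) { return phys[translate(pid, vp)][off]; }

void vm_write(int pid, int vp, int off, uint32_t val) {
    phys[translate(pid, vp)][off] = val;   /* implementation-level effect */
    spec_mem[pid][vp][off] = val;          /* specification-level effect of the same write */
}

/* Simulation relation: every page, mapped or swapped out, holds its spec contents,
   and each mapped frame belongs to exactly the (pid, vp) that maps it (isolation). */
int vm_invariant_holds(void) {
    for (int p = 0; p < NPROC; p++)
        for (int v = 0; v < VPAGES; v++) {
            const uint32_t *impl = pt[p][v].valid ? phys[pt[p][v].frame] : swap_disk[p][v];
            if (memcmp(impl, spec_mem[p][v], sizeof spec_mem[p][v]) != 0) return 0;
            if (pt[p][v].valid) {
                int f = pt[p][v].frame;
                if (owner_pid[f] != p || owner_vp[f] != v) return 0;
            }
        }
    return 1;
}

long vm_fault_count(void) { return faults; }

/* Constructed workload: both processes write to the same virtual page numbers, which
   must never collide. Returns 1 if the invariant held after every step and all reads
   return what the respective process wrote, 0 otherwise. */
int run_demo(int writeback) {
    vm_reset(writeback);
    for (int step = 0; step < 40; step++) {
        int pid = step % NPROC, vp = (step * 5) % VPAGES, off = step % PAGE_WORDS;
        vm_write(pid, vp, off, 0x1000u * (uint32_t)(pid + 1) + (uint32_t)step);
        if (!vm_invariant_holds()) return 0;
    }
    for (int p = 0; p < NPROC; p++)
        for (int v = 0; v < VPAGES; v++)
            for (int o = 0; o < PAGE_WORDS; o++)
                if (vm_read(p, v, o) != spec_mem[p][v][o] || !vm_invariant_holds()) return 0;
    return 1;
}

int main(void) {
    printf("correct handler: %d (faults %ld)\n", run_demo(1), vm_fault_count());
    printf("no write-back:   %d\n", run_demo(0));
    return 0;
}
```

The invariant is a simulation relation between the implementation state (frames, swap area, page tables) and the specification state (one large isolated memory per process); the thesis proves such a relation is preserved by every step of the handler, here it is only tested on one run. Dropping the write-back makes the check fail as soon as a dirty page is evicted, which is the intuition behind why the handler's interaction with the disk has to be part of the verified model.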

[1] J. S. Moore, et al. A Grand Challenge Proposal for Formal Methods: A Verified Stack, 2002, 10th Anniversary Colloquium of UNU/IIST.

[2] Alexandra Tsyban, et al. Verified Process-Context Switch for C-Programmed Kernels, 2008, VSTTE.

[3] Mark A. Hillebrand, et al. Balancing the Load, 2009, Journal of Automated Reasoning.

[4] Mohamed Nassim Seghir, et al. Integration of a Software Model Checker into Isabelle, 2005, LPAR.

[5] J. Strother Moore, et al. An approach to systems verification, 1989, Journal of Automated Reasoning.

[6] Gerwin Klein, et al. Operating system verification: An overview, 2009.

[7] Alexandra Tsyban, et al. Correct Microkernel Primitives, 2008, Electron. Notes Theor. Comput. Sci.

[8] Iakov Dalinger, et al. Formal verification of a processor with memory management units, 2013.

[9] Elena Petrova, et al. Pervasive Compiler Verification: From Verified Programs to Verified Systems, 2008, Electron. Notes Theor. Comput. Sci.

[10] Dirk Carsten Leinenbach, et al. Compiler verification in the context of pervasive system verification, 2008.

[11] Christian Jacobi, et al. Putting it all together: Formal verification of the VAMP, 2006, International Journal on Software Tools for Technology Transfer.

[12] Alexandra Tsyban, et al. Formal Verification of a Framework for Microkernel Programmers, 2009.

[13] Daniel Kroening, et al. Instantiating Uninterpreted Functional Units and Memory System: Functional Verification of the VAMP, 2003, CHARME.

[14] Norbert Schirmer, et al. Verification of sequential imperative programs in Isabelle/HOL, 2006.

[15] David A. Patterson, et al. Computer Architecture: A Quantitative Approach, 1969.

[16] Richard J. Feiertag, et al. The foundations of a provably secure operating system (PSOS), 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[17] Kevin Elphinstone, et al. Experience report: seL4: formally verifying a high-performance microkernel, 2009, ICFP.

[18] Hendrik Tews, et al. The VFiasco approach for a verified operating system, 2005.

[19] Zhong Shao, et al. Using XCAP to Certify Realistic Systems Code: Machine Context Management, 2007, TPHOLs.

[20] Mark A. Hillebrand, et al. On the Correctness of Operating System Kernels, 2005, TPHOLs.

[21] Gerd Beuster, et al. Real World Verification Experiences from the Verisoft Email Client, 2006.

[22] Richard A. Kemmerer, et al. Specification and verification of the UCLA Unix security kernel, 1979, CACM.

[23] Eyad Alkassar, et al. OS verification extended: on the formal verification of device drivers and the correctness of client-server software, 2009.

[24] Peter G. Neumann, et al. PSOS revisited, 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings.

[25] Markus S. Miller, et al. Towards a Verified, General-Purpose Operating System Kernel, 2004.

[26] Yu Guo, et al. Certifying low-level programs with hardware interrupts and preemptive threads, 2008, PLDI '08.

[27] Matthias Daum, et al. Model Stack for the Pervasive Verification of a Microkernel-based Operating System, 2008, VERIFY.

[28] Sam Weber, et al. Verifying the EROS confinement mechanism, 2000, Proceedings 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[29] Artem Starostin. Formal Verification of a C-Library for Strings, 2006.

[30] Hendrik Tews, et al. The Semantics of C++ Data Types: Towards Verifying Low-level System Components, 2003.

[31] Wolfgang J. Paul, et al. Computer Architecture: Complexity and Correctness, 2000.

[32] Tobias Nipkow, et al. Proving pointer programs in higher-order logic, 2005, Inf. Comput.

[33] Wolfgang J. Paul, et al. Towards the Formal Verification of a C0 Compiler: Code Generation and Implementation Correctness, 2005, SEFM.

[34] Andrew S. Tanenbaum, et al. Operating Systems: Design and Implementation, 3rd Edition, 2005.

[35] Sebastian Bogan, et al. Formal specification of a simple operating system, 2008.

[36] Wolfgang J. Paul, et al. Proving the correctness of client/server software, 2009.

[37] Norbert Schirmer, et al. A Verification Environment for Sequential Imperative Programs in Isabelle/HOL, 2005, LPAR.

[38] Tobias Nipkow, et al. A Proof Assistant for Higher-Order Logic, 2002.

[39] Andrew S. Tanenbaum, et al. Operating Systems: Design and Implementation, 1987, Prentice-Hall software series.

[40] Mark A. Hillebrand, et al. On the Verification of Memory Management Mechanisms, 2005, CHARME.

[41] Mark A. Hillebrand, et al. Dealing with I/O devices in the context of pervasive system verification, 2005, 2005 International Conference on Computer Design.

[42] Zhong Shao, et al. Certified assembly programming with embedded code pointers, 2006, POPL '06.

[43] Tom Kilburn, et al. One-Level Storage System, 1962, IRE Trans. Electron. Comput.

[44] Mark A. Hillebrand, et al. Formal Verification of Gate-Level Computer Systems, 2009, CSR.

[45] Brian Randell, et al. Demand paging in perspective, 1968, AFIPS '68 (Fall, part II).

[46] Thomas In der Rieden, et al. CVM: A Verified Framework for Microkernel Programmers, 2008, SSV.

[47] Burkhart Wolff, et al. Proving Fairness and Implementation Correctness of a Microkernel Scheduler, 2009, Journal of Automated Reasoning.

[48] Mark A. Hillebrand, et al. Formal Device and Programming Model for a Serial Interface, 2007, VERIFY.

[49] Alan Jay Smith, et al. Bibliography on paging and related topics, 1978, OPSR.

[50] Elena Petrova, et al. Verification of the C0 compiler implementation on the source code level, 2007.

[51] Mark A. Hillebrand, et al. On the Architecture of System Verification Environments, 2007, Haifa Verification Conference.

[52] William R. Bevier, et al. Kit: A Study in Operating System Verification, 1989, IEEE Trans. Software Eng.

[53] Robert S. Boyer, et al. A verified operating system kernel, 1987.

[54] Stefan M. Petters, et al. Towards trustworthy computing systems: taking microkernels to the next level, 2007, OPSR.

[55] D. J. Howarth, et al. The Manchester University Atlas Operating System Part I: Internal Organization, 1961, Comput. J.

[56] Mark A. Hillebrand, et al. Address spaces and virtual memory: specification, implementation, and correctness, 2005.

[57] Mark A. Hillebrand, et al. The Verisoft Approach to Systems Verification, 2008, VSTTE.

[58] Burkhart Wolff, et al. A Verification Approach for System-Level Concurrent Programs, 2008, VSTTE.

[59] Steffen Knapp, et al. The correctness of a distributed real-time system, 2008.

[60] Kevin Elphinstone, et al. Verified Protection Model of the seL4 Microkernel, 2008, VSTTE.