A Practical Verification Framework for Preemptive OS Kernels

We propose a practical verification framework for preemptive OS kernels. The framework models the correctness of API implementations in OS kernels as contextual refinement of their abstract specifications. It provides a specification language for defining the high-level abstract model of OS kernels, a program logic for refinement verification of concurrent kernel code with multi-level hardware interrupts, and automated tactics for developing mechanized proofs. The whole framework is developed for a practical subset of the C language. We have successfully applied it to verify key modules of a commercial preemptive OS, \(\mu\text{C/OS-II}\) [2], including the scheduler, interrupt handlers, message queues, and mutexes. We also verify priority-inversion-freedom (PIF) in \(\mu\text{C/OS-II}\). All the proofs are mechanized in Coq. To our knowledge, our work is the first to verify the functional correctness of a practical preemptive OS kernel with machine-checkable proofs.

[1] Yu Guo et al. Deep Specifications and Certified Abstraction Layers. POPL, 2015.

[2] Peter W. O'Hearn et al. Resources, concurrency, and local reasoning. 2007.

[3] Fred B. Schneider et al. A formalization of priority inversion. Real-Time Systems, 2005.

[4] Lars Birkedal et al. Unifying refinement and Hoare-style reasoning in a logic for higher-order concurrency. ICFP, 2013.

[5] Gernot Heiser et al. Comprehensive formal verification of an OS microkernel. TOCS, 2014.

[6] Xiaokang Qiu et al. Natural proofs for structure, data, and separation. PLDI, 2013.

[7] Xavier Leroy et al. Formal verification of a realistic compiler. CACM, 2009.

[8] Yu Guo et al. Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads. Journal of Automated Reasoning, 2009.

[9] Hongseok Yang et al. Modular verification of preemptive OS kernels. Journal of Functional Programming, 2011.

[10] Lars Birkedal et al. Logical relations for fine-grained concurrency. POPL, 2013.

[11] Xinyu Feng et al. Compositional verification of termination-preserving refinement of concurrent programs. CSL-LICS, 2014.

[12] Suresh Jagannathan et al. CompCertTSO: A Verified Compiler for Relaxed-Memory Concurrency. JACM, 2013.

[13] Chris Hawblitzel et al. Safe to the last instruction: automated verification of a type-safe operating system. PLDI, 2010.

[14] Andrew McCreight et al. Practical Tactics for Separation Logic. TPHOLs, 2009.

[15] Xinyu Feng et al. Practical Tactics for Verifying C Programs in Coq. CPP, 2015.

[16] Xinyu Feng et al. Modular verification of linearizability with non-fixed linearization points. PLDI, 2013.

[17] Michael Norrish et al. seL4: formal verification of an OS kernel. SOSP, 2009.

[18] Nikolaj Bjørner et al. Z3: An Efficient SMT Solver. TACAS, 2008.

[19] Lui Sha et al. Priority Inheritance Protocols: An Approach to Real-Time Synchronization. IEEE Trans. Computers, 1990.

[20] Wolfgang J. Paul et al. Pervasive Verification of an OS Microkernel: Inline Assembly, Memory Consumption, Concurrent Devices. VSTTE, 2010.

[21] Mark A. Hillebrand et al. VCC: A Practical System for Verifying Concurrent C. TPHOLs, 2009.

[22] Michael Norrish et al. seL4: formal verification of an operating-system kernel. Commun. ACM, 2010.

[23] Zhong Shao et al. Toward Compositional Verification of Interruptible OS Kernels and Device Drivers. Journal of Automated Reasoning, 2017.

[24] Xinyu Feng et al. A rely-guarantee-based simulation for verifying concurrent program transformations. POPL, 2012.