Hyperkernel: Push-Button Verification of an OS Kernel

This paper describes an approach to designing, implementing, and formally verifying the functional correctness of an OS kernel, named Hyperkernel, with a high degree of proof automation and low proof burden. We base the design of Hyperkernel's interface on xv6, a Unix-like teaching operating system. Hyperkernel introduces three key ideas to achieve proof automation: it finitizes the kernel interface to avoid unbounded loops or recursion; it separates kernel and user address spaces to simplify reasoning about virtual memory; and it performs verification at the LLVM intermediate representation level to avoid modeling complicated C semantics. We have verified the implementation of Hyperkernel with the Z3 SMT solver, checking a total of 50 system calls and other trap handlers. Experience shows that Hyperkernel can avoid bugs similar to those found in xv6, and that the verification of Hyperkernel can be achieved with a low proof burden.
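As an added illustration of the abstract's first key idea, finitizing the kernel interface, here is a constructed toy (example code written for this page, not Hyperkernel's or xv6's source). Each system call touches exactly one caller-named physical page, so the kernel contains no data-dependent loop; the loop over pages moves into a user-level library; and because the call's input domain is finite, it can be checked against its specification over the entire domain. The page-count and process-id constants, the error codes, and the exhaustive enumeration (which stands in for the SMT query the paper describes, not for Z3 itself) are all assumptions of the example.

```c
/* Constructed example: a finitized per-page allocation interface.
   Not Hyperkernel's code; constants and error codes are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPAGES 6   /* toy physical memory: 6 pages (assumed constant) */
#define NPROCS 3   /* toy process ids 1..NPROCS; 0 means "free" */

enum { E_OK = 0, E_INVAL = -1, E_BUSY = -2, E_PERM = -3 };

typedef struct { uint8_t owner[NPAGES]; } kstate;

/* Representation invariant: every owner field is a valid pid or free. */
static bool kstate_ok(const kstate *s) {
    for (size_t i = 0; i < NPAGES; i++)
        if (s->owner[i] > NPROCS) return false;
    return true;
}

/* Finitized call: allocate exactly one page, named by the caller. No loop. */
static int sys_alloc_page(kstate *s, uint8_t pid, uint64_t pfn) {
    if (pid == 0 || pid > NPROCS) return E_PERM;
    if (pfn >= NPAGES)            return E_INVAL;
    if (s->owner[pfn] != 0)       return E_BUSY;
    s->owner[pfn] = pid;
    return E_OK;
}

/* Finitized call: free one page; only its owner may do so. */
static int sys_free_page(kstate *s, uint8_t pid, uint64_t pfn) {
    if (pfn >= NPAGES)        return E_INVAL;
    if (s->owner[pfn] != pid) return E_PERM;
    s->owner[pfn] = 0;
    return E_OK;
}

/* The unbounded work now lives in user space: a library loop that asks for
   pages one at a time and stops when it has enough or the pages run out. */
static size_t user_alloc_pages(kstate *s, uint8_t pid, size_t want) {
    size_t got = 0;
    for (uint64_t pfn = 0; pfn < NPAGES && got < want; pfn++)
        if (sys_alloc_page(s, pid, pfn) == E_OK) got++;
    return got;
}

/* Because the interface is finite, the specification of sys_alloc_page can
   be checked over every (state, pid, pfn) triple, including invalid pids and
   out-of-range pfns. This enumeration stands in for the solver query.
   Returns the number of triples checked, or 0 on the first violation. */
static unsigned long check_all(void) {
    unsigned long nstates = 1, checked = 0;
    for (size_t i = 0; i < NPAGES; i++) nstates *= (NPROCS + 1);
    for (unsigned long code = 0; code < nstates; code++) {
        kstate base;
        unsigned long c = code;                 /* decode state from counter */
        for (size_t i = 0; i < NPAGES; i++) {
            base.owner[i] = (uint8_t)(c % (NPROCS + 1));
            c /= NPROCS + 1;
        }
        for (unsigned pid = 0; pid <= NPROCS + 1; pid++)
        for (uint64_t pfn = 0; pfn <= NPAGES; pfn++) {
            kstate s = base;
            int r = sys_alloc_page(&s, (uint8_t)pid, pfn);
            bool valid = pid >= 1 && pid <= NPROCS && pfn < NPAGES;
            /* Spec: succeed iff arguments are valid and the page is free;
               on success only that page changes; on error nothing changes. */
            if (r == E_OK) {
                if (!valid || base.owner[pfn] != 0 || s.owner[pfn] != pid) return 0;
                for (size_t i = 0; i < NPAGES; i++)
                    if (i != pfn && s.owner[i] != base.owner[i]) return 0;
            } else {
                for (size_t i = 0; i < NPAGES; i++)
                    if (s.owner[i] != base.owner[i]) return 0;
                if (valid && base.owner[pfn] == 0) return 0; /* should have succeeded */
            }
            if (!kstate_ok(&s)) return 0;
            checked++;
        }
    }
    return checked;
}

/* Driver: process 1 takes 4 pages, process 2 is refused freeing one of them,
   process 1 frees it. Returns how many pages process 1 still owns (3). */
static int demo(void) {
    kstate s = {{0}};
    if (user_alloc_pages(&s, 1, 4) != 4) return -1;
    if (sys_free_page(&s, 2, 0) != E_PERM) return -2;
    if (sys_free_page(&s, 1, 0) != E_OK) return -3;
    int owned = 0;
    for (size_t i = 0; i < NPAGES; i++) if (s.owner[i] == 1) owned++;
    return owned;
}

int main(void) {
    printf("demo owned=%d, triples checked=%lu\n", demo(), check_all());
    return 0;
}
```

The point of the exhaustive check is that it terminates and needs no loop invariant: the verifier never has to reason about "how many pages the caller asked for", because that loop is outside the kernel. With 6 pages and 3 processes the check covers 4096 states times 35 argument pairs; in the real system the same finiteness is what lets an SMT solver discharge the query symbolically instead of by enumeration.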
