Efficient Formal Verification for the Linux Kernel

Formal verification of the Linux kernel has been receiving increasing attention in recent years, with the development of many models, from memory subsystems to the synchronization primitives of the real-time kernel. The effort spent developing formal verification methods is justified by the size of the code base, the synchronization complexity inherent in a monolithic kernel and the support for multiple architectures, together with the use of Linux in critical systems, from high-frequency trading to self-driving cars. Despite recent developments in the area, none of the proposed approaches is suitable and flexible enough to be applied efficiently to a running kernel. Aiming to fill this gap, this paper proposes a formal verification approach for the Linux kernel based on automata models. It presents a method to auto-generate verification code from an automaton; the generated code can be integrated into a module and dynamically loaded into the kernel for efficient on-the-fly verification of the system, using in-kernel tracing features. Finally, a set of experiments demonstrates verification of three models, along with a performance analysis of the impact of the verification on the latency and throughput of the system, showing the efficiency of the approach.
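As an added illustration, not code from the paper, the following userspace C sketch shows the shape of an automaton-driven verifier of the kind the abstract describes: a transition table generated from a model, a per-event handler that would be attached to tracepoints inside a kernel module, and a replay of a constructed event sequence standing in for the live trace. The model rule, the state and event names and the transition table are assumptions made for this example.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed example model: "sched_waking is only allowed while preemption
 * is disabled", encoded the way generated verifier code would be: a
 * transition table indexed by [state][event]. */
enum states { PREEMPTIVE, NON_PREEMPTIVE, NSTATES };
enum events { PREEMPT_DISABLE, PREEMPT_ENABLE, SCHED_WAKING, NEVENTS };

const char *state_names[NSTATES] = { "preemptive", "non_preemptive" };
const char *event_names[NEVENTS] = { "preempt_disable", "preempt_enable", "sched_waking" };

/* transitions[state][event] = next state, or -1 if the event is invalid here */
const int transitions[NSTATES][NEVENTS] = {
    /* preemptive     */ { NON_PREEMPTIVE, -1, -1 },
    /* non_preemptive */ { -1, PREEMPTIVE, NON_PREEMPTIVE },
};

struct monitor { int state; unsigned long violations; };

/* One call per trace event (the role a tracepoint handler plays in a kernel
 * module).  Returns true for a valid transition; on a violation (including an
 * event the model does not know) the monitor reports it and keeps its state. */
bool monitor_handle(struct monitor *m, int event)
{
    bool known = event >= 0 && event < NEVENTS;
    int next = known ? transitions[m->state][event] : -1;
    if (next < 0) {
        m->violations++;
        printf("violation: %s in state %s\n", known ? event_names[event] : "unknown",
               state_names[m->state]);
        return false;
    }
    m->state = next;
    return true;
}

/* Replays an event sequence from the initial state; returns violations found. */
unsigned long monitor_replay(const int *events, int n)
{
    struct monitor m = { PREEMPTIVE, 0 };
    for (int i = 0; i < n; i++)
        monitor_handle(&m, events[i]);
    return m.violations;
}

int main(void)
{
    const int ok[]  = { PREEMPT_DISABLE, SCHED_WAKING, PREEMPT_ENABLE };
    const int bad[] = { PREEMPT_DISABLE, PREEMPT_ENABLE, SCHED_WAKING };
    printf("ok: %lu, bad: %lu violations\n", monitor_replay(ok, 3), monitor_replay(bad, 3));
}
```

In a real module the table and handler would be generated from the automaton and the events would arrive from tracepoints rather than from an array, which is what keeps the per-event cost to one table lookup.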
