Modular verification of preemptive OS kernels

Most major OS kernels today run on multiprocessor systems and are preemptive: it is possible for a process running in the kernel mode to get descheduled. Existing modular techniques for verifying concurrent code are not directly applicable in this setting: they rely on scheduling being implemented correctly, and in a preemptive kernel, the correctness of the scheduler is interdependent with the correctness of the code it schedules. This interdependency is even stronger in mainstream kernels, such as Linux, FreeBSD or XNU, where the scheduler and processes interact in complex ways. We propose the first logic that is able to decompose the verification of preemptive multiprocessor kernel code into verifying the scheduler and the rest of the kernel separately, even in the presence of complex interdependencies between the two components. The logic hides the manipulation of control by the scheduler when reasoning about preemptable code and soundly inherits proof rules from concurrent separation logic to verify it thread-modularly. This is achieved by establishing a novel form of refinement between an operational semantics of the real machine and an axiomatic semantics of OS processes, where the latter assumes an abstract machine with each process executing on a separate virtual CPU. The refinement is local in the sense that the logic focuses only on the relevant state of the kernel while verifying the scheduler. We illustrate the power of our logic by verifying an example scheduler, modelled on the one from Linux 2.6.11.

[1]  Amir Pnueli,et al.  In Transition From Global to Modular Temporal Reasoning about Programs , 1989, Logics and Models of Concurrent Systems.

[2]  Peter W. O'Hearn,et al.  Local Action and Abstract Separation Logic , 2007, 22nd Annual IEEE Symposium on Logic in Computer Science (LICS 2007).

[3]  Hongseok Yang,et al.  Modular verification of preemptive OS kernels , 2013, J. Funct. Program..

[4]  Stephen Brookes A semantics for concurrent separation logic , 2007, Theor. Comput. Sci..

[5]  Hayo Thielecke,et al.  From control effects to typed continuation passing , 2003, POPL '03.

[6]  Chris Hawblitzel,et al.  Safe to the last instruction: automated verification of a type-safe operating system , 2011, CACM.

[7]  James Laird Game semantics and linear CPS interpretation , 2005, Theor. Comput. Sci..

[8]  Peter W. O'Hearn,et al.  Resources, Concurrency and Local Reasoning , 2004, CONCUR.

[9]  Aaron Turon,et al.  A separation logic for refining concurrent objects , 2011, POPL '11.

[10]  Yu Guo,et al.  Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads , 2009, Journal of Automated Reasoning.

[11]  Hongseok Yang,et al.  Nested Hoare Triples and Frame Rules for Higher-Order Store , 2009, CSL.

[12]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[13]  Gavin M. Bierman,et al.  Separation logic and abstraction , 2005, POPL '05.

[14]  Alexey Gotsman,et al.  Precision and the Conjunction Rule in Concurrent Separation Logic , 2011, MFPS.

[15]  Viktor Vafeiadis,et al.  Concurrent Abstract Predicates , 2010, ECOOP.

[16]  Xinyu Feng,et al.  On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning , 2007, ESOP.

[17]  Gerwin Klein,et al.  Operating system verification—An overview , 2009 .

[18]  Zhong Shao,et al.  Certified assembly programming with embedded code pointers , 2006, POPL '06.

[19]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[20]  Wolfram Schulte,et al.  Local Verification of Global Invariants in Concurrent Programs , 2010, CAV.

[21]  Masahito Hasegawa Semantics of Linear Continuation-Passing in Call-by-Name , 2004, FLOPS.

[22]  Cliff B. Jones,et al.  Splitting atoms safely , 2007, Theor. Comput. Sci..

[23]  Burkhart Wolff,et al.  Proving Fairness and Implementation Correctness of a Microkernel Scheduler , 2009, Journal of Automated Reasoning.

[24]  Mark A. Hillebrand,et al.  On the Correctness of Operating System Kernels , 2005, TPHOLs.

[25]  Hongseok Yang,et al.  Nested Hoare Triples and Frame Rules for Higher-Order Store , 2009, CSL.

[26]  Xinyu Feng,et al.  Combining Domain-Specific and Foundational Logics to Verify Complete Software Systems , 2008, VSTTE.

[27]  Yu Guo,et al.  An open framework for foundational proof-carrying code , 2007, TLDI '07.

[28]  Hongseok Yang,et al.  Views: compositional reasoning for concurrent programs , 2013, POPL.

[29]  Robert Love,et al.  Linux Kernel Development , 2003 .

[30]  Akinori Yonezawa,et al.  Writing an OS Kernel in a Strictly and Statically Typed Language , 2009, Formal to Practical Security.

[31]  Masahito Hasegawa Linearly Used Effects: Monadic and CPS Transformations into the Linear Lambda Calculus , 2001, APLAS.

[32]  Daniel Pierre Bovet,et al.  Understanding the Linux Kernel , 2000 .

[33]  Zhong Shao Certified software , 2010, Commun. ACM.

[34]  Ralph-Johan Back,et al.  On Correct Refinement of Programs , 1981, J. Comput. Syst. Sci..

[35]  Peter W. O'Hearn,et al.  Linear Continuation-Passing , 2002, High. Order Symb. Comput..

[36]  Peter W. O'Hearn,et al.  Resources, concurrency, and local reasoning , 2007 .

[37]  Olexiy Gotsman,et al.  Logics and analyses for concurrent heap-manipulating programs , 2011 .

[38]  Stephen D. Brookes,et al.  A Semantics for Concurrent Separation Logic , 2004, CONCUR.

[39]  James Noble,et al.  Simple Ownership Types for Object Containment , 2001, ECOOP.

[40]  Xinyu Feng,et al.  Modular verification of assembly code with stack-based control abstractions , 2006, PLDI '06.

[41]  Alexey Gotsman,et al.  Local Reasoning for Storable Locks and Threads , 2007, APLAS.

[42]  Nathaniel Charlton Hoare Logic for Higher Order Store Using Simple Semantics , 2011, WoLLIC.

[43]  Viktor Vafeiadis,et al.  A Marriage of Rely/Guarantee and Separation Logic , 2007, CONCUR.

[44]  Cliff B. Jones,et al.  Specification and Design of (Parallel) Programs , 1983, IFIP Congress.