A Case Study on Formal Verification of the Anaxagoros Hypervisor Paging System with Frama-C

Cloud hypervisors are critical software whose formal verification can increase our confidence in the reliability and security of the cloud. This work presents a case study on formal verification of the virtual memory system of the cloud hypervisor Anaxagoros, a microkernel designed for resource isolation and protection. The code under verification is specified and proven in the Frama-C software verification framework, mostly using automatic theorem proving. The remaining properties are interactively proven with the Coq proof assistant. We describe in detail selected aspects of the case study, including parallel execution and counting references to pages, and discuss some lessons learned as well as the benefits and limitations of our approach.
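To illustrate the kind of contract the abstract refers to for "counting references to pages", here is an added example (not code from the Anaxagoros hypervisor or the paper) of a page-frame reference counter specified in ACSL so that Frama-C's WP plugin can discharge its contracts automatically; the table size, the counter width and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Illustrative page-frame reference counts, annotated in ACSL for Frama-C.
 * Added example with assumed names and sizes, not Anaxagoros code.
 * The contracts make the two failure modes explicit: a counter that
 * would wrap on increment, and a release of a page nobody references. */

#define NB_PAGES 64u
#define REF_MAX  UINT16_MAX

static uint16_t refcount[NB_PAGES];

/*@ predicate valid_page(integer p) = 0 <= p < NB_PAGES; */

/*@ requires valid_page(p);
    assigns refcount[p];
    behavior saturated:
      assumes refcount[p] == REF_MAX;
      ensures \result == 0 && refcount[p] == \old(refcount[p]);
    behavior ok:
      assumes refcount[p] < REF_MAX;
      ensures \result == 1 && refcount[p] == \old(refcount[p]) + 1;
    complete behaviors; disjoint behaviors;
*/
bool page_ref_inc(size_t p)
{
    if (refcount[p] == REF_MAX) return false;  /* refuse to wrap the counter */
    refcount[p]++;
    return true;
}

/*@ requires valid_page(p);
    assigns refcount[p];
    behavior underflow:
      assumes refcount[p] == 0;
      ensures \result == 0 && refcount[p] == 0;
    behavior ok:
      assumes refcount[p] > 0;
      ensures \result == 1 && refcount[p] == \old(refcount[p]) - 1;
    complete behaviors; disjoint behaviors;
*/
bool page_ref_dec(size_t p)
{
    if (refcount[p] == 0) return false;  /* unreferenced page: caller bug */
    refcount[p]--;
    return true;
}
```

The `complete behaviors; disjoint behaviors;` clauses ask the prover to check that the two cases of each function cover every state and never overlap, which is how an automatic prover catches an off-by-one in the guard.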
