Formal Verification of a Framework for Microkernel Programmers

This thesis presents the formal verification of a framework for microkernel programmers called CVM (communicating virtual machines) [41]. CVM is a computational model for concurrent user processes interacting with a generic microkernel and devices. It is implemented in C0A, a restricted C dialect with support for inline assembly, as a framework providing virtual memory, demand paging, memory management, and low-level inter-process and device communication. The framework can be linked at the source code level with an abstract kernel, an interface to the users, in order to obtain a concrete kernel, a program that can be translated and run on a target machine. We use the formally verified microprocessor VAMP [20] as the platform on which the concrete kernel runs. The main result of this work is a mechanically checked formal proof that concurrent executions of user processes interacting with the kernel are simulated by executions of the VAMP instruction set architecture model interleaved with devices. In order to obtain this result, a number of attendant formal theories have been developed, most notably a theory for the verification of inline assembly. This work is part of the Verisoft project [111], a large-scale effort bringing together industrial and academic partners to push the state of the art in formal verification of realistic computer systems comprising hardware and software.

[1] Robert S. Boyer et al. A verified operating system kernel, 1987.
[2] Stefan M. Petters et al. Towards trustworthy computing systems: taking microkernels to the next level, 2007, OPSR.
[3] Mark A. Hillebrand et al. Address spaces and virtual memory: specification, implementation, and correctness, 2005.
[4] Martín Abadi et al. An Overview of the Singularity Project, 2005.
[5] Markus S. Miller et al. Towards a Verified, General-Purpose Operating System Kernel, 2004.
[6] Jonathan Rees et al. Revised³ report on the algorithmic language Scheme, 1986, SIGP.
[7] Dirk Carsten Leinenbach et al. Compiler verification in the context of pervasive system verification, 2008.
[8] Christian Jacobi et al. Putting it all together – Formal verification of the VAMP, 2006, International Journal on Software Tools for Technology Transfer.
[9] Warren A. Hunt. FM8501: A Verified Microprocessor, 1994, Lecture Notes in Computer Science.
[10] Artem Starostin et al. Formal Pervasive Verification of a Paging Mechanism, 2008, TACAS.
[11] Mickey Williams et al. Microsoft Visual C# .NET, 2002.
[12] Mark A. Hillebrand et al. On the Verification of Memory Management Mechanisms, 2005, CHARME.
[13] James R. Larus et al. Singularity: rethinking the software stack, 2007, OPSR.
[14] Jochen Liedtke et al. Improving IPC by kernel design, 1994, SOSP '93.
[15] Lawrence Robinson et al. SPECIAL - A Specification and Assertion Language, 1976.
[16] Claude Kaiser et al. Overview of the CHORUS Distributed Operating Systems, 1991.
[17] Elena Petrova et al. Verification of the C0 compiler implementation on the source code level, 2007.
[18] R. Kent Dybvig et al. Revised⁵ Report on the Algorithmic Language Scheme, 1986, SIGP.
[19] Arthur David Flatau et al. A verified implementation of an applicative language with dynamic storage allocation, 1992.
[20] Jochen Liedtke et al. On micro-kernel construction, 1995, SOSP.
[21] William A. Wulf et al. Policy/mechanism separation in Hydra, 1975, SOSP.
[22] Mark A. Hillebrand et al. Dealing with I/O devices in the context of pervasive system verification, 2005, 2005 International Conference on Computer Design.
[23] Gerwin Klein et al. Verifying the L4 virtual memory subsystem, 2004.
[24] Zhong Shao et al. Certified assembly programming with embedded code pointers, 2006, POPL '06.
[25] Michael Norrish et al. Types, bytes, and separation logic, 2007, POPL '07.
[26] Shin Nakajima et al. The SPIN Model Checker: Primer and Reference Manual, 2004.
[27] Peter G. Neumann et al. PSOS revisited, 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings.
[28] Wolfgang J. Paul et al. Computer architecture - complexity and correctness, 2000.
[29] J. Strother Moore. Piton: A Mechanically Verified Assembly-Level Language, 1996.
[30] Burkhart Wolff et al. Proving Fairness and Implementation Correctness of a Microkernel Scheduler, 2009, Journal of Automated Reasoning.
[31] Thomas In der Rieden et al. CVM - A Verified Framework for Microkernel Programmers, 2008, SSV.
[32] Eyad Alkassar et al. Formal Correctness of an Automotive Bus Controller Implementation at Gate-Level, 2008, DIPES.
[33] Dave Jaggar et al. ARM Architecture and Systems, 1997, IEEE Micro.
[34] J. Strother Moore et al. An approach to systems verification, 1989, Journal of Automated Reasoning.
[35] Sebastian Bogan et al. Formal specification of a simple operating system, 2008.
[36] Iakov Dalinger et al. Formal verification of a processor with memory management units, 2013.
[37] Michael J. C. Gordon et al. From LCF to HOL: a short history, 2000, Proof, Language, and Interaction.
[38] Jan Trobitius et al. Anwendung der "Common Criteria for Information Technology Security Evaluation" (CC) / ISO 15408 auf ein SOA Registry-Repository, 2007, Informatiktage.
[39] Zhong Shao et al. Using XCAP to Certify Realistic Systems Code: Machine Context Management, 2007, TPHOLs.
[40] Robert S. Boyer et al. A computational logic handbook, 1979, Perspectives in Computing.
[41] J. Shapiro et al. EROS: a fast capability system, 2000, OPSR.
[42] Gerd Beuster et al. Real World Verification Experiences from the Verisoft Email Client, 2006.
[43] Richard A. Kemmerer et al. Specification and verification of the UCLA Unix security kernel, 1979, CACM.
[44] Eyad Alkassar et al. OS verification extended: on the formal verification of device drivers and the correctness of client-server software, 2009.
[45] H. Tews. Micro Hypervisor Verification: Possible Approaches and Relevant Properties, 2007.
[46] Yu Guo et al. Certifying low-level programs with hardware interrupts and preemptive threads, 2008, PLDI '08.
[47] Mark A. Hillebrand et al. Formal Functional Verification of Device Drivers, 2008, VSTTE.
[48] Alexandra Tsyban et al. Verified Process-Context Switch for C-Programmed Kernels, 2008, VSTTE.
[49] Per Brinch Hansen et al. The nucleus of a multiprogramming system, 1970, CACM.
[50] David L. Black et al. Machine-independent virtual memory management for paged uniprocessor and multiprocessor architectures, 1987, IEEE Trans. Computers.
[51] C. A. R. Hoare et al. An axiomatic basis for computer programming, 1969, CACM.
[52] David A. Patterson et al. Computer Architecture: A Quantitative Approach, 1969.
[53] Richard J. Feiertag et al. The foundations of a provably secure operating system (PSOS), 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).
[54] J. Liedtke. μ-kernels must and can be small, 1996, Proceedings of the Fifth International Workshop on Object-Orientation in Operating Systems.
[55] Mark A. Hillebrand et al. Balancing the Load, 2009, Journal of Automated Reasoning.
[56] Hugo Herbelin et al. The Coq proof assistant: reference manual, version 6.1, 1997.
[57] Gerwin Klein et al. Operating system verification - An overview, 2009.
[58] Alexandra Tsyban et al. Correct Microkernel Primitives, 2008, Electron. Notes Theor. Comput. Sci.
[59] Mark A. Hillebrand et al. On the Correctness of Operating System Kernels, 2005, TPHOLs.
[60] Norbert Schirmer et al. A Verification Environment for Sequential Imperative Programs in Isabelle/HOL, 2005, LPAR.
[61] Elena Petrova et al. Pervasive Compiler Verification - From Verified Programs to Verified Systems, 2008, Electron. Notes Theor. Comput. Sci.
[62] Mark A. Hillebrand et al. Formal Device and Programming Model for a Serial Interface, 2007, VERIFY.
[63] Natarajan Shankar et al. PVS: A Prototype Verification System, 1992, CADE.
[64] Dan Hildebrand et al. An Architectural Overview of QNX, 1992, USENIX Workshop on Microkernels and Other Kernel Architectures.
[65] Hendrik Tews et al. The Semantics of C++ Data Types: Towards Verifying Low-level System Components, 2003.
[66] Bor-Yuh Evan Chang et al. Boogie: A Modular Reusable Verifier for Object-Oriented Programs, 2005, FMCO.
[67] William R. Bevier et al. Kit: A Study in Operating System Verification, 1989, IEEE Trans. Software Eng.
[68] J. S. Moore et al. A Grand Challenge Proposal for Formal Methods: A Verified Stack, 2002, 10th Anniversary Colloquium of UNU/IIST.
[69] K. Rustan M. Leino et al. The Spec# Programming System: An Overview, 2004, CASSIS.
[70] James R. Larus et al. Language support for fast and reliable message-based communication in Singularity OS, 2006, EuroSys.
[71] Wolfgang J. Paul et al. Towards the Formal Verification of a C0 Compiler: Code Generation and Implementation Correctness, 2005, SEFM.
[72] Matthias Daum. Modelling User Programs on top of a Microkernel?, 2008.
[73] Gerry Kane et al. MIPS RISC Architecture, 1987.
[74] Donald I. Good et al. An interactive program verification system, 1975.
[75] Hermann Härtig et al. The Nizza secure-system architecture, 2005, 2005 International Conference on Collaborative Computing: Networking, Applications and Worksharing.
[76] Matthew Wilding et al. A Mechanically Verified Application for a Mechanically Verified Environment, 1993, CAV.
[77] Lawrence Charles Paulson et al. ML for the working programmer, 1991.
[78] Mark A. Hillebrand et al. On the Architecture of System Verification Environments, 2007, Haifa Verification Conference.
[79] Brian N. Bershad et al. The impact of operating system structure on memory system performance, 1994, SOSP '93.
[80] Wolfgang J. Paul et al. Towards a Worldwide Verification Technology, 2005, VSTTE.
[81] Sam Weber et al. Verifying the EROS confinement mechanism, 2000, Proceedings 2000 IEEE Symposium on Security and Privacy, S&P 2000.
[82] Tobias Nipkow et al. A Proof Assistant for Higher-Order Logic, 2002.
[83] Hendrik Tews et al. The VFiasco approach for a verified operating system, 2005.