Learn More
We report on the first formal pervasive verification of an operating system microkernel featuring the correctness of inline assembly, large non-trivial C portions, and concurrent devices in a single seamless formal proof. We integrated all relevant verification results we had achieved so far [21,20,2,5,4] into a single top-level theorem of micro-kernel(More)
The Verisoft project aims at the pervasive formal verification from the application layer over the system level software, comprising a microkernel and a compiler, down to the hardware. The different layers of the system give rise to various abstraction levels to conduct the reasoning steps efficiently. The lower the abstraction level the more details and(More)
We report on applying techniques for static information flow analysis to identify privacy leaks in Android applications. We have crafted a framework which checks with the help of a security type system whether the Dalvik bytecode implementation of an Android app conforms to a given privacy policy. We have carefully analyzed the Android API for possible(More)
Memory virtualization by means of demand paging is a crucial component of every modern operating system. The formal verification is challenging since reasoning about the page fault handler has to cover two concurrent computational sources: the processor and the hard disk. We accurately model the in-terleaved executions of devices and the page fault handler,(More)
Primitives are basic means provided by a microkernel to im-plementors of operating system services. Intensively used within every OS and commonly implemented in a mixture of high-level and assembly programming languages, primitives are meaningful and challenging candidates for formal verification. We report on the accomplished correct-ness proof of academic(More)
Modern mobile devices store and process an abundance of data. Although many users consider some of this data as private, they do not yet obtain satisfactory support for controlling what applications might do with their data. In this article, we propose Cassandra, a tool that enables users of mobile devices to check whether Android apps comply with their(More)
A timing attack exploits the variance in the running time of a crypto-algorithm's implementation in order to infer confidential information. Such a dependence between confidential information and the running time, called a timing channel, is often caused by branching of the control flow in the implementation's source code with branching conditions depending(More)