Comprehensive formal verification of an OS microkernel
@article{Klein2014ComprehensiveFV, title={Comprehensive formal verification of an OS microkernel}, author={Gerwin Klein and June Andronick and Kevin Elphinstone and Toby C. Murray and Thomas Sewell and Rafal Kolanski and Gernot Heiser}, journal={ACM Trans. Comput. Syst.}, year={2014}, volume={32}, pages={2:1-2:70} }
We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel.
We discuss the kernel design we used to make its verification tractable. We then describe the functional correctness proof of the kernel's C implementation and we cover further steps that transform this result into a comprehensive formal verification of the kernel: a formally verified IPC fastpath, a proof that the binary code of the kernel correctly…
Figures and Tables from this paper
316 Citations
seL4 in Australia
- Computer ScienceCommun. ACM
- 2020
Much has happened since the functional correctness proof of the seL4 microkernel: the verification to show the kernel enforces desired security and safety properties is extended, the need to trust the compiler is removed, and implementations for processor architectures other than the original Arm v6 are verified.
Hyperkernel: Push-Button Verification of an OS Kernel
- Computer ScienceSOSP
- 2017
Experience shows that Hyperkernel can avoid bugs similar to those found in xv6, and that the verification of Hyper kernel can be achieved with a low proof burden.
2 Background and Overview of Our Work 2 . 1 Preemptive OS Kernels and Interrupts
- Computer Science
- 2016
This work is the first to verify the functional correctness of a practical preemptive OS kernel with machine-checkable proofs and the priority-inversion-freedom (PIF) in μC/OS-II.
A Practical Verification Framework for Preemptive OS Kernels
- Computer ScienceCAV
- 2016
This work is the first to verify the functional correctness of a practical preemptive OS kernel with machine-checkable proofs and the priority-inversion-freedom (PIF) in \(\mu \text {C/OS-II}\).
Self-compilation and self-verification
- Computer Science
- 2016
This thesis is that verification of a realistic implementation can be produced mostly automatically from a verified high-level implementation, via the use of verified compilation, and proposes self-verification as a benchmark for theorem provers.
Proof engineering challenges for large-scale verification
- Computer Science
- 2014
Challenges for proof engineering are summarized in the formal verification of the seL4 microkernel, and its subsequent proofs of integrity, non-interference, and binary correctness, which focus on problems where there is scope for automation using AI and machine-learning techniques.
Toward Compositional Verification of Interruptible OS Kernels and Device Drivers
- Computer ScienceJournal of Automated Reasoning
- 2017
A novel compositional framework for building certified interruptible OS kernels with device drivers is presented, providing a general device model that can be instantiated with various hardware devices, and a realistic formal model of interrupts, which can be used to reason about interruptible code.
CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels
- Computer ScienceOSDI
- 2016
This work has successfully developed a practical concurrent OS kernel and verified its (contextual) functional correctness in Coq, and is the first proof of functional correctness of a complete, general-purpose concurrent OS kernels with fine-grained locking.
On the verification of system-level information flow properties for virtualized execution platforms
- Computer ScienceJournal of Cryptographic Engineering
- 2019
This work proposes a compositional top-down approach to embedded system specification and verification, where the system-on-chip is modeled as a network of distributed automata communicating via paired synchronous message passing and reports on the complete verification of guest mode security properties in the HOL4 theorem prover.
Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel
- Computer ScienceOSDI
- 2020
The results show that it is possible to build a verified component within a large, unverified system with careful design of specification and proof strategy and an automated proof strategy that scales to practical implementations.
References
SHOWING 1-10 OF 165 REFERENCES
seL4: formal verification of an OS kernel
- Computer ScienceSOSP '09
- 2009
To the knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel.
seL4: From General Purpose to a Proof of Information Flow Enforcement
- Computer Science2013 IEEE Symposium on Security and Privacy
- 2013
This is the first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control.
seL4: formal verification of an operating-system kernel
- Computer ScienceCommun. ACM
- 2010
It is proved that the implementation of the seL4 microkernel always strictly follows the high-level abstract specification of kernel behavior, which encompasses traditional design and implementation safety properties such as that the kernel will never crash, and it will never perform an unsafe operation.
Concerned with the unprivileged: user programs in kernel refinement
- Computer ScienceFormal Aspects of Computing
- 2014
The original correctness theorem is strengthened in two ways: first, the previous abstraction relations are converted into projection functions from concrete to abstract states, and second, the specification of the kernel’s execution environment is revisited.
Translation validation for a verified OS kernel
- Computer SciencePLDI
- 2013
An approach for proving refinement between the formal semantics of a program on the C source level and its formal semantics on the binary level, thus checking the validity of compilation, including some optimisations, and linking, and extending static properties proved of the source code to the executable is presented.
Formal specification and verification of data separation in a separation kernel for an embedded system
- Computer ScienceCCS '06
- 2006
The approach begins with a well-defined set of security properties and constructs a compact security model containing only information needed to rea-son about the properties, and concludes with a formal demonstration that each category of code enforces data separation.
Leveraging a Semantics Stack for Systems Verification
- Computer Science
- 2009
A stack of semantics for a high-level C-like language and low-level assembly code, which has been carefully crafted to support the pervasive verification of system software, which demonstrates the applicability of the framework by proving the correct virtualization of user memory in the microkernel, which implements demand paging.
Safe to the last instruction: automated verification of a type-safe operating system
- Computer SciencePLDI '10
- 2010
Verve is the first operating system mechanically verified to guarantee both type and memory safety, and its approach demonstrates a practical way to mix high-level typed code with low-level untyped code in a verifiably safe manner.
Timing Analysis of a Protected Operating System Kernel
- Computer Science2011 IEEE 32nd Real-Time Systems Symposium
- 2011
This paper believes this is one of the largest code bases on which a fully context-aware WCET analysis has been performed, and creates a foundation for integrating hard real-time systems with less critical time-sharing components on the same processor, supporting enhanced functionality while keeping hardware and development costs low.
Formal memory models for verifying C systems code
- Computer Science
- 2008
This thesis studies the mechanisation of a series of models, from semantic to separation logic, for achieving abstraction when performing interactive theorem-prover based verification of C systems code in higherorder logic.