# Comprehensive formal verification of an OS microkernel

@article{Klein2014ComprehensiveFV,
title={Comprehensive formal verification of an OS microkernel},
author={Gerwin Klein and June Andronick and Kevin Elphinstone and Toby C. Murray and Thomas Sewell and Rafal Kolanski and Gernot Heiser},
journal={ACM Trans. Comput. Syst.},
year={2014},
volume={32},
pages={2:1-2:70}
}
We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel. We discuss the kernel design we used to make its verification tractable. We then describe the functional correctness proof of the kernel's C implementation and we cover further steps that transform this result into a comprehensive formal verification of the kernel: a formally verified IPC fastpath, a proof that the binary code of the kernel correctly… Expand
279 Citations
seL4 in Australia
• Computer Science
• Commun. ACM
• 2020
Much has happened since the functional correctness proof of the seL4 microkernel: the verification to show the kernel enforces desired security and safety properties is extended, the need to trust the compiler is removed, and implementations for processor architectures other than the original Arm v6 are verified. Expand
Hyperkernel: Push-Button Verification of an OS Kernel
Experience shows that Hyperkernel can avoid bugs similar to those found in xv6, and that the verification of Hyper kernel can be achieved with a low proof burden. Expand
2 Background and Overview of Our Work 2 . 1 Preemptive OS Kernels and Interrupts
We propose a practical verification framework for preemptive OS kernels. The framework models the correctness of API implementations in OS kernels as contextual refinement of their abstractExpand
A Practical Verification Framework for Preemptive OS Kernels
• F. Xu, Hui Zhang
• Computer Science
• CAV
• 2016
This work is the first to verify the functional correctness of a practical preemptive OS kernel with machine-checkable proofs and the priority-inversion-freedom (PIF) in $$\mu \text {C/OS-II}$$. Expand
Self-compilation and self-verification
This thesis is that verification of a realistic implementation can be produced mostly automatically from a verified high-level implementation, via the use of verified compilation, and proposes self-verification as a benchmark for theorem provers. Expand
Proof Engineering Considered Essential
An overview of the various formal verification projects around the evolving seL4 microkernel is given, and the experience in large scale proof engineering and maintenance is discussed, and a picture of what these verifications mean and how they fit together into a whole is drawn. Expand
Proof engineering challenges for large-scale verification
Challenges for proof engineering are summarized in the formal verification of the seL4 microkernel, and its subsequent proofs of integrity, non-interference, and binary correctness, which focus on problems where there is scope for automation using AI and machine-learning techniques. Expand
Toward compositional verification of interruptible OS kernels and device drivers
• Computer Science
• PLDI 2016
• 2016
A novel compositional framework for building certified interruptible OS kernels with device drivers is presented, providing a general device model that can be instantiated with various hardware devices, and a realistic formal model of interrupts, which can be used to reason about interruptible code. Expand
Toward Compositional Verification of Interruptible OS Kernels and Device Drivers
• Computer Science
• Journal of Automated Reasoning
• 2017
A novel compositional framework for building certified interruptible OS kernels with device drivers is presented, providing a general device model that can be instantiated with various hardware devices, and a realistic formal model of interrupts, which can be used to reason about interruptible code. Expand
CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels
This work has successfully developed a practical concurrent OS kernel and verified its (contextual) functional correctness in Coq, and is the first proof of functional correctness of a complete, general-purpose concurrent OS kernels with fine-grained locking. Expand

#### References

SHOWING 1-10 OF 165 REFERENCES
seL4: From General Purpose to a Proof of Information Flow Enforcement
This is the first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control. Expand
Concerned with the unprivileged: user programs in kernel refinement
• Computer Science
• Formal Aspects of Computing
• 2014
The original correctness theorem is strengthened in two ways: first, the previous abstraction relations are converted into projection functions from concrete to abstract states, and second, the specification of the kernel’s execution environment is revisited. Expand
seL4: formal verification of an OS kernel
To the knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel. Expand
Translation validation for a verified OS kernel
• Computer Science
• PLDI 2013
• 2013
An approach for proving refinement between the formal semantics of a program on the C source level and its formal semantics on the binary level, thus checking the validity of compilation, including some optimisations, and linking, and extending static properties proved of the source code to the executable is presented. Expand
Formal specification and verification of data separation in a separation kernel for an embedded system
• Computer Science
• CCS '06
• 2006
The approach begins with a well-defined set of security properties and constructs a compact security model containing only information needed to rea-son about the properties, and concludes with a formal demonstration that each category of code enforces data separation. Expand
Leveraging a Semantics Stack for Systems Verification
We have developed a stack of semantics for a high-level C-like language and low-level assembly code, which has been carefully crafted to support the pervasive verification of system software. It canExpand
Safe to the last instruction: automated verification of a type-safe operating system
• Computer Science
• CACM
• 2011
Verve is the first operating system mechanically verified to guarantee both type and memory safety, and its approach demonstrates a practical way to mix high-level typed code with low-level untyped code in a verifiably safe manner. Expand
Timing Analysis of a Protected Operating System Kernel
• Computer Science
• 2011 IEEE 32nd Real-Time Systems Symposium
• 2011
This paper believes this is one of the largest code bases on which a fully context-aware WCET analysis has been performed, and creates a foundation for integrating hard real-time systems with less critical time-sharing components on the same processor, supporting enhanced functionality while keeping hardware and development costs low. Expand
Formal memory models for verifying C systems code
This thesis studies the mechanisation of a series of models, from semantic to separation logic, for achieving abstraction when performing interactive theorem-prover based verification of C systems code in higherorder logic. Expand
Types, bytes, and separation logic
• Computer Science
• POPL '07
• 2007
A formal model of memory is presented that both captures the low-level features of C's pointers and memory, and forms the basis for an expressive implementation of separation logic that is applicable to real, security- and safety-critical code by formally verifying the memory allocator of the L4 microkernel. Expand