# Comprehensive formal verification of an OS microkernel

```bibtex
@article{Klein2014ComprehensiveFV,
  title   = {Comprehensive formal verification of an OS microkernel},
  author  = {Gerwin Klein and June Andronick and Kevin Elphinstone and Toby C. Murray and Thomas Sewell and Rafal Kolanski and Gernot Heiser},
  journal = {ACM Trans. Comput. Syst.},
  year    = {2014},
  volume  = {32},
  pages   = {2:1-2:70}
}
```
- Published: 1 February 2014
- Venue: ACM Trans. Comput. Syst.
- Field: Computer Science
We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel. We discuss the kernel design we used to make its verification tractable. We then describe the functional correctness proof of the kernel's C implementation and we cover further steps that transform this result into a comprehensive formal verification of the kernel: a formally verified IPC fastpath, a proof that the binary code of the kernel correctly…
316 Citations
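The functional-correctness result described in the abstract is a refinement theorem: every behaviour of the C implementation, mapped through an abstraction function into the vocabulary of the abstract specification, is a behaviour the specification permits. The Python below is an added illustration of that shape of claim; it is not seL4 code and not the Isabelle/HOL proof. A toy concrete "kernel" stores per-thread rights on one object as bitmasks, the abstract specification speaks only about sets of right names, `project` plays the role of the projection function from concrete to abstract state, and `check_refinement` verifies forward simulation exhaustively over the small finite state space. The right encoding, thread names, operation set and the deliberately broken `conc_step_buggy` are all constructed for the example.

```python
"""Added illustration of what a refinement (functional-correctness) check is.

Not seL4 code. A toy concrete "kernel" keeps per-thread rights on one object
as bitmasks; the abstract specification speaks only about sets of right names.
`project` is a projection function from concrete to abstract states, and
`check_refinement` exhaustively verifies forward simulation over the finite
state space: every concrete step, once projected, must be the step the
abstract specification allows. All names and the encoding are assumptions.
"""
from itertools import product

READ, WRITE = 0b01, 0b10                 # assumed concrete right encoding
RIGHT_BITS = ((READ, "read"), (WRITE, "write"))
THREADS = ("t0", "t1")                   # two subjects, one object (assumed)

# Operations a thread can request: constructed sample workload, not a real ABI.
OPS = [("write", t, v) for t in THREADS for v in (0, 1)] + \
      [("revoke_write", t) for t in THREADS]


def project(conc):
    """Projection function: concrete (cap_bits, value) -> abstract (rights, value)."""
    bits, value = conc
    rights = tuple(frozenset(name for bit, name in RIGHT_BITS if mask & bit)
                   for mask in bits)
    return (rights, value)


def abs_step(state, op):
    """Abstract specification. It is deterministic here, so it returns the one
    successor. A write without the 'write' right is denied: state unchanged."""
    rights, value = state
    kind, thr, *args = op
    i = THREADS.index(thr)
    if kind == "write":
        return (rights, args[0]) if "write" in rights[i] else state
    if kind == "revoke_write":
        new = list(rights)
        new[i] = rights[i] - {"write"}
        return (tuple(new), value)
    raise ValueError(f"unknown op {op!r}")


def conc_step(state, op):
    """Concrete implementation over bitmasks; intended to refine abs_step."""
    bits, value = state
    kind, thr, *args = op
    i = THREADS.index(thr)
    if kind == "write":
        return (bits, args[0]) if bits[i] & WRITE else state
    if kind == "revoke_write":
        new = list(bits)
        new[i] &= ~WRITE
        return (tuple(new), value)
    raise ValueError(f"unknown op {op!r}")


def conc_step_buggy(state, op):
    """Same implementation with the rights check on write omitted (deliberate bug)."""
    bits, value = state
    if op[0] == "write":
        return (bits, op[2])             # BUG: no WRITE check before the store
    return conc_step(state, op)


def all_conc_states():
    """Every concrete state: each thread's mask in 0..3, object value in {0, 1}."""
    for bits in product(range(4), repeat=len(THREADS)):
        for value in (0, 1):
            yield (bits, value)


def check_refinement(impl):
    """Forward simulation: project(impl(s, op)) must equal abs_step(project(s), op)
    for every concrete state s and operation op. Because the spec is
    deterministic, equality stands in for the usual 'is one of the allowed
    successors' check. Returns the list of (state, op) counterexamples."""
    return [(s, op) for s in all_conc_states() for op in OPS
            if project(impl(s, op)) != abs_step(project(s), op)]


if __name__ == "__main__":
    print("correct implementation:", len(check_refinement(conc_step)), "counterexamples")
    bad = check_refinement(conc_step_buggy)
    print("buggy implementation:  ", len(bad), "counterexamples, first:", bad[0])
```

The check is a brute-force stand-in for the inductive simulation proof: an interactive prover discharges the same obligation for an unbounded state space by reasoning about the abstraction relation symbolically, which is where the proof effort the paper reports goes. The buggy variant shows why refinement catches authorization bugs: a store without a rights check produces a projected state the abstract specification never reaches, so the proof obligation fails at exactly that operation.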

## Citing papers (selected)

- Commun. ACM, 2020: Much has happened since the functional correctness proof of the seL4 microkernel: the verification showing that the kernel enforces the desired security and safety properties has been extended, the need to trust the compiler has been removed, and implementations for processor architectures other than the original ARMv6 have been verified.
- SOSP, 2017: Experience shows that Hyperkernel can avoid bugs similar to those found in xv6, and that the verification of Hyperkernel can be achieved with a low proof burden.
- CAV, 2016: This work is the first to verify the functional correctness of a practical preemptive OS kernel with machine-checkable proofs, together with priority-inversion freedom (PIF), in μC/OS-II.
- This thesis argues that verification of a realistic implementation can be produced mostly automatically from a verified high-level implementation via verified compilation, and proposes self-verification as a benchmark for theorem provers.
- Challenges for proof engineering are summarized from the formal verification of the seL4 microkernel and its subsequent proofs of integrity, non-interference, and binary correctness, focusing on problems where there is scope for automation using AI and machine-learning techniques.
- Journal of Automated Reasoning, 2017: A novel compositional framework for building certified interruptible OS kernels with device drivers is presented, providing a general device model that can be instantiated with various hardware devices and a realistic formal model of interrupts that can be used to reason about interruptible code.
- OSDI, 2016: This work develops a practical concurrent OS kernel and verifies its (contextual) functional correctness in Coq; it is the first proof of functional correctness of a complete, general-purpose concurrent OS kernel with fine-grained locking.
- Journal of Cryptographic Engineering, 2019: This work proposes a compositional top-down approach to embedded system specification and verification, in which the system-on-chip is modeled as a network of distributed automata communicating via paired synchronous message passing, and reports on the complete verification of guest-mode security properties in the HOL4 theorem prover.
- OSDI, 2020: The results show that it is possible to build a verified component within a large, unverified system through careful design of the specification and proof strategy, with an automated proof strategy that scales to practical implementations.

## References

Showing 1-10 of 165 references.

- SOSP '09, 2009: To our knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel.
- IEEE Symposium on Security and Privacy, 2013: This is the first complete, formal, machine-checked verification of information-flow security for the implementation of a general-purpose microkernel, namely seL4; it describes precisely how the general-purpose kernel must be configured to enforce isolation and mandatory information-flow control.
- Commun. ACM, 2010: It is proved that the implementation of the seL4 microkernel always strictly follows the high-level abstract specification of kernel behavior, which encompasses traditional design and implementation safety properties such as that the kernel will never crash and will never perform an unsafe operation.
- Formal Aspects of Computing, 2014: The original correctness theorem is strengthened in two ways: first, the previous abstraction relations are converted into projection functions from concrete to abstract states, and second, the specification of the kernel's execution environment is revisited.
- PLDI, 2013: An approach is presented for proving refinement between the formal semantics of a program at the C source level and its formal semantics at the binary level, thus checking the validity of compilation (including some optimisations) and linking, and extending static properties proved of the source code to the executable.
- CCS '06, 2006: The approach begins with a well-defined set of security properties and constructs a compact security model containing only the information needed to reason about those properties, and concludes with a formal demonstration that each category of code enforces data separation.
- 2009: A stack of semantics for a high-level C-like language and low-level assembly code, carefully crafted to support the pervasive verification of system software; the applicability of the framework is demonstrated by proving the correct virtualization of user memory in the microkernel, which implements demand paging.
- PLDI '10, 2010: Verve is the first operating system mechanically verified to guarantee both type and memory safety, and its approach demonstrates a practical way to mix high-level typed code with low-level untyped code in a verifiably safe manner.
- IEEE Real-Time Systems Symposium (RTSS), 2011: The authors believe this is one of the largest code bases on which a fully context-aware WCET analysis has been performed; the work creates a foundation for integrating hard real-time systems with less critical time-sharing components on the same processor, supporting enhanced functionality while keeping hardware and development costs low.
- This thesis studies the mechanisation of a series of models, from semantics to separation logic, for achieving abstraction when performing interactive theorem-prover-based verification of C systems code in higher-order logic.