Comprehensive formal verification of an OS microkernel

@article{Klein2014ComprehensiveFV,
  title={Comprehensive formal verification of an OS microkernel},
  author={Gerwin Klein and June Andronick and Kevin Elphinstone and Toby C. Murray and Thomas Sewell and Rafal Kolanski and Gernot Heiser},
  journal={ACM Trans. Comput. Syst.},
  year={2014},
  volume={32},
  pages={2:1-2:70}
}
We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel. We discuss the kernel design we used to make its verification tractable. We then describe the functional correctness proof of the kernel's C implementation and we cover further steps that transform this result into a comprehensive formal verification of the kernel: a formally verified IPC fastpath, a proof that the binary code of the kernel correctly… 
View on ACM
courses.cs.washington.edu
312 Citations
Highly Influential Citations
19
Background Citations
149
Methods Citations
80
Results Citations
3

312 Citations

seL4 in Australia

Much has happened since the functional correctness proof of the seL4 microkernel: the verification to show the kernel enforces desired security and safety properties is extended, the need to trust the compiler is removed, and implementations for processor architectures other than the original Arm v6 are verified.

Hyperkernel: Push-Button Verification of an OS Kernel

Experience shows that Hyperkernel can avoid bugs similar to those found in xv6, and that the verification of Hyper kernel can be achieved with a low proof burden.

2 Background and Overview of Our Work 2 . 1 Preemptive OS Kernels and Interrupts

This work is the first to verify the functional correctness of a practical preemptive OS kernel with machine-checkable proofs and the priority-inversion-freedom (PIF) in μC/OS-II.

A Practical Verification Framework for Preemptive OS Kernels

This work is the first to verify the functional correctness of a practical preemptive OS kernel with machine-checkable proofs and the priority-inversion-freedom (PIF) in \(\mu \text {C/OS-II}\).

Self-compilation and self-verification

This thesis is that verification of a realistic implementation can be produced mostly automatically from a verified high-level implementation, via the use of verified compilation, and proposes self-verification as a benchmark for theorem provers.

Proof Engineering Considered Essential

An overview of the various formal verification projects around the evolving seL4 microkernel is given, and the experience in large scale proof engineering and maintenance is discussed, and a picture of what these verifications mean and how they fit together into a whole is drawn.

Proof engineering challenges for large-scale verification

Challenges for proof engineering are summarized in the formal verification of the seL4 microkernel, and its subsequent proofs of integrity, non-interference, and binary correctness, which focus on problems where there is scope for automation using AI and machine-learning techniques.

Toward Compositional Verification of Interruptible OS Kernels and Device Drivers

A novel compositional framework for building certified interruptible OS kernels with device drivers is presented, providing a general device model that can be instantiated with various hardware devices, and a realistic formal model of interrupts, which can be used to reason about interruptible code.

CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels

This work has successfully developed a practical concurrent OS kernel and verified its (contextual) functional correctness in Coq, and is the first proof of functional correctness of a complete, general-purpose concurrent OS kernels with fine-grained locking.

On the verification of system-level information flow properties for virtualized execution platforms

This work proposes a compositional top-down approach to embedded system specification and verification, where the system-on-chip is modeled as a network of distributed automata communicating via paired synchronous message passing and reports on the complete verification of guest mode security properties in the HOL4 theorem prover.
...

References

SHOWING 1-10 OF 165 REFERENCES

seL4: formal verification of an OS kernel

To the knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel.

seL4: From General Purpose to a Proof of Information Flow Enforcement

This is the first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control.

seL4: formal verification of an operating-system kernel

It is proved that the implementation of the seL4 microkernel always strictly follows the high-level abstract specification of kernel behavior, which encompasses traditional design and implementation safety properties such as that the kernel will never crash, and it will never perform an unsafe operation.

Concerned with the unprivileged: user programs in kernel refinement

The original correctness theorem is strengthened in two ways: first, the previous abstraction relations are converted into projection functions from concrete to abstract states, and second, the specification of the kernel’s execution environment is revisited.

Translation validation for a verified OS kernel

An approach for proving refinement between the formal semantics of a program on the C source level and its formal semantics on the binary level, thus checking the validity of compilation, including some optimisations, and linking, and extending static properties proved of the source code to the executable is presented.

Formal specification and verification of data separation in a separation kernel for an embedded system

The approach begins with a well-defined set of security properties and constructs a compact security model containing only information needed to rea-son about the properties, and concludes with a formal demonstration that each category of code enforces data separation.

Leveraging a Semantics Stack for Systems Verification

A stack of semantics for a high-level C-like language and low-level assembly code, which has been carefully crafted to support the pervasive verification of system software, which demonstrates the applicability of the framework by proving the correct virtualization of user memory in the microkernel, which implements demand paging.

Safe to the last instruction: automated verification of a type-safe operating system

Verve is the first operating system mechanically verified to guarantee both type and memory safety, and its approach demonstrates a practical way to mix high-level typed code with low-level untyped code in a verifiably safe manner.

Timing Analysis of a Protected Operating System Kernel

This paper believes this is one of the largest code bases on which a fully context-aware WCET analysis has been performed, and creates a foundation for integrating hard real-time systems with less critical time-sharing components on the same processor, supporting enhanced functionality while keeping hardware and development costs low.

Formal memory models for verifying C systems code

This thesis studies the mechanisation of a series of models, from semantic to separation logic, for achieving abstraction when performing interactive theorem-prover based verification of C systems code in higherorder logic.
...