Provably trustworthy systems

  title={Provably trustworthy systems},
  author={Gerwin Klein and June Andronick and Gabriele Keller and Daniel Matichuk and Toby C. Murray and Liam O'Connor},
  journal={Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences},
  • G. Klein, June Andronick, Liam O'Connor
  • Published 13 October 2017
  • Computer Science
  • Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences
We present recent work on building and scaling trustworthy systems with formal, machine-checkable proof from the ground up, including the operating system kernel, at the level of binary machine code. We first give a brief overview of the seL4 microkernel verification and how it can be used to build verified systems. We then show two complementary techniques for scaling these methods to larger systems: proof engineering, to estimate verification effort; and code/proof co-generation, for scalable… 

Verifying Code toward Trustworthy Software

The ongoing approaches for guaranteeing or verifying the safety of software systems are discussed, along with the future research challenges that must be solved with better solutions in the near future.

Verified trustworthy software systems

  • P. Gardner
  • Computer Science
  • Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences
  • 2017
The challenge is to bring program specification and verification to the heart of the software design process, rather than relying on outdated ideas of trusting that the internal, unpublished procedures of a company are robust and on the assumption that the developer is not malicious.

Cogent: uniqueness types and certifying compilation

A framework aimed at significantly reducing the cost of proving functional correctness for low-level operating systems components, designed around a new functional programming language, Cogent, which eliminates the need for a trusted runtime or garbage collector while still guaranteeing memory safety.

QED at Large: A Survey of Engineering of Formally Verified Software

A survey of the literature presents a holistic understanding of proof engineering for program correctness, covering impact in practice, foundations, proof automation, proof organization, and practical proof development.

Position paper: the science of deep specification

This article introduces the key formal underpinnings of industrial-scale formal specifications of software and hardware components, and identifies an important class of specification that has already been used in a few experiments that connect strong component-correctness theorems across the work of different teams.

IronFleet: proving practical distributed systems correct

A methodology is described for building practical and provably correct distributed systems based on a unique blend of TLA-style state-machine refinement and Hoare-logic verification, proving that each system obeys a concise safety specification as well as desirable liveness requirements.

seL4: formal verification of an OS kernel

To the authors' knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel.

seL4: From General Purpose to a Proof of Information Flow Enforcement

This is the first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel, namely seL4; the paper describes precisely how the general-purpose kernel should be configured to enforce isolation and mandatory information flow control.

Translation validation for a verified OS kernel

An approach is presented for proving refinement between the formal semantics of a program at the C source level and its formal semantics at the binary level, thus checking the validity of compilation (including some optimisations) and linking, and extending static properties proved of the source code to the executable.

Comprehensive formal verification of an OS microkernel

An in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel, and the experience in maintaining this evolving formally verified code base.

Automated Verification of RPC Stub Code

This paper shows how the need to trust a component platform's generated Remote Procedure Call (RPC) code can be eliminated by automatically generating machine-checked proofs of that code's correctness, forming the basis of a scalable approach to formal verification of large software systems.

Using XCAP to Certify Realistic Systems Code: Machine Context Management

XCAP theory is applied to an x86 machine model, building libraries of common proof tactics and lemmas, composing specifications for the context data structures and routines, and proving that the code behaves accordingly, resulting in the first formal, modular, and mechanized verification of realistic x86 context management code.

The Verisoft Approach to Systems Verification

The layers are discussed, along with the trade-off between the efficiency of reasoning at a more abstract layer and the development of meta-theory needed to transfer verification results between the layers.

Timing Analysis of a Protected Operating System Kernel

The authors believe this is one of the largest code bases on which a fully context-aware WCET analysis has been performed; the work creates a foundation for integrating hard real-time systems with less critical time-sharing components on the same processor, supporting enhanced functionality while keeping hardware and development costs low.

Pervasive Verification of an OS Microkernel - Inline Assembly, Memory Consumption, Concurrent Devices

We report on the first formal pervasive verification of an operating system microkernel featuring the correctness of inline assembly, large non-trivial C portions, and concurrent devices in a single