Safe to the last instruction: automated verification of a type-safe operating system

@inproceedings{Yang2010SafeTT,
  title={Safe to the last instruction: automated verification of a type-safe operating system},
  author={Jean Yang and Chris Hawblitzel},
  booktitle={PLDI '10},
  year={2010}
}
Typed assembly language (TAL) and Hoare logic can verify the absence of many kinds of errors in low-level code. We use TAL and Hoare logic to achieve highly automated, static verification of the safety of a new operating system called Verve. Our techniques and tools mechanically verify the safety of every assembly language instruction in the operating system, run-time system, drivers, and applications (in fact, every part of the system software except the boot loader). Verve consists of a… 
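The abstract says that every assembly instruction in Verve is checked statically, with a typed assembly language (TAL) doing the bulk of that work. The following is an added illustration, not code from the paper or from Verve: a toy TAL checker in Python for a constructed straight-line instruction set. Each register carries a static type (`Int`, `Ptr(n)` for a pointer to an allocated array of n words, and `Idx(n)` for a word already proven to lie in [0, n)), and every instruction must satisfy its typing rule before the checker moves on. Memory accesses only type-check when the index is a constant inside the array bounds or a register whose type records a successful bounds check. The `bound` instruction that produces that refinement is a simplification assumed here for brevity; a real TAL obtains such refinements from conditional branches. Instruction names, register names and the sample programs are all constructed for this example.

```python
"""Toy typed-assembly-language (TAL) checker in the spirit of Verve.

Constructed for illustration: the instruction set, the register types and the
`bound` refinement rule are this example's own simplifications, not the TAL
used by Verve/Bartok. The point demonstrated is that every instruction has a
typing rule, and that an unchecked memory access is rejected at the exact
program counter where it occurs rather than at run time.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Int:
    """An arbitrary machine word."""


@dataclass(frozen=True)
class Ptr:
    """Pointer to an allocated array of `size` words."""
    size: int


@dataclass(frozen=True)
class Idx(Int):
    """A word statically known to satisfy 0 <= value < size (subtype of Int)."""
    size: int


class TALError(Exception):
    """Raised when an instruction fails its typing rule."""


def _reg(env, r, want, pc, op):
    """Look up register r and require it to have type `want` (a class)."""
    t = env.get(r)
    if t is None:
        raise TALError(f"pc={pc} {op}: register {r} is uninitialised")
    if not isinstance(t, want):
        raise TALError(f"pc={pc} {op}: {r} has type {t}, expected {want.__name__}")
    return t


def _index_ok(env, ptr_t, idx, pc, op):
    """An index is a constant inside the bounds, or an Idx register for the same bound."""
    if isinstance(idx, int):
        if not 0 <= idx < ptr_t.size:
            raise TALError(f"pc={pc} {op}: constant index {idx} outside [0,{ptr_t.size})")
    else:
        t = _reg(env, idx, Idx, pc, op)
        if t.size != ptr_t.size:
            raise TALError(f"pc={pc} {op}: index {idx} was checked against a different bound")


def typecheck(program):
    """Check a straight-line program; return the final register types or raise TALError."""
    env = {}
    for pc, ins in enumerate(program):
        op, args = ins[0], ins[1:]
        if op == "movi":                  # rd := constant
            env[args[0]] = Int()
        elif op == "add":                 # rd := rs + rt; any Idx refinement is lost
            _reg(env, args[1], Int, pc, op)
            _reg(env, args[2], Int, pc, op)
            env[args[0]] = Int()
        elif op == "alloc":               # rd := fresh zeroed array of n words (constant n)
            env[args[0]] = Ptr(args[1])
        elif op == "bound":               # trap unless 0 <= ri < size(rp); refine ri to Idx
            _reg(env, args[0], Int, pc, op)
            env[args[0]] = Idx(_reg(env, args[1], Ptr, pc, op).size)
        elif op == "ld":                  # rd := rp[idx]
            p = _reg(env, args[1], Ptr, pc, op)
            _index_ok(env, p, args[2], pc, op)
            env[args[0]] = Int()          # toy model: arrays hold plain words only
        elif op == "st":                  # rp[idx] := rs (words only, so no pointer smuggling)
            p = _reg(env, args[0], Ptr, pc, op)
            _index_ok(env, p, args[1], pc, op)
            _reg(env, args[2], Int, pc, op)
        elif op == "ret":
            return env
        else:
            raise TALError(f"pc={pc}: unknown instruction {op}")
    raise TALError("program fell off the end without ret")


def verify(program):
    """Convenience wrapper: (True, register types) or (False, error message)."""
    try:
        return True, typecheck(program)
    except TALError as e:
        return False, str(e)


# Constructed sample programs (register and instruction names are this example's own).
SAFE = [("alloc", "r1", 4), ("movi", "r2", 3), ("bound", "r2", "r1"),
        ("ld", "r3", "r1", "r2"), ("st", "r1", 0, "r3"), ("ret",)]
UNCHECKED = [("alloc", "r1", 4), ("movi", "r2", 3),
             ("ld", "r3", "r1", "r2"), ("ret",)]            # r2 never bounds-checked
STALE = [("alloc", "r1", 4), ("alloc", "r4", 2), ("movi", "r2", 3), ("bound", "r2", "r1"),
         ("ld", "r3", "r4", "r2"), ("ret",)]               # checked against r1, used on r4

if __name__ == "__main__":
    for name, prog in (("SAFE", SAFE), ("UNCHECKED", UNCHECKED), ("STALE", STALE)):
        print(name, verify(prog))
```

The third program is the case worth noticing: the index was bounds-checked, but against a different array, and the checker still rejects it because the `Idx` type carries the bound it was proven against. This is the kind of guarantee a per-instruction type discipline gives that a conventional compiler warning does not.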

Type safety from the ground up
TLDR
This talk will discuss ongoing work to move closer to the goal of unified, foundational certification as pursued by the FLINT project, by expressing both Verve's low-level state and a TAL type system in a unified language (Coq).
Terrier: an embedded operating system using advanced types for safety
TLDR
The Terrier operating system project focuses on low-level systems programming in the context of a multi-core, real-time, embedded system, while taking advantage of a dependently typed programming language named ATS to improve reliability.
Comprehensive formal verification of an OS microkernel
TLDR
An in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel, and the experience in maintaining this evolving formally verified code base.
High-assurance timing analysis for a high-assurance real-time operating system
TLDR
This work designs and validates an improvement to the seL4 implementation, which permits a key part of the kernel's API to be available to users in a mixed-criticality setting, and shows that the approach automatically determines all loop bounds and many infeasible paths in the seL4 microkernel.
A Practical Verification Framework for Preemptive OS Kernels
TLDR
This work is the first to verify the functional correctness of a practical preemptive OS kernel with machine-checkable proofs and the priority-inversion-freedom (PIF) in μC/OS-II.
Verification of a Concurrent Garbage Collector
TLDR
This thesis aims at reducing the gap toward the implementation of such a verified compiler by focusing more specifically on a state-of-the-art concurrent garbage collector, and introduces a methodology inspired by the work of Vafeiadis and dedicated to the proof of observational refinement for so-called "linearisable" concurrent data structures.
Toward compositional verification of interruptible OS kernels and device drivers
TLDR
A novel compositional framework for building certified interruptible OS kernels with device drivers is presented, providing a general device model that can be instantiated with various hardware devices, and a realistic formal model of interrupts, which can be used to reason about interruptible code.

References

(10 of 20 references shown)
seL4: formal verification of an OS kernel
TLDR
To the knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel.
Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads
TLDR
A novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads, and is able to—for the first time—successfully certify a preemptive thread implementation and a large number of common synchronization primitives.
A general framework for certifying garbage collectors and their mutators
TLDR
This work defines a formal garbage collector interface general enough to reason about a variety of algorithms while allowing the mutator to ignore implementation-specific details of the collector, and mechanically verify assembly implementations of mark-sweep, copying and incremental copying GCs in Coq.
Processes in KaffeOS: isolation, resource management, and sharing in java
TLDR
Because of its implementation base, KaffeOS is substantially slower than commercial JVMs for trusted code, but it clearly outperforms those JVMs in the presence of denial-of-service attacks or misbehaving code.
Foundational Typed Assembly Language with Certified Garbage Collection
TLDR
This work introduces a general methodology for combining foundational TAL with a certified garbage collector, and proves the safety of the collector, the soundness of TAL, and the safe interaction between TAL programs and the garbage collector.
Automated verification of practical garbage collectors
TLDR
This work presents two mechanically verified garbage collectors, both practical enough to use for real-world C# benchmarks, and provides measurements comparing the performance of the verified collector with that of the standard Bartok collectors on off-the-shelf C # benchmarks, demonstrating their competitiveness.
A principled approach to operating system construction in Haskell
TLDR
A monadic interface to low-level hardware features that is a suitable basis for building operating systems in Haskell and shows how a variety of simple O/S kernels can be constructed on top of the interface.
Extensibility safety and performance in the SPIN operating system
This paper describes the motivation, architecture and performance of SPIN, an extensible operating system. SPIN provides an extension infrastructure, together with a core set of extensible services,
Interface and execution models in the Fluke kernel
TLDR
A kernel API is defined and implemented that makes every exported operation fully interruptible and restartable, thereby appearing atomic to the user, and allows us to explore novel kernel implementation techniques and to evaluate existing techniques.
Language support for fast and reliable message-based communication in singularity OS
TLDR
It is shown that using advanced programming language and verification techniques, it is possible to provide and enforce strong system-wide invariants that enable efficient communication and low-overhead software-based process isolation and reduce the difficulty of the message-based programming model.