Abstract
We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel.
We discuss the kernel design we used to make its verification tractable. We then describe the functional correctness proof of the kernel's C implementation and we cover further steps that transform this result into a comprehensive formal verification of the kernel: a formally verified IPC fastpath, a proof that the binary code of the kernel correctly implements the C semantics, a proof of correct access-control enforcement, a proof of information-flow noninterference, a sound worst-case execution time analysis of the binary, and an automatic initialiser for user-level systems that connects kernel-level access-control enforcement with reasoning about system behaviour. We summarise these results and show how they integrate to form a coherent overall analysis, backed by machine-checked, end-to-end theorems.
The seL4 microkernel is currently not just the only general-purpose operating system kernel that is fully formally verified to this degree. It is also the only example of formal proof of this scale that is kept current as the requirements, design and implementation of the system evolve over almost a decade. We report on our experience in maintaining this evolving formally verified code base.
Comprehensive formal verification of an OS microkernel