Comprehensive formal verification of an OS microkernel

Published: 26 February 2014

Abstract

We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel.

We discuss the kernel design we used to make its verification tractable. We then describe the functional correctness proof of the kernel's C implementation and we cover further steps that transform this result into a comprehensive formal verification of the kernel: a formally verified IPC fastpath, a proof that the binary code of the kernel correctly implements the C semantics, a proof of correct access-control enforcement, a proof of information-flow noninterference, a sound worst-case execution time analysis of the binary, and an automatic initialiser for user-level systems that connects kernel-level access-control enforcement with reasoning about system behaviour. We summarise these results and show how they integrate to form a coherent overall analysis, backed by machine-checked, end-to-end theorems.

The seL4 microkernel is currently not just the only general-purpose operating system kernel that is fully formally verified to this degree. It is also the only example of formal proof of this scale that is kept current as the requirements, design and implementation of the system evolve over almost a decade. We report on our experience in maintaining this evolving formally verified code base.
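The "end-to-end theorems" the abstract refers to rest on the fact that refinement composes. The following is an added illustration, not part of the paper's text, using the standard trace-inclusion notion of refinement; the layer names (abstract specification, C implementation, binary) are the ones the abstract mentions, and the symbols $\mathcal{M}$, $\mathrm{Tr}$ and $\preceq$ are my own shorthand for models, their sets of observable traces, and the refinement relation.

$$
\mathcal{M}_1 \preceq \mathcal{M}_2 \;\iff\; \mathrm{Tr}(\mathcal{M}_1) \subseteq \mathrm{Tr}(\mathcal{M}_2)
$$

$$
\mathcal{M}_{\mathrm{bin}} \preceq \mathcal{M}_{\mathrm{C}} \;\wedge\; \mathcal{M}_{\mathrm{C}} \preceq \mathcal{M}_{\mathrm{spec}}
\;\Longrightarrow\; \mathcal{M}_{\mathrm{bin}} \preceq \mathcal{M}_{\mathrm{spec}}
$$

$$
\mathrm{Tr}(\mathcal{M}_{\mathrm{spec}}) \subseteq P
\;\Longrightarrow\;
\mathrm{Tr}(\mathcal{M}_{\mathrm{bin}}) \subseteq \mathrm{Tr}(\mathcal{M}_{\mathrm{spec}}) \subseteq P
$$

The second line is transitivity of $\subseteq$: the proof that the binary implements the C semantics and the proof that the C code implements the specification chain into a single statement about the binary. The third line is why a property $P$ proved on the specification (access-control enforcement is of this kind) carries down to the compiled kernel: every trace the binary can produce is already a trace of the specification. The caveat a practitioner should keep in mind is that this transfer argument only works for trace properties; noninterference is a property of sets of traces (a hyperproperty) and is not preserved by plain trace inclusion, which is why the abstract lists the information-flow result as a separate theorem rather than a corollary of functional correctness.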

  132. D. von Oheimb. 2004. Information flow control revisited: Noninfluence = noninterference + nonleakage. In Proceedings of the 9th European Symposium on Research in Computer Security. P. Samarati, P. Ryan, D. Gollmann, and R. Molva, Eds., Lecture Notes in Computer Science, vol. 3193, Springer, 225--243.Google ScholarGoogle Scholar
  133. M. von Tessin. 2010. Towards high-assurance multiprocessor virtualisation. In Proceedings of the 6th International Verification Workshop. M. Aderhold, S. Autexier, and H. Mantel, Eds., EasyChair Proceedings in Computing, vol. 3, EasyChair, 110--125.Google ScholarGoogle Scholar
  134. M. von Tessin. 2012. The clustered multikernel: An approach to formal verification of multiprocessor OS kernels. In Proceedings of the 2nd Workshop on Systems for Future Multi-Core Architectures. Microsoft, 1--6.Google ScholarGoogle Scholar
  135. M. von Tessin. 2013. The clustered multikernel: An approach to formal verification of multiprocessor operating-system kernels. Ph.D. thesis, School of Computer Science and Engineering, University of New South Wales, Sydney, Australia.Google ScholarGoogle Scholar
  136. B. J. Walker, R. A. Kemmerer, and G. J. Popek. 1980. Specification and verification of the UCLA Unix security kernel. Commun. ACM 23, 2, 118--131. Google ScholarGoogle ScholarDigital LibraryDigital Library
  137. D. A. Wheeler. 2001. SLOCCount. http://www.dwheeler.com/sloccount/.Google ScholarGoogle Scholar
  138. A. Whitaker, M. Shaw, and S. D. Gribble. 2002. Scale and performance in the Denali isolation kernel. In Proceedings of the 5th USENIX Symposium on Operating Systems Design and Implementation. USENIX Association, CA, 195--210. Google ScholarGoogle ScholarDigital LibraryDigital Library
  139. R. Wilhelm, J. Engblom, A. Ermedahl, N. Holsti, S. Thesing, D. Whalley, G. Bernat, C. Ferdinand, R. Heckmann, T. Mitra, F. Mueller, I. Puaut, P. Puschner, J. Staschulat, and P. Stenström. 2008. The worst-case execution-time problem—overview of methods and survey of tools. ACM Trans. Embed. Comput. Syst. 7, 3, 1--53. Google ScholarGoogle ScholarDigital LibraryDigital Library
  140. S. Winwood, G. Klein, T. Sewell, J. Andronick, D. Cock, and M. Norrish. 2009. Mind the gap: A verification framework for low-level C. In Proceedings of the 22nd International Conference on Theorem Proving in Higher Order Logics. S. Berghofer, T. Nipkow, C. Urban, and M. Wenzel, Eds., Lecture Notes in Computer Science, vol. 5674, Springer, 500--515. Google ScholarGoogle ScholarDigital LibraryDigital Library
  141. W. Wulf, E. Cohen, W. Corwin, A. Jones, R. Levin, C. Pierson, and F. Pollack. 1974. HYDRA: The kernel of a multiprocessor operating system. Commun. ACM 17, 337--345. Google ScholarGoogle ScholarDigital LibraryDigital Library
  142. J. Yang and C. Hawblitzel. 2010. Safe to the last instruction: automated verification of a type-safe operating system. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation. ACM, New York, 99--110. Google ScholarGoogle ScholarDigital LibraryDigital Library
  143. N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. 2011. Making information flow explicit in HiStar. Commun. ACM 54, 11, 93--101. Google ScholarGoogle ScholarDigital LibraryDigital Library
Published in

ACM Transactions on Computer Systems, Volume 32, Issue 1, February 2014, 132 pages
ISSN: 0734-2071
EISSN: 1557-7333
DOI: 10.1145/2584468
Copyright © 2014 ACM
Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Received: 1 August 2013
• Accepted: 1 September 2013
• Published: 26 February 2014