Abstract
An operating system (OS) kernel forms the lowest level of any system software stack. The correctness of the OS kernel is the basis for the correctness of the entire system. Recent efforts have demonstrated the feasibility of building formally verified general-purpose kernels, but it is unclear how to extend their work to verify the functional correctness of device drivers, due to the non-local effects of interrupts. In this paper, we present a novel compositional framework for building certified interruptible OS kernels with device drivers. We provide a general device model that can be instantiated with various hardware devices, and a realistic formal model of interrupts, which can be used to reason about interruptible code. We have realized this framework in the Coq proof assistant. To demonstrate the effectiveness of our new approach, we have successfully extended an existing verified non-interruptible kernel with our framework and turned it into an interruptible kernel with verified device drivers. To the best of our knowledge, this is the first verified interruptible operating system with device drivers.
Toward compositional verification of interruptible OS kernels and device drivers
PLDI '16: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation