Abstract
The reliability and security of safety-critical real-time systems are of utmost importance because the failure of these systems could incur severe consequences (e.g., loss of lives or failure of a mission). Such properties require strong isolation between components, and they rely on enforcement mechanisms provided by the underlying operating system (OS) kernel. In addition to spatial isolation, which OS kernels commonly provide to various extents, strong isolation also requires temporal isolation, that is, properties of the schedule of one component (e.g., schedulability) are independent of the behaviors of other components. The strict isolation between components relies critically on algorithmic properties of the concrete implementation of the scheduler, such as timely provision of time slots, obliviousness to preemption, etc. However, existing work either reasons only about an abstract model of the scheduler, or proves properties of the scheduler implementation that are not rich enough to establish isolation between different components.
In this paper, we present a novel compositional framework for reasoning about algorithmic properties of the concrete implementation of preemptive schedulers. In particular, we use the virtual timeline, a variant of the supply bound function used in real-time scheduling analysis, to specify and reason about the scheduling of each component in isolation. We show that the properties proved on this abstraction carry down to the generated assembly code of the OS kernel. Using this framework, we successfully verify a real-time OS kernel, which extends mCertiKOS, a single-processor non-preemptive kernel, with user-level preemption, a verified timer interrupt handler, and a verified real-time scheduler. We prove that, in the absence of microarchitectural-level timing channels, this new kernel enjoys temporal and spatial isolation on top of the functional correctness guarantee. All the proofs are implemented in the Coq proof assistant.
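The following added illustration (not code from the paper or from mCertiKOS) shows the temporal-isolation property the abstract describes on a constructed slot-partitioned schedule: the CPU time delivered to one partition does not change when the other partitions go from idle to always busy, whereas under a budget-less fixed-priority scheduler it collapses. It also computes the classic supply bound function from the slot table alone, which is assumed here as a stand-in for the paper's virtual timeline, and uses it for a single-job schedulability check; the frame, partition names and task parameters are all constructed.

```python
# Constructed major frame of 8 ticks; each entry names the partition owning that tick.
# This slot table is an assumption for illustration, not the paper's scheduler.
FRAME = ["A", "B", "A", "C", "B", "A", "C", "C"]

def partitioned_schedule(frame, demand, horizon):
    """Which partition runs in each tick under slot partitioning.

    demand[p](t) is True when partition p has work at tick t. A slot's owner
    runs if it has work; otherwise the slot idles. No other partition takes it."""
    return [frame[t % len(frame)] if demand[frame[t % len(frame)]](t) else None
            for t in range(horizon)]

def priority_schedule(order, demand, horizon):
    """Fixed-priority scheduler with no budgets: the highest-priority partition
    (first in `order`) that has work runs, so a busy partition starves the rest."""
    return [next((p for p in order if demand[p](t)), None) for t in range(horizon)]

def supply(schedule, p):
    """Number of ticks delivered to partition p in the given schedule."""
    return sum(1 for s in schedule if s == p)

def sbf(frame, p, t):
    """Supply bound function of partition p: the least number of p's slots in any
    window of t consecutive ticks, derived from the frame alone. This guaranteed
    supply is independent of what other partitions do (the isolation argument)."""
    n = len(frame)
    return min(sum(1 for k in range(start, start + t) if frame[k % n] == p)
               for start in range(n))

def task_fits(frame, p, wcet, deadline):
    """A single job in partition p with the given WCET and relative deadline,
    released at the worst offset, meets its deadline iff sbf(deadline) >= WCET."""
    return sbf(frame, p, deadline) >= wcet

def always(t):
    return True

def never(t):
    return False

HORIZON = 16  # two major frames

def isolation_demo():
    """Supply to A when B and C are idle versus always busy, under both schedulers.
    Returns ((partitioned_quiet, partitioned_busy), (priority_quiet, priority_busy))."""
    quiet = {"A": always, "B": never, "C": never}
    busy = {"A": always, "B": always, "C": always}
    part = (supply(partitioned_schedule(FRAME, quiet, HORIZON), "A"),
            supply(partitioned_schedule(FRAME, busy, HORIZON), "A"))
    prio = (supply(priority_schedule(["B", "C", "A"], quiet, HORIZON), "A"),
            supply(priority_schedule(["B", "C", "A"], busy, HORIZON), "A"))
    return part, prio
```

Under partitioning A receives the same 6 ticks in both cases, while under the budget-less priority scheduler it drops from 16 to 0; `sbf(FRAME, "A", 4)` is 1 because the frame contains runs of two non-A slots, so a job needing 2 ticks within 4 does not fit but one needing 2 ticks within 6 does.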
Virtual timeline: a formal abstraction for verifying preemptive schedulers with temporal isolation