research-article
Open Access
Artifacts Evaluated & Functional

Virtual timeline: a formal abstraction for verifying preemptive schedulers with temporal isolation

Published: 20 December 2019

Abstract

The reliability and security of safety-critical real-time systems are of utmost importance because the failure of these systems could incur severe consequences (e.g., loss of lives or failure of a mission). Such properties require strong isolation between components, and they rely on enforcement mechanisms provided by the underlying operating system (OS) kernel. In addition to spatial isolation, which OS kernels commonly provide to various extents, such systems also require temporal isolation, that is, properties of the schedule of one component (e.g., schedulability) must be independent of the behavior of other components. Strict isolation between components relies critically on algorithmic properties of the concrete implementation of the scheduler, such as timely provision of time slots and obliviousness to preemption. However, existing work either reasons only about an abstract model of the scheduler, or proves properties of the scheduler implementation that are not rich enough to establish isolation between different components.

In this paper, we present a novel compositional framework for reasoning about algorithmic properties of the concrete implementation of preemptive schedulers. In particular, we use the virtual timeline, a variant of the supply bound function used in real-time scheduling analysis, to specify and reason about the scheduling of each component in isolation. We show that the properties proved on this abstraction carry down to the generated assembly code of the OS kernel. Using this framework, we verify a real-time OS kernel that extends mCertiKOS, a single-processor non-preemptive kernel, with user-level preemption, a verified timer interrupt handler, and a verified real-time scheduler. We prove that, in the absence of microarchitectural-level timing channels, this new kernel enjoys temporal and spatial isolation on top of the functional correctness guarantee. All the proofs are implemented in the Coq proof assistant.
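The abstract describes two ideas: a supply-bound-style abstraction that lets each component be analysed in isolation, and a scheduler implementation whose enforcement (timer-driven preemption at slot boundaries) makes one component's schedule independent of the others. The following is an added illustration of both, written for this page; it is not code from the paper or from mCertiKOS. The paper's virtual timeline is a variant of the supply bound function, but the concrete sbf used here is the plain one for a static partition schedule, and the major frame, the partition names A/B, the tasks a1/a2/b1/b2 and their parameters are all constructed assumptions. The example computes the sbf of a partition, runs a compositional fixed-priority schedulability check that mentions only that partition's tasks and its sbf, and then simulates the scheduler tick by tick to show that a task in B that spins forever (a buggy or compromised component) leaves A's response times unchanged.

```python
"""Supply-bound-function analysis for a statically partitioned (ARINC-653-style)
preemptive scheduler, plus a tick-level simulation checking that the supply one
partition receives, and hence its tasks' response times, do not depend on what
the other partition does.

Added example for illustration; not code from the paper or from mCertiKOS. The
paper's virtual timeline is a variant of the supply bound function (sbf); the
plain partition-schedule sbf used here, the major frame, the task parameters
and the names A/B, a1/a2, b1/b2 are all constructed assumptions.
"""
from math import ceil

# Constructed major frame of MAJOR_FRAME ticks: (partition, start, end) slots, repeating.
MAJOR_FRAME = 10
SLOTS = [("A", 0, 3), ("B", 3, 7), ("A", 7, 8), ("B", 8, 10)]

# Constructed task sets, highest priority first: (name, wcet, period); deadline = period.
A_TASKS = [("a1", 1, 10), ("a2", 2, 20)]
B_TASKS = [("b1", 2, 10), ("b2", 3, 20)]


def owner_at(t):
    """Partition that owns tick t under the static schedule."""
    return next(p for p, s, e in SLOTS if s <= t % MAJOR_FRAME < e)


def supply(partition, t0, t1):
    """Ticks allocated to `partition` in the window [t0, t1)."""
    return sum(1 for t in range(t0, t1) if owner_at(t) == partition)


def sbf(partition, t):
    """Supply bound function: the least supply `partition` gets in ANY window of
    length t. Slot boundaries are integers, so checking windows that start at
    each tick of one major frame is exhaustive."""
    if t <= 0:
        return 0
    return min(supply(partition, t0, t0 + t) for t0 in range(MAJOR_FRAME))


def schedulable(partition, tasks):
    """Compositional fixed-priority check: task i meets its deadline if at some
    t <= period_i its demand, wcet_i plus interference from higher-priority
    tasks in the same partition, fits within sbf(t). Only the partition's own
    tasks and its sbf appear here; that is the isolation the analysis relies on."""
    verdict = {}
    for i, (name, wcet, period) in enumerate(tasks):
        verdict[name] = any(
            wcet + sum(ceil(t / pj) * cj for _, cj, pj in tasks[:i]) <= sbf(partition, t)
            for t in range(1, period + 1))
    return verdict


def simulate(tasks_by_partition, horizon, misbehaving=()):
    """Tick-level run of the partition scheduler. The kernel's timer hands the CPU
    to the slot's owner regardless of what ran before; inside a partition the
    highest-priority ready task runs. Tasks named in `misbehaving` never finish
    (a buggy or compromised component spinning on the CPU). Returns, per task,
    the response time of each completed job; None marks a job still pending
    at its next release (a deadline miss)."""
    remaining, released, resp = {}, {}, {}
    for tasks in tasks_by_partition.values():
        for name, _, _ in tasks:
            remaining[name], resp[name] = 0, []
    for t in range(horizon):
        for tasks in tasks_by_partition.values():
            for name, wcet, period in tasks:
                if t % period == 0:                      # job release
                    if remaining[name] > 0:
                        resp[name].append(None)          # previous job missed its deadline
                    remaining[name], released[name] = wcet, t
        for name, _, _ in tasks_by_partition[owner_at(t)]:
            if name in misbehaving:
                break                                    # spins until the slot boundary preempts it
            if remaining[name] > 0:
                remaining[name] -= 1
                if remaining[name] == 0:
                    resp[name].append(t + 1 - released[name])
                break
    return resp


def isolation_holds(horizon=40):
    """Partition A's response times with B well-behaved vs. with b1 spinning forever."""
    tasks = {"A": A_TASKS, "B": B_TASKS}
    normal = simulate(tasks, horizon)
    attacked = simulate(tasks, horizon, misbehaving=("b1",))
    return all(normal[n] == attacked[n] for n, _, _ in A_TASKS)


if __name__ == "__main__":
    print("sbf_A(t) for t=1..10:", [sbf("A", t) for t in range(1, 11)])
    print("A schedulable:", schedulable("A", A_TASKS))
    print("B schedulable:", schedulable("B", B_TASKS))
    print("A unaffected by b1 spinning:", isolation_holds())
```

With this schedule sbf_A(t) is 0 for windows up to 4 ticks, because B's longest slot is 4 ticks long, so a task in A with a deadline of 4 or less could never be guaranteed; the check picks this up without ever looking at B's tasks. In the simulation, b1 spinning forever starves b2 (its jobs show up as deadline misses), but a1 and a2 keep exactly the response times they had with a well-behaved B, because the timer interrupt preempts B at the slot boundary no matter what B is doing. That separation between "what the kernel guarantees to A" and "what B does" is what the paper proves about the real kernel, down to its assembly code, whereas this script only checks it on one constructed instance.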


Supplemental Material

a20-liu.webm

