Toward compositional verification of interruptible OS kernels and device drivers

Research article (Public Access). DOI: 10.1145/2908080.2908101
Published: 02 June 2016

Abstract

An operating system (OS) kernel forms the lowest level of any system software stack. The correctness of the OS kernel is the basis for the correctness of the entire system. Recent efforts have demonstrated the feasibility of building formally verified general-purpose kernels, but it is unclear how to extend their work to verify the functional correctness of device drivers, due to the non-local effects of interrupts. In this paper, we present a novel compositional framework for building certified interruptible OS kernels with device drivers. We provide a general device model that can be instantiated with various hardware devices, and a realistic formal model of interrupts, which can be used to reason about interruptible code. We have realized this framework in the Coq proof assistant. To demonstrate the effectiveness of our new approach, we have successfully extended an existing verified non-interruptible kernel with our framework and turned it into an interruptible kernel with verified device drivers. To the best of our knowledge, this is the first verified interruptible operating system with device drivers.



Published In

PLDI '16: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2016, 726 pages. ISBN 9781450342612. DOI: 10.1145/2908080. General Chair: Chandra Krintz; Program Chair: Emery Berger.

Also published in ACM SIGPLAN Notices, Volume 51, Issue 6 (PLDI '16), June 2016, 726 pages. ISSN 0362-1340, EISSN 1558-1160. DOI: 10.1145/2980983. Editor: Andy Gill.

Publisher

Association for Computing Machinery, New York, NY, United States
Author Tags

  1. Abstraction Layer
  2. Certified OS Kernels
  3. Device Drivers
  4. Interrupts
  5. Modularity
  6. Program Verification

Conference

PLDI '16. Overall acceptance rate: 406 of 2,067 submissions, 20%.

Cited By

  • (2024) SimplMM. Journal of Systems Architecture: the EUROMICRO Journal, 147:C. DOI: 10.1016/j.sysarc.2023.103049. Online publication date: 17 Apr 2024.
  • (2024) ThreadAbs. Journal of Systems Architecture: the EUROMICRO Journal, 147:C. DOI: 10.1016/j.sysarc.2023.103046. Online publication date: 17 Apr 2024.
  • (2023) Pancake. Proceedings of the 12th Workshop on Programming Languages and Operating Systems, pages 1–9. DOI: 10.1145/3623759.3624544. Online publication date: 23 Oct 2023.
  • (2023) Is Formal Verification of seL4 Adequate to Address the Key Security Challenges of Kernel Design? IEEE Access, 11:101750–101759. DOI: 10.1109/ACCESS.2023.3316031. Online publication date: 2023.
  • (2023) Applying Rely-Guarantee Reasoning on Concurrent Memory Management and Mailbox in μC/OS-II: A Case Study. Formal Methods for Industrial Critical Systems, pages 224–241. DOI: 10.1007/978-3-031-43681-9_13. Online publication date: 17 Sep 2023.
  • (2022) Islaris: verification of machine code against authoritative ISA semantics. Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation, pages 825–840. DOI: 10.1145/3519939.3523434. Online publication date: 9 Jun 2022.
  • (2022) Layered and object-based game semantics. Proceedings of the ACM on Programming Languages, 6(POPL):1–32. DOI: 10.1145/3498703. Online publication date: 12 Jan 2022.
  • (2022) Subcubic certificates for CFL reachability. Proceedings of the ACM on Programming Languages, 6(POPL):1–29. DOI: 10.1145/3498702. Online publication date: 12 Jan 2022.
  • (2022) Dependently-typed data plane programming. Proceedings of the ACM on Programming Languages, 6(POPL):1–28. DOI: 10.1145/3498701. Online publication date: 12 Jan 2022.
  • (2022) Mœbius: metaprogramming using contextual types: the stage where System F can pattern match on itself. Proceedings of the ACM on Programming Languages, 6(POPL):1–27. DOI: 10.1145/3498700. Online publication date: 12 Jan 2022.
