In the context of the Verisoft XT project, functional correctness of the microkernel of PikeOS from SYSGO AG is shown at the source code level using the VCC verification tool, developed by Microsoft Research. In this paper we outline a simulation theorem between a top-level abstract model and the system consisting of the kernel and user programs running in alternation on the real machine. Based on an example of a typical code trace through the kernel, we identify the correctness properties of all components in the trace that are needed for the overall correctness proof of the microkernel.
The security of embedded systems can be dramatically improved through the use of formally verified isolation mechanisms such as separation kernels, hypervisors, or microkernels. For trustworthiness, particularly for system-level behaviour, the verifications need precise models of the underlying hardware. Such models are hard to attain, highly complex, and proofs of their security properties may not easily apply to similar but different platforms. This may render verification economically infeasible. To address these issues, we propose a compositional top-down approach to embedded system specification and verification, where the system-on-chip is modeled as a network of distributed automata communicating via paired synchronous message passing. Using abstract specifications for each component makes it possible to delay the development of detailed models for cores, devices, etc., while still being able to verify high-level security properties like integrity and confidentiality, and soundly refine ...
In this paper, we give an overview of the ongoing VerisoftXT Avionics project, report on the progress of the project, and present first results in the verification of the system calls of the microkernel. The goal of VerisoftXT Avionics is to formally verify an existing operating system which has not been designed for deductive code verification. The system under consideration is PikeOS, a state-of-the-art microkernel developed by SYSGO AG, which is used in a variety of embedded applications. For automated formal verification we deploy Microsoft's Verifying C Compiler (VCC).
Introduction
Functional correctness of the built-in operating system is a crucial requirement for the reliability of safety- and security-critical systems. Hence, operating system kernels are a worthwhile target for formal verification. The goal of the VerisoftXT Avionics sub-project is to prove functional correctness of the microkernel in PikeOS, a commercial operating system for embedded syst...
Software reliability is a core requirement for safety- and security-critical systems. In the area of avionics, for example, the DO-178B standard requires extensive validation, such as software reviews, requirements engineering, coverage analysis, and careful design of test cases. In a broader context, EAL7 (of the Common Criteria framework) also demands "formally verified, designed, and tested" systems. It is part of the BMBF-supported VerisoftXT project (www.verisoftxt.de) to explore the freedom of design offered within these regulatory requirements, where code verification is one of the available options. In recent years, deductive code verification has improved to a degree that makes it feasible for real-world programs. In the VerisoftXT subproject Avionics, the goal is to apply formal methods to a commercial embedded operating system. In particular, the goal is to use deductive techniques to verify functional correctness of the PikeOS microkernel. For verification, ...
Papers by Christoph Baumann