Operating system verificationâAn overview
Operating system verificationâAn overview
Operating system verificationâAn overview
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Operating</strong> <strong>system</strong> verification—An <strong>overview</strong> 57<br />
constantly creating new threads. EROS solves this problem by viewing kernel memory as a<br />
cache of the <strong>system</strong> state (Shapiro et al 1999). This solution makes it hard to predict worstcase<br />
execution times and is therefore not well suited for embedded and real-time applications.<br />
Separation kernels solve the problem by giving each separation domain a fixed quota<br />
of kernel memory. This solution is not flexible enough for a full microkernel design. The<br />
seL4 design on the other hand provides a solution well suited for embedded and real-time<br />
<strong>system</strong>s.<br />
Capabilities in seL4 are not hardware-enforced like in PSOS. Instead they are softwareimplemented<br />
on a standard processor architecture and are kernel-enforced. They provide fully<br />
dynamic, flexible mechanisms for hierarchically delegatable authority.<br />
An important factor in the success of the seL4 kernel design was the tight integration of<br />
the two teams: While the design was mainly driven by the NICTA OS group in the seL4<br />
project, the concurrent verification effort in L4.verified provided continuous, early feedback<br />
that was taken into account by the design group. This way, a good balance between external<br />
performance requirements and verification constraints was maintained. The tight integration<br />
kept the focus on performance and realistic architecture decisions instead of trading off more<br />
ease-of-verification for slower kernel implementation as in Verisoft. The verification influence<br />
kept the design to a small, manageable size instead of the greater complexity of a <strong>system</strong> such<br />
as PSOS. The seL4 and L4.verified projects jointly developed a methodology that facilitated<br />
this tight integration between formalisation and kernel prototyping. Figure 9 gives a summary<br />
of the idea.<br />
The most important activities in designing a microkernel are discussions between the developers,<br />
e.g. on a whiteboard. To validate the design decisions, in the traditional OS approach<br />
a prototype kernel is implemented in C or similar. This exposes performance and data structure<br />
layout problems and allows direct testing of applications on top of the kernel. However,<br />
this prototyping has a long overhead time between new design ideas and new prototype versions<br />
(on the order of weeks and months). Additionally, initial case studies in the L4.verified<br />
project (Tuch et al 2005) and the experience in VFiasco showed that starting the verification<br />
directly from the C source without any higher-level specification should be expected to be<br />
Design<br />
Design Cycle<br />
Hardware<br />
Simulator<br />
+<br />
Haskell Prototype<br />
Formal Low-Level Design<br />
Manual<br />
Implementation<br />
Proof<br />
User Programs<br />
High-Performance C Implementation<br />
Figure 9.<br />
The seL4 design and rapid prototyping method.