Operating system verificationâAn overview
Operating system verificationâAn overview
Operating system verificationâAn overview
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
58 Gerwin Klein<br />
a difficult and long process. In contrast to the OS approach, the traditional formal methods<br />
approach would take the design ideas, formalise them into a high-level specification first and<br />
then analyse that specification. This has the advantage of exposing conceptual problems early.<br />
The disadvantages lie in not exercising the design through user applications and not exposing<br />
performance and data structure layout problems.<br />
In the seL4 approach, the prototype is not written in C, but in a high-level, functional<br />
programming language that is efficiently executable and close to the notation of the theorem<br />
prover. In this case, the language chosen by the OS group was Haskell (Jones 2003), a pure,<br />
side-effect free functional language that the kernel implementers felt comfortable with. Given<br />
a hardware simulator for the target platform that transforms hardware kernel trap instructions<br />
into calls to the Haskell prototype, normal user application binaries can still exercise the<br />
design directly. The Haskell prototype can be made sufficiently low-level to expose data layout<br />
problems immediately. Performance is only evaluated in a qualitative way, by observing the<br />
number of <strong>system</strong> calls necessary to achieve a desired goal and by inspecting the Haskell code<br />
of these calls to judge how well they could be implemented in C. Since Haskell is very close<br />
to Isabelle/HOL, it can be automatically translated into the theorem prover. In this way, we<br />
arrive automatically at a precise, formal low-level design which is the basis of further formal<br />
analysis. Both the formal analysis and the validation against user binaries are able to feed<br />
back rapidly into the design cycle. Changes in the design can be implemented in a manner of<br />
days, sometimes hours (Heiser et al 2007; Elphinstone et al 2007, 2006).<br />
For the purpose of running the Haskell kernel prototype, the two projects jointly developed<br />
a hardware simulator generator that takes an instruction set specification together with a<br />
simple device description and turns it into an efficient instruction-level simulator as well<br />
as an Isabelle/HOL formalisation. This hardware formalisation can then form the basis for<br />
assembly level verification. By running the simulator, the formalisation can be extensively<br />
validated against the real processor. Trust is reduced from a manual formalisation to the<br />
correct operation of the generator.<br />
The total effort spent on designing, implementing and validating the seL4 kernel comes to<br />
6 person years. This includes benchmarking and porting the L4/Linux (Leslie et al 2005) and<br />
Iguana (NICTA 2008) operating <strong>system</strong>s to the new kernel.<br />
We now turn from the seL4 design to its verification in the L4.verified project. Figure 10<br />
gives an <strong>overview</strong> of how the design fits into the verification picture. The L4.verified refinement<br />
approach looks similar to that of UCLA Secure Unix. On the bottom layer, we find<br />
the source code implementation of the kernel in C and assembly. To reason about the implementation,<br />
this lowest model also needs to include some detail about the hardware such as a<br />
model of the MMU, exceptions, and interrupts. The next layer up is the low-level design—the<br />
Isabelle/HOL translation of the Haskell prototype mentioned above. It contains implementations<br />
of all important data structures with a high degree of low-level detail like the number<br />
of bits that are used to store capabilities, doubly-linked lists implemented by pointers, etc.<br />
The second highest layer in figure 10 is the high-level design. It contains a description of all<br />
user-visible kernel operations, but leaves out data structures and detail where possible. For<br />
instance, the scheduler on the abstract level is specified simply by saying pick any thread in<br />
the <strong>system</strong> that is runnable, but in the low-level design, a data structure is provided for tracking<br />
which threads are runnable and which priority they have. The top level of figure 10 is<br />
the access control model of seL4 (Elkaduwe et al 2007). It abstracts strongly from detail and<br />
only specifies how capabilities are distributed in the <strong>system</strong>. The security property proven in<br />
L4.verified states that the kernel can effectively isolate sub<strong>system</strong>s and can enforce flexible<br />
global security policies.