Operating system verificationâAn overview
Operating system verificationâAn overview
Operating system verificationâAn overview
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
60 Gerwin Klein<br />
into separate functions, which are verified separately against their specification. This specification<br />
is then used in the rest of the C program. The C program state may be enriched with<br />
hardware state that is only accessible to these assembly functions. The technique is similar<br />
to Verisoft’s XCalls (Leinenbach & Petrova 2008).<br />
One salient feature of the L4.verified C model is that it is formalised at a very detailed level<br />
to support reasoning about unsafe language constructs. For example, it uses a formalisation of<br />
fixed-size machine words (Dawson 2009) such as 32-bit or 64-bit words, instead of assuming<br />
general natural numbers. At the same time, the formalisation provides proof techniques and<br />
abstractions that allow efficient, abstract verification of program parts that do not use unsafe C<br />
features (Tuch & Klein 2005, Tuch et al 2007, Tuch 2008b). Tuch’s (2008a) work proves two<br />
high-level reasoning techniques correct and integrates them into the C verification framework:<br />
separation logic (Reynolds 2002) and multiple typed heaps (Bornat 2000; Burstall 1972). The<br />
first is a logic for pointer-based programs that is currently gaining popularity in the verification<br />
community. The second allows the program heap to be cut into separate, non-interfering parts<br />
by type to simplify verification.<br />
The C code is parsed directly and automatically into the theorem prover. The technology<br />
has been tested in a complex case study of the L4 kernel memory allocator functions (Tuch<br />
et al 2007). As part of the project, (Kolanski 2008) has developed an adaptation of separation<br />
logic that allows reasoning about the virtual memory layout of the machine. This logic can<br />
be used to justify a simpler memory model for the majority of the code, and to reason directly<br />
about MMU manipulations.<br />
The total effort spent on all tool, library, logic, and C model development in the project so<br />
far was an estimated 10 person years.<br />
Coming back to the already completed, large-scale proof between high-level and low-level<br />
design, the formal implementation correctness statement required the project to show a large<br />
number of internal consistency invariants on both models. These invariant proofs made the<br />
strongest direct contribution to the seL4 design process. One of the simplest of these invariants<br />
states that all references in the kernel, including all capabilities, always point to valid objects<br />
of the right type (i.e. thread capabilities always point to thread control blocks). This is easy to<br />
establish for most kernel operations, but becomes interesting in the case of the retype operation<br />
which allows processes to re-use memory, destroying old kernel data structures and initialising<br />
new ones in their place. The kernel implements a number of complex bookkeeping data<br />
structures and enforces restrictions on the retyping operation. These elaborate data structures<br />
and restrictions are collectively designed to make sure that the internal consistency cannot<br />
be broken by cleverly misusing the operation alone or in combination with any other kernel<br />
operation.<br />
The invariant proof shows that this design and interplay between bookkeeping and API<br />
restrictions indeed works: No user will be able to create unsafe pointers inside the kernel, spoof<br />
capability derivations, or gain elevated access to kernel resources through obscure corner<br />
conditions or wrong parameter encodings. The project has established these consistency<br />
invariants for all kernel operations, for all possible inputs, and for all possible sequences of<br />
kernel invocations. Cock et al (2008) describe some of them in more detail. Even without<br />
C-level implementation verification yet, this proof constitutes a strong validation of the seL4<br />
design and the mechanisms it provides.