Operating system verificationâAn overview
Operating system verificationâAn overview
Operating system verificationâAn overview
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Operating</strong> <strong>system</strong> verification—An <strong>overview</strong> 35<br />
<strong>system</strong> to a similar, but slightly different one allows him to escape the Gödelian restriction.<br />
Having so evaded the impossible part, strictly speaking, one still gets caught out<br />
with a useless statement. There is no guarantee that the new axiom <strong>system</strong> is sound and<br />
even if it was, we still have used the tool itself to show its own correctness, which means<br />
we are still relying on its infrastructure to be correct. A soundness-critical bug in the<br />
infrastructure can easily show its own correctness by exploiting precisely this bug. Nevertheless,<br />
going back to the argument of benign users, it is an interesting and revealing<br />
exercise to go through the process that genuinely increases the degree of assurance of the<br />
theorem prover being correct. Additionally checking the proof in a different, compatible<br />
prover like Isabelle/HOL makes the probability of accidentally using an infrastructure<br />
implementation bug very small. There is currently only one such self-verified tool: Harrison’s<br />
HOL-light. A similar idea is using one theorem prover to show the correctness<br />
of another. Followed to the end, this must lead to either an infinite chain of such proofs<br />
or stop somewhere at a traditionally certified <strong>system</strong>. The author is not aware of any<br />
production-quality <strong>system</strong>s that have undergone such a process, but there are certainly<br />
examples of theorem-proving algorithms and models being analysed in theorem provers<br />
(Ridge 2004).<br />
With independent, small proof checkers, even the most paranoid customers of formal verification,<br />
such as the defence and intelligence communities, are satisfied that the correctness of<br />
formal proofs themselves is essentially a solved problem. Much more critical and potentially<br />
dangerous are the relationships between the informal and formal parts. In the following, we<br />
look at the formal/physical and formal/idealistic dimensions in turn.<br />
(i) Translating physical artefacts into formal models: One crucial question in formal verification<br />
is how closely the model resembles the physical <strong>system</strong>. The exposition in § 2·1<br />
has already established that this connection can never be fully precise. As in all of engineering,<br />
we work with abstractions of the real world. The important part is to cover what<br />
is relevant to the task at hand. As mentioned before, opinions vary on what is appropriate<br />
here, because the more detailed the model, the harder and more resource-intensive<br />
the verification. Even if it is agreed what the appropriate level should be, it is still possible<br />
to make mistakes in the translation itself. If for instance, the semantics of the C<br />
programming language on the formal side does not match the compiler’s interpretation,<br />
then the proof constructed with that semantics will exhibit a large gap to the physical<br />
artefact and might make wrong predictions of its behaviour. This gap is often downplayed<br />
in academic literature and in the marketing material of companies. For instance,<br />
there currently exists no operating <strong>system</strong> kernel that can be called formally verified in<br />
the above sense, although two of the projects surveyed below come close and have made<br />
promising progress towards that goal. Not even the highest Common Criteria evaluation<br />
level (EAL 7) demands a formal or even semi-formal implementation. No strong, formal<br />
case needs to be made that the low-level design adequately models the implementation.<br />
What is verified is the low-level design with respect to the functional specification only.<br />
This, of course, is already a very worthwhile process, and it might be all that is required<br />
or appropriate for a specific application, but it falls short of what can be achieved. Even<br />
though the projects surveyed below have different views on which level of implementation<br />
detail is appropriate, they all agree that it should at least be as deep as the source<br />
code level of the implementation language. This level is significant, because it is the lowest<br />
level that is usually worked on manually. Deeper levels are commonly produced by