A Case Study on Formal Verification of the Anaxagoros Hypervisor Paging System with Frama-C

Blanchard, Allan; Kosmatov, Nikolaï; Lemerre, Matthieu; Loulergue, Frédéric

doi:10.1007/978-3-319-19458-5_2

Cited by 18 publications

(13 citation statements)

References 21 publications

(23 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It supports many approaches to verificationÐthe most related one is the łWPž deductive verification module, which lets programmers annotate a C program with pre-and postconditions written in a specification language called ACSL, which then generate goals for either an automatic or interactive theorem prover. It has been applied to verify parts of hypervisors/microkernels [Blanchard et al 2015[Blanchard et al , 2018Mangano et al 2016]. The emphasis of ACSL is on logic formulas: it includes first-and higher-order quantifiers, separation-logic connectives, inductive definitions, built-in sets and lists, and recursive definitions.…”

Section: Related Workmentioning

confidence: 99%

DeepSEA: a language for certified system software

Sjöberg

Sang

Weng

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Writing certifiably correct system software is still very labor-intensive, and current programming languages are not well suited for the task. Proof assistants work best on programs written in a high-level functional style, while operating systems need low-level control over the hardware. We present DeepSEA, a language which provides support for layered specification and abstraction refinement, effect encapsulation and composition, and full equational reasoning. A single DeepSEA program is automatically compiled into a certified łlayerž consisting of a C program (which is then compiled into assembly by CompCert), a low-level functional Coq specification, and a formal (Coq) proof that the C program satisfies the specification. Multiple layers can be composed and interleaved with manual proofs to ascribe a high-level specification to a program by stepwise refinement. We evaluate the language by using it to reimplement two existing verified programs: a SHA-256 hash function and an OS kernel page table manager. This new style of programming language design can directly support the development of correct-by-construction system software. CCS Concepts: • Software and its engineering → Software verification; Abstraction, modeling and modularity; General programming languages.

show abstract

Section: Related Workmentioning

confidence: 99%

DeepSEA: a language for certified system software

Sjöberg

Sang

Weng

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…There are many formalizations of memory models in the literature, e.g., [10,14,15,19,21], where some of them only create an abstract specification of the services for memory allocation and release [10,15,21]. 2Formal verification of OS memory management has been studied in CertiKOS [11,20], seL4 [12,13], Verisoft [3], and in the hypervisors from [4,5], where only the works in [4,11] consider concurrency. Comparing to buddy memory allocation, the data structures and algorithms verified in [11] are relatively simpler, without block split/coalescence and multiple levels of free lists and bitmaps.…”

Section: Introductionmentioning

confidence: 99%

“…Comparing to buddy memory allocation, the data structures and algorithms verified in [11] are relatively simpler, without block split/coalescence and multiple levels of free lists and bitmaps. [4] only considers virtual mapping but not allocation or deallocation of memory areas.…”

Section: Introductionmentioning

confidence: 99%

Rely-Guarantee Reasoning About Concurrent Memory Management in Zephyr RTOS

Zhao

Sanán

2019

Computer Aided Verification

View full text Add to dashboard Cite

Formal verification of concurrent operating systems (OSs) is challenging, and in particular the verification of the dynamic memory management due to its complex data structures and allocation algorithm. Up to our knowledge, this paper presents the first formal specification and mechanized proof of a concurrent buddy memory allocation for a real-world OS. We develop a fine-grained formal specification of the buddy memory management in Zephyr RTOS. To ease validation of the specification and the source code, the provided specification closely follows the C code. Then, we use the rely-guarantee technique to conduct the compositional verification of functional correctness and invariant preservation. During the formal verification, we found three bugs in the C code of Zephyr.

show abstract

“…Hypervisors implement nontrivial algorithms, and formally verifying them is an active research field ( [18], [20], [19], to name but a few -an exhaustive list of references can be found in [21]). We only verify our hypervisor's algorithm, not its implementation; the counterpart is that our verification effort is comparatively much smaller.…”

Section: Introductionmentioning

confidence: 99%

Proving Partial-Correctness and Invariance Properties of Transition-System Models

Rusu

Grimaud

Hauspie

2018

2018 International Symposium on Theoretical Aspects of Software Engineering (TASE)

View full text Add to dashboard Cite

We propose a deductive verification approach for proving partial-correctness and invariance properties on transition-system models. Regarding partial correctness, we generalise the recently introduced formalism of Reachability Logic, currently used as a language-parametric logic for programs, to transition systems. We propose a sound and relatively complete proof system for the resulting reachability logic. The soundness of the proof system is formally established in the Coq proof assistant, and the mechanised proof provides us with a Coq-certified Reachability-Logic prover for transition-system models. The relative completeness of the proof system, although theoretical in nature, also has a practical value, as it induces a proof strategy that is guaranteed to prove all valid formulas on a given transition system. The strategy reduces partial-correctness verification to invariance verification; for the latter we propose an incremental technique in order to deal with the case-explosion problem that affects it. All these techniques were instrumental in enabling us to prove, within reasonable time and effort limits, that the nontrivial algorithm implemented in security hypervisor that we designed in earlier work meets its expected functional requirements.

show abstract

A Case Study on Formal Verification of the Anaxagoros Hypervisor Paging System with Frama-C

Cited by 18 publications

References 21 publications

DeepSEA: a language for certified system software

DeepSEA: a language for certified system software

Rely-Guarantee Reasoning About Concurrent Memory Management in Zephyr RTOS

Proving Partial-Correctness and Invariance Properties of Transition-System Models

Contact Info

Product

Resources

About