The CertiKOS project at Yale aims to develop new language-based technologies for building large-scale certified system software. Initially, we thought that verifying an OS kernel would require new program logics and powerful proof automation tools, but that it should not be much different from standard Hoare-style program verification. After several years of trial and error, we have decided to take a different path from the one we originally planned. We now believe that building large-scale certified system software requires a fundamental shift in the way we design the underlying programming languages, program logics, and proof assistants. In this talk, I outline our new clean-slate approach, explain its rationale, and describe various lessons and insights based on our experience with the development of several new certified OS kernels.
Overview

Operating System (OS) kernels and hypervisors form the backbone of every safety-critical software system in the world, so it is highly desirable to formally verify the correctness of these programs [18]. During the last 10 years, we (the FLINT group at Yale) have developed a large number of program logics (for C and assembly) to support modular verification of low-level constructs such as storage allocation [21, 3], embedded code pointers [15], stack-based control abstractions [7], machine context management [16], self-modifying code [2], garbage collectors [14], hardware interrupts and preemptive threads [5], nonblocking concurrency [4, 8, 12], concurrent thread management [11], and virtual memory management [20]. We have also developed a certified linking framework [6] and used it to compose heterogeneous program components into end-to-end certified systems.

In 2010, we were ready to test these program logics on a realistic OS kernel [19, 9]. The new CertiKOS project aimed to develop language-based techniques for building large-scale certified system software. We wanted to explore the design space of various OS kernel architectures, but on the verification side we thought it was mostly a matter of proof engineering: we would develop more domain-specific program logics and powerful proof automation tools, but we would likely stick to the original path, which followed the spirit of standard Hoare-style program verification.

After several years of trial and error, we have decided to take a different path [10]. We now believe that building large-scale certified system software requires a fundamental shift in the way we design the underlying programming languages, program logics, and proof assistants. More specifically, we advocate a clean-slate approach that uses compositionality as the decisive factor in choosing the underlying programming and specification languages and in forming certified software components.
Language features that have no simple and clean compositional semantics should either be avoided completely or be encapsulated inside a single module. Certified system software should have highly compositional specifications and be built strictly using compositional b...