Using XCAP to Certify Realistic Systems Code: Machine Context Management

Abstract. Pervasive formal verification of operating systems and hypervisors is, due to their safety-critical aspects, a highly relevant area of research. Many implementations consist of both assembler and C functions. Formal verification of their correctness must consider the correct interaction of code written in these languages, which is, in practice, ensured by using matching application binary interfaces (ABIs). Also, these programs must be able to interact with hardware. We present an integrated operational small-step semantics model of intermediatelanguage C and Macro-Assembler code execution for pervasive operating systems and hypervisor verification. Our semantics is based on a compiler calling convention that defines callee-and caller-save registers. We sketch a theory connecting this semantic layer with an ISA-model executing the compiled code for use in a pervasive verification context. This forms a basis for soundness proofs of tools used in the VerisoftXT project and is a crucial step towards arguing formal correctness of execution of the verified code on a gate-level hardware model.

show abstract

“…Expressions We define the set of expressions E in table 4. O 1 and O 2 are sets of operators (table 5) defined for the compiler in question.…”

Section: Semanticsmentioning

confidence: 99%

“…The FLINT group, on the other hand focuses on assembler code verification using their framework XCAP [3], which they successfully applied in [4] and [5]. So far, however, no integration of results into a semantics stack with high-level programming languages has been reported yet.…”

Section: Introductionmentioning

confidence: 99%

Integrated Semantics of Intermediate-Language C and Macro-Assembler for Pervasive Formal Verification of Operating Systems and Hypervisors from VerisoftXT

Schmaltz

Shadrin

2012

Verified Software: Theories, Tools, Experiments

View full text Add to dashboard Cite

show abstract

“…In the former category fall projects like the FLINT project [38], the MASK project, the AAMP7 project, the EMBEDDED DEVICE project and EROS/Coyotos [46], for all of which we refer the interested reader to the excellent and comprehensive overview by Klein [29].…”

Section: Related Workmentioning

confidence: 99%

Proving Fairness and Implementation Correctness of a Microkernel Scheduler

2009

View full text Add to dashboard Cite

We report on the formal proof of a microkernel's key property, namely that its multi-priority process scheduler guarantees progress, i. e., strong fairness. The proof architecture links a layer of behavioral reasoning over system-trace sets with a concrete, fairly realistic implementation written in C.Our microkernel provides an infrastructure for memory virtualization, for communication with hardware devices, for processes (represented as a sequence of assembly instructions, which are executed concurrently over an underlying, formally defined processor), and for inter-process communication (IPC) via synchronous message passing. The kernel establishes process switches according to IPCs and timer-events; the scheduling of process switches, however, follows a hierarchy of priorities, favoring, e. g., system processes over application processes over maintenance processes.Besides the quite substantial models developed in Isabelle/HOL and the formal clarification of their relationship, we provide a detailed analysis what formal requirements a microkernel imposes on the key ingredients (hardware, timers, machine-dependent code) in order to establish the correct operation of the overall system. On the methodological side, we show how early modeling with foresight to the later verification has substantially helped our project.

show abstract

“…Code verification relies on Verisoft's Hoare environment [8]. In the FLINT project, an assembly code verification framework is developed and code for context switching on a x86 architecture was formally proven [9]. A program logic for assembler code is presented, but no integration of results into high-level programming languages is undertaken.…”

Section: Motivation and Challengesmentioning

confidence: 99%

The Verisoft Approach to Systems Verification

Alkassar

Hillebrand

Leinenbach

et al.

Verified Software: Theories, Tools, Experiments

View full text Add to dashboard Cite

Abstract. The Verisoft project aims at the pervasive formal verification from the application layer over the system level software, comprising a microkernel and a compiler, down to the hardware. The different layers of the system give rise to various abstraction levels to conduct the reasoning steps efficiently. The lower the abstraction level the more details and invariants are necessary to ensure overall system correctness. Illustrated by a page-fault handler we discuss the layers and the trade-off between efficiency of reasoning at a more abstract layer versus the development of meta-theory to transfer the verification results between the layers.

show abstract

Using XCAP to Certify Realistic Systems Code: Machine Context Management

Cited by 40 publications

References 10 publications

Integrated Semantics of Intermediate-Language C and Macro-Assembler for Pervasive Formal Verification of Operating Systems and Hypervisors from VerisoftXT

Integrated Semantics of Intermediate-Language C and Macro-Assembler for Pervasive Formal Verification of Operating Systems and Hypervisors from VerisoftXT

Proving Fairness and Implementation Correctness of a Microkernel Scheduler

The Verisoft Approach to Systems Verification

Contact Info

Product

Resources

About