Gerwin Klein
ABSTRACT
We report on our experience using Haskell as an executable specification language in the formal verification of the seL4 microkernel. The verification connects an abstract operational specification in the theorem prover Isabelle/HOL to a C implementation of the microkernel. We describe how this project differs from other efforts, and examine the effect of using Haskell in a large-scale formal verification. The kernel comprises 8,700 lines of C code; the verification more than 150,000 lines of proof script.
Supplemental Material
- D. Cock. Bitfields and tagged unions in C: Verification through automatic generation. In B. Beckert and G. Klein, editors, Proceedings of the 5th International VerificationWorkshop (VERIFY'08), volume 372 of CEUR Workshop Proceedings, pages 44--55, Sydney, Australia, Aug 2008.Google Scholar
- D. Cock, G. Klein, and T. Sewell. Secure microkernels, state monads and scalable refinement. In O. A. Mohamed, C. MuÜnoz, and S. Tahar, editors, 21st TPHOLs, volume 5170 of LNCS, pages 167--182, Montreal, Canada, Aug 2008. Springer. Google ScholarDigital Library
- P. Derrin, K. Elphinstone, G. Klein, D. Cock, and M. M. T. Chakravarty. Running the manual: An approach to high-assurance microkernel development. In ACM SIGPLAN Haskell WS, Portland, OR, USA, Sep 2006. Google ScholarDigital Library
- D. Elkaduwe, G. Klein, and K. Elphinstone. Verified protection model of the seL4 microkernel. In J. Woodcock and N. Shankar, editors, VSTTE 2008 2008 -- Verified Softw.: Theories, Tools&Experiments, volume 5295 of LNCS, pages 99--114, Toronto, Canada, 2008. Springer. Google ScholarDigital Library
- K. Elphinstone, G. Klein, P. Derrin, T. Roscoe, and G. Heiser. Towards a practical, verified kernel. In 11th HotOS, pages 117--122, 2007. Google ScholarDigital Library
- G. Klein. Operating system verification - an overview. Sadhana, 34(1): 27--69, Feb 2009.Google ScholarCross Ref
- J. Liedtke. On ¼-kernel construction. In 15th SOSP, pages 237--250, Copper Mountain, CO, USA, Dec 1995. Google ScholarDigital Library
- T. Nipkow, L. Paulson, and M. Wenzel. Isabelle/HOL - A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer, 2002. Google ScholarDigital Library
- Open Kernel Labs. OKL4 v2.1. http://www.ok-labs.com, 2008.Google Scholar
- H. Tuch, G. Klein, and G. Heiser. OS verification - now! In 10th HotOS, pages 7--12, Santa Fe, NM, USA, Jun 2005. USENIX. Google ScholarDigital Library
- H. Tuch, G. Klein, and M. Norrish. Types, bytes, and separation logic. In M. Hofmann and M. Felleisen, editors, 34th POPL, pages 97--108, 2007. Google ScholarDigital Library
- S. Winwood, G. Klein, T. Sewell, J. Andronick, D. Cock, and M. Norrish. Mind the gap: A verification framework for low-level C. In S. Berghofer, T. Nipkow, C. Urban, and M. Wenzel, editors, Proc. 22nd International Conference on Theorem Proving in Higher Order Logics (TPHOLs'09), volume 5674 of LNCS. Springer, 2009. To appear. Google ScholarDigital Library
Index Terms
- Experience report: seL4: formally verifying a high-performance microkernel
Recommendations
seL4: formal verification of an OS kernel
SOSP '09: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principlesComplete formal verification is the only known way to guarantee that a system is free of programming errors.
We present our experience in performing the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to ...
Comprehensive formal verification of an OS microkernel
We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel.
We discuss the kernel design we used to make its verification tractable. We then describe the functional ...
Experience report: seL4: formally verifying a high-performance microkernel
ICFP '09We report on our experience using Haskell as an executable specification language in the formal verification of the seL4 microkernel. The verification connects an abstract operational specification in the theorem prover Isabelle/HOL to a C ...
Reviews
Wolfgang Schreiner
The formal verification of computer software is not confined to toy programs anymore. It has reached a state where it is applicable to real-life applications. This experience report witnesses this evolution, by demonstrating an approach to the verification of an operating system microkernel-in fact, to the whole process of specifying, implementing, and verifying such a piece of software. The process starts with the development of a rapid prototype, in a subset of the functional programming language Haskell, which was automatically translated into the language of the theorem prover Isabelle/HOL. From this executable specification, a verification team constructed an abstract specification, in which the intended correctness properties could be expressed and verified. The main effort was to develop a refinement proof that insures that the executable specification also satisfies these properties. At the same time, an implementation team constructed a high-performance C implementation from the executable specification, verifying the correspondence of these two levels in a second refinement proof. In the course of this process-that took 20 person-years-the Haskell prototype was repeatedly modified, due to insights gained from the efforts of both teams. The paper presents numerous interesting insights into the process of designing, implementing, and verifying a realistic piece of software, and how these activities go hand in hand. Unfortunately, little is said about the actual correctness properties of the microkernel and their verification (these details are described in a separate publication). Nevertheless, the paper nicely demonstrates how the development of safety-critical software should or might proceed in the future. Online Computing Reviews Service
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments