ABSTRACT
Complete formal verification is the only known way to guarantee that a system is free of programming errors.
We present our experience in performing the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of compiler, assembly code, and hardware, and we used a unique design approach that fuses formal and operating systems techniques. To our knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel. Functional correctness means here that the implementation always strictly follows our high-level abstract specification of kernel behaviour. This encompasses traditional design and implementation safety properties such as the kernel will never crash, and it will never perform an unsafe operation. It also proves much more: we can predict precisely how the kernel will behave in every possible situation.
seL4, a third-generation microkernel of L4 provenance, comprises 8,700 lines of C code and 600 lines of assembler. Its performance is comparable to other high-performance L4 kernels.
- M. Accetta, R. Baron, W. Bolosky, D. Golub, R. Rashid, A. Tevanian, and M. Young. Mach: A new kernel foundation for UNIX development. In 1986 Summer USENIX, pages 93--112, 1986.Google Scholar
- E. Alkassar, M. Hillebrand, D. Leinenbach, N. Schirmer, A. Starostin, and A. Tsyban. Balancing the load -- leveraging a semantics stack for systems verification. JAR, 42(2-4), 2009. Google ScholarDigital Library
- E. Alkassar, N. Schirmer, and A. Starostin. Formal pervasive verification of a paging mechanism. In C.R. Ramakrishnan and J. Rehof, editors, Tools and Alg. for the Construction and Analysis of Systems (TACAS), volume 4963 of LNCS, pages 109--123. Springer, 2008. Google ScholarDigital Library
- J. Alves-Foss, P.W. Oman, C. Taylor, and S. Harrison. The MILS architecture for high-assurance embedded systems. Int. J. Emb. Syst., 2:239--247, 2006.Google ScholarCross Ref
- M. Archer, E. Leonard, and M. Pradella. Analyzing security-enhanced Linux policy specifications. In POLICY '03: Proc. 4th IEEE Int. WS on Policies for Distributed Systems and Networks, pages 158--169. IEEE Computer Society, 2003. Google ScholarDigital Library
- T. Ball and S.K. Rajamani. SLIC: A specification language for interface checking. Technical Report MSR-TR-2001-21, Microsoft Research, 2001.Google Scholar
- B.N. Bershad, S. Savage, P. Pardyak, E.G. Sirer, M.E. Fiuczynski, D. Becker, C. Chambers, and S. Eggers. Extensibility, safety and performance in the SPIN operating system. In 15th SOSP, Dec 1995. Google ScholarDigital Library
- W.R. Bevier. Kit: A study in operating system verification. IEEE Transactions on Software Engineering, 15(11):1382--1396, 1989. Google ScholarDigital Library
- W.R. Bevier and L. Smith. A mathematical model of the Mach kernel: Atomic actions and locks. Technical Report 89, Computational Logic Inc., Apr 1993.Google Scholar
- I.T. Bowman, R.C. Holt, and N.V. Brewster. Linux as a case study: its extracted software architecture. In ICSE '99: Proc. 21st Int. Conf. on Software Engineering, pages 555--563. ACM, 1999. Google ScholarDigital Library
- A. Boyton. A verified shared capability model. In G. Klein, R. Huuck, and B. Schlich, editors, 4th WS Syst. Softw. Verification SSV'09, ENTCS, pages 99--116. Elsevier, Jun 2009.Google Scholar
- P. Brinch Hansen. The nucleus of a multiprogramming operating system. CACM, 13:238--250, 1970. Google ScholarDigital Library
- D. Cock. Bitfields and tagged unions in C: Verification through automatic generation. In B. Beckert and G. Klein, editors, VERIFY'08, volume 372 of CEUR Workshop Proceedings, pages 44--55, Aug 2008.Google Scholar
- D. Cock, G. Klein, and T. Sewell. Secure microkernels, state monads and scalable refinement. In O.A. Mohamed, C. Mu n oz, and S. Tahar, editors, 21st TPHOLs, volume 5170 of LNCS, pages 167--182. Springer, Aug 2008. Google ScholarDigital Library
- B. Cook, A. Gotsman, A. Podelski, A. Rybalchenko, and M.Y. Vardi. Proving that programs eventually do something good. In 34th POPL. ACM, 2007. Google ScholarDigital Library
- J. Criswell, A. Lenharth, D. Dhurjati, and V. Adve. Secure virtual architecture: A safe execution environment for commodity operating systems. In 16th SOSP, pages 351--366, Oct 2007. Google ScholarDigital Library
- U. Dannowski. Personal communication.Google Scholar
- W.-P. de Roever and K. Engelhardt. Data Refinement: Model-Oriented Proof Methods and their Comparison. Number 47 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1998. Google ScholarDigital Library
- P. Derrin, K. Elphinstone, G. Klein, D. Cock, and M.M.T. Chakravarty. Running the manual: An approach to high-assurance microkernel development. In ACM SIGPLAN Haskell WS, Sep 2006. Google ScholarDigital Library
- D. Elkaduwe, P. Derrin, and K. Elphinstone. Kernel design for isolation and assurance of physical memory. In 1st IIES, pages 35--40. ACM SIGOPS, Apr 2008. Google ScholarDigital Library
- D. Elkaduwe, G. Klein, and K. Elphinstone. Verified protection model of the seL4 microkernel. In J. Woodcock and N. Shankar, editors, VSTTE 2008 -- Verified Softw.: Theories, Tools&Experiments, volume 5295 of LNCS, pages 99--114. Springer, Oct 2008. Google ScholarDigital Library
- K. Elphinstone, G. Klein, P. Derrin, T. Roscoe, and G. Heiser. Towards a practical, verified kernel. In 11th HotOS, pages 117--122, May 2007. Google ScholarDigital Library
- M. Faehndrich, M. Aiken, C. Hawblitzel, O. Hodson, G.C. Hunt, J.R. Larus, and S. Levi. Language support for fast and reliable message-based communication in Singularity OS. In 1st EuroSys Conf., pages 177--190, Apr 2006. Google ScholarDigital Library
- R.J. Feiertag and P.G. Neumann. The foundations of a provably secure operating system (PSOS). In AFIPS Conf. Proc., 1979 National Comp. Conf., Jun 1979.Google ScholarCross Ref
- B. Ford, M. Hibler, J. Lepreau, R. McGrath, and P. Tullmann. Interface and execution models in the Fluke kernel. In 3rd OSDI. USENIX, Feb 1999. Google ScholarDigital Library
- T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. In 19th SOSP, Oct 2003. Google ScholarDigital Library
- Green Hills Software, Inc. INTEGRITY-178B separation kernel security target version 1.0. http://www.niap-ccevs.org/cc-scheme/st/st_vid10119-st.pdf, 2008.Google Scholar
- Greenhills Software, Inc. Integrity real-time operating system. http://www.ghs.com/products/rtos/integrity.html, 2008.Google Scholar
- J.D. Guttman, A.L. Herzog, J.D. Ramsdell, and C.W. Skorupka. Verifying information flow goals in security-enhanced Linux. Journal of Computer Security, 13(1):115--134, 2005. Google ScholarDigital Library
- J.T. Haigh and W.D. Young. Extending the noninterference version of MLS for SAT. IEEE Trans. on Software Engineering, 13(2):141--150, 1987. Google ScholarDigital Library
- D.S. Hardin, E.W. Smith, and W.D. Young. A robust machine code proof framework for highly secure applications. In ACL2'06: Proc. Int. WS on the ACL2 theorem prover and its applications. ACM, 2006. Google ScholarDigital Library
- G. Heiser. Hypervisors for consumer electronics. In 6th IEEE CCNC, 2009. Google ScholarDigital Library
- C.L. Heitmeyer, M. Archer, E.I. Leonard, and J. McLean. Formal specification and verification of data separation in a separation kernel for an embedded system. In CCS '06: Proc. 13th Conf. on Computer and Communications Security, pages 346--355. ACM, 2006. Google ScholarDigital Library
- T.A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Software verification with Blast. In SPIN'03, Workshop on Model Checking Software, 2003. Google ScholarDigital Library
- M. Hohmuth, M. Peter, H. Haertig, and J.S. Shapiro. Reducing TCB size by using untrusted components -- small kernels versus virtual-machine monitors. In 11th SIGOPS Eur. WS, Sep 2004. Google ScholarDigital Library
- M. Hohmuth and H. Tews. The VFiasco approach for a verified operating system. In 2nd PLOS, Jul 2005.Google Scholar
- Iguana. http://www.ertos.nicta.com.au/software/kenge/iguana-project/latest/.Google Scholar
- Information Assurance Directorate. U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Jun 2007. Version 1.03. http://www.niap--ccevs.org/cc--scheme/pp/pp.cfm/id/pp_skpp_hr_v1.03/.Google Scholar
- ISO/IEC. Programming languages -- C. Technical Report 9899:TC2, ISO/IEC JTC1/SC22/WG14, May 2005.Google Scholar
- G. Klein. Operating system verification -- an overview. Sadhana, 34(1):27--69, Feb 2009. Google ScholarDigital Library
- G. Klein, P. Derrin, and K. Elphinstone. Experience report: seL4 -- formally verifying a high-performance microkernel. In 14th ICFP, Aug 2009. Google ScholarDigital Library
- R. Kolanski and G. Klein. Types, maps and separation logic. In S. Berghofer, T. Nipkow, C. Urban, and M. Wenzel, editors, Proc. TPHOLs'09, volume 5674 of LNCS. Springer, 2009. Google ScholarDigital Library
- L4HQ. http://l4hq.org/arch/arm/.Google Scholar
- X. Leroy. Formal certification of a compiler back-end, or: Programming a compiler with a proof assistant. In J.G. Morrisett and S.L.P. Jones, editors, 33rd POPL, pages 42--54. ACM, 2006. Google ScholarDigital Library
- J. Liedtke. Improving IPC by kernel design. In 14th SOSP, pages 175--188, Dec 1993. Google ScholarDigital Library
- J. Liedtke. Towards real microkernels. CACM, 39(9):70--77, Sep 1996. Google ScholarDigital Library
- J. Liedtke, K. Elphinstone, S. Schoenberg, H. Haertig, G. Heiser, N. Islam, and T. Jaeger. Achieved IPC performance (still the foundation for extensibility). In 6th HotOS, pages 28--31, May 1997. Google ScholarDigital Library
- W.B. Martin, P. White, A. Goldberg, and F.S. Taylor. Formal construction of the mathematically analyzed separation kernel. In ASE '00: Proc. 15th IEEE Int. Conf. on Automated software engineering, pages 133--141. IEEE Computer Society, 2000. Google ScholarDigital Library
- Z. Ni, D. Yu, and Z. Shao. Using XCAP to certify realistic system code: Machine context management. In Proc. TPHOLs'07, volume 4732 of LNCS, pages 189--206. Springer, Sep 2007. Google ScholarDigital Library
- T. Nipkow, L. Paulson, and M. Wenzel. Isabelle/HOL -- A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer, 2002. Google ScholarDigital Library
- OKL4 web site. http://okl4.org.Google Scholar
- T. Perrine, J. Codd, and B. Hardy. An overview of the kernelized secure operating system (KSOS). In Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference, pages 146--160, Sep 1984.Google Scholar
- Rockwell Collins, Inc. AAMP7r1 Reference Manual, 2003.Google Scholar
- J.M. Rushby. Design and verification of secure systems. In 8th SOSP, pages 12--21, 1981. Google ScholarDigital Library
- O. Saydjari, J. Beckman, and J. Leaman. Locking computers securely. In 10th National Computer Security Conference, pages 129--141, Sep 1987.Google Scholar
- A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In 16th SOSP, pages 335--350, Oct 2007. Google ScholarDigital Library
- J.S. Shapiro, D.F. Faber, and J.M. Smith. State caching in the EROS kernel--implementing efficient orthogonal peristence in a pure capability system. In 5th IWOOOS, pages 89--100, Nov 1996.Google Scholar
- J.S. Shapiro, J.M. Smith, and D.J. Farber. EROS: A fast capability system. In 17th SOSP, Dec 1999. Google ScholarDigital Library
- L. Singaravelu, C. Pu, H. Haertig, and C. Helmuth. Reducing TCB complexity for security-sensitive applications: Three case studies. In 1st EuroSys Conf., pages 161--174, Apr 2006. Google ScholarDigital Library
- R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask security architecture: System support for diverse security policies. In 8th USENIX Security Symp., Aug 1999. Google ScholarDigital Library
- H. Tews, T. Weber, and M. Voelp. A formal model of memory peculiarities for the verification of low-level operating-system code. In R. Huuck, G. Klein, and B. Schlich, editors, Proc. 3rd Int. WS on Systems Software Verification (SSV'08), volume 217 of ENTCS, pages 79--96. Elsevier, Feb 2008. Google ScholarDigital Library
- H. Tuch. Formal Memory Models for Verifying C Systems Code. PhD thesis, UNSW, Aug 2008.Google Scholar
- H. Tuch. Formal verification of C systems code: Structured types, separation logic and theorem proving. JAR, 42(2-4):125--187, 2009. Google ScholarDigital Library
- H. Tuch, G. Klein, and G. Heiser. OS verification -- now! In 10th HotOS, pages 7--12. USENIX, Jun 2005. Google ScholarDigital Library
- H. Tuch, G. Klein, and M. Norrish. Types, bytes, and separation logic. In M. Hofmann and M. Felleisen, editors, 34th POPL, pages 97--108, Jan 2007. Google ScholarDigital Library
- US National Institute of Standards. Common Criteria for IT Security Evaluation, 1999. ISO Standard 15408. http://csrc.nist.gov/cc/.Google Scholar
- B.J. Walker, R.A. Kemmerer, and G.J. Popek. Specification and verification of the UCLA Unix security kernel. CACM, 23(2):118--131, 1980. Google ScholarDigital Library
- D.A. Wheeler. SLOCCount. http://www.dwheeler.com/sloccount/, 2001.Google Scholar
- A. Whitaker, M. Shaw, and S. D. Gribble. Scale and performance in the Denali isolation kernel. In 5th OSDI, Dec 2002. Google ScholarDigital Library
- S. Winwood, G. Klein, T. Sewell, J. Andronick, D. Cock, and M. Norrish. Mind the gap: A verification framework for low-level C. In S. Berghofer, T. Nipkow, C. Urban, and M. Wenzel, editors, Proc. TPHOLs'09, volume 5674. Springer, 2009. Google ScholarDigital Library
- W. Wulf, E. Cohen, W. Corwin, A. Jones, R. Levin, C. Pierson, and F. Pollack. HYDRA: The kernel of a multiprocessor operating system. CACM, 17:337--345, 1974. Google ScholarDigital Library
Index Terms
- seL4: formal verification of an OS kernel
Recommendations
Comprehensive formal verification of an OS microkernel
We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel.
We discuss the kernel design we used to make its verification tractable. We then describe the functional ...
Experience report: seL4: formally verifying a high-performance microkernel
ICFP '09We report on our experience using Haskell as an executable specification language in the formal verification of the seL4 microkernel. The verification connects an abstract operational specification in the theorem prover Isabelle/HOL to a C ...
Experience report: seL4: formally verifying a high-performance microkernel
ICFP '09: Proceedings of the 14th ACM SIGPLAN international conference on Functional programmingWe report on our experience using Haskell as an executable specification language in the formal verification of the seL4 microkernel. The verification connects an abstract operational specification in the theorem prover Isabelle/HOL to a C ...
Comments