research-article

seL4: formal verification of an OS kernel

Authors:
Gerwin Klein

NICTA & UNSW, Sydney, Australia

NICTA & UNSW, Sydney, Australia
View Profile

,
Kevin Elphinstone

NICTA & UNSW, Sydney, Australia

NICTA & UNSW, Sydney, Australia
View Profile

,
Gernot Heiser

NICTA, UNSW & Open Kernel Labs, Sydney, Australia

NICTA, UNSW & Open Kernel Labs, Sydney, Australia
View Profile

,
June Andronick

NICTA & UNSW, Sydney, Australia

NICTA & UNSW, Sydney, Australia
View Profile

,
David Cock

NICTA & UNSW, Sydney, Australia

NICTA & UNSW, Sydney, Australia
View Profile

,
Philip Derrin

NICTA, Sydney, Australia

NICTA, Sydney, Australia
View Profile

,
Dhammika Elkaduwe

NICTA & UNSW, Sydney, Australia

NICTA & UNSW, Sydney, Australia
View Profile

,
Kai Engelhardt

UNSW & NICTA, Sydney, Australia

UNSW & NICTA, Sydney, Australia
View Profile

,
Rafal Kolanski

NICTA & UNSW, Sydney, Australia

NICTA & UNSW, Sydney, Australia
View Profile

,
Michael Norrish

NICTA & ANU, Canberra, Australia

NICTA & ANU, Canberra, Australia
View Profile

,
Thomas Sewell

NICTA, Sydney, Australia

NICTA, Sydney, Australia
View Profile

,
Harvey Tuch

NICTA & UNSW, Sydney, Australia

NICTA & UNSW, Sydney, Australia
View Profile

,
Simon Winwood

NICTA & UNSW, Sydney, Australia

NICTA & UNSW, Sydney, Australia
View Profile

SOSP '09: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principlesOctober 2009Pages 207–220https://doi.org/10.1145/1629575.1629596

Published:11 October 2009Publication History

SOSP '09: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles

Pages 207–220

ABSTRACT

Complete formal verification is the only known way to guarantee that a system is free of programming errors.

We present our experience in performing the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of compiler, assembly code, and hardware, and we used a unique design approach that fuses formal and operating systems techniques. To our knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel. Functional correctness means here that the implementation always strictly follows our high-level abstract specification of kernel behaviour. This encompasses traditional design and implementation safety properties such as the kernel will never crash, and it will never perform an unsafe operation. It also proves much more: we can predict precisely how the kernel will behave in every possible situation.

seL4, a third-generation microkernel of L4 provenance, comprises 8,700 lines of C code and 600 lines of assembler. Its performance is comparable to other high-performance L4 kernels.

References

M. Accetta, R. Baron, W. Bolosky, D. Golub, R. Rashid, A. Tevanian, and M. Young. Mach: A new kernel foundation for UNIX development. In 1986 Summer USENIX, pages 93--112, 1986.Google Scholar
E. Alkassar, M. Hillebrand, D. Leinenbach, N. Schirmer, A. Starostin, and A. Tsyban. Balancing the load -- leveraging a semantics stack for systems verification. JAR, 42(2-4), 2009. Google ScholarDigital Library
E. Alkassar, N. Schirmer, and A. Starostin. Formal pervasive verification of a paging mechanism. In C.R. Ramakrishnan and J. Rehof, editors, Tools and Alg. for the Construction and Analysis of Systems (TACAS), volume 4963 of LNCS, pages 109--123. Springer, 2008. Google ScholarDigital Library
J. Alves-Foss, P.W. Oman, C. Taylor, and S. Harrison. The MILS architecture for high-assurance embedded systems. Int. J. Emb. Syst., 2:239--247, 2006.Google ScholarCross Ref
M. Archer, E. Leonard, and M. Pradella. Analyzing security-enhanced Linux policy specifications. In POLICY '03: Proc. 4th IEEE Int. WS on Policies for Distributed Systems and Networks, pages 158--169. IEEE Computer Society, 2003. Google ScholarDigital Library
T. Ball and S.K. Rajamani. SLIC: A specification language for interface checking. Technical Report MSR-TR-2001-21, Microsoft Research, 2001.Google Scholar
B.N. Bershad, S. Savage, P. Pardyak, E.G. Sirer, M.E. Fiuczynski, D. Becker, C. Chambers, and S. Eggers. Extensibility, safety and performance in the SPIN operating system. In 15th SOSP, Dec 1995. Google ScholarDigital Library
W.R. Bevier. Kit: A study in operating system verification. IEEE Transactions on Software Engineering, 15(11):1382--1396, 1989. Google ScholarDigital Library
W.R. Bevier and L. Smith. A mathematical model of the Mach kernel: Atomic actions and locks. Technical Report 89, Computational Logic Inc., Apr 1993.Google Scholar
I.T. Bowman, R.C. Holt, and N.V. Brewster. Linux as a case study: its extracted software architecture. In ICSE '99: Proc. 21st Int. Conf. on Software Engineering, pages 555--563. ACM, 1999. Google ScholarDigital Library
A. Boyton. A verified shared capability model. In G. Klein, R. Huuck, and B. Schlich, editors, 4th WS Syst. Softw. Verification SSV'09, ENTCS, pages 99--116. Elsevier, Jun 2009.Google Scholar
P. Brinch Hansen. The nucleus of a multiprogramming operating system. CACM, 13:238--250, 1970. Google ScholarDigital Library
D. Cock. Bitfields and tagged unions in C: Verification through automatic generation. In B. Beckert and G. Klein, editors, VERIFY'08, volume 372 of CEUR Workshop Proceedings, pages 44--55, Aug 2008.Google Scholar
D. Cock, G. Klein, and T. Sewell. Secure microkernels, state monads and scalable refinement. In O.A. Mohamed, C. Mu n oz, and S. Tahar, editors, 21st TPHOLs, volume 5170 of LNCS, pages 167--182. Springer, Aug 2008. Google ScholarDigital Library
B. Cook, A. Gotsman, A. Podelski, A. Rybalchenko, and M.Y. Vardi. Proving that programs eventually do something good. In 34th POPL. ACM, 2007. Google ScholarDigital Library
J. Criswell, A. Lenharth, D. Dhurjati, and V. Adve. Secure virtual architecture: A safe execution environment for commodity operating systems. In 16th SOSP, pages 351--366, Oct 2007. Google ScholarDigital Library
U. Dannowski. Personal communication.Google Scholar
W.-P. de Roever and K. Engelhardt. Data Refinement: Model-Oriented Proof Methods and their Comparison. Number 47 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1998. Google ScholarDigital Library
P. Derrin, K. Elphinstone, G. Klein, D. Cock, and M.M.T. Chakravarty. Running the manual: An approach to high-assurance microkernel development. In ACM SIGPLAN Haskell WS, Sep 2006. Google ScholarDigital Library
D. Elkaduwe, P. Derrin, and K. Elphinstone. Kernel design for isolation and assurance of physical memory. In 1st IIES, pages 35--40. ACM SIGOPS, Apr 2008. Google ScholarDigital Library
D. Elkaduwe, G. Klein, and K. Elphinstone. Verified protection model of the seL4 microkernel. In J. Woodcock and N. Shankar, editors, VSTTE 2008 -- Verified Softw.: Theories, Tools&Experiments, volume 5295 of LNCS, pages 99--114. Springer, Oct 2008. Google ScholarDigital Library
K. Elphinstone, G. Klein, P. Derrin, T. Roscoe, and G. Heiser. Towards a practical, verified kernel. In 11th HotOS, pages 117--122, May 2007. Google ScholarDigital Library
M. Faehndrich, M. Aiken, C. Hawblitzel, O. Hodson, G.C. Hunt, J.R. Larus, and S. Levi. Language support for fast and reliable message-based communication in Singularity OS. In 1st EuroSys Conf., pages 177--190, Apr 2006. Google ScholarDigital Library
R.J. Feiertag and P.G. Neumann. The foundations of a provably secure operating system (PSOS). In AFIPS Conf. Proc., 1979 National Comp. Conf., Jun 1979.Google ScholarCross Ref
B. Ford, M. Hibler, J. Lepreau, R. McGrath, and P. Tullmann. Interface and execution models in the Fluke kernel. In 3rd OSDI. USENIX, Feb 1999. Google ScholarDigital Library
T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. In 19th SOSP, Oct 2003. Google ScholarDigital Library
Green Hills Software, Inc. INTEGRITY-178B separation kernel security target version 1.0. http://www.niap-ccevs.org/cc-scheme/st/st_vid10119-st.pdf, 2008.Google Scholar
Greenhills Software, Inc. Integrity real-time operating system. http://www.ghs.com/products/rtos/integrity.html, 2008.Google Scholar
J.D. Guttman, A.L. Herzog, J.D. Ramsdell, and C.W. Skorupka. Verifying information flow goals in security-enhanced Linux. Journal of Computer Security, 13(1):115--134, 2005. Google ScholarDigital Library
J.T. Haigh and W.D. Young. Extending the noninterference version of MLS for SAT. IEEE Trans. on Software Engineering, 13(2):141--150, 1987. Google ScholarDigital Library
D.S. Hardin, E.W. Smith, and W.D. Young. A robust machine code proof framework for highly secure applications. In ACL2'06: Proc. Int. WS on the ACL2 theorem prover and its applications. ACM, 2006. Google ScholarDigital Library
G. Heiser. Hypervisors for consumer electronics. In 6th IEEE CCNC, 2009. Google ScholarDigital Library
C.L. Heitmeyer, M. Archer, E.I. Leonard, and J. McLean. Formal specification and verification of data separation in a separation kernel for an embedded system. In CCS '06: Proc. 13th Conf. on Computer and Communications Security, pages 346--355. ACM, 2006. Google ScholarDigital Library
T.A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Software verification with Blast. In SPIN'03, Workshop on Model Checking Software, 2003. Google ScholarDigital Library
M. Hohmuth, M. Peter, H. Haertig, and J.S. Shapiro. Reducing TCB size by using untrusted components -- small kernels versus virtual-machine monitors. In 11th SIGOPS Eur. WS, Sep 2004. Google ScholarDigital Library
M. Hohmuth and H. Tews. The VFiasco approach for a verified operating system. In 2nd PLOS, Jul 2005.Google Scholar
Iguana. http://www.ertos.nicta.com.au/software/kenge/iguana-project/latest/.Google Scholar
Information Assurance Directorate. U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Jun 2007. Version 1.03. http://www.niap--ccevs.org/cc--scheme/pp/pp.cfm/id/pp_skpp_hr_v1.03/.Google Scholar
ISO/IEC. Programming languages -- C. Technical Report 9899:TC2, ISO/IEC JTC1/SC22/WG14, May 2005.Google Scholar
G. Klein. Operating system verification -- an overview. Sadhana, 34(1):27--69, Feb 2009. Google ScholarDigital Library
G. Klein, P. Derrin, and K. Elphinstone. Experience report: seL4 -- formally verifying a high-performance microkernel. In 14th ICFP, Aug 2009. Google ScholarDigital Library
R. Kolanski and G. Klein. Types, maps and separation logic. In S. Berghofer, T. Nipkow, C. Urban, and M. Wenzel, editors, Proc. TPHOLs'09, volume 5674 of LNCS. Springer, 2009. Google ScholarDigital Library
L4HQ. http://l4hq.org/arch/arm/.Google Scholar
X. Leroy. Formal certification of a compiler back-end, or: Programming a compiler with a proof assistant. In J.G. Morrisett and S.L.P. Jones, editors, 33rd POPL, pages 42--54. ACM, 2006. Google ScholarDigital Library
J. Liedtke. Improving IPC by kernel design. In 14th SOSP, pages 175--188, Dec 1993. Google ScholarDigital Library
J. Liedtke. Towards real microkernels. CACM, 39(9):70--77, Sep 1996. Google ScholarDigital Library
J. Liedtke, K. Elphinstone, S. Schoenberg, H. Haertig, G. Heiser, N. Islam, and T. Jaeger. Achieved IPC performance (still the foundation for extensibility). In 6th HotOS, pages 28--31, May 1997. Google ScholarDigital Library
W.B. Martin, P. White, A. Goldberg, and F.S. Taylor. Formal construction of the mathematically analyzed separation kernel. In ASE '00: Proc. 15th IEEE Int. Conf. on Automated software engineering, pages 133--141. IEEE Computer Society, 2000. Google ScholarDigital Library
Z. Ni, D. Yu, and Z. Shao. Using XCAP to certify realistic system code: Machine context management. In Proc. TPHOLs'07, volume 4732 of LNCS, pages 189--206. Springer, Sep 2007. Google ScholarDigital Library
T. Nipkow, L. Paulson, and M. Wenzel. Isabelle/HOL -- A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer, 2002. Google ScholarDigital Library
OKL4 web site. http://okl4.org.Google Scholar
T. Perrine, J. Codd, and B. Hardy. An overview of the kernelized secure operating system (KSOS). In Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference, pages 146--160, Sep 1984.Google Scholar
Rockwell Collins, Inc. AAMP7r1 Reference Manual, 2003.Google Scholar
J.M. Rushby. Design and verification of secure systems. In 8th SOSP, pages 12--21, 1981. Google ScholarDigital Library
O. Saydjari, J. Beckman, and J. Leaman. Locking computers securely. In 10th National Computer Security Conference, pages 129--141, Sep 1987.Google Scholar
A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In 16th SOSP, pages 335--350, Oct 2007. Google ScholarDigital Library
J.S. Shapiro, D.F. Faber, and J.M. Smith. State caching in the EROS kernel--implementing efficient orthogonal peristence in a pure capability system. In 5th IWOOOS, pages 89--100, Nov 1996.Google Scholar
J.S. Shapiro, J.M. Smith, and D.J. Farber. EROS: A fast capability system. In 17th SOSP, Dec 1999. Google ScholarDigital Library
L. Singaravelu, C. Pu, H. Haertig, and C. Helmuth. Reducing TCB complexity for security-sensitive applications: Three case studies. In 1st EuroSys Conf., pages 161--174, Apr 2006. Google ScholarDigital Library
R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask security architecture: System support for diverse security policies. In 8th USENIX Security Symp., Aug 1999. Google ScholarDigital Library
H. Tews, T. Weber, and M. Voelp. A formal model of memory peculiarities for the verification of low-level operating-system code. In R. Huuck, G. Klein, and B. Schlich, editors, Proc. 3rd Int. WS on Systems Software Verification (SSV'08), volume 217 of ENTCS, pages 79--96. Elsevier, Feb 2008. Google ScholarDigital Library
H. Tuch. Formal Memory Models for Verifying C Systems Code. PhD thesis, UNSW, Aug 2008.Google Scholar
H. Tuch. Formal verification of C systems code: Structured types, separation logic and theorem proving. JAR, 42(2-4):125--187, 2009. Google ScholarDigital Library
H. Tuch, G. Klein, and G. Heiser. OS verification -- now! In 10th HotOS, pages 7--12. USENIX, Jun 2005. Google ScholarDigital Library
H. Tuch, G. Klein, and M. Norrish. Types, bytes, and separation logic. In M. Hofmann and M. Felleisen, editors, 34th POPL, pages 97--108, Jan 2007. Google ScholarDigital Library
US National Institute of Standards. Common Criteria for IT Security Evaluation, 1999. ISO Standard 15408. http://csrc.nist.gov/cc/.Google Scholar
B.J. Walker, R.A. Kemmerer, and G.J. Popek. Specification and verification of the UCLA Unix security kernel. CACM, 23(2):118--131, 1980. Google ScholarDigital Library
D.A. Wheeler. SLOCCount. http://www.dwheeler.com/sloccount/, 2001.Google Scholar
A. Whitaker, M. Shaw, and S. D. Gribble. Scale and performance in the Denali isolation kernel. In 5th OSDI, Dec 2002. Google ScholarDigital Library
S. Winwood, G. Klein, T. Sewell, J. Andronick, D. Cock, and M. Norrish. Mind the gap: A verification framework for low-level C. In S. Berghofer, T. Nipkow, C. Urban, and M. Wenzel, editors, Proc. TPHOLs'09, volume 5674. Springer, 2009. Google ScholarDigital Library
W. Wulf, E. Cohen, W. Corwin, A. Jones, R. Levin, C. Pierson, and F. Pollack. HYDRA: The kernel of a multiprocessor operating system. CACM, 17:337--345, 1974. Google ScholarDigital Library

Index Terms

seL4: formal verification of an OS kernel

Recommendations

Comprehensive formal verification of an OS microkernel

We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel.

We discuss the kernel design we used to make its verification tractable. We then describe the functional ...
Read More
Experience report: seL4: formally verifying a high-performance microkernel
ICFP '09

We report on our experience using Haskell as an executable specification language in the formal verification of the seL4 microkernel. The verification connects an abstract operational specification in the theorem prover Isabelle/HOL to a C ...
Read More
Experience report: seL4: formally verifying a high-performance microkernel
ICFP '09: Proceedings of the 14th ACM SIGPLAN international conference on Functional programming

We report on our experience using Haskell as an executable specification language in the formal verification of the seL4 microkernel. The verification connects an abstract operational specification in the theorem prover Isabelle/HOL to a C ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SOSP '09: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
October 2009
346 pages
ISBN:9781605587523
DOI:10.1145/1629575
General Chair:
Jeanna Neefe Matthews
Clarkson University
,
Program Chair:
Thomas Anderson
University of Washington
Copyright © 2009 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 11 October 2009
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
isabelle/hol
l4
microkernel
sel4
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate131of716submissions,18%
Upcoming Conference
SOSP '24

Sponsor:

sigops

ACM SIGOPS 29th Symposium on Operating Systems Principles

November 5 - 8, 2024

Austin , TX , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 1,148
  Total Citations
  View Citations
- 6,138
  Total Downloads
- Downloads (Last 12 months)830
- Downloads (Last 6 weeks)306
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.