We propose a development methodology for designing and prototyping high assurance microkernels, and describe our application of it. The methodology is based on rapid prototyping and iterative refinement of the microkernel in a functional programming language. The prototype provides a precise semi-formal model, which is also combined with a machine simulator to form a reference implementation capable of executing real user-level software, to obtain accurate feedback on the suitability of the kernel API during development phases. We extract from the prototype a machine-checkable formal specification in higher-order logic, which may be used to verify properties of the design, and also results in corrections to the design without the need for full verification. We found the approach leads to productive, highly iterative development where formal modelling, semi-formal design and prototyping, and end use all contribute to a more mature final design in a shorter period of time.

Abstract. We present a Hoare logic for a call-by-value programming language equipped with recursive, higher-order functions, algebraic data types, and a polymorphic type system in the style of Hindley and Milner. It is the theoretical basis for a tool that extracts proof obligations out of programs annotated with logical assertions. These proof obligations, expressed in a typed, higher-order logic, are discharged using off-theshelf automated or interactive theorem provers. Although the technical apparatus that we exploit is by now standard, its application to callby-value functional programming languages appears to be new, and (we claim) deserves attention. As a sample application, we check the partial correctness of a balanced binary search tree implementation. 1

This paper argues that a pragmatic approach is needed for integrating design and formalisation of complex systems. We report on our approach to designing the seL4 operating system microkernel API and its formalisation in Isabelle/HOL. The formalisation consists of the systematic translation of significant parts of the functional programming language Haskell into Isabelle/HOL, including monadbased code. We give an account of the experience, decisions and outcomes in this translation as well as the technical problems we encountered together with our solutions. The longer-term goal is to demonstrate that formalisation and verification of a large, complex, OS-level code base is feasible with current tools and methods and is in the order of magnitude of traditional development cost.

Abstract. In programs written in lazy functional languages such as for example Clean and Haskell, the programmer can choose freely whether particular subexpressions will be evaluated lazily (the default) or strictly (must be specified explicitly). It is widely known that this choice affects program behavior, resource consumption and semantics in several ways. However, not much experience is available about the impact on logical program properties and formal reasoning. This paper aims to give a better understanding of the concept of explicit strictness. The impact of explicit strictness on formal reasoning will be investigated. It will be shown that this impact is bigger than expected and that tool support is needed for formal reasoning in the context of explicit strictness. We introduce the various ways in which strictness specific support is offered by the proof assistant Sparkle. 1

Counter Automata are Finite State Automata which include a set of registers containing natural numbers, and where state transitions occur based on these register values. The contribution of our work is to extend previous work on verification of counter automata properties to cover arbitrary computable functions and predicates (in principle). In order to achieve this, we use the dependently typed language Agda to verify properties. The advantage of this approach is that it allows us to verify both functional and extra-functional properties such as resource consumption, in the presence of iteration and control parameters. However, we are not able to achieve fully automatic verification. We illustrate our approach using three examples: i) verifying that a particular finite state automaton accepts exactly those binary sequences divisible by 3, if they are interpreted as numbers; ii) verifying the worst-case execution time of a system of three boxes, depending on an unknown control parameter; and iii) verifying the number of box executions for a system of two boxes, which is non-linear.