Results 1  10
of
14
seL4: Formal Verification of an OS Kernel
 ACM SYMPOSIUM ON OPERATING SYSTEMS PRINCIPLES
, 2009
"... Complete formal verification is the only known way to guarantee that a system is free of programming errors. We present our experience in performing the formal, machinechecked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of ..."
Abstract

Cited by 288 (45 self)
 Add to MetaCart
(Show Context)
Complete formal verification is the only known way to guarantee that a system is free of programming errors. We present our experience in performing the formal, machinechecked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of compiler, assembly code, and hardware, and we used a unique design approach that fuses formal and operating systems techniques. To our knowledge, this is the first formal proof of functional correctness of a complete, generalpurpose operatingsystem kernel. Functional correctness means here that the implementation always strictly follows our highlevel abstract specification of kernel behaviour. This encompasses traditional design and implementation safety properties such as the kernel will never crash, and it will never perform an unsafe operation. It also proves much more: we can predict precisely how the kernel will behave in every possible situation. seL4, a thirdgeneration microkernel of L4 provenance, comprises 8,700 lines of C code and 600 lines of assembler. Its performance is comparable to other highperformance L4 kernels.
A trustworthy monadic formalization of the armv7 instruction set architecture
 In Proc. 23rd Int. Conf˙on Interactive Theorem Proving (ITP’10), LNCS
, 2010
"... Abstract. This paper presents a new HOL4 formalization of the current ARM instruction set architecture, ARMv7. This is a modern RISC architecture with many advanced features. The formalization is detailed and extensive. Considerable tool support has been developed, with the goal of making the model ..."
Abstract

Cited by 31 (3 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents a new HOL4 formalization of the current ARM instruction set architecture, ARMv7. This is a modern RISC architecture with many advanced features. The formalization is detailed and extensive. Considerable tool support has been developed, with the goal of making the model accessible and easy to work with. The model and supporting tools are publicly available – we wish to encourage others to make use of this resource. This paper explains our monadic specification approach and gives some details of the endeavours that have been made to ensure that the sizeable model is valid and trustworthy. A novel and efficient testing approach has been developed, based on automated forward proof and communication with ARM development boards. 1
Verified JustInTime Compiler on x86
"... This paper presents a method for creating formally correct justintime (JIT) compilers. The tractability of our approach is demonstrated through, what we believe is the first, verification of a JIT compiler with respect to a realistic semantics of selfmodifying x86 machine code. Our semantics inclu ..."
Abstract

Cited by 23 (5 self)
 Add to MetaCart
(Show Context)
This paper presents a method for creating formally correct justintime (JIT) compilers. The tractability of our approach is demonstrated through, what we believe is the first, verification of a JIT compiler with respect to a realistic semantics of selfmodifying x86 machine code. Our semantics includes a model of the instruction cache. Two versions of the verified JIT compiler are presented: one generates all of the machine code at once, the other one is incremental i.e. produces code ondemand. All proofs have been performed inside the HOL4 theorem prover.
seL4: from general purpose to a proof of information flow enforcement
 In IEEE Symp. Security & Privacy
, 2013
"... Abstract—In contrast to testing, mathematical reasoning and formal verification can show the absence of whole classes of security vulnerabilities. We present the, to our knowledge, first complete, formal, machinechecked verification of information flow security for the implementation of a generalp ..."
Abstract

Cited by 21 (6 self)
 Add to MetaCart
(Show Context)
Abstract—In contrast to testing, mathematical reasoning and formal verification can show the absence of whole classes of security vulnerabilities. We present the, to our knowledge, first complete, formal, machinechecked verification of information flow security for the implementation of a generalpurpose microkernel; namely seL4. Unlike previous proofs of information flow security for operating system kernels, ours applies to the actual 8,830 lines of C code that implement seL4, and so rules out the possibility of invalidation by implementation errors in this code. We assume correctness of compiler, assembly code, hardware, and boot code. We prove everything else. This proof is strong evidence of seL4’s utility as a separation kernel, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control. We describe the information flow security statement we proved (a variant of intransitive noninterference), including the assumptions on which it rests, as well as the modifications that had to be made to seL4 to ensure it was enforced. We discuss the practical limitations and implications of this result, including covert channels not covered by the formal proof. I.
Hoare logic for realistically modelled machine code
 In Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2007), LNCS
, 2007
"... Abstract. This paper presents a mechanised Hoarestyle programming logic framework for assembly level programs. The framework has been designed to fit on top of operational semantics of realistically modelled machine code. Many ad hoc restrictions and features present in real machinecode are handle ..."
Abstract

Cited by 20 (5 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents a mechanised Hoarestyle programming logic framework for assembly level programs. The framework has been designed to fit on top of operational semantics of realistically modelled machine code. Many ad hoc restrictions and features present in real machinecode are handled, including finite memory, data and code in the same memory space, the behavior of status registers and hazards of corrupting special purpose registers (e.g. the program counter, procedure return register and stack pointer). Despite accurately modeling such low level details, the approach yields concise specifications for machinecode programs without using common simplifying assumptions (like an unbounded state space). The framework is based on a flexible state representation in which functional and resource usage specifications are written in a style inspired by separation logic. The presented work has been formalised in higherorder logic, mechanised in the HOL4 system and is currently being used to verify ARM machinecode implementations of arithmetic and cryptographic operations. 1
Machinecode verification for multiple architectures: An application of decompilation into logic
 In Formal Methods in Computer Aided Design (FMCAD
, 2008
"... Abstract — Realistic formal specifications of machine languages for commercial processors consist of thousands of lines of definitions. Current methods support trustworthy proofs of the correctness of programs for one such specification. However, these methods provide little or no support for reusin ..."
Abstract

Cited by 17 (9 self)
 Add to MetaCart
(Show Context)
Abstract — Realistic formal specifications of machine languages for commercial processors consist of thousands of lines of definitions. Current methods support trustworthy proofs of the correctness of programs for one such specification. However, these methods provide little or no support for reusing proofs of the same algorithm implemented in different machine languages. We describe an approach, based on proofproducing decompilation, which both makes machinecode verification tractable and supports proof reuse between different languages. We briefly present examples based on detailed models of machine code for ARM, PowerPC and x86. The theories and tools have been implemented in the HOL4 system. I.
A verifying core for a cryptographic language compiler
 In Manolios, P., Wilding, M., eds.: 6th ACL2 Workshop. (2006
, 2006
"... A verifying compiler is one that emits both object code and a proof of correspondence between object and source code. 1 We report the use of ACL2 in building a verifying compiler for µCryptol, a streambased language for encryption algorithm specification that targets Rockwell Collins’ AAMP7 micropr ..."
Abstract

Cited by 17 (4 self)
 Add to MetaCart
(Show Context)
A verifying compiler is one that emits both object code and a proof of correspondence between object and source code. 1 We report the use of ACL2 in building a verifying compiler for µCryptol, a streambased language for encryption algorithm specification that targets Rockwell Collins’ AAMP7 microprocessor (and is designed to compile efficiently to hardware, too). This paper reports on our success in verifying the “core ” transformations of the compiler – those transformations over the sublanguage of µCryptol that begin after “higherorder ” aspects of the language are compiled away, and finish just before hardware or software specific transformations are exercised. The core transformations are responsible for aggressive optimizations. We have written an ACL2 macro that automatically generates both the correspondence theorems and their proofs. The compiler also supplies measure functions that ACL2 uses to automatically prove termination of µCryptol programs, including programs with mutuallyrecursive cliques of streams. Our verifying compiler has proved the correctness of its core transformations for multiple algorithms, including TEA, RC6, and AES. Finally, we describe an ACL2 book of primitive operations for the general specification and verification of encryption algorithms. Categories and Subject Descriptors D.2.4 [Software Engineering]: Software/Program Verification—correctness proofs, formal methods, reliability; D.3.4 ∗ The ACL2 books associated with this paper can be retrieved at
Verification Condition Generation via Theorem Proving
 Proceedings of the 13th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2006), Vol. 4246 of LNCS
, 2006
"... Abstract. We present a method to convert (i) an operational semantics for a given machine language, and (ii) an offtheshelf theorem prover, into a high assurance verification condition generator (VCG). Given a program annotated with assertions at cutpoints, we show how to use the theorem prover di ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We present a method to convert (i) an operational semantics for a given machine language, and (ii) an offtheshelf theorem prover, into a high assurance verification condition generator (VCG). Given a program annotated with assertions at cutpoints, we show how to use the theorem prover directly on the operational semantics to generate verification conditions analogous to those produced by a custombuilt VCG. Thus no separate VCG is necessary, and the theorem prover can be employed both to generate and to discharge the verification conditions. The method handles both partial and total correctness. It is also compositional in that the correctness of a subroutine needs to be proved once, rather than at each call site. The method has been used to verify several machinelevel programs using the ACL2 theorem prover. 1
Hoare logic for ARM machine code
 in Proceedings of the IPM International Symposium on Fundamentals of Software Engineering (FSEN
, 2007
"... Abstract. This paper shows how a machinecode Hoare logic is used to lift reasoning from the tedious operational model of a machine language to a manageable level of abstraction without making simplifying assumptions. A Hoare logic is placed on top of a highfidelity model of the ARM instruction set ..."
Abstract

Cited by 8 (4 self)
 Add to MetaCart
(Show Context)
Abstract. This paper shows how a machinecode Hoare logic is used to lift reasoning from the tedious operational model of a machine language to a manageable level of abstraction without making simplifying assumptions. A Hoare logic is placed on top of a highfidelity model of the ARM instruction set. We show how the generality of ARM instructions is captured by specifications in the logic and how the logic can be used to prove loops and procedures that traverse pointerbased data structures. The presented work has been mechanised in the HOL4 theorem prover and is currently being used to verify ARM machine code implementations of arithmetic and cryptographic operations. 1
Toward the Verification of a Simple Hypervisor
"... Virtualization promises significant benefits in security, efficiency, dependability, and cost. Achieving these benefits depends upon the reliability of the underlying virtual machine monitors (hypervisors). This paper describes an ongoing project to develop and verify MinVisor, a simple but function ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
Virtualization promises significant benefits in security, efficiency, dependability, and cost. Achieving these benefits depends upon the reliability of the underlying virtual machine monitors (hypervisors). This paper describes an ongoing project to develop and verify MinVisor, a simple but functional TypeI x86 hypervisor, proving protection properties at the assembly level using ACL2. Originally based on an existing research hypervisor, MinVisor provides protection of its own memory from a malicious guest. Our longterm goal is to fully verify MinVisor, providing a vehicle to investigate the modeling and verification of hypervisors at the implementation level, and also a basis for further systems research. Functional segments of the MinVisor C code base are translated into Y86 assembly, and verified with respect to the Y86 model. The inductive assertions (also known as “compositional cutpoints”) methodology is used to prove the correctness of the code. The proof of the code that sets up the nested page tables is described. We compare this project to related efforts in systems code verification and outline some useful steps forward. 1