Results 1 - 7 of 7
Better avionics software reliability by code verification – A glance at code verification methodology in the Verisoft XT project
In Embedded World 2009 Conference, 2009
Cited by 5 (2 self)
Abstract. Software reliability is a core requirement for safety- and security-critical systems. In the area of avionics, for example, the DO-178B standard requires extensive validation, such as software reviews, requirement engineering, coverage analysis, and careful design of test cases. In a broader context, EAL7 (of the Common Criteria framework) also demands “formally verified, designed, and tested” systems. It is part of the BMBF-supported Verisoft XT project (www.verisoftxt.de) to explore the freedom of design offered within these regulatory requirements, where code verification is one of the available options. In recent years, deductive code verification has improved to a degree that makes it feasible for real-world programs. In the Verisoft XT subproject Avionics, the goal is to apply formal methods to a commercial embedded operating system. In particular, the goal is to use deductive techniques to verify functional correctness of the PikeOS microkernel. For verification, we use tools like VCC (the Verifying C Compiler) developed by Microsoft Research, which is a batch-mode verification tool, i.e., when all specifications and other required information have been added as annotations to the source code (which is the actual user effort required), the tool verifies the code automatically. First experiences with this new tool are described in this paper.
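What "adding specifications as annotations to the source code" looks like in VCC's syntax, as an added example that is not from the paper or the Verisoft XT project: a byte-copy routine carrying a VCC contract (preconditions, a frame clause, postconditions and loop invariants). The `_(...)` macro stub that hides the annotations from a plain C compiler mirrors what VCC's own `vcc.h` does outside a verification run, and the builtins used (`\thread_local_array`, `\arrays_disjoint`, `\array_range`, `\forall`, `\result`) follow the VCC tutorial's conventions; both are assumptions here. The file compiles and runs with an ordinary C compiler, but the contract is only checked when VCC itself is run on it.

```c
/* Added example (not the paper's code): a C routine with VCC-style
 * contract annotations.  Under VCC, vcc.h defines _(...) as the
 * annotation marker; elsewhere the stub below (an assumption standing
 * in for vcc.h) expands every annotation to nothing, so the annotated
 * source is also the source that ships.  Builtin names follow the VCC
 * tutorial and are assumptions; nothing is verified unless VCC runs. */
#include <stddef.h>

#ifdef VERIFY
#include <vcc.h>            /* VCC's own header during verification */
#else
#define _(...)              /* plain compilers: annotations vanish */
#endif

/* Copy n bytes from src to dst and report how many bytes changed.
 * The contract states what a caller may assume: src is readable by
 * this thread, the two ranges do not overlap, only dst[0..n) is
 * written, afterwards dst mirrors src, and the count never exceeds n. */
unsigned copy_count_changes(unsigned char *dst, const unsigned char *src, unsigned n)
    _(requires \thread_local_array(src, n))
    _(requires \arrays_disjoint(src, n, dst, n))
    _(writes \array_range(dst, n))
    _(ensures \forall unsigned j; j < n ==> dst[j] == src[j])
    _(ensures \result <= n)
{
    unsigned changed = 0;
    for (unsigned i = 0; i < n; i++)
        _(invariant i <= n && changed <= i)
        _(invariant \forall unsigned j; j < i ==> dst[j] == src[j])
    {
        if (dst[i] != src[i]) {
            dst[i] = src[i];
            changed++;
        }
    }
    return changed;
}

/* Constructed sample input: two of the four bytes differ, so the
 * routine reports 2 and leaves dst equal to src. */
unsigned demo_changed(void)
{
    unsigned char dst[4] = {1, 2, 3, 4};
    const unsigned char src[4] = {1, 9, 3, 7};
    return copy_count_changes(dst, src, 4);
}

int main(void)
{
    return demo_changed() == 2 ? 0 : 1;
}
```

The loop invariants are where the "user effort" of the abstract concentrates: VCC proves the postcondition from the invariant and the loop exit condition, and an invariant that is too weak (dropping `changed <= i`, say) leaves the `\result <= n` postcondition unprovable even though the code is correct.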
Types, Maps and Separation Logic
Cited by 2 (2 self)
Abstract. This paper presents a separation-logic framework for reasoning about low-level C code in the presence of virtual memory. We describe our abstract, generic Isabelle/HOL framework for reasoning about virtual memory in separation logic, and we instantiate this framework to a precise, formal model of ARMv6 page tables. The logic supports the usual separation logic rules, including the frame rule, and extends separation logic with additional basic predicates for mapping virtual to physical addresses. We build on earlier work to parse potentially type-unsafe, system-level C code directly into Isabelle/HOL and further instantiate the separation logic framework to C.
Mapped Separation Logic
Cited by 2 (1 self)
Abstract. We present Mapped Separation Logic, an instance of Separation Logic for reasoning about virtual memory. Our logic is formalised in the Isabelle/HOL theorem prover and it allows reasoning on properties about page tables, direct physical memory access, virtual memory access, and shared memory. Mapped Separation Logic fully supports all rules of abstract Separation Logic, including the frame rule.
Pervasive verification of an OS microkernel: Inline assembly, memory consumption, concurrent devices
2010
Cited by 2 (2 self)
Abstract. We report on the first formal pervasive verification of an operating system microkernel featuring the correctness of inline assembly, large non-trivial C portions, and concurrent devices in a single seamless formal proof. We integrated all relevant verification results we had achieved so far [21,20,2,5,4] into a single top-level theorem of microkernel correctness. This theorem states the simulation of user processes with their own, separate virtual memories, via the microkernel, by the underlying hardware with devices. All models, theorems, and proofs are formalized in the interactive proof system Isabelle/HOL.
Towards a worldwide verification technology
In Proceedings of the Verified Software: Theories, Tools, Experiments Conference (VSTTE 2005), 2005
Cited by 1 (0 self)
Verisoft [1] is a large coordinated project funded by the German Federal Government. The mission of the project is i) to develop the technology which
Formal Device and Programming Model for a Serial Interface
Cited by 1 (0 self)
Abstract. The verification of device drivers is essential for the pervasive verification of an operating system. To show the correctness of device drivers, devices have to be formally modeled. In this paper we present the formal model of the serial interface controller UART 16550A. By combining the device model with a formal model of a processor instruction set architecture we obtain an assembler-level programming model for a serial interface. As a programming and verification example we present a simple UART driver implemented in assembler and prove its correctness. All models presented in this paper have been formally specified in the Isabelle/HOL theorem prover.
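The device-model-plus-driver approach the abstract describes, as an added example that is neither the paper's Isabelle/HOL model nor its assembler driver: a constructed C model of the 16550A transmit path (THR at offset 0, LSR at offset 5 with the THRE and TEMT bits, a 16-byte transmit FIFO, and a step function that shifts one byte onto the line), a polled driver written against that model, and an executable check of the property a correctness proof establishes: every byte the driver sends reaches the line, in order, with no loss. The register offsets and LSR bits are the standard 16550A layout; the FIFO depth, the line sink and the step semantics are modelling assumptions. A test explores one interleaving of device steps and driver polls; the formal model has to quantify over all of them.

```c
/* Added example (not the paper's model): a software model of the
 * 16550A transmit side and a polled driver against it.  Register map
 * and LSR bits are the standard 16550A layout; FIFO depth, the "line"
 * sink and the one-byte-per-step semantics are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UART_THR 0                 /* transmit holding register (write) */
#define UART_LSR 5                 /* line status register (read) */
#define LSR_THRE (1u << 5)         /* THR empty: room to write */
#define LSR_TEMT (1u << 6)         /* transmitter empty: fully drained */
#define TX_FIFO_DEPTH 16           /* assumption: 16550A FIFO depth */

typedef struct {
    uint8_t tx_fifo[TX_FIFO_DEPTH];
    size_t  tx_count;              /* bytes queued in the FIFO */
    uint8_t line[256];             /* bytes that reached the wire */
    size_t  line_len;
} uart_model;

/* Device side: register read as seen by the driver. */
static uint8_t uart_read(const uart_model *u, unsigned reg)
{
    if (reg != UART_LSR) return 0;
    uint8_t lsr = 0;
    if (u->tx_count < TX_FIFO_DEPTH) lsr |= LSR_THRE;
    if (u->tx_count == 0)            lsr |= LSR_TEMT;
    return lsr;
}

/* Device side: register write.  A THR write into a full FIFO is dropped,
 * which is the hazard a correct driver has to rule out. */
static void uart_write(uart_model *u, unsigned reg, uint8_t v)
{
    if (reg == UART_THR && u->tx_count < TX_FIFO_DEPTH)
        u->tx_fifo[u->tx_count++] = v;
}

/* Device side: one hardware step moves the oldest FIFO byte to the line. */
static void uart_step(uart_model *u)
{
    if (u->tx_count > 0 && u->line_len < sizeof u->line) {
        u->line[u->line_len++] = u->tx_fifo[0];
        memmove(u->tx_fifo, u->tx_fifo + 1, --u->tx_count);
    }
}

/* Driver side: poll THRE, letting the device step between polls. */
static void drv_putc(uart_model *u, uint8_t c)
{
    while (!(uart_read(u, UART_LSR) & LSR_THRE))
        uart_step(u);
    uart_write(u, UART_THR, c);
}

static void drv_puts(uart_model *u, const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        drv_putc(u, buf[i]);
    while (!(uart_read(u, UART_LSR) & LSR_TEMT))   /* wait for drain */
        uart_step(u);
}

/* Property check: 1 if the line carries exactly msg[0..n) in order. */
int check_transmit(const uint8_t *msg, size_t n)
{
    uart_model u;
    memset(&u, 0, sizeof u);
    if (n > sizeof u.line) return 0;             /* model bound */
    drv_puts(&u, msg, n);
    return u.line_len == n && memcmp(u.line, msg, n) == 0;
}

/* Contrast: a driver that never polls loses bytes once the FIFO fills. */
int check_unpolled(const uint8_t *msg, size_t n)
{
    uart_model u;
    memset(&u, 0, sizeof u);
    if (n > sizeof u.line) return 0;
    for (size_t i = 0; i < n; i++)
        uart_write(&u, UART_THR, msg[i]);
    while (u.tx_count > 0) uart_step(&u);
    return u.line_len == n && memcmp(u.line, msg, n) == 0;
}

int main(void)
{
    /* constructed sample input, longer than the FIFO on purpose */
    static const uint8_t msg[] = "pervasive verification of a UART driver, 16550A";
    return check_transmit(msg, sizeof msg - 1) ? 0 : 1;
}
```

The split between `uart_read`/`uart_write`/`uart_step` (device transition relation) and `drv_putc`/`drv_puts` (program) is the shape the abstract describes: the driver proof is a statement about the program's interaction with the device's transition system, and the unpolled variant shows the failure the THRE check exists to prevent.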
Lyrebird — Assigning Meanings to Machines
This paper presents work in progress on the Lyrebird framework, consisting of a language for specifying the programmer-visible behaviour of a processor and its associated devices, a tool for automatically producing a fast simulator, and a formal semantic interpretation providing a machine model for use in an interactive theorem prover. Machine specifications are modular, providing abstract interfaces and structural parameterization (MMU-less processors, for example). Also presented is a specific example: an instantiation for the ARM1136jf-s core.

