Results 1 - 5 of 5
A.: Pervasive verification of an OS microkernel: Inline assembly, memory consumption, concurrent devices, 2010
Cited by 2 (2 self)
Abstract. We report on the first formal pervasive verification of an operating system microkernel featuring the correctness of inline assembly, large non-trivial C portions, and concurrent devices in a single seamless formal proof. We integrated all relevant verification results we had achieved so far [21,20,2,5,4] into a single top-level theorem of microkernel correctness. This theorem states the simulation of user processes with their own, separate virtual memories — via the microkernel — by the underlying hardware with devices. All models, theorems, and proofs are formalized in the interactive proof system Isabelle/HOL.
Theory for Software Verification, 2009
Cited by 1 (0 self)
Semantic models are the basis for specification and verification of software. Operational, denotational, and axiomatic or algebraic methods offer complementary insights and reasoning techniques which are surveyed here. Unifying theories are needed to link models. Also considered are selected programming features for which new models are needed.
Operating System Development with ATS Work in Progress
Typical operating system design is marked by trade-offs between speed and reliability, features and security. Most systems are written in a low-level untyped programming language to achieve optimal hardware usage and for other practical reasons. But, this often results in CPU, memory, and I/O protection flaws due to mistakes in unverified code. On the other hand, fully verified systems are exceedingly hard to construct on any industrial scale. A high-level programming language, with an expressive type system suitable for systems programming, can help alleviate many of these problems without requiring the enormous effort of full verification. Categories and Subject Descriptors D.1.1 [PROGRAMMING
Preemption Abstraction: A Lightweight Approach to Modelling Concurrency
Abstract. This paper presents the preemption abstraction, an abstraction technique for lightweight verification of one sequential component of a concurrent system. Thereby, different components of the system are permitted to interfere with each other. The preemption abstraction yields a sequential abstract system that can easily be described in the higher-order logic of a theorem prover. One can therefore avoid the cumbersome and costly reasoning about all possible interleavings of state changes of each system component. The preemption abstraction is best suited for components that use preemption points, that is, where the concurrently running environment can only interfere at a limited number of points. The preemption abstraction has been used to model the IPC subsystem of the Fiasco microkernel. We proved two practically relevant properties of the model. On the attempt to prove a third property, namely that the assertions in the code are always valid, we discovered a bug that could potentially crash the whole system.
From Operating-System Correctness to Pervasively Verified Applications, 2010
Abstract. Though program verification is known and has been used for decades, the verification of a complete computer system still remains a grand challenge. Part of this challenge is the interaction of application programs with the operating system, which is usually entrusted with retrieving input data from and transferring output data to peripheral devices. In this scenario, the correct operation of the applications inherently relies on operating-system correctness. Based on the formal correctness of our real-time operating system Olos, this paper describes an approach to pervasively verify applications running on top of the operating system.

