## Verifying the L4 virtual memory subsystem (2004)


Venue: National ICT Australia

Citations: 13 (4 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Tuch04verifyingthe,
  author    = {Harvey Tuch and Gerwin Klein},
  title     = {Verifying the L4 virtual memory subsystem},
  booktitle = {National ICT Australia},
  year      = {2004},
  pages     = {73--97}
}
```


### Abstract

We describe aspects of the formalisation and verification of the L4 µ-kernel. Starting from an abstract model of the virtual memory subsystem in L4, we prove safety properties about this model, and then refine the page table abstraction, one part of the model, towards C source code. All formalisations and proofs have been carried out in the theorem prover Isabelle.

### Citations

References cited by the paper, each with the passage in which it is cited. The bracketed number is the reference number used in the paper; the "cited by" count is the cited work's own citation count on this index.

- [12] Liedtke. On Microkernel Construction. 1995. (cited by 340)
  Context: …formalisations and proofs have been carried out in the theorem prover Isabelle. 1 Introduction. L4 is a second-generation microkernel based on the principles of minimality, flexibility, and efficiency [12]. It provides the traditional advantages of the microkernel approach to system structure, namely improved reliability and flexibility, while overcoming the performance limitations of the previous gene…

- [5] de Roever, Engelhardt. Data refinement: model-oriented proof methods and their comparison. 1998. (cited by 149)
  Context: …ctness of the implementation with respect to the abstraction is established by showing the concrete model to be a refinement of the abstract model. Here refinement is taken to mean data refinement [5] and we use the proof technique of simulation. Simulation between an abstract ('a, 'j, 'o) DataType and a concrete ('c, 'j, 'o) DataType is formalized as follows. The step relations for each…

- [8] Huck, Hays. Architectural Support for Translation Table Management in Large Address Space Machines. 1993. (cited by 83)
  Context: …ing systems therefore use data structures that balance the requirement for fast traversal and memory use considerations. These include multi-level page tables, inverse page tables, hashed page tables [8] and guarded page tables [13]. L4Ka::Pistachio implements a multi-level hierarchical page table (MLPT). The page table format defined by the ARM hardware, a two-level page table, is an instance of thi…

- [2] Bevier. Kit: A Study in Operating System Verification. 1989. (cited by 58)
  Context: …re hampered by the lack of mechanisation and appropriate tools available at the time and so while the designs were formalised, the full verification proofs were not practical. Later work, such as KIT [2], describes verification of properties such as process isolation to source or object level but with kernels providing far simpler and less general abstractions than modern microkernels. There exists s…

- [18] Talluri, Kong, et al. Tradeoffs in supporting two page sizes. 1992. (cited by 56)
  Context: …eably in the previous section, this will no longer be sufficient when considering the specifics of page table implementations, since modern TLBs usually support multiple page sizes, called superpages [18], in order to improve the coverage of the TLB; a single PTE (and TLB entry) can then cover large regions of the address space. Hence many virtual pages may be associated with a single virtual address…

- [20] Walker, Kemmerer, et al. Specification and verification of the UCLA Unix security kernel. 1980. (cited by 56)
  Context: …its operations in a programming language that in its level of abstraction is close to C. Earlier work on operating system kernel formalisation and verification includes PSOS [15] and UCLA Secure Unix [20]. The focus of this work was on capability-based security kernels, allowing security policies such as multi-level security to be enforced. These efforts were hampered by the lack of mechanisation and…

- [15] Neumann, Boyer, et al. A Provably Secure Operating System: The system, its applications, and proofs. 1980. (cited by 45)
  Context: …implementation of some of its operations in a programming language that in its level of abstraction is close to C. Earlier work on operating system kernel formalisation and verification includes PSOS [15] and UCLA Secure Unix [20]. The focus of this work was on capability-based security kernels, allowing security policies such as multi-level security to be enforced. These efforts were hampered by the…

- [14] Naraschewski, Wenzel. Object-oriented verification based on record subtyping in higher-order logic. 1998. (cited by 38)
  Context: …re updates, abbreviates to [...]. For example, empty(x ↦ y) becomes [x ↦ y]. Implication is denoted by ⟹ and [A1; …; An] ⟹ A abbreviates A1 ⟹ (… ⟹ (An ⟹ A)…). Records in Isabelle [14], as familiar from programming languages, are essentially tuples with named fields. The type declaration `record point = X :: nat  Y :: nat` creates a new record type point with two components X and Y…

- [7] Hohmuth, Tews, et al. Applying source-code verification to a microkernel: the VFiasco project. 2002. (cited by 29)
  Context: …de guarantees of correctness. Finally, the VFiasco project, working with the Fiasco implementation of L4, has published exploratory work on the issues involved in C++ verification at the source level [7]. After introducing our notation in the following section, we first present the abstract conceptual model of virtual memory in L4 in section 3, and then show parts of the refinement of the memory look…

- [16] Schirmer. A verification environment for sequential imperative programs in Isabelle/HOL. 2005. (cited by 21)
  Context: …indexed at a level above the intended insertion point. We describe the two larger operations, lookup and insertion, from the concrete model below. We utilise the verification environment of Schirmer [16] with custom pretty-printing to provide C-like syntax. Keywords, procedure names, and program variables referring to the current state are printed in typewriter font. Normal Isabelle functions and con…

- [19] Tullmann, Turner, et al. Formal methods: A practical tool for OS implementors. 1997. (cited by 19)
  Context: …nd Weber [17] give an operational semantics for EROS and prove a confinement security policy. Our work differs in that we plan to formally relate our model to the implementation. Some case studies [6, 4, 19] appear in the literature in which the IPC and scheduling subsystems of microkernels have been described in PROMELA and verified with the SPIN model checker. These abstractions were not necessarily so…

- [4] Cattel. Modelling and verification of a multiprocessor realtime OS kernel. 1994. (cited by 17)
  Context: …nd Weber [17] give an operational semantics for EROS and prove a confinement security policy. Our work differs in that we plan to formally relate our model to the implementation. Some case studies [6, 4, 19] appear in the literature in which the IPC and scheduling subsystems of microkernels have been described in PROMELA and verified with the SPIN model checker. These abstractions were not necessarily so…

- [17] Shapiro, Weber. Verifying operating system security. 1997. (cited by 11)
  Context: …lling of microkernels at the abstract level with varying degrees of completeness. Bevier and Smith [3] specify legal Mach states and describe Mach system calls using temporal logic. Shapiro and Weber [17] give an operational semantics for EROS and prove a confinement security policy. Our work differs in that we plan to formally relate our model to the implementation. Some case studies [6, 4, 19] ap…

- [6] Duval, Julliand. Modelling and verification of the RUBIS µ-kernel with SPIN. 1995. (cited by 9)
  Context: …nd Weber [17] give an operational semantics for EROS and prove a confinement security policy. Our work differs in that we plan to formally relate our model to the implementation. Some case studies [6, 4, 19] appear in the literature in which the IPC and scheduling subsystems of microkernels have been described in PROMELA and verified with the SPIN model checker. These abstractions were not necessarily so…

- [3] Bevier, Smith. A mathematical model of the Mach kernel. 1994. (cited by 8)
  Context: …s general abstractions than modern microkernels. There exists some work in the literature on the modelling of microkernels at the abstract level with varying degrees of completeness. Bevier and Smith [3] specify legal Mach states and describe Mach system calls using temporal logic. Shapiro and Weber [17] give an operational semantics for EROS and prove a confinement security policy. Our work diffe…

- [9] Klein, Tuch. Towards verified virtual memory in L4. 2004. (cited by 8)
  Context: …pulating the mapping from virtual to physical memory pages of address spaces at user-level. We now present a formal model for address spaces. A first description of this model has already appeared in [9]. For completeness, we repeat parts of it in sections 3.1 and 3.2. The treatment of abstract datatypes in section 3.3 is updated to incorporate operations with output. 3.1 Address Spaces. Fig. 2 illust…

- [13] Liedtke. On the Realization of Huge Sparsely-Occupied and Fine-Grained Address Spaces. Oldenbourg, 1996. (cited by 7)
  Context: …ta structures that balance the requirement for fast traversal and memory use considerations. These include multi-level page tables, inverse page tables, hashed page tables [8] and guarded page tables [13]. L4Ka::Pistachio implements a multi-level hierarchical page table (MLPT). The page table format defined by the ARM hardware, a two-level page table, is an instance of this. MLPTs are tree data struct…