Abstract
A virtual memory manager (VMM) is the part of an operating system that provides the rest of the kernel with an abstract model of memory. Although small in size, it involves complicated and interdependent invariants that make monolithic verification of the VMM and of the kernel running on top of it difficult. In this paper, we make the observation that a VMM is constructed in layers: physical page allocation, page table drivers, address space API, etc., each layer providing an abstraction that the next layer utilizes. We use this layering to simplify the verification of the individual modules of the VMM and then to link them together by composing a series of small refinements. The compositional verification also supports function calls from less abstract layers into more abstract ones, allowing us to simplify the verification of initialization functions as well. To facilitate such compositional verification, we develop a framework that assists in the creation of verification systems for each layer and of refinements between the layers. Using this framework, we have produced a certification of BabyVMM, a small VMM designed for simplified hardware. The same proof also shows that a certified kernel using BabyVMM's virtual memory abstraction can be refined following a similar sequence of refinements, and can then be safely linked with BabyVMM. Both the verification framework and the entire certification of BabyVMM have been mechanized in the Coq Proof Assistant.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Vaynberg, A., Shao, Z. (2012). Compositional Verification of a Baby Virtual Memory Manager. In: Hawblitzel, C., Miller, D. (eds) Certified Programs and Proofs. CPP 2012. Lecture Notes in Computer Science, vol 7679. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35308-6_13
DOI: https://doi.org/10.1007/978-3-642-35308-6_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35307-9
Online ISBN: 978-3-642-35308-6