Journal of Automated Reasoning

, Volume 42, Issue 2–4, pp 349–388 | Cite as

Proving Fairness and Implementation Correctness of a Microkernel Scheduler

  • Matthias Daum
  • Jan Dörrenbächer
  • Burkhart Wolff


We report on the formal proof of a microkernel’s key property, namely that its multi-priority process scheduler guarantees progress, i.e., strong fairness. The proof architecture links a layer of behavioral reasoning over system-trace sets with a concrete, fairly realistic implementation written in C. Our microkernel provides an infrastructure for memory virtualization, for communication with hardware devices, for processes (represented as a sequence of assembly instructions, which are executed concurrently over an underlying, formally defined processor), and for inter-process communication (IPC) via synchronous message passing. The kernel establishes process switches according to IPCs and timer-events; the scheduling of process switches, however, follows a hierarchy of priorities, favoring, e.g., system processes over application processes over maintenance processes. Besides the quite substantial models developed in Isabelle/HOL and the formal clarification of their relationship, we provide a detailed analysis what formal requirements a microkernel imposes on the key ingredients (hardware, timers, machine-dependent code) in order to establish the correct operation of the overall system. On the methodological side, we show how early modeling with foresight to the later verification has substantially helped our project.


Microkernel Formal verification Interactive theorem proving Isabelle/HOL 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alkassar, E., Hillebrand, M.A.: Formal functional verification of device drivers. In: Woodcock, J., Shankar, N. (eds.) Verified Software: Theories, Tools, and Experiments. LNCS, vol. 5295, pp. 225–239. Springer, New York (2008)CrossRefGoogle Scholar
  2. 2.
    Alkassar, E., Hillebrand, M.A., Leinenbach, D., Schirmer, N.W., Starostin, A.: The Verisoft approach to systems verification. In: Shankar, N., Woodcock, J. (eds.) Verified Software: Theories, Tools, and Experiments. LNCS, vol. 5295, pp. 209–224. Springer, New York (2008)CrossRefGoogle Scholar
  3. 3.
    Alkassar, E., Hillebrand, M.A., Leinenbach, D.C., Schirmer, N.W., Starostin, A., Tsyban, A.: Balancing the load—leveraging a semantics stack for systems verification. J. Autom. Reasoning, Special Issue on Operating System Verification (2009). doi: 10.1007/s10817-009-9123-z Google Scholar
  4. 4.
    Alkassar, E., Schirmer, N., Starostin, A.: Formal pervasive verification of a paging mechanism. In: TACAS. LNCS, vol. 4963, pp. 109–123. Springer, New York (2008)Google Scholar
  5. 5.
    Andrews, P.B.: An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof. Kluwer, Dordrecht (2002)zbMATHGoogle Scholar
  6. 6.
    Barnett, M., Chang, B.Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: a modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.P (eds.) Formal Methods for Components and Objects: 4th International Symposium, FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, New York (2006)CrossRefGoogle Scholar
  7. 7.
    Basin, D.A., Kuruma, H., Miyazaki, K., Takaragi, K., Wolff, B.: Verifying a signature architecture: a comparative case study. Form. Asp. Comput. 19(1), 63–91 (2007)zbMATHCrossRefGoogle Scholar
  8. 8.
    Bevier, W.R.: Kit and the short stack. J. Autom. Reason. 5(4), 519–530 (1989)Google Scholar
  9. 9.
    Bevier, W.R., Hunt, W.A., Jr., Moore, J S., Young, W.D.: An approach to systems verification. J. Autom. Reason. 5(4), 411–428 (1989)Google Scholar
  10. 10.
    Beyer, S., Jacobi, C., Kröning, D., Leinenbach, D., Paul, W.J.: Putting it all together: Formal verification of the VAMP. STTT 8(4–5), 411–430 (2006)CrossRefGoogle Scholar
  11. 11.
    Böhme, S., Leino, K.R.M., Wolff, B.: HOL-Boogie—an interactive prover for the Boogie program-verifier. In: Mohamed, O.A., Muñoz, C., Tahar, S. (eds.) TPHOLs. LNCS, vol. 5170, pp. 150–166. Springer, New York (2008)Google Scholar
  12. 12.
    Brock, B., Kaufmann, M., Moore, J S.: ACL2 theorems about commercial microprocessors. In: FMCAD, pp. 275–293. Springer, New York (1996)Google Scholar
  13. 13.
    Church, A.: A formulation of the simple theory of types. J. Symb. Log. 5(2), 56–68 (1940)zbMATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    Cock, D., Klein, G., Sewell, T.: Secure microkernels, state monads and scalable refinement. In: Mohamed, O.A., Muñoz, C., Tahar, S. (eds.) TPHOLs. LNCS, vol. 5170, pp. 167–182. Springer, New York (2008)Google Scholar
  15. 15.
    Cohen, E., Moskal, M., Schulte, W., Tobies, S.: A precise yet efficient memory model for C (2008).
  16. 16.
    Daum, M., Dörrenbächer, J., Wolff, B., Schmidt, M.: A verification approach for system-level concurrent programs. In: Woodcock, J., Shankar, N. (eds.) Verified Software: Theories, Tools, and Experiments. LNCS, vol. 5295, pp. 161–176. Springer, New York (2008)CrossRefGoogle Scholar
  17. 17.
    Elphinstone, K., Greenaway, D., Ruocco, S.: Lazy scheduling and direct process switch – merit or myths? In: Workshop on Operating System Platforms for Embedded Real-Time Applications. Pisa, Italy (2007).
  18. 18.
    Engler, D.R., Kaashoek, M.F., O’Toole, J.: Exokernel: an operating system architecture for application-level resource management. In: SOSP, pp. 251–266. ACM, New York (1995)Google Scholar
  19. 19.
    Fagin, R., Williams, J.H.: A fair carpool scheduling algorithm. IBM J. Res. Develop. 27(2), 133–139 (1983)CrossRefGoogle Scholar
  20. 20.
    Filliâtre, J.C., Marché, C.: The why/Krakatoa/Caduceus platform for deductive program verification. In: CAV, pp. 173–177, Berlin, 3–7 July 2007Google Scholar
  21. 21.
    Fleisch, B.D., Co, M.A.A.: Workplace microkernel and OS: a case study. Softw. Pract. Exp. 28(6), 569–591 (1998)CrossRefGoogle Scholar
  22. 22.
    Fox, A.C.J.: Formal specification and verification of ARM6. In: TPHOLs, pp. 25–40, Rome, 8–12 September 2003Google Scholar
  23. 23.
    Francez, N.: Fairness. Springer, New York (1986)zbMATHGoogle Scholar
  24. 24.
    Heckmann, R., Ferdinand, C.: Worst-case execution time prediction by static program analysis. White paper, AbsInt Angewandte Informatik GmbH (2004).
  25. 25.
    Heiser, G., Elphinstone, K., Kuz, I., Klein, G., Petters, S.M.: Towards trustworthy computing systems: taking microkernels to the next level. Oper. Syst. Rev. 41(4), 3–11 (2007)CrossRefGoogle Scholar
  26. 26.
    Hillebrand, M.A., Paul, W.J.: On the architecture of system verification environments. In: Haifa Verification Conference, pp. 153–168. Springer, New York (2007)Google Scholar
  27. 27.
    In der Rieden, T., Tsyban, A.: CVM—a verified framework for microkernel programmers. In: Systems Software Verification. ENTCS, vol. 217, pp. 151–168. Elsevier Science B.V., Amsterdam (2008)Google Scholar
  28. 28.
    Kaiser, R.: Combining partitioning and virtualization for safety-critical systems. White Paper WP_CPV_10_A4_R10, SYSGO AG (2007).
  29. 29.
    Klein, G.: Operating system verification—an overview. In: Sādhanā, vol. 34, no. 1, pp. 27–69. Springer (2009)Google Scholar
  30. 30.
    Knapp, S., Paul, W.: Realistic worst case execution time analysis in the context of pervasive system verification. In: Reps, T., Sagiv, M., Bauer, J. (eds.) Program Analysis and Compilation, Theory and Practice: Essays Dedicated to Reinhard Wilhelm on the Occasion of his 60th Birthday. Lecture Notes in Computer Science, vol. 4444, pp. 53–81. Springer, New York (2007). Google Scholar
  31. 31.
    Leinenbach, D.: Compiler verification in the context of pervasive system verification. Ph.D. thesis, Saarland University, Saarbrücken (2008).
  32. 32.
    Leinenbach, D., Paul, W.J., Petrova, E.: Towards the formal verification of a C0 compiler: Code generation and implementation correctness. In: SEFM, pp. 2–12. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  33. 33.
    Liedtke, J.: Improving IPC by kernel design. In: SOSP, pp. 175–188. ACM, New York (1993)Google Scholar
  34. 34.
    Liedtke, J.: On μ-kernel construction. In: SOSP, pp. 237–250. ACM, New York (1995)Google Scholar
  35. 35.
    Liedtke, J.: Towards real microkernels. Commun. ACM 39(9), 70–77 (1996)CrossRefGoogle Scholar
  36. 36.
    Moore, J S.: A grand challenge proposal for formal methods: A verified stack. In: 10th Anniversary Colloquium of UNU/IIST, pp. 161–172. Springer, New York (2002)Google Scholar
  37. 37.
    Moore, J S., Lynch, T.W., Kaufmann, M.: A mechanically checked proof of the AMD5K86TM floating point division program. IEEE Trans. Comput. 47(9), 913–926 (1998)CrossRefMathSciNetGoogle Scholar
  38. 38.
    Ni, Z., Yu, D., Shao, Z.: Using XCAP to certify realistic systems code: Machine context management. In: TPHOLs. LNCS, vol. 4732, pp. 189–206. Springer, New York (2007)Google Scholar
  39. 39.
    Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: A proof assistant for higher-order logic. LNCS, vol. 2283. Springer, New York (2002)zbMATHGoogle Scholar
  40. 40.
    Petters, S.M., Zadarnowski, P., Heiser, G.: Measurements or static analysis or both? In: Rochange, C. (ed.) WCET. Dagstuhl Seminar Proceedings, vol. 07002. Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany (2007)Google Scholar
  41. 41.
    Rashid, R., Avadis Tevanin, J., Young, M., Golub, D., Baron, R.: Machine-independent virtual memory management for paged uniprocessor and multiprocessor architectures. IEEE Trans. Comput. 37(8), 896–908 (1988)CrossRefGoogle Scholar
  42. 42.
    Ruocco, S.: Real-time programming and L4 microkernels. In: Workshop on Operating System Platforms for Embedded Real-Time Applications, Dresden, Germany (2006).
  43. 43.
    Samman, T.: Verifying 50,000 lines of C code. Futures, Microsoft’s European Innovation Magazine, vol. 21. Microsoft Corporate Affairs Europe, Brussels (2008)Google Scholar
  44. 44.
    Schirmer, N.: A verification environment for sequential imperative programs in Isabelle/HOL. In: LPAR. LNCS, pp. 398–414. Springer, New York (2005). Google Scholar
  45. 45.
    Schirmer, N.: Verification of sequential imperative programs in Isabelle/HOL. Ph.D. thesis, TU Munich (2006)Google Scholar
  46. 46.
    Shapiro, J., Doerrie, M.S., Northup, E., Sridhar, S., Miller, M.: Towards a verified, general-purpose operating system kernel. In: FM Workshop on OS Verification. Tech. rep. 0401005T-1, pp.  1–19. National ICT Australia (2004).
  47. 47.
    Singal, M., Petters, S.M.: Issues in analysing L4 for its WCET. In: Workshop on Microkernels for Embedded Systems, Sydney, Australia. (2007)
  48. 48.
    Starostin, A., Tsyban, A.: Correct microkernel primitives. In: Systems Software Verification. ENTCS, vol. 217, pp. 169–185. Elsevier Science B.V., Amsterdam (2008)Google Scholar
  49. 49.
    Starostin, A., Tsyban, A.: Verified process-context switch for C-programmed kernels. In: Shankar, N., Woodcock, J. (eds.) Verified Software: Theories, Tools, and Experiments. LNCS, vol. 5295, pp. 240–254. Springer, New York (2008)CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media B.V. 2009

Authors and Affiliations

  • Matthias Daum
    • 1
  • Jan Dörrenbächer
    • 1
  • Burkhart Wolff
    • 2
  1. 1.Computer Science Dept.Saarland UniversitySaarbrückenGermany
  2. 2.LRIUniversité Paris-SudOrsay CedexFrance

Personalised recommendations