Journal of Automated Reasoning, Volume 42, Issue 2–4, pp 389–454

Balancing the Load

Leveraging a Semantics Stack for Systems Verification
  • Eyad Alkassar
  • Mark A. Hillebrand
  • Dirk C. Leinenbach
  • Norbert W. Schirmer
  • Artem Starostin
  • Alexandra Tsyban
Article

Abstract

We have developed a stack of semantics for a high-level C-like language and low-level assembly code, which has been carefully crafted to support the pervasive verification of system software. It can handle mixed-language implementations and concurrently operating devices, and permits the transfer of properties to the target architecture while obeying its resource restrictions. We demonstrate the applicability of our framework by proving the correct virtualization of user memory in our microkernel, which implements demand paging. This verification target is of particular interest because it has a relatively simple top-level specification and it exercises all parts of our semantics stack. At the bottom level a disk driver written in assembly implements page transfers via a swap disk. A page-fault handler written in C uses the driver to implement the paging algorithm. It guarantees that a step of the currently executing user can be simulated at the architecture level. Besides the theoretical and technical difficulties, the project also posed the social challenge of managing the large verification effort, spread over many sites and people concurrently contributing to and maintaining a common theory corpus. We share our experiences and elaborate on lessons learned.

Keywords

Pervasive formal verification, Systems verification, Software verification



Copyright information

© Springer Science+Business Media B.V. 2009

Authors and Affiliations

  • Eyad Alkassar (2)
  • Mark A. Hillebrand (1)
  • Dirk C. Leinenbach (1)
  • Norbert W. Schirmer (1)
  • Artem Starostin (2)
  • Alexandra Tsyban (2)

  1. German Research Center for Artificial Intelligence (DFKI), Saarbrücken, Germany
  2. Computer Science Dept., Saarland University, Saarbrücken, Germany