Abstract
We present an overview of the different refinement frameworks used in the L4.verified project to formally prove the functional correctness of the seL4 microkernel. The verification is conducted in the interactive theorem prover Isabelle/HOL and proceeds in two large refinement steps: one proof between two monadic, functional specifications in HOL and one proof between such a monadic specification and a C program. To connect these proofs into one overall theorem, we map both refinement statements into a common overall framework.
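The refinement statement the abstract describes is a forward simulation: a state relation ties an abstract state to a concrete one, and every step of the concrete program must be matched by some step of the (possibly nondeterministic) abstract specification that keeps the two states related. Two such steps, abstract to intermediate and intermediate to concrete, are glued into one end-to-end statement by composing the two relations. The following script is an added illustration, not code from the L4.verified project or from this chapter: the toy "allocate a free slot" operation, the three state representations, the relations and the exhaustive checker are all constructed here over a tiny finite state space, whereas the seL4 proofs are Isabelle/HOL theorems over unbounded kernel state.

```python
"""Toy forward-simulation (data refinement) check between a nondeterministic
state-monad specification and two more concrete implementations.

Added illustration, not code from the L4.verified project: the operations,
state relations and the exhaustive checker below are constructed here. The
seL4 proofs are Isabelle/HOL theorems over unbounded state; this script only
enumerates a small finite state space to show the shape of the statement.
"""
from itertools import combinations, product

N = 3  # number of slots in the toy state (constructed parameter)

# Layer A (abstract spec): state is the set of free slots. 'alloc' is a
# nondeterministic monadic operation: it returns a set of (result, state')
# outcomes, one per free slot it may hand out. No free slot: fail, state kept.
def abs_alloc(free):
    if not free:
        return {(None, free)}
    return {(s, free - {s}) for s in free}

# Layer M (intermediate, mirroring the chapter's two-step structure): free
# slots kept as a sorted tuple; alloc deterministically takes the smallest.
def mid_alloc(free_list):
    if not free_list:
        return {(None, free_list)}
    return {(free_list[0], free_list[1:])}

# Layer C (concrete, standing in for the C code): bitmap of free flags.
def conc_alloc(bitmap):
    for i, is_free in enumerate(bitmap):
        if is_free:
            return {(i, bitmap[:i] + (False,) + bitmap[i + 1:])}
    return {(None, bitmap)}

# A broken concrete version that forgets to clear the flag (double allocation).
def conc_alloc_buggy(bitmap):
    for i, is_free in enumerate(bitmap):
        if is_free:
            return {(i, bitmap)}
    return {(None, bitmap)}

# Finite universes of states for exhaustive checking.
ABS_STATES = [frozenset(c) for k in range(N + 1) for c in combinations(range(N), k)]
MID_STATES = [tuple(sorted(c)) for k in range(N + 1) for c in combinations(range(N), k)]
CONC_STATES = list(product((False, True), repeat=N))

# State relations between adjacent layers.
def rel_am(free, free_list):
    return free == frozenset(free_list)

def rel_mc(free_list, bitmap):
    return free_list == tuple(i for i, b in enumerate(bitmap) if b)

def compose(rel1, rel2, mid_states):
    """Relational composition: t ~ s iff some intermediate m has t ~ m and m ~ s.
    This is how two refinement steps are glued into one end-to-end relation."""
    return lambda t, s: any(rel1(t, m) and rel2(m, s) for m in mid_states)

def refines(abs_op, conc_op, abs_states, conc_states, rel):
    """Forward simulation: for every related pair (t, s) and every concrete
    outcome (r, s2), some abstract outcome (r, t2) exists with rel(t2, s2).
    Returns (True, None) or (False, counterexample)."""
    for t, s in product(abs_states, conc_states):
        if not rel(t, s):
            continue
        abs_out = abs_op(t)
        for r, s2 in conc_op(s):
            if not any(r == r2 and rel(t2, s2) for r2, t2 in abs_out):
                return False, (t, s, r, s2)
    return True, None

def check_all():
    """Run both refinement steps, the composed end-to-end step, and the buggy case."""
    ok_am, _ = refines(abs_alloc, mid_alloc, ABS_STATES, MID_STATES, rel_am)
    ok_mc, _ = refines(mid_alloc, conc_alloc, MID_STATES, CONC_STATES, rel_mc)
    rel_ac = compose(rel_am, rel_mc, MID_STATES)
    ok_ac, _ = refines(abs_alloc, conc_alloc, ABS_STATES, CONC_STATES, rel_ac)
    ok_bug, cex = refines(abs_alloc, conc_alloc_buggy, ABS_STATES, CONC_STATES, rel_ac)
    return ok_am, ok_mc, ok_ac, ok_bug, cex

if __name__ == "__main__":
    print(check_all())
```

The two honest layers pass both steps and the composed step; the buggy bitmap implementation fails because, after handing out slot 0, its state still relates only to an abstract state in which slot 0 is free, and no abstract outcome matches that. The counterexample returned by `refines` plays the role that a failed proof obligation plays in the interactive proof: it names the pair of states and the step on which the simulation breaks.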
© 2010 Springer Science+Business Media, LLC
Klein, G., Sewell, T., Winwood, S. (2010). Refinement in the Formal Verification of the seL4 Microkernel. In: Hardin, D. (eds) Design and Verification of Microprocessor Systems for High-Assurance Applications. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-1539-9_11
Print ISBN: 978-1-4419-1538-2
Online ISBN: 978-1-4419-1539-9