Refinement in the Formal Verification of the seL4 Microkernel

  • Gerwin Klein
  • Thomas Sewell
  • Simon Winwood


We present an overview of the different refinement frameworks used in the L4.verified project to formally prove the functional correctness of the seL4 microkernel. The verification is conducted in the interactive theorem prover Isabelle/HOL and proceeds in two large refinement steps: one proof between two monadic, functional specifications in HOL and one proof between such a monadic specification and a C program. To connect these proofs into one overall theorem, we map both refinement statements into a common overall framework.
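The two refinement steps named in the abstract are forward-simulation proofs (the L4.verified "corres" statement) between nondeterministic state monads: every step of the more concrete layer must be matched by a step of the more abstract one with the same result and related post-states. As an added illustration, not code from the seL4 proofs or from the L4.verified project, the following Python checks such a simulation exhaustively for a hypothetical slot allocator given in three representations (abstract set, executable tuple, C-style bitmask), chains the two state relations into one overall abstract-to-bitmask statement, and shows that the opposite direction does not hold. The allocator, `NSLOTS`, the state relations and all function names are assumptions; the failure flag and the preconditions of the real corres definition are left out.

```python
"""Forward simulation ("corres") between layered specifications, checked by
exhaustive enumeration. Added illustration in the style of the L4.verified
refinement statement, not code from the seL4 proofs; the slot allocator, its
three representations and NSLOTS are hypothetical.

Each operation is a nondeterministic state monad modelled as
    state -> set of (result, post-state)
i.e. the shape of Isabelle's  'a state_monad = state => ('a x state) set
with the failure flag left out.
"""
from itertools import product

NSLOTS = 4  # hypothetical; small enough to enumerate every state


# Layer A, abstract spec: state = frozenset of free slot numbers.
# alloc may hand out ANY free slot; no behaviour at all when none is free.
def alloc_abs(s):
    return {(i, s - {i}) for i in s}


# Layer B, executable spec: state = tuple of bools, True = free.
# alloc deterministically takes the lowest free slot, one of A's choices.
def alloc_exec(t):
    for i, free in enumerate(t):
        if free:
            return {(i, t[:i] + (False,) + t[i + 1:])}
    return set()


# Layer C, "C-level" representation: state = int bitmask, bit i set = free.
def alloc_bits(m):
    if m == 0:
        return set()
    low = m & -m                      # isolate lowest set bit
    return {(low.bit_length() - 1, m & ~low)}


# State relations between adjacent layers (the "sr" of corres).
def rel_ab(s, t):
    return s == frozenset(i for i, free in enumerate(t) if free)


def rel_bc(t, m):
    return m == sum(1 << i for i, free in enumerate(t) if free)


def corres(rel, abs_op, conc_op, abs_states, conc_states):
    """Forward simulation: for every related (s, t) and every concrete step
    (r', t') of conc_op from t, some abstract step (r, s') of abs_op from s
    has r == r' and rel(s', t'). Returns the list of counterexamples."""
    bad = []
    for s, t in product(abs_states, conc_states):
        if not rel(s, t):
            continue
        abs_steps = abs_op(s)
        for r_c, t2 in conc_op(t):
            if not any(r_a == r_c and rel(s2, t2) for r_a, s2 in abs_steps):
                bad.append((s, t, r_c, t2))
    return bad


ABS_STATES = [frozenset(i for i in range(NSLOTS) if b >> i & 1)
              for b in range(1 << NSLOTS)]
EXEC_STATES = [tuple(bool(b >> i & 1) for i in range(NSLOTS))
               for b in range(1 << NSLOTS)]
BITS_STATES = list(range(1 << NSLOTS))


def rel_ac(s, m):
    """Composed relation A-to-C: some B state sits between s and m."""
    return any(rel_ab(s, t) and rel_bc(t, m) for t in EXEC_STATES)


def check_all():
    """Number of counterexamples for each refinement statement."""
    return {
        "A>=B": len(corres(rel_ab, alloc_abs, alloc_exec, ABS_STATES, EXEC_STATES)),
        "B>=C": len(corres(rel_bc, alloc_exec, alloc_bits, EXEC_STATES, BITS_STATES)),
        # chained: the overall A-to-C statement obtained from both steps
        "A>=C": len(corres(rel_ac, alloc_abs, alloc_bits, ABS_STATES, BITS_STATES)),
        # wrong direction: B cannot simulate A's free choice of slot
        "B>=A": len(corres(lambda t, s: rel_ab(s, t), alloc_exec, alloc_abs,
                           EXEC_STATES, ABS_STATES)),
    }


if __name__ == "__main__":
    for name, n in check_all().items():
        print(f"{name}: {'holds' if n == 0 else f'{n} counterexamples'}")
```

The three "holds" results are the toy analogue of the paper's two proofs plus the combined theorem; the composed relation `rel_ac` plays the role of the common framework into which both statements are mapped. The failing `B>=A` check shows why the direction matters: refinement may resolve nondeterminism (the executable layer commits to the lowest slot) but may never introduce behaviour the abstract layer does not allow.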







Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

NICTA, Sydney, Australia
