Model-Checking the Linux Virtual File System

  • Andy Galloway
  • Gerald Lüttgen
  • Jan Tobias Mühlberg
  • Radu I. Siminiceanu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5403)


This paper presents a case study in modelling and verifying the Linux Virtual File System (VFS). Our work is set in the context of Hoare’s verification grand challenge and, in particular, Joshi and Holzmann’s mini-challenge to build a verifiable file system. The aim of the study is to assess the viability of retrospective verification of a VFS implementation using model-checking technology. We show how to extract an executable model of the Linux VFS implementation, validate the model by employing the simulation capabilities of SPIN, and analyse it for adherence to data integrity constraints and deadlock freedom using the SMART model checker.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alkassar, E., Schirmer, N., Starostin, A.: Formal pervasive verification of a paging mechanism. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 109–123. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Arkoudas, K., Zee, K., Kuncak, V., Rinard, M.C.: Verifying a file system implementation. In: Davies, J., Schulte, W., Barnett, M. (eds.) ICFEM 2004. LNCS, vol. 3308, pp. 373–390. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Ball, T., Rajamani, S.K.: Automatically validating temporal safety properties of interfaces. In: Dwyer, M.B. (ed.) SPIN 2001. LNCS, vol. 2057, pp. 103–122. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Bovet, D.P., Cesati, M.: Understanding the Linux Kernel. O’Reilly, Sebastopol (2002)Google Scholar
  5. 5.
    Chaki, S., Clarke, E.M., Groce, A., Ouaknine, J., Strichman, O., Yorav, K.: Efficient verification of sequential and concurrent C programs. FMSD 25(2-3), 129–166 (2004)zbMATHGoogle Scholar
  6. 6.
    Ciardo, G., Jones III, R.L., Miner, A.S., Siminiceanu, R.: Logic and stochastic modeling with SMART. Performance Evaluation 63(6), 578–608 (2006)CrossRefGoogle Scholar
  7. 7.
    Ciardo, G., Lüttgen, G., Miner, A.S.: Exploiting interleaving semantics in symbolic state-space generation. FMSD 31(1), 63–100 (2007)zbMATHGoogle Scholar
  8. 8.
    Ciardo, G., Lüttgen, G., Siminiceanu, R.: Saturation: An efficient iteration strategy for symbolic state-space generation. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 328–342. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Das, M., Lerner, S., Seigle, M.: ESP: Path-sensitive program verification in polynomial time. In: PLDI, pp. 57–68. ACM, New York (2002)Google Scholar
  10. 10.
    DeLine, R., Fähndrich, M.: Enforcing high-level protocols in low-level software. In: PLDI, pp. 59–69. ACM Press, New York (2001)Google Scholar
  11. 11.
    Freitas, L., Fu, Z., Woodcock, J.: POSIX file store in Z/EVES: An experiment in the verified software repository. In: ICECCS, pp. 3–14. IEEE, Los Alamitos (2007)Google Scholar
  12. 12.
    Freitas, L., Woodcock, J., Butterfield, A.: POSIX and the verification grand challenge: A roadmap. In: ICECCS, pp. 153–162. IEEE, Los Alamitos (2008)Google Scholar
  13. 13.
    Galloway, A., Mühlberg, J.T., Siminiceanu, R., Lütgen, G.: Model-checking part of a Linux file system. Technical Report YCS-2007-423, U. of York, UK (2007),
  14. 14.
    The Open Group. The POSIX 1003.1, Edition Specification (2003)Google Scholar
  15. 15.
    Henzinger, T., Jhala, R., Majumdar, R., Necula, G., Sutre, G., Weimer, W.: Temporal-safety proofs for systems code. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 526–538. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. 16.
    Hoare, T.: The verifying compiler: A grand challenge for computing research. J. ACM 50(1), 63–69 (2003)zbMATHGoogle Scholar
  17. 17.
    Holzmann, G.J.: The SPIN Model Checker. Addison-Wesley, Reading (2003)Google Scholar
  18. 18.
    Holzmann, G.J., Smith, M.H.: Software model checking – Extracting verification models from source code. In: FMPEDS, pp. 481–497. Kluwer, Dordrecht (1999)Google Scholar
  19. 19.
    Joshi, R., Holzmann, G.J.: A mini challenge: Build a verifiable filesystem. Formal Aspects of Computing 19(2), 269–272 (2007)CrossRefzbMATHGoogle Scholar
  20. 20.
    Malekpour, M.R.: A Byzantine fault-tolerant self-stabilizing protocol for distributed clock synchronization systems. Technical Report TM-2006-214322, NASA Langley Research Center (2007)Google Scholar
  21. 21.
    Mühlberg, J.T., Lüttgen, G.: Blasting Linux code. In: Brim, L., Haverkort, B.R., Leucker, M., van de Pol, J. (eds.) FMICS 2006 and PDMC 2006. LNCS, vol. 4346, pp. 211–226. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  22. 22.
    Siminiceanu, R., Ciardo, G.: Formal verification of the NASA Runway Safety Monitor. STTT 9(1), 63–76 (2007)CrossRefGoogle Scholar
  23. 23.
    Yang, J., Sar, C., Twohey, P., Cadar, C., Engler, D.R.: Automatically generating malicious disks using symbolic execution. In: Security and Privacy, pp. 243–257. IEEE, Los Alamitos (2006)Google Scholar
  24. 24.
    Yang, J., Twohey, P., Engler, D.R., Musuvathi, M.: Using model checking to find serious file system errors. In: OSDI, pp. 273–288. USENIX (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Andy Galloway
    • 1
  • Gerald Lüttgen
    • 1
  • Jan Tobias Mühlberg
    • 1
  • Radu I. Siminiceanu
    • 2
  1. 1.Department of Computer ScienceUniversity of YorkYorkUK
  2. 2.National Institute of Aerospace, HamptonVirginiaUSA

Personalised recommendations