Mind the Gap: A Verification Framework for Low-Level C
  • Simon Winwood
  • Gerwin Klein
  • Thomas Sewell
  • June Andronick
  • David Cock
  • Michael Norrish
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5674)


This paper presents the formal Isabelle/HOL framework we use to prove refinement between an executable, monadic specification and the C implementation of the seL4 microkernel. We describe the refinement framework itself, the automated tactics it supports, and the connection to our previous C verification framework. We also report on our experience in applying the framework to seL4. The characteristics of this microkernel verification are the size of the target (8,700 lines of C code), the treatment of low-level programming constructs, the focus on high performance, and the large subset of the C programming language addressed, which includes pointer arithmetic and type-unsafe code.
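As an added illustration, not taken from the paper (whose proofs are carried out in Isabelle/HOL over the real seL4 sources), the following Python model shows the shape of the refinement obligation the abstract describes: a nondeterministic, set-valued monadic specification for slot allocation, a concrete implementation over a flat byte array that addresses fields by pointer arithmetic, a state relation between the two, and an exhaustive forward-simulation check; the slot layout, the operation, the relation and the injected pointer-arithmetic slip are all constructed here for the example.

```python
from functools import partial
from itertools import product

WORD = 4  # bytes per slot in the constructed byte-level memory: byte 0 = used flag, byte 1 = payload

def spec_alloc(astate, payload):
    """Abstract nondeterministic spec: the set of (result, new_state) outcomes, any free slot allowed."""
    outcomes = set()
    for i, v in enumerate(astate):
        if v is None:
            new = list(astate)
            new[i] = payload
            outcomes.add((i, tuple(new)))
    return outcomes or {(None, tuple(astate))}  # no free slot: fail, state unchanged

def impl_alloc(mem, payload, nslots, off=1):
    """Concrete implementation over flat bytes, addressing slot fields by pointer arithmetic."""
    mem = bytearray(mem)
    for i in range(nslots):
        p = i * WORD
        if mem[p] == 0:
            mem[p], mem[p + off] = 1, payload
            return i, bytes(mem)
    return None, bytes(mem)

# Pointer-arithmetic slip: payload stored one byte past the field the state relation looks at.
impl_alloc_buggy = partial(impl_alloc, off=2)

def state_rel(astate, mem):
    """State relation: abstract slot i is free iff its flag byte is 0, else flag 1 and payloads agree."""
    return all(mem[i * WORD] == 0 if v is None else (mem[i * WORD], mem[i * WORD + 1]) == (1, v)
               for i, v in enumerate(astate))

def encode(astate):
    """The unique concrete memory related to an abstract state, used to enumerate related pairs."""
    mem = bytearray(len(astate) * WORD)
    for i, v in enumerate(astate):
        if v is not None:
            mem[i * WORD], mem[i * WORD + 1] = 1, v
    return bytes(mem)

def check_refinement(nslots, impl=impl_alloc, payloads=(7, 9)):
    """Exhaustive forward simulation: each concrete step is matched by an abstract outcome with equal result and related state."""
    for astate in product((None,) + payloads, repeat=nslots):
        mem = encode(astate)
        for payload in payloads:
            r_c, mem2 = impl(mem, payload, nslots)
            if not any(r_a == r_c and state_rel(a2, mem2) for r_a, a2 in spec_alloc(astate, payload)):
                return False
    return True
```

The check accepts `impl_alloc` and rejects `impl_alloc_buggy`, whose one-byte offset error is invisible to the abstract specification and is caught only through the state relation.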


Keywords (machine-generated): Function Call, Memory Model, Proof Obligation, Separation Logic, Extraction Function





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Simon Winwood (1, 2)
  • Gerwin Klein (1, 2)
  • Thomas Sewell (1)
  • June Andronick (1)
  • David Cock (1)
  • Michael Norrish (1, 3)
  1. NICTA, Australia
  2. School of Computer Science and Engineering, UNSW, Sydney, Australia
  3. Computer Sciences Laboratory, ANU, Canberra, Australia
