Theory of Multi Core Hypervisor Verification

  • Ernie Cohen
  • Wolfgang Paul
  • Sabine Schmaltz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7741)


From 2007 to 2010, researchers from Microsoft and the Verisoft XT project verified code from Hyper-V, a multi-core x-64 hypervisor, using VCC, a verifier for concurrent C code. However, there is a significant gap between code verification of a kernel (such as a hypervisor) and a proof of correctness of a real system running the code. When the project ended in 2010, crucial and tricky portions of the hypervisor product were formally verified, but one was far from having an overall theory of multi core hypervisor correctness even on paper. For example, the kernel code itself has to set up low-level facilities such as its call stack and virtual memory map, and must continue to use memory in a way that justifies the memory model assumed by the compiler and verifier, even though these assumptions are not directly guaranteed by the hardware. Over the last two years, much of the needed theory justifying the approach has been worked out. We survey progress on this theory and identify the work that is left to be done.


Processor Core Store Buffer Reduction Theorem Page Table Interrupt Handler 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Verisoft Consortium: The Verisoft-XT Project (2007-2010),
  2. 2.
    Leinenbach, D., Santen, T.: Verifying the Microsoft Hyper-V Hypervisor with VCC. In: Cavalcanti, A., Dams, D. (eds.) FM 2009. LNCS, vol. 5850, pp. 806–809. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Hartmanis, J., Stearns, R.E.: On the Computational Complexity of Algorithms. Transactions of the American Mathematical Society 117, 285–306 (1965)MathSciNetzbMATHCrossRefGoogle Scholar
  4. 4.
    MIPS Technologies 1225 Charleston Road, Mountain View, CA: MIPS32 Architecture for Programmers Volume II: The MIPS32 Instruction Set, 2.5 edn. (2005)Google Scholar
  5. 5.
    Freescale semiconductor: Programming Environments Manual for 32-Bit Implementations of the PowerPCTMArchitecture (2005)Google Scholar
  6. 6.
    Advanced Micro Devices: AMD64 Architecture Programmer’s Manual: vol. 1-3 (2010)Google Scholar
  7. 7.
    Intel Santa Clara, CA, USA: Intel®64 and IA-32 Architectures Software Developer’s Manual, vol. 1-3b (2010)Google Scholar
  8. 8.
    Cohen, E., Schirmer, B.: From Total Store Order to Sequential Consistency: A Practical Reduction Theorem. In: Kaufmann, M., Paulson, L. (eds.) ITP 2010. LNCS, vol. 6172, pp. 403–418. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  9. 9.
    Berg, C., Jacobi, C.: Formal Verification of the VAMP Floating Point Unit. In: Margaria, T., Melham, T.F. (eds.) CHARME 2001. LNCS, vol. 2144, pp. 325–339. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Beyer, S., Jacobi, C., Kröning, D., Leinenbach, D., Paul, W.: Instantiating Uninterpreted Functional Units and Memory System: Functional Verification of the VAMP. In: Geist, D., Tronci, E. (eds.) CHARME 2003. LNCS, vol. 2860, pp. 51–65. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Verisoft Consortium: The Verisoft Project (2003-2007),
  12. 12.
    Oracle: Virtualbox x86 virtualization project,
  13. 13.
    The Bochs open source community: The Bochs ia-32 emulator project,
  14. 14.
    The Qemu open source community: Qemu processor emulator project,
  15. 15.
    Lamport, L.: How to make a multiprocessor computer that correctly executes multiprocess programs. IEEE Trans. Comput. 28(9), 690–691 (1979)zbMATHCrossRefGoogle Scholar
  16. 16.
    Sewell, P., Sarkar, S., Owens, S., Nardelli, F.Z., Myreen, M.O.: x86-TSO: a rigorous and usable programmer’s model for x86 multiprocessors. Commun. ACM 53(7), 89–97 (2010)CrossRefGoogle Scholar
  17. 17.
    Sweazey, P., Smith, A.J.: A class of compatible cache consistency protocols and their support by the IEEE futurebus. In: Proceedings of the 13th Annual International Symposium on Computer Architecture, ISCA 1986, pp. 414–423. IEEE Computer Society Press, Los Alamitos (1986)Google Scholar
  18. 18.
    Chen, X., Yang, Y., Gopalakrishnan, G., Chou, C.T.: Efficient methods for formally verifying safety properties of hierarchical cache coherence protocols. Formal Methods in System Design 36, 37–64 (2010)zbMATHCrossRefGoogle Scholar
  19. 19.
    Paul, W.: A Pipelined Multi Core MIPS Machine - Hardware Implementation and Correctness Proof (2012),
  20. 20.
    Degenbaev, U.: Formal Specification of the x86 Instruction Set Architecture. PhD thesis, Saarland University, Saarbrücken (2011)Google Scholar
  21. 21.
    Baumann, C.: Formal specification of the x87 floating-point instruction set. Master’s thesis, Saarland University, Saarbrücken (2008)Google Scholar
  22. 22.
    Schmaltz, S.: Towards Pervasive Formal Verification of Multi-Core Operating Systems and Hypervisors Implemented in C (DRAFT). PhD thesis, Saarland University, Saarbrücken (2012)Google Scholar
  23. 23.
    Kovalev, M.: TLB Virtualization in the Context of Hypervisor Verification (DRAFT). PhD thesis, Saarland University, Saarbrücken (2012)Google Scholar
  24. 24.
    Degenbaev, U., Paul, W.J., Schirmer, N.: Pervasive Theory of Memory. In: Albers, S., Alt, H., Näher, S. (eds.) Efficient Algorithms. LNCS, vol. 5760, pp. 74–98. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  25. 25.
    Owens, S.: Reasoning about the Implementation of Concurrency Abstractions on x86-TSO. In: D’Hondt, T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 478–503. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  26. 26.
    Schmaltz, S., Shadrin, A.: Integrated Semantics of Intermediate-Language C and Macro-Assembler for Pervasive Formal Verification of Operating Systems and Hypervisors from VerisoftXT. In: Joshi, R., Müller, P., Podelski, A. (eds.) VSTTE 2012. LNCS, vol. 7152, pp. 18–33. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  27. 27.
    Leinenbach, D.: Compiler Verification in the Context of Pervasive System Verification. PhD thesis, Saarland University, Saarbrücken (2008)Google Scholar
  28. 28.
    Leroy, X.: Formal verification of a realistic compiler. Communications of the ACM 52(7), 107–115 (2009)CrossRefGoogle Scholar
  29. 29.
    Gargano, M., Hillebrand, M., Leinenbach, D., Paul, W.: On the correctness of operating system kernels. In: Hurd, J., Melham, T. (eds.) Theorem Proving in High Order Logics, Oxford, U.K. Springer (2005)Google Scholar
  30. 30.
    Alkassar, E.: OS Verification Extended - On the Formal Verification of Device Drivers and the Correctness of Client/Server Software. PhD thesis, Saarland University, Saarbrücken (2009)Google Scholar
  31. 31.
    Shadrin, A.: Mixed Low- and High Level Programming Languages Semantics.Automated Verification of a Small Hypervisor: Putting It All Together. PhD thesis, Saarland University, Saarbrücken (2012)Google Scholar
  32. 32.
    Ball, T., Levin, V., Rajamani, S.K.: A decade of software model checking with slam. Commun. ACM 54(7), 68–76 (2011)CrossRefGoogle Scholar
  33. 33.
    Hillebrand, M., In der Rieden, T., Paul, W.: Dealing with i/o devices in the context of pervasive system verification. In: Proceedings of the 23rd IEEE International Conference on Computer Design: VLSI in Computers and Processors (ICCD 2005), San Jose, CA, USA, October 2-5, pp. 309–316. IEEE (2005)Google Scholar
  34. 34.
    Tverdyshev, S.: Formal Verification of Gate-Level Computer Systems. PhD thesis, Saarland University, Computer Science Department (2009)Google Scholar
  35. 35.
    Hillebrand, M., Tverdyshev, S.: Formal Verification of Gate-Level Computer Systems. In: Frid, A., Morozov, A., Rybalchenko, A., Wagner, K.W. (eds.) CSR 2009. LNCS, vol. 5675, pp. 322–333. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  36. 36.
    Müller, S., Paul, W.: Computer Architecture, Complexity and Correctness. Springer (2000)Google Scholar
  37. 37.
    Alkassar, E., Schirmer, N., Starostin, A.: Formal Pervasive Verification of a Paging Mechanism. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 109–123. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  38. 38.
    Alkassar, E., Hillebrand, M.A., Leinenbach, D.C., Schirmer, N.W., Starostin, A., Tsyban, A.: Balancing the load: Leveraging semantics stack for systems verification, vol. 42(2-4), pp. 389–454 (2009)Google Scholar
  39. 39.
    Appel, A.W.: Verified Software Toolchain. In: Barthe, G. (ed.) ESOP 2011. LNCS, vol. 6602, pp. 1–17. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  40. 40.
    Baumann, C.: Reordering and simulation in concurrent systems. Technical report, Saarland University, Saarbrücken (2012)Google Scholar
  41. 41.
    Schirmer, N.: Verification of Sequential Imperative Programs in Isabelle/HOL. PhD thesis, Technische Universität München (2006)Google Scholar
  42. 42.
    Microsoft Research: The VCC webpage,
  43. 43.
    Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: A Practical System for Verifying Concurrent C. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 23–42. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  44. 44.
    Cohen, E., Moskal, M., Schulte, W., Tobies, S.: Local Verification of Global Invariants in Concurrent Programs. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 480–494. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  45. 45.
    Cohen, E., Moskal, M., Tobies, S., Schulte, W.: A precise yet efficient memory model for C. Electron. Notes Theor. Comput. Sci. 254, 85–103 (2009)CrossRefGoogle Scholar
  46. 46.
    Maus, S.: Verification of Hypervisor Subroutines written in Assembler. PhD thesis, Universität Freiburg (2011)Google Scholar
  47. 47.
    Maus, S., Moskal, M., Schulte, W.: Vx86: x86 Assembler Simulated in C Powered by Automated Theorem Proving. In: Meseguer, J., Roşu, G. (eds.) AMAST 2008. LNCS, vol. 5140, pp. 284–298. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  48. 48.
    Paul, W., Schmaltz, S., Shadrin, A.: Completing the Automated Verification of a Small Hypervisor – Assembler Code Verification. In: Eleftherakis, G., Hinchey, M., Holcombe, M. (eds.) SEFM 2012. LNCS, vol. 7504, pp. 188–202. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  49. 49.
    Klein, G., Andronick, J., Elphinstone, K., Heiser, G., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: Formal verification of an operating system kernel. Communications of the ACM 53(6), 107–115 (2010)CrossRefGoogle Scholar
  50. 50.
    Daum, M., Schirmer, N.W., Schmidt, M.: Implementation correctness of a real-time operating system. In: 7th IEEE International Conference on Software Engineering and Formal Methods (SEFM 2009), Hanoi, Vietnam, November 23-27, pp. 23–32. IEEE (2009)Google Scholar
  51. 51.
    Daum, M., Dörrenbächer, J., Bogan, S.: Model stack for the pervasive verification of a microkernel-based operating system. In: Beckert, B., Klein, G. (eds.) 5th International Verification Workshop (VERIFY 2008). CEUR Workshop Proceedings, vol. 372, pp. 56–70. (2008)Google Scholar
  52. 52.
    Dörrenbächer, J.: Formal Specification and Verification of a Microkernel. PhD thesis, Saarland University, Saarbrücken (2010)Google Scholar
  53. 53.
    Hillebrand, M.A., Leinenbach, D.C.: Formal verification of a reader-writer lock implementation in C. Electron. Notes Theor. Comput. Sci. 254, 123–141 (2009)CrossRefGoogle Scholar
  54. 54.
    Alkassar, E., Cohen, E., Hillebrand, M., Pentchev, H.: Modular specification and verification of interprocess communication. In: Formal Methods in Computer Aided Design. IEEE (2010)Google Scholar
  55. 55.
    Alkassar, E., Cohen, E., Kovalev, M., Paul, W.: Verification of TLB Virtualization Implemented in C. In: Joshi, R., Müller, P., Podelski, A. (eds.) VSTTE 2012. LNCS, vol. 7152, pp. 209–224. Springer, Heidelberg (2012)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Ernie Cohen
    • 1
  • Wolfgang Paul
    • 2
  • Sabine Schmaltz
    • 2
  1. 1.MicrosoftUSA
  2. 2.Saarland UniversityGermany

Personalised recommendations