Efficient Formal Verification for the Linux Kernel

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11724)


Formal verification of the Linux kernel has been receiving increasing attention in recent years, with the development of many models, from memory subsystems to the synchronization primitives of the real-time kernel. The effort in developing formal verification methods is justified considering the large code base, the complexity of the synchronization required in a monolithic kernel and the support for multiple architectures, along with the use of Linux in critical systems, from high-frequency trading to self-driving cars. Despite recent developments in the area, none of the proposed approaches is suitable and flexible enough to be applied efficiently to a running kernel. Aiming to fill this gap, this paper proposes a formal verification approach for the Linux kernel based on automata models. It presents a method to auto-generate verification code from an automaton; the generated code can be integrated into a module and dynamically loaded into the kernel for efficient on-the-fly verification of the system, using in-kernel tracing features. Finally, a set of experiments demonstrates the verification of three models, along with a performance analysis of the impact of the verification in terms of latency and throughput of the system, showing the efficiency of the approach.
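To make the approach in the abstract concrete, the following is an added example written for this page; it is not code from the paper or its authors. It shows the core of an automaton-based runtime verifier of the kind the abstract describes: a deterministic automaton encoded as a transition table, a monitor that consumes trace events one at a time and reports any event the model does not permit from the current state, and a mapping from tracepoint names to model events so that events the model does not track are skipped. The model (a deliberately non-nested "no scheduling while preemption is disabled" automaton), the state and event names, and the traces are all constructed for illustration; the paper's own three models and its generated module code are not reproduced here. In user space the trace is an array of strings standing in for the tracepoint events a kernel module would receive.

```c
/* Added example: a table-driven automaton monitor over a trace of events.
 * Model, names and traces below are constructed for illustration and are
 * not the paper's models. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum state { S_PREEMPT_ON, S_PREEMPT_OFF, NR_STATES };
enum event { E_PREEMPT_DISABLE, E_PREEMPT_ENABLE, E_SCHED_SWITCH, NR_EVENTS };

#define INVALID_STATE (-1)

static const char *const state_name[NR_STATES] = { "preempt_on", "preempt_off" };
static const char *const event_name[NR_EVENTS] = {
	"preempt_disable", "preempt_enable", "sched_switch"
};

/* transition[state][event] is the next state, or INVALID_STATE when the
 * model forbids that event in that state. A code generator would emit this
 * table from the automaton description. */
static const int transition[NR_STATES][NR_EVENTS] = {
	[S_PREEMPT_ON]  = { [E_PREEMPT_DISABLE] = S_PREEMPT_OFF,
			    [E_PREEMPT_ENABLE]  = INVALID_STATE,
			    [E_SCHED_SWITCH]    = S_PREEMPT_ON },
	[S_PREEMPT_OFF] = { [E_PREEMPT_DISABLE] = INVALID_STATE,
			    [E_PREEMPT_ENABLE]  = S_PREEMPT_ON,
			    [E_SCHED_SWITCH]    = INVALID_STATE },
};

struct verifier {
	int state;
	unsigned int violations;
};

static void verifier_init(struct verifier *v)
{
	v->state = S_PREEMPT_ON; /* initial state of the constructed model */
	v->violations = 0;
}

/* Map a tracepoint name to a model event; -1 if the model does not track it. */
static int event_from_name(const char *name)
{
	for (int e = 0; e < NR_EVENTS; e++)
		if (strcmp(name, event_name[e]) == 0)
			return e;
	return -1;
}

/* Consume one event. Returns 0 if the automaton accepts it, -1 on a
 * violation. On a violation the state is left unchanged and the monitor
 * keeps running, reporting rather than halting the system. */
static int verifier_step(struct verifier *v, enum event e)
{
	int next = transition[v->state][e];

	if (next == INVALID_STATE) {
		v->violations++;
		fprintf(stderr, "violation: event %s not allowed in state %s\n",
			event_name[e], state_name[v->state]);
		return -1;
	}
	v->state = next;
	return 0;
}

/* Run a whole trace given as tracepoint names. Events the model does not
 * track are skipped. Returns the number of violations found. */
static unsigned int verify_trace(const char *const *trace, size_t n)
{
	struct verifier v;

	verifier_init(&v);
	for (size_t i = 0; i < n; i++) {
		int e = event_from_name(trace[i]);
		if (e >= 0)
			verifier_step(&v, (enum event)e);
	}
	return v.violations;
}

int main(void)
{
	/* Constructed traces standing in for in-kernel tracepoint events. */
	static const char *const good[] = { "preempt_disable", "irq_handler_entry",
					    "preempt_enable", "sched_switch" };
	static const char *const bad[] = { "preempt_disable", "sched_switch",
					   "preempt_enable" };

	printf("good trace: %u violations\n", verify_trace(good, 4));
	printf("bad trace:  %u violations\n", verify_trace(bad, 3));
	return 0;
}
```

The table layout is what makes generated verification code cheap on the hot path: each event costs one array lookup and one comparison, which is what keeps the latency and throughput overhead low when the monitor is attached to tracepoints. The untracked event (`irq_handler_entry` in the good trace) is dropped by `event_from_name`, which is the place where a real module would filter the tracepoints it subscribes to.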


Keywords: Verification, Linux kernel, Automata, Testing



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. RHEL Platform/Real-time Team, Red Hat, Inc., Pisa, Italy
  2. RETIS Lab, Scuola Superiore Sant’Anna, Pisa, Italy
  3. Department of Systems Automation, UFSC, Florianópolis, Brazil
