VTOS: Research on Methodology of “Light-Weight” Formal Design and Verification for Microkernel OS

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8233)


Because of their complexity, the correctness of operating systems is difficult to describe with quantitative methods. Using rigorous formal methods to verify the correctness of operating systems is a recognized approach. Existing projects on formal design and verification focus on validation at the code level. In this paper, we present a “light-weight” formal method for the design and verification of an OS. We propose an OS state automaton model (OSSA) as a link between system design and verification, and describe the correctness specifications of the system on the basis of this model. We implement a trusted operating system (verified trusted operating system, VTOS) as a prototype to illustrate the method of verifying the consistency between the system design and its safety requirements with the theorem prover Isabelle/HOL. The result shows that this approach is feasible.


Keywords: Microkernel OS; Formal Design; Formal Verification; System Correctness



Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  1. State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China
  2. Department of Computer Science and Technology, Nanjing University, Nanjing, China
  3. Department of Informatics, King’s College London, London, United Kingdom
