Combining Mechanized Proofs and Model-Based Testing in the Formal Analysis of a Hypervisor

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9995)


Virtualization engines play a critical role in many modern software products. In an effort to gain definitive confidence on critical components, our company has invested on the formal verification of the NOVA micro hypervisor, following recent advances in similar academic and industrial operating-system verification projects. There are inherent difficulties in applying formal methods to low-level implementations, and even more under specific constraints arising in commercial software development. In order to deal with these, the chosen approach consists in the splitting of the verification effort by combining the definition of an abstract model of NOVA, the verification of fundamental security properties over this model, and testing the conformance of the model w.r.t. the NOVA implementation. This article reports on our experiences in applying formal methods to verify a hypervisor for commercial purposes. It describes the verification approach, and the security properties under consideration, and reports the results obtained.


Kernel Objects Hypervalent State Untrusted Process Conformance Testing Unprivileged Mode 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Barthe, G., Betarte, G., Campo, J.D., Luna, C.: Formally verifying isolation and availability in an idealized model of virtualization. In: Butler, M., Schulte, W. (eds.) FM 2011. LNCS, vol. 6664, pp. 231–245. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-21437-0_19 CrossRefGoogle Scholar
  2. 2.
    Bertrane, J., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Rival, X.: Static analysis and verification of aerospace software by abstract interpretation. Found. Trends Program. Lang. 2(2–3), 71–190 (2015)CrossRefGoogle Scholar
  3. 3.
    Brat, G., Bushnell, D., Davies, M., Giannakopoulou, D., Howar, F., Kahsai, T.: Verifying the safety of a flight-critical system. In: Bjørner, N., de Boer, F. (eds.) FM 2015. LNCS, vol. 9109, pp. 308–324. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-19249-9_20 CrossRefGoogle Scholar
  4. 4.
    Brucker, A.D., Wolff, B.: On theorem prover-based testing. Formal Aspects Comput. 25(5), 683–721 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Cai, H., Shao, Z., Vaynberg, A.: Certified self-modifying code. In: Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, San Diego, California, USA, June 10–13, 2007, pp. 66–77 (2007)Google Scholar
  6. 6.
    Calcagno, C., et al.: Moving fast with software verification. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NFM 2015. LNCS, vol. 9058, pp. 3–11. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-17524-9_1 Google Scholar
  7. 7.
    Elphinstone, K., Heiser, G.: From L3 to seL4 - what have we learnt in 20 years of L4 microkernels? In: Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles, SOSP 2013, pp. 133–150. ACM, New York (2013)Google Scholar
  8. 8.
    Feng, X., Shao, Z., Dong, Y., Guo, Y.: Certifying low-level programs with hardware interrupts and preemptive threads. In: Proceedings of the ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation, Tucson, AZ, USA, June 7–13, 2008, pp. 170–182 (2008)Google Scholar
  9. 9.
    Gu, L., Vaynberg, A., Ford, B., Shao, Z., Costanzo, D.: Certikos: a certified kernel for secure cloud computing. In: APSys 2011 Asia Pacific Workshop on Systems, Shanghai, China, July 11-12, 2011, p. 3 (2011)Google Scholar
  10. 10.
    Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: sel4: formal verification of an OS kernel. In: Proceedings of the 22nd ACM Symposium on Operating Systems Principles 2009, SOSP 2009, Big Sky, Montana, USA, October 11–14, 2009, pp. 207–220 (2009)Google Scholar
  11. 11.
    Kosmatov, N., Lemerre, M., Alec, C.: A case study on verification of a cloud hypervisor by proof and structural testing. In: Seidl, M., Tillmann, N. (eds.) TAP 2014. LNCS, vol. 8570, pp. 158–164. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-09099-3_12 Google Scholar
  12. 12.
    Leroy, X.: A formally verified compiler back-end. J. Autom. Reasoning 43(4), 363–446 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Liedtke, J.: Toward real \({\mu }\)-kernels. Commun. ACM 39(9), 70–77 (1996)CrossRefGoogle Scholar
  14. 14.
    Lipton, R.J., Snyder, L.: A linear time algorithm for deciding subject security. J. ACM 24(3), 455–464 (1977)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Liu, T., Huuck, R.: Case study: static security analysis of the android goldfish kernel. In: Bjørner, N., de Boer, F. (eds.) FM 2015. LNCS, vol. 9109, pp. 589–592. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-19249-9_39 CrossRefGoogle Scholar
  16. 16.
    Murray, T.C., Matichuk, D., Brassil, M., Gammie, P., Bourke, T., Seefried, S., Lewis, C., Gao, X., Klein, G.: sel4: from general purpose to a proof of information flow enforcement. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19–22, 2013, pp. 415–429 (2013)Google Scholar
  17. 17.
    Newcombe, C., Rath, T., Zhang, F., Munteanu, B., Brooker, M., Deardeuff, M.: How amazon web services uses formal methods. Commun. ACM 58(4), 66–73 (2015)CrossRefGoogle Scholar
  18. 18.
    Ramananandro, T., Reis, G.D., Leroy, X.: Formal verification of object layout for c++ multiple inheritance. In: Proceedings of the 38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2011, Austin, TX, USA, January 26–28, 2011, pp. 67–80 (2011)Google Scholar
  19. 19.
    Ramananandro, T., Reis, G.D., Leroy, X.: A mechanized semantics for C++ object construction and destruction, with applications to resource management. In: Proceedings of the 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, Philadelphia, Pennsylvania, USA, January 22–28, 2012, pp. 521–532 (2012)Google Scholar
  20. 20.
    Sewell, T., Winwood, S., Gammie, P., Murray, T., Andronick, J., Klein, G.: seL4 enforces integrity. In: Eekelen, M., Geuvers, H., Schmaltz, J., Wiedijk, F. (eds.) ITP 2011. LNCS, vol. 6898, pp. 325–340. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22863-6_24 CrossRefGoogle Scholar
  21. 21.
    Shao, Z.: Clean-slate development of certified OS kernels. In: Proceedings of the 2015 Conference on Certified Programs and Proofs, Cp. 2015, Mumbai, India, January 15–17, 2015, pp. 95–96 (2015)Google Scholar
  22. 22.
    Shapiro, J.S., Weber, S.: Verifying the eros confinement mechanism. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, SP 2000, p. 166. IEEE Computer Society, Washington, DC (2000)Google Scholar
  23. 23.
    Steinberg, U., Kauer, B.: Nova: a microhypervisor-based secure virtualization architecture. In: Proceedings of the 5th European Conference on Computer Systems, EuroSys 2010, pp. 209–222. ACM, New York (2010)Google Scholar
  24. 24.
    FireEye Formal Methods Team. Efficiently executable sets used by FireEye. Presented at the 8th Coq Workshop (2016).
  25. 25.
    Zhao, H., Yang, M., Zhan, N., Gu, B., Zou, L., Chen, Y.: Formal verification of a descent guidance control program of a lunar lander. In: Jones, C., Pihlajasaari, P., Sun, J. (eds.) FM 2014. LNCS, vol. 8442, pp. 733–748. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-06410-9_49 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.DresdenGermany

Personalised recommendations