Compositional Verification of a Baby Virtual Memory Manager

  • Alexander Vaynberg
  • Zhong Shao
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7679)


A virtual memory manager (VMM) is a part of an operating system that provides the rest of the kernel with an abstract model of memory. Although small in size, it involves complicated and interdependent invariants that make monolithic verification of the VMM and the kernel running on top of it difficult. In this paper, we make the observation that a VMM is constructed in layers: physical page allocation, page table drivers, address space API, etc., each layer providing an abstraction that the next layer utilizes. We use this layering to simplify the verification of individual modules of VMM and then to link them together by composing a series of small refinements. The compositional verification also supports function calls from less abstract layers into more abstract ones, allowing us to simplify the verification of initialization functions as well. To facilitate such compositional verification, we develop a framework that assists in creation of verification systems for each layer and refinements between the layers. Using this framework, we have produced a certification of BabyVMM, a small VMM designed for simplified hardware. The same proof also shows that a certified kernel using BabyVMM’s virtual memory abstraction can be refined following a similar sequence of refinements, and can then be safely linked with BabyVMM. Both the verification framework and the entire certification of BabyVMM have been mechanized in the Coq Proof Assistant.


Memory Model Operational Semantic Address Space Physical Memory Separation Logic 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alkassar, E., Hillebrand, M.A., Leinenbach, D.C., Schirmer, N.W., Starostin, A., Tsyban, A.: Balancing the load: Leveraging a semantics stack for systems verification. Journal of Automated Reasoning: OS Verification 42, 389–454 (2009)zbMATHCrossRefGoogle Scholar
  2. 2.
    Alkassar, E., Schirmer, N.W., Starostin, A.: Formal Pervasive Verification of a Paging Mechanism. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 109–123. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Cai, H., Shao, Z., Vaynberg, A.: Certified self-modifying code. In: Proc. PLDI 2007, pp. 66–77. ACM, New York (2007)CrossRefGoogle Scholar
  4. 4.
    Calcagno, C., O’Hearn, P., Yang, H.: Local action and abstract separation logic. In: Proc. LICS 2007, pp. 366–378 (July 2007)Google Scholar
  5. 5.
    Coq Development Team. The Coq proof assistant reference manual. The Coq release v8.0 (October 2005)Google Scholar
  6. 6.
    Elphinstone, K., Klein, G., Derrin, P., Roscoe, T., Heiser, G.: Towards a practical, verified kernel. In: Proc. HoTOS 2007, San Diego, CA, USA (May 2007)Google Scholar
  7. 7.
    Feng, X., Shao, Z., Dong, Y., Guo, Y.: Certifying low-level programs with hardware interrupts and preemptive threads. In: Proc. PLDI 2008, pp. 170–182. ACM (2008)Google Scholar
  8. 8.
    Feng, X., Shao, Z., Vaynberg, A., Xiang, S., Ni, Z.: Modular verification of assembly code with stack-based control abstractions. In: PLDI 2006, pp. 401–414 (June 2006)Google Scholar
  9. 9.
    Gargano, M., Hillebrand, M.A., Leinenbach, D., Paul, W.J.: On the Correctness of Operating System Kernels. In: Hurd, J., Melham, T. (eds.) TPHOLs 2005. LNCS, vol. 3603, pp. 1–16. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Gu, L., Vaynberg, A., Ford, B., Shao, Z., Costanzo, D.: Certikos: A certified kernel for secure cloud computing. In: Proc. APSys 2011. ACM (2011)Google Scholar
  11. 11.
    In der Rieden, T.: Verified Linking for Modular Kernel Verification. PhD thesis, Saarland University, Computer Science Department (November 2009)Google Scholar
  12. 12.
    Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an OS kernel. In: Proc. SOSP 2009, pp. 207–220 (2009)Google Scholar
  13. 13.
    Klein, G., Tuch, H.: Towards verified virtual memory in l4. In: TPHOLs Emerging Trends 2004, Park City, Utah, USA (September 2004)Google Scholar
  14. 14.
    Kolanski, R., Klein, G.: Mapped Separation Logic. In: Shankar, N., Woodcock, J. (eds.) VSTTE 2008. LNCS, vol. 5295, pp. 15–29. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. 15.
    McCreight, A., Shao, Z., Lin, C., Li, L.: A general framework for certifying garbage collectors and their mutators. In: Proc. PLDI 2007, pp. 468–479 (2007)Google Scholar
  16. 16.
    O’Hearn, P.W., Yang, H., Reynolds, J.C.: Separation and information hiding. In: POPL 2004, pp. 268–280 (January 2004)Google Scholar
  17. 17.
    Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: Proc. LICS 2002, pp. 55–74 (July 2002)Google Scholar
  18. 18.
    Starostin, A.: Formal Verification of Demand Paging. PhD thesis, Saarland University, Computer Science Department (March 2010)Google Scholar
  19. 19.
    Vaynberg, A., Shao, Z.: Compositional verification of BabyVMM (extended version and Coq proof). Technical Report YALEU/DCS/TR-1463, Yale University (October 2012),

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Alexander Vaynberg
    • 1
  • Zhong Shao
    • 1
  1. 1.Yale UniversityUSA

Personalised recommendations