Verifying the seL4 Microkernel
Formal Proof in Mathematics and Computer Science
Lukas Stevens, 21st June 2018
Outline
1. What is a µ-kernel?
2. Design process of seL4
3. Formal methods of the correctness proof
4. Layers of the correctness proof
5. Conclusion
What is a µ-kernel?
What is a kernel anyway?
• Necessary abstractions for applications
• Interaction via system calls
• Loaded into protected memory region
⇒ Bugs are potentially fatal
Definition: Microkernel
A concept is tolerated inside the µ-kernel only if moving it outside the kernel, i.e. permitting competing implementations, would prevent the implementation of the system's required functionality. — Jochen Liedtke
Monolithic kernels and µ-kernels
[Figure: OS based on a monolithic kernel vs. OS based on a microkernel. Monolithic kernel: user mode holds the applications; kernel mode holds the file system, device drivers, IPC, virtual memory, scheduling, etc.; below that the hardware. Microkernel: user mode holds the applications, device drivers, file server and UNIX server, communicating via application IPC; kernel mode holds only basic IPC, virtual memory and scheduling; below that the hardware.]
The seL4 µ-kernel
• Member of the L4 µ-kernel family
• Correctness verified with Isabelle
• High performance
Design process of seL4
Design process for verification
[Figure: Stage 1 runs from Requirements to Design to an executable prototype in Haskell, which is translated automatically into the Executable Specification; the Abstract Specification is proved against it, and Design Improvement feeds back into the design. Stage 2 is the Implementation: the C implementation, proved against the Executable Specification.]
Formal methods of the correctness proof
Hoare logic
A Hoare triple { P } C { Q } consists of a precondition P, a program C and a postcondition Q.
Example: { x = 1 } x := x + 1 { x = 2 }
More Hoare logic
{ x = 0 ∧ x = 1 } y := 2 ∗ x { x and y are even }
{ x is even } y := 2 ∗ x { x and y are even }
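How the second triple above is established, as an added worked derivation (not part of the slides), using the standard assignment axiom and consequence rule of Hoare logic:

```
Assignment axiom:  { Q[e/y] } y := e { Q }

Instantiate with Q ≡ (x is even ∧ y is even) and e ≡ 2 ∗ x:
    { x is even ∧ 2 ∗ x is even } y := 2 ∗ x { x is even ∧ y is even }

Consequence rule: because x is even ⟹ 2 ∗ x is even, the precondition
x is even ∧ 2 ∗ x is even is equivalent to x is even, so
    { x is even } y := 2 ∗ x { x and y are even }
```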
Partial correctness of Hoare logic
{ } WHILE true DO c { }
Under partial correctness the postcondition only has to hold if the program terminates, so for this non-terminating loop the triple is valid whatever is written in the braces.
Data refinement
A concrete system C refines an abstract specification A if the behaviour of C is contained in that of A.
Data refinement: Examples
• The scheduler selects runnable threads
• System calls return non-zero values on error
Layers of the correctness proof
Proof structure
[Figure: inside Isabelle/HOL, the Abstract Specification is refined by the Executable Specification, which in turn is refined by the C implementation (semantics); each refinement step is a proof. The Executable Specification is obtained from the Haskell prototype by automatic translation, and the C implementation semantics from the C implementation.]
Abstract specification
The abstract specification is the most high-level layer that still fully captures the behaviour of the kernel.
Scheduler on the abstract level

    schedule ≡ do
        threads ← all_active_tcbs;
        thread ← select threads;
        switch_to_thread thread
    od OR switch_to_idle_thread
Executable specification
Fill in the details left open by the abstract specification.
Haskell implementation of the scheduler

    schedule = do
        action <- getSchedulerAction
        case action of
            ChooseNewThread -> do
                -- Call chooseThread to select next thread.
                chooseThread
                setSchedulerAction ResumeCurrentThread
            ...

    -- Get runnable thread with highest priority using chooseThread' or
    -- schedule idle thread.
    chooseThread = do
        r <- findM chooseThread' (reverse [minBound .. maxBound])
        when (r == Nothing) $ switchToIdleThread

    -- Try to find runnable thread in queue.
    chooseThread' prio = do
        q <- getQueue prio
        liftM isJust $ findM chooseThread'' q

    -- Check if thread is runnable and act accordingly.
    chooseThread'' thread = do
        runnable <- isRunnable thread
        if not runnable then do
            tcbSchedDequeue thread
            return False
        else do
            switchToThread thread
            return True
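The refinement relation between the abstract scheduler and the Haskell scheduler above, as an added executable model (not code from the slides or from seL4 itself): the abstract `select` is modelled as the set of all permitted outcomes, the concrete scheduler as a deterministic priority scan, and refinement is checked by exhaustively enumerating small constructed states. It assumes that "active" in `all_active_tcbs` means runnable, and `choose_thread_buggy` is a hypothetical defect used to show the check rejecting an implementation that picks a non-runnable thread.

```python
from dataclasses import dataclass
from itertools import product

IDLE = "idle"  # stands for switch_to_idle_thread / switchToIdleThread

@dataclass
class Tcb:
    name: str
    runnable: bool

def abstract_schedule(tcbs):
    """Abstract spec: `select` any active (assumed: runnable) TCB, OR go idle.
    Nondeterminism is modelled as the set of all permitted outcomes."""
    return {t.name for t in tcbs if t.runnable} | {IDLE}

def choose_thread(queues):
    """Executable spec in the shape of chooseThread/chooseThread'/chooseThread'':
    walk priorities from highest to lowest, drop non-runnable entries from the
    queue (tcbSchedDequeue), switch to the first runnable thread, else idle."""
    queues = {p: list(q) for p, q in queues.items()}
    for prio in sorted(queues, reverse=True):
        for tcb in list(queues[prio]):
            if not tcb.runnable:
                queues[prio].remove(tcb)
                continue
            return tcb.name, queues
    return IDLE, queues

def choose_thread_buggy(queues):
    """Hypothetical defective implementation: the runnable check is missing."""
    for prio in sorted(queues, reverse=True):
        if queues[prio]:
            return queues[prio][0].name, queues
    return IDLE, queues

def refines_in_state(chooser, queues):
    """One state: the concrete outcome must lie within the abstract behaviours."""
    tcbs = [t for q in queues.values() for t in q]
    return chooser(queues)[0] in abstract_schedule(tcbs)

def check_all_states(chooser, names=("a", "b", "c"), prios=(0, 1)):
    """Enumerate constructed small states (every assignment of priority and
    runnable flag to three threads) and check refinement in each of them."""
    for flags in product((True, False), repeat=len(names)):
        for ps in product(prios, repeat=len(names)):
            queues = {p: [] for p in prios}
            for n, p, r in zip(names, ps, flags):
                queues[p].append(Tcb(n, r))
            if not refines_in_state(chooser, queues):
                return False
    return True
```

A real refinement proof quantifies over all states rather than enumerating a few; the enumeration here only illustrates what the proof obligation "every concrete behaviour is an abstract behaviour" means for the scheduler.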