Proving fairness and implementation correctness of a microkernel scheduler. (English) Zbl 1191.68409
Summary: We report on the formal proof of a microkernel’s key property, namely that its multi-priority process scheduler guarantees progress, i.e., strong fairness. The proof architecture links a layer of behavioral reasoning over system-trace sets with a concrete, fairly realistic implementation written in C. Our microkernel provides an infrastructure for memory virtualization, for communication with hardware devices, for processes (represented as a sequence of assembly instructions, which are executed concurrently over an underlying, formally defined processor), and for inter-process communication (IPC) via synchronous message passing. The kernel establishes process switches according to IPCs and timer-events; the scheduling of process switches, however, follows a hierarchy of priorities, favoring, e.g., system processes over application processes over maintenance processes. Besides the quite substantial models developed in Isabelle/HOL and the formal clarification of their relationship, we provide a detailed analysis what formal requirements a microkernel imposes on the key ingredients (hardware, timers, machine-dependent code) in order to establish the correct operation of the overall system. On the methodological side, we show how early modeling with foresight to the later verification has substantially helped our project.
MSC:
| 68Q60 | Specification and verification (program logics, model checking, etc.) |
| 68N25 | Theory of operating systems |
| 68T15 | Theorem proving (deduction, resolution, etc.) (MSC2010) |
References:
| [1] | Alkassar, E., Hillebrand, M.A.: Formal functional verification of device drivers. In: Woodcock, J., Shankar, N. (eds.) Verified Software: Theories, Tools, and Experiments. LNCS, vol. 5295, pp. 225–239. Springer, New York (2008) |
| [2] | Alkassar, E., Hillebrand, M.A., Leinenbach, D., Schirmer, N.W., Starostin, A.: The Verisoft approach to systems verification. In: Shankar, N., Woodcock, J. (eds.) Verified Software: Theories, Tools, and Experiments. LNCS, vol. 5295, pp. 209–224. Springer, New York (2008) |
| [3] | Alkassar, E., Hillebrand, M.A., Leinenbach, D.C., Schirmer, N.W., Starostin, A., Tsyban, A.: Balancing the load–leveraging a semantics stack for systems verification. J. Autom. Reasoning, Special Issue on Operating System Verification (2009). doi: 10.1007/s10817-009-9123-z · Zbl 1191.68407 |
| [4] | Alkassar, E., Schirmer, N., Starostin, A.: Formal pervasive verification of a paging mechanism. In: TACAS. LNCS, vol. 4963, pp. 109–123. Springer, New York (2008) · Zbl 1134.68394 |
| [5] | Andrews, P.B.: An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof. Kluwer, Dordrecht (2002) · Zbl 1002.03002 |
| [6] | Barnett, M., Chang, B.Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: a modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.P (eds.) Formal Methods for Components and Objects: 4th International Symposium, FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, New York (2006) |
| [7] | Basin, D.A., Kuruma, H., Miyazaki, K., Takaragi, K., Wolff, B.: Verifying a signature architecture: a comparative case study. Form. Asp. Comput. 19(1), 63–91 (2007) · Zbl 1111.68075 · doi:10.1007/s00165-006-0012-5 |
| [8] | Bevier, W.R.: Kit and the short stack. J. Autom. Reason. 5(4), 519–530 (1989) |
| [9] | Bevier, W.R., Hunt, W.A., Jr., Moore, J S., Young, W.D.: An approach to systems verification. J. Autom. Reason. 5(4), 411–428 (1989) |
| [10] | Beyer, S., Jacobi, C., Kröning, D., Leinenbach, D., Paul, W.J.: Putting it all together: Formal verification of the VAMP. STTT 8(4–5), 411–430 (2006) · doi:10.1007/s10009-006-0204-6 |
| [11] | Böhme, S., Leino, K.R.M., Wolff, B.: HOL-Boogie–an interactive prover for the Boogie program-verifier. In: Mohamed, O.A., Muñoz, C., Tahar, S. (eds.) TPHOLs. LNCS, vol. 5170, pp. 150–166. Springer, New York (2008) · Zbl 1165.68399 |
| [12] | Brock, B., Kaufmann, M., Moore, J S.: ACL2 theorems about commercial microprocessors. In: FMCAD, pp. 275–293. Springer, New York (1996) |
| [13] | Church, A.: A formulation of the simple theory of types. J. Symb. Log. 5(2), 56–68 (1940) · Zbl 0023.28901 · doi:10.2307/2266170 |
| [14] | Cock, D., Klein, G., Sewell, T.: Secure microkernels, state monads and scalable refinement. In: Mohamed, O.A., Muñoz, C., Tahar, S. (eds.) TPHOLs. LNCS, vol. 5170, pp. 167–182. Springer, New York (2008) · Zbl 1165.68454 |
| [15] | Cohen, E., Moskal, M., Schulte, W., Tobies, S.: A precise yet efficient memory model for C (2008). http://research.microsoft.com/apps/pubs/default.aspx?id=77174 |
| [16] | Daum, M., Dörrenbächer, J., Wolff, B., Schmidt, M.: A verification approach for system-level concurrent programs. In: Woodcock, J., Shankar, N. (eds.) Verified Software: Theories, Tools, and Experiments. LNCS, vol. 5295, pp. 161–176. Springer, New York (2008) |
| [17] | Elphinstone, K., Greenaway, D., Ruocco, S.: Lazy scheduling and direct process switch – merit or myths? In: Workshop on Operating System Platforms for Embedded Real-Time Applications. Pisa, Italy (2007). http://www.ertos.nicta.com.au/publications/papers/Elphinstone_GR_07.pdf |
| [18] | Engler, D.R., Kaashoek, M.F., O’Toole, J.: Exokernel: an operating system architecture for application-level resource management. In: SOSP, pp. 251–266. ACM, New York (1995) |
| [19] | Fagin, R., Williams, J.H.: A fair carpool scheduling algorithm. IBM J. Res. Develop. 27(2), 133–139 (1983) · doi:10.1147/rd.272.0133 |
| [20] | Filliâtre, J.C., Marché, C.: The why/Krakatoa/Caduceus platform for deductive program verification. In: CAV, pp. 173–177, Berlin, 3–7 July 2007 |
| [21] | Fleisch, B.D., Co, M.A.A.: Workplace microkernel and OS: a case study. Softw. Pract. Exp. 28(6), 569–591 (1998) · doi:10.1002/(SICI)1097-024X(199805)28:6<569::AID-SPE158>3.0.CO;2-U |
| [22] | Fox, A.C.J.: Formal specification and verification of ARM6. In: TPHOLs, pp. 25–40, Rome, 8–12 September 2003 |
| [23] | Francez, N.: Fairness. Springer, New York (1986) |
| [24] | Heckmann, R., Ferdinand, C.: Worst-case execution time prediction by static program analysis. White paper, AbsInt Angewandte Informatik GmbH (2004). http://www.absint.com/wcet.htm |
| [25] | Heiser, G., Elphinstone, K., Kuz, I., Klein, G., Petters, S.M.: Towards trustworthy computing systems: taking microkernels to the next level. Oper. Syst. Rev. 41(4), 3–11 (2007) · doi:10.1145/1278901.1278904 |
| [26] | Hillebrand, M.A., Paul, W.J.: On the architecture of system verification environments. In: Haifa Verification Conference, pp. 153–168. Springer, New York (2007) |
| [27] | In der Rieden, T., Tsyban, A.: CVM–a verified framework for microkernel programmers. In: Systems Software Verification. ENTCS, vol. 217, pp. 151–168. Elsevier Science B.V., Amsterdam (2008) |
| [28] | Kaiser, R.: Combining partitioning and virtualization for safety-critical systems. White Paper WP_CPV_10_A4_R10, SYSGO AG (2007). http://www.sysgo.com/news-events/whitepapers/ |
| [29] | Klein, G.: Operating system verification–an overview. In: Sādhanā, vol. 34, no. 1, pp. 27–69. Springer (2009) · Zbl 1192.68432 |
| [30] | Knapp, S., Paul, W.: Realistic worst case execution time analysis in the context of pervasive system verification. In: Reps, T., Sagiv, M., Bauer, J. (eds.) Program Analysis and Compilation, Theory and Practice: Essays Dedicated to Reinhard Wilhelm on the Occasion of his 60th Birthday. Lecture Notes in Computer Science, vol. 4444, pp. 53–81. Springer, New York (2007). http://www.verisoft.de/.rsrc/PublikationSeite/KP06.pdf · Zbl 1149.68405 |
| [31] | Leinenbach, D.: Compiler verification in the context of pervasive system verification. Ph.D. thesis, Saarland University, Saarbrücken (2008). http://www-wjp.cs.uni-sb.de/publikationen/Lei08.pdf |
| [32] | Leinenbach, D., Paul, W.J., Petrova, E.: Towards the formal verification of a C0 compiler: Code generation and implementation correctness. In: SEFM, pp. 2–12. IEEE Computer Society, Los Alamitos (2005) |
| [33] | Liedtke, J.: Improving IPC by kernel design. In: SOSP, pp. 175–188. ACM, New York (1993) |
| [34] | Liedtke, J.: On {\(\mu\)}-kernel construction. In: SOSP, pp. 237–250. ACM, New York (1995) |
| [35] | Liedtke, J.: Towards real microkernels. Commun. ACM 39(9), 70–77 (1996) · doi:10.1145/234215.234473 |
| [36] | Moore, J S.: A grand challenge proposal for formal methods: A verified stack. In: 10th Anniversary Colloquium of UNU/IIST, pp. 161–172. Springer, New York (2002) |
| [37] | Moore, J S., Lynch, T.W., Kaufmann, M.: A mechanically checked proof of the AMD5K86TM floating point division program. IEEE Trans. Comput. 47(9), 913–926 (1998) · doi:10.1109/12.713311 |
| [38] | Ni, Z., Yu, D., Shao, Z.: Using XCAP to certify realistic systems code: Machine context management. In: TPHOLs. LNCS, vol. 4732, pp. 189–206. Springer, New York (2007) · Zbl 1144.68325 |
| [39] | Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: A proof assistant for higher-order logic. LNCS, vol. 2283. Springer, New York (2002) · Zbl 0994.68131 |
| [40] | Petters, S.M., Zadarnowski, P., Heiser, G.: Measurements or static analysis or both? In: Rochange, C. (ed.) WCET. Dagstuhl Seminar Proceedings, vol. 07002. Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany (2007) |
| [41] | Rashid, R., Avadis Tevanin, J., Young, M., Golub, D., Baron, R.: Machine-independent virtual memory management for paged uniprocessor and multiprocessor architectures. IEEE Trans. Comput. 37(8), 896–908 (1988) · doi:10.1109/12.2242 |
| [42] | Ruocco, S.: Real-time programming and L4 microkernels. In: Workshop on Operating System Platforms for Embedded Real-Time Applications, Dresden, Germany (2006). http://www.ertos.nicta.com.au/publications/papers/Ruocco_06.pdf . |
| [43] | Samman, T.: Verifying 50,000 lines of C code. Futures, Microsoft’s European Innovation Magazine, vol. 21. Microsoft Corporate Affairs Europe, Brussels (2008) |
| [44] | Schirmer, N.: A verification environment for sequential imperative programs in Isabelle/HOL. In: LPAR. LNCS, pp. 398–414. Springer, New York (2005). http://isabelle.in.tum.de/\(\sim\)schirmer/pub/hoare-lpar04.html · Zbl 1108.68410 |
| [45] | Schirmer, N.: Verification of sequential imperative programs in Isabelle/HOL. Ph.D. thesis, TU Munich (2006) · Zbl 1108.68410 |
| [46] | Shapiro, J., Doerrie, M.S., Northup, E., Sridhar, S., Miller, M.: Towards a verified, general-purpose operating system kernel. In: FM Workshop on OS Verification. Tech. rep. 0401005T-1, pp. 1–19. National ICT Australia (2004). http://www.coyotos.org/docs/osverify-2004/osverify-2004.pdf |
| [47] | Singal, M., Petters, S.M.: Issues in analysing L4 for its WCET. In: Workshop on Microkernels for Embedded Systems, Sydney, Australia. http://www.ertos.nicta.com.au/publications/papers/Singal_Petters_07.pdf (2007) |
| [48] | Starostin, A., Tsyban, A.: Correct microkernel primitives. In: Systems Software Verification. ENTCS, vol. 217, pp. 169–185. Elsevier Science B.V., Amsterdam (2008) |
| [49] | Starostin, A., Tsyban, A.: Verified process-context switch for C-programmed kernels. In: Shankar, N., Woodcock, J. (eds.) Verified Software: Theories, Tools, and Experiments. LNCS, vol. 5295, pp. 240–254. Springer, New York (2008) |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
