Figure 1 - uploaded by Gerwin Klein
Common criteria evaluation levels.

Source publication
Article
Full-text available
This paper gives a high-level introduction to the topic of formal, interactive, machine-checked software verification in general, and the verification of operating systems code in particular. We survey the state of the art, the advantages and limitations of machine-checked code proofs, and describe two specific ongoing larger-scale verification pro...

Contexts in source publication

Context 1
... standard is used, for example, by government agencies to specify software assurance requirements in requisitions and regulations. Figure 1 shows a table with the assurance levels on the left and software artefacts on the top. ...
Context 2
... medium-level specification, i.e. the abstract kernel, defines a (Bevier 1988, p. 1). This abstract specification effectively provides a model of several communicating tasks running concurrently. ...
Context 3
... now turn from the seL4 design to its verification in the L4.verified project. Figure 10 gives an overview of how the design fits into the verification picture. The L4.verified refinement approach looks similar to that of UCLA Secure Unix. ...
Context 4
... contains implementations of all important data structures with a high degree of low-level detail, like the number of bits that are used to store capabilities, doubly-linked lists implemented by pointers, etc. The second highest layer in Figure 10 is the high-level design. It contains a description of all user-visible kernel operations, but leaves out data structures and detail where possible. ...
Context 5
... instance, the scheduler on the abstract level is specified simply by saying: pick any thread in the system that is runnable; but in the low-level design, a data structure is provided for tracking which threads are runnable and which priority they have. The top level of Figure 10 is the access control model of seL4. It abstracts strongly from detail and only specifies how capabilities are distributed in the system. ...
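The gap between these two levels can be made concrete with a small sketch. The following Python model is purely illustrative (it is not seL4 code; all names and data structures are hypothetical): the abstract specification only constrains the result to be *some* runnable thread, the low-level design commits to picking the highest-priority runnable thread, and refinement holds because every concrete choice is among the abstractly allowed ones.

```python
# Hypothetical sketch of the refinement idea -- not actual seL4 code.

def abstract_schedule(threads):
    """Abstract spec: the SET of allowed results -- any runnable thread."""
    return {t for t, info in threads.items() if info["runnable"]}

def concrete_schedule(threads):
    """Low-level design: deterministically pick the highest-priority
    runnable thread (ties broken by thread name)."""
    runnable = [(info["priority"], t) for t, info in threads.items()
                if info["runnable"]]
    return max(runnable)[1] if runnable else None

def refines(threads):
    """Refinement check: the concrete choice is among the abstractly
    allowed choices (or both sides agree there is nothing to run)."""
    choice = concrete_schedule(threads)
    return choice is None or choice in abstract_schedule(threads)

threads = {
    "idle":    {"runnable": True,  "priority": 0},
    "driver":  {"runnable": True,  "priority": 10},
    "blocked": {"runnable": False, "priority": 20},
}
assert concrete_schedule(threads) == "driver"
assert refines(threads)
```

In the real proof this inclusion is established once and for all by a machine-checked refinement argument in Isabelle/HOL, not by testing individual states as above.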
Context 6
... security property proven in L4.verified states that the kernel can effectively isolate subsystems and can enforce flexible global security policies. All specifications in Figure 10 have been completed (Cock et al. 2008). The security specification is ca. 300 loc, the high-level design 3,000 loc, the low-level design 7,500 loc, and the C code 10,000 loc. ...
Context 7
... project has also completed the machine-checked proof in Isabelle/HOL that the Haskell prototype providing the low-level design of seL4 correctly implements its high-level specification (Cock et al. 2008). This fills one of the largest semantic gaps in the chain of Figure 10. The refinement proof between abstract and executable specification is 100,000 lines of Isabelle proof. ...

Similar publications

Article
Full-text available
Imparting real world experiences in a software verification and validation (SV&V) course is often a challenge due to the lack of effective active learning tools. This pedagogical requirement is important because graduates are expected to develop software that meets rigorous quality standards in functional and application domains. Realizing the nece...
Article
Full-text available
Software verification becomes more and more difficult as new code modules are produced and published every day. The task poses increasing difficulty, especially as the amount of code being analyzed becomes larger. Research in computer science has attempted to tackle the various problems that arise in software verification and provide with formal...
Article
Full-text available
The contribution addresses the application of formal methods in functional specification, design and verification of real-time software systems in safety-critical applications. We present basic principles of software verification methods directed towards automatic proof of safety properties against the model of the system. Verification of the railw...
Article
Full-text available
The goal of the RERS challenge is to evaluate the effectiveness of various verification and validation approaches on reactive systems, a class of systems that is highly relevant for industrial critical applications. The RERS challenge brings together researchers from different areas of software verification and validation, including static analysis...
Article
Full-text available
This paper presents a framework to evaluate and compare different defect taxonomies. Six well-known taxonomies are evaluated with it and the results are shown. We found deficiencies in every taxonomy once evaluated with the framework.

Citations

... And one of the hardest. Schulz (2017, E's author) Automated theorem proving (ATP) is an important tool both for assisting mathematicians in proving complex theorems and for areas such as integrated circuit design and software and hardware verification (Leroy, 2009; Klein, 2009). Initial research in ATP dates back to the 1960s (e.g., Robinson (1965); Knuth & Bendix (1970)) and was motivated partly by the fact that mathematics is a hallmark of human intelligence. ...
Preprint
Traditional automated theorem provers for first-order logic depend on speed-optimized search and many handcrafted heuristics that are designed to work best over a wide range of domains. Machine learning approaches in literature either depend on these traditional provers to bootstrap themselves or fall short on reaching comparable performance. In this paper, we propose a general incremental learning algorithm for training domain specific provers for first-order logic without equality, based only on a basic given-clause algorithm, but using a learned clause-scoring function. Clauses are represented as graphs and presented to transformer networks with spectral features. To address the sparsity and the initial lack of training data as well as the lack of a natural curriculum, we adapt hindsight experience replay to theorem proving, so as to be able to learn even when no proof can be found. We show that provers trained this way can match and sometimes surpass state-of-the-art traditional provers on the TPTP dataset in terms of both quantity and quality of the proofs.
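The "basic given-clause algorithm" this work builds on is the standard saturation loop of first-order provers. The following Python sketch is a deliberately simplified propositional version (not TRAIL itself; the `score` function is a placeholder where a learned clause scorer would plug in, and clauses are frozensets of signed integers standing in for literals):

```python
# Minimal given-clause saturation loop (propositional resolution),
# illustrating where a clause-scoring function plugs in.
# Illustrative sketch only -- not the TRAIL system described above.

def resolvents(c1, c2):
    """All binary resolvents of two clauses.
    A clause is a frozenset of signed ints; -n is the negation of n."""
    return [frozenset((c1 - {lit}) | (c2 - {-lit}))
            for lit in c1 if -lit in c2]

def score(clause):
    """Clause-scoring heuristic; a learned model would replace this.
    Here: the classic 'smallest clause first' heuristic."""
    return len(clause)

def saturate(clauses, max_steps=1000):
    """Given-clause loop: True iff the empty clause (a contradiction)
    is derived, i.e. the input clause set is unsatisfiable."""
    unprocessed = set(clauses)
    processed = set()
    for _ in range(max_steps):
        if not unprocessed:
            return False                        # saturated, no contradiction
        given = min(unprocessed, key=score)     # select best-scoring clause
        unprocessed.discard(given)
        processed.add(given)
        for other in processed:
            for r in resolvents(given, other):
                if not r:
                    return True                 # empty clause derived
                if r not in processed:
                    unprocessed.add(r)
    return False

# {p}, {~p or q}, {~q} is unsatisfiable:
assert saturate([frozenset({1}), frozenset({-1, 2}), frozenset({-2})])
```

Real saturation provers add redundancy elimination (subsumption, simplification) and richer inference rules; the point here is only that the choice of `given` is the single decision the learned scoring function controls.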
... Automated theorem provers (ATPs) are commonly used in many areas of computer science; for instance, aiding in the design of compilers [1], [2], operating systems [3], and distributed systems [4], [5]). As their applicability has grown in scope, there has been a need for new heuristics and strategies that inform how an ATP searches for proofs, i.e., systems that provide effective proof guidance. ...
... We used gradient-boosted tree search from scikit-optimize to find effective hyperparameters using 10% of the Mizar dataset. This returned the hyperparameter values in Ta... All experiments for TRAIL and all its competitors are run with a maximum time limit of 100 seconds per problem. ...
Preprint
Full-text available
Traditional automated theorem provers have relied on manually tuned heuristics to guide how they perform proof search. Recently, however, there has been a surge of interest in the design of learning mechanisms that can be integrated into theorem provers to improve their performance automatically. In this work, we introduce TRAIL, a deep learning-based approach to theorem proving that characterizes core elements of saturation-based theorem proving within a neural framework. TRAIL leverages (a) an effective graph neural network for representing logical formulas, (b) a novel neural representation of the state of a saturation-based theorem prover in terms of processed clauses and available actions, and (c) a novel representation of the inference selection process as an attention-based action policy. We show through a systematic analysis that these components allow TRAIL to significantly outperform previous reinforcement learning-based theorem provers on two standard benchmark datasets (up to 36% more theorems proved). In addition, to the best of our knowledge, TRAIL is the first reinforcement learning-based approach to exceed the performance of a state-of-the-art traditional theorem prover on a standard theorem proving benchmark (solving up to 17% more problems).
... In SASOSes, isolation has been provided with traditional page tables [10,23,32] and recently through intra-address-space hardware isolation mechanisms [34,42,45,47]. Formal verification offers deterministic security guarantees, but has trouble scaling to modern OSes' large codebases [28,29]. Low-overhead runtime protection mechanisms are commonly found in production kernels [15,17]. ...
Conference Paper
Full-text available
OS design is traditionally heavily intertwined with protection mechanisms. OSes statically commit to one or a combination of (1) hardware isolation, (2) runtime checking, and (3) software verification early at design time. Changes after deployment require major refactoring; as such, they are rare and costly. In this paper, we argue that this strategy is at odds with recent hardware and software trends: protections break (Meltdown), hardware becomes heterogeneous (Memory Protection Keys, CHERI), and multiple mechanisms can now be used for the same task (software hardening, verification, HW isolation, etc). In short, the choice of isolation strategy and primitives should be postponed to deployment time. We present FlexOS, a novel, modular OS design whose compartmentalization and protection profile can seamlessly be tailored towards a specific application or use-case at build time. FlexOS offers a language to describe components' security needs/behavior, and to automatically derive from it a compartmentalization strategy. We implement an early prototype of FlexOS that can automatically generate a large array of different OSes implementing different security strategies.
... Attacks against the replayer. The chance of replayer bugs is slim due to its small size and the absence of a blackbox runtime [49]. Nevertheless, a successful adversary may subvert the replayer's security mechanisms, e.g. ...
Preprint
TinyStack is a novel way for deploying GPU-accelerated computation on mobile and embedded devices. It addresses the high complexity of a modern GPU stack. Without an overhaul of the stack, TinyStack provides a static, fast path for an app to push its computation to GPU. It records GPU executions on the full GPU stack ahead of time and replays the executions with only a small replayer on new input at run time. TinyStack addresses challenges in capturing key CPU/GPU interactions and GPU states, working around proprietary GPU internals, and preventing replay divergence. The resultant replayer is a drop-in replacement of the original GPU stack. It is tiny (as few as 50 KB executable), robust (replaying long executions without divergence), portable (running in a POSIX OS, in TEE, or on baremetal), and quick to launch (speeding up startup by up to two orders of magnitude). We have implemented TinyStack and tested it with a variety of ML frameworks, GPU programming APIs, and integrated GPUs.
... There has been a great deal of work in formal verification of operating system kernels in the last few decades. Klein [20] gives an excellent survey of the work till around 2000. In recent years the most comprehensive work on OS verification has been the work on seL4 [21], which gave a refinement-based proof of the functional correctness of a microkernel using the Isabelle/HOL theorem prover. ...
Preprint
Full-text available
We present a formal verification of the functional correctness of the Muen Separation Kernel. Muen is representative of the class of modern separation kernels that leverage hardware virtualization support, and are generative in nature in that they generate a specialized kernel for each system configuration. These features pose substantial challenges to existing verification techniques. We propose a verification framework called conditional parametric refinement which allows us to formally reason about generative systems. We use this framework to carry out a conditional refinement-based proof of correctness of the Muen kernel generator. Our analysis of several system configurations shows that our technique is effective in producing mechanized proofs of correctness, and also in identifying issues that may compromise the separation property.
... Verification of OS kernels. For a full overview of the verification efforts about operating systems, we refer the reader to Klein [2009] and Zhao et al. [2017]. Among all the OS verification works, we place our emphasis mainly on those conducted at the C or assembly code level. ...
... SeL4 [Klein et al. 2009] is a formally-verified operating system kernel. It achieves multitasking in the kernel by polling timer interrupts at specified preemption points. ...
Article
Full-text available
The reliability and security of safety-critical real-time systems are of utmost importance because the failure of these systems could incur severe consequences (e.g., loss of lives or failure of a mission). Such properties require strong isolation between components and they rely on enforcement mechanisms provided by the underlying operating system (OS) kernel. In addition to spatial isolation which is commonly provided by OS kernels to various extents, it also requires temporal isolation, that is, properties on the schedule of one component (e.g., schedulability) are independent of behaviors of other components. The strict isolation between components relies critically on algorithmic properties of the concrete implementation of the scheduler, such as timely provision of time slots, obliviousness to preemption, etc. However, existing work either only reasons about an abstract model of the scheduler, or proves properties of the scheduler implementation that are not rich enough to establish the isolation between different components. In this paper, we present a novel compositional framework for reasoning about algorithmic properties of the concrete implementation of preemptive schedulers. In particular, we use virtual timeline, a variant of the supply bound function used in real-time scheduling analysis, to specify and reason about the scheduling of each component in isolation. We show that the properties proved on this abstraction carry down to the generated assembly code of the OS kernel. Using this framework, we successfully verify a real-time OS kernel, which extends mCertiKOS, a single-processor non-preemptive kernel, with user-level preemption, a verified timer interrupt handler, and a verified real-time scheduler. We prove that in the absence of microarchitectural-level timing channels, this new kernel enjoys temporal and spatial isolation on top of the functional correctness guarantee. All the proofs are implemented in the Coq proof assistant.
... Formal verification provides a general approach to proving critical properties of systems software [48]. To verify the correctness of a system, developers write a specification of its intended behavior, and construct a machine-checkable proof to show that the implementation satisfies the specification. ...
... Interactive verification. There is a long and rich history of using interactive theorem provers to verify the correctness of systems software [48]. These provers provide expressive logics for developers to manually construct a correctness proof of an implementation with respect to a specification. ...
Conference Paper
This paper presents Serval, a framework for developing automated verifiers for systems software. Serval provides an extensible infrastructure for creating verifiers by lifting interpreters under symbolic evaluation, and a systematic approach to identifying and repairing verification performance bottlenecks using symbolic profiling and optimizations. Using Serval, we build automated verifiers for the RISC-V, x86--32, LLVM, and BPF instruction sets. We report our experience of retrofitting CertiKOS and Komodo, two systems previously verified using Coq and Dafny, respectively, for automated verification using Serval, and discuss trade-offs of different verification methodologies. In addition, we apply Serval to the Keystone security monitor and the BPF compilers in the Linux kernel, and uncover 18 new bugs through verification, all confirmed and fixed by developers.
... Their principal result is producing testing and deductive verification techniques and an adequate memory model, mainly used in checking the correctness of Linux modules. The task of building software and hardware for a drone is being solved in the Crazyflie project [12], and the models are given in [13]. It is used in some universities, e.g., at Chalmers University of Technology, where students build dynamic models for the Crazyflie drone using the modeling language Modelica and then design control algorithms based on them [14]. ...
Article
Full-text available
Currently, the creation of reliable unmanned aerial vehicles (drones) is an important task in science and technology because such devices can have many use-cases in the digital economy and modern life, so we need to ensure their reliability. In this article, we propose to assemble a quadcopter from low-cost components in order to obtain a hardware prototype, and also to develop a software solution for the flight controller with high-reliability requirements, which will meet avionics software standards, using existing open-source software solutions. We apply the results as a model for teaching the courses «Components of operating systems» and «Software verification». In the study, we analyze the structure of quadcopters and flight controllers for them, and present a self-assembly solution. We describe Ardupilot as open-source software for unmanned aerial vehicles, the appropriate APM controller, and methods of PID control. Today's avionics standard for reliable flight-controller software is a real-time partitioned operating system that is capable of responding to events from devices with an expected speed, as well as sharing processor time and memory between isolated partitions. A good example of such an OS is the open-source POK (Partitioned Operating Kernel). Its repository contains an example design of a system for a quadcopter using the AADL language for modeling its hardware and software. We apply this technique, with model-driven engineering, to a demo system that runs on real hardware and contains a flight management process with PID control as a partitioned process. Using a partitioned OS brings the reliability of flight system software to the next level. To increase the level of control-logic correctness, we propose to use formal verification methods. We also provide examples of verifiable properties at the level of code using the deductive approach, as well as at the level of the cyber-physical system using differential dynamic logic to prove stability.
... The increasingly important role of virtualization in software systems makes it a prime target for formal verification. In [46], Klein provides a very complete survey of software verification, with a special emphasis on verifying operating systems. Recently, several projects have set out to formally verify the correctness of operating system kernel and hypervisor implementations. ...
Article
Full-text available
This work focuses on the study of constant-time implementations; giving formal guarantees that such implementations are protected against cache-based timing attacks in virtualized platforms where their supporting operating system executes concurrently with other, potentially malicious, operating systems. We develop a model of virtualization that accounts for virtual addresses, physical and machine addresses, memory mappings, page tables, translation lookaside buffer, and cache; and provides an operational semantics for a representative set of actions, including reads and writes, allocation and deallocation, context switching, and hypercalls. We prove a non-interference result on the model that shows that an adversary cannot discover secret information using cache side-channels, from a constant-time victim.
... Thus, web browsers should be developed as rigidly and formally as operating systems. While formal methods are a well-established technique in the development of operating systems (see, e.g., Klein [15] for an overview), there are few proposals for improving the development of web browsers using formal approaches [2,9,12,17]. ...
Conference Paper
At its core, the Document Object Model (DOM) defines a tree-like data structure for representing documents in general and HTML documents in particular. It forms the heart of any rendering engine of modern web browsers. Formalizing the key concepts of the DOM is a prerequisite for formal reasoning over client-side JavaScript programs as well as for the analysis of security concepts in modern web browsers. In this paper, we present a formalization of the core DOM, with a focus on the node-tree and the operations defined on node-trees, in Isabelle/HOL. We use the formalization to verify the functional correctness of the most important functions defined in the DOM standard. Moreover, our formalization is (1) extensible, i.e., it can be extended without the need to re-prove already proven properties, and (2) executable, i.e., we can generate executable code from our specification.