About
131
Publications
22,195
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
5,643
Citations
Introduction
Current institution
Current position
- Principal Investigator
Additional affiliations
December 2016 - April 2017
Publications
Publications (131)
Microarchitectural timing channels are a well-known mechanism for information leakage. Time protection has recently been demonstrated as an operating-system mechanism able to prevent them. However, established theories of information-flow security are insufficient for verifying time protection, which must distinguish between (legal) overt and (ille...
This paper presents a framework aimed at significantly reducing the cost of proving functional correctness for low-level operating systems components. The framework is designed around a new functional programming language, Cogent. A central aspect of the language is its uniqueness type system, which eliminates the need for a trusted runtime or garb...
We describe our ongoing research that aims to eliminate microarchitectural timing channels through time protection, which eliminates the root cause of these channels, competition for capacity-limited hardware resources. A proof-ofconcept implementation of time protection demonstrated the approach can be effective a nd l ow o verhead, b ut also that...
Operating system (OS) kernels achieve isolation between user-level processes using hardware features such as multi-level page tables and translation lookaside buffers (TLBs). The TLB caches address translation, and therefore correctly controlling the TLB is a fundamental security property of OS kernels—yet all large-scale formal OS verification pro...
Timing channels are a significant and growing security threat in computer systems, with no established solution. We have recently argued that the OS must provide time protection, in analogy to the established memory protection, to protect applications from information leakage through timing channels. Based on a recently-proposed implementation of t...
Timing channels are a significant and growing security threat in computer systems, with no established solution. We have recently argued that the OS must provide time protection, in analogy to the established memory protection, to protect applications from information leakage through timing channels. Based on a recently-proposed implementation of t...
The language Cogent allows low-level operating system components to be modelled as pure mathematical functions operating on algebraic data types, which makes it highly suitable for verification in an interactive theorem prover. Furthermore, the Cogent compiler translates these models into imperative C programs, and provides a proof that this compil...
Current approaches to cyberresiliency rely on patching systems after a vulnerability is discovered. What is needed is a clean-slate, mathematically based approach for building secure software. We developed new tools based on formal methods for building software for unmanned air vehicles that is provably secure against cyberattacks.
Verified software secures the Unmanned Little Bird autonomous helicopter against mid-flight cyber attacks.
Operating system (OS) kernels achieve isolation between user-level processes using multi-level page tables and translation lookaside buffers (TLBs). Controlling the TLB correctly is a fundamental security property—yet all large-scale formal OS verification projects leave correct functionality of the TLB as an assumption. We present a logic for reas...
The use of Hoare logic in combination with weakest preconditions and strongest postconditions is a standard tool for program verification, known as backward and forward reasoning. In this paper we extend these techniques to allow backward and forward reasoning for separation logic. While the former is derived directly from the standard operators of...
Property-based testing can play an important role in reducing the cost of formal verification: It has been demonstrated to be effective at detecting bugs and finding inconsistencies in specifications, and thus can eliminate effort wasted on fruitless proof attempts. We argue that in addition, property-based testing enables an incremental approach t...
We present recent work on building and scaling trustworthy systems with formal, machine-checkable proof from the ground up, including the operating system kernel, at the level of binary machine code. We first give a brief overview of the seL4 microkernel verification and how it can be used to build verified systems. We then show two complementary t...
The main security mechanism for enforcing memory isolation in operating systems is provided by page tables. The hardware-implemented Translation Lookaside Buffer (TLB) caches these, and therefore the TLB and its consistency with memory are security crit- ical for OS kernels, including formally verified kernels such as seL4. If performance is paramo...
We present a framework aimed at significantly reducing the cost of verifying certain classes of systems software, such as file systems. Our framework allows for equational reasoning about systems code written in our new language, Cogent. Cogent is a restricted, polymorphic, higher-order, and purely functional language with linear types and without...
We present a framework aimed at significantly reducing the cost of verifying certain classes of systems software, such as file systems. Our framework allows for equational reasoning about systems code written in our new language, Cogent. Cogent is a restricted, polymorphic, higher-order, and purely functional language with linear types and without...
Our language Cogent simplifies verification of systems software using a certifying compiler, which produces a proof that the generated C code is a refinement of the original Cogent program. Despite the fact that Cogent itself contains a number of refinement layers, the semantic gap between even the lowest level of Cogent semantics and the generated...
We present an approach to writing and formally verifying high-assurance file-system code in a restricted language called Cogent, supported by a certifying compiler that produces C code, high-level specification of Cogent, and translation correctness proofs. The language is strongly typed and guarantees absence of a number of common file system impl...
We present an approach to writing and formally verifying high-assurance file-system code in a restricted language called Cogent, supported by a certifying compiler that produces C code, high-level specification of Cogent, and translation correctness proofs. The language is strongly typed and guarantees absence of a number of common file system impl...
We present an approach to writing and formally verifying high-assurance file-system code in a restricted language called Cogent, supported by a certifying compiler that produces C code, high-level specification of Cogent, and translation correctness proofs. The language is strongly typed and guarantees absence of a number of common file system impl...
We present an approach to writing and formally verifying high-assurance file-system code in a restricted language called Cogent, supported by a certifying compiler that produces C code, high-level specification of Cogent, and translation correctness proofs. The language is strongly typed and guarantees absence of a number of common file system impl...
This special issue collects current efforts towards the construction of formal proofs with the use of interactive theorem provers, which combine formal proof-checking and proof-finding tools with human guidance.
We present a self-certifying compiler for the COGENT systems language. COGENT
is a restricted, polymorphic, higher-order, and purely functional language with
linear types and without the need for a trusted runtime or garbage collector.
It compiles to efficient C code that is designed to interoperate with existing
C functions. The language is suited...
Formal verification has been successfully applied to provide strong correctness guarantees of software systems, but its application to large code bases remains an open challenge. The technique of component-based software development, traditionally employed for engineering benefit, also aids reasoning about such systems. While there exist compositio...
Formal methods, and particularly formal verification, is becoming more feasible to use in the engineering of large highly dependable software-based systems, but so far has had little rigorous empirical study. Its artefacts and activities are different to those of conventional software engineering, and the nature and drivers of productivity for form...
Formal methods tools have been shown to be effective at finding defects in and
verifying the correctness of safety-critical systems, many of which require some form of certification. However, there are still many issues that must be addressed before formal verification tools can be used as part of the certification of safety-critical systems. For e...
Program analysis, also known as static analysis, describes a whole field of techniques for the static (i.e. compile-time) analysis of programs.
So far we have proved properties of IMP, like type soundness, or properties of tools for IMP, like compiler correctness, but almost never properties of individual IMP programs. The Isabelle part of the book has taught us how to prove properties of functional programs, but not of imperative ones.
To talk about semantics, we first need a programming language. This chapter defines one: a minimalistic imperative programming language called IMP. The main aim of this chapter is to introduce the concepts of commands and their abstract syntax, and to use them to illustrate two styles of defining the semantics of a programming language: big-step an...
This chapter presents a first application of programming language semantics: proving compiler correctness. To this end, we will define a small machine language based on a simple stack machine. Stack machines are common lowlevel intermediate languages; the Java Virtual Machine is one example. We then write a compiler from IMP to this language and pr...
So far we have worked exclusively with various operational semantics which are defined by inference rules that tell us how to execute some command. But those rules do not tell us directly what the meaning of a command is. This is what denotational semantics is about: mapping syntactic objects to their denotation or meaning. In fact, we are already...
The methods of the previous chapter suffice to define the arithmetic and Boolean expressions of the programming language IMP that is the subject of this book. In this chapter we define their syntax and semantics, write little optimizers for them and show how to compile arithmetic expressions to a simple stack machine. Of course we also prove the co...
The core syntax of formulas (form below) provides the standard logical constructs, in decreasing order of precedence.
This chapter introduces HOL as a functional programming language and shows how to prove properties of functional programs by induction.
This chapter introduces HOL as a functional programming language and shows how to prove properties of functional programs by induction.
This chapter introduces types into IMP, first a traditional programming language type system, then more sophisticated type systems for information flow analysis. Why bother with types? Because they prevent mistakes. They are a simple, automatic way to find obvious problems in programs before these programs are ever run.
In Chapter 10 we saw a number of automatic program analyses, and each one was hand crafted. Abstract Interpretation is a generic approach to automatic program analysis. In principle, it covers all of our earlier analyses. In this chapter we ignore the optimizing program transformations that accompany certain analyses.
Apply-scripts are unreadable and hard to maintain. The language of choice for larger proofs is Isar. The two key features of Isar are (1) It is structured, not linear. (2) It is readable without its being run because you need to state what you are proving at any given point. Whereas apply-scripts are like assembly language programs, Isar proofs are...
Part I of this book is a practical introduction to working with the Isabelle proof assistant. It teaches you how to write functional programs and inductive definitions and how to prove properties about them in Isabelle’s structured proof language. Part II is an introduction to the semantics of imperative languages with an emphasis on applications l...
It is a great verification challenge to prove properties of complete computer systems on the source code level. The L4.verified project achieved a major step towards this goal by mechanising a proof of functional correctness of the seL4 kernel. They expressed correctness in terms of data refinement with a coarse-grained specification of the kernel’...
Context: Recent projects such as L4.verified (the verification of the seL4 microkernel) have demonstrated that large-scale formal program verification is now becoming practical.
Objective: We address an important but unstudied aspect of proof engineering: proof productivity.
Method: We extracted size and effort data from the history of the developm...
We present an approach for automatically generating provably correct abstractions from C source code that are useful for practical implementation verification. The abstractions are easier for a human verification engineer to reason about than the implementation and increase the productivity of interactive code proof. We guarantee soundness by autom...
File systems are too important, and current ones are too buggy, to remain unverified. Yet the most successful verification methods for functional correctness remain too expensive for current file system implementations-we need verified correctness but at reasonable cost. This paper presents our vision and ongoing work to achieve this goal for a new...
In this talk, I will give an overview of the various formal verification projects around the evolving seL4 microkernel, and discuss our experience in large scale proof engineering and maintenance.
In particular, the presentation will draw a picture of what these verifications mean and how they fit together into a whole. Among these are a number of...
We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel.
We discuss the kernel design we used to make its verification tractable. We then describe the functional correctness proof of the kernel's C implementation and we cover further steps that transform this r...
We introduce a purely functional domain specific language, CDSL, which aims to substantially reduce the cost of producing efficient, verified file system code. Given an executable specification of a file system, the CDSL compiler generates C code and, when fully implemented, will also generate an Isabelle/HOL proof linking the specification and the...
This paper describes ongoing work on a new technique for reducing the cost of assurance of large software systems by building on a verified component platform. From a component architecture description, we automatically derive a formal model of the system and a semantics for the runtime behaviour of generated inter-component communication code. We...
File systems are too important, and current ones are too buggy, to remain unverified. Yet the most successful verification methods for functional correctness remain too expensive for current file system implementations --- we need verified correctness but at reasonable cost. This paper presents our vision and ongoing work to achieve this goal for a...
The safety and security of software systems depends on how they are initially configured. Manually writing program code that establishes such an initial configuration is a tedious and error-prone engineering process. In this paper we present an automatic and formally verified initialiser for component-based systems built on the general-purpose micr...
We extend the existing formal verification of the seL4 operating system microkernel from 9500 lines of C source code to the binary level. We handle all functions that were part of the previous verification. Like the original verification, we currently omit the assembly routines and volatile accesses used to control system hardware.
More generally,...
In contrast to testing, mathematical reasoning and formal verification can show the absence of whole classes of security vulnerabilities. We present the, to our knowledge, first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4. Unlike previous proofs of...
Size and effort estimation is a significant challenge for the management of large-scale formal verification projects. We report on an initial study of relationships between the sizes of artefacts from the development of seL4, a formally-verified embedded systems microkernel. For each API function we first determined its COSMIC Function Point (CFP)...
We present an approach for automatically generating provably correct abstractions from C source code that are useful for practical implementation verification. The abstractions are easier for a human verification engineer to reason about than the implementation and increase the productivity of interactive code proof. We guarantee soundness by autom...
While intransitive noninterference is a natural property for any secure OS kernel to enforce, proving that the implementation of any particular general-purpose kernel enforces this property is yet to be achieved. In this paper we take a significant step towards this vision by presenting a machine-checked formulation of intransitive noninterference...
This volume contains the papers accepted at the 7th Systems Software
Verification Conference (SSV 2012), held in Sydney, November 28-30, 2012.
The aim of SSV workshops and conference series is to bring together
researchers and developers from both academia and industry who are facing real
software and real problems with the goal of finding real, ap...
This volume contains the papers accepted at the 7th Systems Software Verification Conference (SSV 2012), held in Sydney, November 28-30, 2012. The aim of SSV workshops and conference series is to bring together researchers and developers from both academia and industry who are facing real software and real problems with the goal of finding real, ap...
National Information and Communications Technology Australia (NICTA) is the largest ICT research center in Australia, having been established 10 years ago in 2002. It has five laboratories in four Australian capital cities: Sydney, Canberra, Melbourne, and Brisbane. There are currently around 700 staff and Ph.D. students working at NICTA. In June 2...
We present an Isabelle/HOL library with a generic type class implementation of separation algebra, develop basic separation logic concepts on top of it, and implement generic automated tactic support that can be used directly for any instantiation of the library. We show that the library is usable by multiple example instantiations that include str...
Before low-level imperative code can be reasoned about in an interactive theorem prover, it must first be converted into a logical representation in that theorem prover. Accurate translations of such code should be conservative, choosing safe representations over representations convenient to reason about. This paper bridges the gap between conserv...
Large-scale verification projects pose particular challenges. Issues include proof exploration, efficiency of the edit-check cycle, and proof refactoring for documentation and maintainability. We draw on insights from two large-scale verification projects, L4.verified and Verisoft, that both used the Isabelle/HOL prover. We identify the main challe...
The L4.verified project was a rare success in large-scale, formal verification: it provided a formal, machine-checked, code-level proof of the full functional correctness of the seL4 microkernel. In this paper we report on the development process and management issues of this project, highlighting key success factors. We formulate a detailed descri...
The L4.verified project successfully completed a large-scale machine-checked formal verification at the code level of the functional correctness of the seL4 operating system microkernel. The project applied a middle-out process, which is significantly different from conventional software development processes. This paper reports a simulation model...
A formalisation of generic, fixed size machine words in Isabelle/HOL. An earlier version of this formalisation is described in [1].
The time has arrived for truly trustworthy systems, backed by machine-checked proofs of security and reliability. Research demonstrates that formal whole-system analysis that applies to the C and binary implementation level is feasible, including proofs of integrity, authority confinement, confidentiality, and worst-case execution time. Because the...
We prove that the seL4 microkernel enforces two high-level access control properties: integrity and authority confinement.
Integrity provides an upper bound on write operations. Authority confinement provides an upper bound on how authority may
change. Apart from being a desirable security property in its own right, integrity can be used as a gener...
This document shows how to typset mathematics in Isabelle-based documents in a style close to that in ordinary computer science papers. 1
The L4.verified project has produced a formal, machine- checked Isabelle/HOL proof that the C code of the seL4 OS microkernel
correctly implements its abstract implementation. This paper briefly summarises the proof, its main implications and assumptions,
reports on the experience in conducting such a large-scale verification, and finally lays out...
Computer systems are routinely deployed in life- and mission-critical situations, yet their security, safety or dependability can in most cases not be assured to the degree warranted by the application. In other words, trusted computer systems are rarely really trustworthy. We believe that this is highly unsatisfactory, and have embarked on a large...
Last year, the NICTA L4.verified project produced a formal machine-checked Isabelle/HOL proof that the C code of the seL4 OS microkernel correctly implements its abstract implementation. This papers gives a brief overview of the proof together with its main implications and assumptions, and paints a vision on how this verified kernel can be used fo...
Last year, the L4.verified project produced a formal, machine-checked Isabelle/HOL proof that the C code of the seL4 OS microkernel
correctly implements its abstract implementation. In my presentation I will summarise the proof together with its main implications
and assumptions, I will describe in which kinds of systems this formally verified kern...
Capabilities provide an access control model that can be used to construct systems where safety of protection can be precisely de- termined. However, in order to be certain of the security provided by such systems it is necessary to verify that their capability dis- tributions do in fact fulfil requirements relating to isolation and information flo...
We report on the formal, machine-checked verication of the seL4 microkernel from an abstract specication down to its C implementation. We assume correctness of compiler, assembly code, hardware, and boot code. seL4 is a third-generation microkernel of L4 provenance, comprising 8,700 lines of C and 600 lines of assembler. Its performance is comparab...
We present an overview of the different refinement frameworks used in the L4.verified project to formally prove the functional correctness of the seL4 microker-nel. The verification is conducted in the interactive theorem prover Isabelle/HOL and proceeds in two large refinement steps: one proof between two monadic, functional specifications in HOL...
Complete formal verification is the only known way to guarantee that a system is free of programming errors. We present our experience in performing the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of compiler, assembly code, and hardware, and we used...
This paper presents a machine-checked high-level security analysis of seL4 — an evolution of the L4 kernel series targeted to secure, embedded devices. We provide an abstract specification of the seL4 access control system in terms of a classical take-grant model together with a formal proof of its decidability. Using the decidability property we s...
We report on our experience using Haskell as an executable specifi- cation language in the formal verification of the seL4 microkernel. The verification connects an abstract operational specification in the theorem prover Isabelle/HOL to a C implementation of the mi- crokernel. We describe how this project differs from other efforts, and examine th...
We report on our experience using Haskell as an executable specification language in the formal verification of the seL4 microkernel. The verification connects an abstract operational specification in the theorem prover Isabelle/HOL to a C implementation of the microkernel. We describe how this project differs from other efforts, and examine the ef...
This paper presents the formal Isabelle/HOL framework we use to prove refinement between an executable, monadic specification and the C implementation of the seL4 microkernel. We describe the refinement framework itself, the automated tactics it supports, and the connection to our previous C verification framework. We also report on our experience...
This paper presents a separation-logic framework for reason- ing about low-level C code in the presence of virtual memory. We describe our abstract, generic Isabelle/HOL framework for reasoning about virtual memory in separation logic, and we instantiate this framework to a pre- cise, formal model of ARMv6 page tables. The logic supports the usual...
A number of papers have been published to provide information about formal verification of computing system operating systems (OS) to assure its safety, security, or functional correctness. These papers inform about advancements in theorem proving, model checking, and static analysis from the leading research groups working on OS verification. The...
This paper gives a high-level introduction to the topic of formal, interactive, machine-checked software verification in general,
and the verification of operating systems code in particular. We survey the state of the art, the advantages and limitations
of machine-checked code proofs, and describe two specific ongoing larger-scale verification pro...
Two years ago Gernot Heiser demanded in this venue Your System is Secure? Prove it! [5] He also mentioned the L4.verified [3] project at NICTA which is doing just that. This proof is now completed and in this article I'm showing what we have proved and what that means for security. The seL4 microkernel: Correct! The basic idea goes back to the 1970...
This paper presents a machine-checked high-level security analysis of seL4—an evolution of the L4 kernel series targeted to secure, embedded devices. We provide an abstract specification of the seL4 access control system together with a formal proof that shows how confined subsystems can be enforced. All proofs and specifications in this paper are...
We present Mapped Separation Logic, an instance of Separa- tion Logic for reasoning about virtual memory. Our logic is formalised in the Isabelle/HOL theorem prover and it allows reasoning on properties about page tables, direct physical memory access, virtual memory access, and shared memory. Mapped Separation Logic fully supports all rules of abs...
We present a scalable, practical Hoare Logic and refinement calculus for the nondeterministic state monad with exceptions
and failure in Isabelle/HOL. The emphasis of this formalisation is on large-scale verification of imperative-style functional
programs, rather than expressing monad calculi in full generality. We achieve scalability in two dimen...
As computer systems become increasingly mission-critical, used in life-critical situations, and relied upon to protect intellectual prop- erty, operating-system reliability is becoming an ever growing con- cern. In the past, mission- and life-critical embedded systems con- sisted of simple microcontrollers running a small amount of soft- ware that...
We present a formal model of memory that both captures the low-level features of C's pointers and memory, and that forms the basis for an expressive implementation of separation logic. At the low level, we do not commit common oversimplifications, but correctly deal with C's model of programming language values and the heap. At the level of separat...
Hoare logic is widely used for software specification and verification. Fre- quently we need to prove the total correctness of a program: to prove that the program not only satisfies its pre- and post-conditions but also terminates. We have implemented a termination checker for Isabelle's Hoare logic. The tool can be used as an oracle, where Isabel...
Abstract In the paper we examine one of the issues in designing, specifying, implementing and formally verifying a small operating system kernel — how,to provide a productive and iterative development,methodology,for both operating system developers and formal methods,practitioners. We espouse the use of functional programming,languages,as a medium...
We propose a development methodology for designing and proto- typing high assurance microkernels, and describe our application of it. The methodology is based on rapid prototyping and iterative re- finement of the microkernel in a functional programming language. The prototype provides a precise semi-formal model, which is also combined with a mach...
