Applying Language-based Static Verification in an ARM Operating - - PowerPoint PPT Presentation

applying language based static verification in an arm
SMART_READER_LITE
LIVE PREVIEW

Applying Language-based Static Verification in an ARM Operating - - PowerPoint PPT Presentation

Feb 07, 2023 104 likes •375 views

Applying Language-based Static Verification in an ARM Operating System Matthew Danish Boston University md@bu.edu 9 May 2013 What do we want? Correctness Flexibility Responsiveness Practicality Predictability What do we want?

slide-1
SLIDE 1

Applying Language-based Static Verification in an ARM Operating System

Matthew Danish

Boston University md@bu.edu

9 May 2013

slide-2
SLIDE 2

What do we want?

Correctness Responsiveness Predictability Practicality Flexibility

slide-3
SLIDE 3

What do we want?

Correctness Responsiveness Predictability Practicality Flexibility

General Purpose OS Real Time OS

slide-4
SLIDE 4

What do we want?

Correctness Responsiveness Predictability Practicality Flexibility

General Purpose OS Real Time OS

slide-5
SLIDE 5

Programming Languages and Types

◮ Choosing or designing languages for systems

◮ Unix: C ◮ SPIN: Modula-3 ◮ Singularity: Sing# ◮ seL4: Isabelle, Haskell and C ◮ House: Haskell

"Partial specifications" T ypes Language OS

slide-6
SLIDE 6

Programming Languages and Types

◮ Choosing or designing languages for systems

◮ Unix: C ◮ SPIN: Modula-3 ◮ Singularity: Sing# ◮ seL4: Isabelle, Haskell and C ◮ House: Haskell

"Partial specifications" T ypes Language OS

slide-7
SLIDE 7

Advanced types Low level efficiency

seL4 House Unix SPIN Singularity

slide-8
SLIDE 8

Advanced types Low level efficiency

seL4 House Unix SPIN Singularity

Can we have more advanced types and low level efficiency?

slide-9
SLIDE 9

ATS

◮ ML-like, strong C integration, LF-style theorem proving ◮ Linear types (a.k.a. view types), dependent types ◮ Separation of proof-world and program-world,

(proof | program)

◮ Practical, functional programming in system setting

slide-10
SLIDE 10

Terrier OS

◮ ARM, TI OMAP4 MP-core, SMP, USB support ◮ Exploring advanced types in assisting OS development ◮ Compact and uncluttered design, with message-passing ◮ Work in progress

slide-11
SLIDE 11

Challenges

◮ Bringing high level functional programming into OS ◮ Using advanced types to tackle common problems ◮ Interfacing with the low level code where needed ◮ Avoiding performance impacts

slide-12
SLIDE 12

Functional programming

◮ Nested functions ◮ Tail recursion elimination ◮ Higher order functions ◮ Style

slide-13
SLIDE 13

Resource management

◮ Linear reasoning: avoid memory leaks ◮ “Must be used once and exactly once” ◮ Typical pattern: allocate, transform, and release

let val (proof_var | pointer_var) = alloc ( ) val x = do_something (proof_var | pointer_var) in free (proof_var | pointer_var)

slide-14
SLIDE 14

Synchronization

◮ Linear reasoning for synchronization ◮ Ensure proper lock management ◮ Correct sequencing of steps

let val (outer | _) = outer_lock ( ) in let val (inner | _) = inner_lock (outer | ) in ... let val (outer | _) = inner_unlock (inner | ) in

  • uter_unlock (outer |

)

slide-15
SLIDE 15

Safe use of pointers

◮ Concept: “value of type t is stored at address l” ◮ ATS “@-view”: type @ address

fun alloc_pair( ): [ l: addr ] ( (int, int) @ l | ptr l) fun free_pair {l: addr} (pf: (int, int) @ l | p: ptr l)

◮ Pointers: a “dependent type” i.e. a type indexed by a value ◮ In this case: the value is the address ◮ The “@-view” validates the pointer

slide-16
SLIDE 16

Array bounds checking

◮ Integer constraint solver ◮ Automatic bounds checks ◮ array: dependent type indexed by length ◮ Array access must be within 0 ≤ i < n

fun f {n: int | n > 3} (A: array (int, n), len: int n): int = let val x = A [ 0 ] in if len > 4 then x + A [ 4 ] else x

slide-17
SLIDE 17

Integer constraints

◮ Not just limited to arrays ◮ Example from scheduler ◮ “exists tick t such that t > now”

val [ now: int ] now: tick now = timer_32k_value( ) fun is_earlier_than {n, m: nat} (tn: tick n, tm: tick m): bool (n < m) ... val future: [ t: int | t > now ] tick t = ...

slide-18
SLIDE 18

Avoiding overhead

◮ Erasure of statics ◮ Flat types, C data representation ◮ Templates

slide-19
SLIDE 19

ATS integration

ATS file Generated C Object file Object file C file Linked Kernel atsopt gcc gcc ld

◮ ATS acts as preprocessor ◮ No run-time and minimal static support ◮ ATS in both kernel and program components

slide-20
SLIDE 20

Protection

A B C A B C

Virtual Address Physical Address

◮ Hardware memory protection optional ◮ Can rely on hardware protections when needed ◮ Or can switch to static verification when ready

slide-21
SLIDE 21

Protection

A B C A B C

Virtual Address Physical Address

◮ All programs take advantage of ELF features for relocation ◮ Kernel has load-time linker which rewrites binary ◮ Can rewrite binaries into the two different memory models

slide-22
SLIDE 22

Putting it together

◮ The role of type systems in OS development ◮ Application of advanced types for better assurance ◮ Incremental approach to verification ◮ Straightforward machine translation to C ◮ Depends on compiler and hardware correctness

slide-23
SLIDE 23

Advanced types Low level efficiency

seL4 House Unix SPIN Singularity

slide-24
SLIDE 24

Advanced types Low level efficiency

T errier seL4 House Unix SPIN Singularity

slide-25
SLIDE 25

seL4 and Terrier

seL4

◮ Haskell prototype,

Isabelle specification, refinement proof between specification and C

◮ Entire kernel, big effort ◮ Top-down

Terrier

◮ Written directly in

C/ATS mix, ATS types

◮ Flexible, selective effort ◮ Bottom-up

slide-26
SLIDE 26

Future work

◮ Writing more proofs ◮ Adding further hardware support ◮ Deploying on an experiment