sel4 formal verification of an os kernel
play

seL4: Formal Verification of an OS Kernel . - PowerPoint PPT Presentation

Jun 04, 2023 •9 likes •169 views

seL4: Formal Verification of an OS Kernel . seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010 . . . . . . seL4: Formal Verification of an OS Kernel About seL4 What is seL4? Secure

  1. seL4: Formal Verification of an OS Kernel . seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010 . . . . . .

  2. seL4: Formal Verification of an OS Kernel About seL4 What is seL4? Secure Embedded L4 Formally verified kernel from the L4 family Runs on ARMv6 and x86 architectures (there is no proof for x86) “Complete, general-purpose operating-system kernel” 8 ‘ 700 lines of C and 600 lines of assembler Microkernel that provides address spaces, threads, IPC and authorisation capabilities . . . . . .

  3. seL4: Formal Verification of an OS Kernel About seL4 What is proved? Behaviour precisely specified at abstract level Implementation is proved to follow abstract level specification and do nothing more Proof of termination and execution safety . . . . . .

  4. seL4: Formal Verification of an OS Kernel About seL4 What is not proved? Abstract specification making any sense Device drivers (not being part of the kernel) Memory allocation Several low level parts implemented in assembler Boot code Compiler correctness Hardware correctness eorem prover correctness . . . . . .

  5. seL4: Formal Verification of an OS Kernel About seL4 What does it give us? It’s impossible to make a buffer overflow aack No NULL pointer dereferencing No accidental uses of pointers to wrong type of data No memory leaks No arithmetic overflows and exceptions in kernel code (eg. no division by zero errors) . . . . . .

  6. seL4: Formal Verification of an OS Kernel Proof overview About proof Proof is done using Isabelle/HOL theorem prover. ere are several proof assumptions: Valid compiler (GCC) Hardware correctness eorem prover is correct Proof was only done for ARMv6 architecture with one CPU. . . . . . .

  7. seL4: Formal Verification of an OS Kernel Proof overview About proof e proof and implementation is split into three phases: Abstract specification — system interface Executable specification — Haskell prototype C implementation . . . . . .

  8. seL4: Formal Verification of an OS Kernel Abstract specification Abstract specification Defines the system interface, describes what the system does, but not how. Every implementation refining this specification will be binary compatible with seL4. Properties: 4 ‘ 900 lines of Isabelle proof Enough detail to specify outer interface of the kernel No implementation details, data structures are high level (sets, lists, trees, etc.) . . . . . .

  9. seL4: Formal Verification of an OS Kernel Executable specification Haskell prototype Executable specification fills in details le by abstract specification and describes how the system works. Prototype properties: 5 ‘ 700 lines of code, 13 ‘ 000 lines of Isabelle proof Runnable with modified QEMU Deterministic (only le non-determinism is hardware) Proved to implement abstract specification Automatically translated to Isabelle script . . . . . .

  10. seL4: Formal Verification of an OS Kernel Executable specification Haskell prototype ere are some restrictions that make automatic translation to Isabelle possible: No substantial use of laziness Restricted use of type classes All functions are proved to terminate . . . . . .

  11. seL4: Formal Verification of an OS Kernel C implementation C implementation C implementation is a manual reimplementation of Haskell code. Haskell runtime is much bigger than the kernel itself and would be hard to be proved correct Garbage collection is not suitable for real-time environments C allows low level optimisations Automatic translation would be easier to prove, but it wouldn’t allow any low level optimisations Properties: 8 ‘ 700 lines of code, 15 ‘ 000 lines of Isabelle proof . . . . . .

  12. seL4: Formal Verification of an OS Kernel C implementation Assembler parts For some direct interaction with hardware assembler is used. For example cache and TLB flushes require direct instructions to hardware. is low level parts of code are not proved correct, but they are traditionally tested. . . . . . .

  13. seL4: Formal Verification of an OS Kernel Verification effort Lines of code 5 ‘ 700 lines of Haskell 8 ‘ 700 lines of C 600 lines of assembler Total of 200 ‘ 000 lines of Isabelle script (including generated proofs) . . . . . .

  14. seL4: Formal Verification of an OS Kernel Verification effort Time Abstract specification - 4 person months Haskell prototype - 2 person years C implementation - 3 person months Total of 2 . 2 person years SLOCCount estimates cost of seL4 implementation at 4 person years, in comparison it took 6 person years to implement Pistachio kernel Cost of proof - 20 person years ( 9 person years for tools, frameworks and automation, 11 person years for seL4 specific proo) All together — design, documentation, implementation and verification — about 25 – 30 person years, to do this again it would be about 10 person years . . . . . .

  15. seL4: Formal Verification of an OS Kernel Conclusions Conclusions Formal verification is achievable for microkernels Performance does not need to be sacrificed for verification Detour via Haskell improved productivity . . . . . .

  16. seL4: Formal Verification of an OS Kernel Future What next? Verification of assembly parts Version of kernel for multi-CPU machines . . . . . .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified trustworthy software systems April 2016 data61.csiro.au Formal verification of real systems is happening! Formal verification of real systems

981 views • 75 slides
Verifying the seL4 Microkernel Formal Proof in Mathematics and Computer Science Lukas Stevens

Verifying the seL4 Microkernel Formal Proof in Mathematics and Computer Science Lukas Stevens

Verifying the seL4 Microkernel Formal Proof in Mathematics and Computer Science Lukas Stevens 21st June 2018 Outline 2. Design process of seL4 3. Formal methods of the correctness proof 4. Layers of the correctness proof 5. Conclusion 1 1.

754 views • 64 slides
Eliminating bugs in BPF JITs using automated formal verification Luke Nelson with Jacob van Ge

Eliminating bugs in BPF JITs using automated formal verification Luke Nelson with Jacob van Ge

Eliminating bugs in BPF JITs using automated formal verification Luke Nelson with Jacob van Ge ff en, Emina Torlak, and Xi Wang BPF is used throughout the kernel Many uses for BPF: tracing, networking, security, etc. In-kernel JIT

849 views • 48 slides
Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser |

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser |

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser LCA, Gold Coast, QLD, 2020-01-15 https://trustworthy.systems What is seL4? A 30-Year Dream 3 | LCA |

886 views • 36 slides
Specification and verification in the field: Applying formal methods to BPF just-in-time

Specification and verification in the field: Applying formal methods to BPF just-in-time

Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel Luke Nelson, Jacob Van Geffen, Emina Torlak, and Xi Wang University of Washington Goal: formally verified (e)BPF JITs in the

267 views • 22 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit:

Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit:

Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit: 25 September 2019 www.data61.csiro.au Overview What is a Trustworthy System? What does

747 views • 26 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

706 views • 56 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Capabilities in seL4 Types of Authority Resource Management Implementation Model

Capabilities in seL4 Types of Authority Resource Management Implementation Model

Capabilities in seL4 David Cock Background Microkernel Systems seL4 & Barrelfish Authorisation and Delegation Capabilities in seL4 Types of Authority Resource Management Implementation Model Representation David Cock Operations

1.41k views • 118 slides
E- -Series: Series: Water Mist Extinguishers Water Mist Extinguishers E E- -Series: Series:

E- -Series: Series: Water Mist Extinguishers Water Mist Extinguishers E E- -Series: Series:

E- -Series: Series: Water Mist Extinguishers Water Mist Extinguishers E E- -Series: Series: Water Mist Water Mist E Extinguisher Extinguisher E- -Series: Series: Breakthrough in modern firefighting Breakthrough in modern firefighting

698 views • 23 slides
Creating wellness, producing value Extroversion: Growing international presence. 3rd

Creating wellness, producing value Extroversion: Growing international presence. 3rd

, HELEX 16 OCTOBER 2018 Creating wellness, producing value Extroversion: Growing international presence. 3rd largest European soap producer. Local Production: Great production capacity, with ability to increase further,

297 views • 27 slides
Construction Engineering & Inspection Services Transit Bus Stop Infrastructure for the

Construction Engineering & Inspection Services Transit Bus Stop Infrastructure for the

1 Construction Engineering & Inspection Services Transit Bus Stop Infrastructure for the Broward County Transit Division (BCT) Presented By: Calvin, Giordano & Associates, Inc. RFP No. V2114585P1 Firm

416 views • 12 slides
Centre of Excellence: Tata Steel way to Process Safety Moving the Culture from Compliance

Centre of Excellence: Tata Steel way to Process Safety Moving the Culture from Compliance

Tata Steel Slide Centre of Excellence: Tata Steel way to Process Safety Moving the Culture from Compliance to Risk Management 8 th August,2019 CII, 13 th Safety Symposium & Exposition Process Safety Management Tata Steel Slide 1

391 views • 38 slides
Presentation June 2018 Disclaimer Certain information contained in this presentation, including

Presentation June 2018 Disclaimer Certain information contained in this presentation, including

Investor Presentation June 2018 Disclaimer Certain information contained in this presentation, including information and statements which may contain words such as objective, estimates, would, will, contemplates,

555 views • 22 slides
Discovery Drilling Team, Location, Targets September 2019 The views expressed in this

Discovery Drilling Team, Location, Targets September 2019 The views expressed in this

Discovery Drilling Team, Location, Targets September 2019 The views expressed in this presentation are based on information derived from Kincora Copper Ltds (Kincora) own internal and publicly available sources that have not be

571 views • 21 slides
Learn what IT experts from Forrester Research, PayPal, and NextBio know about big data Speakers

Learn what IT experts from Forrester Research, PayPal, and NextBio know about big data Speakers

Turn Big Data into Fresh Insight Learn what IT experts from Forrester Research, PayPal, and NextBio know about big data Speakers Mike Gualtieri, Principal Analyst, Forrester Research Saran Mandair, Senior Director of IT, Big Data

818 views • 12 slides
Draft presentation for the Annual Project Board Istanbul, 2 February 2017 Regional Partnerships

Draft presentation for the Annual Project Board Istanbul, 2 February 2017 Regional Partnerships

Draft presentation for the Annual Project Board Istanbul, 2 February 2017 Regional Partnerships Advisor, P4 (BERA)* Dmitri Mariyasin (2016)/ Ivan Zverzhanovski Partnership Development RM &SSC: Mara Niculescu, IRH Specialist, P3 RM

606 views • 11 slides

More recommend