verifying the sel4 microkernel
play

Verifying the seL4 Microkernel Formal Proof in Mathematics and - PowerPoint PPT Presentation

Apr 02, 2024 •103 likes •754 views

Verifying the seL4 Microkernel Formal Proof in Mathematics and Computer Science Lukas Stevens 21st June 2018 Outline 2. Design process of seL4 3. Formal methods of the correctness proof 4. Layers of the correctness proof 5. Conclusion 1 1.

  1. Verifying the seL4 Microkernel Formal Proof in Mathematics and Computer Science Lukas Stevens 21st June 2018

  2. Outline 2. Design process of seL4 3. Formal methods of the correctness proof 4. Layers of the correctness proof 5. Conclusion 1 1. What is a µ -kernel?

  3. What is a µ -kernel?

  4. What is a kernel anyway? • Necessary abstractions for applications • Interaction via system calls • Loaded into protected memory region Bugs are potentially fatal 2

  5. What is a kernel anyway? • Necessary abstractions for applications • Interaction via system calls • Loaded into protected memory region Bugs are potentially fatal 2

  6. What is a kernel anyway? • Necessary abstractions for applications • Interaction via system calls • Loaded into protected memory region Bugs are potentially fatal 2

  7. What is a kernel anyway? • Necessary abstractions for applications • Interaction via system calls • Loaded into protected memory region Bugs are potentially fatal 2

  8. What is a kernel anyway? • Necessary abstractions for applications • Interaction via system calls • Loaded into protected memory region 2 ⇒ Bugs are potentially fatal

  9. Defjnition: Microkernel ing it outside the kernel, i.e. permitting competing implementations, would prevent the implementation of the system’s required functionality. — Jochen Liedtke 3 A concept is tolerated inside the µ -kernel only if mov-

  10. 4 Monolithic kernels and µ -kernels OS based on OS based on Monolithic Kernel Microkernel Applications Applications User Device Drivers Mode UNIX- File Application Device File System IPC Server System Drivers IPC, Virtual Memory, Scheduling Kernel mode etc. Basic IPC, Virtual Memory, Scheduling Hardware Hardware

  11. • Member of the L4 -kernel family • Correctness verifjed with Isabelle • High performance 5 The seL4 µ -kernel

  12. • Correctness verifjed with Isabelle • High performance 5 The seL4 µ -kernel • Member of the L4 µ -kernel family

  13. • Correctness verifjed with Isabelle • High performance 5 The seL4 µ -kernel • Member of the L4 µ -kernel family

  14. • Correctness verifjed with Isabelle • High performance 5 The seL4 µ -kernel • Member of the L4 µ -kernel family

  15. Design process of seL4

  16. Design process for verifjcation Proof Stage 2 Stage 1 Translation Automatic Design Improvement Implementation Implementation Proof Requirements mentation C imple- Specifjcation Abstract Specifjcation Executable Prototype Haskell 6

  17. Design process for verifjcation Proof Stage 2 Stage 1 Translation Automatic Design Improvement Implementation Implementation Proof Requirements mentation C imple- Specifjcation Abstract Specifjcation Executable Prototype Haskell 6

  18. Design process for verifjcation Proof Stage 2 Stage 1 Translation Automatic Design Improvement Implementation Implementation Proof Requirements mentation C imple- Specifjcation Abstract Specifjcation Executable Prototype Haskell 6

  19. Design process for verifjcation Proof Stage 2 Stage 1 Translation Automatic Design Improvement Implementation Implementation Proof Requirements mentation C imple- Specifjcation Abstract Specifjcation Executable Prototype Haskell 6

  20. Design process for verifjcation Proof Stage 2 Stage 1 Translation Automatic Design Improvement Implementation Implementation Proof Requirements mentation C imple- Specifjcation Abstract Specifjcation Executable Prototype Haskell 6

  21. Design process for verifjcation Proof Stage 2 Stage 1 Translation Automatic Design Improvement Implementation Implementation Proof Requirements mentation C imple- Specifjcation Abstract Specifjcation Executable Prototype Haskell 6

  22. Design process for verifjcation Proof Stage 2 Stage 1 Translation Automatic Design Improvement Implementation Implementation Proof Requirements mentation C imple- Specifjcation Abstract Specifjcation Executable Prototype Haskell 6

  23. Formal methods of the correctness proof

  24. Hoare logic P C Q 7 � �� � � �� � � �� � { x = 1 } { x = 2 } x := x + 1

  25. More Hoare logic x and y are even 8 { x = 0 ∧ x = 1 } y := 2 ∗ x { }

  26. More Hoare logic x and y are even 8 { x is even } y := 2 ∗ x { }

  27. More Hoare logic 8 { x is even } y := 2 ∗ x { x and y are even }

  28. Partial correctness of Hoare logic WHILE true DO c 9 { } { }

  29. Data refjnement A concrete system C refjnes an abstract specifjcation A if the behaviour of C is contained in that of A . 10

  30. Data refjnement A concrete system C refjnes an abstract specifjcation A if the behaviour of C is contained in that of A . 10

  31. Data refjnement: Examples • The scheduler selects runnable threads • System calls return non-zero values on error 11

  32. Layers of the correctness proof

  33. Proof structure Executable Specifjcation Abstract Specifjcation C implementation (Semantics) Haskell prototype C implementation Isabelle/HOL Proof Automatic translation 12

  34. Abstract specifjcation The abstract specifjcation is the most high-level layer still fully encapturing the behaviour of the kernel. 13

  35. Scheduler on the abstract level switch_to_thread thread od OR switch_to_idle_thread 14 schedule ≡ do threads ← all_active_tcbs; thread ← select threads;

  36. Executable specifjcation Fill in the details left open by the abstract specifjcation. 15

  37. Haskell implementation of the scheduler tcbSchedDequeue thread accordingly. Check if thread is runnable and act Queue. Try to fjnd runnable thread in thread. Call chooseThread to select next schedule idle thread. priority using chooseThread' or Get runnable thread with highest return True switchToThread thread else do return False if not runnable then do schedule = do runnable <- isRunnable thread chooseThread'' thread = do liftM isJust $ findM chooseThread'' q q <- getQueue prio chooseThread' prio = do when (r == Nothing) $ switchToIdleThread r <- findM chooseThread' (reverse [minBound .. maxBound]) chooseThread = do ... setSchedulerAction ResumeCurrentThread chooseThread ChooseNewThread -> do case action of action <- getSchedulerAction 16

  38. Haskell implementation of the scheduler tcbSchedDequeue thread accordingly. Check if thread is runnable and act Queue. Try to fjnd runnable thread in thread. Call chooseThread to select next schedule idle thread. priority using chooseThread' or Get runnable thread with highest return True switchToThread thread else do return False if not runnable then do schedule = do runnable <- isRunnable thread chooseThread'' thread = do liftM isJust $ findM chooseThread'' q q <- getQueue prio chooseThread' prio = do when (r == Nothing) $ switchToIdleThread r <- findM chooseThread' (reverse [minBound .. maxBound]) chooseThread = do ... setSchedulerAction ResumeCurrentThread chooseThread ChooseNewThread -> do case action of action <- getSchedulerAction 16

  39. Haskell implementation of the scheduler tcbSchedDequeue thread accordingly. Check if thread is runnable and act Queue. Try to fjnd runnable thread in thread. Call chooseThread to select next schedule idle thread. priority using chooseThread' or Get runnable thread with highest return True switchToThread thread else do return False if not runnable then do schedule = do runnable <- isRunnable thread chooseThread'' thread = do liftM isJust $ findM chooseThread'' q q <- getQueue prio chooseThread' prio = do when (r == Nothing) $ switchToIdleThread r <- findM chooseThread' (reverse [minBound .. maxBound]) chooseThread = do ... setSchedulerAction ResumeCurrentThread chooseThread ChooseNewThread -> do case action of action <- getSchedulerAction 16

  40. Haskell implementation of the scheduler tcbSchedDequeue thread accordingly. Check if thread is runnable and act Queue. Try to fjnd runnable thread in thread. Call chooseThread to select next schedule idle thread. priority using chooseThread' or Get runnable thread with highest return True switchToThread thread else do return False if not runnable then do schedule = do runnable <- isRunnable thread chooseThread'' thread = do liftM isJust $ findM chooseThread'' q q <- getQueue prio chooseThread' prio = do when (r == Nothing) $ switchToIdleThread r <- findM chooseThread' (reverse [minBound .. maxBound]) chooseThread = do ... setSchedulerAction ResumeCurrentThread chooseThread ChooseNewThread -> do case action of action <- getSchedulerAction 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

seL4 Microkernel Status Update Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser

seL4 Microkernel Status Update Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser

seL4 Microkernel Status Update Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser FOSDEM, Bruxelles, 2020-02-02 https://trustworthy.systems What is seL4? seL4: Assurance and Performance The worlds first operating- Worlds

253 views • 23 slides
The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser RTCSA Keynote, Aug20 https://trustworthy.systems What Is Needed For Mixed-Criticality? During a

539 views • 29 slides
Capabilities in seL4 Types of Authority Resource Management Implementation Model

Capabilities in seL4 Types of Authority Resource Management Implementation Model

Capabilities in seL4 David Cock Background Microkernel Systems seL4 &amp; Barrelfish Authorisation and Delegation Capabilities in seL4 Types of Authority Resource Management Implementation Model Representation David Cock Operations

1.41k views • 118 slides
Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser |

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser |

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser LCA, Gold Coast, QLD, 2020-01-15 https://trustworthy.systems What is seL4? A 30-Year Dream 3 | LCA |

886 views • 36 slides
Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit:

Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit:

Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit: 25 September 2019 www.data61.csiro.au Overview What is a Trustworthy System? What does

747 views • 26 slides
Introduction to a microkernel microkernel maybe self supporting initially they are built on a host

Introduction to a microkernel microkernel maybe self supporting initially they are built on a host

slide 1 gaius Introduction to a microkernel microkernel maybe self supporting initially they are built on a host and downloaded to a target during Operating systems we will be developing a microkernel which has been written in: Modula-2, C and

526 views • 28 slides
Unit 15: Experimental Microkernel Systems 15.2. Chorus: Microkernel and User-space Actors AP

Unit 15: Experimental Microkernel Systems 15.2. Chorus: Microkernel and User-space Actors AP

Unit 15: Experimental Microkernel Systems 15.2. Chorus: Microkernel and User-space Actors AP 9/01 CHORUS: a new Look at Microkernel- based Operating Systems OS structuring: modular set of system servers which sit on top of a minimal

599 views • 42 slides
seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010

seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010

seL4: Formal Verification of an OS Kernel . seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010 . . . . . . seL4: Formal Verification of an OS Kernel About seL4 What is seL4? Secure

169 views • 16 slides
From L3 to seL4 Background What Have We Learnt in 20 Years of L4 From L3 to L4 L3

From L3 to seL4 Background What Have We Learnt in 20 Years of L4 From L3 to L4 L3

From L3 to seL4 What Have We Learnt in 20 Years of L4 Microkernels? K. Elphinstone, G. Heiser From L3 to seL4 Background What Have We Learnt in 20 Years of L4 From L3 to L4 L3 Microkernels? L4 L4 Development Presented by Andrew

943 views • 41 slides
Controlling hardware from a microkernel consider a microkernel which controls a robot: robot the

Controlling hardware from a microkernel consider a microkernel which controls a robot: robot the

Low lev el control in a HLL slide 1 gaius Controlling hardware from a microkernel consider a microkernel which controls a robot: robot the software has to tell the robot where to move Low lev el control in a HLL slide 2 gaius Controlling

729 views • 30 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
Side-channel attacks in a microkernel environment Thomas Frase Thomas.b.Frase@student.hs-rm.de

Side-channel attacks in a microkernel environment Thomas Frase Thomas.b.Frase@student.hs-rm.de

Side-channel attacks in a microkernel environment Thomas Frase Thomas.b.Frase@student.hs-rm.de Fabian Seiberling Fabian.b.Seiberling@student.hs-rm.de 1st Wiesbaden Workshop on 13.02.2014 Advanced Microkernel Operating Systems Table of

580 views • 27 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,

675 views • 44 slides
Microkernel virtualization under one roof - dare the impossible - Alexander Bttcher &lt;

Microkernel virtualization under one roof - dare the impossible - Alexander Bttcher &lt;

Microkernel virtualization under one roof - dare the impossible - Alexander Bttcher &lt; alexander.boettcher@genode-labs.com &gt; Outline 1. Introduction 2. Kernel interfaces 3. VM interface harmonization 4. VMMs harmonized 5. Conclusion

941 views • 55 slides
Formal Specification and Verification Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de Some of the slides are based on or inspired by material by Wolfgang Ahrendt, Bernhard Beckert, Reiner H ahnle, Andreas Podelski 1 Motivation

1.11k views • 55 slides
Synthesis, Verification, and Synthesis, Verification, and Inductive Learning Inductive Learning

Synthesis, Verification, and Synthesis, Verification, and Inductive Learning Inductive Learning

Synthesis, Verification, and Synthesis, Verification, and Inductive Learning Inductive Learning Sanjit A. Seshia EECS Department UC Berkeley Joint work with Susmit Jha (UTC) Dagstuhl Seminar Verified SW Working Group August 2014 July

661 views • 28 slides
Linear algebra and differential equations (Math 54): Lecture 1 Vivek Shende January 22, 2019

Linear algebra and differential equations (Math 54): Lecture 1 Vivek Shende January 22, 2019

Linear algebra and differential equations (Math 54): Lecture 1 Vivek Shende January 22, 2019 Hello and welcome to class! I am Vivek Shende I will be teaching you this semester. My office hours 2-4 pm on Friday, 873 Evans hall. Come ask

1.57k views • 155 slides
Rewriting with extensionality Roberto Di Cosmo LIENS (CNRS) - DMI Ecole Normale Sup erieure

Rewriting with extensionality Roberto Di Cosmo LIENS (CNRS) - DMI Ecole Normale Sup erieure

Rewriting with extensionality Roberto Di Cosmo LIENS (CNRS) - DMI Ecole Normale Sup erieure 45, Rue dUlm 75005 Paris - France E-mail: dicosmo@dmi.ens.fr WWW: http://www.ens.fr/ dicosmo April 10, 1999 A brief survey of rewriting in

429 views • 21 slides
Agent-Based Systems Michael Rovatsos mrovatso@inf.ed.ac.uk Lecture 2 Abstract Agent

Agent-Based Systems Michael Rovatsos mrovatso@inf.ed.ac.uk Lecture 2 Abstract Agent

Agent-Based Systems Agent-Based Systems Michael Rovatsos mrovatso@inf.ed.ac.uk Lecture 2 Abstract Agent Architectures 1 / 16 Agent-Based Systems Where are we? Last time . . . Introduced basic and advanced aspects of agency

461 views • 16 slides
Muhammad Taimoor Khan and Wolfgang Schreiner Doktoratskolleg and Research Institute for Symbolic

Muhammad Taimoor Khan and Wolfgang Schreiner Doktoratskolleg and Research Institute for Symbolic

Towards the Formal Specification and Verification of Maple Programs Muhammad Taimoor Khan and Wolfgang Schreiner Doktoratskolleg and Research Institute for Symbolic Computation Austria July 13, 2012 Towards the Formal Specification and

204 views • 16 slides
CS 2334: Lab 6 Abstract Classes &amp; Interfaces Andrew H. Fagg: CS2334: Lab 6 1 Abstract Class

CS 2334: Lab 6 Abstract Classes &amp; Interfaces Andrew H. Fagg: CS2334: Lab 6 1 Abstract Class

CS 2334: Lab 6 Abstract Classes &amp; Interfaces Andrew H. Fagg: CS2334: Lab 6 1 Abstract Class Few important points to remember about abstract classes: An abstract class is a class that is declared abstract It can, but does not

382 views • 11 slides
Computer certified efficient exact reals in Coq Robbert Krebbers Joint work with Bas Spitters 1

Computer certified efficient exact reals in Coq Robbert Krebbers Joint work with Bas Spitters 1

Computer certified efficient exact reals in Coq Robbert Krebbers Joint work with Bas Spitters 1 Radboud University Nijmegen August 26, 2011 @ The Coq Workshop Berg en Dal, The Netherlands 1 The research leading to these results has received

681 views • 23 slides

More recommend