Comprehensive formal verification of an OS microkernel

Klein, Gerwin; Andronick, June; Elphinstone, Kevin; Murray, Toby; Sewell, Thomas; Kolanski, Rafal; Heiser, Gernot

doi:10.1145/2560537

Cited by 289 publications

(263 citation statements)

References 78 publications

Supporting

Mentioning

259

Contrasting

Unclassified

Order By: Relevance

“…A comprehensive verification of the seL4 microkernel is reported in [19]. This includes verification of the scheduler and other areas of the kernel, and a proof that the binary code of the kernel correctly implements the C source code.…”

Section: Related Workmentioning

confidence: 99%

“…It is also relevant to embedded systems where size and speed constraints necessitate tight coupling between operating system components. Indeed, Klein et al [19] note that the call graph of seL4 shows high levels of interdependency between components. Gotsman and Yang demonstrate their approach by verifying a scheduler based on the Linux 2.6.11 scheduler.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Modelling and Verifying a Priority Scheduler for an SCJ Runtime Environment

Freitas

Baxter

Cavalcanti

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Safety-Critical Java (SCJ) is a version of Java suitable for programming real-time safety-critical systems; it is the result of an international standardisation effort to define a subset of the Real-Time Specification for Java (RTSJ). SCJ programs require the use of specialised virtual machines. We present here the result of our verification of the scheduler of the only SCJ virtual machine up to date with the standard and publicly available, the icecap HVM. We describe our approach for analysis of (SCJ) virtual machines, and illustrate it using the icecap HVM scheduler. Our work is based on a state-rich process algebra that combines Z and CSP, and we take advantage of well established tools.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Modelling and Verifying a Priority Scheduler for an SCJ Runtime Environment

Freitas

Baxter

Cavalcanti

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…They are used to guarantee the correctness of compilers [1], operating systems [2], hardware [3], as well as to certify mathematical results that involve computation [4]. The Mizar system [5] is one of the oldest computer systems used to certify proofs.…”

Section: Introductionmentioning

confidence: 99%

Progress in the Independent Certiﬁcation of Mizar Mathematical Library in Isabelle

Kaliszyk

Pąk

2017

Annals of Computer Science and Information Systems

View full text Add to dashboard Cite

Abstract-The Mizar Mathematical Library is one of the largest collections of machine understandable formal proofs encompassing many areas of today mathematics including results from algebra, analysis, topology, and lattice theory. The Mizar system has so far been the only tool able to completely process, certify, and make use of these developments. In this paper, we present the progress in the development of an independent certification mechanism of Mizar proofs based on the Isabelle logical framework. The approach allows rechecking the Mizar formal proofs based on a more succinct and more precisely specified formal infrastructure. Additionally, it necessitates a full formal specification of the mechanisms that ensure the correctness of the defined objects, in particular, the proofs that such mechanisms are correct. The development already covers an important part of the Mizar library foundations. We improve the mechanism for defining Mizar structures and show that it permits simpler validation of proof developments involving such objects. To demonstrate this, we perform a complete translation of the Mizar net of basic algebraic structures including their attributes and certify all the corresponding proofs in Isabelle.

show abstract

“…Thus, to verify that P [C] satisfies a certain property, it may be sufficient to check that P [A] satisfies the property. The latter check involves reasoning about a simpler component (namely A) and can reduce the work of a prover by an order of magnitude [22]. Finally, a refinement-based proof is more modular and transparent, since it breaks down the task of reasoning about a complex implementation into smaller tasks, each of which is more manageable for both a human and a prover.…”

Section: Introductionmentioning

confidence: 99%

Refinement-Based Verification of the FreeRTOS Scheduler in VCC

Divakaran

D’Souza

Kushwah

et al. 2015

Formal Methods and Software Engineering

View full text Add to dashboard Cite

Abstract. We describe our experience with verifying the schedulerrelated functionality of FreeRTOS, a popular open-source embedded real-time operating system. We propose a methodology for carrying out refinement-based proofs of functional correctness of abstract data types in the popular code-level verifier VCC. We then apply this methodology to carry out a full machine-checked proof of the functional correctness of the FreeRTOS scheduler. We describe the bugs found during this exercise, the fixes made, and the effort involved.

show abstract

Comprehensive formal verification of an OS microkernel

Cited by 289 publications

References 78 publications

Modelling and Verifying a Priority Scheduler for an SCJ Runtime Environment

Modelling and Verifying a Priority Scheduler for an SCJ Runtime Environment

Progress in the Independent Certiﬁcation of Mizar Mathematical Library in Isabelle

Refinement-Based Verification of the FreeRTOS Scheduler in VCC

Contact Info

Product

Resources

About