On the Architecture of System Verification Environments

Hillebrand, Mark; Paul, Wolfgang J.

doi:10.1007/978-3-540-77966-7_14

Cited by 13 publications

(7 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The Verisoft project [1,6,8], aims at the complete verification of a computer system from an e-mail client down to the gate level of the processor. Verification of an operating system kernel is therefore one part of the Verisoft project.…”

Section: Related Workmentioning

confidence: 99%

Formal Memory Models for the Verification of Low-Level Operating-System Code

2009

View full text Add to dashboard Cite

This article contributes to the field of operating-systems verification. It presents a formalization of virtual memory that extends to memory-mapped devices. Our formalization consists of a stack of three detailed formal memory models: physical memory (i.e., RAM), physically-addressable memory-mapped devices (including their respective side effects, access and alignment requirements), and page-table based virtual memory. Each model is formally shown to satisfy the plain-memory specification, a memory abstraction that enables efficient reasoning for type-correct programs. This stack of memory models was developed in an attempt to verify Nova, the Robin micro-hypervisor. It is a key component of our verification environment for operating-system kernels based on the interactive theorem prover PVS.

show abstract

Section: Related Workmentioning

confidence: 99%

Formal Memory Models for the Verification of Low-Level Operating-System Code

2009

View full text Add to dashboard Cite

show abstract

“…There is ongoing work in the verification of operating systems, such as the Verisoft [15] and L4.verified [22] projects, that includes automatic verification of interactive I/O at the hardware and device driver level. This is an important branch of verification, but we consider interactions between machine components to play a significantly different role in programs and correctness criteria from concurrent interactions with a human user.…”

Section: Related Workmentioning

confidence: 99%

Automatic verification for interactive graphical programs

Eastlund

Felleisen

2009

Proceedings of the Eighth International Workshop on the ACL2 Theorem Prover and Its Applications

View full text Add to dashboard Cite

Modern software applications come with interactive graphical displays. In the past, verification efforts for such programs have usually ignored the I/O aspects of programs and focused instead on their core functionality. This approach leaves open the question of how errors in the interactive part of the program can affect its overall functionality.In this paper we present an extension of Dracula (the ACL2 development environment for DrScheme) with a simple graphical framework. With Dracula we can automatically prove theorems about interactive graphical programs, guaranteeing their complete behavior. We have successfully verified theorems about a number of interactive programs with Dracula; we have also successfully used Dracula as a motivational tool to introduce students to the world of automated theorem proving. Formal verification has been applied to other forms of I/O; notably, the Sparkle theorem prover can verify a model of concurrent filesystem operations [9]. We go even further and automatically prove correctness theorems about interactive graphical programs. Our approach relies on an event loop with functional callbacks, exploits images as first-class values, and introduces liveness properties. We use ACL2 [16] because it is the most successful industrialstrength theorem prover. Categories and Subject Descriptors1 ACL2 has verified large projects including commercial floating point processors, a complete micro-processor, and a Java virtual machine.In this paper we present Dracula, the first tool providing automatic theorem proving for interactive, graphical programs. The rest of the paper proceeds as follows. We describe the language and user interface of Dracula in section 2 and its graphical toolkit in section 3. Section 4 explains how we prove theorems about Dracula programs, and section 5 details the projects we have verified. We conclude with section 6 on related work and section 7 to summarize our contribution. Dracula [23] is an extension of the ACL2 theorem prover, implemented as a language level in the DrScheme integrated development environment (IDE) [13]. Dracula uses the DrScheme runtime system to simulate ACL2 programs, and the ACL2 theorem prover to reason about them. Every feature of Dracula comes with both an executable behavior and a logical meaning for ACL2. DRACULA: AN IDE FOR ACL2ACL2 stands for "Applicative Common Lisp: a Computational Logic". It consists of a first-order functional language ("Applicative Common Lisp") and a first-order equational logic ("Computational Logic"). The theorem prover infers induction strategies to prove a programmer's conjectures. Figure 1 shows a small program in ACL2 containing a function plus of two arguments and a conjecture plus-natp 1 campus.acm.org/public/pressroom/press_releases/3_ 2006/software.cfm

show abstract

“…Based on prior work stemming from the Verisoft Project [26,3] (in particular VAMP [10], CVM [27,48,49], C0 [31,32] and the proof environment Isabelle/Simpl [45,44]), we have built our key contribution of this paper: It consists of the VAMOS layer, both specification as well as implementation, and a theory layer culminating in the fairness theorem of the VA-MOS scheduler. 1 To our knowledge, such a theorem has been shown over a realistic kernel for the first time.…”

mentioning

confidence: 99%

Proving Fairness and Implementation Correctness of a Microkernel Scheduler

2009

View full text Add to dashboard Cite

We report on the formal proof of a microkernel's key property, namely that its multi-priority process scheduler guarantees progress, i. e., strong fairness. The proof architecture links a layer of behavioral reasoning over system-trace sets with a concrete, fairly realistic implementation written in C.Our microkernel provides an infrastructure for memory virtualization, for communication with hardware devices, for processes (represented as a sequence of assembly instructions, which are executed concurrently over an underlying, formally defined processor), and for inter-process communication (IPC) via synchronous message passing. The kernel establishes process switches according to IPCs and timer-events; the scheduling of process switches, however, follows a hierarchy of priorities, favoring, e. g., system processes over application processes over maintenance processes.Besides the quite substantial models developed in Isabelle/HOL and the formal clarification of their relationship, we provide a detailed analysis what formal requirements a microkernel imposes on the key ingredients (hardware, timers, machine-dependent code) in order to establish the correct operation of the overall system. On the methodological side, we show how early modeling with foresight to the later verification has substantially helped our project.

show abstract

On the Architecture of System Verification Environments

Cited by 13 publications

References 32 publications

Formal Memory Models for the Verification of Low-Level Operating-System Code

Formal Memory Models for the Verification of Low-Level Operating-System Code

Automatic verification for interactive graphical programs

Proving Fairness and Implementation Correctness of a Microkernel Scheduler

Contact Info

Product

Resources

About