Verification of MILS Partition Scheduling Module Using Layered Methods

Abstract: MILS partition scheduling module ensures isolation of data between different domains completely by enforcing secure strategies. Although small in size, it involves complicated data structures and algorithms that make monolithic verification of the scheduling module difficult using traditional verification logic (e.g., separation logic). In this paper, we simplify the verification task by dividing data representation and data operation into different layers and then to link them together by composing a series o… Show more

“…Inappropriate designs of scheduling can negate necessary separation properties and break down the whole system. In this regard, Gao et al [33] presented a layered verification to verify pointer linked-list through function 'list_add_tail' and employ a technique to decouple data structure that significantly reduces the complexity of verification. The original code has 320 lines, compared to 32 lines in the restructured old code (including the data structure).…”

“…Year Verified property Approach Formal language Tool verification effort (LoC) iDola [38] 2014 Exception management Refinement iDola Tsmart-Edola ~20 k RPC stub [44] 2015 Automating capabilities Theorem Proving Isabelle/HOL AutoCorres N/A mCertiKOS [39] 2016 Exception management Refinement Coq CompCert 3 k Gao et al [33] 2021 MILS scheduling Theorem Proving Coq Clightgen ~0.5 k EMS [35] 2021 Exception management Theorem Proving Coq N/A 15 k I/O-SM [40] 2021 I/O separation Refinement Coq Dafny 28,518 HAMR [50] 2021 Application development Refinement HOL AADL 40 k…”

Is Formal Verification of seL4 Adequate to Address the Key Security Challenges of Kernel Design?

“…Inappropriate designs of scheduling can negate necessary separation properties and break down the whole system. In this regard, Gao et al [33] presented a layered verification to verify pointer linked-list through function 'list_add_tail' and employ a technique to decouple data structure that significantly reduces the complexity of verification. The original code has 320 lines, compared to 32 lines in the restructured old code (including the data structure).…”

“…Year Verified property Approach Formal language Tool verification effort (LoC) iDola [38] 2014 Exception management Refinement iDola Tsmart-Edola ~20 k RPC stub [44] 2015 Automating capabilities Theorem Proving Isabelle/HOL AutoCorres N/A mCertiKOS [39] 2016 Exception management Refinement Coq CompCert 3 k Gao et al [33] 2021 MILS scheduling Theorem Proving Coq Clightgen ~0.5 k EMS [35] 2021 Exception management Theorem Proving Coq N/A 15 k I/O-SM [40] 2021 I/O separation Refinement Coq Dafny 28,518 HAMR [50] 2021 Application development Refinement HOL AADL 40 k…”

Is Formal Verification of seL4 Adequate to Address the Key Security Challenges of Kernel Design?