The Verisoft Approach to Systems Verification

Authors

  • Eyad Alkassar
  • Mark A. Hillebrand
  • Dirk Leinenbach
  • Norbert Schirmer
  • Artem Starostin
Abstract

The Verisoft project aims at the pervasive formal verification from the application layer over the system level software, comprising a microkernel and a compiler, down to the hardware. The different layers of the system give rise to various abstraction levels to conduct the reasoning steps efficiently. The lower the abstraction level, the more details and invariants are necessary to ensure overall system correctness. Illustrated by a page-fault handler, we discuss the layers and the trade-off between efficiency of reasoning at a more abstract layer versus the development of meta-theory to transfer the verification results between the layers.

1 Motivation and Challenges

The layer of system software confines the essential components of modern computer architectures. Any flaw up to this level has a decisive impact on the robustness, safety, and security of applications running on top of it. An operating system kernel that might fail to guarantee isolation of processes can hardly serve as a trustworthy computing basis to process security-critical data. Hence, the design and verification of the crucial system level parts by the most rigorous means is an effort both worthwhile and promising. Examining the system design up to the level of a microkernel, we typically have to deal with at least the following layers: hardware, assembler, and the C programming language. The different layers come along with a rise in abstraction regarding formal models and reasoning about them. However, the final goal is to provide objective evidence that the actual running system behaves correctly. The lower the layer at which the ‘correctness theorem’ holds, the better. Ideally, this is a theorem in the domain of physics. For computer science a transistor or gate-level hardware model is a realistic target to state the final correctness result. Employing higher abstraction levels to improve effectiveness of reasoning demands that we close the ‘semantic gap’ and bring the results down to the hardware level. This is the very idea of pervasive or systems verification [1,2]. In Verisoft every abstraction layer is justified by meta-theorems that allow transferring the results to the low-level models. All the development is mechanized in the uniform logical framework of the interactive theorem prover Isabelle/HOL, and hence it is rigorously checked that all the results fit together.³ The goal of this paper is to provide an informal overview of the different layers and their connection. This bird’s-eye view easily gets lost in the detailed technical papers on parts of this work that were already or are simultaneously published.

Related Work. First attempts to use theorem provers to specify and even prove correct operating systems were made as early as the 1970s in PSOS [3] and UCLA Secure Unix [4]. However, a missing or to a large extent underdeveloped tool environment made mechanized verification futile. With the CLI stack [1], a new pioneering approach for pervasive systems verification was undertaken. The goal of this project was to build a system from verified, hierarchically stacked components. Extending their seminal work, the Verisoft project aims at a more realistic system architecture regarding both hardware and system software. In particular, devices are integrated into the Verisoft system stack. For realistic systems, this is already required for booting or scheduling in a microkernel. It is theoretically challenging, since devices are a concurrent source of computation and break the abstraction of sequential programs.

The project L4.verified [5] focuses on the verification of an efficient microkernel rather than on formal pervasiveness, as neither compiler correctness nor accurate device interaction is considered. The microkernel is implemented in a larger subset of C than C0 (the C-like programming language used in Verisoft), including pointer arithmetic and an explicit low-level memory model [6]. However, with inline assembler code we gain an even more expressive semantics, as machine registers become visible if necessary. So far, only exemplary portions of kernel code were reported to be verified; the virtual memory subsystem uses no demand paging [7]. For code verification L4.verified relies on Verisoft’s Hoare environment [8]. In the FLINT project, an assembly code verification framework is developed, and code for context switching on an x86 architecture was formally proven [9]. A program logic for assembler code is presented, but no integration of results into high-level programming languages is undertaken. The VFiasco project [10] aims at the verification of the microkernel Fiasco, implemented in a subset of C++ and embedded into PVS. There is no attempt to map the results to the machine level.

Overview. In Sect. 2 we give an overview of the Verisoft system stack and our approach towards pervasive verification. We proceed in Sect. 3 by introducing the C0 language stack from a Hoare logic down to a low-level small-step C0

Footnotes:

⋆ Work was supported by the German Research Foundation (DFG) within the program ‘Performance Guarantees for Computer Systems’.
⋆⋆ Work was supported by the German Federal Ministry of Education and Research (BMBF) within the Verisoft project under grant 01 IS C38.
⋆⋆⋆ Work was supported by the International Max Planck Research School for Computer Science (IMPRS-CS).
³ Theory files are available at http://www.verisoft.de/VerisoftRepository.html.


Similar resources

Lessons Learned From Microkernel Verification -- Specification is the New Bottleneck

Software verification tools have become a lot more powerful in recent years. Even verification of large, complex systems is feasible, as demonstrated in the L4.verified and Verisoft XT projects. Still, functional verification of large software systems is rare – for reasons beyond the large scale of verification effort needed due to the size alone. In this paper we report on lessons learned for ...


Real World Verification Experiences from the Verisoft Email Client

This paper reports our experiences developing a completely verified email client. The formal specification of the email client includes all informal requirements and security goals. Compliance to the formal specification has been proven for the complete source code. The email client is part of project Verisoft, where pervasively verified systems are developed.


Better Avionics Software Reliability by Code Verification? A Glance at Code Verification Methodology in the Verisoft XT Project

Software reliability is a core requirement for safety- and security-critical systems. In the area of avionics, for example, the DO-178B standard requires extensive validation, such as software reviews, requirement engineering, coverage analysis, and careful design of test cases. In a broader context, EAL7 (of the Common Criteria framework) also demands “formally verified, designed, and tested” sy...


Lessons Learned From Microkernel Verification

Software verification tools have become a lot more powerful in recent years. Even verification of large, complex systems seems feasible, as demonstrated in the L4.verified and Verisoft XT projects. Still, functional verification of large software systems is rare. In this paper we hint at some issues that may impede widespread introduction of formal verification in the software lifecycle process.


Formal Verification of a Microkernel Used in Dependable Software Systems

In recent years, deductive program verification has improved to a degree that makes it feasible for real-world programs. Following this observation, the main goal of the Verisoft XT project is (a) the creation of methods and tools which allow for the pervasive formal verification of integrated computer systems, and (b) the prototypical realization of four concrete, industrial application tasks....




Publication date: 2008