1 / 19

Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System

Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System. Jean Yang MIT CSAIL. Chris Hawblitzel Microsoft Research. Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System. Jean Yang MIT CSAIL. Chris Hawblitzel Microsoft Research.

loe
Download Presentation

Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Safe to the Last Instruction:Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL ChrisHawblitzel Microsoft Research

  2. Safe to the Last Instruction:Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL ChrisHawblitzel Microsoft Research

  3. Safe to the Last Instruction / Jean Yang

  4. Safe to the Last Instruction / Jean Yang

  5. Memory Safety Safe to the Last Instruction / Jean Yang

  6. Type Safety Safe to the Last Instruction / Jean Yang

  7. Previously: “Safe” Systems Type-checked OS Applications Drivers File System Microkernel What currently exists Untyped Unsafe code (GC, stacks, drivers, …) Hardware Safe to the Last Instruction / Jean Yang

  8. End-to-End Safe Systems Type-checked OS Applications Drivers File System Microkernel What we want Untyped Unsafe code (GC, stacks, drivers, …) Verified code (GC, stacks, drivers, …) Hardware Safe to the Last Instruction / Jean Yang

  9. Verve, a Type-Safe OS Type-checked Applications Drivers File System Microkernel Verified Interface specification Nucleus Hardware specification Safe to the Last Instruction / Jean Yang Verify partial correctness of low-level Nucleususing Hoare logic based on a hardware spec. Verify an interface to typed assembly for end-to-end safety.

  10. The Verve Nucleus Type-checked Applications Interface specification Drivers File System GC Heap Interrupt table Microkernel Interrupt/error handling Allocator and GC [POPL 2009] Verified Interface specification Verified Stacks Interface specification Nucleus x86 instructions Memory bounds Devices Hardware specification Safe to the Last Instruction / Jean Yang

  11. Thread Context Invariant functionStateInv (s:StackID, state:StackState, …) returns(bool) { (!IsEmpty(state)  …&& (IsInterrupted(state)  … && (IsYielded(state)  … && state == StackYielded( StackEbp(s, tMems) , StackEsp(s, tMems) + 4 , StackRA(s, tMems, fMems)) && … } Safe to the Last Instruction / Jean Yang

  12. “Load” Specification procedureLoad(ptr:int) returns(val:int); requiresmemAddr(ptr); requiresAligned(ptr); modifiesEip; ensuresword(val); ensuresval == Mem[ptr]; Safe to the Last Instruction / Jean Yang

  13. Assembling Verve Source file Verification tool Compilation tool Verified Nucleus.bpl (x86) Boogie/Z3 Translator/ Assembler Safe to the Last Instruction / Jean Yang

  14. Boogie to x86 implementationReadKeyboard(){ call KeyboardStatusIn8(); calleax := And(eax, 1); if (eax != 0) { goto proc; } calleax := mov(256); return; proc: call KeyboardDataIn8(); calleax := And(eax, 255); return; } ReadKeyboard proc in al, 064h andeax, 1 cmpeax, 0 jneReadKeyboard$proc moveax, 256 ret ReadKeyboard$skip: in al, 060h and eax, 255 ret Safe to the Last Instruction / Jean Yang

  15. Building Verve Kernel.cs Source file Verification tool Compilation tool C# compiler Verified Nucleus.bpl (x86) Kernel.obj (x86) Boogie/Z3 TAL checker Translator/ Assembler Linker/ISO generator Verve.iso Safe to the Last Instruction / Jean Yang

  16. Verve Performance Safe to the Last Instruction / Jean Yang

  17. Low Annotation Burden 3x code 9 person-months Safe to the Last Instruction / Jean Yang

  18. Verve vs. SeL4? Applications Drivers File System 120-240 person-months SeL4 Verified microkernel 8,700 lines of C Verve C# kernel Verified Nucleus ~1500 lines of x86 ~600 lines ARM assembly 200,000 lines of Isabelle 20x code Safe to the Last Instruction / Jean Yang

  19. Contributions Type-checked Applications Drivers File System Microkernel Verified Interface specification Verified nucleus Hardware specification http://www.codeplex.com/singularity Safe to the Last Instruction / Jean Yang First automatically, mechanically verified OSfortype safety. Real system running on x86 with efficient code. Approach for using automated techniques to verify safety.

More Related