
Balancing the Load

Leveraging a Semantics Stack for Systems Verification

Published in the Journal of Automated Reasoning.

Abstract

We have developed a stack of semantics for a high-level C-like language and for low-level assembly code, carefully crafted to support the pervasive verification of system software. It handles mixed-language implementations and concurrently operating devices, and permits the transfer of properties to the target architecture while obeying its resource restrictions. We demonstrate the applicability of our framework by proving the correct virtualization of user memory in our microkernel, which implements demand paging. This verification target is of particular interest because it has a relatively simple top-level specification yet exercises all parts of our semantics stack. At the bottom level a disk driver written in assembly implements page transfers to and from a swap disk. A page-fault handler written in C uses the driver to implement the paging algorithm and guarantees that a step of the currently executing user process can be simulated at the architecture level. Besides the theoretical and technical difficulties, the project also posed the social challenge of managing a large verification effort spread over many sites and people, all concurrently contributing to and maintaining a common theory corpus. We share our experiences and elaborate on lessons learned.
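The following is an added illustration, not code from the paper or the Verisoft project, of the kind of relation the abstract describes: the user's flat virtual memory is the specification, while the implementation keeps only a few pages in physical frames and the rest on a swap disk, with a page-fault handler moving pages through a disk driver. Here the "driver" is two C functions standing in for the paper's assembly driver, the page, frame and word counts and the FIFO replacement policy are assumptions chosen for the example, and the abstraction relation is checked at run time on a constructed access trace rather than proved. The point it shows is what the handler has to preserve: after every user step, reading each virtual page through the page table (frame contents if resident, swap contents otherwise) must give exactly the specification memory, which is why an evicted page must be written back before its page-table entry is invalidated.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Sizes are assumptions for this example, not the paper's. */
#define NPAGES     8   /* virtual pages of the user            */
#define NFRAMES    3   /* physical frames available for paging */
#define PAGE_WORDS 4   /* words per page                        */

/* Specification level: the user's flat virtual memory. */
static uint32_t spec_mem[NPAGES * PAGE_WORDS];

/* Implementation level: frames, swap disk, page table, frame ownership. */
static uint32_t phys[NFRAMES][PAGE_WORDS];
static uint32_t swap_disk[NPAGES][PAGE_WORDS];
static struct { int valid; int frame; } pte[NPAGES];
static int frame_owner[NFRAMES];   /* virtual page held by each frame, -1 if none */
static int next_victim;            /* FIFO replacement pointer (assumed policy) */
static int page_faults;

/* Disk driver stand-ins (assembly in the paper): whole-page transfers. */
static void disk_read(int vpage, int frame)  { memcpy(phys[frame], swap_disk[vpage], sizeof phys[frame]); }
static void disk_write(int frame, int vpage) { memcpy(swap_disk[vpage], phys[frame], sizeof phys[frame]); }

static void reset(void) {
    memset(spec_mem, 0, sizeof spec_mem);
    memset(phys, 0, sizeof phys);
    memset(swap_disk, 0, sizeof swap_disk);
    for (int p = 0; p < NPAGES; p++) { pte[p].valid = 0; pte[p].frame = -1; }
    for (int f = 0; f < NFRAMES; f++) frame_owner[f] = -1;
    next_victim = 0;
    page_faults = 0;
}

/* Page-fault handler: pick the FIFO victim frame, write its page back to swap
 * before invalidating it (otherwise the swap copy would be stale), swap in vpage. */
static void page_fault_handler(int vpage) {
    int frame = next_victim;
    next_victim = (next_victim + 1) % NFRAMES;
    int old = frame_owner[frame];
    if (old >= 0) {
        disk_write(frame, old);
        pte[old].valid = 0;
        pte[old].frame = -1;
    }
    disk_read(vpage, frame);
    frame_owner[frame] = vpage;
    pte[vpage].valid = 1;
    pte[vpage].frame = frame;
    page_faults++;
}

/* One user memory access at the implementation level: translate, fault in if needed. */
static uint32_t *impl_addr(uint32_t va) {
    int vpage = (int)(va / PAGE_WORDS), off = (int)(va % PAGE_WORDS);
    if (!pte[vpage].valid) page_fault_handler(vpage);
    return &phys[pte[vpage].frame][off];
}

/* Abstraction relation: the memory the user would see through the implementation
 * equals the specification memory, word for word. */
int abstraction_holds(void) {
    for (int p = 0; p < NPAGES; p++)
        for (int w = 0; w < PAGE_WORDS; w++) {
            uint32_t impl = pte[p].valid ? phys[pte[p].frame][w] : swap_disk[p][w];
            if (impl != spec_mem[p * PAGE_WORDS + w]) return 0;
        }
    return 1;
}

/* Run a constructed access trace on both levels in lock step; return 1 iff every
 * step preserved the relation and every read agreed between the two levels. */
int run_trace(void) {
    reset();
    /* constructed trace: (virtual word address, is_write, value) */
    static const struct { uint32_t va; int write; uint32_t val; } trace[] = {
        {0, 1, 0xA1}, {5, 1, 0xB2}, {9, 1, 0xC3}, {13, 1, 0xD4},   /* pages 0..3 */
        {0, 0, 0}, {17, 1, 0xE5}, {5, 0, 0}, {30, 1, 0xF6}, {9, 0, 0}, {31, 0, 0},
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        uint32_t va = trace[i].va;
        if (trace[i].write) {
            spec_mem[va] = trace[i].val;        /* specification step */
            *impl_addr(va) = trace[i].val;      /* implementation step */
        } else if (spec_mem[va] != *impl_addr(va)) {
            return 0;                           /* user would observe a difference */
        }
        if (!abstraction_holds()) return 0;
    }
    return 1;
}

int faults_taken(void) { return page_faults; }

int main(void) {
    printf("trace ok: %d, page faults: %d\n", run_trace(), faults_taken());
    return 0;
}
```

With three frames and a trace that touches six distinct pages, every access but the last one faults; deleting the `disk_write` call in the handler makes `run_trace` fail at the first read of an evicted page, which is the write-back obligation the paging proof has to discharge.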



Author information


Correspondence to Eyad Alkassar.

Additional information

Work supported by the German Federal Ministry of Education and Research (BMBF) under grant 01 IS C38. Work of the first and the third author supported by DFG Graduiertenkolleg “Leistungsgarantien für Rechnersysteme”. Work of the fifth author supported by the International Max Planck Research School for Computer Science (IMPRS-CS).


Cite this article

Alkassar, E., Hillebrand, M.A., Leinenbach, D.C. et al. Balancing the Load. J Autom Reasoning 42, 389–454 (2009). https://doi.org/10.1007/s10817-009-9123-z
