DOI: 10.1145/1806596.1806610
Research article

Safe to the last instruction: automated verification of a type-safe operating system

Published: 05 June 2010

Abstract

Typed assembly language (TAL) and Hoare logic can verify the absence of many kinds of errors in low-level code. We use TAL and Hoare logic to achieve highly automated, static verification of the safety of a new operating system called Verve. Our techniques and tools mechanically verify the safety of every assembly language instruction in the operating system, run-time system, drivers, and applications (in fact, every part of the system software except the boot loader). Verve consists of a "Nucleus" that provides primitive access to hardware and memory, a kernel that builds services on top of the Nucleus, and applications that run on top of the kernel. The Nucleus, written in verified assembly language, implements allocation, garbage collection, multiple stacks, interrupt handling, and device access. The kernel, written in C# and compiled to TAL, builds higher-level services, such as preemptive threads, on top of the Nucleus. A TAL checker verifies the safety of the kernel and applications. A Hoare-style verifier with an automated theorem prover verifies both the safety and correctness of the Nucleus. Verve is, to the best of our knowledge, the first operating system mechanically verified to guarantee both type and memory safety. More generally, Verve's approach demonstrates a practical way to mix high-level typed code with low-level untyped code in a verifiably safe manner.
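The checking step the abstract describes, as an added illustration (this is not code from the Verve paper, whose TAL checker and Hoare-style Nucleus verifier are far richer than this toy): a miniature typed assembly language in which registers carry static types (Int, or Ptr(n) for a pointer to an n-word block), labels carry the register types they require on entry, and a checker walks every instruction and rejects any load, store, arithmetic or jump it cannot prove safe. The instruction set, register names, types, and the four sample programs are all constructed for this example.

```python
"""Toy typed-assembly-language (TAL) checker. Added illustration, not code from
the Verve paper. Constructed assumptions: registers r0..r2, memory cells that
hold only integers, two static types (Int and Ptr(n), a pointer to an n-word
block), and labels annotated with the register types required on entry."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Int:
    """An integer word; never usable as an address."""


@dataclass(frozen=True)
class Ptr:
    """A pointer to a block of exactly `size` words (valid offsets 0..size-1)."""
    size: int


Type = Union[Int, Ptr]
# A program maps label -> (register types required on entry, instruction list).
Program = Dict[str, Tuple[Dict[str, Type], List[tuple]]]


class TalError(Exception):
    """Raised at the first instruction the checker cannot prove safe."""


def check_instr(prog: Program, where: str, env: Dict[str, Type], ins: tuple) -> Dict[str, Type]:
    """Return the register environment after `ins`, or raise TalError."""
    op, *args = ins

    def reg(r: str) -> Type:
        if r not in env:
            raise TalError(f"{where}: register {r} is uninitialised")
        return env[r]

    if op == "mov":                    # mov rd, imm        -> rd : Int
        return {**env, args[0]: Int()}
    if op == "alloc":                  # alloc rd, n        -> rd : Ptr(n), a fresh n-word block
        return {**env, args[0]: Ptr(args[1])}
    if op == "add":                    # add rd, rs, rt     Int + Int only: no pointer arithmetic
        if not (isinstance(reg(args[1]), Int) and isinstance(reg(args[2]), Int)):
            raise TalError(f"{where}: arithmetic on a pointer")
        return {**env, args[0]: Int()}
    if op in ("load", "store"):        # load rd, rp, off  /  store rp, off, rs
        rp, off = (args[1], args[2]) if op == "load" else (args[0], args[1])
        t = reg(rp)
        if not isinstance(t, Ptr):
            raise TalError(f"{where}: memory access through non-pointer {rp}")
        if not 0 <= off < t.size:      # bounds are part of the pointer's type
            raise TalError(f"{where}: offset {off} outside block of {t.size} words")
        if op == "load":
            return {**env, args[0]: Int()}
        if not isinstance(reg(args[2]), Int):
            raise TalError(f"{where}: memory cells hold integers only")
        return env
    if op == "jmp":                    # jmp target: env must satisfy the target's entry types
        target = args[0]
        if target not in prog:
            raise TalError(f"{where}: jump to unknown label {target}")
        for r, need in prog[target][0].items():
            if env.get(r) != need:
                raise TalError(f"{where}: {r} is {env.get(r)} but {target} requires {need}")
        return env
    if op == "halt":
        return env
    raise TalError(f"{where}: unknown instruction {op}")


def verdict(prog: Program) -> str:
    """Check every instruction of every block; return 'ok' or the first error."""
    try:
        for label, (entry_env, block) in prog.items():
            env = dict(entry_env)
            for pc, ins in enumerate(block):
                env = check_instr(prog, f"{label}+{pc}", env, ins)
    except TalError as e:
        return str(e)
    return "ok"


# Constructed sample: allocate a 2-word block, fill it, then jump to a block
# whose entry type demands that r0 still be a valid 2-word pointer.
SAFE: Program = {
    "main": ({}, [("alloc", "r0", 2), ("mov", "r1", 7), ("store", "r0", 0, "r1"),
                  ("store", "r0", 1, "r1"), ("jmp", "done")]),
    "done": ({"r0": Ptr(2)}, [("load", "r2", "r0", 1), ("halt",)]),
}
# Each unsafe variant replaces the "main" block of SAFE with one that breaks a rule.
OUT_OF_BOUNDS: Program = {**SAFE, "main": ({}, [("alloc", "r0", 2), ("mov", "r1", 7),
                                               ("store", "r0", 2, "r1"), ("halt",)])}
INT_AS_POINTER: Program = {**SAFE, "main": ({}, [("mov", "r0", 4096),
                                                ("load", "r1", "r0", 0), ("halt",)])}
BAD_JUMP: Program = {**SAFE, "main": ({}, [("mov", "r0", 0), ("jmp", "done")])}

if __name__ == "__main__":
    for name, p in [("SAFE", SAFE), ("OUT_OF_BOUNDS", OUT_OF_BOUNDS),
                    ("INT_AS_POINTER", INT_AS_POINTER), ("BAD_JUMP", BAD_JUMP)]:
        print(f"{name}: {verdict(p)}")
```

Two points carry over from the toy to the real system. First, the check is purely static: no sample program is executed, and the typed labels are what let the checker reason about one block at a time without knowing who jumps to it, which is how a TAL checker can cover a whole kernel instruction by instruction. Second, the checker itself is trusted: a bug in `check_instr` accepts unsafe code, so in a system like Verve the TAL checker, the Hoare-style verifier and its theorem prover join the unverified boot loader in the trusted computing base, and that base, not the verified code, is where a reviewer should spend attention.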


Cited By

  • (2025) Type Checking and Security. Encyclopedia of Cryptography, Security and Privacy, pp. 2681-2683. DOI: 10.1007/978-3-030-71522-9_867. Published 8 Jan 2025.
  • (2024) Lightweight Fault Isolation: Practical, Efficient, and Secure Software Sandboxing. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, pp. 649-665. DOI: 10.1145/3620665.3640408. Published 27 Apr 2024.
  • (2023) Jinn. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 6965-6982. DOI: 10.5555/3620237.3620627. Published 9 Aug 2023.
  • (2023) Atmosphere: Towards Practical Verified Kernels in Rust. Proceedings of the 1st Workshop on Kernel Isolation, Safety and Verification, pp. 9-17. DOI: 10.1145/3625275.3625401. Published 23 Oct 2023.
  • (2023) Leveraging Rust for Lightweight OS Correctness. Proceedings of the 1st Workshop on Kernel Isolation, Safety and Verification, pp. 1-8. DOI: 10.1145/3625275.3625398. Published 23 Oct 2023.
  • (2023) Beyond isolation: OS verification as a foundation for correct applications. Proceedings of the 19th Workshop on Hot Topics in Operating Systems, pp. 158-165. DOI: 10.1145/3593856.3595899. Published 22 Jun 2023.
  • (2023) WaVe: a verifiably secure WebAssembly sandboxing runtime. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2940-2955. DOI: 10.1109/SP46215.2023.10179357. Published May 2023.
  • (2023) SpecCheck: A Tool for Systematic Identification of Vulnerable Transient Execution in gem5. 2023 32nd International Conference on Parallel Architectures and Compilation Techniques (PACT), pp. 265-278. DOI: 10.1109/PACT58117.2023.00030. Published 21 Oct 2023.
  • (2023) Towards End-to-End Verified TEEs via Verified Interface Conformance and Certified Compilers. 2023 IEEE 36th Computer Security Foundations Symposium (CSF), pp. 324-339. DOI: 10.1109/CSF57540.2023.00021. Published Jul 2023.
  • (2021) Isolation in Rust. Proceedings of the 11th Workshop on Programming Languages and Operating Systems, pp. 76-83. DOI: 10.1145/3477113.3487272. Published 25 Oct 2021.

Published In

PLDI '10: Proceedings of the 31st ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2010, 514 pages
ISBN: 9781450300193
DOI: 10.1145/1806596

Also published in ACM SIGPLAN Notices, Volume 45, Issue 6 (PLDI '10), June 2010, 496 pages
ISSN: 0362-1340, EISSN: 1558-1160
DOI: 10.1145/1809028

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. operating system
  2. run-time system
  3. type safety
  4. verification

Conference

PLDI '10

Acceptance Rates

Overall Acceptance Rate 406 of 2,067 submissions, 20%

Article Metrics

  • Downloads (last 12 months): 87
  • Downloads (last 6 weeks): 3
Reflects downloads up to 08 Mar 2025
