3 research outputs found
Modal Abstractions for Virtualizing Memory Addresses
Operating system kernels employ virtual memory management (VMM) subsystems to
virtualize the addresses of memory regions in order to to isolate untrusted
processes, ensure process isolation and implement demand-paging and
copy-on-write behaviors for performance and resource controls. Bugs in these
systems can lead to kernel crashes. VMM code is a critical piece of
general-purpose OS kernels, but their verification is challenging due to the
hardware interface (mappings are updated via writes to memory locations, using
addresses which are themselves virtualized). Prior work on VMM verification has
either only handled a single address space, trusted significant pieces of
assembly code, or resorted to direct reasoning over machine semantics rather
than exposing a clean logical interface.
In this paper, we introduce a modal abstraction to describe the truth of
assertions relative to a specific virtual address space, allowing different
address spaces to refer to each other, and enabling verification of instruction
sequences manipulating multiple address spaces. Using them effectively requires
working with other assertions, such as points-to assertions in our separation
logic, as relative to a given address space. We therefore define virtual
points-to assertions, which mimic hardware address translation, relative to a
page table root. We demonstrate our approach with challenging fragments of VMM
code showing that our approach handles examples beyond what prior work can
address, including reasoning about a sequence of instructions as it changes
address spaces. All definitions and theorems mentioned in this paper including
the operational model of a RISC-like fragment of supervisor-mode x86-64, and a
logic as an instantiation of the Iris framework, are mechanized inside Coq
Rely-guarantee Reasoning about Concurrent Reactive Systems: The PiCore Framework, Languages Integration and Applications
The rely-guarantee approach is a promising way for compositional verification
of concurrent reactive systems (CRSs), e.g. concurrent operating systems,
interrupt-driven control systems and business process systems. However,
specifications using heterogeneous reaction patterns, different abstraction
levels, and the complexity of real-world CRSs are still challenging the
rely-guarantee approach. This article proposes PiCore, a rely-guarantee
reasoning framework for formal specification and verification of CRSs. We
design an event specification language supporting complex reaction structures
and its rely-guarantee proof system to detach the specification and logic of
reactive aspects of CRSs from event behaviours. PiCore parametrizes the
language and its rely-guarantee system for event behaviour using a
rely-guarantee interface and allows to easily integrate 3rd-party languages via
rely-guarantee adapters. By this design, we have successfully integrated two
existing languages and their rely-guarantee proof systems without any change of
their specification and proofs. PiCore has been applied to two real-world case
studies, i.e. formal verification of concurrent memory management in Zephyr
RTOS and a verified translation for a standardized Business Process Execution
Language (BPEL) to PiCore.Comment: Submission to ACM Transactions on Programming Languages and Systems
in 202