    OS verification extended: on the formal verification of device drivers and the correctness of client/server software

    This thesis tackles two important challenges in OS verification: the formal verification of device drivers and the correctness of client/server software. Device drivers are an integral part of system software. Not only high-level functionality such as file I/O depends on devices; even basic OS features, such as demand paging, need correctly implemented drivers. In this thesis, we show how to pervasively integrate devices and their drivers into a language stack reaching from the level of assembly up to high-level languages. This stack is leveraged for the formal verification of a simple hard disk driver, which is subsequently embedded into Verisoft's microkernel. To the best of our knowledge, this marks the first formal functional verification of a device driver against a realistic device and system model. Remote procedure calls (RPCs) lie at the heart of any client/server software. In the second part of this thesis, we present a specification of an RPC mechanism and we outline how to verify an implementation of this mechanism at the code level. The formalization is based on a model of user processes running concurrently under a simple OS, which provides inter-process communication and portmapper system calls. A simple theory of non-interference permits us to use conventional sequential program analysis between system calls. To the best of our knowledge, this is the first treatment of the correctness of an entire RPC mechanism at the code level.
    This thesis addresses two important problems in the verification of operating systems (OS): the formal verification of device drivers and the correctness of client/server software. Basic functions of an OS, such as demand paging, require correctly implemented drivers. In this thesis we show how devices can be integrated seamlessly into all semantic layers, from assembly up to a C-like high-level language. This pervasive theory is then used to formally verify a simple hard disk driver (part of the Verisoft microkernel). To the best of our knowledge, this is the first formal verification of a driver in the context of a realistic device and system model. Implementations of client/server software are often based on remote procedure calls (RPCs). In the second part of this thesis, we specify such an RPC mechanism and outline its verification at the code level. The formalization is based on a model of user processes executed concurrently under a simple OS. This OS provides inter-process communication and portmapper functionality via special system calls. In order to reason sequentially about individual processes, we introduce a small theory for determining the dependence between system calls. To the best of our knowledge, this thesis is the first to treat the correctness of a complete RPC mechanism at the code level.

    Correctness of a Fault-Tolerant Real-Time Scheduler and its Hardware Implementation

    We formalize the correctness of a fault-tolerant scheduler in a time-triggered architecture. Where previous research elaborated on real-time protocol correctness, we extend this work to gate-level hardware. This requires a sophisticated analysis of analog bit-level synchronization and transmission. Our case study is a concrete automotive bus controller (ABC), inspired by the FlexRay standard. For a set of interconnected ABCs, vulnerable to sudden failure, we prove at gate level that all operating ABCs are synchronized tightly enough that messages are broadcast correctly. This includes formal arguments for startup, failures, and reintegration of nodes at arbitrary times. To the best of our knowledge, this is the first effort tackling fault-tolerant scheduling correctness at gate level.

    Formal Correctness of an Automotive Bus Controller Implementation at Gate-Level

    We formalize the correctness of a real-time scheduler in a time-triggered architecture. Where previous research elaborated on real-time protocol correctness, we extend this work to gate-level hardware. This requires a sophisticated analysis of analog bit-level synchronization and message transmission. Our case study is a concrete automotive bus controller (ABC). For a set of interconnected ABCs we formally prove at gate level that all ABCs are synchronized tightly enough that messages are broadcast correctly. Proofs have been carried out in the interactive theorem prover Isabelle/HOL using the NuSMV model checker. To the best of our knowledge, this is the first effort formally tackling scheduler correctness at gate level.