Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System

Post on 22-Feb-2016


Description: slides for "Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System" by Jean Yang (MIT CSAIL) and Chris Hawblitzel (Microsoft Research). PowerPoint (PPT) presentation.

Transcript

Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System

Jean Yang, MIT CSAIL
Chris Hawblitzel, Microsoft Research

Safe to the Last Instruction / Jean Yang 3


Memory Safety


Type Safety


Previously: "Safe" Systems (what currently exists)

  Type-checked OS:  Applications | File System | Drivers | Microkernel
  Untyped:          unsafe code (GC, stacks, drivers, ...)
  Hardware

End-to-End Safe Systems (what we want)

  Type-checked OS:  Applications | File System | Drivers | Microkernel
  Verified:         verified code (GC, stacks, drivers, ...)
  Hardware

Verve, a Type-Safe OS

• Verify partial correctness of the low-level Nucleus using Hoare logic, against a hardware specification.
• Verify an interface to typed assembly language (TAL) so that safety holds end to end.

  Type-checked:  Applications | File System | Drivers | Microkernel
  Interface specification
  Verified:      Nucleus
  Hardware specification

The Verve Nucleus

  Type-checked:  Applications | File System | Drivers | Microkernel
  Interface specification (verified)
  Verified Nucleus:  GC heap; allocator and GC [POPL 2009]; stacks; interrupt table; interrupt/error handling
  Hardware specification:  x86 instructions; memory bounds; devices

Thread Context Invariant

  function StateInv(s:StackID, state:StackState, ...) returns(bool)
  {
       (!IsEmpty(state) ...
    && (IsInterrupted(state) ...
    && (IsYielded(state) ...
       && state == StackYielded(StackEbp(s, tMems),
                                StackEsp(s, tMems) + 4,
                                StackRA(s, tMems, fMems))
       && ...
  }

"Load" Specification

  procedure Load(ptr:int) returns (val:int);
    requires memAddr(ptr);
    requires Aligned(ptr);
    modifies Eip;
    ensures word(val);
    ensures val == Mem[ptr];
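The contract above is what Boogie/Z3 checks statically at every Load in the Nucleus: the caller must establish memAddr and Aligned before the instruction executes. The following is an added example, not Verve's own code, that makes the same clauses executable against a toy memory so the obligation is visible, including the loop verification condition a caller would have to discharge. All names (HardwareSpec, mem_lo/mem_hi, sum_words, sum_words_vc, sample_memory) and the sample memory contents are this example's assumptions, not Verve identifiers.

```python
# Added example (not Verve's own code): an executable model of the
# Nucleus' "Load" contract.  Verve proves such contracts statically with
# Boogie/Z3; here each clause is checked at run time against a toy memory.
# All names (HardwareSpec, mem_lo/mem_hi, sum_words, ...) are this
# example's assumptions, not Verve identifiers.

WORD = 4  # x86 word size in bytes


class ContractViolation(Exception):
    """Stands in for a Boogie verification error on a 'requires' clause."""


class HardwareSpec:
    """Toy flat memory with explicit bounds [mem_lo, mem_hi)."""

    def __init__(self, mem_lo, mem_hi):
        assert mem_lo % WORD == 0 and mem_hi % WORD == 0 and mem_lo < mem_hi
        self.mem_lo, self.mem_hi = mem_lo, mem_hi
        self.mem = {}  # Mem[ptr] for aligned ptr; unset cells read as 0

    # Predicates used by the specification.
    def mem_addr(self, ptr):  # memAddr(ptr): the whole word lies in bounds
        return self.mem_lo <= ptr and ptr + WORD <= self.mem_hi

    @staticmethod
    def aligned(ptr):  # Aligned(ptr)
        return ptr % WORD == 0

    @staticmethod
    def word(val):  # word(val): fits in 32 bits
        return 0 <= val < 1 << 32

    def load(self, ptr):
        """procedure Load(ptr) returns (val) with the slide's contract."""
        # requires memAddr(ptr); requires Aligned(ptr);
        if not self.mem_addr(ptr):
            raise ContractViolation(f"Load: memAddr({ptr:#x}) does not hold")
        if not self.aligned(ptr):
            raise ContractViolation(f"Load: Aligned({ptr:#x}) does not hold")
        val = self.mem.get(ptr, 0)
        # ensures word(val); ensures val == Mem[ptr];
        assert self.word(val) and val == self.mem.get(ptr, 0)
        return val

    def store(self, ptr, val):
        """Same address obligations as Load, plus word(val) on the input."""
        if not (self.mem_addr(ptr) and self.aligned(ptr) and self.word(val)):
            raise ContractViolation(f"Store: contract does not hold at {ptr:#x}")
        self.mem[ptr] = val


def sum_words_vc(hw, base, n):
    """Verification condition a caller must prove before the loop in
    sum_words: every address base + 4*i, 0 <= i < n, satisfies memAddr
    and Aligned.  Written quantifier-free, as one would hand it to Z3."""
    return (hw.aligned(base) and n >= 0
            and hw.mem_lo <= base and base + WORD * n <= hw.mem_hi)


def sum_words(hw, base, n):
    """Nucleus-style loop reading n words from base.  If sum_words_vc
    holds, no Load inside can fail its precondition."""
    total = 0
    for i in range(n):
        total = (total + hw.load(base + WORD * i)) & 0xFFFFFFFF
    return total


def try_sum(hw, base, n):
    """Return ('ok', total) or ('violation', message), so the static VC
    can be compared with what an unverified caller would hit at run time."""
    try:
        return ("ok", sum_words(hw, base, n))
    except ContractViolation as exc:
        return ("violation", str(exc))


def sample_memory():
    """Constructed sample: 4 KiB of memory at 0x1000 holding 1, 2, 3, 4."""
    hw = HardwareSpec(0x1000, 0x2000)
    for i, v in enumerate([1, 2, 3, 4]):
        hw.store(0x1000 + WORD * i, v)
    return hw


if __name__ == "__main__":
    hw = sample_memory()
    for base, n in [(0x1000, 4), (0x1FF8, 4), (0x1002, 1)]:
        print(f"base={base:#x} n={n}: VC={sum_words_vc(hw, base, n)}, "
              f"run={try_sum(hw, base, n)}")
```

The point of the pairing is that sum_words_vc is decided once, before the loop runs, while the checks inside load fire only when a bad address is actually reached; the run with base 0x1FF8 reads two words successfully before failing, which is exactly the class of bug a static proof of the VC rules out.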

Assembling Verve

  Nucleus.bpl (x86)   [source file]
      |-- Boogie/Z3             [verification tool] -> verified
      '-- Translator/Assembler  [compilation tool]

Boogie to x86

  implementation ReadKeyboard()
  {
    call KeyboardStatusIn8();
    call eax := And(eax, 1);
    if (eax != 0) { goto proc; }
    call eax := mov(256);
    return;
    proc:
    call KeyboardDataIn8();
    call eax := And(eax, 255);
    return;
  }

  ReadKeyboard proc
    in al, 064h
    and eax, 1
    cmp eax, 0
    jne ReadKeyboard$proc
    mov eax, 256
    ret
  ReadKeyboard$proc:
    in al, 060h
    and eax, 255
    ret
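The slide shows the verified Boogie body and the x86 it becomes, one statement per instruction, which is what lets a proof about the Boogie carry over to the machine code. The following is an added example, not Verve's translator, that mechanises exactly the mapping visible on the slide for this procedure: the port numbers for the two keyboard input procedures and the rules for And, mov, if/goto, return and labels are taken from the slide, and the assumption that the real Translator/Assembler works this way for every other instruction is this example's, not the page's.

```python
# Added example (not Verve's translator): a one-statement-to-one-
# instruction translator for the Boogie subset shown on the slide.
import re

# Constructed input: the ReadKeyboard implementation from the slide.
READ_KEYBOARD_BPL = """\
implementation ReadKeyboard()
{
  call KeyboardStatusIn8();
  call eax := And(eax, 1);
  if (eax != 0) { goto proc; }
  call eax := mov(256);
  return;
  proc:
  call KeyboardDataIn8();
  call eax := And(eax, 255);
  return;
}
"""

# Port-I/O procedures of the hardware spec; each is a single x86
# instruction (port numbers as on the slide).
IO_PROCS = {
    "KeyboardStatusIn8": "in al, 064h",
    "KeyboardDataIn8": "in al, 060h",
}

RE_HEADER = re.compile(r"implementation\s+(\w+)\s*\(")
RE_CALL0 = re.compile(r"call\s+(\w+)\(\);")
RE_CALL_ASSIGN = re.compile(r"call\s+(\w+)\s*:=\s*(\w+)\((.*)\);")
RE_IF_GOTO = re.compile(r"if\s*\(\s*(\w+)\s*!=\s*0\s*\)\s*\{\s*goto\s+(\w+);\s*\}")
RE_LABEL = re.compile(r"(\w+):$")


def translate(bpl):
    """Translate one verified Boogie implementation into x86 text.
    Every Boogie statement becomes one instruction (two for if/goto);
    labels are prefixed with the procedure name, as on the slide.
    Anything outside the slide's subset is rejected rather than guessed."""
    lines = [ln.strip() for ln in bpl.splitlines() if ln.strip()]
    m = RE_HEADER.match(lines[0])
    if not m:
        raise ValueError("expected 'implementation Name(...)'")
    proc = m.group(1)
    out = [f"{proc} proc"]
    for line in lines[1:]:
        if line in ("{", "}"):
            continue
        if (m := RE_CALL0.match(line)):
            out.append(IO_PROCS[m.group(1)])          # port input
        elif (m := RE_CALL_ASSIGN.match(line)):
            dst, op = m.group(1), m.group(2)
            args = [a.strip() for a in m.group(3).split(",")]
            if op == "And":
                if args[0] != dst:
                    raise ValueError("And must update its first operand")
                out.append(f"and {dst}, {args[1]}")
            elif op == "mov":
                out.append(f"mov {dst}, {args[0]}")
            else:
                raise ValueError(f"no translation rule for {op}")
        elif (m := RE_IF_GOTO.match(line)):
            out.append(f"cmp {m.group(1)}, 0")
            out.append(f"jne {proc}${m.group(2)}")
        elif line == "return;":
            out.append("ret")
        elif (m := RE_LABEL.match(line)):
            out.append(f"{proc}${m.group(1)}:")
        else:
            raise ValueError(f"unsupported statement: {line}")
    return out


if __name__ == "__main__":
    print("\n".join(translate(READ_KEYBOARD_BPL)))
```

Because the translation is syntactic and total over its subset, the trusted computing base for the Nucleus is the hardware spec plus this small mapping; a statement with no rule is a translation error, never silently emitted code.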

Building Verve

  Kernel.cs [source file] -> C# compiler [compilation tool] -> Kernel.obj (x86) -> TAL checker [verification tool]
  Nucleus.bpl (x86) [source file] -> Boogie/Z3 [verification tool] -> verified
                                  -> Translator/Assembler [compilation tool]
  Kernel.obj (x86) + assembled Nucleus -> Linker/ISO generator [compilation tool] -> Verve.iso

Verve Performance

  Verve functionality           Cycles
  Round-trip yield                  98
  Round-trip wait + signal         216

  Comparisons                   Cycles
  L4 (IPC)                         224
  seL4 (IPC)                       448
  Singularity (yield)             2156
  Linux (yield)                   2390
  Windows (yield)                 3554

Low Annotation Burden

                               Copying   Mark-sweep
  Specification Boogie lines         1185 (shared)
  Verified Boogie lines             4309        4854
  x86 instructions                  1377        1489

  9 person-months; the verified Boogie is about 3x the size of the x86 code it produces.

Verve vs. seL4?

  seL4:  verified microkernel of 8,700 lines of C plus ~600 lines of ARM assembly; file system, drivers and applications run above it, unverified. Proof: 200,000 lines of Isabelle, 120-240 person-months, about 20x the code.
  Verve: verified Nucleus of ~1500 lines of x86, with a type-checked C# kernel above it. Proof: 9 person-months, about 3x the code.

Contributions

• First automatically, mechanically verified OS for type safety.
• Real system running on x86 with efficient code.
• Approach for using automated techniques to verify safety.

  Type-checked:  Applications | File System | Drivers | Microkernel
  Interface specification
  Verified nucleus
  Hardware specification

http://www.codeplex.com/singularity