Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong.

Slides:



Advertisements
Similar presentations
A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL:
Advertisements

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 3 Operating System Organization.
Advanced Development of Certified OS Kernels Zhong Shao Bryan Ford Yale University November Focus Areas: Operating Systems,
Threads, SMP, and Microkernels Chapter 4. Process Resource ownership - process is allocated a virtual address space to hold the process image Scheduling/execution-
Threads Irfan Khan Myo Thein What Are Threads ? a light, fine, string like length of material made up of two or more fibers or strands of spun cotton,
Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.
CS533 Concepts of Operating Systems Class 3 Monitors.
CS533 Concepts of Operating Systems Class 20 Summary.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
CS533 Concepts of Operating Systems Class 3 Monitors.
10/19/2007TTI-C PL-Lunch Certified Concurrent Code with Interrupts Xinyu Feng Joint work with Zhong Shao (Yale University) and Yuan Dong (Tsinghua University)
An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.
Modular Verification of Assembly Code with Stack-Based Control Abstractions Xinyu Feng Yale University Joint work with Zhong Shao, Alexander Vaynberg,
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
Processes 1 CS502 Spring 2006 Processes Week 2 – CS 502.
CS533 - Concepts of Operating Systems 1 Class Discussion.
CPS110: Implementing threads/locks on a uni-processor Landon Cox.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
Compositional Verification of Termination-Preserving Refinement of Concurrent Programs Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.
COSC 3407: Operating Systems Lecture 3: Processes.
1 Previous lecture review n Out of basic scheduling techniques none is a clear winner: u FCFS - simple but unfair u RR - more overhead than FCFS may not.
Low-Level Program Verification. Components of a Certifying Framework certified code (machine code + proof) specifications: program safety/security/correctness.
Recall: Three I/O Methods Synchronous: Wait for I/O operation to complete. Asynchronous: Post I/O request and switch to other work. DMA (Direct Memory.
Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,
Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts.
Threads, SMP, and Microkernels Chapter 4. Process Resource ownership - process is allocated a virtual address space to hold the process image Scheduling/execution-
Computers Operating System Essentials. Operating Systems PROGRAM HARDWARE OPERATING SYSTEM.
Advanced Development of Certified OS Kernels DARPA CRASH Site Visit PIs: Zhong Shao & Bryan Ford (Yale University) October 5th, Friday, 2012, Room 307.
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
CSE 451: Operating Systems Section 5 Midterm review.
1 Computer Systems II Introduction to Processes. 2 First Two Major Computer System Evolution Steps Led to the idea of multiprogramming (multiple concurrent.
System Components ● There are three main protected modules of the System  The Hardware Abstraction Layer ● A virtual machine to configure all devices.
Concurrency, Processes, and System calls Benefits and issues of concurrency The basic concept of process System calls.
Department of Computer Science and Software Engineering
CS399 New Beginnings Jonathan Walpole. 2 Concurrent Programming & Synchronization Primitives.
Program Logic for Concurrency Refinement Verification Xinyu Feng University of Science and Technology of China Joint work with Hongjin Liang (USTC) and.
CS533 – Spring Jeanie M. Schwenk Experiences and Processes and Monitors with Mesa What is Mesa? “Mesa is a strongly typed, block structured programming.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Synchronization Emery Berger and Mark Corner University.
Chapter 2 Operating System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
CSE 153 Design of Operating Systems Winter 2015 Midterm Review.
COT 4600 Operating Systems Fall 2009 Dan C. Marinescu Office: HEC 439 B Office hours: Tu-Th 3:00-4:00 PM.
Managing Processors Jeff Chase Duke University. The story so far: protected CPU mode user mode kernel mode kernel “top half” kernel “bottom half” (interrupt.
Slides created by: Professor Ian G. Harris Operating Systems  Allow the processor to perform several tasks at virtually the same time Ex. Web Controlled.
Threads, SMP, and Microkernels Chapter 4. Processes and Threads Operating systems use processes for two purposes - Resource allocation and resource ownership.
CS 162 Discussion Section Week 2. Who am I? Prashanth Mohan Office Hours: 11-12pm Tu W at.
Introduction to Operating Systems Concepts
Introduction to Operating Systems
Threads & Multithreading
Processes and threads.
Current Generation Hypervisor Type 1 Type 2.
A Practical Verification Framework for Preemptive OS Kernels
CS 6560: Operating Systems Design
CSCS 511 Operating Systems Ch3, 4 (Part B) Further Understanding Threads Dr. Frank Li Skipped sections 3.5 & 3.6 
Low-Level Program Verification
Intro to Processes CSSE 332 Operating Systems
Joint work with Yong Li, Xinyu Feng, Zhong Shao and Yu Zhang
CSCI 511 Operating Systems Ch3, 4 (Part B) Further Understanding Threads Dr. Frank Li Skipped sections 3.5 & 3.6 
Threads, SMP, and Microkernels
Mid Term review CSC345.
Lecture Topics: 11/1 General Operating System Concepts Processes
Separation Logic and Concurrency Verification
February 5, 2004 Adrienne Noble
Operating Systems: A Modern Perspective, Chapter 6
Outline Operating System Organization Operating System Examples
Operating Systems Structure
Chapter 1: Introduction CSS503 Systems Programming
In Today’s Class.. General Kernel Responsibilities Kernel Organization
Chapter 3: Process Management
Threads.
Presentation transcript:

Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong Shao (Yale), Yuan Dong (Tsinghua Univ.) and Yu Guo (USTC)

How to verify safety & correctness of OS kernels / Hypervisors? Code loading Many challenges: Interrupts … Device drivers & I/O Concurrency Low-level C/Assembly code Is verification possible? How to do it in a clean & modular way?

Layering of Simplified Kernel Code B: concurrent code with explicit interrupts How to verify ???

Concurrency with Interrupts: Challenges irq0 irq1 (1) (2) (3) (4) (5) Asymmetric preemption between handlers and non-handler code Intertwining between threads and handlers Asymmetric synchronization: cli/sti are different from locks

Our Contributions A Hoare-style program logic for modular verification of low-level programs with interrupts and concurrency.

AIM – I : Single Threaded-Code with Interrupts I1I1 f1:f1: I2I2 f2:f2: ISR ih: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … cli sti iret … j f (program) P::=(C,S,pc) ::=(H,R,ie) ::={f  I} * pc ie

Example: Teeter-Totter while(true){ cli; if([right] == 0){ sti; break; } [right] := [right]-1; [left] := [left]+1; sti; } print(“left wins!”); timer: if([left] == 0){ print(“right wins!”); iret; } [left] := [left]-1; [right] := [right]+1; iret; 50 left right How to guarantee non-interference?

Non-Interference? Program invariant: There is always a partition of memory among concurrent entities, and each concurrent entity only access its own part. But note: The partition is dynamic: ownership of memory can be dynamically transferred. cli/sti can be modeled as operations that trigger memory ownership transfer.

- { P h }INV AIM – I : The Memory Model Non-handler sti iret Handler BA cli … Memory … - { P h }INV The memory partition is logical, not physical!

Separation Logic to Enforce Partition l  n n l p  qp  q pq emp empty heap p  qp  q p  q [Ithtiaq & O’Hearn’01, Reynolds’02]

AIM – I : cli/sti BA INV BB B BA B B cli sti ie = 1ie = 0

Example: Teeter-Totter while(true){ -{emp  ie=1} cli; -{emp * INV}... [right] := [right]-1; [left] := [left]+1; -{INV} sti; -{emp  ie=1} } timer: -{INV} if([left] == 0){ print(“right wins!”); -{INV} iret; } [left] := [left]-1; [right] := [right]+1; -{INV} iret; INV:  m, n. (left  m)  (right  n)  (m+n = 100) 50 left right sti cli

AIM-II : Multi-threaded code with interrupts f1:f1: f2:f2: ih: (code heap) C (state) S (program) P::=(C,S,B,Q,pc) ::=(H,R,ie) cli/sti switch block w unblock w pc 0 r1r1 1 2 … r2r2 r3r3 …rnrn (data heap) H (register file) R ie pc R R R … (ready. queue) Q … w1w1 w2w2 wnwn B

Non-interference? f1:f1: f2:f2: ih: (code heap) C (state) S::=(H,R,ie) cli/sti switch block w unblock w pc 0 r1r1 1 2 … r2r2 r3r3 …rnrn (data heap) H (register file) R ie pc R R R … (ready. queue) Q … w1w1 w2w2 wnwn B Use memory partition to control interference!

AIM – II : Memory Model BA INV A C T1T1 T2T2 INV1

AIM – II : cli/sti T 1 : cli CA INV T1T1 T2T2 INV1 T 1 : CT 1 : A INV T1T1 T2T2 INV1 ie = 1ie = 0 C'A' INV T1T1 T2T2 INV1 T 1 : C'T 1 : A' INV T1T1 T2T2 INV1 T 1 : sti

AIM – II : switch T 1 : CT 1 : A INV T1T1 T2T2 INV1 T 1 : switch T 2 : CT 2 : A INV T1T1 T2T2 INV1 ie = 0 T 2 : switch T 1 : C'T 1 : A' INV T1T1 T2T2 INV1 T 2 : C'T 2 : A' INV T1T1 T2T2 INV1 switch untouched INV1 * INV preserved … sti … cli …

block switch T 1 : CT 1 : A INV T1T1 T2T2 INV1 ? ! T 2 : CT 2 : A INV T1T1 T2T2 INV1 ! T 2 : C'T 2 : A' INV INV1 T1T1 T2T2 T 1 : C'T 1 : A' INV T1T1 INV1 T2T2 ! unblock Thread 1 T2T2 ! AIM-II: block/unblock Thread 2 block

AIM-II : block/unblock Threads block themselves to wait for resources. … w1w1 w2w2 wnwn B locks: wait for resources protected by locks condition variables: wait for conditions to come true R1R1 R2R2 RnRn R can be empty Unifies different semantics of Condition Variables: Mesa style Hoare style Brinch-Hansen style Read our paper for details!

Implementations – An Infrastructure for x86 verification Coq (Higher-Order Logic with Inductive Def.) x86 semantics (a subset) Sep. LogicUtilities (e.g. Queues) AIM Logic & Soundness Locks, Condition variables Timer handler, yield/sleep SCAP switch, block, unblock 26,00012,000 26,0003,000 6,3004,000 Around 82,000 lines of Coq code 3,300 See

Summary Abstract Machine & Program Logic –Hardware interrupts + preemptive threads –Ownership transfer semantics cli, sti, switch, block, unblock Implementations –Infrastructure for x86 code verification –Certified x86 modules Future work –Multi-processor platforms –Liveness properties –Verification of C programs

Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.