Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL Chris Hawblitzel Microsoft Research.

Slides:



Advertisements
Similar presentations
Slide 19-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 19.
Advertisements

CSC 360- Instructor: K. Wu Overview of Operating Systems.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.
1/28 Type safety from the ground up. Chris Hawblitzel (joint work with Jean Yang, Juan Chen, and Gregory Malecha)
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.
Will You Still Compile Me Tomorrow
Extensible Kernels Edgar Velázquez-Armendáriz September 24 th 2009.
CS533 Concepts of Operating Systems Class 20 Summary.
Figure 2.8 Compiler phases Compiling. Figure 2.9 Object module Linking.
Process Management. External View of the OS Hardware fork() CreateProcess() CreateThread() close() CloseHandle() sleep() semctl() signal() SetWaitableTimer()
Microkernels: Mach and L4
Figure 1.1 Interaction between applications and the operating system.
Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.
Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.
Slide 6-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 6.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Copyright Arshi Khan1 System Programming Instructor Arshi Khan.
Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Chapter 2 Operating System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.
hardware and operating systems basics.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.
Protection and the Kernel: Mode, Space, and Context.
CS533 Concepts of Operating Systems Jonathan Walpole.
Checking the Hardware- Software Interface in Spec# Kevin Bierhoff (CMU) Chris Hawblitzel (Microsoft Research)
Presentation of Singularity OS Seminar, winter 2005 by Jacob Munk-Stander November 23 rd, 2005.
Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
Kernel, processes and threads Windows and Linux. Windows Architecture Operating system design Modified microkernel Layered Components HAL Interacts with.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
INTRODUCTION SOFTWARE HARDWARE DIFFERENCE BETWEEN THE S/W AND H/W.
Chapter 4 Storage Management (Memory Management).
Formally Verified Operating Systems SINGULARITY AND SEL4.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Operating Systems Overview Part 2: History (continued)
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Computers Operating System Essentials. Operating Systems PROGRAM HARDWARE OPERATING SYSTEM.
Ihr Logo Operating Systems Internals & Design Principles Fifth Edition William Stallings Chapter 2 (Part II) Operating System Overview.
Can We Make Operating Systems Reliable and Secure? Andrew S. Tanenbaum, Jorrit N. Herder, and Herbert Bos Vrije Universiteit, Amsterdam May 2006 Group.
LINUX System : Lecture 7 Bong-Soo Sohn Lecture notes acknowledgement : The design of UNIX Operating System.
Processes Introduction to Operating Systems: Module 3.
KIT – The cooperation of Forschungszentrum Karlsruhe GmbH and Universität Karlsruhe (TH) SYSTEM ARCHITECTURE GROUP, KARLSRUHE UNIVERSITY A Microkernel.
OPERATING SYSTEM - program that is loaded into the computer and coordinates all the activities among computer hardware devices. -controls the hardware.
Secure Compiler Seminar 4/11 Visions toward a Secure Compiler Toshihiro YOSHINO (D1, Yonezawa Lab.)
Processes CS 6560: Operating Systems Design. 2 Von Neuman Model Both text (program) and data reside in memory Execution cycle Fetch instruction Decode.
We will focus on operating system concepts What does it do? How is it implemented? Apply to Windows, Linux, Unix, Solaris, Mac OS X. Will discuss differences.
The Performance of Micro-Kernel- Based Systems H. Haertig, M. Hohmuth, J. Liedtke, S. Schoenberg, J. Wolter Presentation by: Tim Hamilton.
MIDORI The Windows Killer!! by- Sagar R. Yeole Under the guidance of- Prof. T. A. Chavan.
Chapter 2 Operating System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
CS533 Concepts of Operating Systems Jonathan Walpole.
Language Based Operating Systems by Sean Olson What is a virtual machine? What is managed code? Kernels. Memory and security models. What is a language.
CSCI/CMPE 4334 Operating Systems Review: Exam 1 1.
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
Introduction to Operating Systems Concepts
Computer System Structures
Chapter 2: Operating-System Structures
Processes and threads.
מערכות הפעלה ערן טרומר סמסטר א' תשע"ב
Information Security - 2
Lecture Topics: 11/1 General Operating System Concepts Processes
Operating Systems Lecture 3.
LINUX System : Lecture 7 Lecture notes acknowledgement : The design of UNIX Operating System.
Operating Systems: A Modern Perspective, Chapter 3
System Calls System calls are the user API to the OS
Chapter 2 Operating System Overview
OPERATING SYSTEMS MEMORY MANAGEMENT BY DR.V.R.ELANGOVAN.
Presentation transcript:

Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL Chris Hawblitzel Microsoft Research

Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL Chris Hawblitzel Microsoft Research

3Safe to the Last Instruction / Jean Yang

4

Memory Safety 5

Type Safety 6Safe to the Last Instruction / Jean Yang

Untyped Unsafe code (GC, stacks, drivers, …) Type-checked OS File System Drivers Applications Microkernel Hardware Previously: “Safe” Systems 7 What currently exists

Safe to the Last Instruction / Jean Yang Untyped Unsafe code (GC, stacks, drivers, …) Type-checked OS File System Drivers Applications Microkernel Hardware End-to-End Safe Systems 8 Verified code (GC, stacks, drivers, …) What we want

Verified Type-checked Verve, a Type-Safe OS Safe to the Last Instruction / Jean Yang Verify partial correctness of low- level Nucleus using Hoare logic based on a hardware spec. Verify an interface to typed assembly for end-to-end safety. Nucleus File System Drivers Applications Microkernel Hardware specification Interface specification 9

The Verve Nucleus Safe to the Last Instruction / Jean Yang10 Verified Type-checked Nucleus File System Drivers Applications Microkernel Hardware specification Interface specification Verified Interface specification x86 instructions Memory bounds Devices GC Heap Allocator and GC [POPL 2009] Stacks Interrupt table Interrupt/error handling Interface specification

Thread Context Invariant function StateInv (s:StackID, state:StackState, …) returns(bool) { (!IsEmpty(state)  … && (IsInterrupted(state)  … && (IsYielded(state)  … && state == StackYielded( StackEbp(s, tMems), StackEsp(s, tMems) + 4, StackRA(s, tMems, fMems)) && … } Safe to the Last Instruction / Jean Yang11

“Load” Specification procedure Load(ptr:int) returns (val:int); requires memAddr(ptr); requires Aligned(ptr); modifies Eip; ensures word(val); ensures val == Mem[ptr]; Safe to the Last Instruction / Jean Yang12

Assembling Verve Verified Safe to the Last Instruction / Jean Yang Boogie/Z3 Translator/ Assembler Source file Compilation tool Verification tool Nucleus.bpl (x86) 13

Boogie to x86 implementation ReadKeyboard(){ call KeyboardStatusIn8(); call eax := And(eax, 1); if (eax != 0) { goto proc; } call eax := mov(256); return; proc: call KeyboardDataIn8(); call eax := And(eax, 255); return; } Safe to the Last Instruction / Jean Yang ReadKeyboard proc in al, 064h and eax, 1 cmp eax, 0 jne ReadKeyboard$proc mov eax, 256 ret ReadKeyboard$skip: in al, 060h and eax, 255 ret 14

Building Verve Verified Safe to the Last Instruction / Jean Yang C# compiler Kernel.cs Boogie/Z3 Translator/ Assembler TAL checker Linker/ISO generator Verve.iso Source file Compilation tool Verification tool Nucleus.bpl (x86)Kernel.obj (x86) 15

Verve Performance Safe to the Last Instruction / Jean Yang Verve functionality Cycles Round-trip yield 98 Round-trip wait + signal ComparisonsCycles L4 (IPC)224 SeL4 (IPC)448 Singularity (yield)2156 Linux (yield)2390 Windows (yield)3554

Low Annotation Burden CopyingMark-sweep Specification Boogie lines1185 Verified Boogie lines Safe to the Last Instruction / Jean Yang x86 instructions person-months 3x code

Verve vs. SeL4? Safe to the Last Instruction / Jean Yang SeL4 Verified microkernel 8,700 lines of C File System Drivers Applications 200,000 lines of Isabelle ~600 lines ARM assembly person-months 18 20x code Verve Verified Nucleus ~1500 lines of x86 C# kernel

Contributions Safe to the Last Instruction / Jean Yang First automatically, mechanically verified OS for type safety. Real system running on x86 with efficient code. Approach for using automated techniques to verify safety. Verified Type-checked Verified nucleus File System Drivers Applications Microkernel Hardware specification Interface specification 19

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.