Presentation is loading. Please wait.

Presentation is loading. Please wait.

Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL Chris Hawblitzel Microsoft Research.

Published bySarah Barker Modified over 8 years ago

Similar presentations

Presentation on theme: "Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL Chris Hawblitzel Microsoft Research."— Presentation transcript:

1 Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL Chris Hawblitzel Microsoft Research

2 Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL Chris Hawblitzel Microsoft Research

3 3Safe to the Last Instruction / Jean Yang

4 4

5 Memory Safety 5

6 Type Safety 6Safe to the Last Instruction / Jean Yang

7 Untyped Unsafe code (GC, stacks, drivers, …) Type-checked OS File System Drivers Applications Microkernel Hardware Previously: “Safe” Systems 7 What currently exists

8 Safe to the Last Instruction / Jean Yang Untyped Unsafe code (GC, stacks, drivers, …) Type-checked OS File System Drivers Applications Microkernel Hardware End-to-End Safe Systems 8 Verified code (GC, stacks, drivers, …) What we want

9 Verified Type-checked Verve, a Type-Safe OS Safe to the Last Instruction / Jean Yang Verify partial correctness of low- level Nucleus using Hoare logic based on a hardware spec. Verify an interface to typed assembly for end-to-end safety. Nucleus File System Drivers Applications Microkernel Hardware specification Interface specification 9

10 The Verve Nucleus Safe to the Last Instruction / Jean Yang10 Verified Type-checked Nucleus File System Drivers Applications Microkernel Hardware specification Interface specification Verified Interface specification x86 instructions Memory bounds Devices GC Heap Allocator and GC [POPL 2009] Stacks Interrupt table Interrupt/error handling Interface specification

11 Thread Context Invariant function StateInv (s:StackID, state:StackState, …) returns(bool) { (!IsEmpty(state)  … && (IsInterrupted(state)  … && (IsYielded(state)  … && state == StackYielded( StackEbp(s, tMems), StackEsp(s, tMems) + 4, StackRA(s, tMems, fMems)) && … } Safe to the Last Instruction / Jean Yang11

12 “Load” Specification procedure Load(ptr:int) returns (val:int); requires memAddr(ptr); requires Aligned(ptr); modifies Eip; ensures word(val); ensures val == Mem[ptr]; Safe to the Last Instruction / Jean Yang12

13 Assembling Verve Verified Safe to the Last Instruction / Jean Yang Boogie/Z3 Translator/ Assembler Source file Compilation tool Verification tool Nucleus.bpl (x86) 13

14 Boogie to x86 implementation ReadKeyboard(){ call KeyboardStatusIn8(); call eax := And(eax, 1); if (eax != 0) { goto proc; } call eax := mov(256); return; proc: call KeyboardDataIn8(); call eax := And(eax, 255); return; } Safe to the Last Instruction / Jean Yang ReadKeyboard proc in al, 064h and eax, 1 cmp eax, 0 jne ReadKeyboard$proc mov eax, 256 ret ReadKeyboard$skip: in al, 060h and eax, 255 ret 14

15 Building Verve Verified Safe to the Last Instruction / Jean Yang C# compiler Kernel.cs Boogie/Z3 Translator/ Assembler TAL checker Linker/ISO generator Verve.iso Source file Compilation tool Verification tool Nucleus.bpl (x86)Kernel.obj (x86) 15

16 Verve Performance Safe to the Last Instruction / Jean Yang Verve functionality Cycles Round-trip yield 98 Round-trip wait + signal 216 16 ComparisonsCycles L4 (IPC)224 SeL4 (IPC)448 Singularity (yield)2156 Linux (yield)2390 Windows (yield)3554

17 Low Annotation Burden CopyingMark-sweep Specification Boogie lines1185 Verified Boogie lines43094854 Safe to the Last Instruction / Jean Yang x86 instructions13771489 17 9 person-months 3x code

18 Verve vs. SeL4? Safe to the Last Instruction / Jean Yang SeL4 Verified microkernel 8,700 lines of C File System Drivers Applications 200,000 lines of Isabelle ~600 lines ARM assembly 120-240 person-months 18 20x code Verve Verified Nucleus ~1500 lines of x86 C# kernel

19 Contributions Safe to the Last Instruction / Jean Yang First automatically, mechanically verified OS for type safety. Real system running on x86 with efficient code. Approach for using automated techniques to verify safety. Verified Type-checked Verified nucleus File System Drivers Applications Microkernel Hardware specification Interface specification http://www.codeplex.com/singularity 19

Download ppt "Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL Chris Hawblitzel Microsoft Research."

Similar presentations

Slide 19-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 19.

Slide 19-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 19.
CSC 360- Instructor: K. Wu Overview of Operating Systems.

CSC 360- Instructor: K. Wu Overview of Operating Systems.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.

Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.
1/28 Type safety from the ground up. Chris Hawblitzel (joint work with Jean Yang, Juan Chen, and Gregory Malecha)

1/28 Type safety from the ground up. Chris Hawblitzel (joint work with Jean Yang, Juan Chen, and Gregory Malecha)
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.

Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.
Will You Still Compile Me Tomorrow

Will You Still Compile Me Tomorrow
Extensible Kernels Edgar Velázquez-Armendáriz September 24 th 2009.

Extensible Kernels Edgar Velázquez-Armendáriz September 24 th 2009.
CS533 Concepts of Operating Systems Class 20 Summary.

CS533 Concepts of Operating Systems Class 20 Summary.
Figure 2.8 Compiler phases. 2.8.1 Compiling. Figure 2.9 Object module. 2.8.2 Linking.

Figure 2.8 Compiler phases Compiling. Figure 2.9 Object module Linking.
Process Management. External View of the OS Hardware fork() CreateProcess() CreateThread() close() CloseHandle() sleep() semctl() signal() SetWaitableTimer()

Process Management. External View of the OS Hardware fork() CreateProcess() CreateThread() close() CloseHandle() sleep() semctl() signal() SetWaitableTimer()
Microkernels: Mach and L4

Microkernels: Mach and L4
Figure 1.1 Interaction between applications and the operating system.

Figure 1.1 Interaction between applications and the operating system.
Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.

Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.
Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.

Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.
Slide 6-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 6.

Slide 6-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 6.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Copyright Arshi Khan1 System Programming Instructor Arshi Khan.

Copyright Arshi Khan1 System Programming Instructor Arshi Khan.

Similar presentations

Ads by Google