Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads

Authors:
Xinyu Feng;Zhong Shao;Yu Guo;Yuan Dong
Affiliations:
Toyota Technological Institute at Chicago, Chicago, USA 60637;Department of Computer Science, Yale University, New Haven, USA 06520-8285;Department of Computer Science and Technology, University of Science and Technology of China, Hefei, China 230026;Department of Computer Science and Technology, Tsinghua University, Beijing, China 100084
Venue:
Journal of Automated Reasoning
Year:
2009

Citing 29
Cited 7

Tentative steps toward a development method for interfering programs

ACM Transactions on Programming Languages and Systems (TOPLAS)
Kit: A Study in Operating System Verification

IEEE Transactions on Software Engineering
A syntactic approach to type soundness

Information and Computation
From system F to typed assembly language

POPL '98 Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
An axiomatic basis for computer programming

Communications of the ACM - Special 25th Anniversary Issue
Experience with processes and monitors in Mesa

Communications of the ACM
Monitors: an operating system structuring concept

Communications of the ACM
BI as an assertion language for mutable data structures

POPL '01 Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Enforcing high-level protocols in low-level software

Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation
Separation Logic: A Logic for Shared Mutable Data Structures

LICS '02 Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science
A Semantic Basis for Local Reasoning

FoSSaCS '02 Proceedings of the 5th International Conference on Foundations of Software Science and Computation Structures
A Typed Interrupt Calculus

FTRTFT '02 Proceedings of the 7th International Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems: Co-sponsored by IFIP WG 2.2
Separation and information hiding

Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Permission accounting in separation logic

Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Modular verification of concurrent assembly code with dynamic thread creation and termination

Proceedings of the tenth ACM SIGPLAN international conference on Functional programming
Modular verification of assembly code with stack-based control abstractions

Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation
An open framework for foundational proof-carrying code

TLDI '07 Proceedings of the 2007 ACM SIGPLAN international workshop on Types in languages design and implementation
A general framework for certifying garbage collectors and their mutators

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
OS verification: now!

HOTOS'05 Proceedings of the 10th conference on Hot Topics in Operating Systems - Volume 10
Interrupt Verification via Thread Verification

Electronic Notes in Theoretical Computer Science (ENTCS)
On the relationship between concurrent separation logic and assume-guarantee reasoning

ESOP'07 Proceedings of the 16th European conference on Programming
Type-based analysis of deadlock for a concurrent calculus with interrupts

ESOP'07 Proceedings of the 16th European conference on Programming
A tutorial on satisfiability modulo theories

CAV'07 Proceedings of the 19th international conference on Computer aided verification
Local reasoning for storable locks and threads

APLAS'07 Proceedings of the 5th Asian conference on Programming languages and systems
Using XCAP to certify realistic systems code: machine context management

TPHOLs'07 Proceedings of the 20th international conference on Theorem proving in higher order logics
Oracle semantics for concurrent separation logic

ESOP'08/ETAPS'08 Proceedings of the Theory and practice of software, 17th European conference on Programming languages and systems
Smallfoot: modular automatic assertion checking with separation logic

FMCO'05 Proceedings of the 4th international conference on Formal Methods for Components and Objects
On the correctness of operating system kernels

TPHOLs'05 Proceedings of the 18th international conference on Theorem Proving in Higher Order Logics
A marriage of rely/guarantee and separation logic

CONCUR'07 Proceedings of the 18th international conference on Concurrency Theory

Safe to the last instruction: automated verification of a type-safe operating system

PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
Automated verification of a small hypervisor

VSTTE'10 Proceedings of the Third international conference on Verified software: theories, tools, experiments
Pervasive verification of an OS microkernel: inline assembly, memory consumption, concurrent devices

VSTTE'10 Proceedings of the Third international conference on Verified software: theories, tools, experiments
Correctness proofs for device drivers in embedded systems

SSV'10 Proceedings of the 5th international conference on Systems software verification
Modular specification and verification of interprocess communication

Proceedings of the 2010 Conference on Formal Methods in Computer-Aided Design
Integrated semantics of intermediate-language c and macro-assembler for pervasive formal verification of operating systems and hypervisors from VerisoftXT

VSTTE'12 Proceedings of the 4th international conference on Verified Software: theories, tools, experiments
Investigating time properties of interrupt-driven programs

SBMF'12 Proceedings of the 15th Brazilian conference on Formal Methods: foundations and applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Hardware interrupts are widely used in the world's critical software systems to support preemptive threads, device drivers, operating system kernels, and hypervisors. Handling interrupts properly is an essential component of low-level system programming. Unfortunately, interrupts are also extremely hard to reason about: they dramatically alter the program control flow and complicate the invariants in low-level concurrent code (e.g., implementation of synchronization primitives). Existing formal verification techniques--including Hoare logic, typed assembly language, concurrent separation logic, and the assume-guarantee method--have consistently ignored the issues of interrupts; this severely limits the applicability and power of today's program verification systems. In this paper we present a novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads. We show that enabling and disabling interrupts can be formalized precisely using simple ownership-transfer semantics, and the same technique also extends to the concurrent setting. By carefully reasoning about the interaction among interrupt handlers, context switching, and synchronization libraries, we are able to--for the first time--successfully certify a preemptive thread implementation and a large number of common synchronization primitives. Our work provides a foundation for reasoning about interrupt-based kernel programs and makes an important advance toward building fully certified operating system kernels and hypervisors.