An approach to systems verification
Journal of Automated Reasoning
Extensibility safety and performance in the SPIN operating system
SOSP '95 Proceedings of the fifteenth ACM symposium on Operating systems principles
From system F to typed assembly language
POPL '98 Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Interface and execution models in the Fluke kernel
OSDI '99 Proceedings of the third symposium on Operating systems design and implementation
Pilot: an operating system for a personal computer
Communications of the ACM
A type theory for memory allocation and data layout
POPL '03 Proceedings of the 30th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
HOTOS '97 Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI)
A principled approach to operating system construction in Haskell
Proceedings of the tenth ACM SIGPLAN international conference on Functional programming
A general framework for certifying garbage collectors and their mutators
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Processes in KaffeOS: isolation, resource management, and sharing in java
OSDI'00 Proceedings of the 4th conference on Symposium on Operating System Design & Implementation - Volume 4
Foundational Typed Assembly Language with Certified Garbage Collection
TASE '07 Proceedings of the First Joint IEEE/IFIP Symposium on Theoretical Aspects of Software Engineering
Certifying low-level programs with hardware interrupts and preemptive threads
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Type-preserving compilation for large-scale optimizing object-oriented compilers
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Automated verification of practical garbage collectors
Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads
Journal of Automated Reasoning
The multikernel: a new OS architecture for scalable multicore systems
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
seL4: formal verification of an OS kernel
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
TACAS'08/ETAPS'08 Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems
Boogie: a modular reusable verifier for object-oriented programs
FMCO'05 Proceedings of the 4th international conference on Formal Methods for Components and Objects
Verified squared: does critical software deserve verified tools?
Proceedings of the 38th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Typed assembly language for implementing OS kernels in SMP/multi-core environments with interrupts
SSV'10 Proceedings of the 5th international conference on Systems software verification
Type safety from the ground up
Proceedings of the 7th ACM SIGPLAN workshop on Types in language design and implementation
From a verified kernel towards verified systems
APLAS'10 Proceedings of the 8th Asian conference on Programming languages and systems
Mostly-automated verification of low-level programs in computational separation logic
Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation
Formally verifying isolation and availability in an idealized model of virtualization
FM'11 Proceedings of the 17th international conference on Formal methods
Modular verification of preemptive OS kernels
Proceedings of the 16th ACM SIGPLAN international conference on Functional programming
Preliminary design of the SAFE platform
PLOS '11 Proceedings of the 6th Workshop on Programming Languages and Operating Systems
Summary of PLOS 2011: the sixth workshop on programming languages and operating systems
ACM SIGOPS Operating Systems Review
TLDI '12 Proceedings of the 8th ACM SIGPLAN workshop on Types in language design and implementation
Large-scale formal verification in practice: a process perspective
Proceedings of the 34th International Conference on Software Engineering
Taking satisfiability to the next level with z3
IJCAR'12 Proceedings of the 6th international joint conference on Automated Reasoning
Verifying security invariants in ExpressOS
Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems
Natural proofs for structure, data, and separation
Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation
Translation validation for a verified OS kernel
Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation
Comprehensive formal verification of an OS microkernel
ACM Transactions on Computer Systems (TOCS)
Hi-index | 0.00 |
Typed assembly language (TAL) and Hoare logic can verify the absence of many kinds of errors in low-level code. We use TAL and Hoare logic to achieve highly automated, static verification of the safety of a new operating system called Verve. Our techniques and tools mechanically verify the safety of every assembly language instruction in the operating system, run-time system, drivers, and applications (in fact, every part of the system software except the boot loader). Verve consists of a "Nucleus" that provides primitive access to hardware and memory, a kernel that builds services on top of the Nucleus, and applications that run on top of the kernel. The Nucleus, written in verified assembly language, implements allocation, garbage collection, multiple stacks, interrupt handling, and device access. The kernel, written in C# and compiled to TAL, builds higher-level services, such as preemptive threads, on top of the Nucleus. A TAL checker verifies the safety of the kernel and applications. A Hoare-style verifier with an automated theorem prover verifies both the safety and correctness of the Nucleus. Verve is, to the best of our knowledge, the first operating system mechanically verified to guarantee both type and memory safety. More generally, Verve's approach demonstrates a practical way to mix high-level typed code with low-level untyped code in a verifiably safe manner.