Separation Logic: A Logic for Shared Mutable Data Structures
LICS '02 Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science
Separation and information hiding
Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Modular verification of assembly code with stack-based control abstractions
Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
A general framework for certifying garbage collectors and their mutators
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Local Action and Abstract Separation Logic
LICS '07 Proceedings of the 22nd Annual IEEE Symposium on Logic in Computer Science
Towards a practical, verified kernel
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Certifying low-level programs with hardware interrupts and preemptive threads
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
VSTTE '08 Proceedings of the 2nd international conference on Verified Software: Theories, Tools, Experiments
Journal of Automated Reasoning
seL4: formal verification of an OS kernel
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Formal pervasive verification of a paging mechanism
TACAS'08/ETAPS'08 Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems
CertiKOS: a certified kernel for secure cloud computing
Proceedings of the Second Asia-Pacific Workshop on Systems
On the correctness of operating system kernels
TPHOLs'05 Proceedings of the 18th international conference on Theorem Proving in Higher Order Logics
Hi-index | 0.00 |
A virtual memory manager (VMM) is a part of an operating system that provides the rest of the kernel with an abstract model of memory. Although small in size, it involves complicated and interdependent invariants that make monolithic verification of the VMM and the kernel running on top of it difficult. In this paper, we make the observation that a VMM is constructed in layers: physical page allocation, page table drivers, address space API, etc., each layer providing an abstraction that the next layer utilizes. We use this layering to simplify the verification of individual modules of VMM and then to link them together by composing a series of small refinements. The compositional verification also supports function calls from less abstract layers into more abstract ones, allowing us to simplify the verification of initialization functions as well. To facilitate such compositional verification, we develop a framework that assists in creation of verification systems for each layer and refinements between the layers. Using this framework, we have produced a certification of BabyVMM, a small VMM designed for simplified hardware. The same proof also shows that a certified kernel using BabyVMM's virtual memory abstraction can be refined following a similar sequence of refinements, and can then be safely linked with BabyVMM. Both the verification framework and the entire certification of BabyVMM have been mechanized in the Coq Proof Assistant.