IEEE Transactions on Software Engineering - Special issue on formal methods in software practice
Using model checking to debug device firmware
ACM SIGOPS Operating Systems Review - OSDI '02: Proceedings of the 5th symposium on Operating systems design and implementation
Using model checking to debug device firmware
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Applying source-code verification to a microkernel: the VFiasco project
EW 10 Proceedings of the 10th workshop on ACM SIGOPS European workshop
Formalising the L4 microkernel API
CATS '06 Proceedings of the 12th Computing: The Australasian Theroy Symposium - Volume 51
Running the manual: an approach to high-assurance microkernel development
Proceedings of the 2006 ACM SIGPLAN workshop on Haskell
HOTOS'05 Proceedings of the 10th conference on Hot Topics in Operating Systems - Volume 10
Towards multilaterally secure computing platforms-with open source and trusted computing
Information Security Tech. Report
A unified memory model for pointers
LPAR'05 Proceedings of the 12th international conference on Logic for Programming, Artificial Intelligence, and Reasoning
Formalising the L4 microkernel API
CATS '06 Proceedings of the Twelfth Computing: The Australasian Theory Symposium - Volume 51
| Hi-index | 0.00 |
The formal methods community has long known about the need to formally analyze concurrent software, but the operating systems (OS) community has been slow to adopt such methods. The foremost reasons for this are the cultural and knowledge gaps between formalists and OS hackers, fostered by three beliefs: inaccessibility of the tools, the disabling gap between the validated model and actual implementation, and the intractable size of OSs. In this paper, we show these beliefs to be untrue for appropriately structured OSs. We applied formal methods to verify properties of the implementation of the Fluke microkernel's IPC (interprocess communication) subsystem, a major component of the kernel. In particular, we have verified, in many scenarios, certain liveness properties and lack of deadlock, with results that apply to both SMP (scalable multiprocessor) and uniprocessor environments. The SPIN model checker provided an exhaustive concurrency analysis of the IPC subsystem, unattainable through traditional OS testing methods. SPIN is easily accessible to programmers inexperienced with formal methods. We present our results as a starting point for a more comprehensive inclusion of formal methods in practical OS development.