Safe to the last instruction

Jean Yang, Chris Hawblitzel
2011, Communications of the ACM (Association for Computing Machinery)
Typed assembly language (TAL) and Hoare logic can verify the absence of many kinds of errors in low-level code. We use TAL and Hoare logic to achieve highly automated, static verification of the safety of a new operating system called Verve. Our techniques and tools mechanically verify the safety of every assembly language instruction in the operating system, run-time system, drivers, and applications (in fact, every part of the system software except the boot loader). Verve consists of a Nucleus that provides primitive access to hardware and memory, a kernel that builds services on top of the Nucleus, and applications that run on top of the kernel. The Nucleus, written in verified assembly language, implements allocation, garbage collection, multiple stacks, interrupt handling, and device access. The kernel, written in C# and compiled to TAL, builds higher-level services, such as preemptive threads, on top of the Nucleus. A TAL checker verifies the safety of the kernel and applications. A Hoare-style verifier with an automated theorem prover verifies both the safety and correctness of the Nucleus. Verve is, to the best of our knowledge, the first operating system mechanically verified to guarantee both type and memory safety. More generally, Verve's approach demonstrates a practical way to mix high-level typed code with low-level untyped code in a verifiably safe manner.

[Figure 2. Building the Verve system: trusted, untrusted components. Labeled components: Beat compiler, BoogieAsm, Boogie/Z3, TAL checker, C# compiler, Bartok compiler, assembler, linker, ISO generator, BootLdr.exe; files Nucleus.beat, Nucleus.bpl, Spec.bpl, Kernel.cs, App.cs, Kernel.obj (x86), SafeOS.iso (bootable CD-ROM image).]

Beyond the TAL checker and Boogie/Z3 verifiers, Figure 2 shows additional components in Verve's trusted computing base: the assembler, the linker, the ISO CD-ROM image generator, and the boot loader. In addition, the trusted computing base includes the specification of correctness for the Nucleus's BoogiePL code. This includes specifications of the behavior of functions exported by the Nucleus, shown in Figure 1. (For example, the specification of "YieldTo" ensures that the Nucleus sets the stack pointer to the top of the correct stack during a yield.) It also includes specifications for assembly language instructions and for interaction with hardware devices and memory; we took some of these specifications from existing work [13], and wrote some of them from scratch. All Boogie specifications are written as first-order logic formulas in the BoogiePL language. By expressing and checking properties at a low level (assembly language), we can ensure non-trivial properties with high confidence. The bulk of this paper focuses on these properties, with an emphasis on the specification and verification of the Nucleus's correctness properties. The next section discusses the Nucleus's design, and subsequent sections discuss specification and verification.
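A small BoogiePL sketch in the style the paper describes, added here as an illustration and not taken from Verve's Spec.bpl or Nucleus.bpl: two x86 instructions are given pre- and postconditions as body-less procedures, and a YieldTo procedure carries the property mentioned above, that the stack pointer ends at the top of the target stack. The two-stack layout, the names StackTop, SavedEsp, Push and MovEsp, and the constants are assumptions.

```boogie
// Constructed BoogiePL model; not Verve's Spec.bpl or Nucleus.bpl.
// Machine state: the stack pointer register and word-addressed memory.
var esp: int;
var Mem: [int]int;

// Assumed layout: two equal-sized stacks placed back to back.
// StackTop(s) is the address just above stack s, where esp must sit
// when stack s is empty, i.e. right after a yield onto it.
const StackBase: int;
const StackSize: int;
axiom StackBase == 1048576 && StackSize == 4096;
function StackLo(s: int) : int { StackBase + s * StackSize }
function StackTop(s: int) : int { StackLo(s) + StackSize }
function ValidStack(s: int) : bool { s == 0 || s == 1 }

// Id of the running stack, and the parked esp of every other stack.
var current: int;
var SavedEsp: [int]int;

// Instructions are specified as body-less procedures; a BoogieAsm-style
// translation emits one call per assembly instruction, so an instruction
// whose precondition cannot be proved makes verification fail.
procedure Push(v: int);
  requires StackLo(current) + 4 <= esp && esp <= StackTop(current); // room on own stack
  modifies esp, Mem;
  ensures esp == old(esp) - 4 && Mem[esp] == v;
  ensures (forall a: int :: a != esp ==> Mem[a] == old(Mem[a]));

procedure MovEsp(v: int);
  modifies esp;
  ensures esp == v;

// The exported Nucleus operation with the correctness property from the
// text: after the yield, esp points at the top of the target stack.
procedure YieldTo(s: int)
  requires ValidStack(s) && ValidStack(current) && s != current;
  requires SavedEsp[s] == StackTop(s);         // target stack is parked empty
  modifies esp, current, SavedEsp;
  ensures esp == StackTop(s) && current == s;
  ensures SavedEsp[old(current)] == old(esp);   // the yielding stack's esp is saved
{
  SavedEsp[current] := esp;
  call MovEsp(SavedEsp[s]);
  current := s;
}
```

Boogie checks each call against the callee's precondition and each body against its postconditions, so a YieldTo body that left esp on the wrong stack, or a Push issued with esp at the stack's lower bound, is reported as a verification error rather than shipped.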
doi:10.1145/2043174.2043197 | fatcat:a45iryrgefgm3pvcmgtgcsflia