Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Zhen-jiang QIAN,Yong-jun LIU,Yu-feng YAO,Li TANG,Hao HUANG,Fang-min SONG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.01.035

2017-01-01

Abstract:The correctness of design and implementation of operating systems is difficult to be described with the traditional quantitative methods,because of the enormous size and complexity.This paper illustrates our method of formal design and verification of microkernel operating system.We construct the system model with the non-deterministic automaton in the assembly level,and use the Hoare triples to describe the previous and post conditions of the interface functions,as the definitions of function correctness.We take the module of memory management in the self-implemented VSOS (Verified Secure Operating System) as an example,to illustrate our formal method.Meanwhile,we formally describe the constructed memory management model and operation semantics of system behaviors in the Isabelle/HOL theorem prover,and verify the correctness of design and implementation of the memory management.The result shows that the method proposed is feasible and efficient.

Asankhaya Sharma

DOI: https://doi.org/10.48550/arXiv.1302.4796

2013-02-20

Abstract:Over the last several years the tools used for model checking have become more efficient and usable. This has enabled users to apply model checking to industrial-scale problems, however the task of validating the implementation of the model is usually much harder. In this paper we present an approach to do end to end verification and validation of a real time system using the SPIN model checker. Taking the example of the cardiac pacemaker system proposed in the SQRL Pacemaker Formal Methods Challenge we demonstrate our framework by building a formal model for the cardiac pacemaker in SPIN, checking for desirable temporal properties of the model (expressed as LTL formulas), generating C code from the model (by refinement of PROMELA) and validating the generated implementation (using SPIN). We argue that a state of the art model checking tool like SPIN can be used to do formal specification as well as validation of the implementation. To evaluate our approach we show that our pacemaker model is expressive enough to derive consistent operating modes and that the refinement rules preserve LTL properties.

Programming Languages,Software Engineering

GAO Yan-Yan,LI Xi,ZHOU Xue-Hai

2011-01-01

Abstract:Inter-process communication(IPC) mechanism is one of the key technologies of microkernel operating system.In this paper we present a formal method to model and verify the IPC implementation.The source code of L4 IPC implementation is translated into Abstract model which is described in Promela,and the Abstract model can be verified with Spin directly.The experimental results show the feasibility and practicality of the method.

YANG Jun,GE Hai-tong,ZHENG Fei-jun,YAN Xiao-lang

DOI: https://doi.org/10.3321/j.issn:1008-9497.2006.04.012

2006-01-01

Abstract:Being a formal verification method,model checking is used frequently in hardware and software design.Firstey the Kripke structure which is used to describe the behavior of a system and the CTL logic which is used to describe the property of a system were introduced.Then two model checking algorithms were introduced: one is the labeling algorithm,the other is the algorithm based on fixpoint.In the end,the symbolic model checking which can reduce the possibility of memory explosion was introduced.

Leping Zhang,Yongwang Zhao,Jianxin Li

DOI: https://doi.org/10.1007/978-3-031-57249-4_11

2024-01-01

Abstract:The L4 API (Application Programming Interface) is a core component of the operating system, which serves as the interface between user-level processes and the microkernel, facilitating communication and interaction. It is crucial to ensure the correctness and reliability of the API. This paper proposes a comprehensive formal specification and verification for the L4 microkernel API. The specification is reusable for all implementations on architectures supported by the microkernel. To further improve reusability (e.g., for the L4 family), a parameterized model is abstracted, which mainly includes variables related to L4 components and safety properties built on them. The desired properties are composed of 350 functional correctness and 39 safety properties, where the safety properties cover existing invariants of the microkernel. Several rewriting rules and reasoning steps are proposed for verification to improve proof efficiency. The proofs of the specification w.r.t these properties are accomplished in the theorem prover Isabelle/HOL, and the results show that all definitions, lemmas, and proofs pass the prover’s check. During modeling and verification, 10 bugs in the source code are found, all of which are fixed in this paper.

He Zhang,Gerwin Klein,Mark Staples,June Andronick,Liming Zhu,Rafal Kolanski

DOI: https://doi.org/10.1109/icssp.2012.6225979

2012-01-01

Abstract:The L4.verified project successfully completed a large-scale machine-checked formal verification at the code level of the functional correctness of the seL4 operating system microkernel. The project applied a middle-out process, which is significantly different from conventional software development processes. This paper reports a simulation model of this process; it is the first simulation model of a formal verification process. The model aims to support further understanding and investigation of the dynamic characteristics of the process and to support planning and optimization of future process enactment. We based the simulation model on a descriptive process model and information from project logs, meeting notes, and version control data over the project's history. Simulation results from the initial version of the model show the impact of complex coupling among the activities and artifacts, and frequent parallel as well as iterative work during execution. We examine some possible improvements on the formal verification process in light of the simulation results.

Tatsuya Abe,Tomoharu Ugawa,Toshiyuki Maeda,Kousuke Matsumoto

DOI: https://doi.org/10.48550/arXiv.1608.05893

2016-08-21

Software Engineering

Abstract:Software model checking suffers from the so-called state explosion problem, and relaxed memory consistency models even worsen this situation. What is worse, parameterizing model checking by memory consistency models, that is, to make the model checker as flexible as we can supply definitions of memory consistency models as an input, intensifies state explosion. This paper explores specific reasons for state explosion in model checking with multiple memory consistency models, provides some optimizations intended to mitigate the problem, and applies them to McSPIN, a model checker for memory consistency models that we are developing. The effects of the optimizations and the usefulness of McSPIN are demonstrated experimentally by verifying copying protocols of concurrent copying garbage collection algorithms. To the best of our knowledge, this is the first model checking of the concurrent copying protocols under relaxed memory consistency models.

Yongwang Zhao,David Sanan

2023-09-17

Abstract:Formal verification of concurrent operating systems (OSs) is challenging, in particular the verification of the dynamic memory management due to its complex data structures and allocation algorithm. An incorrect specification and implementation of the memory management may lead to system crashes or exploitable attacks. This article presents the first formal specification and mechanized proof of a concurrent memory management for a real-world OS concerning a comprehensive set of properties, including functional correctness, safety and security. To achieve the highest assurance evaluation level, we develop a fine-grained formal specification of the Zephyr RTOS buddy memory management, which closely follows the C code easing validation of the specification and the source code. The rely-guarantee-based compositional verification technique has been enforced over the formal model. To support formal verification of the security property, we extend our rely-guarantee framework PiCore by a compositional reasoning approach for integrity. Whilst the security verification of the design shows that it preserves the integrity property, the verification of the functional properties shows several problems. These verification issues are translated into finding three bugs in the C implementation of Zephyr, after inspecting the source code corresponding to the design lines breaking the properties.

Software Engineering

Yatin A. Manerkar,Daniel Lustig,Margaret Martonosi

DOI: https://doi.org/10.48550/arXiv.2003.04892

2020-03-09

Distributed, Parallel, and Cluster Computing

Abstract:Modern SoCs are heterogeneous parallel systems comprised of components developed by distinct teams and possibly even different vendors. The memory consistency model (MCM) of processors in such SoCs specifies the ordering rules which constrain the values that can be read by load instructions in parallel programs running on such systems. The implementation of required MCM orderings can span components which may be designed and implemented by many different teams. Ideally, each team would be able to specify the orderings enforced by their components independently and then connect them together when conducting MCM verification. However, no prior automated approach for formal hardware MCM verification provided this. To bring automated hardware MCM verification in line with the realities of the design process, we present RealityCheck, a methodology and tool for automated formal MCM verification of modular microarchitectural ordering specifications. RealityCheck allows users to specify their designs as a hierarchy of distinct modules connected to each other rather than a single flat specification. It can then automatically verify litmus test programs against these modular specifications. RealityCheck also provides support for abstraction, which enables scalable verification by breaking up the verification of the entire design into smaller verification problems. We present results for verifying litmus tests on 7 different designs using RealityCheck. These include in-order and out-of-order pipelines, a non-blocking cache, and a heterogeneous processor. Our case studies cover the TSO and RISC-V (RVWMO) weak memory models. RealityCheck is capable of verifying 98 RVWMO litmus tests in under 4 minutes each, and its capability for abstraction enables up to a 32.1% reduction in litmus test verification time for RVWMO.

Yunja Choi

DOI: https://doi.org/10.1002/stvr.1482

2012-08-29

Abstract:Model checking is an effective technique used to identify subtle problems in software safety using a comprehensive search algorithm. However, this comprehensiveness requires a large number of resources and is often too expensive to be applied in practice. This work strives to find a practical solution to model‐checking automotive operating systems for the purpose of safety analysis, with minimum requirements and a systematic engineering approach for applying the technique in practice. The paper presents methods for converting the Trampoline kernel code into formal models for the model checker SPIN, a series of experiments using an incremental verification approach, and the use of embedded C constructs for performance improvement. The conversion methods include functional modularization and treatment for hardware‐dependent code, such as memory access for context switching. The incremental verification approach aims at increasing the level of confidence in the verification even when comprehensiveness cannot be provided because of the limitations of the hardware resource. We also report on potential safety issues found in the Trampoline operating system during the experiments and present experimental evidence of the performance improvement using the embedded C constructs in SPIN. Copyright © 2012 John Wiley & Sons, Ltd. This paper presents methods for converting the Trampoline kernel code into formal models for the model checker SPIN and a series of experiments using an incremental verification approach. The conversion methods include functional modularization and treatment for hardware‐dependent code, such as memory access for context switching. It also reports on potential safety issues found in the Trampoline operating system during the experiments and presents experimental evidence of the performance improvement using the embedded C constructs in SPIN. Copyright © 2012 John Wiley & Sons, Ltd.

ZHANG Pin,LUO Gui-ming

2007-01-01

Journal of Computer Applications

Abstract:Unified Modeling Language(UML)is the most commonly used method in software system design and analysis,and how to verify that the UML model satisfies some properties is a very important issue.Model Checking is an efficient automatic technique for the improvement of system's reliability,and this paper is a research into how to check UML model through the Simple PROMELA Interpreter(SPIN)model-checker.After describing the UML model using formal method,we first used hierarchical automata to express statecharts diagram.In addition,we translated the statecharts and part of the class diagram into PROMELA based on the operational semantic of hierarchical automata,and verified the model by using Simple Promela Interpreter(SPIN)to test if it satisfied the LTL properties.We also verified the consistency between sequence diagram and statecharts diagram by using LTL formula to express sequence diagram.Finally,based on the method,we developed a model checker tool called UMLChecker.

Zhang Feng,Zhao Yongwang,Ma Dianfu,Niu Wensheng

DOI: https://doi.org/10.1109/isorc.2019.00013

2019-01-01

Abstract:Bugs in memory management of Operating Systems may lead to crashing. This paper presents a case study of formal verification on the buddy memory allocation component of the Zephyr RTOS kernel. The algorithm of the component allows memory blocks of 4-power sizes to be dynamically allocated by efficiently partitioning larger blocks into smaller ones, and then be released supporting immediate and automatic combining of smaller blocks. The execution of memory allocation is preemptive, which means that the allocation may invoke rescheduling when there is no block available for memory requests. In this paper, we provide a fine-grained formal specification of buddy memory allocation and formally verify its safety via invariants and functional correctness. The specification covers all the elements of the data structure as well as all statements of memory initialization, allocation, and release presented in the C source code. During the formal verification, we found a functional flaw in the C code. To the best of our knowledge, this paper is the first effort of formal verification at a fine-grained level on buddy memory allocation in Operating Systems.

Robert J. Colvin,Ian J. Hayes,Scott Heiner,Peter Höfner,Larissa Meinicke,Roger C. Su

2024-07-30

Abstract:Developers of low-level systems code providing core functionality for operating systems and kernels must address hardware-level features of modern multicore architectures. A particular feature is pipelined "out-of-order execution" of the code as written, the effects of which are typically summarised as a "weak memory model" - a term which includes further complicating factors that may be introduced by compiler optimisations. In many cases, the nondeterminism inherent in weak memory models can be expressed as micro-parallelism, i.e., parallelism within threads and not just between them. Fortunately Jones' rely/guarantee reasoning provides a compositional method for shared-variable concurrency, whether that be in terms of communication between top-level threads or micro-parallelism within threads. In this paper we provide an in-depth verification of the lock algorithm used in the seL4 microkernel, using rely/guarantee to handle both interthread communication as well as micro-parallelism introduced by weak memory models.

Logic in Computer Science

ZHANG Liang,YI Jiang-fang,TONG Dong,CHENG Xu,WANG Ke-yi

2011-01-01

Abstract:Simulation is the major technique used for processor verification.In the late of the verification process,simulation requires a lot of expert time and computer resources to verify residual complicated functional points,which slows down the verification progress.This paper introduces a test generation method based on model checking engine to address this problem.First,an abstract microprocessor model focuses on these uncovered functional points is constructed using local modeling strategy.Second,model checker reads this abstract model and automatically produces test generator directives.Finally,these directives guide random test generator to generate test programs that cover the specified functional points.Experiments on verifying PKUnity UniCore32 microprocessor demonstrated that this method spent little time to cover these uncovered coverage tasks and increased the verification efficiency.

Jade Alglave,Daniel Kroening,Vincent Nimal,Michael Tautschnig

DOI: https://doi.org/10.48550/arXiv.1207.7264

2012-07-30

Abstract:Despite multiprocessors implementing weak memory models, verification methods often assume Sequential Consistency (SC), thus may miss bugs due to weak memory. We propose a sound transformation of the program to verify, enabling SC tools to perform verification w.r.t. weak memory. We present experiments for a broad variety of models (from x86/TSO to Power/ARM) and a vast range of verification tools, quantify the additional cost of the transformation and highlight the cases when we can drastically reduce it. Our benchmarks include work-queue management code from PostgreSQL.

Logic in Computer Science,Software Engineering

June Andronick,Ross Jeffery,Gerwin Klein,Rafal Kolanski,Mark Staples,He Zhang,Liming Zhu

DOI: https://doi.org/10.1109/icse.2012.6227120

2012-01-01

Abstract:The L4.verified project was a rare success in large-scale, formal verification: it provided a formal, machine-checked, code-level proof of the full functional correctness of the seL4 microkernel. In this paper we report on the development process and management issues of this project, highlighting key success factors. We formulate a detailed descriptive model of its middle-out development process, and analyze the evolution and dependencies of code and proof artifacts. We compare our key findings on verification and re-verification with insights from other verification efforts in the literature. Our analysis of the project is based on complete access to project logs, meeting notes, and version control data over its entire history, including its long-term, ongoing maintenance phase. The aim of this work is to aid understanding of how to successfully run large-scale formal software verification projects.

Qian Ke,Chunlu Wang,Haixia Wang,Yongqiang Lyu,Zihan Xu,Dongsheng Wang

DOI: https://doi.org/10.1109/dsc55868.2022.00015

2022-01-01

Abstract:A new class of transient execution-based attacks, as known as Microarchitectural Data Sampling (MDS), were discovered in recent studies, such as RIDL, Fallout, and ZombieLoad, which have imposed severe threats to general-purpose processors. In MDS attacks, the attacker can steal the information from privileged CPU internal buffers, such as store buffers, line fill buffers, and load ports. To prevent these buffers from leaking information, processor vendors proposed mitigation via microcode update that overwrites CPU internal buffers as soon as the privilege levels are changed. However, the problem if a given architecture is safe against MDS attacks is still to be fully solved.In this study, we propose a formal verification method based on model checking to verify the microarchitectural security against MDS attacks. We formulate the MDS attacks as operation sequences, and set up a behavior model to describe the microarchitectural design correlated MDS attacks. A operation sequence is considered as an MDS attack if the operation sequence can obtain transient illegal data leaked from internal buffers during the operations. We enumerate all the possible sequences by binary decision diagram (BDD)-based statechart traversal, and output all the counterexamples. The experimental results show that the proposed method can sufficiently check the MDS attacks, and a kind of attack is detected to be able to bypass the mitigation proposed by Intel, which was contemporarily proposed as CacheOut attack.

Xiangpeng Zhao,Quan Long,Zongyan Qiu

DOI: https://doi.org/10.1007/11901433_24

2006-01-01

Abstract:UML is widely accepted and extensively used in software modeling. However, using different diagrams to model different aspects of a system brings the risk of inconsistency among diagrams. In this paper, we investigate an approach to check the consistency between the sequence diagrams and statechart diagrams using the SPIN model checker. To deal with the hierarchy structure of statechart diagrams, we propose a formalism called Split Automata, a variant of automata, which is helpful to bridge the statechart diagrams to SPIN efficiently. Compared with the existing work on model checking UML which do not have formal verification for their translation from UML to the model checker, we formally define the semantics and prove that the automatically translated model (i.e. Split Automata) does simulate the UML model. In this way, we can guarantee that the translated model does represent the original model.