Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

YH Zhang,LN He,ZH Xu,XL Yan,LY Wang

DOI: https://doi.org/10.1109/icasic.2003.1277542

2003-01-01

Abstract:A reusable SoC verification environment is presented in this paper. This versatile environment, which is based on VSI Alliance IP bus standard, is in accordance with pervasive rules of IP reusing, and hence is suitable for varieties of designs. Through collaborating with other EDA tools, the environment has powerful capability to support HW/SW co-simulation and digital/analog co-simulation. To be user friendly, the environment is well organized to accommodate new IPs easily. It is configurable for verifications from system-level prototyping to gate level simulation. This environment works well for verifications of digital, analog and mixed-signal SoC designs.

CHEN Chao-chao,ZENG Qing-kai

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.11.044

2009-01-01

Abstract:【Abstract】Model checking is a technique that relies on building a finite model of the system and checks whether the desired properties hold in that model. The check is performed as an exhaustive state space search. This paper introducesa model for L4 microkernel memory management system, gives formal description for operations such as Grant, Map, Flush, proposes and verifies some safety properties using SPIN model checker. 【Key words】L4 microkernel; address space primitives; model check 计 算,,机 ,工 程 Computer Engineering 第 V 1 概述

Leping Zhang,Yongwang Zhao,Jianxin Li

DOI: https://doi.org/10.1007/978-3-031-57249-4_11

2024-01-01

Abstract:The L4 API (Application Programming Interface) is a core component of the operating system, which serves as the interface between user-level processes and the microkernel, facilitating communication and interaction. It is crucial to ensure the correctness and reliability of the API. This paper proposes a comprehensive formal specification and verification for the L4 microkernel API. The specification is reusable for all implementations on architectures supported by the microkernel. To further improve reusability (e.g., for the L4 family), a parameterized model is abstracted, which mainly includes variables related to L4 components and safety properties built on them. The desired properties are composed of 350 functional correctness and 39 safety properties, where the safety properties cover existing invariants of the microkernel. Several rewriting rules and reasoning steps are proposed for verification to improve proof efficiency. The proofs of the specification w.r.t these properties are accomplished in the theorem prover Isabelle/HOL, and the results show that all definitions, lemmas, and proofs pass the prover’s check. During modeling and verification, 10 bugs in the source code are found, all of which are fixed in this paper.

Shan Zhou,Jinbo Wang,Jiao Jia,Chi Zhang,Ruixue Wang

DOI: https://doi.org/10.1109/tr.2022.3166548

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:System on programmable chip (SOPC) is a kind of system on a programmable chip. The system architecture is superior to the traditional design pattern. The system has an on-chip bus between the processor and the programmable logic, which forms a high bandwidth, low latency, connection, and has rich flexible customization of IP. It also has advantages of low power consumption and high performance. The application in the field of high reliable proportion rising year by year. However, the change of system architecture and the expansion of software scale have brought great impact on the simulation test method and the physical test method. The existing dynamic testing methods are based on limited testing scenarios to investigate the system. It is difficult to find hidden errors in the design of complex connection segments, such as the errors in the on-chip bus transmission, the errors in the hardware and software coupling, and so on. Due to system scale of the state-space explosion problem and various forms IP, SOPC cannot apply formal verification techniques. In this article, we propose a SOPC formalized validation framework. It is based on polymorphous IP abstraction modeling, common formal properties analysis, and modeling methods in system architecture and other high-risk areas. The experimental results show that the proposed algorithm and the established SOPC formal verification framework can introduce the formal verification technique to SOPC high-risk area verification, and it can be used as the guidance of SOPC formal verification.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Adriana Nicolae,Paul Irofti,Ioana Leustean

2023-11-07

Abstract:The seL4 microkernel is currently the only kernel that has been fully formally verified. In general, the increased interest in ensuring the security of a kernel's code results from its important role in the entire operating system. One of the basic features of an operating system is that it abstracts the handling of devices. This abstraction is represented by device drivers - the software that manages the hardware. A proper verification of the software component could ensure that the device would work properly unless there is a hardware <a class="link-external link-http" href="http://failure.In" rel="external noopener nofollow">this http URL</a> this paper, we choose to model the behavior of a device driver and build the proof that the code implementation matches the expected behavior. The proof was written in Isabelle/HOL, the code translation from C to Isabelle was done automatically by the use of the C-to-Isabelle Parser and AutoCorres tools. We choose Isabelle theorem prover because its efficiency was already shown through the verification of seL4 microkernel.

Cryptography and Security,Logic in Computer Science,Operating Systems

Robert J. Colvin,Ian J. Hayes,Scott Heiner,Peter Höfner,Larissa Meinicke,Roger C. Su

2024-07-30

Abstract:Developers of low-level systems code providing core functionality for operating systems and kernels must address hardware-level features of modern multicore architectures. A particular feature is pipelined "out-of-order execution" of the code as written, the effects of which are typically summarised as a "weak memory model" - a term which includes further complicating factors that may be introduced by compiler optimisations. In many cases, the nondeterminism inherent in weak memory models can be expressed as micro-parallelism, i.e., parallelism within threads and not just between them. Fortunately Jones' rely/guarantee reasoning provides a compositional method for shared-variable concurrency, whether that be in terms of communication between top-level threads or micro-parallelism within threads. In this paper we provide an in-depth verification of the lock algorithm used in the seL4 microkernel, using rely/guarantee to handle both interthread communication as well as micro-parallelism introduced by weak memory models.

Logic in Computer Science

Xing Xianglei,Zhou Yu,Du Sidan

DOI: https://doi.org/10.3969/j.issn.1000-386X.2009.05.004

2009-01-01

Abstract:Inter-processor communication is a main problem in embedded applications adopting SMP(Symmetrical multi-processing)system.Based on the study of the inter-processor communication mechanism of ARM11 MPCore processor,in this article it analyzes the implementation of this mechanism in depth with linux-2.6.19.The corresponding validation has been done on the RealView Emulation Baseboard.The result of the experiment indicates that the inter-processor communication mechanism can reduce the interactive time of multithreading down to 16.7% of the original,sequentially this raises the performance of the parallel computation system.

GONG Li-min,LI Tian-ning,MAO Bing,XIE Jun-yuan

DOI: https://doi.org/10.3969/j.issn.1001-3695.2001.04.011

2001-01-01

Abstract:In this paper, we narrate the structure and implement of message queue, share memory and semaphore, and then introduce our model for mandatory access control which guarantees higher security property of Linux system.

Zhen-jiang QIAN,Yong-jun LIU,Yu-feng YAO,Li TANG,Hao HUANG,Fang-min SONG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.01.035

2017-01-01

Abstract:The correctness of design and implementation of operating systems is difficult to be described with the traditional quantitative methods,because of the enormous size and complexity.This paper illustrates our method of formal design and verification of microkernel operating system.We construct the system model with the non-deterministic automaton in the assembly level,and use the Hoare triples to describe the previous and post conditions of the interface functions,as the definitions of function correctness.We take the module of memory management in the self-implemented VSOS (Verified Secure Operating System) as an example,to illustrate our formal method.Meanwhile,we formally describe the constructed memory management model and operation semantics of system behaviors in the Isabelle/HOL theorem prover,and verify the correctness of design and implementation of the memory management.The result shows that the method proposed is feasible and efficient.

LI Kang-jie,QIAN Zhen-jiang,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2013.03.044

2013-01-01

Computer Science

Abstract:It is difficult to describe the correctness and security of the operate system(OS) by quantitative analysis.Formal method is the acknowledged standard one in design and verification for OS.Based on the operate system object semantics model(OSOSM),we designed and verified the interruption mechanism of microkernel architecture using formal method,which was realized on our self-implemented verified trusted operate system(VTOS).Meanwhile,we used the theorem prover Isabelle/HOL to formally describe the design process,and verify the integrality of the interruption mechanism of VTOS.Our research plays certain referential significance on formal design and verification of OS.

Yun-min ZHU,Li-wei ZHANG,Sheng-yuan WANG,Yuan DONG,Su-qin ZHANG

DOI: https://doi.org/10.3321/j.issn:0372-2112.2009.z1.001

2009-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:2 Abstract As the multi-core processor is widely used and advanced high-trusted software is required, the verification of parallel programs for multi-core processor becomes more and more important. This paper presents a proof framework about the verification of parallel programs, including the definition of our abstract machine, the formal specification for object code, logic inference rules and the proof of soundness theory. We certify the code at an assembly-level directly in order to disregard the correctness of compilers. The classic spin-lock technology is introduced to implement the mutually exclusive access to shared memory. Our proof framework supports Hoare-logic style reasoning. In addition, we use high-order logic to describe both operational semantics and security-policy, so the partial correctness of multi-core parallel programs can be verified in our system.

Qiang Zhang,Jianzhong Qiao,Qingyang Meng,Yu Chen

DOI: https://doi.org/10.1016/j.cose.2020.101733

IF: 5.105

2020-01-01

Computers & Security

Abstract:Formal verification of an OS kernel is widely considered a major challenge; however, traditional interactive theorem provers used in OS kernel verification require manually written proofs and come with a non-trivial cost. In this paper, we propose a formal verification framework to build a verifiably correct OS kernel, named iv6, with a high degree of proof automation and a low burden of proof. Using this framework, programmers only need to write the specification as required, and it can be translated into the corresponding implementation of C code automatically. The verification framework can guarantee that the behaviour of the implementation code adheres to its specifications. Iv6 introduces four key ideas to achieve proof automation: its interfaces and corresponding specifications are designed to be finite to avoid unbounded loops or recursion; it separates kernel and user address spaces using a kernel page table isolation approach to simplify reasoning about virtual memory; it partitions the modules of a kernel state machine according to a state transition function to improve verification performance; and to avoid modelling complicated C semantics, it performs verification at the LLVM intermediate representation level. A total of 48 system calls and some high-level system properties in iv6 have been verified using this method. Experience shows that this framework can reduce the impact of human error on kernel development and make the verification of iv6 more efficient and straightforward.

Zhiyong Shan,Yang Yu,Tzi-cker Chiueh

DOI: https://doi.org/10.48550/arXiv.1609.04781

2016-09-15

Operating Systems

Abstract:As OS-level virtualization technology usually imposes little overhead on virtual machine start-up and running, it provides an excellent choice for building intrusion/fault tolerant applications that require redundancy and frequent invocation. When developing Windows OS-level virtual machine, however, people will inevitably face the challenge of confining Windows Inter-Process Communications (IPC). As IPC on Windows platform is more complex than UNIX style OS and most of the programs on Windows are not open-source, it is difficult to discover all of the performed IPCs and confine them. In this paper, we propose three general principles to confine IPC on Windows OS and a novel IPC confinement mechanism based on the principles. With the mechanism, for the first time from the literature, we successfully virtualized RPC System Service (RPCSS) and Internet Information Server (IIS) on Feather-weight Virtual Machine (FVM). Experimental results demonstrate that multiple IIS web server instances can simultaneously run on single Windows OS with much less performance overhead than other popular VM technology, offering a good basis for constructing dependable system.

He Zhang,Gerwin Klein,Mark Staples,June Andronick,Liming Zhu,Rafal Kolanski

DOI: https://doi.org/10.1109/icssp.2012.6225979

2012-01-01

Abstract:The L4.verified project successfully completed a large-scale machine-checked formal verification at the code level of the functional correctness of the seL4 operating system microkernel. The project applied a middle-out process, which is significantly different from conventional software development processes. This paper reports a simulation model of this process; it is the first simulation model of a formal verification process. The model aims to support further understanding and investigation of the dynamic characteristics of the process and to support planning and optimization of future process enactment. We based the simulation model on a descriptive process model and information from project logs, meeting notes, and version control data over the project's history. Simulation results from the initial version of the model show the impact of complex coupling among the activities and artifacts, and frequent parallel as well as iterative work during execution. We examine some possible improvements on the formal verification process in light of the simulation results.

ZHANG Liang,YI Jiang-fang,TONG Dong,CHENG Xu,WANG Ke-yi

2011-01-01

Abstract:Simulation is the major technique used for processor verification.In the late of the verification process,simulation requires a lot of expert time and computer resources to verify residual complicated functional points,which slows down the verification progress.This paper introduces a test generation method based on model checking engine to address this problem.First,an abstract microprocessor model focuses on these uncovered functional points is constructed using local modeling strategy.Second,model checker reads this abstract model and automatically produces test generator directives.Finally,these directives guide random test generator to generate test programs that cover the specified functional points.Experiments on verifying PKUnity UniCore32 microprocessor demonstrated that this method spent little time to cover these uncovered coverage tasks and increased the verification efficiency.

Mitul S Nagar,Haresh A Suthar,Chintan Panchal

DOI: https://doi.org/10.48550/arXiv.2009.00223

2020-09-01

Hardware Architecture

Abstract:Today's microprocessors have grown significantly in complexity and functionality. Most of today's processors provide at least three levels of memory hierarchy, are heavily pipelined, and support some sort of cache coherency protocol. These features are extremely complex and sophisticated, and present their own set of unique verification challenges. Verification is clearly not a point tool, but is part of a process that starts from initial product conception and is to some degrees complete when the product goes to market. Functional verification is necessary to verify the functionality at RTL level. Complex micro-processors like ARM are high performance, low cost and low power 32-bit RISC processors. In our paper complex microprocessor is ARM cortex M3, developed for the embedded applications having low interrupt latency, low gate count, 3- stage pipelining, branch prediction, THUMB and THUMB-2 instruction set. Functional verification is used to verify that the circuit full fills each abstract assertion under the implementation mapping. we explore several aspects of processor design, including caches, pipeline depth, ALUs, and bypass logic.The verification was done concurrently with the design implementation of the processor.

Ding Xie,He Hu,Zhang Yanjun,Sun Yihe,Yu Yongkang

DOI: https://doi.org/10.1109/icasic.2005.1611418

2005-01-01

Abstract:Microprocessor cores are a big challenge in the verification field because of their complexity and specific applications. Simulation-based test vector generator μGP can generate test set more efficiently than a random approach without need of skilled engineers. In this paper we establish our verification of a 9-stage pipelined DSP with VLIW architecture on assistance of a test program generator. By adding a few manual test vectors statement coverage can attain up to 99.9%. This result shows the feasibility and effectiveness of our method. ©2005 IEEE.

Xie Z.,Wang T.,Yong S.,Chen X.,Su J.,Wang X.

DOI: https://doi.org/10.13209/j.0479-8023.2014.031

2014-01-01

Abstract:With a verification environment based on the UVM (universal verification Methodology) verification methodology and UVM1.1 standard library, building a reference model through the aspect-oriented paradigm and separation of properties of function, timing and structure and generating the high functional coverage test cases based on knowledge base at the transaction level, the integrated verification platform took the PKU-DSPII as example, to implement RISC CPU-oriented functional verification and domain reuse. Experimental results show that the reusability is enhanced significantly and the coverage efficiency of the test cases improves about 7% relatively.