Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Zhang Feng,Zhao Yongwang,Ma Dianfu,Niu Wensheng

DOI: https://doi.org/10.1109/isorc.2019.00013

2019-01-01

Abstract:Bugs in memory management of Operating Systems may lead to crashing. This paper presents a case study of formal verification on the buddy memory allocation component of the Zephyr RTOS kernel. The algorithm of the component allows memory blocks of 4-power sizes to be dynamically allocated by efficiently partitioning larger blocks into smaller ones, and then be released supporting immediate and automatic combining of smaller blocks. The execution of memory allocation is preemptive, which means that the allocation may invoke rescheduling when there is no block available for memory requests. In this paper, we provide a fine-grained formal specification of buddy memory allocation and formally verify its safety via invariants and functional correctness. The specification covers all the elements of the data structure as well as all statements of memory initialization, allocation, and release presented in the C source code. During the formal verification, we found a functional flaw in the C code. To the best of our knowledge, this paper is the first effort of formal verification at a fine-grained level on buddy memory allocation in Operating Systems.

Yongwang Zhao,David Sanán

DOI: https://doi.org/10.1007/978-3-030-25543-5_29

2019-01-01

Abstract:Formal verification of concurrent operating systems (OSs) is challenging, and in particular the verification of the dynamic memory management due to its complex data structures and allocation algorithm. Up to our knowledge, this paper presents the first formal specification and mechanized proof of a concurrent buddy memory allocation for a real-world OS. We develop a fine-grained formal specification of the buddy memory management in Zephyr RTOS. To ease validation of the specification and the source code, the provided specification closely follows the C code. Then, we use the rely-guarantee technique to conduct the compositional verification of functional correctness and invariant preservation. During the formal verification, we found three bugs in the C code of Zephyr.

Yu Zhang,Yongwang Zhao,David Sanán,Lei Qiao,Jinkun Zhang

DOI: https://doi.org/10.1007/978-3-030-35540-1_8

2019-01-01

Abstract:Formal verification of real-time services is important because they are usually associated with safety-critical systems. In this paper, we present a verified Two-Level Segregated Fit (TLSF) memory management model. TLSF is a dynamic memory allocator and is designed for real-time operating systems. We formalize the specification of TLSF algorithm based on the client requirements. The specification contains both functional correctness of allocation and free services and invariants and constraints of the global memory state. Then we implement an abstract TLSF memory allocator using state monads in Isabelle/HOL. The allocator model is built from a high-level view and the details of data structures are simplified but it covers all the behavioral principles and procedures of a concrete TLSF implementation. Finally, we verify that our TLSF model is correct w.r.t. the specification using a verification condition generator (VCG) and verification tools in Isabelle/HOL.

Yongwang Zhao,David Sanan

2023-09-17

Abstract:Formal verification of concurrent operating systems (OSs) is challenging, in particular the verification of the dynamic memory management due to its complex data structures and allocation algorithm. An incorrect specification and implementation of the memory management may lead to system crashes or exploitable attacks. This article presents the first formal specification and mechanized proof of a concurrent memory management for a real-world OS concerning a comprehensive set of properties, including functional correctness, safety and security. To achieve the highest assurance evaluation level, we develop a fine-grained formal specification of the Zephyr RTOS buddy memory management, which closely follows the C code easing validation of the specification and the source code. The rely-guarantee-based compositional verification technique has been enforced over the formal model. To support formal verification of the security property, we extend our rely-guarantee framework PiCore by a compositional reasoning approach for integrity. Whilst the security verification of the design shows that it preserves the integrity property, the verification of the functional properties shows several problems. These verification issues are translated into finding three bugs in the C implementation of Zephyr, after inspecting the source code corresponding to the design lines breaking the properties.

Software Engineering

Zhen-jiang QIAN,Yong-jun LIU,Yu-feng YAO,Li TANG,Hao HUANG,Fang-min SONG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.01.035

2017-01-01

Abstract:The correctness of design and implementation of operating systems is difficult to be described with the traditional quantitative methods,because of the enormous size and complexity.This paper illustrates our method of formal design and verification of microkernel operating system.We construct the system model with the non-deterministic automaton in the assembly level,and use the Hoare triples to describe the previous and post conditions of the interface functions,as the definitions of function correctness.We take the module of memory management in the self-implemented VSOS (Verified Secure Operating System) as an example,to illustrate our formal method.Meanwhile,we formally describe the constructed memory management model and operation semantics of system behaviors in the Isabelle/HOL theorem prover,and verify the correctness of design and implementation of the memory management.The result shows that the method proposed is feasible and efficient.

Sadegh Dalvandi,Brijesh Dongol

DOI: https://doi.org/10.48550/arXiv.2012.14133

2020-12-28

Abstract:Deductive verification of concurrent programs under weak memory has thus far been limited to simple programs over a monolithic state space. For scalabiility, we also require modular techniques with verifiable library abstractions. This paper addresses this challenge in the context of RC11 RAR, a subset of the C11 memory model that admits relaxed and release-acquire accesses, but disallows, so called, load-buffering cycles. We develop a simple framework for specifying abstract objects that precisely characterises the observability guarantees of abstract method calls. We show how this framework can be integrated with an operational semantics that enables verification of client programs that execute abstract method calls from a library it uses. Finally, we show how implementations of such abstractions in RC11 RAR can be verified by developing a (contextual) refinement framework for abstract objects. Our framework, including the operational semantics, verification technique for client-library programs, and simulation between abstract libraries and their implementations, has been mechanised in Isabelle/HOL.

Programming Languages,Logic in Computer Science

Sadegh Dalvandi,Brijesh Dongol

DOI: https://doi.org/10.48550/arXiv.2108.06944

2021-08-16

Abstract:Deductive verification of concurrent programs under weak memory has thus far been limited to simple programs over a monolithic state space. For scalability, we also require modular techniques with verifiable library abstractions. This paper addresses this challenge in the context of RC11 RAR, a subset of the C11 memory model that admits relaxed and release-acquire accesses, but disallows, so-called, load-buffering cycles. We develop a simple framework for specifying abstract objects that precisely characterises the observability guarantees of abstract method calls. We show how this framework can be integrated with an operational semantics that enables verification of client programs that execute abstract method calls from a library they use. Finally, we show how implementations of such abstractions in RC11 RAR can be verified by developing a (contextual) refinement framework for abstract objects. Our framework, including the operational semantics, verification technique for client-library programs, and simulation between abstract libraries and their implementations, has been mechanised in Isabelle/HOL.

Logic in Computer Science,Programming Languages

Steven Cheng,Lisa Higham,Jalal Kawash

DOI: https://doi.org/10.48550/arXiv.1306.0077

2013-06-01

Distributed, Parallel, and Cluster Computing

Abstract:Multiprocess systems, including grid systems, multiprocessors and multicore computers, incorporate a variety of specialized hardware and software mechanisms, which speed computation, but result in complex memory behavior. As a consequence, the possible outcomes of a concurrent program can be unexpected. A memory consistency model is a description of the behaviour of such a system. Abstract memory consistency models aim to capture the concrete implementations and architectures. Therefore, formal specification of the implementation or architecture is necessary, and proofs of correspondence between the abstract and the concrete models are required. This paper provides a case study of this process. We specify a new model, partition consistency, that generalizes many existing consistency models. A concrete message-passing network model is also specified. Implementations of partition consistency on this network model are then presented and proved correct. A middle level of abstraction is utilized to facilitate the proofs. All three levels of abstraction are specified using the same framework. The paper aims to illustrate a general methodology and techniques for specifying memory consistency models and proving the correctness of their implementations.

Ashish Darbari,Iain Singleton,Michael Butler,John Colley

DOI: https://doi.org/10.48550/arXiv.1605.04744

2016-05-16

Abstract:The HSA Foundation has produced the HSA Platform System Architecture Specification that goes a long way towards addressing the need for a clear and consistent method for specifying weakly consistent memory. HSA is specified in a natural language which makes it open to multiple ambiguous interpretations and could render bugs in implementations of it in hardware and software. In this paper we present a formal model of HSA which can be used in the development and verification of both concurrent software applications as well as in the development and verification of the HSA-compliant platform itself. We use the Event-B language to build a provably correct hierarchy of models from the most abstract to a detailed refinement of HSA close to implementation level. Our memory models are general in that they represent an arbitrary number of masters, programs and instruction interleavings. We reason about such general models using refinements. Using Rodin tool we are able to model and verify an entire hierarchy of models using proofs to establish that each refinement is correct. We define an automated validation method that allows us to test baseline compliance of the model against a suite of published HSA litmus tests. Once we complete model validation we develop a coverage driven method to extract a richer set of tests from the Event-B model and a user specified coverage model. These tests are used for extensive regression testing of hardware and software systems. Our method of refinement based formal modelling, baseline compliance testing of the model and coverage driven test extraction using the single language of Event-B is a new way to address a key challenge facing the design and verification of multi-core systems.

Logic in Computer Science,Software Engineering

Antonin Reitz,Aymeric Fromherz,Jonathan Protzenko

2024-03-14

Abstract:In this work, we present StarMalloc, a verified, security-oriented, concurrent memory allocator that can be used as a drop-in replacement in real-world projects. Using the Steel separation logic framework, we show how to specify and verify StarMalloc, relying on dependent types and modular abstractions to enable efficient verification. As part of StarMalloc, we also develop several generic datastructures and proof libraries directly reusable in future systems verification projects. We finally show that StarMalloc can be used with real-world projects, including the Firefox browser, and evaluate it against 10 state-of-the-art memory allocators, demonstrating its competitiveness.

Programming Languages,Cryptography and Security

Bouillaguet Quentin,Bobot François,Sighireanu Mihaela,Yakobowski Boris

DOI: https://doi.org/10.48550/arXiv.1811.12515

2018-11-30

Abstract:Cooperation between verification methods is crucial to tackle the challenging problem of software verification. The paper focuses on the verification of C programs using pointers and it formalizes a cooperation between static analyzers doing pointer analysis and a deductive verification tool based on first order logic. We propose a framework based on memory models that captures the partitioning of memory inferred by pointer analyses, and complies with the memory models used to generate verification conditions. The framework guided us to propose a pointer analysis that accommodates to various low-level operations on pointers while providing precise information about memory partitioning to the deductive verification. We implemented this cooperation inside the Frama-C platform and we show its effectiveness in reducing the task of deductive verification on a complex case study.

Programming Languages

Lara Bargmann,Heike Wehrheim

DOI: https://doi.org/10.48550/arXiv.2309.01433

2023-09-04

Abstract:Weak memory models specify the semantics of concurrent programs on multi-core architectures. Reasoning techniques for weak memory models are often specialized to one fixed model and verification results are hence not transferable to other memory models. A recent proposal of a generic verification technique based on axioms on program behaviour expressed via weakest preconditions aims at overcoming this specialization to dedicated models. Due to the usage of weakest preconditions, reasoning however takes place on a very low level requiring the application of numerous axioms for deriving program properties, even for a single statement. In this paper, we lift reasoning in this generic verification approach to a more abstract level. Based on a view-based assertion language, we provide a number of novel proof rules for directly reasoning on the level of program constructs. We prove soundness of our proof rules and exemplify them on the write-to-read causality (WRC) litmus test. A comparison to the axiom-based low-level proof reveals a significant reduction in the number of required proof steps.

Logic in Computer Science,Programming Languages

Sadegh Dalvandi,Brijesh Dongol,Simon Doherty

DOI: https://doi.org/10.48550/arXiv.2004.02983

2020-04-09

Abstract:Weak memory presents a new challenge for program verification and has resulted in the development of a variety of specialised logics. For C11-style memory models, our previous work has shown that it is possible to extend Hoare logic and Owicki-Gries reasoning to verify correctness of weak memory programs. The technique introduces a set of high-level assertions over C11 states together with a set of basic Hoare-style axioms over atomic weak memory statements (e.g., reads/writes), but retains all other standard proof obligations for compound statements. This paper takes this line of work further by showing Nipkow and Nieto's encoding of Owicki-Gries in the Isabelle theorem prover can be extended to handle C11-style weak memory models in a straightforward manner. We exemplify our techniques over several litmus tests from the literature and a non-trivial example: Peterson's algorithm adapted for C11. For the examples we consider, the proof outlines can be automatically discharged using the existing Isabelle tactics developed by Nipkow and Nieto. The benefit here is that programs can be written using a familiar pseudocode syntax with assertions embedded directly into the program.

Programming Languages,Logic in Computer Science

Robbert Krebbers

DOI: https://doi.org/10.1007/s10817-016-9369-1

2016-05-10

Journal of Automated Reasoning

Abstract:The core of a formal semantics of an imperative programming language is a memory model that describes the behavior of operations on the memory. Defining a memory model that matches the description of C in the C11 standard is challenging because C allows both high-level (by means of typed expressions) and low-level (by means of bit manipulation) memory accesses. The C11 standard has restricted the interaction between these two levels to make more effective compiler optimizations possible, at the expense of making the memory model complicated. We describe a formal memory model of the (non-concurrent part of the) C11 standard that incorporates these restrictions, and at the same time describes low-level memory operations. This formal memory model includes a rich permission model to make it usable in separation logic and supports reasoning about program transformations. The memory model and essential properties of it have been fully formalized using the Coq proof assistant.

computer science, artificial intelligence

Lennart Beringer,Gordon Stewart,Robert Dockins,Andrew W. Appel

DOI: https://doi.org/10.1007/978-3-642-54833-8_7

2014-01-01

Abstract:We present a new architecture for specifying and proving optimizing compilers in the presence of shared-memory interactions such as buffer-based system calls, shared-memory concurrency, and separate compilation. The architecture, which is implemented in the context of CompCert, includes a novel interaction-oriented model for C-like languages, and a new proof technique, called logical simulation relations, for compositionally proving compiler correctness with respect to this interaction model. We apply our techniques to CompCert’s primary memory-reorganizing compilation phase, Cminorgen. Our results are formalized in Coq, building on the recently released CompCert 2.0.

Simon Doherty,Brijesh Dongol,Heike Wehrheim,John Derrick

DOI: https://doi.org/10.1145/3293883.3295702

2019-02-16

Abstract:This paper develops an operational semantics for a release-acquire fragment of the C11 memory model with relaxed accesses. We show that the semantics is both sound and complete with respect to the axiomatic model of Batty et al. The semantics relies on a per-thread notion of observability, which allows one to reason about a weak memory C11 program in program order. On top of this, we develop a proof calculus for invariant-based reasoning, which we use to verify the release-acquire version of Peterson's mutual exclusion algorithm.

Malay K. Ganai,Aarti Gupta,Pranav Ashar

DOI: https://doi.org/10.48550/arXiv.0710.4666

2007-10-25

Logic in Computer Science

Abstract:We describe verification techniques for embedded memory systems using efficient memory modeling (EMM), without explicitly modeling each memory bit. We extend our previously proposed approach of EMM in Bounded Model Checking (BMC) for a single read/write port single memory system, to more commonly occurring systems with multiple memories, having multiple read and write ports. More importantly, we augment such EMM to providing correctness proofs, in addition to finding real bugs as before. The novelties of our verification approach are in a) combining EMM with proof-based abstraction that preserves the correctness of a property up to a certain analysis depth of SAT-based BMC, and b) modeling arbitrary initial memory state precisely and thereby, providing inductive proofs using SAT-based BMC for embedded memory systems. Similar to the previous approach, we construct a verification model by eliminating memory arrays, but retaining the memory interface signals with their control logic and adding constraints on those signals at every analysis depth to preserve the data forwarding semantics. The size of these EMM constraints depends quadratically on the number of memory accesses and the number of read and write ports; and linearly on the address and data widths and the number of memories. We show the effectiveness of our approach on several industry designs and software programs.

René Haberland

DOI: https://doi.org/10.48550/arXiv.1910.10176

2019-10-22

Logic in Computer Science

Abstract:The article provides an overview of the existing methods of dynamic memory verification; a comparative analysis is carried out; the applicability for solving problems of control, monitoring, and verification of dynamic memory is evaluated. This article is divided into eight sections. The first section introduces formal verification, followed by a section that discusses dynamic memory management problems. The third section discusses Hoare's calculus resumed by heap transformations to the stack. The fifth and sixth sections introduce the concept of dynamic memory shape analysis and the rotation of pointers. The seventh is on separation logic. The last section discusses possible areas of further research, particularly the recognition at recording level of various instances of objects; automation of proofs; "hot" code, that is, software code that updates itself when the program runs; expanding intuitiveness, for instance, on proof explanations.