Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

XiaoHui Sun,JinLin Wang,Xiao Chen

DOI: https://doi.org/10.1109/rtc.2007.4382781

2007-01-01

Abstract:Memory management has become an important part in developing real-time and embedded applications. The conventional dynamic storage allocation (DSA) algorithms have been considered inappropriate for real-time applications due to the unbounded response time and fragmentation problem. There are some new allocators designed to meet the requirements nowadays. Two-Level Segregated Fit memory allocator (TLSF) was proposed and widely used in the Real-Time Operating Systems (RTOS) like RTLinux. It has a bounded response time and quite good performance. However, there are still some problems with this algorithm and it could be improved. Here we discuss some improvements of the TLSF algorithm. Experiments show it has low fragmentation and faster response time.

Ke Jiang,David Sanan,Yongwang Zhao,Shuanglong Kan,Yang Liu

DOI: https://doi.org/10.1109/iceccs.2019.00023

2019-01-01

Abstract:Buddy memory allocation algorithms are widely adopted by various memory management systems for managing memory layouts. Rigorous mathematical proofs provide strong assurance to improve the confidence on the reliability of a memory management system. In this paper, we model and formally verify, in the interactive theorem prover Isabelle/HOL, a buddy memory allocation model, which preserves functional correctness and security properties. Firstly, we construct a specification consisting of operations to allocate and dispose memory blocks according to a buddy memory allocation algorithm. Then we verify that the specification preserves key invariants over the memory to guarantee functional correctness of the algorithm. Finally, we verify that the specification also preserves the integrity of the memory. Therefore, they do not affect other memory blocks previously allocated.

Antonin Reitz,Aymeric Fromherz,Jonathan Protzenko

2024-03-14

Abstract:In this work, we present StarMalloc, a verified, security-oriented, concurrent memory allocator that can be used as a drop-in replacement in real-world projects. Using the Steel separation logic framework, we show how to specify and verify StarMalloc, relying on dependent types and modular abstractions to enable efficient verification. As part of StarMalloc, we also develop several generic datastructures and proof libraries directly reusable in future systems verification projects. We finally show that StarMalloc can be used with real-world projects, including the Firefox browser, and evaluate it against 10 state-of-the-art memory allocators, demonstrating its competitiveness.

Programming Languages,Cryptography and Security

Yongwang Zhao,David Sanan

2023-09-17

Abstract:Formal verification of concurrent operating systems (OSs) is challenging, in particular the verification of the dynamic memory management due to its complex data structures and allocation algorithm. An incorrect specification and implementation of the memory management may lead to system crashes or exploitable attacks. This article presents the first formal specification and mechanized proof of a concurrent memory management for a real-world OS concerning a comprehensive set of properties, including functional correctness, safety and security. To achieve the highest assurance evaluation level, we develop a fine-grained formal specification of the Zephyr RTOS buddy memory management, which closely follows the C code easing validation of the specification and the source code. The rely-guarantee-based compositional verification technique has been enforced over the formal model. To support formal verification of the security property, we extend our rely-guarantee framework PiCore by a compositional reasoning approach for integrity. Whilst the security verification of the design shows that it preserves the integrity property, the verification of the functional properties shows several problems. These verification issues are translated into finding three bugs in the C implementation of Zephyr, after inspecting the source code corresponding to the design lines breaking the properties.

Software Engineering

Zhang Feng,Zhao Yongwang,Ma Dianfu,Niu Wensheng

DOI: https://doi.org/10.1109/isorc.2019.00013

2019-01-01

Abstract:Bugs in memory management of Operating Systems may lead to crashing. This paper presents a case study of formal verification on the buddy memory allocation component of the Zephyr RTOS kernel. The algorithm of the component allows memory blocks of 4-power sizes to be dynamically allocated by efficiently partitioning larger blocks into smaller ones, and then be released supporting immediate and automatic combining of smaller blocks. The execution of memory allocation is preemptive, which means that the allocation may invoke rescheduling when there is no block available for memory requests. In this paper, we provide a fine-grained formal specification of buddy memory allocation and formally verify its safety via invariants and functional correctness. The specification covers all the elements of the data structure as well as all statements of memory initialization, allocation, and release presented in the C source code. During the formal verification, we found a functional flaw in the C code. To the best of our knowledge, this paper is the first effort of formal verification at a fine-grained level on buddy memory allocation in Operating Systems.

Zhen-jiang QIAN,Yong-jun LIU,Yu-feng YAO,Li TANG,Hao HUANG,Fang-min SONG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.01.035

2017-01-01

Abstract:The correctness of design and implementation of operating systems is difficult to be described with the traditional quantitative methods,because of the enormous size and complexity.This paper illustrates our method of formal design and verification of microkernel operating system.We construct the system model with the non-deterministic automaton in the assembly level,and use the Hoare triples to describe the previous and post conditions of the interface functions,as the definitions of function correctness.We take the module of memory management in the self-implemented VSOS (Verified Secure Operating System) as an example,to illustrate our formal method.Meanwhile,we formally describe the constructed memory management model and operation semantics of system behaviors in the Isabelle/HOL theorem prover,and verify the correctness of design and implementation of the memory management.The result shows that the method proposed is feasible and efficient.

Yongwang Zhao,David Sanán

DOI: https://doi.org/10.1007/978-3-030-25543-5_29

2019-01-01

Abstract:Formal verification of concurrent operating systems (OSs) is challenging, and in particular the verification of the dynamic memory management due to its complex data structures and allocation algorithm. Up to our knowledge, this paper presents the first formal specification and mechanized proof of a concurrent buddy memory allocation for a real-world OS. We develop a fine-grained formal specification of the buddy memory management in Zephyr RTOS. To ease validation of the specification and the source code, the provided specification closely follows the C code. Then, we use the rely-guarantee technique to conduct the compositional verification of functional correctness and invariant preservation. During the formal verification, we found three bugs in the C code of Zephyr.

David Sanan,Liu Yang,Zhao Yongwang,Xing Zhenchang,Mike Hinchey

DOI: https://doi.org/10.1109/iceccs.2015.23

2015-01-01

Abstract:In order to facilitate proof of correctness, micro-kernels are based on simplicity, providing an application only with the minimal set of features it needs in order to to work. However, simplicity alone does not guarantee the absence of bugs and software errors, and the complexity of an OS often makes such problems difficult to find and fix. In this work, we prove the functional correctness of an abstract model for the C implementation of the cyclic linked list in the real-time micro-kernel FreeRTOS, which is used in the FreeRTOS scheduler, its correctness being of critical importance for the real-time properties of FreeRTOS. The formal specification of the functional properties of FreeRTOS also provides a guide for a correct use of the functions that the implementation provides, since it lacks checks on the data. Additionally, we prove the correctness of the machine code resulting from compiling the implementation targeting the ARM architecture. Following a verification approach based on refinement, we first construct the abstract model of the implementation, where we prove both the cyclic linked list invariant and the correctness of the implementation behaviour for any list in the heap using separation logic. Second, we leverage existing machine code verification frameworks to get a HOL model of the FreeRTOS linked list compiled machine code, and we apply forward simulation to prove that such a machine code model refines the abstract model, and therefore satisfies the properties already proven over the specification.

Yong Li,Yu Zhang,Yi-Yun Chen,Ming Fu

DOI: https://doi.org/10.1007/s11390-010-9369-2

2010-01-01

Abstract:Transactional memory (TM) is an easy-using parallel programming model that avoids common problems associated with conventional locking techniques. Several researchers have proposed a large amount of alternative hardware and software TM implementations. However, few ones focus on formal reasoning about these TM programs. In this paper, we propose a framework at assembly level for reasoning about lazy software transactional memory (STM) programs. First, we give a software TM implementation based on lightweight locks. These locks are also one part of the shared memory. Then we define the semantics of the model operationally, and the lightweight locks in transaction are non-blocking, avoiding deadlocks among transactions. Finally we design a logic — a combination of permission accounting in separation logic and concurrent separation logic — to verify various properties of concurrent programs based on this machine model. The whole framework is formalized using a proof-carrying-code (PCC) framework.

Rui Guo,Hong An,Ruiling Dou,Ming Cong,Yaobin Wang,Qi Li

DOI: https://doi.org/10.1109/apcsac.2008.4625443

2008-01-01

Abstract:Thread level speculation (TLS) and transactional memory (TM) are both proposed to address the problem of productivity in multi-core era. Both of them require similar underlying support. In this paper we propose a low-design-complexity approach to effective unified support for both TLS & TM, by extending a scalable TM model to support TLS. The baseline TM model chosen is LogTM. A distributed hardware arbitration mechanism is also proposed to intensify scalability. This method takes advantage of hardware resources introduced by TM, resulting simplified hardware design. Moreover it provides rich semantics of both TLS and TM to programmers.Five representative benchmarks have been adopted to evaluate performance characteristics of our TLS model under different memory access patterns. Influence of design choices such as interconnection is also studied. The evaluation shows that the new system performs well in most of the benchmarks in spite of its simplicity, resulting average region speedups around 3.5 at four threads.

Sadegh Dalvandi,Brijesh Dongol

DOI: https://doi.org/10.48550/arXiv.2208.00315

2022-07-30

Programming Languages

Abstract:Transactional memory (TM) is an intensively studied synchronisation paradigm with many proposed implementations in software and hardware, and combinations thereof. However, TM under relaxed memory, e.g., C11 (the 2011 C/C++ standard) is still poorly understood, lacking rigorous foundations that support verifiable implementations. This paper addresses this gap by developing TMS2-RA, a relaxed operational TM specification. We integrate TMS2-RA with RC11 (the repaired C11 memory model that disallows load-buffering) to provide a formal semantics for TM libraries and their clients. We develop a logic, TARO, for verifying client programs that use TMS2-RA for synchronisation. We also show how TMS2-RA can be implemented by a C11 library, TML-RA, that uses relaxed and release-acquire atomics, yet guarantees the synchronisation properties required by TMS2-RA. We benchmark TML-RA and show that it outperforms its sequentially consistent counterpart in the STAMP benchmarks. Finally, we use a simulation-based verification technique to prove correctness of TML-RA. Our entire development is supported by the Isabelle/HOL proof assistant.

Gongming Li,Hong An,Qi Li,Bobin Deng,Wenbo Dai

DOI: https://doi.org/10.1109/icpads.2012.77

2014-01-01

Abstract:Thread-Level Speculation (TLS) was researched to automatically parallelize portions of serial programs for execution, and transactional memory (TM) was studied as a promising alternative of lock for parallel programming due to its simplicity. Both TLS and TM require similar underlying support. In the paper, we present SeTM (Sequential Transactional Memory), a hardware enhanced TM system which supports TLS at minor extra cost. Signature is an effective way to buffer speculative states in TM and TLS. But it cripples TM and TLS performance due to its false-positive in terms of conflict detection, especially for conflict-intensive TLS. SeTM adopts R/W bits and signature concurrently to ameliorate this bad influence. Additionally, SeTM introduces fast rollback mechanism, which provides fast abort recovery for eager log-based HTM and TLS. The most important contribution of SeTM is conflict-tolerant mechanism, which tolerates some ambiguous data conflicts in TLS. Six representative benchmarks have been adopted to evaluate our model. Our experimental results show that our scheme improves the execution performance of most tested codes at a modest hardware cost. For a set of important scientific loops, we report the highest speedup of 6.5 with 15 cores. Besides, experimental results also show good scalability of SeTM system.

Yang Zheng,Lei Hang

DOI: https://doi.org/10.23940/ijpe.19.11.p19.29983007

2019-01-01

International Journal of Performability Engineering

Abstract:Blockchain technology is one of the newest technologies in computer science and has been employed in many important fields. The correctness verification of smart contracts must be protected by the most reliable technology. One of the most reliable methods for s the security and reliability of smart contracts is a formal symbolic virtual machine based on higher-order logic proof system. Therefore, the present work proposes a formal specification framework of memory architecture as the basis for the symbolic execution and theorem proving combination. The framework is independent and customizable. It formalizes logic addresses, nonintrusive application programming interfaces, physical memory structures, and auxiliary tools in Coq. Simple case studies are employed to demonstrate its effectiveness. Finally, the proposed GERM framework is verified in Coq.

Hongyu Fan,Zhihang Sun,Fei He

DOI: https://doi.org/10.1145/3579835

IF: 1.714

2023-01-01

ACM Transactions on Programming Languages and Systems

Abstract:Automatically verifying multi-threaded programs is difficult because of the vast number of thread interleavings, a problem aggravated by weak memory consistency. Partial orders can help with verification because they can represent many thread interleavings concisely. However, there is no dedicated decision procedure for solving partial-order constraints. In this article, we propose a novel ordering consistency theory for concurrent program verification that is applicable not only under sequential consistency, but also under the TSO and PSO weak memory models. We further develop an efficient theory solver, which checks consistency incrementally, generates minimal conflict clauses, and includes a custom propagation procedure. We have implemented our approach in a tool, called Zord , and have conducted extensive experiments on the SV-COMP 2020 ConcurrencySafety benchmarks. Our experimental results show a significant improvement over the state-of-the-art.

Sharar Ahmadi,Brijesh Dongol,Matt Griffin

DOI: https://doi.org/10.1016/j.scico.2024.103088

IF: 1.039

2024-01-30

Science of Computer Programming

Abstract:Security-critical applications often rely on memory isolation mechanisms to ensure integrity of critical data (e.g., keys) and program instructions (e.g., implementing an attestation protocol). These include software-based security microvisor S μV or hardware-based (e.g., TrustLite or SMART) techniques. Here, we must guarantee that during an execution of a program, none of the assembly-level instructions corresponding to the program violate the imposed memory access restrictions. We focus on two security architectures (S μV and TrustLite). We use Binary Analysis Platform (BAP) to generate assembly-level code in an intermediate language (BIL) for a compiled C program. This is then translated to Isabelle/HOL theories. We develop an operational semantics by defining a collection of transition rules for a subset of BIL (called AIRv2) that is sufficient for our work. We develop an adversary model and define conformance predicates for each assembly-level instruction. A conformance predicate holds iff the associated memory access restriction imposed by the underlying security architecture is satisfied. We generate a set of programs covering all possible cases in which an assembly-level instruction attempts to violate at least one of the conformance predicates. For S μV, we capture all such violations not only by checking specific lines of the program but also by applying the operational semantics for every machine-state transition. This shows that the memory access restrictions of S μV is operationally maintained. For TrustLite, we capture all such violations by checking specific lines of the program. Also, we provide an example to show how we can use the operational semantics to capture such violations.

computer science, software engineering

Ashish Darbari,Iain Singleton,Michael Butler,John Colley

DOI: https://doi.org/10.48550/arXiv.1605.04744

2016-05-16

Abstract:The HSA Foundation has produced the HSA Platform System Architecture Specification that goes a long way towards addressing the need for a clear and consistent method for specifying weakly consistent memory. HSA is specified in a natural language which makes it open to multiple ambiguous interpretations and could render bugs in implementations of it in hardware and software. In this paper we present a formal model of HSA which can be used in the development and verification of both concurrent software applications as well as in the development and verification of the HSA-compliant platform itself. We use the Event-B language to build a provably correct hierarchy of models from the most abstract to a detailed refinement of HSA close to implementation level. Our memory models are general in that they represent an arbitrary number of masters, programs and instruction interleavings. We reason about such general models using refinements. Using Rodin tool we are able to model and verify an entire hierarchy of models using proofs to establish that each refinement is correct. We define an automated validation method that allows us to test baseline compliance of the model against a suite of published HSA litmus tests. Once we complete model validation we develop a coverage driven method to extract a richer set of tests from the Event-B model and a user specified coverage model. These tests are used for extensive regression testing of hardware and software systems. Our method of refinement based formal modelling, baseline compliance testing of the model and coverage driven test extraction using the single language of Event-B is a new way to address a key challenge facing the design and verification of multi-core systems.

Logic in Computer Science,Software Engineering

Céline Bellanger,Pierre-Loïc Garoche,Matthieu Martel,Célia Picard

DOI: https://doi.org/10.4204/EPTCS.395.14

2023-11-16

Abstract:Signal Temporal Logic (STL) is a convenient formalism to express bounded horizon properties of autonomous critical systems. STL extends LTL to real-valued signals and associates a non-singleton bound interval to each temporal operators. In this work we provide a rigorous encoding of non-nested discrete-time STL formulas into Lustre synchronous observers. Our encoding provides a three-valued online semantics for the observers and therefore enables both the verification of the property and the search of counter-examples. A key contribution of this work is an instrumented proof of the validity of the implementation. Each node is proved correct with respect to the original STL semantics. All the experiments are automated with the Kind2 model-checker and the Z3 SMT solver.

Logic in Computer Science

Jiabin Zhu,Wenchao Huang,Yan Xiong

DOI: https://doi.org/10.1109/bigcom.2018.00038

2018-01-01

Abstract:Memory isolation is an important property ensured by many security systems, e.g., shielding systems, for programs, e.g., the untrusted OS and security critical applications, executed on the systems. The property states that each of the programs cannot intentionally or unintentionally read or write memory allocated for other programs. In this paper, we propose a general framework to formally model and verify systems that ensure memory isolation based on ARM processors. Specifically, first, we propose a general model for the systems in the framework. The model shows how to change configurations on ARM processors, e.g., extended page tables or configurations used for specifying memory in the secure world, without of violating the isolation. Then, we propose a general refinement strategy to model the memory management of the systems through the general model. If the memory management can be modeled by using the strategy, the memory management ensures memory isolation. We have used the framework to model and verify memory management of a security system, which is called as OSP and utilizes both of virtualization extensions on ARM processors and ARM TrustZone to isolate memory of programs. Our result shows that the system actually ensures the isolation for the programs executed on the system.