Zhenjiang Qian,Hao Huang,Fangmin Song

DOI: https://doi.org/10.1007/978-3-319-02726-5_2

2013-01-01

Abstract:The correctness of the operating systems is difficult to be described with the quantitative methods, because of the complexity. Using the rigorous formal methods to verify the correctness of the operating systems is a recognized method. The existing projects of formal design and verification focus on the validation of code level. In this paper, we present a \"light-weight\" formal method of design and verification for OS. We propose an OS state automaton model (OSSA) as a link between the system design and verification, and describe the correctness specifications of the system based on this model. We implement the trusted operating system (verified trusted operating system, VTOS) as a prototype, to illustrate the method of consistency verification of system design and safety requirements with formalized theorem prover Isabelle/HOL. The result shows that this approach is feasible.

Zhen-jiang QIAN,Yong-jun LIU,Yu-feng YAO,Li TANG,Hao HUANG,Fang-min SONG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.01.035

2017-01-01

Abstract:The correctness of design and implementation of operating systems is difficult to be described with the traditional quantitative methods,because of the enormous size and complexity.This paper illustrates our method of formal design and verification of microkernel operating system.We construct the system model with the non-deterministic automaton in the assembly level,and use the Hoare triples to describe the previous and post conditions of the interface functions,as the definitions of function correctness.We take the module of memory management in the self-implemented VSOS (Verified Secure Operating System) as an example,to illustrate our formal method.Meanwhile,we formally describe the constructed memory management model and operation semantics of system behaviors in the Isabelle/HOL theorem prover,and verify the correctness of design and implementation of the memory management.The result shows that the method proposed is feasible and efficient.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

QIAN Zhen-jiang,LIU Wei,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.11.072

2012-01-01

Abstract:This paper introduces the concepts of formal design and verification for the Operating System(OS),and elaborates the framework and foundational methods of formal design and verification.It compares and analyzes the monolithic kernel and micro kernel architectures of the OS.Meanwhile,it investigates multiple design and verification projects in depth,focusing on the verification objectives,the methodology,the advantages and limitations,and the progression.It summarizes the state of the art,analyzes and outlooks the trends of the formal design and verification for the OS.What is more,from the aspects of model design,verification tools,code implementation and verification reuse,it advances the ideas of formal design and verification.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

LI Kang-jie,QIAN Zhen-jiang,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2013.03.044

2013-01-01

Computer Science

Abstract:It is difficult to describe the correctness and security of the operate system(OS) by quantitative analysis.Formal method is the acknowledged standard one in design and verification for OS.Based on the operate system object semantics model(OSOSM),we designed and verified the interruption mechanism of microkernel architecture using formal method,which was realized on our self-implemented verified trusted operate system(VTOS).Meanwhile,we used the theorem prover Isabelle/HOL to formally describe the design process,and verify the integrality of the interruption mechanism of VTOS.Our research plays certain referential significance on formal design and verification of OS.

Adriana Nicolae,Paul Irofti,Ioana Leustean

2023-11-07

Abstract:The seL4 microkernel is currently the only kernel that has been fully formally verified. In general, the increased interest in ensuring the security of a kernel's code results from its important role in the entire operating system. One of the basic features of an operating system is that it abstracts the handling of devices. This abstraction is represented by device drivers - the software that manages the hardware. A proper verification of the software component could ensure that the device would work properly unless there is a hardware <a class="link-external link-http" href="http://failure.In" rel="external noopener nofollow">this http URL</a> this paper, we choose to model the behavior of a device driver and build the proof that the code implementation matches the expected behavior. The proof was written in Isabelle/HOL, the code translation from C to Isabelle was done automatically by the use of the C-to-Isabelle Parser and AutoCorres tools. We choose Isabelle theorem prover because its efficiency was already shown through the verification of seL4 microkernel.

Cryptography and Security,Logic in Computer Science,Operating Systems

Qiang Zhang,Jianzhong Qiao,Qingyang Meng,Yu Chen

DOI: https://doi.org/10.1016/j.cose.2020.101733

IF: 5.105

2020-01-01

Computers & Security

Abstract:Formal verification of an OS kernel is widely considered a major challenge; however, traditional interactive theorem provers used in OS kernel verification require manually written proofs and come with a non-trivial cost. In this paper, we propose a formal verification framework to build a verifiably correct OS kernel, named iv6, with a high degree of proof automation and a low burden of proof. Using this framework, programmers only need to write the specification as required, and it can be translated into the corresponding implementation of C code automatically. The verification framework can guarantee that the behaviour of the implementation code adheres to its specifications. Iv6 introduces four key ideas to achieve proof automation: its interfaces and corresponding specifications are designed to be finite to avoid unbounded loops or recursion; it separates kernel and user address spaces using a kernel page table isolation approach to simplify reasoning about virtual memory; it partitions the modules of a kernel state machine according to a state transition function to improve verification performance; and to avoid modelling complicated C semantics, it performs verification at the LLVM intermediate representation level. A total of 48 system calls and some high-level system properties in iv6 have been verified using this method. Experience shows that this framework can reduce the impact of human error on kernel development and make the verification of iv6 more efficient and straightforward.

Sai-Jun He,Ming Zhang

DOI: https://doi.org/10.1109/ICMA.2007.4304116

2007-01-01

Abstract:The close interactions between hardware and software of trustworthy systems demand co-simulation. Due to their diverse applications and often strict physical constraints, trustworthy systems are increasingly component-based and include only the necessary components for their missions. For this reason, we present a novel component-based approach to hardware-software co-simulation systems using OR1200. In our approach, a component model for trustworthy systems which unifies the concepts of hardware components and software components is defined. In our proposed system, it uses an Instruction Set Simulator (ISS) instead of OR1200 CPU when simulating the SoC system, and makes use of socket, shared memory and Programming Language Interface (PLI) function to communicate and transfer data between processes. The proposed system is illustrated by an application in H.264 decoding system that is practical and effective. © 2007 IEEE.

Qian Zhenjiang,Liu Wei,Huang Hao

IF: 1.019

2014-01-01

Chinese Journal of Electronics

Abstract:Microkernel integrity is an important aspect of security for the whole microkernel system. Many of the research works on microkernel integrity focus on analysis and safeguards against the existing kernel attacks, and security enhancements for the vulnerabilities of system design and implementation aspects. The formal methods for operating system design and verification ensure the system's high level of security. The existing formalization work and research for operating system mainly focus on the code-level verification of program correctness. In this paper, we propose a formal abstraction model of microkernel in order to accurately describe the semantics of every kernel behavior, and achieve the description of the whole kernel. Based on the model we illustrate the microkernel integrity criterions and elaborate on the integrity mechanism. Meanwhile, we formally verify the completeness and consistency between the mechanism and the definition of the microkernel integrity. We use the self-implemented operating system VTOS (Verified trusted operating system) as an example to illustrate the design method for the microkernel integrity.

Yulun Wu,Bohua Zhan,Bican Xia

2024-03-20

Abstract:We present the design and implementation of a tool for semi-automatic verification of functional specifications of operating system modules. Such verification tasks are traditionally done in interactive theorem provers, where the functionalities of the module are specified at abstract and concrete levels using data such as structures, algebraic datatypes, arrays, maps and so on. In this work, we provide encodings to SMT for these commonly occurring data types. This allows verification conditions to be reduced into a form suitable for SMT solvers. The use of SMT solvers combined with a tactic language allows semi-automatic verification of the specification. We apply the tool to verify functional specification for key parts of the uC-OS/II operating system, based on earlier work giving full verification of the system in Coq. We demonstrate a large reduction in the amount of human effort due to increased level of automation.

Symbolic Computation,Logic in Computer Science

Yansong ZHENG,Dong TONG,Hao LI,Jiufeng PANG,Keyi WANG,Xu CHENG

DOI: https://doi.org/10.3321/j.issn:0479-8023.2009.06.010

2009-01-01

Abstract:The authors study a method that develops a SoC hardware kernel for MS Windows. The method captures the basic system function specification of hardware kernel through multiple simulation execution and gradual drawoff, on the premise that the system is MS Windows compatible. The experiment indicates that the complexity of the hardware kernel is simpler drastically than that of the whole system, and that the requirement of hardware kernel among MS Windows versions is different obviously. Moreover, the SoC hardware kernel for MS Windows 98 is verified on the FPGA prototype.

Petr N. Devyanin,Alexey V. Khoroshilov,Victor V. Kuliamin,Alexander K. Petrenko,Ilya V. Shchepetkov

DOI: https://doi.org/10.1007/978-3-662-43652-3_30

2014-01-01

Abstract:The paper presents a work-in-progress on formal verification of operating system security model, which integrates control of confidentiality and integrity levels with role-based access control. The main goal is to formalize completely the security model and to prove its consistency and conformance to basic correctness requirements concerning keeping levels of integrity and confidentiality. Additional goal is to perform data flow analysis of the model to check whether it can preserve security in the face of certain attacks. Alloy and Event-B were used for formalization and verification of the model. Alloy was applied to provide quick constraint-based checking and uncover various issues concerning inconsistency or incompleteness of the model. Event-B was applied for full-scale deductive verification. Both tools worked well on first steps of model development, while after certain complexity was reached Alloy began to demonstrate some scalability issues.

Hong Ying Tang,Zhen Jiang Qian,Hao Huang

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.837

2013-01-01

Advanced Materials Research

Abstract:As the manager of the data stored in the disk, the security of the file system is an important aspect of the operating system. Given the high logicalness and unambiguousness of the formal methods, also the module independence of the micro-kernel, this paper abstracts a formal model from the file system implementation based on micro-kernel, and then gives the axiomatic semantics of the initialization; finally, gives the correctness assertions of file system initialization, then verify the correctness of the formal model of file system aided with Isabelle/HOL.

ZUO Hang,JIN Yu-feng

2007-01-01

Abstract:Along with the increment of complexity in digital ASIC design,there are more and more difficulties in verification of the HDL design.According to a kind of Ethernet exchange chip program,gives a modeling verification method,which is based on OpenVera language.It has been proved that this method can make the combined simulation of RTL and reference model conveniently,improve the recovery rate,reduce the task and shorten the time of test and verify effectively.

Xige ZHANG,ZHU Jiacheng,MA Jun,SHEN Lixiang,ZHOU Jiahui,MU Dejun,Jiacheng ZHU,Jun MA,Lixiang SHEN,Jiahui ZHOU,Dejun MU

DOI: https://doi.org/10.1051/jnwpu/20244210092

2024-02-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:Large scale integrate circuits is facing serious threat such as design vulnerabilities, side channels, and hardware Trojans. Traditional functional verification method is difficult to ensure high test coverage, and it is also difficult to detect security vulnerabilities such as side channels and stealthy hardware Trojans. Formal verification methods focus on the equivalence and functional correctness of design, and are difficult to meet security and reliability verification needs. The present work proposes a hardware security and reliability verification method from formal model. The present method can develop formal models for describing the security and reliability behaviour of hardware designs. It can detect potential security vulnerabilities in hardware designs. Experimental results show that the verification method is effective in detecting sensitive information leakage and modification caused by side channels and hardware Trojans.

Martin Kardos,Yuhong Zhao

DOI: https://doi.org/10.1007/1-4020-8149-9_3

2004-01-01

Abstract:System level design incorporating system modeling and formal specification in combination with formal verification can substantially contribute to the correctness and quality of the embedded systems and consequently help reduce the development costs. Ensuring the correctness of the designed system is, of course, a crucial design criterion especially when complex distributed (realtime) embedded systems are considered. Therefore, this paper aims at presenting a verification framework designated for formal verification and validation of UML-based design of embedded systems. It first introduces an approach of using the AsmL language for acquiring formal models of the UML semantics and consequently presents an on-the-fly model checking technique designed to run the formal verification directly over those semantic models.

Liu Wei,Li Xun,Huang Wei,Huang Hao,Zhixian Chen

DOI: https://doi.org/10.1109/CSSS.2011.5973957

2011-01-01

Abstract:Kernel-level attacks can compromise the security of an operating system by tampering with key data and control flow in the kernel. Current approaches defend against these attacks by applying data integrity or control flow integrity control methods. However, they focus on only a certain aspect and cannot give a complete integrity monitoring solution. This paper tries our best to find out all resorts that violate the kernel integrity of operating system by analyzing what objects an action of the kernel relies on and affects. Then we examine all these objects to avoid them from being tamped with and also monitor whether the effect of an action of the kernel is the same as the semantics specified by the original design. Our operating system integrity surveillance system (OSISS) is implemented in a virtual machine monitor (VMM) and it can detect abnormity of an action by monitoring the data integrity and control flow integrity with acceptable performance loss. © 2011 IEEE.

Shan Zhou,Jinbo Wang,Jiao Jia,Chi Zhang,Ruixue Wang

DOI: https://doi.org/10.1109/tr.2022.3166548

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:System on programmable chip (SOPC) is a kind of system on a programmable chip. The system architecture is superior to the traditional design pattern. The system has an on-chip bus between the processor and the programmable logic, which forms a high bandwidth, low latency, connection, and has rich flexible customization of IP. It also has advantages of low power consumption and high performance. The application in the field of high reliable proportion rising year by year. However, the change of system architecture and the expansion of software scale have brought great impact on the simulation test method and the physical test method. The existing dynamic testing methods are based on limited testing scenarios to investigate the system. It is difficult to find hidden errors in the design of complex connection segments, such as the errors in the on-chip bus transmission, the errors in the hardware and software coupling, and so on. Due to system scale of the state-space explosion problem and various forms IP, SOPC cannot apply formal verification techniques. In this article, we propose a SOPC formalized validation framework. It is based on polymorphous IP abstraction modeling, common formal properties analysis, and modeling methods in system architecture and other high-risk areas. The experimental results show that the proposed algorithm and the established SOPC formal verification framework can introduce the formal verification technique to SOPC high-risk area verification, and it can be used as the guidance of SOPC formal verification.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Ashish Darbari,Iain Singleton,Michael Butler,John Colley

DOI: https://doi.org/10.48550/arXiv.1605.04744

2016-05-16

Abstract:The HSA Foundation has produced the HSA Platform System Architecture Specification that goes a long way towards addressing the need for a clear and consistent method for specifying weakly consistent memory. HSA is specified in a natural language which makes it open to multiple ambiguous interpretations and could render bugs in implementations of it in hardware and software. In this paper we present a formal model of HSA which can be used in the development and verification of both concurrent software applications as well as in the development and verification of the HSA-compliant platform itself. We use the Event-B language to build a provably correct hierarchy of models from the most abstract to a detailed refinement of HSA close to implementation level. Our memory models are general in that they represent an arbitrary number of masters, programs and instruction interleavings. We reason about such general models using refinements. Using Rodin tool we are able to model and verify an entire hierarchy of models using proofs to establish that each refinement is correct. We define an automated validation method that allows us to test baseline compliance of the model against a suite of published HSA litmus tests. Once we complete model validation we develop a coverage driven method to extract a richer set of tests from the Event-B model and a user specified coverage model. These tests are used for extensive regression testing of hardware and software systems. Our method of refinement based formal modelling, baseline compliance testing of the model and coverage driven test extraction using the single language of Event-B is a new way to address a key challenge facing the design and verification of multi-core systems.

Logic in Computer Science,Software Engineering