Matthew Danish

A Virtualized Separation Kernel for Mixed-Criticality Systems

Multi- and many-core processors are becoming increasingly popular in embedded systems. Many of these processors now feature hardware virtualization capabilities, as found on the ARM Cortex A15 and x86 architectures with Intel VT-x or AMD-V support. Hardware virtualization provides a way to partition physical resources, including processor cores, memory, and I/O devices, among guest virtual machines (VMs). Each VM is then able to host tasks of a specific criticality level, as part of a mixed-criticality system with different timing and safety requirements. However, traditional virtual machine systems are inappropriate for mixed-criticality computing. They use hypervisors to schedule separate VMs on physical processor cores. The costs of trapping into hypervisors to multiplex and manage machine physical resources on behalf of separate guests are too expensive for many time-critical tasks. Additionally, traditional hypervisors have memory footprints that are often too large for many embedded computing systems. In this article, we discuss the design of the Quest-V separation kernel, which partitions services of different criticality levels across separate VMs, or sandboxes. Each sandbox encapsulates a subset of machine physical resources that it manages without requiring intervention from a hypervisor. In Quest-V, a hypervisor is only needed to bootstrap the system, recover from certain faults, and establish communication channels between sandboxes. This not only reduces the memory footprint of the most privileged protection domain but also removes it from the control path during normal system operation, thereby heightening security.

Verifying spatial properties of array computations

Arrays computations are at the core of numerical modelling and computational science applications. However, low-level manipulation of array indices is a source of program error. Many practitioners are aware of the need to ensure program correctness, yet very few of the techniques from the programming research community are applied by scientists. We aim to change that by providing targetted lightweight verification techniques for scientific code. We focus on the all too common mistake of array offset errors as a generalisation of off-by-one errors. Firstly, we report on a code analysis study on eleven real-world computational science code base, identifying common idioms of array usage and their spatial properties. This provides much needed data on array programming idioms common in scientific code. From this data, we designed a lightweight declarative specification language capturing the majority of array access patterns via a small set of combinators. We detail a semantic model, and the design and implementation of a verification tool for our specification language, which both checks and infers specifications. We evaluate our tool on our corpus of scientific code. Using the inference mode, we found roughly 87,000 targets for specification across roughly 1.1 million lines of code, showing that the vast majority of array computations read from arrays in a pattern with a simple, regular, static shape. We also studied the commit logs of one of our corpus packages, finding past bug fixes for which our specification system distinguishes the change and thus could have been applied to detect such bugs.

Lightning Talk: Supporting Software Sustainability with Lightweight Specifications

This is the final version of the article. It first appeared from CEUR Workshop Proceedings via http://ceur-ws.org/Vol-1686/

Units-of-Measure Correctness in Fortran Programs

The authors argue that they can increase confidence in Fortran programs with unit annotations and CamFort units-of-measure analysis.

Operating system development with ATS: work in progress

Typical operating system design is marked by trade-offs between speed and reliability, features and security. Most systems are written in a low-level untyped programming language to achieve optimal hardware usage and for other practical reasons. But, this often results in CPU, memory, and I/O protection flaws due to mistakes in unverified code. On the other hand, fully verified systems are exceedingly hard to construct on any industrial scale. A high-level programming language, with an expressive type system suitable for systems programming, can help alleviate many of these problems without requiring the enormous effort of full verification.

Software and data supporting “Lightning Talk: Supporting Software Sustainability with Lightweight Specifications”

Lightweight specifications support software maintainability by providing a way to verify that any changes to a code base preserve certain program properties. We give two examples of lightweight specifications for numerical code: units-of-measure types which specify the physical units of numerical quantities in a program; and stencil specifications which describe the pattern of data access used in array computations. Not only can we automatically verify that a program correctly implements these requirements but specifications provide documentation for future developers. Specifications can also be inferred and generated automatically in some cases, further reducing programmer effort. We finish by identifying future potential specification techniques to ease the maintenance and comprehension of scientific code.

Using Lightweight Theorem Proving in an Asynchronous Systems Context

As part of the development of a new real-time operating system, an asynchronous communication mechanism, for use between applications, has been implemented in a programming language with an advanced static type system. This mechanism is designed to provide desired properties of asynchronicity, coherency and freshness. We used the features of the type system, including linear and dependent types, to represent and partially prove that the implementation safely upheld coherency and freshness. We believe that the resulting program code forms a good example of how easily linear and dependent types can be applied in practice to prove useful properties of low-level concurrent systems programming, while leaving no traces of runtime overhead.

Applying language-based static verification in an ARM operating system

In recent years, we have seen a proliferation of small, embedded, electronic devices controlled by computer processors as powerful as the ARM®. These devices are now responsible for tasks as varied as flying a plane, talking on a cellphone, or helping to perform surgery. Some of these tasks have severe consequences for a mistake caused by faulty programming or missed deadlines. The best defense against these mistakes is to prevent them from happening in the first place.

Operating system development with ATS: work in progress: (abstract only)

Typical operating system design is marked by trade-offs between speed and reliability, features and security. Most systems are written in a low-level untyped programming language to achieve optimal hardware usage and for other practical reasons. But, this often results in CPU, memory, and I/O protection flaws due to mistakes in unverified code. On the other hand, fully verified systems are exceedingly hard to construct on any industrial scale. A high-level programming language, with an expressive type system suitable for systems programming, can help alleviate many of these problems without requiring the enormous effort of full verification.