Sabine Schmaltz

Invariants, modularity, and rights

The quest for modular concurrency reasoning has led to recent proposals that extend program assertions to include not just knowledge about the state, but rights to access the state. We argue that these rights are really just sugar for knowledge that certain updates preserve certain invariants.

Theory of Multi Core Hypervisor Verification

From 2007 to 2010, researchers from Microsoft and the Verisoft XT project verified code from Hyper-V, a multi-core x-64 hypervisor, using VCC, a verifier for concurrent C code. However, there is a significant gap between code verification of a kernel (such as a hypervisor) and a proof of correctness of a real system running the code. When the project ended in 2010, crucial and tricky portions of the hypervisor product were formally verified, but one was far from having an overall theory of multi core hypervisor correctness even on paper. For example, the kernel code itself has to set up low-level facilities such as its call stack and virtual memory map, and must continue to use memory in a way that justifies the memory model assumed by the compiler and verifier, even though these assumptions are not directly guaranteed by the hardware. Over the last two years, much of the needed theory justifying the approach has been worked out. We survey progress on this theory and identify the work that is left to be done.

Completing the automated verification of a small hypervisor - assembler code verification

In [1] the almost complete formal verification of a small hypervisor with the automated C code verifier VCC [2] was reported: the correctness of the C portions of the hypervisor and of the guest simulation was established; the verification of the assembler portions of the code was left as future work. Suitable methodology for the verification of Macro Assembler programs in VCC was given without soundness proof in [3]. A joint semantics of C + Macro Assembler necessary for such a soundness proof was introduced in [4]. In this paper i) we observe that for two instructions (that manipulate stack pointers) of the hypervisor code the C + Macro Assembler semantics does not suffice; therefore we extend it to C + Macro Assembler + assembler, ii) we argue the soundness of the methodology from [3] with respect to this new semantics, iii) we apply the methodology from [3] to formally verify the Macro Assembler + assembler portions of the hypervisor from [1], completing the formal verification of the small hypervisor in the automated tool VCC.

Integrated semantics of intermediate-language c and macro-assembler for pervasive formal verification of operating systems and hypervisors from VerisoftXT

Pervasive formal verification of operating systems and hypervisors is, due to their safety-critical aspects, a highly relevant area of research. Many implementations consist of both assembler and C functions. Formal verification of their correctness must consider the correct interaction of code written in these languages, which is, in practice, ensured by using matching application binary interfaces (ABIs). Also, these programs must be able to interact with hardware. We present an integrated operational small-step semantics model of intermediate-language C and Macro-Assembler code execution for pervasive operating systems and hypervisor verification. Our semantics is based on a compiler calling convention that defines callee- and caller-save registers. We sketch a theory connecting this semantic layer with an ISA-model executing the compiled code for use in a pervasive verification context. This forms a basis for soundness proofs of tools used in the VerisoftXT project and is a crucial step towards arguing formal correctness of execution of the verified code on a gate-level hardware model.

Towards the pervasive formal verification of multi-core operating systems and hypervisors implemented in C

Short Abstract This thesis deals with a semantic model stack for verification of functional correctness of multicore hypervisors or operating systems. In contrast to implementations based on single-core architectures, there are additional features and resulting challenges for verifying correctness properties in the multi-core case, e.g. weak memory models (store buffers), or an inter processor interrupt mechanism. The Verisoft XT project had the goal of verifying correctness of the Microsoft Hyper-V hypervisor and achieved great code verification results using the concurrent C verification tool VCC developed by our project partners during the project. A sound mathematical theory to support code verification was not established. To remedy this shortcoming, we sketch a model stack for a simplified multi-core architecture based on a simplified MIPS model for system programmers and illustrate on a high level of abstraction how to obtain a simulation between neighboring models. A hardware model for this architecture is formalized at a detailed level of abstraction of the model stack. In addition, this thesis provides operational semantics for a quite simple intermediate language for C as well as an extension of this semantics with specification (ghost) state and code which can serve as a basis for arguing the soundness of VCC. Due to the powerful nature of specification code, a simulation between annotated and original program is not trivial. Thus, we give a pencil and paper proof. Kurzzusammenfassung Diese Arbeit befasst sich mit einem semantischen Modell-Stack für die Verifikation der Korrektheit von Multi-Core Hypervisoren oder Betriebssystemen. Im Gegensatz zu auf Implementierungen auf Single-Core Architekturen stellen sich im Multi-Core Fall zusätzliche Herausforderungen für die Verifikation von Korrektheitseigenschaften, z.B. durch schwache Speichermodelle oder die Existenz eines Inter-Prozessor-Interrupt Mechanismus. Das Verisoft XT Projekt, welches zum Ziel hatte die Korrektheit des Microsoft Hyper-V Hypervisors zu verifizieren, erreichte unter Benutzung des Verifikationstools VCC hervorragende Resultate im Bereich der Codeverifikation. Die Erstellung einer fundierten mathematischen Theorie um diese Resultate zu untermauern wurde vernachlässigt. Um diesen Mangel zu beheben, skizzieren wir einen Modell-Stack für eine vereinfachte Multi-Core Architektur basierend auf einem vereinfachten MIPS-Modell für Systemprogrammierer und illustrieren wie eine Simulation zwischen benachbarten Modellen erreicht wird. Ein Hardwaremodell für die Architektur wird auf einer detaillierten Abstraktionsebene präsentiert. Zusätzlich enthält diese Arbeit die operationale Semantik einer Zwischensprache für C und deren Erweiterung um Spezifikationszustand und -code welche als Basis für einen Korrektheitsbeweis des Tools VCC dienen kann. Da aufgrund der mächtigen Spezifikationssprache eine Simulation zwischen annotiertem und originalem Programm nicht trivial ist, führen wir den Beweis auf Papier.

A Generic Operating System Kernel

The authors explain physical and virtual machines, including the topics of communicating virtual machines, the concrete kernel, the runvm primitive, simulation of CVM steps, and page fault handling.

Understanding Decimal Addition

In this chapter the authors use decimal addition to introduce important ideas relating to natural numbers, Peano’s axioms and computer arithmetic.

Compiler Consistency Revisited

In this chapter the authors show how to reconstruct a well-formed C0 configuration, they explain garbage collection, and they discuss C0 and assembly.

Some Assembler Programs

In this chapter the authors review some assembler programs, including the topics of MIPS programs and software multiplication and division.

The Language C0

In this chapter the authors introduce language C0, with sections explaining its grammar, declarations, configurations, expression evaluation, statement execution, and proving correctness.