(12) United States Patent (10) Patent No.: US 8,341,602 B2 Hawblitzel Et Al
Total Page:16
File Type:pdf, Size:1020Kb
USOO83416O2B2 (12) United States Patent (10) Patent No.: US 8,341,602 B2 Hawblitzel et al. (45) Date of Patent: Dec. 25, 2012 (54) AUTOMATED VERIFICATION OF A 7.65 E: $39. St. 727 TYPE-SAFE OPERATING SYSTEM 7,818,729- W - B1 * 10/2010 PlumOTley, et al.JT. .......... T17,140. 8, 104,021 B2* 1/2012 Erli tal. T17,126 (75) Inventors: Chris Hawblitzel, Redmond, WA (US); 8,127,280 B2 * 2/2012 E. al T17.136 Jean Yang, Cambridge, MA (US) 8,132,002 B2 * 3/2012 Lo et al. ......... ... 713, 164 8, 181,021 B2 * 5/2012 Ginter et al. .................. T13, 164 (73) Assignee: Microsoft Corporation, Redmond, WA 2004/0172638 A1 9, 2004 Larus (US) 2005, OO65973 A1 3/2005 Steensgaard et al. 2005, 0071387 A1 3, 2005 Mitchell (*) Notice: Subject to any disclaimer, the term of this (Continued) patent is extended or adjusted under 35 U.S.C. 154(b) by 442 days. OTHER PUBLICATIONS Klein et al., seL4: formal verification of an OS kernel, Oct. 2009, 14 (21) Appl. No.: 12/714,468 pages, <http://delivery.acm.org/10.1145/1630000/1629596.p207 klein.pdf>.* (22) Filed: Feb. 27, 2010 (Continued) (65) Prior Publication Data US 2010/O192130 A1 Jul 29, 2010 Primary Examiner — Thuy Dao ul. Z9, (74) Attorney, Agent, or Firm — Lyon & Harr, LLP; Mark A. Related U.S. Application Data Watson (63) Continuation-in-part of application No. 12/362.444, (57) ABSTRACT filed on Jan. 29, 2009. An Automated, Static Safety Verifier uses typed assembly 51) Int. C language (TAL) and Hoare logic to achieve highly automated, (51) o,F o/44 2006.O1 static verification of type and memory safety of an operating ( .01) system (OS). Various techniques and tools mechanically G06F 9/45 (2006.01) Verify the safety of every assembly language instruction in the HD4L 29/06 (2006.01) OS, run-time system, drivers, and applications, except the (52) U.S. Cl. ........ 717/126,717/136; 717/140; 717/168; boot loader (which can be separately verified). The OS 713/164 includes a "Nucleus' for accessing hardware and memory, a (58) Field of Classification Search ............... ... ... None kernel that builds services running on the Nucleus, and appli See application file for complete search history. cations that run on top of the kernel. The Nucleus, written in Verified assembly language, implements allocation, garbage (56) References Cited collection, multiple stacks, interrupt handling, and device access. The kernel, written in C# and compiled to TAL, builds U.S. PATENT DOCUMENTS higher-level services, such as preemptive threads, on top of 5,485,613 A 1/1996 Engelstad the Nucleus. A Hoare-style verifier with automated theorem 6,219,7876,128,774. AB1 * 10/20004/2001 NeculaBrewer ......................... 713/167 prover verifies safety and correctness of the Nucleus. ATAL 6,925,637 B2 8/2005 Thomas checker verifies safety of the kernel and applications. 7,139,784 B2 11/2006 Knobe 7,233,733 B2 6/2007 Derby 20 Claims, 5 Drawing Sheets KERNE (TAL) APPLICATION 24 (TAL) GarbageCollect NUCLEUS GetStackState AllocObject (BoogiepL) Allacy actor e Rese:Stack hrow g g YieldTo s s A. 2 4 s s s adfield wgaTextwrite FaultHandlar riteField Tryreadkeyboard ErrorHandlar O readStack Startimer Interrupthandler writeStack SendEoi Fatalandler 225 v. v.2 s x86 HARDWARE 220 "SafeoS"STRUCTURE SHOWINGXEMPLARY FUNCTIONSEXPORTED BY NUCLEUS US 8,341.602 B2 Page 2 U.S. PATENT DOCUMENTS 10th ACM SIGPLAN Int’l Conf. on Functional Programming, ICFP 2005/0114842 A1* 5/2005 Fleehart et al. ............... 717/126 2005, pp. 116-128, Sep. 26-28, 2005, Tallinn, Estonia. 2006/0085433 A1 4/2006 Bacon Klein, G. K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. 2006/0265438 Al 11/2006 Shankar Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. 2006/0277539 A1* 12/2006 Amarasinghe et al. ....... 717/168 Sewell. H. Tuch, S. Winwood, seA: Formal verification of an OS 2007/0174370 A1 7/2007 Detlefs kernel, Proc. of the 22nd ACM Symposium on Operating Systems 2007/0285271 A1 12/2007 Erlingsson Principles 2009, SOSP 2009, Oct. 11-14, 2009, pp. 207-220, Big Sky, 2008/0010327 A1 1/2008 Steensgaard Montana, USA. 2008/0148244 A1* 6/2008 Tannenbaum et al. ........ 717/136 2012/0084759 A1* 4/2012 Candlea et al. ........... 717/126 Lin, C., A. McCreight, Z. Shao, Y. Chen, Y. Guo, Foundational typed assembly language with certified collecton, First Joint IEEE/IFIP OTHER PUBLICATIONS Symposium on Theoretical Aspects of Software Engg. TASE 2007, Jun. 5-8, 2007, pp. 326-338, Shanghai, China. Heiser et al., Towards trustworthy computing systems: taking Maeda, T., Safe execution of user programs in Kernel mode using microkernels to the next level, Jul. 2007, 9 pages, <http://delivery. typed assembly language, Master Thesis, Feb. 5, 2002, pp. 1-36, The acm.org/10.1145/1280000/1278904/p3-heiser.pdf>.* University of Tokyo, Tokyo, Japan. Yang et al., Safe to the last instruction: automated verification of a type-safe operating system, Dec. 2011.9 pages, <http://deliveryacm. Makholm, H., A region-based memory manager for prolog, Proc. of org/10.1145/2050000/2043 197p123-yang.pdf>.* the 2nd Int'l Symposium on Memory Management, ISMM2000, Jan. Barnett, M., B.-Y. E. Chang, R. DeLine, B. Jacobs, K. Rustan, M. 2001, pp. 25-34, vol. 36, No. 1, ACM New York, NY, USA. Leino, Boogie: A modular reusable verifier for object-oriented pro Maus, S., M. Moskal, W. Schulte, Vx86: x86 Assembler simulated in grams, 4th Int'l Symposium on Formal Methods for Components and C powered by automated theorem proving, Proc. of teh 12th Int’l Objects, FMCO 2005, Nov. 1-4, 2005, pp. 364-387, Springer, Conf. on Algebraic Methodology and Software Tech., AMAST 2008, Amsterdam, The Netherlands , Jul. 28-31, 2008, pp. 284-298, Springer, Urbana, IL, USA. Baumann, A. P. Barham, P.-E. Dagand, T. L. Harris, R. Isaacs, S. McCreight, A. Z. Shao, C. Lin, L. Li. A general framework for Peter, T. Roscoe, A. Schipbach, A. Singhania, The Multikernel: A certifying garbage collectors and their mutators, Proc. of the ACM new OS architecture for scalable multicore systems, Proc. of the 22nd SIGPLAN 2007 Conf. on Programming Language Design and ACM Symposium on Operating Sys’s Principles, SOSP 2009, Oct. Implementation, PLDI 2007, Jun. 11-13, 2007, pp. 468-479, San 11-14, 2009, pp. 29-44. Big Sky, Montana, USA. Diego, California, USA. Bevier, W. R. W. A. Hunt Jr., J. S. Moore, W. D. Young. An approach Miller, J. S., G. J. Rozas, Garbage collection is fast, but a stack is to systems verification, Technical Report 41, Computational Logic, faster, Al Memo No. 1462, Massachusetts Institute of Technology Inc., Apr. 1989, 19 page. Artificial Intelligence Laboratory, Mar. 1994, pp. 1-36, Cambridge, Bevier, W. R. Kit: A study in operating system verification, Technical MA, USA. Report 28, Computational Logic, Inc., Aug. 1988, 28 pages. Morrisett, J. G. D. Walker, K. Crary, N. Glew, From system F to Chen, J. C. Hawblitzel, F. Perry, M. Emmi, J. Condit, D. Coetzee, P. typed assembly language, ACM Trans. Program. Lang. Syst., May Pratikaki. Type-preserving compilation for large-scale optimizing 1999, pp. 527-568, vol. 21, No. 3. object-oriented compilers, Proc. of the ACM SIGPLAN 2008 Conf. de Moura, L. M. N. Bjorner, Z3: An efficient SMT solver, Proc. of the on Programming Language Design and Implementation. PLDI 14th Int’l Conf. on Tools and Algorithms for the Construction and 2008, Jun. 7-13, 2008, pp. 183-192, Tucson, AZ, USA. Analysis of Sys's, TACAS 2008, Held as Part of the Joint European Edelman, J. R. Machine code verification using the bogor frame Conf. on Theory and Practice of Software, ETAPS 2008, Mar. work, Master of Science thesis, Brigham Young University, Aug. 29-Apr. 6, 2008, pp. 337-340, Budapest, Hungary. 2008, 39 pages. Ni, Z., D. Yu, Z. Shao. Using XCAP to certify realistic systems code: Fahndrich, M., M. Aiken, C. Hawblitzel, O. Hodson, G. C. Hunt, J. R. Machine context management, Proc. 20th Int’l Conf. Theorem Prov Larus, S. Levi, Language support for fast and reliable message-based ing in Higher Order Logics, TPHOLS 2007, Sep. 10-13, 2007, pp. communication in singularity OS, Proc. of the 2006 EuroSys Conf. 189-206, vol. 4732, Springer, Kaiserslautern, Germany. Apr. 18-21, 2006, pp. 177-190, Leuven, Belgium. Petersen, L., R. Harper, K. Crary, F. Pfenning. A type theory for Feng, X. Z. Shao, Y. Guo, Y. Dong, Certifying low-level programs memory allocation and data layout, The 30th SIGPLAN-SIGACT with hardware interrupts and preemptive threads, J. Autom. Reason Symposium on Principles of Programming Languages, Jan. 15-17, ing, Apr. 2009, vol. 42, No. 2-4, pp. 301-347. 2003, pp. 172-184, New Orleans, Louisisana, USA. Feng, X. Z. Shao, Y. Dong, Y. Guo, Certifying low-level programs Tillman, N., Pex now a DevLabs project, Nikolai Tillman's Blog, with hardware interrupts and preemptive threads, Proc. of the ACM retrieved from http://blogs.msdn.com/nikolait, May 21, 2008, pp. SIGPLAN 2008 Conf. on Programming Language Design and 1-14. Implementation, PLDI 2008, Jun. 7-13, 2008, pp. 170-182, Tucson, Vechev, M. T. E. Yahav, D. F. Bacon, N. Rinetzky, CGCExplorer: A AZ, USA. semi-automated search procedure for provably correct concurrent Feng, X. Z. Shao, Modular verification of concurrent assembly code collectors, Proc. pf the ACM SIGPLAN 2007 Conf. on Programming with dynamic thread creation and termination, Proc. of the 10th ACM Language Design and Implementation, PLDI2007, Jun. 11-13, 2007, SIGPLAN Int’l Conf. on Functional Programming, ICFP2005, Sep. pp. 456-467, San Diego, California, USA.