The Clustered Multikernel: An Approach to Formal Verification of Multiprocessor OS Kernels

Operating-system kernels are critical software components in computer systems. Building secure, safe and reliable computer systems is facilitated by having strong kernel correctness guarantees. Such guarantees can be obtained by formally verifying a kernel down to the implementation level. Kernel verification has attracted much research interest. For example, the L4.verified project has proved that the implementation of the seL4 microkernel adheres to its formal specification. Nonetheless, due to verification complexity, past research focussed on uniprocessor kernels only. However, with multiprocessor/multicore systems gaining popularity, also in embedded systems, the need for verified multiprocessor kernels arises. To this end, we introduce the clustered multikernel, a point in the design space of multiprocessor kernels. Based on this design, we present a lifting framework, which adds multiprocessor support to a verified uniprocessor kernel and reuses its proofs to obtain a verified multiprocessor kernel with relatively low effort. The lifting framework supports total-store-order (TSO) multiprocessor architectures, which exhibit weak memory ordering. We report on our experience with applying the lifting framework to seL4. All formal specifications and proofs in this work are machinechecked in the interactive theorem prover Isabelle/HOL.