A Survey on Kernel Speci cation and Veri cation

Formal methods have been traditionally used to model and verify operating systems Dif ferent methods verify di erent operating systems properties such as process management mutual exclusion and inter process communication Moreover various methods may capture di erent design errors such as deadlocks or unspeci ed receptions The system kernel supports higher level system services Hence kernel veri cation is es sential for the proper operation of the system In addition providing clear kernel speci cation improves the interoperability between its various implementations In this paper we describe commonly used methods for kernel speci cation and veri cation Some methods provide a mathematical model and use logic to prove properties of interest These include PVS and Boyer Moore logic Others use a programming language to simulate the system then apply veri cation tools to capture system errors These include the SPIN tool Distributed operating systems are susceptible to unexpected failure events complicating the issue of system robustness This issue is not addressed explicitly by traditional veri cation methods We present a new STRESS method that can be used to analyze system robustness STRESS is based on a simulation framework and facilitates fault simulation for distributed operating systems and kernels Finally our comparison shows that some of the methods discussed are complementary Thus several methods may be used to obtain better fault coverage of the target system