Correct OS Kernel? Proof? Done!

Author

Abstract
The basic idea goes back to the 1970s; people have been trying to formally verify operating systems ever since [4,10]. It is the obvious place to start when you are serious about meaningful assurance for critical systems. The idea behind formal verification is that programs are just mathematics in the end. If you want to show beyond doubt that something is true in mathematics, you prove it. If you want to be sure that the proof is right, you do it fully formally, so that it can be machine-checked.

It was clear early on that this is possible in principle, but enthusiasm ebbed after an initial flurry of activity in the late '70s and early '80s. Mathematical semantics for real programming languages were not developed far enough, machine support for theorem proving was only starting to appear, and the whole problem seemed infeasible for any real program of interesting size. Full formal program verification was like controlled fusion power: about 30 years of research in the future.

In contrast to controlled fusion, 30 years later things have changed. With the formal verification of the seL4 microkernel we have reached an important milestone: the first commercially viable microkernel, formally verified all the way down to its low-level C implementation [8]. The proof is machine-checked from first principles in the theorem prover Isabelle/HOL [2], and it was an order of magnitude cheaper to build than a traditional software certification.

seL4 is a small microkernel in the L4 family [1]: 8,700 lines of C and 600 lines of assembly. It is not Linux with millions of lines of code. Instead, it provides the basic mechanisms needed to build an OS: threads, message passing, interrupts, virtual memory, and strong access control with capabilities. Network stacks, file systems, and device drivers are implemented in user space in microkernel systems, and it has been shown that this can be achieved with high performance.

Our proof does precisely what the dream of the '70s was: we define formally, in an abstract specification, what it means for the kernel to be correct. We describe what it does for each input (trap instruction, interrupt, etc.), but not necessarily how it is done. Then we prove mathematically that the C implementation always correctly implements this specification. The proof goes down to the level of the C implementation and assumes the correctness of everything below that level: compiler, linker, assembly code, hardware, low-level cache management and TLB. We also assume correctness of the boot code. This is still a long list, but each proof has to stop somewhere, and this is where we chose to stop. With more resources it is possible to eliminate almost all of the assumptions above; there are, for instance, a number of recent research projects on verified optimising C compilers. We did not only prove the code correct; we also did extensive design proofs and validation.
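The proof structure the abstract describes, an abstract specification of what each operation does, a concrete implementation of how it is done, and a proof that the implementation refines the specification, can be illustrated on a miniature. The Python below is an added example written for this page, not code from the paper or from the seL4 project: it models a single capability-protected "send to endpoint" operation on a constructed toy kernel state (a two-slot CNode, bitmask rights, ring-buffer message queues), gives an abstract specification over sets and tuples, an abstraction function between the two, and then checks the refinement obligation `abstract(impl_step(c, op)) == spec_step(abstract(c), op)` exhaustively over the finite state space. Exhaustive enumeration stands in here for what the seL4 proof does by induction in Isabelle/HOL over an unbounded state space; the `check_rights` switch is a constructed knob that removes the capability-rights check so the reader can see the kind of security bug a refinement proof would refuse to discharge.

```python
"""Toy data-refinement check in the style of a kernel correctness proof.

The abstract specification says WHAT 'send' does on a mathematical state
(sets, tuples); the concrete implementation says HOW it is done on a data
layout (fixed slots, bitmask rights, ring buffer); an abstraction function
maps concrete states to abstract ones.  The obligation checked for every
concrete state c and input op is

    abstract(impl_send(c, op)) == spec_send(abstract(c), op)

Everything here is a constructed miniature, not seL4's real model.
"""
from itertools import product

# Constructed toy parameters, small enough to enumerate every state.
N_SLOTS = 2                  # capability slots in the (single) thread's CNode
QUEUE_CAP = 2                # endpoint message-queue capacity
ENDPOINTS = (0, 1)
MSGS = ("a", "b")
WRITE_BIT, READ_BIT = 1, 2   # concrete rights encoding (bitmask)


# --- abstract specification: what 'send' does, no data layout -------------
# state = (caps, queues)
#   caps:   {slot: (endpoint, frozenset of right names)} for occupied slots
#   queues: {endpoint: tuple of messages, oldest first}
# op = (slot, msg); returns (new_state, result)
def spec_send(state, op):
    caps, queues = state
    slot, msg = op
    if slot not in caps:
        return state, "EINVAL"              # empty slot
    ep, rights = caps[slot]
    if "write" not in rights:
        return state, "EPERM"               # capability lacks the send right
    if len(queues[ep]) >= QUEUE_CAP:
        return state, "EFULL"
    new_queues = dict(queues)
    new_queues[ep] = queues[ep] + (msg,)
    return (caps, new_queues), "OK"


# --- concrete implementation: how it is done on a fixed layout ------------
# state = (cnode, rings)
#   cnode: tuple of N_SLOTS entries, each None or (endpoint, rights_bits)
#   rings: {endpoint: (buf tuple of length QUEUE_CAP, head, count)}
def impl_send(state, op, check_rights=True):
    cnode, rings = state
    slot, msg = op
    entry = cnode[slot]
    if entry is None:
        return state, "EINVAL"
    ep, bits = entry
    if check_rights and not (bits & WRITE_BIT):   # check_rights=False: injected bug
        return state, "EPERM"
    buf, head, count = rings[ep]
    if count == QUEUE_CAP:
        return state, "EFULL"
    tail = (head + count) % QUEUE_CAP
    new_buf = buf[:tail] + (msg,) + buf[tail + 1:]
    new_rings = dict(rings)
    new_rings[ep] = (new_buf, head, count + 1)
    return (cnode, new_rings), "OK"


# --- abstraction function: forget the layout, keep the meaning ------------
def abstract(state):
    cnode, rings = state
    caps = {}
    for slot, entry in enumerate(cnode):
        if entry is not None:
            ep, bits = entry
            names = (("write", WRITE_BIT), ("read", READ_BIT))
            caps[slot] = (ep, frozenset(n for n, b in names if bits & b))
    queues = {ep: tuple(buf[(head + i) % QUEUE_CAP] for i in range(count))
              for ep, (buf, head, count) in rings.items()}
    return caps, queues


def all_concrete_states():
    """Every concrete state over the toy domain, including junk ring contents
    beyond `count`, which the abstraction must ignore."""
    entries = [None] + [(ep, bits) for ep in ENDPOINTS for bits in range(4)]
    rings = [(buf, head, count) for buf in product(MSGS, repeat=QUEUE_CAP)
             for head in range(QUEUE_CAP) for count in range(QUEUE_CAP + 1)]
    for cnode in product(entries, repeat=N_SLOTS):
        for chosen in product(rings, repeat=len(ENDPOINTS)):
            yield cnode, dict(zip(ENDPOINTS, chosen))


def check_refinement(step):
    """Return None if `step` refines spec_send on every state and input,
    otherwise the first counterexample (state, op, impl_view, spec_view)."""
    for c in all_concrete_states():
        a = abstract(c)
        for op in product(range(N_SLOTS), MSGS):
            c2, r_impl = step(c, op)
            a2, r_spec = spec_send(a, op)
            if (abstract(c2), r_impl) != (a2, r_spec):
                return c, op, (abstract(c2), r_impl), (a2, r_spec)
    return None


if __name__ == "__main__":
    print("faithful implementation:", check_refinement(impl_send))
    buggy = lambda c, op: impl_send(c, op, check_rights=False)
    print("rights check removed:   ", check_refinement(buggy))
```

The faithful implementation passes on all 46,656 concrete states; the variant without the rights check fails on the first state where a slot holds a capability with no write right and the queue has room, because the implementation delivers the message where the specification says "EPERM". Note what the check does and does not cover, mirroring the assumptions listed above: it says nothing about how `impl_send` is compiled, about the hardware it runs on, or about the state of the system before this operation is reached.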
Similar sources

Correct OS Kernel? Proof? Done! Gerwin
Full text

Noninterference for Operating System Kernels
While intransitive noninterference is a natural property for any secure OS kernel to enforce, proving that the implementation of any particular general-purpose kernel enforces this property is yet to be achieved. In this paper we take a significant step towards this vision by presenting a machine-checked formulation of intransitive noninterference for OS kernels, and its associated sound and co...
Full text

CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels
Complete formal verification of a non-trivial concurrent OS kernel is widely considered a grand challenge. We present a novel compositional approach for building certified concurrent OS kernels. Concurrency allows interleaved execution of kernel/user modules across different layers of abstraction. Each such layer can have a different set of observable events. We insist on formally specifying th...
Full text

From a Verified Kernel towards Verified Systems

The L4.verified project has produced a formal, machine-checked Isabelle/HOL proof that the C code of the seL4 OS microkernel correctly implements its abstract implementation. This paper briefly summarises the proof, its main implications and assumptions, reports on the experience in conducting such a large-scale verification, and finally lays out a vision how this formally verified kernel may be...
Full text

Frobenius kernel and Wedderburn's little theorem

We give a new proof of the well-known Wedderburn's little theorem (1905) that a finite division ring is commutative. We apply the concept of the Frobenius kernel from the Frobenius representation theorem in finite group theory to build the proof.

Full text