Towards Verifiable Device Drivers: an Approach Based on Domain-specific Languages Fabrice Mérillon Laurent Réveillère Charles Consel Robin Hansen Renaud Marlet

Although peripheral devices come out at a frantic pace and require fast releases of drivers, little progress has been made to improve the development of drivers. Too often, this development consists of decoding hardware intricacies, based on ambiguous or incomplete documentation , to determine how to operate a device. Then, assembly-level operations need to be used to interact with the device. These low-level operations make the device driver fairly unreadable and prevent safety properties from being checked. This paper presents a language, named Devil, dedicated to deening the functional interface of a device. More precisely, Devil aims at specifying the access mechanisms, the type and layout of data, and behavioral properties involved in operating a device. The beneet of our approach is that, once compiled, a Devil description implements an interface which models an idealized device and abstracts the hardware intricacies. Unlike a general-purpose language, Devil allows a description to be thoroughly veriied; this veriication greatly improves the safety of the communications with the device. The design of Devil is based on key concepts we identiied in analyzing the domain of device drivers. Our language has been used to specify a large number of PC devices including Ethernet, video, sound, interrupt, DMA and mouse controllers.