220 likes | 234 Views
Explore challenges in verifying safety & correctness of OS kernels/hypervisors with concurrency, interrupts, & concurrency with interrupts. Learn about a Hoare-style program logic for modular verification of low-level programs, with a focus on memory partitioning and separation logic.
E N D
Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong Shao (Yale), Yuan Dong (Tsinghua Univ.) and Yu Guo (USTC)
Many challenges: Low-level C/Assembly code Code loading Concurrency Interrupts Device drivers & I/O … How to verify safety & correctness of OS kernels / Hypervisors? Is verification possible? How to do it in a clean & modular way?
B: concurrent code with explicit interrupts How to verify ??? Layering of Simplified Kernel Code
irq0 irq1 Concurrency with Interrupts: Challenges (1) (4) (3) (2) (5) Asymmetric preemption between handlers and non-handler code Intertwining between threads and handlers Asymmetric synchronization: cli/sti are different from locks
Our Contributions A Hoare-style program logic for modular verification of low-level programs with interrupts and concurrency.
AIM – I : Single Threaded-Code with Interrupts (data heap) H f1: I1 pc addu … cli sti iret … j f 0 1 2 … f2: I2 r1 r2 r3 … rn ih: ISR (register file) R ie … (code heap) C (state) S ::=(H,R,ie) ::={fI}* (program) P ::=(C,S,pc)
Example: Teeter-Totter right left 50 50 while(true){ cli; if([right] == 0){ sti; break; } [right] := [right]-1; [left] := [left]+1; sti; } print(“left wins!”); timer: if([left] == 0){ print(“right wins!”); iret; } [left] := [left]-1; [right] := [right]+1; iret; How to guarantee non-interference?
Non-Interference? Program invariant: There is always a partition of memory among concurrent entities, and each concurrent entity only access its own part. But note: The partition is dynamic: ownership of memory can be dynamically transferred. cli/sti can be modeled as operations that trigger memory ownership transfer.
- { Ph } AIM – I : The Memory Model INV B A Memory Non-handler Handler - { Ph } INV sti … iret cli … The memory partition is logical, not physical!
emp empty heap l n l n pq p q p q pq Separation Logic to Enforce Partition [Ithtiaq & O’Hearn’01, Reynolds’02]
INV cli B B sti B A B B INV INV AIM – I : cli/sti INV B A B ie = 1 ie = 0
sti cli Example: Teeter-Totter right INV: m, n. (left m) (right n) (m+n = 100) left 50 50 while(true){ -{emp ie=1} cli; -{emp * INV} ... [right] := [right]-1; [left] := [left]+1; -{INV} sti; -{emp ie=1} } timer: -{INV} if([left] == 0){ print(“right wins!”); -{INV} iret; } [left] := [left]-1; [right] := [right]+1; -{INV} iret;
… (data heap) H R R R f1: pc pc pc (ready. queue) Q f2: … 2 1 0 w1 ih: r1 r2 r3 … rn w2 (register file) R ie … cli/sti switch block w unblock w pc wn B AIM-II : Multi-threaded code with interrupts (code heap) C (state) S ::=(H,R,ie) (program) P ::=(C,S,B,Q,pc)
… (data heap) H R R R f1: pc pc pc (ready. queue) Q f2: … 2 1 0 ih: r1 r2 r3 … rn (register file) R ie pc cli/sti switch block w unblock w Non-interference? w1 w2 (code heap) C (state) S ::=(H,R,ie) … wn B Use memory partition to control interference!
T1 T2 C A INV1 INV AIM – II : Memory Model INV B A
T1 T1 T2 T2 T1: cli T1: C' T1: C T1: A T1: A' T1: sti INV1 INV1 INV INV T1 T2 C' A' INV1 INV AIM – II : cli/sti T1 T2 C A INV1 INV ie = 1 ie = 0
T1 T1 T2 T2 untouched T1: switch T2: C T2: C' T2: A T2: A' switch INV1 * INV preserved INV1 INV1 INV INV T1 T2 T2: switch T1: C' T1: A' INV1 INV AIM – II : switch T1 T2 T1: C T1: A INV1 INV …sti…cli… ie = 0
T1 ! T2 block T2: C T2: A INV1 INV unblock block T1 ! T2 T1 T2 switch T1: C' T1 : A' T2 : C' T2 : A' INV1 INV INV1 INV AIM-II: block/unblock T1 T2 ? T2 T1: C T1: A INV1 INV ! ! Thread 1 Thread 2
R1 R2 Rn AIM-II : block/unblock Threads block themselves to wait for resources. locks: wait for resources protected by locks condition variables: wait for conditions to come true R can be empty w1 Unifies different semantics of Condition Variables: Mesa style Hoare style Brinch-Hansen style Read our paper for details! w2 … wn B
Sep. Logic Utilities (e.g. Queues) Implementations – An Infrastructure for x86 verification 26,000 12,000 Locks, Condition variables Timer handler, yield/sleep switch, block, unblock AIM Logic & Soundness SCAP 26,000 3,000 6,300 4,000 x86 semantics (a subset) 3,300 Coq (Higher-Order Logic with Inductive Def.) Around 82,000 lines of Coq code See http://flint.cs.yale.edu/publications/aim.html
Summary • Abstract Machine & Program Logic • Hardware interrupts + preemptive threads • Ownership transfer semantics • cli, sti, switch, block, unblock • Implementations • Infrastructure for x86 code verification • Certified x86 modules • Future work • Multi-processor platforms • Liveness properties • Verification of C programs