Complete formal verification of a non-trivial concurrent OS kernel is widely considered a grand challenge. We present a novel compositional approach for building certified concurrent OS kernels. Concurrency allows interleaved execution of kernel/user modules across different layers of abstraction. Each such layer can have a different set of observable events. We insist on formally specifying these layers and their observable events, and then verifying each kernel module at its proper abstraction level. To support certified linking with other CPUs or threads, we prove a strong contextual refinement property for every kernel function, which states that the implementation of each such function will behave like its specification under any kernel/user context with any valid interleaving. We have successfully developed a practical concurrent OS kernel and verified its (contextual) functional correctness in Coq. Our certified kernel is written in 6500 lines of C and x86 assembly and runs on stock x86 multicore machines. To our knowledge, this is the first proof of functional correctness of a complete, general-purpose concurrent OS kernel with fine-grained locking.
Some light reading for your late Tuesday afternoon.
Or a more civilian Erlang? A Future Rust?
This sounds interesting and promising.
Firstly: an O/S which is verifiable as reliable sounds a great thing of wonder.
Secondly: the concurrent thing will, I think, turn out to be a very big deal. Processors have hit a kind of ceiling around ~4GHz; the improvements continue but they often relate to multi core and lower power.
IFF they get this right: could we see a performance uplift comparable with the performance uplift going from ruby + rails to elixir + phoenix?
Final question: is this an academic exercise or a serious next step to a serious market player with a wealth of device drivers?
Edited 2016-11-15 22:17 UTC
A correct multithreaded os isn’t necessarilyba performant one. I’d go as far as to day that the more easily verifiable multithreading solutions are probably not the most performant.
This mostly shifts the problem of writing error-free code to writing error-free specifications.
In addition, it seems to me that only security against known attack classes was proved. Previously when someone claimed their machine was secure (voting machines with programs in ROM) people devised return oriented programming to get around this.
While it is definitely an improvement, that such a system is and remains secure is still questionable.
Too true. And don’t forget that this proof is only valid for bug and side effect free hardware, should they ever be able to build such a machine.