Push-Button Verification of Systems Software

dc.contributor.advisor: Wang, Xi
dc.contributor.author: Sigurbjarnarson, Helgi Kristvin
dc.date.accessioned: 2020-04-30T17:42:13Z
dc.date.available: 2020-04-30T17:42:13Z
dc.date.issued: 2020-04-30
dc.date.submitted: 2020
dc.description: Thesis (Ph.D.)--University of Washington, 2020
dc.description.abstract: Systems software interfaces with hardware, multiplexes resources, and provides common abstractions for modern applications to build on. The correctness and reliability of these systems are critical for the applications and users that depend on them. While formal verification of systems software can be effective at eliminating bugs, it is a non-trivial task, requiring developers to write many lines of proof code for every line of implementation code. This is a considerable engineering effort that requires a high degree of expertise. This dissertation explores a new approach to designing, specifying, implementing, and verifying systems software in a push-button fashion. By co-designing systems software with automation, we argue it is possible to build correct and reliable systems with substantially less effort. We developed four systems to demonstrate the effectiveness of this approach, using the Z3 satisfiability modulo theories (SMT) solver. First, we developed Yggdrasil, a toolkit for writing file systems. Yggdrasil uses push-button verification with a new definition of file system correctness called crash refinement. Crash refinement is amenable to fully automated reasoning, and it enables developers to implement file systems in a modular way for verification. Second, we developed an OS kernel named Hyperkernel, which has a high degree of proof automation and a low proof burden. Hyperkernel introduces three key ideas to achieve proof automation: it finitizes the kernel interface to avoid unbounded loops or recursion; it separates kernel and user address spaces to simplify reasoning about virtual memory; and it performs verification at the LLVM intermediate representation level to avoid modeling complicated C semantics. Third, we developed Nickel, a framework that helps developers design and verify information flow control systems by systematically eliminating covert channels inherent in the interface. Nickel provides a formulation of noninterference amenable to automated verification, allowing developers to specify an intended policy of permitted information flows. Fourth, we developed Ratatoskr, which shows the feasibility of applying push-button verification to distributed protocols. Together, these contributions demonstrate the effectiveness of treating automation as a first-class design principle, letting developers build verified systems software with substantially less effort.
dc.embargo.terms: Open Access
dc.format.mimetype: application/pdf
dc.identifier.other: Sigurbjarnarson_washington_0250E_21280.pdf
dc.identifier.uri: http://hdl.handle.net/1773/45476
dc.language.iso: en_US
dc.rights: none
dc.subject: File systems
dc.subject: Information flow control systems
dc.subject: Operating systems
dc.subject: Push-button verification
dc.subject: System design
dc.subject: System verification
dc.subject: Computer science
dc.subject.other: Computer science and engineering
dc.title: Push-Button Verification of Systems Software
dc.type: Thesis
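The abstract's notion of crash refinement (every state a file system implementation can reach, including states left behind by a crash mid-operation, must correspond to a state the specification allows) can be made concrete on a toy model. The following is an added illustration written for this page, not code from the thesis or from Yggdrasil: it replaces the SMT solver with bounded exhaustive enumeration, which only scales to tiny models, and the disk layout, the append operation, the three candidate implementations and the pending-write crash model (writes since the last barrier may persist in any subset) are all assumptions made here for the example.

```python
"""Bounded crash-refinement check for a toy append-only file system.

Constructed illustration: a disk is a dict block -> value, block 0 holds
the file length and blocks 1..DATA_BLOCKS hold data. An implementation of
append() is a list of ("write", block, value) and ("barrier",) operations.
"""
from itertools import combinations

DATA_BLOCKS = 3


def fresh_disk():
    """Empty file: length 0, all data blocks unwritten."""
    disk = {0: 0}
    disk.update({i: None for i in range(1, DATA_BLOCKS + 1)})
    return disk


def abstract(disk):
    """Specification-level view: the values reachable through the length field."""
    return tuple(disk[i] for i in range(1, disk[0] + 1))


def spec_append(state, value):
    """The specification: append is atomic, so only pre- and post-state exist."""
    return state + (value,)


# Three candidate implementations of append (assumed, for illustration).
def impl_data_then_barrier(disk, value):
    n = disk[0]
    return [("write", n + 1, value), ("barrier",), ("write", 0, n + 1)]


def impl_length_first(disk, value):
    n = disk[0]
    return [("write", 0, n + 1), ("barrier",), ("write", n + 1, value)]


def impl_no_barrier(disk, value):
    n = disk[0]
    return [("write", n + 1, value), ("write", 0, n + 1)]


def crash_states(disk, ops):
    """All on-disk states reachable by crashing anywhere in `ops`, plus the
    completed state. Crash model (assumed): writes issued since the last
    barrier are pending, and a crash may persist any subset of them, so
    pending writes can be lost or effectively reordered."""
    states = set()
    durable = dict(disk)
    pending = []

    def record_crash_points():
        for k in range(len(pending) + 1):
            for subset in combinations(pending, k):
                d = dict(durable)
                for blk, val in subset:
                    d[blk] = val
                states.add(tuple(sorted(d.items())))

    record_crash_points()
    for op in ops:
        if op[0] == "write":
            pending.append((op[1], op[2]))
        else:  # barrier: everything pending becomes durable
            for blk, val in pending:
                durable[blk] = val
            pending.clear()
        record_crash_points()
    for blk, val in pending:  # normal completion, no crash
        durable[blk] = val
    states.add(tuple(sorted(durable.items())))
    return states


def crash_refines(impl, disk, value):
    """Crash refinement for one operation on one disk: every reachable state
    must abstract to the pre-state or to the spec's post-state.
    Returns (ok, counterexample_disk_or_None)."""
    pre = abstract(disk)
    allowed = {pre, spec_append(pre, value)}
    for st in sorted(crash_states(disk, impl(disk, value)), key=repr):
        d = dict(st)
        if abstract(d) not in allowed:
            return False, d
    return True, None


def check(impl, values=("a", "b")):
    """Bounded exhaustive check over every file length that fits on the disk."""
    for n in range(DATA_BLOCKS):
        disk = fresh_disk()
        disk[0] = n
        for i in range(1, n + 1):
            disk[i] = "x%d" % i
        for value in values:
            ok, cex = crash_refines(impl, disk, value)
            if not ok:
                return False, cex
    return True, None


if __name__ == "__main__":
    for impl in (impl_data_then_barrier, impl_length_first, impl_no_barrier):
        ok, cex = check(impl)
        print(impl.__name__, "crash-refines spec" if ok else "counterexample %r" % cex)
```

The counterexamples the check produces are the states where the length field already points at a data block that never reached the disk: writing the length first is wrong even with a barrier, and writing data first is wrong without one, because the crash model lets the later length write land before the earlier data write. Only the data-then-barrier-then-length ordering leaves every crash state in the spec's set, which is the property the abstract describes. Replacing the enumeration with symbolic disk states and an SMT query is what turns this from a toy into the push-button approach the thesis describes.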

Files

Name: Sigurbjarnarson_washington_0250E_21280.pdf
Size: 624.81 KB
Format: Adobe Portable Document Format