Presentation is loading. Please wait.

Presentation is loading. Please wait.

Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong."— Presentation transcript:

1 Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong Shao (Yale), Yuan Dong (Tsinghua Univ.) and Yu Guo (USTC)

2 How to verify safety & correctness of OS kernels / Hypervisors? Code loading Many challenges: Interrupts … Device drivers & I/O Concurrency Low-level C/Assembly code Is verification possible? How to do it in a clean & modular way?

3 Layering of Simplified Kernel Code B: concurrent code with explicit interrupts How to verify ???

4 Concurrency with Interrupts: Challenges irq0 irq1 (1) (2) (3) (4) (5) Asymmetric preemption between handlers and non-handler code Intertwining between threads and handlers Asymmetric synchronization: cli/sti are different from locks

5 Our Contributions A Hoare-style program logic for modular verification of low-level programs with interrupts and concurrency.

6 AIM – I : Single Threaded-Code with Interrupts I1I1 f1:f1: I2I2 f2:f2: ISR ih: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … cli sti iret … j f (program) P::=(C,S,pc) ::=(H,R,ie) ::={f  I} * pc ie

7 Example: Teeter-Totter while(true){ cli; if([right] == 0){ sti; break; } [right] := [right]-1; [left] := [left]+1; sti; } print(“left wins!”); timer: if([left] == 0){ print(“right wins!”); iret; } [left] := [left]-1; [right] := [right]+1; iret; 50 left right How to guarantee non-interference?

8 Non-Interference? Program invariant: There is always a partition of memory among concurrent entities, and each concurrent entity only access its own part. But note: The partition is dynamic: ownership of memory can be dynamically transferred. cli/sti can be modeled as operations that trigger memory ownership transfer.

9 - { P h }INV AIM – I : The Memory Model Non-handler sti iret Handler BA cli … Memory … - { P h }INV The memory partition is logical, not physical!

10 Separation Logic to Enforce Partition l  n n l p  qp  q pq emp empty heap p  qp  q p  q [Ithtiaq & O’Hearn’01, Reynolds’02]

11 AIM – I : cli/sti BA INV BB B BA B B cli sti ie = 1ie = 0

12 Example: Teeter-Totter while(true){ -{emp  ie=1} cli; -{emp * INV}... [right] := [right]-1; [left] := [left]+1; -{INV} sti; -{emp  ie=1} } timer: -{INV} if([left] == 0){ print(“right wins!”); -{INV} iret; } [left] := [left]-1; [right] := [right]+1; -{INV} iret; INV:  m, n. (left  m)  (right  n)  (m+n = 100) 50 left right sti cli

13 AIM-II : Multi-threaded code with interrupts f1:f1: f2:f2: ih: (code heap) C (state) S (program) P::=(C,S,B,Q,pc) ::=(H,R,ie) cli/sti switch block w unblock w pc 0 r1r1 1 2 … r2r2 r3r3 …rnrn (data heap) H (register file) R ie pc R R R … (ready. queue) Q … w1w1 w2w2 wnwn B

14 Non-interference? f1:f1: f2:f2: ih: (code heap) C (state) S::=(H,R,ie) cli/sti switch block w unblock w pc 0 r1r1 1 2 … r2r2 r3r3 …rnrn (data heap) H (register file) R ie pc R R R … (ready. queue) Q … w1w1 w2w2 wnwn B Use memory partition to control interference!

15 AIM – II : Memory Model BA INV A C T1T1 T2T2 INV1

16 AIM – II : cli/sti T 1 : cli CA INV T1T1 T2T2 INV1 T 1 : CT 1 : A INV T1T1 T2T2 INV1 ie = 1ie = 0 C'A' INV T1T1 T2T2 INV1 T 1 : C'T 1 : A' INV T1T1 T2T2 INV1 T 1 : sti

17 AIM – II : switch T 1 : CT 1 : A INV T1T1 T2T2 INV1 T 1 : switch T 2 : CT 2 : A INV T1T1 T2T2 INV1 ie = 0 T 2 : switch T 1 : C'T 1 : A' INV T1T1 T2T2 INV1 T 2 : C'T 2 : A' INV T1T1 T2T2 INV1 switch untouched INV1 * INV preserved … sti … cli …

18 block switch T 1 : CT 1 : A INV T1T1 T2T2 INV1 ? ! T 2 : CT 2 : A INV T1T1 T2T2 INV1 ! T 2 : C'T 2 : A' INV INV1 T1T1 T2T2 T 1 : C'T 1 : A' INV T1T1 INV1 T2T2 ! unblock Thread 1 T2T2 ! AIM-II: block/unblock Thread 2 block

19 AIM-II : block/unblock Threads block themselves to wait for resources. … w1w1 w2w2 wnwn B locks: wait for resources protected by locks condition variables: wait for conditions to come true R1R1 R2R2 RnRn R can be empty Unifies different semantics of Condition Variables: Mesa style Hoare style Brinch-Hansen style Read our paper for details!

20 Implementations – An Infrastructure for x86 verification Coq (Higher-Order Logic with Inductive Def.) x86 semantics (a subset) Sep. LogicUtilities (e.g. Queues) AIM Logic & Soundness Locks, Condition variables Timer handler, yield/sleep SCAP switch, block, unblock 26,00012,000 26,0003,000 6,3004,000 Around 82,000 lines of Coq code 3,300 See http://flint.cs.yale.edu/publications/aim.html

21 Summary Abstract Machine & Program Logic –Hardware interrupts + preemptive threads –Ownership transfer semantics cli, sti, switch, block, unblock Implementations –Infrastructure for x86 code verification –Certified x86 modules Future work –Multi-processor platforms –Liveness properties –Verification of C programs

22 Thank you!

Download ppt "Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong."

Similar presentations

A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL:

A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL:
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 3 Operating System Organization.
Advanced Development of Certified OS Kernels Zhong Shao Bryan Ford Yale University November 2010 Focus Areas: Operating Systems,

Advanced Development of Certified OS Kernels Zhong Shao Bryan Ford Yale University November Focus Areas: Operating Systems,
Threads, SMP, and Microkernels Chapter 4. Process Resource ownership - process is allocated a virtual address space to hold the process image Scheduling/execution-

Threads, SMP, and Microkernels Chapter 4. Process Resource ownership - process is allocated a virtual address space to hold the process image Scheduling/execution-
Threads Irfan Khan Myo Thein What Are Threads ? a light, fine, string like length of material made up of two or more fibers or strands of spun cotton,

Threads Irfan Khan Myo Thein What Are Threads ? a light, fine, string like length of material made up of two or more fibers or strands of spun cotton,
Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.

Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.
CS533 Concepts of Operating Systems Class 3 Monitors.

CS533 Concepts of Operating Systems Class 3 Monitors.
CS533 Concepts of Operating Systems Class 20 Summary.

CS533 Concepts of Operating Systems Class 20 Summary.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.

Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
CS533 Concepts of Operating Systems Class 3 Monitors.

CS533 Concepts of Operating Systems Class 3 Monitors.
10/19/2007TTI-C PL-Lunch Certified Concurrent Code with Interrupts Xinyu Feng Joint work with Zhong Shao (Yale University) and Yuan Dong (Tsinghua University)

10/19/2007TTI-C PL-Lunch Certified Concurrent Code with Interrupts Xinyu Feng Joint work with Zhong Shao (Yale University) and Yuan Dong (Tsinghua University)
An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.

An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.
Modular Verification of Assembly Code with Stack-Based Control Abstractions Xinyu Feng Yale University Joint work with Zhong Shao, Alexander Vaynberg,

Modular Verification of Assembly Code with Stack-Based Control Abstractions Xinyu Feng Yale University Joint work with Zhong Shao, Alexander Vaynberg,
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
Processes 1 CS502 Spring 2006 Processes Week 2 – CS 502.

Processes 1 CS502 Spring 2006 Processes Week 2 – CS 502.
CS533 - Concepts of Operating Systems 1 Class Discussion.

CS533 - Concepts of Operating Systems 1 Class Discussion.
CPS110: Implementing threads/locks on a uni-processor Landon Cox.

CPS110: Implementing threads/locks on a uni-processor Landon Cox.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
Compositional Verification of Termination-Preserving Refinement of Concurrent Programs Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.

Compositional Verification of Termination-Preserving Refinement of Concurrent Programs Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.
COSC 3407: Operating Systems Lecture 3: Processes.

COSC 3407: Operating Systems Lecture 3: Processes.

Similar presentations

Ads by Google