Slashdot Mirror

← Back to Stories (view on slashdot.org)

World's First Formally-Proven OS Kernel

Posted by Soulskill on from the wait-for-it dept.

An anonymous reader writes "Operating systems usually have bugs — the 'blue screen of death,' the Amiga Hand, and so forth are known by almost everyone. NICTA's team of researchers has managed to prove that a particular OS kernel is guaranteed to meet its specification. It is fully, formally verified, and as such it exceeds the Common Criteria's highest level of assurance. The researchers used an executable specification written in Haskell, C code that mapped to Haskell, and the Isabelle theorem prover to generate a machine-checked proof that the C code in the kernel matches the executable and the formal specification of the system." Does it run Linux? "We're pleased to say that it does. Presently, we have a para-virtualized version of Linux running on top of the (unverified) x86 port of seL4. There are plans to port Linux to the verified ARM version of seL4 as well." Further technical details are available from NICTA's website.

24 of 517 comments (clear)

  1. spec? by polar+red · · Score: 5, Insightful

    but is the spec useable ? bugfree ?

    --
    Yes, I'm left. You have a problem with that?
    1. Re:spec? by jadrian · · Score: 4, Insightful

      To verify the software meets its specification the specification itself must formalised in the theorem prover. This in turn gives you the possibility of proving properties of the spec itself.

    2. Re:spec? by JasterBobaMereel · · Score: 5, Informative

      It only means it meets the spec, not that the spec is correct ...

      It does not mean that the faulty or erratic hardware cannot crash the system

      It does not mean that other programs cannot crash and lose your data ...

      It does not mean that buggy device drivers can make your system unusable

      It does not mean that the system is perfect, only that it will always do what it is supposed to ... which may not be what you want ...

      --
      Puteulanus fenestra mortis
  2. Amiga Hand? by ArcadeNut · · Score: 4, Informative

    Or do you mean the "Guru Meditation Error"?

    --
    Visit the Arcade Restoration Workshop @ http://www.arcaderestoration.com
  3. The Amiga Hand? by johannesg · · Score: 5, Interesting

    The Amiga Hand was the boot screen, not an error screen. You're thinking of the famous Guru Meditation.

    Besides, who says that the Amiga kernel did _not_ meet the specifications? Have you read them? Does it mention "crash free" anywhere?

    The Haskell code is called a "specfication", but if it is Haskell code, surely it should count as a _program_ already? How can you prove that that program is bug-free? How about conceptual bugs?

    Was the toolchain verified? How about the hardware on which it runs?

    What overhead does this approach have? Are the benefits worth it?

    I'm not saying this is all bullshit, but it looks like me that they are pointing to one program, calling it a "specification", and then demonstrating machine translation / verification to a similar program. I'm not sure if I buy that methodology.

    1. Re:The Amiga Hand? by Anonymous Coward · · Score: 5, Informative

      The missing word is formal.

      They use a formal specification, which is then formally verified.

      The overhead? It took something like 5 years for a 10,000 line program. The benefit is if the specification is right, the program should be right.

      Other questions are answered in the FAQ linked in the summary and this page.

    2. Re:The Amiga Hand? by Tom · · Score: 4, Interesting

      How can you prove that that program is bug-free? How about conceptual bugs?

      Formal verification does not tackle conceptual bugs. What it does is prove that the implementation conforms to the specification. If your specification is false, then it is false, but the implementation will correctly implement the false behaviour. In other words, this checks whether the house and the building plan are identical. If the plan has a window where there shouldn't be one, then that window will be there, because it's on the plan.

      What overhead does this approach have? Are the benefits worth it?

      RTFA. The amount of work required is staggering (four years, 200,000 theorems to prove) but since it's a verification of code, not additional testing code, there is zero overhead when the system is running.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:The Amiga Hand? by Chris+Mattern · · Score: 4, Insightful

      The benefit is if the specification is right, the program should be right.

      We'll have to prove the specification does what we want, then. Of course, then we have to make sure our conception of what we want is right...

      Personally, I think it's elephants all the way down.

  4. Re:Yeah right by oji-sama · · Score: 5, Funny

    It's not a bug, it's a formally proved feature ^.^

    --
    It is what it is.
  5. Give me six lines of code... by Joce640k · · Score: 4, Funny

    "If you give me six lines of code written by the most diligent of programmers, I will surely find enough in them to crash the OS" - Cardinal Ritchielieu

    --
    No sig today...
    1. Re:Give me six lines of code... by Telecommando · · Score: 5, Funny

      Every program contains at least one bug, and can be shortened by at least
      one instruction. By induction, every program can be reduced to a single
      instruction which doesn't work. /old, I know.

      --
      Beta sux! Join the Slashcott! http://hardware.slashdot.org/comments.pl?sid=4760465&cid=46173047
    2. Re:Give me six lines of code... by ranulf · · Score: 4, Funny
      > By induction, every program can be reduced to a single instruction which doesn't work.

      HACF?

    3. Re:Give me six lines of code... by Anonymous Coward · · Score: 5, Funny

      /*
        *
        *
        *
        *
        */

  6. Knuth on proven correct: by John+Hasler · · Score: 5, Insightful

    "Beware of bugs in the above code. I have only proven it correct, not tested it."

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  7. Re:Apps running on top will crash... so by John+Hasler · · Score: 5, Informative

    > Even if we have a perfect kernel, it won't insulate us from bugs in the
    > software running on top of that kernel, so do we really gain much?

    Since a kernel crash kills all your applications and background processes, kills your network connection, requires you to reboot, and can scribble anywhere on the disk, yes.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  8. Then a driver blows it all up.. by tjstork · · Score: 4, Funny

    Suddenly after that, the proven kernel will be brought to its knees when someone adds a driver for an old graphics card.

    --
    This is my sig.
  9. Proven? by mseeger · · Score: 5, Insightful

    There is an old corollary that says, you cannot get from the informal to the formal by formal means. All they have proven is, that two specifications contain the same bugs. Both specification were formal (Haskell, C). This is the same as having Perl and Python code and you to prove they implement the same functionality. Neither is a proof, it is bug free (informal definition of bug, not if a bug is specified it isn't a bug).

  10. Re:Godel's Incompleteness Theorem? by TheSunborn · · Score: 4, Insightful

    Godel's Incompleteness Theorem just say(In this context) that there exists infinite many kernels that are correct but which can not be proven correct. It does not say that no kernel can be proven correct.

    So they just happen to write one of the kernels that could be proven.

  11. Re:Provable? by jamesh · · Score: 5, Insightful

    I thought any sufficiently complex system was impossible to prove correct.

    Then obviously this OS is not sufficiently complex.

  12. Re:Apps running on top will crash... so by Tom · · Score: 4, Insightful

    Yes, it gains you a lot.

    Firefox crashing means your userland memory is fucked up and can't be trusted anymore. No problem, kill it, clean it and restart the application.

    A kernel crash leads to undefined behaviour on the ring 0 level. You don't want that, it's where root exploits live.

    Furthermore, we have a lot of really, really strong kernel-level security extensions, like SELinux, whose only two vulnerable spots are kernel-level exploits and weak security policies. If you can remove one of them, you've done a lot to improve security.

    --
    Assorted stuff I do sometimes: Lemuria.org
  13. Good News and Bad News by Jacques+Chester · · Score: 4, Insightful

    First off, as an Australian and a nerd, I am very proud.

    Now.

    Good news: there is now a formally verified microkernel. 8,700 lines of C and 600 odd lines of ARM assembly. Awesome.

    Bad news: it took 200,000 lines of manually-generated proof and approximately 25 person-years by PhDs to verify the aforementioned microkernel.

    Conclusion: formal verification of software is not going to take off any time soon.

    --

    Classical Liberalism: All your base are belong to you.

  14. Re:Empty promises... by ezzzD55J · · Score: 5, Insightful

    Most faults on most platforms are caused by hardware faults

    bullshit.

  15. You mean they aren't all tested like this? by Remus+Shepherd · · Score: 4, Insightful

    As someone who does not work in IT, count me as surprised that not all OSes are tested this rigorously.

    --
    Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
  16. A truly marvelous by autophile · · Score: 4, Funny

    I have written a truly marvelous bug-free operating system, however there is not enough space on this disk to include it here.

    --
    Towards the Singularity.