Professional Documents
Culture Documents
Formally Verified Software in The Real World
Formally Verified Software in The Real World
Formally Verified Software in The Real World
DOI:10.1145/ 3230627
One might think surviving such
Verified software secures the Unmanned an attack is not a big deal, certainly
that military aircraft would be robust
Little Bird autonomous helicopter against against cyber attacks. In reality, a
mid-flight cyber attacks. “red team” of professional penetra-
tion testers hired by the Defense Ad-
BY GERWIN KLEIN, JUNE ANDRONICK, MATTHEW FERNANDEZ, vanced Research Projects Agency
IHOR KUZ, TOBY MURRAY, AND GERNOT HEISER (DARPA) under its High-Assurance
Cyber Military Systems (HACMS)
Formally
program had in 2013 compromised
the baseline version of the ULB, de-
signed for safety rather than secu-
rity, to the point where it could have
Verified
crashed it or diverted to any location
of its choice. In this light, risking
an in-flight attack with a human on
board indicates that something had
Software in
changed dramatically.
This article explains that change
and the technology that enabled it.
Specifically, it is about technology de-
compromised some subsystems but could not affect ˽˽ High assurance can be retrofitted to
suitable existing systems with only
the safe operation of the aircraft. moderate redesign and refactoring.
was done by Boeing engineers, not by tecture, enforce the desired security Formal Verification
formal verification researchers. property, and our verified component Mathematical correctness proofs of pro-
By far, not all the software on the framework, CAmkES. The CAmkES grams go back to at least the 1960s,14
HACMS vehicles was built on the basis framework integrates with architec- but for a long time, their real-world
of mathematical models and reason- ture analysis tools from Rockwell Col- benefit to software development was
ing; the field of formal verification is lins and the University of Minnesota, limited in scale and depth. However, a
not yet ready for such scale. However, along with trusted high-assurance number of impressive breakthroughs
HACMS demonstrated that significant software components using domain- have been seen in recent years in the
improvement is feasible by applying specific languages from Galois Inc. formal code-level verification of real-
formal techniques strategically to the The HACMS achievements are life systems, from the verified C com-
most critical parts of the overall sys- based on the software engineer’s trusty piler CompCert28 to the verified seL4
tem. The HACMS approach works for old friend—modularization. What is microkernel,22,23,33 verified conference
systems in which the desired secu- new is that formal methods provide system CoCon,21 verified ML compiler
IMAGE: COPYRIGHT © BOEING. ALL RIGH TS RESERVED.
rity property can be achieved through proof that interfaces are observed and CakeML,25 verified interactive theorem
purely architecture-level enforcement. module internals are encapsulated. provers Milawa,9 and Candle,24 veri-
Its foundation is our verified microker- This guaranteed enforcement of mod- fied crash-resistant file system FSCQ,5
nel, seL4, discussed later, which guar- ularization allows engineers, like those verified distributed system IronFleet,19
antees isolation between subsystems at Boeing, who are not formal-method and verified concurrent kernel frame-
except for well-defined communica- experts, to construct new or even ret- work CertiKOS,17 as well as significant
tion channels that are subject to the rofit existing systems, as discussed mathematical theorems, including the
system’s security policy. This isolation later, and achieve high resilience, even Four Colour Theorem,15 mechanized
is leveraged by system-level compo- though the tools do not yet provide an proof of the Kepler Conjecture,18 and
nent architectures that, through archi- overall proof of system security. Odd Order Theorem.16 None of these
O C TO B E R 2 0 1 8 | VO L. 6 1 | N O. 1 0 | C OM M U N IC AT ION S OF T HE ACM 69
contributed articles
Figure 1. Isolation and controlled communi- hold—through other means of verifi- other publicly available software in hu-
cation with seL4. cation like testing. Moreover, in many man history in terms not only of lines
cases systems consist of a combina- of proof but strength of properties
Untrusted VM Untrusted Trusted tion of verified and non-verified code, proved. At the heart of this verification
and in them, formal verification acts story sits the proof of “functional cor-
Guest apps Native apps Native apps
as a lens, focusing review, testing, and rectness” of the kernel’s C implemen-
Guest OS debugging on the system’s critical non- tation,23 guaranteeing every behavior
verified code. of the kernel is predicted by its formal
seL4
abstract specification; see the online
Hardware seL4 appendix (dl.acm.org/citation.cfm?
We begin with the foundation for build- doid=3230627&picked=formats) for an
ing provably trustworthy systems—the idea of how these proofs look. Following
are toy systems. For instance, Comp- operating system (OS) kernel, the sys- this guarantee, we added further proofs
Cert is a commercial product, the seL4 tem’s most critical part and enabler we explain after first introducing the
microkernel is used in aerospace, au- of cost-effective trustworthiness of the main kernel mechanisms.
tonomous aviation, and as an Internet entire system. seL4 API. The seL4 kernel provides a
of Things platform, and the CoCon The seL4 microkernel provides a minimal set of mechanisms for imple-
system has been used in multiple full- formally verified minimal set of mecha- menting secure systems: threads, ca-
scale scientific conferences. nisms for implementing secure sys- pability management, virtual address
These verification projects required tems. Unlike standard separation ker- spaces, inter-process communication
significant effort, and for verification nels31 they are purposefully general and (IPC), signaling, and interrupt delivery.
to be practical for widespread use, the so can be combined for implementing a The kernel maintains its state in
effort needs to decrease. Here, we dem- range of security policies for a range of “kernel objects.” For example, for each
onstrate how strategically combining system requirements. thread in a system there is a “thread
formal and informal techniques, par- One of the main design goals of object” that stores information about
tially automating the formal ones, and seL4 (see the sidebar “Proof Effort”) scheduling, execution, and access con-
carefully architecting the software to is to enforce strong isolation between trol. User-space programs can refer to
maximize the benefits of isolated com- mutually distrusting components that kernel objects only indirectly through
ponents, allowed us to dramatically in- may run on top of it. The mechanisms “capabilities”10 that combine a refer-
crease the assurance of systems whose support its use as a hypervisor to, say, ence to an object with a set of access
overall size and complexity is orders- host entire Linux operating systems rights to this object. For example, a
of-magnitude greater than that of the while keeping them isolated from se- thread cannot start or stop another
systems mentioned earlier. curity-critical components that might thread unless it has a capability to the
Note we primarily use formal veri- run alongside, as outlined in Figure 1. corresponding thread object.
fication to provide proofs about cor- In particular, this functionality allows Threads communicate and syn-
rectness of code that a system’s safety system designers to deploy legacy chronize by sending messages through
or security relies on. But it has other components that may have latent vul- IPC “endpoint” objects. One thread
benefits as well. For example, code nerabilities alongside highly trustwor- with a send capability to an appropri-
correctness proofs make assumptions thy components. ate endpoint can message another
about the context in which the code is The seL4 kernel is unique among thread that has a receive capability to
run (such as behavior of hardware and general-purpose microkernels. Not that endpoint. “Notification” objects
configuration of software). Since for- only does it deliver the best perfor- provide synchronization through sets
mal verification makes these assump- mance in its class, 20 its 10,000 lines of binary semaphores. Virtual address
tions explicit, developer effort can of C code have been subjected to translation is managed by kernel ob-
focus on ensuring the assumptions more formal verification than any jects that represent page directories,
Figure 2. Kernel objects for an example seL4-based system with two threads communicating via an endpoint.
A B
CSpace CSpace
Thread ObjectA Thread Object
VSpace EP B
CNodeA1 CNodeB1
PDA
PTA1
Receive
Send
CONTEXT
CNodeA2
CONTEXT
FRAME
...
...
...
FRAME
...
...
... VSpace
O C TO B E R 2 0 1 8 | VO L. 6 1 | N O. 1 0 | C OM M U N IC AT ION S OF T HE ACM 71
contributed articles
representative of the ULB, and is, at hicle’s flight behavior. The operating behavior of that component, keys can-
this level of abstraction, the same as assumption is that the camera is un- not be leaked, as no other component
the ULB architecture. trusted and potentially compromised, has access to them; the link between
The figure includes two main com- or malicious, that its drivers and the Linux and the crypto component in Fig-
puters: a mission computer that com- legacy payload software are poten- ure 4 is for message passing only and
municates with the ground-control tially compromised, and any outside does not give access to memory. Only
station and manages mission-payload communication is likewise potentially authenticated messages can reach the
software (such as for controlling a compromised. For the purpose of this CAN bus, as the crypto component is
camera); and a flight computer with example, we assume a correct and the only connection to the driver. Un-
the task of flying the vehicle, reading strong cryptography implementation, trusted payload software and WiFi are,
sensor data, and controlling motors. or the key cannot be guessed, and that as part of the Linux VM, encapsulated
The computers communicate via an basic radio jamming and denial-of-ser- by component isolation and can com-
internal network, a controller area net- vice by overwhelming the ground sta- municate to the rest of the system only
work, or CAN bus, on the quadcopter, tion radio link are out of scope. via the trusted crypto component.
a dedicated Ethernet on the ULB. On Figure 4 outlines how we design It is easy to imagine that this kind
the quadcopter, the mission computer the quadcopter architecture to achieve of architecture analysis could be auto-
also has an insecure WiFi link, giving these properties. We use a virtual ma- mated to a high degree through model
us the opportunity to demonstrate fur- chine (VM) running Linux as a contain- checking and higher-level mechanized
ther security techniques. ment vessel for legacy payload soft- reasoning tools. As observed in MILS
The subsystem under consider- ware, camera drivers, and WiFi link. systems,1 component boundaries in
ation in this example is the mission We isolate the cryptography control an architecture are not just a conve-
computer. Four main properties must module in its own component, with nient decomposition tool for modu-
be enforced: only correctly authenti- connections to the CAN bus compo- larity and code management but,
cated commands from the ground sta- nent, to the ground station link, and with enforced isolation, provide ef-
tion are sent to the flight computer; to the Linux VM for sending image- fective boundaries for formal reason-
cryptographic keys are not leaked; no recognition data back to the ground ing about the behavior of the system.
additional messages are sent to the station. The purpose of the crypto However, the entire argument hinges
flight computer; and untrusted pay- component is to forward (only) autho- on the fact that component boundar-
load software cannot influence the ve- rized messages to the flight computer ies in the architecture are correctly en-
via the CAN interface stack and send forced at runtime in the final, binary
Figure 3. Autonomous-air-vehicle architecture. back diagnostic data to the ground sta- implementation of the system.
tion. The radio-link component sends The mechanisms of the seL4 kernel
WiFi
and receives raw messages that are en- discussed earlier can achieve this en-
Ground Mission
Station Link Computer crypted, decrypted, and authenticated, forcement, but the level of abstraction
Camera respectively, by the crypto component. of the mechanisms is in stark contrast
Establishing the desired system to the boxes and arrows of an architec-
NET
properties is now reduced purely to the ture diagram; even the more abstract
isolation properties and information- access-control policy still contains
Flight
Sensors Motors flow behavior of the architecture, and far more detail than the architecture
Computer
to the behavior of the single trusted diagram. A running system of this size
crypto component. Assuming correct contains tens of thousands of kernel
objects and capabilities that are cre-
Figure 4. Simplified quadcopter mission-computer architecture. ated programmatically, and errors in
configuration could lead to security
violations. We next discuss how we not
only automate the configuration and
Radio Data
Link
Linux VM construction of such code but also how
Driver
we can automatically prove that archi-
WiFi tecture boundaries are enforced.
and
Camera
Crypto Verified Componentization
The same way reasoning about secu-
Non-critical
rity becomes easier with the formal ab-
CAN bus
CAN
Critical
Untrusted stractions of security policies, abstrac-
Driver Trusted tion also helps in building systems.
Contained
The CAmkES component platform,27
which runs on seL4 abstracts over the
seL4 low-level kernel mechanisms, provides
communication primitives, as well as
support for decomposing a system into
CONTEXT
CONTEXT
Receive
Send
connectors use endpoint objects, and
...
...
CAmkES generates glue code to mar- VSpace VSpace
shal and unmarshal messages and
send them over IPC endpoints. Like-
wise, a dataport connector is imple-
mented through shared memory,
initialized system + proof
shared frame objects present in the ad-
dress spaces of two components, and
optionally restricting the direction of
communication. Finally, an event con- Figure 6. RPC-generated code.
nector is implemented using seL4’s
notification mechanism. A B
CAmkES also generates, in the cap- g() {
DL language,26 a low-level specification f(); ...
of the system’s initial configuration of handwritten }
kernel objects and capabilities. This
capDL specification is the input for the f() { g_stub() {
generic seL4 initializer that runs as the //glue: //glue:
// marshalling // seL4_Recv(ep,...)
first task after boot and performs the // unmarshalling
generated // seL4_Send(ep,...) seL4
necessary seL4 operations to instanti- // seL4_Recv(ep,...) // g_invoke()
ate and initialize the system.4 // unmarshalling // marshalling
} // seL4_Send(ep,...)
In summary, a component platform }
provides free code. The component ar-
chitecture describes a set of boxes and
arrows, and the implementation task is
reduced to simply filling in the boxes; tomate large parts of system construc- lent to calling g. The lemma the system
the platform generates the rest while tion without expanding the trusted generates ensures the invocation of the
enforcing the architecture. computing base. generated RPC glue code f behaves as
With a traditional component plat- Developers rarely look at the output a direct invocation of g, as if it were co-
form, the enforcement process would of code generators, focusing instead on located with the caller.
mean the generated code increases the the functionality and business logic of To be useful, the proofs the system
trusted computing base of the system, their systems. In the same way, we in- generates must be composable with
as it has the ability to influence the tend the glue code proofs to be artifacts (almost) arbitrary user-provided proofs,
functionality of the components. How- that do not need to be examined, mean- both of the function g and of the contexts
ever, CAmkES also generates proofs. ing developers can focus on proving the where g and f are used. To enable this
Automated proofs. While generat- correctness of their handwritten code. composability, the specification of the
ing glue code, CAmkES produces for- Mirroring the way a header generated by connectors is parameterized through
mal proofs in Isabelle/HOL, following CAmkES gives the developer an API for user-provided specifications of remote
a translation-validation approach,30 the generated code, the top-level gener- functions. In this way, proof engineers
demonstrating that the generated glue ated lemma statements produce a proof can reason about their architecture,
code obeys a high-level specification API. The lemmas describe the expected providing specifications and proofs for
and the generated capDL specification behavior of the connectors. In the ex- their components, and rely on specifica-
is a correct refinement of the CAmkES ample of RPC glue code outlined in Fig- tions for the generated code.
description.12 We have also proved that ure 6, the generated function f provides To date, we have demonstrated this
the generic seL4 initializer correctly a way to invoke a remote function g in process end-to-end using a specific
sets up the system in the desired ini- another component. To preserve the CAmkES RPC connector.12,13 Extending
tial configuration. In doing so, we au- abstraction, calling f must be equiva- the proof generator to support other
O C TO B E R 2 0 1 8 | VO L. 6 1 | N O. 1 0 | C OM M U N IC AT ION S OF T HE ACM 73
contributed articles
connectors, allowing construction of izer satisfies the one described in the mission-computer functionality. The
more diverse verified systems, should given specification.4 This proof holds system was built and re-engineered by
be simpler to achieve, because other for a precise model of the initializer Boeing engineers, using the methods,
connector patterns (data ports and but not yet at the implementation lev- tools, and components provided by the
events) are significantly less complex el. Compared to the depth of the rest HACMS partners.
than RPC. of the proof chain, this limitation may Step 1. Virtualization. The first step
Next to communication code, appear weak, but it is already more for- was to take the system as is and run it
CAmkES produces the initial access mal proof than would be required for in a VM on top of a secure hypervisor
control configuration that is designed the highest level (EAL7) of a Common (see Figure 7). In the seismic-retrofit
to enforce architecture boundaries. To Criteria security evaluation. metaphor, doing so corresponds to
prove the two system descriptions— situating the system on a more flex-
capDL and CAmkES—correspond, we Seismic Security Retrofit ible foundation. A VM on top of seL4
consider the CAmkES description as In practice, there are few opportuni- in this system consists of one CAmkES
an abstraction of the capDL descrip- ties to engineer a system from scratch component that includes a virtual ma-
tion. We use the established frame- for security, so the ability to retrofit chine monitor (VMM) and the guest
work36 mentioned earlier to infer for security is crucial for engineer- operating system, in this case Linux.
authority of one object over another ing secure systems. Our seL4-based The kernel provides abstractions of
object from a capDL description to lift framework supports an iterative pro- the virtualization hardware, while the
reasoning to a policy level. Addition- cess we call “seismic security retrofit,” VMM manages these abstractions for
ally, we have defined rules for inferring as a regular structural architect might the VM. The seL4 kernel constrains not
authority between components in a retrofit an existing building for great- only the guest but also the VMM, so the
CAmkES description. The produced er resilience against earthquakes. VMM implementation does not need
proof ensures the capDL objects, when We illustrate the process by walking to be trusted to enforce isolation. Fail-
represented as an authority graph through an example that incremental- ure of the VMM will lead to failure of
with objects grouped per component, ly adapts the existing software archi- the guest but not to failure of the com-
have the same intergroup edges as the tecture of an autonomous air vehicle, plete system.
equivalent graph between CAmkES moving it from a traditional testing Depending on system configura-
components.12 Intuitively, this corre- approach to a high-assurance sys- tion, the VM may have access to hard-
spondence between the edges means tem with theorems backed by formal ware devices through para-virtualized
an architecture analysis of the policy methods. While this example is based drivers, pass-through drivers, or both.
inferred by the CAmkES description on work done for a real vehicle—the In the case of pass-through drivers,
will hold for the policy inferred by the ULB—it is simplified for presentation developers can make use of a system
generated capDL description, which in and does not include all details. MMU or IOMMU to prevent hardware
turn is proved to satisfy authority con- The original vehicle architecture devices and drivers in the guest from
finement, integrity, and confidential- is the same as the architecture out- breaching isolation boundaries. Note
ity, as mentioned earlier. lined in Figure 3. Its functionality is that simply running a system in a VM
Finally, to prove correct initializa- split over two separate computers: a adds no additional security or reliabil-
tion, CAmkES leverages the generic flight computer that controls the ac- ity benefits. Instead, the reason for this
initializer that will run as the first user tual flying and the mission computer first step is to enable step 2.
task following boot time. In seL4, this that performs high-level tasks (such as Step 2. Multiple VMs. The second
first (and unique) user task has access ground-station communication and step in a seismic retrofit strengthens
to all available memory, using it to cre- camera-based navigation). The origi- existing walls. In software, the devel-
ate objects and capabilities accord- nal version of the mission computer oper can improve security and reli-
ing to the detailed capDL description was a monolithic software application ability by splitting the original system
it takes as input. We proved that the running on Linux. The rest of the ex- into multiple subsystem partitions,
state following execution of the initial- ample concentrates on a retrofit of this each consisting of a VM running the
Figure 7. All functionality in a single VM. Figure 8. Functionality split into multiple VMs. Figure 9. Functionality in native components.
O C TO B E R 2 0 1 8 | VO L. 6 1 | N O. 1 0 | C OM M U N IC AT ION S OF T HE ACM 75
contributed articles
Fisher for having the vision to start the International Conference (Noordwijk, the Netherlands, Proceedings of the First ACM Asia-Pacific Workshop
May 12–14). Curran, Red Hook, NY, 2008. on Systems (New Delhi, India, Aug. 30–Sept. 3). ACM
program. John Launchbury coined 9. Davis, J. and Myreen, M.O. The reflective Milawa Press, New York, 2010, 31–35.
the term “seismic security retrofit.” theorem prover is sound (down to the machine code 27. Kuz, I., Liu, Y., Gorton, I., and Heiser, G. CAmkES:
that runs it). Journal of Automated Reasoning 55, 2 A component model for secure microkernel-based
We thank Lee Pike for feedback on an (Aug. 2015), 117–183. embedded systems. Journal of Systems and Software
earlier draft. We would also like to ac- 10. Dennis, J.B. and Van Horn, E.C. Programming (Special Edition on Component-Based Software
semantics for multi-programmed computations. Engineering of Trustworthy Embedded Systems) 80, 5
knowledge our HACMS project part- Commun. ACM 9, 3 (Mar. 1966), 143–155. (May 2007), 687–699.
ners from Rockwell Collins, the Univer- 11. Elliott, T., Pike, L., Winwood, S., Hickey, P., Bielman, 28. Leroy, X. Formal verification of a realistic compiler.
J., Sharp, J., Seidel, E., and Launchbury, J. Guilt-free Commun. ACM 52, 7 (July 2009), 107–115.
sity of Minnesota, Galois, and Boeing. Ivory. In Proceedings of the ACM SIGPLAN Haskell 29. Murray, T., Matichuk, D., Brassil, M., Gammie, P.,
While we concentrated on the oper- Symposium (Vancouver, Canada, Sept. 3–4). ACM Bourke, T., Seefried, S., Lewis, C., Gao, X., and Klein, G.
Press, New York, 189–200. seL4: From general-purpose to a proof of information
ating system aspects of the HACMS 12. Fernandez, M. Formal Verification of a Component flow enforcement. In Proceedings of the 2013 IEEE
Platform. Ph.D. thesis. School of Computer Science & Symposium on Security and Privacy (San Francisco,
project here, the rapid construction CA, May 19–22). IEEE Press, Los Alamitos, CA, 2013,
Engineering, University of New South Wales, Sydney,
of high-assurance systems includes Australia, July 2016. 415–429.
13. Fernandez, M., Andronick, J., Klein, G., and Kuz, 30. Pnueli, A., Siegel, M., and Singerman, E. Translation
many further components, including I. Automated verification of RPC stub code. In validation. In Proceedings of the Fourth International
a trusted build, as well as architecture Proceedings of the 20th International Symposium on Conference on Tools and Algorithms for Construction
Formal Methods (Oslo, Norway, June 22–26). Springer, and Analysis of Systems (Lisbon, Portugal, Mar. 28–
and security-analysis tools. This mate- Heidelberg, Germany, 2015, 273–290. Apr. 4). Springer, Berlin, Germany, 1998, 151–166.
rial is based on research sponsored by 14. Floyd, R.W. Assigning meanings to programs. 31. Rushby, J. Design and verification of secure systems.
Mathematical Aspects of Computer Science 19, In Proceedings of the Eighth Symposium on Operating
the U.S. Air Force Research Laboratory (1967), 19–32. System Principles (Pacific Grove, CA, Dec. 14–16).
and the Defense Advanced Research 15. Gonthier, G. A Computer-Checked Proof of the Four- ACM Press, New York, 1981, 12–21.
Colour Theorem. Microsoft Research, Cambridge, U.K, 32. Ryzhyk, L., Chubb, P., Kuz, I., Le Sueur, E., and Heiser,
Projects Agency under agreement 2005; https://www.microsoft.com/en-us/research/wp- G. Automatic device driver synthesis with Termite. In
number FA8750-12-9-0179. The U.S. content/uploads/2016/02/gonthier-4colproof.pdf Proceedings of the 22nd ACM Symposium on Operating
16. Gonthier, G., Asperti, A., Avigad, J., Bertot, Y., Cohen, Systems Principles (Big Sky, MT, Oct. 11–14). ACM
government is authorized to repro- C., Garillot, F., Le Roux, S., Mahboubi, A., O’Connor, Press, New York, 2009, 73–86.
duce and distribute reprints for gov- R., Biha S.O., Pasca, I., Rideau, L., Solovyev, A., Tassi, 33. seL4 microkernel code and proofs; https://github.
E., and Théry, L. A machine-checked proof of the com/seL4/
ernmental purposes notwithstanding Odd Order Theorem. In Proceedings of the Fourth 34. Sewell, T., Kam, F., and Heiser, G. Complete, high-
any copyright notation thereon. The International Conference on Interactive Theorem assurance determination of loop bounds and infeasible
Proving, Volume 7998 of LNCS (Rennes, France, July paths for WCET analysis. In Proceedings of the 22nd
views and conclusions contained here- 22–26). Springer, Heidelberg, Germany, 2013, 163–179. IEEE Real Time and Embedded Technology and
Applications Symposium (Vienna, Austria, Apr. 11–14).
in are those of the authors and should 17. Gu, R., Shao, Z., Chen, H., Wu, X.(N.)., Kim, J., Sjöberg, V.,
IEEE Press, 2016.
and Costanzo, C. CertiKOS: An extensible architecture
not be interpreted as necessarily repre- for building certified concurrent OS kernels. In 35. Sewell, T., Myreen, M., and Klein, G. Translation
validation for a verified OS kernel. In Proceedings
senting the official policies or endorse- Proceedings of the 12th USENIX Symposium on
of the 34th Annual ACM SIGPLAN Conference on
Operating Systems Design and Implementation
ments, either expressed or implied, (Savannah, GA, Nov. 2–4). ACM Press, New York, 2016. Programming Language Design and Implementation
18. Hales, T.C., Adams, M., Bauer, G., Dang, D.T., Harrison, (Seattle, WA, June 16–22). ACM Press, New York,
of the Air Force Research Laboratory, 2013, 471–481.
J., Le Hoang, T., Kaliszyk, C., Magron, V., McLaughlin, S.,
Defense Advanced Research Projects Nguyen, T.T., Nguyen, T.Q., Nipkow, T., Obua, S., Pleso, 36. Sewell, T., Winwood, S., Gammie, P., Murray, T.,
J., Rute, J., Solovyev, A., Ta, A.H.T., Tran, T.N., Trieu, T.T., Andronick, J., and Klein, G. seL4 enforces integrity.
Agency, or U.S. government. In Proceedings of the International Conference
Urban, J., Vu, K.K., and Zumkeller, R. A formal proof
of the Kepler Conjecture. Forum of Mathematics, Pi, on Interactive Theorem Proving (Nijmegen, the
Volume 5. Cambridge University Press, 2017. Netherlands, Aug. 22–25). Springer, Heidelberg,
References
19. Hawblitzel, C., Howell, J., Kapritsos, M., Lorch, J.R., Germany, 2011, 325–340.
1. Alves-Foss, J., Oman, P.W., Taylor, C., and Harrison, S.
The MILS architecture for high-assurance embedded Parno, B., Roberts, M.L., Setty, S.T.V., and Zill, B.
systems. International Journal of Embedded Systems IronFleet: Proving practical distributed systems
Gerwin Klein (gerwin.klein@data61.csiro.au) is a Chief
2, 3-4 (2006), 239–247. correct. In Proceedings of the 25th ACM Symposium on
Research Scientist at Data61, CSIRO, and Conjoint
2. Blackham, B., Shi, Y., Chattopadhyay, S., Operating Systems Principles (Monterey, CA, Oct. 5–7).
Professor at UNSW, Sydney, Australia.
Roychoudhury, A., and Heiser, G. Timing analysis of a ACM Press, New York, 2015, 1–17.
protected operating system kernel. In Proceedings of 20. Heiser, G. and Elphinstone, K. L4 microkernels: The June Andronick (june.andronick@data61.csiro.au) is a
the 32nd IEEE Real-Time Systems Symposium (Vienna, lessons from 20 years of research and deployment. Principal Research Scientist at Data61, CSIRO, Conjoint
Austria, Nov. 29–Dec. 2). IEEE Computer Society ACM Transactions on Computer Systems 34, 1 (Apr. Associate Professor at UNSW, Sydney, Australia, and
Press, 2011, 339–348. 2016), 1:1–1:29. the leader of the Trustworthy Systems group at Data61,
3. Boeing. Unmanned Little Bird H-6U; http://www. 21. Kanav, S., Lammich, P., and Popescu, A. A known for the formal verification of the seL4 operating
boeing.com/defense/unmanned-little-bird-h-6u/ conference management system with verified system microkernel.
4. Boyton, A., Andronick, J., Bannister, C., Fernandez, document confidentiality. In Proceedings of the
M., Gao, X., Greenaway, D., Klein, G., Lewis, C., and 26th International Conference on Computer Aided Matthew Fernandez (matthew.fernandez@gmail.com)
Sewell, T. Formally verified system initialisation. In Verification (Vienna, Austria, July 18–22). ACM Press, participated in this project while he was a Ph.D. student
Proceedings of the 15th International Conference New York, 2014, 167–183. at UNSW, Sydney, Australia, and is today a researcher at
on Formal Engineering Methods (Queenstown, New 22. Klein, G., Andronick, J., Elphinstone, K., Murray, T., Intel Labs, USA.
Zealand, Oct. 29–Nov. 1). Springer, Heidelberg, Sewell, T., Kolanski, R., and Heiser, G. Comprehensive
Ihor Kuz (ihor.kuz@data61.csiro.au) is a Principal
Germany, 2013 70–85. formal verification of an OS microkernel. ACM Research Engineer at Data61, CSIRO , and also a Conjoint
5. Chen, H., Ziegler, D., Chajed, T., Chlipala, A., Frans Transactions on Computer Systems 32, 1 (Feb. 2014), Associate Professor at UNSW, Sydney, Australia.
Kaashoek, M., and Zeldovich, N. Using Crash 2:1–2:70.
Hoare logic for certifying the FSCQ file system. In 23. Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Toby Murray (toby.murray@unimelb.edu.au) is a lecturer
Proceedings of the 25th ACM Symposium on Operating Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., at the University of Melbourne, Australia, and a Senior
Systems Principles (Monterey, CA, Oct. 5–7). ACM Kolanski, R., Norrish, M., Sewell, T., Tuch, H., and Research Scientist at Data61, CSIRO.
Press, New York, 2015, 18–37. Winwood, S. seL4: Formal verification of an OS kernel.
6. Cock, D., Ge, Q., Murray, T., and Heiser, G. The last mile: In Proceedings of the 22nd ACM Symposium on Gernot Heiser (gernot@unsw.edu.au) is a Scientia
An empirical study of some timing channels on seL4. Operating Systems Principles (Big Sky, MT, Oct. 11–14). Professor and John Lions Chair of Computer Science at
In Proceedings of the ACM SIGSAC Conference on ACM Press, New York, 2009, 207–220. UNSW, Sydney, Australia, a Chief Research Scientist at
Computer and Communications Security (Scottsdale, 24. Kumar, R., Arthan, R., Myreen, M.O., and Owens, S. Data61, CSIRO, and a fellow of the ACM, the IEEE, and
AZ, Nov. 3–7). ACM Press, New York, 2014, 570–581. Self-formalisation of higher-order logic: Semantics, the Australian Academy of Technology and Engineering.
7. Cock, D., Klein, G., and Sewell, T. Secure microkernels, soundness, and a verified implementation. Journal of
state monads and scalable refinement. In Automated Reasoning 56, 3 (Apr. 2016), 221–259.
Proceedings of the 21st International Conference on 25. Kumar, R., Myreen, M., Norrish, M., and Owens,
Theorem Proving in Higher Order Logics (Montreal, S. CakeML: A verified implementation of ML. In
Canada, Aug. 18–21). Springer, Heidelberg, Germany, Proceedings of the 41st ACM SIGPLAN-SIGACT
2008, 167–182. Symposium on Principles of Programming Languages
8. Colbert, E. and Boehm, B. Cost estimation for (San Diego, CA, Jan. 22–24). ACM Press, New York,
secure software & systems. In Proceedings of 2014, 179–191.
the International Society of Parametric Analysts / 26. Kuz, I., Klein, G., Lewis, C., and Walker, A. capDL: A Copyright held by authors.
Society of Cost Estimating and Analysis 2008 Joint language for describing capability-based systems. In Publication rights licensed to ACM. $15.00
O C TO B E R 2 0 1 8 | VO L. 6 1 | N O. 1 0 | C OM M U N IC AT ION S OF T HE ACM 77