
Formally verified software in the real world

Published: 26 September 2018

Abstract

Verified software secures the Unmanned Little Bird autonomous helicopter against mid-flight cyber attacks.



Published in: Communications of the ACM, Volume 61, Issue 10 (October 2018), 107 pages. ISSN 0001-0782, EISSN 1557-7317. DOI: 10.1145/3281635

Copyright © 2018 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
