GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → seL4 → L4v

seL4 / L4v

Licence: other
seL4 specification and proofs

Labels

proof

Projects that are alternatives of or similar to L4v

Disel
Distributed Separation Logic: a framework for compositional verification of distributed protocols and their implementations in Coq
Stars: ✭ 85 (-74.85%)
Mutual labels:  proof
gapt
GAPT: General Architecture for Proof Theory
Stars: ✭ 83 (-75.44%)
Mutual labels:  proof
examples
Examples of NuID's zero knowledge authentication and key management facilities in various languages and frameworks. Open an Issue or PR if you'd like to see your favorite tool here.
Stars: ✭ 42 (-87.57%)
Mutual labels:  proof
Verdi Raft
An implementation of the Raft distributed consensus protocol, verified in Coq using the Verdi framework
Stars: ✭ 143 (-57.69%)
Mutual labels:  proof
proofable-image
Build trust into your image by creating a blockchain certificate for it
Stars: ✭ 17 (-94.97%)
Mutual labels:  proof
ra
Basic Analysis, undergraduate real analysis textbook
Stars: ✭ 33 (-90.24%)
Mutual labels:  proof
Generic Syntax
A Scope-and-Type Safe Universe of Syntaxes with Binding, Their Semantics and Proofs
Stars: ✭ 55 (-83.73%)
Mutual labels:  proof
LPL
📚Solutions to Language, Proof and Logic (2nd Edition)
Stars: ✭ 21 (-93.79%)
Mutual labels:  proof
imm
Intermediate Memory Model (IMM) and compilation correctness proofs for it
Stars: ✭ 15 (-95.56%)
Mutual labels:  proof
vulcan
A JavaScript propositional logic and resolution library
Stars: ✭ 56 (-83.43%)
Mutual labels:  proof
coq-to-ocaml-to-js
Proof of concept to generate safe and fast JavaScript
Stars: ✭ 25 (-92.6%)
Mutual labels:  proof
haal
Hääl - Anonymous Electronic Voting System on Public Blockchains
Stars: ✭ 96 (-71.6%)
Mutual labels:  proof
Planeverb
Project Planeverb is a CPU based real-time wave-based acoustics engine for games. It comes with an integration with the Unity Engine.
Stars: ✭ 22 (-93.49%)
Mutual labels:  proof
Iron
Coq formalizations of functional languages.
Stars: ✭ 114 (-66.27%)
Mutual labels:  proof
Diffy
🎞️💓🍿 Love streaming - It's always best to watch a movie together ! 🤗
Stars: ✭ 37 (-89.05%)
Mutual labels:  proof
Bootstrap Dark
The Definitive Guide to Dark Mode and Bootstrap 4 - A proof of concept
Stars: ✭ 54 (-84.02%)
Mutual labels:  proof
Groth16BatchVerifier
Batch verification proposal for the zkSNARK verification with the same(!) circuit
Stars: ✭ 17 (-94.97%)
Mutual labels:  proof
Merkle Patricia Tree
Project is in active development and has been moved to the EthereumJS VM monorepo.
Stars: ✭ 277 (-18.05%)
Mutual labels:  proof
InfSeqExt
A Coq library for reasoning (co)inductively on infinite sequences using LTL-like modal operators
Stars: ✭ 12 (-96.45%)
Mutual labels:  proof
fitchjs
Fitch style proof constructor
Stars: ✭ 19 (-94.38%)
Mutual labels:  proof
View All Similar Projects ➔

DOI

The L4.verified Proofs

This is the L4.verified git repository with formal specifications and proofs for the seL4 microkernel.

Most proofs in this repository are conducted in the interactive proof assistant Isabelle/HOL. For an introduction to Isabelle, see its official website and documentation.

Setup

This repository is meant to be used as part of a Google repo setup. Instead of cloning it directly, follow the instructions at the manifest git repo.

Dependencies

For software dependencies and Isabelle setup, see the setup.md file in the docs directory.

Contributing

Contributions to this repository are welcome. Please read CONTRIBUTING.md for details.

Overview

The repository is organised as follows.

  • docs: documentation on conventions, style, etc.

  • spec: a number of different formal specifications of seL4

    • abstract: the functional abstract specification of seL4

    • sep-abstract: an abstract specification for a reduced version of seL4 that is configured as a separation kernel

    • haskell: Haskell model of the seL4 kernel, kept in sync with the C code

    • machine: the machine interface of these two specifications

    • cspec: the entry point for automatically translating the seL4 C code into Isabelle

    • capDL: a specification of seL4 that abstracts from memory content and concrete execution behaviour, modelling the protection state of the system in terms of capabilities. This specification corresponds to the capability distribution language capDL that can be used to initialise user-level systems on top of seL4.

    • take-grant: a formalisation of the classical take-grant security model, applied to seL4, but not connected to the code of seL4.

    • There are additional specifications that are not tracked in this repository, but are generated from other files:

      • design: the design-level specification of seL4, generated from the Haskell model.
      • c: the C code of the seL4 kernel, preprocessed into a form that can be read into Isabelle. This is generated from the seL4 repository.

  • proof: the seL4 proofs

    • invariant-abstract: invariants of the seL4 abstract specification
    • refine: refinement between abstract and design specifications
    • crefine: refinement between design specification and C semantics
    • access-control: integrity and authority confinement proofs
    • infoflow: confidentiality and intransitive non-interference proofs
    • asmrefine: Isabelle/HOL part of the seL4 binary verification
    • drefine: refinement between capDL and abstract specification
    • sep-capDL: a separation logic instance on capDL
    • capDL-api: separation logic specifications of selected seL4 APIs

  • lib: generic proof libraries, proof methods and tools. Among these, further libraries for fixed-size machine words, a formalisation of state monads with nondeterminism and exceptions, a generic verification condition generator for monads, a recursive invariant prover for these (crunch), an abstract separation logic formalisation, a prototype of the Eisbach proof method language, a prototype levity refactoring tool, and others.

  • tools: larger, self-contained proof tools

    • asmrefine: the generic Isabelle/HOL part of the binary verification tool
    • c-parser: a parser from C into the Simpl language in Isabelle/HOL. Includes a C memory model.
    • autocorres: an automated, proof-producing abstraction tool from C into higher-level Isabelle/HOL functions, based on the C parser above
    • haskell-translator: a basic python script for converting the Haskell prototype of seL4 into the executable design specification in Isabelle/HOL.

  • misc: miscellaneous scripts and build tools

  • camkes: an initial formalisation of the CAmkES component platform on seL4. Work in progress.

  • sys-init: specification of a capDL-based, user-level system initialiser for seL4, with proof that the specification leads to correctly initialised systems.

Hardware requirements

Almost all proofs in this repository should work within 4GB of RAM. Proofs involving the C refinement, will usually need the 64bit mode of polyml and about 16GB of RAM.

The proofs distribute reasonably well over multiple cores, up to about 8 cores are useful.

jEdit

We provide a jEdit macro that is very useful when working with large theory files, goto-error, which moves the cursor to the first error in the file.

To install the macro, run the following commands in the directory verification/l4v/:

mkdir -p ~/.isabelle/jedit/macros
cp misc/jedit/macros/goto-error.bsh ~/.isabelle/jedit/macros/.

You can add keybindings for this macro in the usual way, by going to Utilities -> Global Options -> jEdit -> Shortcuts.

Additionally, our fork of Isabelle/jEdit has an updated indenter which is more proof-context aware than the 'original' indenter. Pressing ctrl+i while some apply-script text is selected should auto-indent the script while respecting subgoal depth and maintaining the relative indentation of multi-line apply statements.

Running the Proofs

If Isabelle is set up correctly, a full test for the proofs in this repository can be run with the command

./run_tests

from the directory l4v/.

Not all of the proof sessions can be built directly with the isabelle build command. The seL4 verification proofs depend on Isabelle specifications that are generated from the C source code and Haskell model. Therefore, it's recommended to always build using the supplied makefiles, which will ensure that these generated specs are up to date.

To do this, enter one level under the l4v/ directory and run make <session-name>. For example, to build the C refinement proof session, do

cd l4v/proof
make CRefine

As another example, to build the session for the Haskell model, do

cd l4v/spec
make ExecSpec

See the HEAPS variable in the corresponding Makefile for available targets.

Proof sessions that do not depend on generated inputs can be built directly with

./isabelle/bin/isabelle build -d . -v -b <session name>

from the directory l4v/. For available sessions, see the corresponding ROOT files in this repository. There is roughly one session corresponding to each major directory in the repository.

For interactively exploring, say the invariant proof of the abstract specification with a pre-built logic image for the abstract specification and all of the invariant proof's dependencies, run

./isabelle/bin/isabelle jedit -d . -R AInvs

in l4v/ and open one of the files in proof/invariant-abstract.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].