CN113282492A - Operating system kernel formal verification method - Google Patents
Operating system kernel formal verification method Download PDFInfo
- Publication number
- CN113282492A CN113282492A CN202110564820.3A CN202110564820A CN113282492A CN 113282492 A CN113282492 A CN 113282492A CN 202110564820 A CN202110564820 A CN 202110564820A CN 113282492 A CN113282492 A CN 113282492A
- Authority
- CN
- China
- Prior art keywords
- kernel
- state
- verification
- operating system
- state machine
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3684—Test management for test design, e.g. generating new test cases
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3688—Test management for test execution, e.g. scheduling of test suites
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/448—Execution paradigms, e.g. implementations of programming paradigms
- G06F9/4498—Finite state machines
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention relates to the technical field of computer operating systems and computer certification methods, in particular to an operating system kernel formal verification method. The method of the invention comprises the following steps: selecting a kernel system call aiming at an operating system as a verification object; summarizing expectations of designers for functions of the system call according to the description of the system call in the design document, and defining a declaration specification according to an invariant or a high-level attribute in an operating system kernel; defining the detailed state machine specification of the system call by referring to the specific implementation of the system call and the design document description; and transmitting the declaration specification and the state machine specification into a formal verification tool for automatic solution. The flow is shown in figure 1. The method can realize formal verification of the kernel of the operating system, thereby proving the security of the kernel of the operating system.
Description
Technical Field
The invention relates to the technical field of computer operating systems and computer certification methods, in particular to an operating system kernel formal verification method based on formal verification tools.
Background
In computers, the operating system is the most basic and important underlying system software. The operating system controls the hardware resources of the computer and provides a running environment for the application programs, which provides a series of basic services, such as managing and configuring memory, determining the priority of the supply and demand of system resources, controlling input and output devices, managing file systems, and the like.
The basic services provided by an operating system need to rely heavily on an important component in the operating system, the operating system kernel. The operating system kernel refers to system software that provides functions such as a hardware abstraction layer, disk and file system control, multitasking, and the like. The kernel is the most basic part of the operating system, and is also the core of the operating system, and is responsible for managing processes, memories, device drivers, files, network systems, and the like of the system, determining the performance and stability of the system, and meanwhile, being a bridge for connecting application programs and hardware. The kernel is usually composed of interrupt service routine, scheduler, memory manager, network service routine, and interprocess communication service routine, and provides basic services for other parts of the operating system.
Formal verification is mainly to prove the target on the basis of deductive reasoning, i.e. to prove the correctness or incorrectness of the target by using a mathematical method according to some formal specification or attribute or some other formal specifications. The formal verification comprises two modes of model detection and theorem proving. The model detection means that a corresponding mathematical model is established for a system problem, so that the model is used for derivation; the theorem proving method generally adopts a theorem auxiliary prover to abstract and describe the problem, and utilizes a mathematical formula theorem method to describe the functionality of the system, so as to adopt a mathematical theorem derivation calculus method to verify.
The theorem proving method in the formal proving method needs to adopt theorem auxiliary provers to verify corresponding theorems, and the theorem auxiliary provers commonly used at the present stage comprise Z3, Isabelle and Coq and the like. Z3 is a general solver for Satisfiability Model Theory (SMT), which is the problem of determining the Satisfiability of first-order logic formulas in combinatorial background theory. The theory involved in SMT enables it to be applied to a variety of problems in the field of practice, and in combination with satisfiability determination methods, SMT plays a great role in software testing, program analysis and verification.
The formal verification method is introduced into the security analysis of the operating system, so that developers can be better helped to find errors in the system, and the personal privacy security of users is guaranteed.
Disclosure of Invention
Aiming at the problem of insufficient security analysis of the existing operating system, the invention provides the operating system kernel security analysis method based on formal verification, which can formally express the system call provided by the operating system kernel to obtain the declaration specification and the state machine specification, thereby utilizing a solver to carry out automatic solution verification. The invention provides a method for verifying the calling safety of an operating system kernel system by using a solver, which comprises the following steps as shown in figure 1:
1. authentication object
Firstly, the kernel of the operating system provides a series of system call functions to help the operating system to complete the designated functions, so that the system calls can operate sensitive data, the kernel state of the operating system is changed, and the kernel security of the operating system is influenced.
Secondly, a part of operating systems provide design documents for users to check, the functions and function components of each module are described in detail in the documents, and the summary of the system calling functions can be completed through official documents and specific source codes.
2. Statement of the Specification
In order to improve the correctness of the kernel verification of the operating system, the invention utilizes the declaration specification to enhance the reliability of the kernel formal verification of the operating system.
The definition of a declarative specification is a formula that describes a class of models. With reference to this definition, the present invention describes the declaration specification as a expectation of the operating system kernel implementer of the system call functionality, i.e., a higher level attribute or invariant that should be satisfied when the system call is executed. Compared with the subsequently defined state machine specification, the declaration specification is higher-level and more intuitive, so that the declaration specification can be used for automatic verification of a solver and is convenient for a verifier to manually check.
The definition of the statement specification mainly adopts a manual mode, and after the definition is finished, the statement specification is proved to be established at each step of the kernel state conversion of the operating system in the state machine specification only under the condition that the statement specification is established in advance, so that the correctness of verification can be ensured.
Whether the kernel function operates correctly is verified by declaring the specification and utilizing the invariant and the high-level attributes in the system call, so that the credibility of the verification process is enhanced, and the verification accuracy is ensured.
3. State machine specification
The state machine is a short name of finite state automata, and is a mathematical model formed by abstracting operation rules of real things. And describing expected kernel behaviors by using a state machine specification, extracting state changes of the kernel of the operating system in the process as each conversion step, and verifying correct operation of system call by using invariant in the state conversion process and defined pre-conditions and post-conditions. The method comprises the following specific steps:
the state machine specification consists of two parts, an abstract kernel state and an abstract state transition to define the system call.
(1) Abstract kernel states
In the formalization certification process of the operating system kernel, the kernel state is a constraint condition for correct operation of each system call, namely, the premise for ensuring correct system call functions is that the system kernel is in a correct environment. Meanwhile, the kernel state of the operating system can help a verifier to better judge whether the system is currently in a normal environment, so that whether the system call is correctly executed is verified.
The kernel state refers to a correct environment state that the kernel of the operating system should maintain, namely, a state under the condition that the operating system normally runs. The abstract kernel state is that the behavioral environment kept by the current kernel is simulated by using codes, and the current environment of the kernel is abstractly represented by using limited programs. Because the process is the most basic unit for resource allocation and scheduling of the operating system, the present invention replaces the current state of the operating system kernel with the state of the process. The abstract kernel state definition should contain the following two parts:
and I, current kernel state. I.e. the current executing process state, contains a series of information such as the unique identifier ID of the process. This section is used to identify the executing process and thereby help the verifier confirm the particular object that performed the system call.
And II, the function of system call. The system call is a specific execution process in the kernel, and the execution process of the system call can be divided into operations on different objects because the function of the system call is realized by the kernel function, and the kernel functions with direct operation objects are utilized to form the function description of the kernel system call of the operating system.
(2) Abstract state transitions
As most system call specifications follow a common rule, namely, the transferred system call parameters are verified firstly, if the verification is passed, the system call is executed, the kernel state is transferred to the next stage, and 0 is returned as a result; if the parameter verification fails, the kernel state is kept unchanged, and a corresponding error prompt code is returned.
After the abstract kernel state definition is completed, the defined kernel state object can be used to simulate the correct system call running condition, and the state transition can be described as follows:
current kernel state SiE.g. S (S is a kernel state set), the system executes the system call P, the P is successfully executed and returns a result 0, the kernel state is transferred to the next stage, and the kernel state is S at the momenti+1E.g., S, at which time the kernel state can be expressed as Si→Si+1。
From the above description, the following state transition specification verification process can be devised:
and I, taking the kernel state and the system call parameter as the input of the verification specification, wherein the kernel state at the moment refers to the state maintained by the kernel before the system call.
And II, acquiring the current execution process information and storing the specific information of the process called by the execution system.
And III, verifying the system calling parameter, determining the correctness of the system calling parameter, and returning a verification condition.
And IV, if the returned result in the III is true, starting to transfer the kernel state to the next stage, firstly copying the kernel state before the system call to a new kernel state, calling a system call kernel function in the new kernel state to modify the corresponding part in the kernel, and obtaining the kernel state of the next stage.
The state machine specification definition also adopts a manual method, the verifier defines the specific function of the system call by using the formal language, and the correctness of the system call is verified by using the definition.
4. Verification model
The application of the tool can effectively reduce the kernel verification difficulty of the operating system and improve the verification efficiency. The theorem proving device utilizes the transmitted verification conditions to carry out automatic proving, thereby greatly reducing the verification cost.
From the above description, a verification model as shown in FIG. 2 can be designed, as detailed below:
(1) high-level attributes which must be satisfied in the execution process of the system call are summarized, and the definition of the declaration specification is carried out by combining the corresponding invariant in the kernel.
(2) According to the design document and the source code, the kernel system calling function of the operating system is described by a formal language, and the state machine specification is defined according to the formal language.
(3) And transmitting the manually defined state machine specification and the declaration specification to a verifier, converting the state machine specification and the declaration specification into a theorem certificate by the verifier, and automatically solving and verifying.
(4) If the solver is successfully verified, the realization of the part of codes can be regarded as safe; and if the verification fails, returning a corresponding test case to help a verifier to troubleshoot possible problems.
Drawings
FIG. 1: operating system kernel verification step
FIG. 2: operating system kernel verification model
Detailed Description
The hardware environment of the invention is a PC host, the CPU of the host is Intel (R) core (TM) i5-4460T, 1.90GHz, the memory is 8GB RAM, 64-bit operating system, and the processor is based on X64.
The software environment of the invention takes Ubuntu 18.04 as a platform and is developed by Python language. The Python version is 3.8.5, the PyCharm version is 2020.3.4, and the solver Z3 version is 4.8.5.0.
The kernel of the operating system to be verified is an open-source Linux kernel, and the version number is 5.0.0.23.
The verification process is mainly divided into two parts, wherein the first part is used for manually defining state machine specifications and declaration specifications, and the second part is used for verifying and returning results by a Z3 solver.
Specification definitions
Take the system call write () as an example. The system call is defined as follows:
| ssize_t write(int fd,const void*buf,size_t size) |
(1) statement of the Specification
The declaration specification defines pseudo code as follows:
description of the drawings: cond is the verification condition returned by the state machine specification, size indicates the number of bytes written, indicator indicates the current data location,
meaning that the object is arbitrary, i.e. for an arbitrary object,
indicating the inclusion.
Declaration specification detailed description:
each write should be an atomic operation, and if one of the verification conditions in the state machine specification is not satisfied, then the write should not be considered complete, while the pre-write state should be restored, i.e., the current write data location should not change.
(2) State machine specification
The state machine specification defines pseudo code as follows:
inputting an algorithm: state, object, buffer
And (3) outputting an algorithm: valid, new _ state
Description of the drawings: the state is a kernel state, fd represents a written file, buffer is a buffer area where written data are located, a getAutowrite () function obtains read-write permission of an incoming object, is _ buffer _ available () judges whether the buffer is accessible, indicator () is a written data position, write () writes data, and inc () advances size on the basis of the current written position.
State machine specification details:
step 1, acquiring a process number of the current execution system call;
step 2, verifying whether the parameters meet the conditions: having write rights to the written object, the data buffer should be accessible, the current written data location should be greater than or equal to the starting location;
step 3, successfully verifying the parameters, entering the next kernel state, and performing write operation;
and Step 4, after the write operation is completed, updating the position of the write data.
(3) Solver solution
Converting the canonical proof to the Z3 solver provable problem:
inputting an algorithm: state, fd, buffer, pid, size
And (3) outputting an algorithm: cond, new
Description of the drawings: state is kernel state, fd is write operation object, buffer is buffer where write data is located, pid is process ID, Solver () creates a Solver, s.add () represents adding constraint condition, is _ buffer _ available () judges whether buffer is accessible, indicator () is write data position, write () writes data, and system calls to return new kernel state new and verification condition cond after executing correctly.
Detailed description of pseudo code:
step 1, verifying whether the following conditions are all satisfied: whether pid is available, whether fd object has write authority, whether buffer is available, whether write data position meets the condition;
step 2, successfully verifying the parameters, transferring to the next kernel state, and performing write operation;
step 3, after the completion, updating the position of the written data;
and Step 4, returning a verification condition cond and a new kernel state new, and further verifying the kernel of the operating system by using the cond and the new combined with the declaration specification by a verifier.
(4) Manual inspection
After the Z3 solver solves the state machine specification, the returned verification condition cond may be used to combine with the declaration specification, and the verifier determines whether all conditions of the write operation are satisfied by using the value of cond. If the cond value is FALSE, the verification condition is not met in the verification process of the write operation, the write operation fails, and the state should be restored to the state before the write operation is performed, that is, the current write data position should not be changed; if cond value is TRUE, the verification condition is satisfied, the write operation is successful, and the position of the write data should be advanced by size before the write operation.
Claims (5)
1. A kernel formal verification method of an operating system is characterized by comprising the following implementation steps:
(1) selecting an operating system kernel system call as a verification object;
(2) designing a declaration specification according to high-level attributes such as expectation of a system calling function in a design document and invariance in the system calling process, so that verification personnel can manually check the declaration and the reliability of the specification of the state machine is improved;
(3) defining a corresponding state machine specification according to a specific implementation of system call and a design document, and describing a system call function and an operating system kernel state transfer condition in a call process in detail;
(4) and (5) transmitting the statement specification and the state machine specification to a formal verification tool, and completing the verification by using the tool.
2. The operating system kernel formal verification method of claim 1, wherein the method comprises, during a declaration specification definition phase:
(1) summarizing system designer expectations for system call functions;
(2) referring to the design document, and inducing information such as high-level attributes or invariants and the like which are required to be met in the kernel system calling stage of the operating system;
(3) and comprehensively defining the declaration specification according to information such as the expectation and invariants of a designer.
3. The operating system kernel formal verification method of claim 1, wherein the method is performed during a state machine specification definition phase:
(1) formally describing the kernel behaviors by using a state machine specification, extracting the state change of the kernel in the system calling process as each conversion step, and verifying the correct operation of the system calling by using the invariant in the state conversion process and the defined preposed and postpositional conditions;
(2) defining an abstract kernel state, wherein the abstract kernel state is obtained by performing abstract description on an operating system kernel by using a program logic structure, and the abstract kernel state comprises two contents of a current kernel state and a system calling function;
(3) and defining abstract state conversion, and simulating the system call operation condition by using the state conversion.
4. The operating system kernel formal verification method according to claim 1 or 3, wherein after the state machine specification is defined, the abstract state transition is verified as follows:
(1) taking the kernel state and the system calling parameter as the input of the verification specification;
(2) acquiring current execution process information, and storing specific information of a process called by an execution system;
(3) verifying the system calling parameter, determining the correctness of the system calling parameter, and returning a verification condition;
(4) and if the verification condition is true, starting to transfer the kernel state to the next stage, and executing the system call function to obtain the kernel state of the next stage.
5. The method for formal verification of the kernel of the operating system according to claim 1, wherein the method performs modeling verification on the system call after the definition of the declaration specification and the state machine specification is completed, and the modeling verification is implemented by the following steps:
(1) summarizing high-level attributes which must be met in the process of executing the system call, and defining the declaration specification by combining with corresponding invariant in the kernel;
(2) defining the state machine specification by a formal language according to the design document and the source code;
(3) the state machine specification and the declaration specification are transmitted to a verifier, the verifier converts the state machine specification and the declaration specification into a theorem certificate, and the solution verification is automatically carried out;
(4) if the solver is successfully verified, the realization of the part of codes can be regarded as safe; and if the verification fails, returning a corresponding test case to help check possible problems.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110564820.3A CN113282492A (en) | 2021-05-24 | 2021-05-24 | Operating system kernel formal verification method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110564820.3A CN113282492A (en) | 2021-05-24 | 2021-05-24 | Operating system kernel formal verification method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113282492A true CN113282492A (en) | 2021-08-20 |
Family
ID=77281053
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110564820.3A Pending CN113282492A (en) | 2021-05-24 | 2021-05-24 | Operating system kernel formal verification method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113282492A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115687166A (en) * | 2023-01-05 | 2023-02-03 | 军事科学院系统工程研究院网络信息研究所 | Formal verification method and system |
| CN115687167A (en) * | 2023-01-05 | 2023-02-03 | 军事科学院系统工程研究院网络信息研究所 | Formal verification method and device for group intelligent operating system |
| CN115827494A (en) * | 2023-01-09 | 2023-03-21 | 军事科学院系统工程研究院网络信息研究所 | Design layer formalization verification method and system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106708730A (en) * | 2016-11-22 | 2017-05-24 | 北京控制工程研究所 | Formal verification method capable of aiming at embedded real-time operating system |
| CN110347588A (en) * | 2019-06-04 | 2019-10-18 | 北京谦川科技有限公司 | Software verification method, device, computer equipment and storage medium |
| CN111400716A (en) * | 2020-02-25 | 2020-07-10 | 华东师范大学 | Security mechanism verification method based on operating system |
-
2021
- 2021-05-24 CN CN202110564820.3A patent/CN113282492A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106708730A (en) * | 2016-11-22 | 2017-05-24 | 北京控制工程研究所 | Formal verification method capable of aiming at embedded real-time operating system |
| CN110347588A (en) * | 2019-06-04 | 2019-10-18 | 北京谦川科技有限公司 | Software verification method, device, computer equipment and storage medium |
| CN111400716A (en) * | 2020-02-25 | 2020-07-10 | 华东师范大学 | Security mechanism verification method based on operating system |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115687166A (en) * | 2023-01-05 | 2023-02-03 | 军事科学院系统工程研究院网络信息研究所 | Formal verification method and system |
| CN115687167A (en) * | 2023-01-05 | 2023-02-03 | 军事科学院系统工程研究院网络信息研究所 | Formal verification method and device for group intelligent operating system |
| CN115687166B (en) * | 2023-01-05 | 2023-04-07 | 军事科学院系统工程研究院网络信息研究所 | Formal verification method and system |
| CN115827494A (en) * | 2023-01-09 | 2023-03-21 | 军事科学院系统工程研究院网络信息研究所 | Design layer formalization verification method and system |
| CN115827494B (en) * | 2023-01-09 | 2023-05-05 | 军事科学院系统工程研究院网络信息研究所 | Design layer form verification method and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Bozzano et al. | The COMPASS approach: Correctness, modelling and performability of aerospace systems | |
| CN108509336B (en) | Operating system standard formalization verification and test method | |
| US10423518B2 (en) | Systems and methods for analyzing violations of coding rules | |
| US10387585B2 (en) | System and method for performing model verification | |
| CN113282492A (en) | Operating system kernel formal verification method | |
| US8326592B2 (en) | Method and system for verifying electronic designs having software components | |
| Zakharov et al. | Configurable toolset for static verification of operating systems kernel modules | |
| US8041554B1 (en) | Method and system for the development of high-assurance microcode | |
| Kim et al. | A comparative study of software model checkers as unit testing tools: An industrial case study | |
| CN112417798B (en) | Time sequence testing method and device, electronic equipment and storage medium | |
| Herber et al. | A HW/SW co-verification framework for SystemC | |
| US10073933B2 (en) | Automatic generation of properties to assist hardware emulation | |
| US5966306A (en) | Method for verifying protocol conformance of an electrical interface | |
| Apvrille et al. | Prototyping an embedded automotive system from its UML/SysML models | |
| Li et al. | Formalizing hardware/software interface specifications | |
| Engels et al. | Model-based verification and validation of properties | |
| CN111679964B (en) | Formal verification method of microkernel operating system interface based on boundary model detection technology | |
| Elmqvist et al. | Safety-oriented design of component assemblies using safety interfaces | |
| Punnoose et al. | Survey of Existing Tools for Formal Verification. | |
| Durand et al. | Model checking AUTOSAR components with CBMC | |
| CN111338761B (en) | 51 single-chip microcomputer virtual interrupt controller and implementation method | |
| US7447621B1 (en) | PLI-less co-simulation of ISS-based verification systems in hardware simulators | |
| Macieira et al. | Device driver generation and checking approach | |
| Ferdinand et al. | Integration of code-level and system-level timing analysis for early architecture exploration and reliable timing verification | |
| Ryzhyk et al. | Improved device driver reliability through hardware verification reuse |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |