
Towards High-Assurance Multiprocessor Virtualisation

16 pages. Published: May 15, 2012


Virtualisation is increasingly used in security-critical systems to isolate system components from one another. As the foundation of any virtualised system, a hypervisor must provide a high degree of assurance with regard to correctness and isolation. Microkernels such as seL4 can serve as hypervisors, and the functional correctness of seL4's uniprocessor C implementation has been formally verified. However, the framework used to verify seL4 is tailored to reasoning about sequential programs, whereas we want to exploit the full power of multiprocessor/multicore systems while retaining the high assurance seL4 already provides for uniprocessors.

This work-in-progress paper explores possible multiprocessor designs for seL4 and their amenability to verification. For the chosen design, it contributes a formal multiprocessor execution model that lifts seL4's uniprocessor model and proofs into a multiprocessor context with only minor modifications. The theorems establishing the validity of this lift operation are machine-checked in Isabelle/HOL and walked through in the paper.

Keyphrases: interactive theorem proving, Isabelle/HOL, isolation, seL4 microkernel, Virtualisation

In: Markus Aderhold, Serge Autexier and Heiko Mantel (editors). VERIFY-2010. 6th International Verification Workshop, vol 3, pages 110--125

BibTeX entry (the citation key vonTessin2012 is chosen here; the page shows none)
@inproceedings{vonTessin2012,
  author    = {Michael von Tessin},
  title     = {Towards High-Assurance Multiprocessor Virtualisation},
  booktitle = {VERIFY-2010. 6th International Verification Workshop},
  editor    = {Markus Aderhold and Serge Autexier and Heiko Mantel},
  series    = {EPiC Series in Computing},
  volume    = {3},
  pages     = {110--125},
  year      = {2012},
  publisher = {EasyChair},
  bibsource = {EasyChair},
  issn      = {2398-7340},
  url       = {},
  doi       = {10.29007/rhn3}}