J Autom Reasoning (2018) 61:141–189
Toward Compositional Verification of Interruptible OS Kernels and Device Drivers
Xiongnan Wu · Zhong Shao · Ronghui Gu
Received: 1 April 2017 / Accepted: 14 December 2017 / Published online: 23 December 2017
© Springer Science+Business Media B.V., part of Springer Nature 2017
Abstract An operating system (OS) kernel forms the lowest level of any system software
stack. The correctness of the OS kernel is the basis for the correctness of the entire system.
Recent efforts have demonstrated the feasibility of building formally verified general-purpose
kernels, but it is unclear how to extend their work to verify the functional correctness of
device drivers, due to the non-local effects of interrupts. In this paper, we present a novel
compositional framework for building certified interruptible OS kernels with device drivers.
We provide a general device model that can be instantiated with various hardware devices, and
a realistic formal model of interrupts, which can be used to reason about interruptible code.
We have realized this framework in the Coq proof assistant. To demonstrate the effectiveness
of our new approach, we have successfully extended an existing verified non-interruptible
kernel with our framework and turned it into an interruptible kernel with verified device
drivers. To the best of our knowledge, this is the first verified interruptible operating system
with device drivers.
This is a revised and extended version of the conference paper under the same title.
University of Electronic Science and Technology of China, Chengdu, Sichuan, China
Yale University, New Haven, CT, USA