Host: Japan Society for Software Science and Technology
With the recent spread of embedded systems, it has become important to certify low-level software such as specialized operating systems. Our work aims at providing a framework to carry out such certifications convincingly. In this paper, we illustrate our approach by formalizing in the Coq proof assistant an important property of memory management in Topsy, an operating system for active-network cards. The difficulty in such a certification is twofold: we need to (1) identify the relevant modules in the concrete implementation, and (2) model properly the memory management policy implemented on top of the memory protection mechanisms of the hardware. Using Separation Logic (an extension of Hoare Logic with memory operations and a spatial assertion language), we have extracted, formalized, and specified the relevant parts of the boot-loader, the memory management module, and the thread management module of Topsy, and we are now in the process of certifying Memory Isolation, i.e. the property that user threads cannot read or write outside of their own memory space. We believe that a large part of our formalization (in particular, the Coq implementation of Separation Logic) is reusable in the context of other certifications.
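To make the "spatial assertion language" concrete, the following is an added Coq illustration of the core of Separation Logic (a heap as a partial map, the points-to assertion, and the separating conjunction), together with one small lemma showing why the separating conjunction is the right tool for stating isolation: two cells joined by `**` are guaranteed to live at distinct addresses. This is not the paper's Topsy formalization and none of its names (`heap`, `mapsto`, `sep`, `sep_mapsto_neq`) come from that development; addresses and values are modelled as natural numbers for simplicity.

```coq
(* Added illustration, not the paper's formalization: a minimal heap model
   with points-to and separating conjunction, plus one lemma about it.
   Assumption: addresses and values are natural numbers. *)
Require Import Coq.Arith.PeanoNat.

Definition addr := nat.
Definition val := nat.

(* A heap is a partial map from addresses to values. *)
Definition heap := addr -> option val.

Definition emp_heap : heap := fun _ => None.

(* The one-cell heap holding v at address a. *)
Definition singleton (a : addr) (v : val) : heap :=
  fun a' => if Nat.eqb a a' then Some v else None.

(* Two heaps are disjoint when no address is defined in both. *)
Definition disjoint (h1 h2 : heap) : Prop :=
  forall a, h1 a = None \/ h2 a = None.

(* Union of two heaps; h1 wins on overlap, which never happens for
   disjoint heaps. *)
Definition union (h1 h2 : heap) : heap :=
  fun a => match h1 a with Some v => Some v | None => h2 a end.

(* Assertions of the spatial language are predicates on heaps. *)
Definition assert := heap -> Prop.

Definition emp : assert := fun h => h = emp_heap.

(* a |-> v : the heap consists of exactly one cell, a, containing v. *)
Definition mapsto (a : addr) (v : val) : assert :=
  fun h => h = singleton a v.

(* P ** Q : the heap splits into two disjoint parts satisfying P and Q. *)
Definition sep (P Q : assert) : assert :=
  fun h => exists h1 h2, disjoint h1 h2 /\ h = union h1 h2 /\ P h1 /\ Q h2.

Notation "a |-> v" := (mapsto a v) (at level 50).
Notation "P ** Q" := (sep P Q) (at level 60, right associativity).

(* Two points-to facts joined by ** describe genuinely separate cells:
   the addresses must differ. This is the basic fact an isolation
   argument (one region per thread, regions joined by **) builds on. *)
Lemma sep_mapsto_neq : forall a1 v1 a2 v2 h,
  (a1 |-> v1 ** a2 |-> v2) h -> a1 <> a2.
Proof.
  intros a1 v1 a2 v2 h [h1 [h2 [Hd [_ [H1 H2]]]]] Heq.
  subst h1 h2 a2.
  destruct (Hd a1) as [Hn | Hn]; unfold singleton in Hn;
    rewrite Nat.eqb_refl in Hn; discriminate.
Qed.
```

The lemma is proved by contradiction: if the two addresses coincided, the disjointness witness demanded by `sep` would have to claim that address is undefined in one of the two singleton heaps, which `Nat.eqb_refl` refutes. A memory-isolation statement in this style describes each thread's region as its own `**`-separated conjunct, so that a thread's operations are specified against its conjunct alone and cannot touch the others.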