lh-l4v/proof/crefine
Miki Tanaka 7ad3ef3b3e wp: update the proofs for the new wp/wpc/wpsimp 2017-03-16 19:39:11 +11:00
ADT_C.thy CRefine: updates for Hypervisor stub 2017-02-22 15:26:50 +11:00
Arch_C.thy backport changes to ARM proofs from X64 work in progress 2017-01-27 08:31:07 +11:00
AutoCorresTest.thy autocorres-crefine: update CRefine demo to work after AutoCorres refactor 2016-06-30 14:41:55 +10:00
AutoCorres_C.thy Add license tags for autocorres-crefine files 2016-05-18 15:10:04 +10:00
BuildRefineCache_C.thy word_lib: adjust theory dependencies 2016-05-16 21:11:40 +10:00
CACHE.ML Import release snapshot. 2014-07-14 21:32:44 +02:00
CLevityCatch.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
CSpaceAcc_C.thy move refine/* to refine/ARM/*, parametrise over $L4V_ARCH 2017-01-30 12:22:22 +11:00
CSpace_All.thy Isabelle2016-1: follow Isabelle's choice of meta-forall bindings 2017-01-05 14:25:18 +11:00
CSpace_C.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
CSpace_RAB_C.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
Cache.thy word_lib: adjust theory dependencies 2016-05-16 21:11:40 +10:00
Delete_C.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
DetWP.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
Detype_C.thy backport changes to ARM proofs from X64 work in progress 2017-01-27 08:31:07 +11:00
Fastpath_C.thy wp: update the proofs for the new wp/wpc/wpsimp 2017-03-16 19:39:11 +11:00
Finalise_C.thy CRefine fix for prepareThreadDelete 2017-02-20 09:23:56 +11:00
Include_C.thy move refine/* to refine/ARM/*, parametrise over $L4V_ARCH 2017-01-30 12:22:22 +11:00
Init_C.thy Isabelle2016-1: syntax: use semantic markup instead of "header" 2017-01-05 14:22:24 +11:00
Interrupt_C.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
Invoke_C.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
IpcCancel_C.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
Ipc_C.thy wp: update the proofs for the new wp/wpc/wpsimp 2017-03-16 19:39:11 +11:00
IsolatedThreadAction.thy provide TCB argument for sanitiseRegister 2017-02-12 12:54:42 +11:00
Machine_C.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
Move.thy move refine/* to refine/ARM/*, parametrise over $L4V_ARCH 2017-01-30 12:22:22 +11:00
PSpace_C.thy Partial progress on using array assertions. 2015-12-02 09:05:04 +11:00
README.md misc: Proofing and formatting of README.md files. 2014-07-28 13:15:48 +10:00
Recycle_C.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
Refine_C.thy CRefine: updates for Hypervisor stub 2017-02-22 15:26:50 +11:00
Refine_nondet_C.thy regression: add test to check theory import paths 2016-05-27 16:17:13 +10:00
Retype_C.thy wp: update the proofs for the new wp/wpc/wpsimp 2017-03-16 19:39:11 +11:00
SR_lemmas_C.thy move refine/* to refine/ARM/*, parametrise over $L4V_ARCH 2017-01-30 12:22:22 +11:00
Schedule_C.thy crefine: ARM verification support for "Disable active VCPU when switching to the idle thread" 2017-03-06 16:15:27 +11:00
StateRelation_C.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
StoreWord_C.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
SyscallArgs_C.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
Syscall_C.thy wp: update the proofs for the new wp/wpc/wpsimp 2017-03-16 19:39:11 +11:00
TcbAcc_C.thy provide TCB argument for sanitiseRegister 2017-02-12 12:54:42 +11:00
TcbQueue_C.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
Tcb_C.thy wp: update the proofs for the new wp/wpc/wpsimp 2017-03-16 19:39:11 +11:00
VSpace_C.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
Wellformed_C.thy SELFOUR-421: merge and fix up to ArmConfidentiality proof 2016-09-22 19:21:56 +10:00

README.md

C Refinement Proof

This proof establishes that seL4's C code, once translated into Isabelle/HOL using Michael Norrish's C parser, is a formal refinement (i.e. a correct implementation) of its design specification and, transitively (using the results of the Design Spec Refinement Proof), that seL4's C code is also a formal refinement of its abstract specification. In other words, this proof establishes that seL4's C code correctly implements its abstract specification.

The approach used for the proof is described in the TPHOLS '09 [paper][5].

Building

To build from the l4v/proof directory, run:

make CRefine

Important Theories

The top-level theory where the refinement statement is established over the entire kernel is Refine_C; the state-relation that relates the state-spaces of the two specifications is defined in StateRelation_C.

Note that this proof deals with two C-level semantics of seL4: one produced directly by the C parser from the kernel's C code, and another produced by the C spec's Substitute theory. These proofs largely operate on the latter, proving that it corresponds to the design spec. Refinement between the two C-level specs is proved in the CToCRefine theory. The top-level Refine_C theory quotes both refinement properties.