35 lines
1.2 KiB
Markdown
35 lines
1.2 KiB
Markdown
Design Spec Refinement Proof
|
|
============================
|
|
|
|
This proof establishes that seL4's [design specification](../../spec/design/)
|
|
is a formal *refinement* (i.e. a correct implementation) of its
|
|
[abstract specification](../../spec/abstract/). This proof also
|
|
interweaves the definition and proofs of the global invariant for the
|
|
design specification, and builds on the [Abstract Spec Invariant
|
|
Proof](../invariant-abstract/). It is described in the TPHOLS '08
|
|
[paper][1].
|
|
|
|
[1]: http://nicta.com.au/pub?id=483 "Secure Microkernels, State Monads and Scalable Refinement"
|
|
|
|
Building
|
|
--------
|
|
|
|
Make sure that the `L4V_ARCH` environment variable is set to the desired
|
|
target architecture. If in doubt, use `L4V_ARCH=ARM`.
|
|
|
|
To build from the `l4v/` directory, run:
|
|
|
|
./isabelle/bin/isabelle build -d . -v -b Refine
|
|
|
|
Important Theories
|
|
------------------
|
|
|
|
The top-level theory where the refinement statement is established over
|
|
the entire kernel is [`Refine`](ARM/Refine.thy); the state-relation that
|
|
relates the state-spaces of the two specifications is defined in
|
|
[`StateRelation`](ARM/StateRelation.thy) and the basic correspondence
|
|
property proved over each kernel function is defined in
|
|
[`Corres`](ARM/Corres.thy).
|
|
|
|
|