lh-l4v/proof/refine
Thomas Sewell fc6e57716a Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
ADT_H.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
ArchAcc_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
Arch_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
Bits_R.thy remove old levity and taint-mode comments 2014-07-22 18:10:28 +02:00
BuildRefineCache.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
CNodeInv_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
CSpace_I.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
CSpace_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
Cache.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Corres.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Detype_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
EmptyFail.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
EmptyFail_H.thy comment cleanup 2014-07-22 18:10:20 +02:00
Finalise_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
IncKernelInit.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Include.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
InitLemmas.thy remove old levity and taint-mode comments 2014-07-22 18:10:28 +02:00
InterruptAcc_R.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Interrupt_R.thy some of the global Isabelle2014 renames 2014-08-09 15:39:20 +10:00
Invariants_H.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
Invocations_R.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
IpcCancel_R.thy some of the global Isabelle2014 renames 2014-08-09 15:39:20 +10:00
Ipc_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
KHeap_R.thy some of the global Isabelle2014 renames 2014-08-09 15:39:20 +10:00
KernelInit_R.thy comment cleanup 2014-07-22 18:10:20 +02:00
LevityCatch.thy remove old levity and taint-mode comments 2014-07-22 18:10:28 +02:00
Machine_R.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Orphanage.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
PageTableDuplicates.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
README.md misc: Proofing and formatting of README.md files. 2014-07-28 13:15:48 +10:00
Refine.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
Retype_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
Schedule_R.thy remove old levity and taint-mode comments 2014-07-22 18:10:28 +02:00
StateRelation.thy some of the global Isabelle2014 renames 2014-08-09 15:39:20 +10:00
SubMonad_R.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Syscall_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
TcbAcc_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
Tcb_R.thy some of the global Isabelle2014 renames 2014-08-09 15:39:20 +10:00
Untyped_R.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
VSpace_R.thy some of the global Isabelle2014 renames 2014-08-09 15:39:20 +10:00

README.md

Design Spec Refinement Proof

This proof establishes that seL4's design specification is a formal refinement (i.e. a correct implementation) of its abstract specification. It also interweaves the definition and proofs of the global invariant for the design specification, and builds on the Abstract Spec Invariant Proof. It is described in the TPHOLs '08 paper.

Building

To build from the l4v/ directory, run:

./isabelle/bin/isabelle build -d . -v -b Refine

Important Theories

The top-level theory where the refinement statement is established over the entire kernel is Refine. The state relation that relates the state spaces of the two specifications is defined in StateRelation, and the basic correspondence property proved over each kernel function is defined in Corres.