License: Creative Commons Attribution 4.0 International license (CC BY 4.0)
When quoting this document, please refer to the following
DOI: 10.4230/LIPIcs.TYPES.2022.1
URN: urn:nbn:de:0030-drops-184449
URL: http://dagstuhl.sunsite.rwth-aachen.de/volltexte/2023/18444/
Go to the corresponding LIPIcs Volume Portal


Mulligan, Dominic P.

All Watched Over by Machines of Loving Grace

pdf-format:
LIPIcs-TYPES-2022-1.pdf (0.8 MB)


Abstract

Modern operating systems are typically built around a trusted system component called the kernel which amongst other things is charged with enforcing system-wide security policies. Crucially, this component must be kept isolated from untrusted software at all times, which is facilitated by exploiting machine-oriented notions of separation: private memories, privilege levels, and similar.
Modern proof-assistants are typically built around a trusted system component called the kernel which is charged with enforcing system-wide soundness. Crucially, this component must be kept isolated from untrusted automation at all times, which is facilitated by exploiting programming-language notions of separation: module-private data structures, type-abstraction, and similar.
Whilst markedly different in purpose, in some essential ways operating system and proof-assistant kernels are tasked with the same job, namely enforcing system-wide invariants in the face of unbridled interaction with untrusted code. Yet the mechanisms through which the two types of kernel protect themselves are significantly different.
In this paper, we introduce Supervisionary, the kernel of a programmable proof-checking system for Gordon’s HOL, organised in a manner more reminiscent of an operating system than a typical LCF-style proof-checker. Supervisionary’s kernel executes at a relative level of privilege compared to untrusted automation, with trusted and untrusted system components communicating across a limited system call boundary. Kernel objects, managed on behalf of user-space by Supervisionary, are referenced by handles and are passed back-and-forth by system calls. Unusually, Supervisionary has no "metalanguage" in the LCF sense, as the language used to implement the kernel, and the language used to implement automation, need not be the same. Any programming language can be used to implement automation for Supervisionary, providing the resulting binary respects the kernel calling convention and binary interface, with no risk to system soundness. Lastly, Supervisionary allows arbitrary programming languages to be endowed with facilities for proof-checking. Indeed, the handles that Supervisionary uses to denote kernel objects may be thought of as an extremely expressive form of capability - in the computer security sense of that word - and can potentially be used to enforce fine-grained correctness and security properties of programs at runtime.

BibTeX - Entry

@InProceedings{mulligan:LIPIcs.TYPES.2022.1,
  author =	{Mulligan, Dominic P.},
  title =	{{All Watched Over by Machines of Loving Grace}},
  booktitle =	{28th International Conference on Types for Proofs and Programs (TYPES 2022)},
  pages =	{1:1--1:23},
  series =	{Leibniz International Proceedings in Informatics (LIPIcs)},
  ISBN =	{978-3-95977-285-3},
  ISSN =	{1868-8969},
  year =	{2023},
  volume =	{269},
  editor =	{Kesner, Delia and P\'{e}drot, Pierre-Marie},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/opus/volltexte/2023/18444},
  URN =		{urn:nbn:de:0030-drops-184449},
  doi =		{10.4230/LIPIcs.TYPES.2022.1},
  annote =	{Keywords: Proof assistant design, operating systems, HOL, LCF, Supervisionary, system description, capabilities}
}

Keywords: Proof assistant design, operating systems, HOL, LCF, Supervisionary, system description, capabilities
Collection: 28th International Conference on Types for Proofs and Programs (TYPES 2022)
Issue Date: 2023
Date of publication: 28.07.2023
Supplementary Material: Software (Source Code): https://github.com/DominicPM/supervisionary archived at: https://archive.softwareheritage.org/swh:1:dir:7478757cd08c06735cf3a1a056246d0200100c45


DROPS-Home | Fulltext Search | Imprint | Privacy Published by LZI