## User program

CPU 2

CPU 1



CPU 3

CPU n

| User program        | User program        | User program        | <br>User program        |  |
|---------------------|---------------------|---------------------|-------------------------|--|
| Operating<br>System | Operating<br>System | Operating<br>System | <br>Operating<br>System |  |
| CPU 1               | CPU 2               | CPU 3               | <br>CPU n               |  |

| User program        | User program        | User program        |  | User program        |  |  |
|---------------------|---------------------|---------------------|--|---------------------|--|--|
| Operating<br>System | Operating<br>System | Operating<br>System |  | Operating<br>System |  |  |
| Shared Resource     |                     |                     |  |                     |  |  |
| CPU 1               | CPU 2               | CPU 3               |  | CPU n               |  |  |





atomic<sub>2</sub>

atomic<sub>3</sub>

private

CPU 2













CPU 1 — 
$$\frac{1}{\text{atomic}_1}$$
 —  $\frac{1}{\text{private}}$  —  $\frac{1}{\text{atomic}_2}$  —  $\frac{1}{\text{atomic}_3}$  —  $\frac{1}{\text{atomic}_4}$  —  $\frac{1}{\text{atomic$ 





| User program | User program                                           | User program             |  | User program |  |  |  |  |
|--------------|--------------------------------------------------------|--------------------------|--|--------------|--|--|--|--|
| OS Layer     | OS Layer                                               | OS Layer<br>red Resource |  | OS Layer     |  |  |  |  |
| :            | • Shared Resource                                      |                          |  |              |  |  |  |  |
| :            |                                                        |                          |  |              |  |  |  |  |
| OS Layer     |                                                        | OS La Er                 |  |              |  |  |  |  |
|              | OS Layer OS Layer OS Layer OS Layer Shared Resource C1 |                          |  |              |  |  |  |  |
| OS Layer     |                                                        |                          |  |              |  |  |  |  |
| OS Layer     |                                                        |                          |  |              |  |  |  |  |
|              | Shared Resource                                        |                          |  |              |  |  |  |  |
| CPU 1        |                                                        | CPU $arepsilon_{c_1}$    |  |              |  |  |  |  |
|              |                                                        |                          |  |              |  |  |  |  |

 $Asm_{mc}(Boot) \vdash [[CertiKOS \oplus Ctxt]]$ 

 $Asm_{thrd}(Syscall[tid,\varepsilon_{cpu}',\varepsilon_{thrd}']) \vdash \llbracket \mathbf{Ctxt} \rrbracket$ 



 $Asm_{cpu}(Boot[cid, \varepsilon_{cpu}]) \vdash \llbracket \mathbf{CertiKOS} \oplus \mathbf{Ctxt} \rrbracket$   $\square$   $Boot(Asm_{mc})$   $Asm_{mc}(Boot) \vdash \llbracket \mathbf{CertiKOS} \oplus \mathbf{Ctxt} \rrbracket$ 

- Environment
  - Fixed number of CPUs
  - Fixed initial state for all CPUs
  - Fairness assumptions
- Things to solve
  - Hide non-determinism 1
  - Build environmental context for each CPU 2
  - Prove compositionality of multiple per-CPU machines
  - Provide simple environmental context for per-CPU machines



(4)

 $Asm_{sep}(C, L[cid, \varepsilon_{sep}]) \vdash [[Prog]]$ 

 $Asm_{reorder}(C, L[cid, \varepsilon'_{reorder}]) \vdash [[Prog]]$ 

Link with 
$$Asm_{cpu}$$
 (4)

Optimize environmental context

Introduce per-CPU machine (2)

Introduce partial machine (2, 3) and prove linking theorem

Introduce hardware scheduler(1)

 $Asm_{reorder}(Boot[cid, \varepsilon_{reorder}]) \vdash [CertiKOS \oplus Ctxt]]$  $Asm_{split}(Boot[cid, \varepsilon]) \vdash \llbracket \mathbf{CertiKOS} \oplus \mathbf{Ctxt} \rrbracket$  $Asm_{big2}(Boot[cid, \varepsilon]) \vdash [CertiKOS \oplus Ctxt]$  $Asm_{big}(Boot[cid,\varepsilon]) \vdash \llbracket \mathbf{CertiKOS} \oplus \mathbf{Ctxt} \rrbracket$  $Asm_{single}(Boot[cid, \varepsilon]) \vdash [CertiKOS \oplus Ctxt]$  $Asm_{env}(Boot[cid, \varepsilon]) \vdash [[CertiKOS \oplus Ctxt]]$  $Asm_{env}(\parallel_{i \in CoreSet} Boot[CoreSet, \varepsilon_{CoreSet}]) \vdash [CertiKOS \oplus Ctxt]$  $Asm_{oracle}(Boot[\varepsilon_{CoreSet}]) \vdash [CertiKOS \oplus Ctxt]]$  $Asm_{mc}(Boot) \vdash [CertiKOS \oplus Ctxt]$ 

 $Asm_{cpu}(Boot[cid,\varepsilon_{cpu}]) \vdash \llbracket \mathbf{CertiKOS} \oplus \mathbf{Ctxt} \rrbracket$ 

 $Asm_{sep}(Boot[cid, \varepsilon_{sep}]) \vdash [[CertiKOS \oplus Ctxt]]$ 

 $Asm_{reorder}(Boot[cid, \varepsilon'_{reorder}]) \vdash [CertiKOS \oplus Ctxt]]$ 



$$TSched \big[ tid, \varepsilon'_{cpu}, \varepsilon_{thrd} \big] (yield) - (lst, log) \rightarrow (lst, log')$$

$$TSched \cdots \cdots \cdots Asm_{thrd} (TSched \big[ tid, \varepsilon'_{cpu}, \varepsilon_{thrd} \big]) \vdash [\![ CertiKOS_{td} \oplus Ctxt]\!]$$

 $Asm_{cnu}(CSched[cid, \varepsilon'_{cnu}]) \vdash [[CertiKOS_{td} \oplus Ctxt]]$ 

 $CSched[cid, \varepsilon'_{ci}]$  contains software scheduler primitives

- spawn / yield / sleep / wakeup

CSched (Asm<sub>cpu</sub>)

 $CSched[cid, \varepsilon'_{ci}](yield) - (lst, log) \rightarrow (lst/[tid = \cdots, \rho = \cdots, \cdots], log')$ 

- Environment
  - Arbitrary active or available thread set on the CPU
  - Dynamic initial states
- Things to solve
  - Hide context switching between threads 1
  - Build environmental context for each thread
  - Assign proper initial states for each thread
  - Prove compositionality of multiple per-thread machines
  - Use the same compiler for per-CPU/thread machines

(5) Link per-CPU machine compiler with per-thread machine (1, 2, 3)Introduce per-thread machine (1, 2, 3, 4)Introduce multithreaded machine and prove linking theorem C: thread configuration

 $IAsm_{thrd}(C, TLink[tid, \varepsilon'_{cpu}, \varepsilon_{T}^{zip}]) \vdash \llbracket \mathbf{CertiKOS_{td}} \oplus \mathbf{Ctxt} \rrbracket$   $\sqcup IAsm_{mt}(C, TLink[tid, \varepsilon'_{cpu}, \varepsilon_{T}]) \vdash \llbracket \mathbf{CertiKOS_{td}} \oplus \mathbf{Ctxt} \rrbracket$   $| \parallel$ 

 $IAsm_{mt}(C, \parallel_{ti \in TSet} TLink[cid, \varepsilon'_{cpu}]) \vdash [CertiKOS_{td} \oplus Ctxt]$ 

 $Asm_{mt}(C, \|_{ti \in TSet} \ TLink\big[cid, \varepsilon_{cpu}'\,\big]) \vdash \llbracket \mathbf{CertiKOS_{td}} \oplus \mathbf{Ctxt} \rrbracket$ 

 $Asm_{thrd}(C, TSched[tid, \varepsilon'_{cnu}, \varepsilon_{thrd}]) \vdash [CertiKOS_{td} \oplus Ctxt]$ 

abstract relations between two layers  $AbsRelT = \begin{cases}
AbsRelC \\
(context switching incl.) \\
TLink: arbitrary layer for intermediate machines (scheduling primitives are defined in the machine itself) \\
TSched: arbitrary layer with scheduling primitives$ 

(Scheduling has a identity behavior)

Link per-CPU machine (5) compiler with per-thread machine

(1, 2, 3) Introduce per-thread machine

Introduce (1, 2, 3, 4) multithreaded machine and prove linking theorem

 $Asm_{thrd}(PHThread[tid, \varepsilon'_{cpu}, \varepsilon_{thrd}]) \vdash [CertiKOS_{td} \oplus Ctxt]$   $\square$   $LAsm_{thread}(PHPThread[tid, \varepsilon'_{cpu}, \varepsilon_{thred}]) \vdash [CertiKOS_{td} \oplus Ctxt]$ 

$$\begin{split} \mathit{IAsm}_{thrd}(\mathit{PHBThread}\big[\mathit{tid},\varepsilon'_\mathit{cpu},\varepsilon^\mathit{zip}_T\big]) \vdash \llbracket \mathbf{CertiKOS_{td}} \oplus \mathbf{Ctxt} \rrbracket \\ & \qquad \qquad \bigsqcup \rrbracket \\ \mathit{IAsm}_{mt}(\mathit{PHBThread}\big[\mathit{tid},\varepsilon'_\mathit{cpu},\varepsilon_T\big]) \vdash \llbracket \mathbf{CertiKOS_{td}} \oplus \mathbf{Ctxt} \rrbracket \end{split}$$

 $IAsm_{mt}(\|_{ti \in TSet} \ PHBThread[cid, \varepsilon'_{cpu}]) \vdash [\mathbf{CertiKOS_{td}} \oplus \mathbf{Ctxt}]]$   $\square |$   $Asm_{mt}(\|_{ti \in TSet} \ PHBThread[cid, \varepsilon'_{cpu}]) \vdash [\mathbf{CertiKOS_{td}} \oplus \mathbf{Ctxt}]]$ 

 $\qquad \qquad \qquad \bigsqcup \\ Asm_{cpu}(PBThread[cid, \varepsilon'_{cpu}]) \vdash \llbracket \mathbf{CertiKOS_{td}} \oplus \mathbf{Ctxt} \rrbracket$ 

$$st_{TSet} := (tid, \{ti \mapsto lst_{ti}\}, log) \ (\forall ti, ti \in TSet)$$

(With  $\varepsilon'_{c1}$ )



$$st_{TSet} := (tid, \{ti \mapsto lst_{ti}\}, log) \ (\forall ti, ti \in TSet)$$









 $IAsm_{mt}$ 

*n* < *progress* Every thread will generate at least one event within progress steps





Every thread will be eventually scheduled within  $limit \times progress$  steps



Initial state: Calculate initial log to find the proper initial state

Yield rule: 
$$TSched[tid, \varepsilon'_{cpu}, \varepsilon_{thrd}](yield) - (lst, log) \rightarrow (lst, log')$$

TSched ... ... ...  $Asm_{thrd}(TSched[tid, \varepsilon'_{cpu}, \varepsilon_{thrd}]) \vdash [CertiKOS_{td} \oplus Ctxt]$ 
 $\square$ 

CSched (Asm<sub>cpu</sub>) ··· 
$$Asm_{cpu}(CSched[tid, \varepsilon'_{cpu}]) \vdash [CertiKOS_{td} \oplus Ctxt]$$

Initial state: Fixed initial state

Yield rule:  $\mathit{CSched}\left[\mathit{cid}, \varepsilon'_{cpu}\right](\mathit{yield}) - (\mathit{lst}, \mathit{log}) \rightarrow (\mathit{lst}/[\mathit{tid} = \cdots, \rho = \cdots, \cdots], \mathit{log}')$ 

## **Environmental Context Relation**



## **Hide Nondeterminism**

 $Asm_{oracle}(Boot[\varepsilon_{CoreSet}]) \vdash [\![CertiKOS \oplus Ctxt]\!]$ 

Ш

 $Asm_{mc}(Boot) \vdash [[CertiKOS \oplus Ctxt]]$