Gerwin Klein is a Senior Principal Researcher at NICTA, Australia’s National Centre of Excellence for ICT Research, and Conjoint Associate Professor at the University of New South Wales in Sydney, Australia. He is leading NICTA’s Formal Methods research discipline and was the leader of the L4.verified project that created the first machine-checked proof of functional correctness of a general-purpose microkernel in 2009. He joined NICTA in 2003 after receiving his PhD from Technische Universität München, Germany, where he formally proved type-safety of the Java Bytecode Verifier in the theorem prover Isabelle/HOL.
His research interests are in formal verification, programming languages, and low-level systems. Gerwin has won a number of awards together with his team, among them the 2011 MIT TR-10 award for the top ten emerging technologies world-wide, NICTA’s Richard E. Newton impact award for the kernel verification work, the best paper award from SOSP’09 for the same, and an award for the best PhD thesis in Germany in 2003 for his work on bytecode verification. When he is not proving theorems and working on trustworthy software, he enjoys travelling and dabbling in martial arts and photography. Together with Tobias Nipkow he has just published an online draft of the textbook Concrete Semantics, which uses the Isabelle theorem prover.
Highlights of Klein’s thoughts, from the interview below:
- Verifying code not designed for verification is very difficult and costly. Such “post-mortem verification” has other disadvantages as well.
- Programmers can use abstraction, modularity, and explicit architectural choices to help make complex systems transparent to humans.
- There are two ways probability can play a role in verification: (1) direct probabilistic reasoning, in the logic or in a setting where the program itself is probabilistic, or (2) standard non-probabilistic reasoning paired with subjectively uncertain reasoning about what a guarantee means for the overall probability that the system will work as intended.
- Truly autonomous systems still seem a long way off, but if you can build a system that behaves in genuinely unexpected ways, then you cannot make it safe.
Luke Muehlhauser: In your forthcoming paper “Comprehensive Formal Verification of an OS Microkernel,” you and your co-authors describe the design of the kernel (seL4) used to ensure its verifiability. You also discuss the process of keeping the formal proof current “as the requirements, design, and implementation of the system [changed] over a period of almost a decade.”
How “micro” is the seL4 microkernel? That is, what standard functionality does it provide, and what functionality (that is common in larger OS kernels) does it not provide?
Gerwin Klein: It is pretty micro: it is a true micro-kernel in the L4 tradition. This means it is very small compared to traditional monolithic OS kernels: Linux has on the order of a few million lines of code, seL4 has on the order of 10,000 lines of C. seL4 provides only the core mechanisms that you need to build an OS. These include threads and scheduling, virtual memory, interrupts and asynchronous signals, as well as synchronous message passing. Maybe the most important feature of seL4 is its strong access control mechanism that can be used together with the rest to build isolated components with controlled communication between them. These components could be small isolated device drivers or an entire Linux guest OS; the developer can choose the granularity.
The idea is: if a mechanism strictly needs privileged hardware access to be implemented, it goes in the kernel, but if it can be implemented as a user-level task using other mechanisms, it goes outside the kernel. Surprising functionality can end up outside: for instance, device drivers, graphics, files and file systems, network stacks, even disk paging. What you (hopefully) get is that the tricky complexity is concentrated in the kernel, and the user-level OS components become more modular.