Hyperkernel: Push-Button Verification of an OS Kernel, SOSP 2017
Some system calls traditionally require loops, such as loading an executable file or killing a process and freeing its resources. What changes does the Hyperkernel interface make to avoid such “loopy” operations? Do you think such changes are necessary? Briefly explain using one example.
Compare Figure 10 from the Hyperkernel paper to Tables 2 and 3 from the Dune paper (“getpid”, “trap”, “appel1”, and “appel2”). Why do you think Dune performs much better on “appel1” and “appel2” than Hyperkernel?
Hyperkernel’s declarative specification describes several properties that the state-machine specification must maintain, such as memory isolation. Compare them to seL4’s abstract and executable specification. What are the main differences between their guarantees?
Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing). For example, you may wish to comment on the bugs Hyperkernel was able to find in xv6. Do you think catching these bugs earlier in xv6’s development would have been useful?