Operating system (OS) kernels achieve isolation between user-level processes using hardware features such as multi-level page tables and translation lookaside buffers (TLBs). The TLB caches address translation, and therefore correctly controlling the TLB is a fundamental security property of OS kernels—yet all large-scale formal OS verification projects we are aware of leave the correct functionality of TLB as an assumption. In this paper, we present a verified sound abstraction of a detailed concrete model of the memory management unit (MMU) of the ARMv7-A architecture. This MMU abstraction revamps our previous address space specific MMU abstraction to include new software-visible TLB features such as caching of globally-mapped and partial translation entries in a two-stage TLB. We use this abstraction as the underlying model to develop a logic for reasoning about low-level programs in the presence of cached address translation. We extract invariants and necessary conditions for correct TLB operation that mirrors the informal reasoning of OS engineers. We systematically show how these invariants adapt to global and partial translation entries. We show that our program logic reduces to a standard logic for user-level reasoning, reduces to side-condition checks for kernel-level reasoning, and can handle typical OS kernel tasks such as context switching.

中文翻译：

---

缓存地址转换下的形式推理

操作系统 (OS) 内核使用硬件功能（例如多级页表和转换后备缓冲区 (TLB)）实现用户级进程之间的隔离。TLB 缓存地址转换，因此正确控制 TLB 是 OS 内核的基本安全属性——但我们知道的所有大规模正式 OS 验证项目都将 TLB 的正确功能作为假设。在本文中，我们提出了 ARMv7-A 架构的内存管理单元 (MMU) 的详细具体模型的经过验证的抽象。此 MMU 抽象改进了我们之前的地址空间特定 MMU 抽象，以包括新的软件可见 TLB 功能，例如在两阶段 TLB 中缓存全局映射和部分转换条目。我们使用这种抽象作为底层模型来开发逻辑，以便在存在缓存地址转换的情况下对低级程序进行推理。我们提取了正确 TLB 操作的不变量和必要条件，反映了操作系统工程师的非正式推理。我们系统地展示了这些不变量如何适应全局和部分翻译条目。我们展示了我们的程序逻辑简化为用户级推理的标准逻辑，简化为内核级推理的边条件检查，并且可以处理典型的操作系统内核任务，例如上下文切换。我们系统地展示了这些不变量如何适应全局和部分翻译条目。我们展示了我们的程序逻辑简化为用户级推理的标准逻辑，简化为内核级推理的边条件检查，并且可以处理典型的操作系统内核任务，例如上下文切换。我们系统地展示了这些不变量如何适应全局和部分翻译条目。我们展示了我们的程序逻辑简化为用户级推理的标准逻辑，简化为内核级推理的边条件检查，并且可以处理典型的操作系统内核任务，例如上下文切换。