No Crash, No Exploit: Automated Verification of Embedded Kernels
arXiv - CS - Operating Systems. Pub Date: 2020-11-30, DOI: arxiv-2011.15065
Olivier Nicole, Matthieu Lemerre, Sébastien Bardin, Xavier Rival

The kernel is the most safety- and security-critical component of many computer systems, as its most severe bugs lead to a complete system crash or exploit. It is thus desirable to guarantee that a kernel is free from these bugs using formal methods, but the high cost and expertise required to do so are a deterrent to wide applicability. We propose a method that can verify both the absence of runtime errors (i.e., crashes) and the absence of privilege escalation (i.e., exploits) in embedded kernels from their binary executables. The method can verify the kernel runtime independently from the application, at the expense of only a few lines of simple annotations. When given a specific application, the method can verify simple kernels without any human intervention. We demonstrate our method on two different use cases: we use our tool to help the development of a new embedded real-time kernel, and we verify an existing industrial real-time kernel executable with no modification. Results show that the method is fast, simple to use, and can prevent real errors and security vulnerabilities.

Updated: 2020-12-01