
Automated Verification of a Type-Safe Operating System [pdf] - muraiki
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/pldi117-yang.pdf
======
sanxiyn
Keyword here is "automated". Quoting, "In the end, the Verve design,
implementation, and verification described in this paper took just 9 person-
months, spread between two people". This is considerably less than, say, seL4,
which took 20 person-years(!). Well, seL4 is larger than Verve, but still.

------
Animats
It's disappointing that little verified OSs like these don't show up in little
boxes that need them, such as home DSL routers, printers, webcams, and various
IoT devices. Those all have one job, and run a fixed program or programs. You
want them to do that one job and nothing else. Not act as attack vectors
against other systems.

~~~
ktta
The interesting thing out of all this is that Microsoft is the one often doing
research like this, from F* and Project Everest to complete kernels, but I've
yet to see Windows get any of the new techniques/tools arising from MSR.

I wonder if it is a problem of the research being fairly new, or a lack of
software developers inside Microsoft willing to replace their existing code
and learn new tools and languages.

~~~
pjmlp
Because you are not looking into the right spots:

- Windows 7 kernel reorganization

- MDIL .NET AOT compiler for Windows 8 and .NET Native for UWP

- async/await for .NET

- generics for .NET

- UWP based on COM (original idea was called ExtVOS before .NET existed)

- Task Programming Library for .NET

- Pico-processes on Windows 10

- Secure kernel on Windows 10

- Hyper-V based containers

- Driver verification framework using a theorem proving framework

- The P language used for writing Windows 8 USB drivers

I guess they just don't adopt more due to management, and how the windev and
devtools relate to each other in regards to technology adoption.

~~~
ktta
Half of what you mentioned doesn't come close to some of the research you see
MSR publishing. The ones you mentioned are nice, but check out their papers.
Some of their papers are so outlandish (for lack of a better word) that I
doubt they can even find a proper conference/publication to submit them to.

The most surprised I've been was when they started using P lang for drivers
(which is also used for verification, so your last two points fall under a
single point if I'm not wrong). This was the first time I've seen them using a
new language/tool rather than make additions like the rest of the points you
made. (Also FPGAs in their data centers but that's a different topic)

I'm not deriding their decision to do so, just an observation. Google's X does
research which can possibly be an actual product, and I guess I expected
Microsoft to do the same. Using such cutting-edge research and including it in
their products might earn them cool points from HN, but I'd say the management
is perfectly content with the numbers in front of them. OTOH, I doubt any
manager is willing to take the blame if their initiative fails in a released
product. Microsoft has enough bugs that people complain about as it is (refer
to the front page submission about performance).

~~~
pjmlp
So I feel that I need to provide the background of the items I mentioned.

Research on ExtVOS:

- .NET

- generics for .NET

- UWP based on COM (.NET was originally to be based on COM, not the CLR, which
came to be due to Java's influence)

By-products of the Singularity and Midori projects:

- MDIL .NET AOT compiler for Windows 8 and .NET Native for UWP

- async/await for .NET

- Task Programming Library for .NET

By-products of the Drawbridge and Ironclad projects:

- Pico-processes on Windows 10

- Secure kernel on Windows 10

- Hyper-V based containers

By-products of Dafny, Z3 and theorem proving research:

- Driver verification framework using a theorem proving framework

- The P language used for writing Windows 8 USB drivers

~~~
ktta
Looks like I was wrong on multiple counts. Thanks for taking the time.

Any links on the driver verification framework? I've only seen people talk
about using Z3 for hardware verification but didn't know about MS doing it and
talking about it publicly (could only find this:
https://pdfs.semanticscholar.org/b100/b1562ba0e75191d29d4c15bfe4dc1d1f9c3b.pdf)

~~~
pjmlp
Yes, here they are:

"SMT in Verification, Modeling, and Testing at Microsoft"

https://link.springer.com/chapter/10.1007%2F978-3-642-39611-3_3

"Efficient evaluation of pointer predicates with Z3 SMT Solver in SLAM2"

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/axioms.submitted.pdf

"Tools for Verifying Drivers"

https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tools-for-verifying-drivers

------
Animats
(2010)

Whatever happened to that? Several papers in 2010, then nothing. Wikipedia
says there was a 2013 release.

Microsoft had a later project, Ironclad (2014), which built on that to build
some simple applications.[1] That's an active project at Microsoft.[2]

[1] https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-hawblitzel.pdf

[2] https://www.microsoft.com/en-us/research/project/ironclad/#

~~~
gsnedders
Quite possibly the same that has happened to other OSes at MSR like
Singularity and Midori: the team moved on to a new research project which
involved writing another new OS.

~~~
pjmlp
I keep hoping one day such projects will have the right level of management
support and actually deliver something big into the mainstream.

We got .NET Native, async/await, W10 pico-processes, secure kernel, Windows
internal refactoring... out of those projects, but it still feels they could
have been much more with the right amount of management support.

------
cjdrake
Reminded me of this bit from Guido van Rossum's PyCon 2012 keynote:

[https://youtu.be/EBRMq2Ioxsc?t=1374](https://youtu.be/EBRMq2Ioxsc?t=1374)

"I know my operating system kernel will never be proven correct."

~~~
kmicklas
Of course he believes that, he's the creator of a language that doesn't even
have a type system...

~~~
olewhalehunter
Well, it kind of does, but idiomatic Python is not very functional.

~~~
eru
What does that have to do with functional programming?

(I know Python3 has some optional gradual typing. And I know that Python ain't
very functional---especially if you go by how Guido wants Python to be
written. But I still don't see the connection---apart from that functional
programming and academic theory on typing go hand-in-hand.)

