Acknowledgements

We would like to acknowledge the help and support that we received from our research partners and collaborators during this project.

In particular, we thank the development team of the Isabelle theorem prover for their help and support. Isabelle is the main verification tool used in this project and without its maturity success would not have been possible.

We thank the folks at Galois Inc who have worked with us to develop an open source proof library and theory for fixed-size machine words (e.g. 32 bit integers).

We also would like to acknowledge the contribution of our friendly competition, the German Verisoft project with whom we share some verification technology. In particular we would like to thank Norbert Schirmer whose verification framework for imperative programs we instantiate to the C language.

On the kernel side, the OS hackers at Open Kernel Labs have kept us on track and in connection with real-world customer requirements.

Finally, we thank (and you don't see that often in a research institution) the NICTA executive team who saw through our strange formulas, believed in the project and supported it from the beginning.

Dramatis Personae (aka The Team)

The L4.verified team over time included the following persons (in alphabetical order).

• June Andronick
  Software certification and C verification expert and our team spirit. Yes, we can!
• Timothy Bourke
  Invaluable Isabelle tools, security proofs, and a true engineer.
• Andrew Boyton
  PhD student, security models and proofs.
• David Cock
  The ARM hardware model expert, hardware simulator generator generator, performance tuner, and Research Engineer gone PhD student.
• Jeremy Dawson
  Proof libraries and word arithmetic. Proof automation.
• Philip Derrin
  Kernel design, implementation, verification. You name it, he can do it.
• Kai Engelhardt
  The man for refinement. Keeping us on the right track and preventing us from re-inventing too many wheels in strange shapes.
• Kevin Elphinstone
  Senior kernel expert and lead designer. Chief OS hacker who had to bear with all the strange formulas on our whiteboards.
• Gernot Heiser
  Chief visionary and our most demanding customer. Also NICTA ERTOS group leader, John Lion's Professor at UNSW, CTO and co-founder of Open Kernel Labs.
• Gerwin Klein
  Project leader, management, leadership, proofs, and chief optimist.
• Rafal Kolanski
  IPC modelling, Virtual Memory modelling, the man for Separation Logic.
• Jia Meng
  The connection to the world of first-order and automated proof. Automated termination proofs.
• Catherine Menon
  Refinement proofs and C state relation.
• Michael Norrish
  The C expert. Making Isabelle read messy low-level C programs without disappearing in a cloud of logic.
• Thomas Sewell
  Chief verification engineer. Haskell refinement framework. Tools, models, proofs, ideas, insight: ask Thomas.
• David Tsai
  ARM11 machine and instruction model. Handwritten and generated.
• Harvey Tuch
  The foundation. The C memory model on which everything rests. CISRA PhD prize winner.
• Simon Winwood
  Kernel objects, Types and Retypes. C refinement framework. Who's afraid of an evil proof?