Tapir: a language for verified OS kernel probes

Abstract

Kernel probes allow code to be inserted into a running operating system kernel to gather information for debugging or profiling. Inserting code into the kernel raises a number of safety issues. Current solutions follow one of the two paths: a VM-based approach, where safety properties are checked dynamically by an interpreter, or a static-analysis approach, where probe code is guaranteed to be safe statically. While more attractive, existing static solutions depend on ad-hoc and error-prone analysis. We propose to explore enforcing safety properties using a type system, thus building our analysis on top of the well-studied ground of type theory.