
Taste of Research (ToR) Summer Project Proposals


Applications for summer research in Trustworthy Systems for the topics below can be made through



Formal Methods

Theorem Proving

Improving automation in concurrent software verification

June Andronick, Corey Lewis

Abstract: Formal verification of concurrent OS code is one of the main research grand challenges of the Trustworthy Systems group. We have done initial work in modelling and verifying a small real-time operating system, eChronos. In this work, the reasoning about interleaved execution between tasks' code and interrupt code is done using a classical concurrency reasoning method, known as Owicki-Gries, empowered by the automation of a modern interactive theorem prover, Isabelle. We have further developed a framework to reason at the implementation level, either with Owicki-Gries, or with the more compositional Rely-Guarantee.

We are now exploring the verification of the multicore version of seL4, our verified microkernel, a landmark in software verification. A few approaches are being investigated, all currently involving a level of manual work. In this project you will investigate increasing the automation of practical concurrency verification, by designing suitable rules, allowing reuse of annotations, etc.

Research Environment: DATA61's Trustworthy Systems group are world leaders in research and engineering for providing unprecedented security, safety, reliability and efficiency for software systems. Successes include deployment of the OKL4 microkernel in billions of devices, the first formally verified OS kernel, seL4, and a complete seL4-based high-assurance system successfully embedded in an autonomous helicopter from Boeing. You will work with a unique combination of OS and formal methods experts, producing high-impact work with real-world applicability, driven by ambition and team spirit.

Novelty: Your work will contribute to the general feasibility and scalability of practical concurrent software verification.

Outcome: Your work will directly impact the efficiency of the framework and proofs developed for the verification of concurrent OS code.

Reference Material Links:

Open Theory Import for Isabelle/HOL

Gerwin Klein, Rafal Kolanski

The goal of the OpenTheory project is to allow specifications and proofs to be shared between different theorem prover implementations of higher order logic. Currently, this proof exchange format is supported by the provers HOL Light, HOL4, and ProofPower. The aim of this project is to extend the interactive theorem prover Isabelle/HOL with import facilities for the OpenTheory format, so that Isabelle users can access and re-use the large libraries of proofs written in any of these three provers.

In fact, a basic OpenTheory import facility exists for Isabelle/HOL, which can import OpenTheory article files. What is missing is a proper link up between the OpenTheory standard library and Isabelle/HOL's native library. Aligning different versions of the same logical constant between formal libraries in an efficient manner is an open research problem to which one might apply machine learning or a custom matching algorithm. The task of this project is to design and implement a robust and efficient scheme for importing OpenTheory theories into Isabelle/HOL targeting the native Isabelle libraries correctly.

The project requires knowledge of functional programming in a language such as ML, OCaml, or Haskell. The implementation language for this project is Standard ML.

Novelty: Proof exchange formats are an exciting new research and engineering direction for interactive provers. The contribution of this project would be to extend the family of provers that can communicate with each other.

Outcome: An extended implementation of OpenTheory import for the prover Isabelle/HOL that targets its native libraries effectively.

Reference Material Links:




Modelling Routing Protocols

Carroll Morgan, Robert van Glabbeek

Abstract: Wireless Mesh Networks (WMNs) are a promising technology that is currently being used in a wide range of application areas, including Public Safety, Transportation, Mining, etc. Typically, these networks do not have a central component (router); instead, each node in the network acts as an independent router, regardless of whether it is connected to another node or not. They allow reconfiguration around broken or blocked paths by "hopping" from node to node until the destination is reached. Unfortunately, current systems often do not live up to the expectations of end users in terms of performance and reliability, as well as ease of deployment and management.

We explore and develop adaptive network protocols and mechanisms for Wireless Mesh Networks that can overcome the major performance and reliability limitations of current systems. To support the development of these new protocols, the project also aims at new Formal Methods based techniques, which can provide powerful new tools for the design and evaluation of protocols and can provide critical assurance about protocol correctness and performance. Close collaboration with industry partners ensures the use-inspired nature of the project.

The ideal applicant should be interested in applying Formal Methods and logic-based calculi in general; previous knowledge about process algebra is appreciated, but not necessary.

Novelty: Classical routing protocol specifications are usually written in plain English. Often this yields ambiguities, inaccuracies or even contradictions. The use of Formal Methods like process algebra avoids these problems and leads to a precise description of protocols. To compare and evaluate different protocols, we aim at a compendium of standard routing protocol specifications in a unified language.

Outcome: So far we have modelled one of the standard protocols using process algebra, namely AODV, as well as a draft successor protocol that is currently being discussed by the Internet Engineering Task Force (IETF).

The project's work should include the formalisation of a second standard protocol such as OLSR or HWMP. After a faithful specification has been given, the work could include the verification of basic properties of the routing protocol: packet delivery, for example, guarantees that a packet which is injected into a network is eventually delivered to the destination (if the destination can be reached).

Reference Material Links:



Optimise seL4 cold-cache / worst-case performance NEW

Gernot Heiser

Abstract: seL4 IPC operations are highly optimised for the hot-cache (best) case but far less so for the bad/worst case. This project is to first determine present cold-cache performance by extending the sel4bench suite for cold caches. It is then to analyse and understand what limits present performance, and to improve it by ensuring cache-friendly data-structure layout and other optimisations. The emphasis will be on the IPC, interrupt and exception fast paths, optionally looking at other parts of the code as well (especially slow paths).

Novelty: seL4 kernel with much improved cold-cache performance, prevention of cold-cache performance regressions.

Power management on seL4 NEW

Gernot Heiser

Abstract: Investigate the requirements for doing power management, i.e. dynamic voltage and frequency scaling (DVFS) and the use of core sleep states on the seL4 microkernel. Understand how power management interacts with seL4's new scheduling model, which uses scheduling contexts for managing time allocation (so-called MCS kernel as it is designed to support mixed-criticality systems). Design a model for securely exporting access to the privileged power-management instructions to usermode. Based on the above, design a usermode power management framework for seL4, implement and evaluate it.

Novelty: Understand the implications and trade-offs of doing power management in usermode with a capability-based OS, and its interaction with the MCS scheduling model.

Performance limits of real-time operating systems

Gernot Heiser

Abstract: eChronos is a formally-verified RTOS designed for deeply-embedded systems with no memory protection and single-mode execution. Sloth is a system for a similar application domain, which takes the unusual approach of leaving all scheduling to hardware, by running everything in an interrupt context. This limits the use of Sloth to processors where interrupt mode can be entered by software. This project is to evaluate and quantify the performance advantage of Sloth over eChronos.

Novelty: Sloth is presently the world's fastest RTOS. eChronos, which has the advantage of formal verification and less dependence on hardware features, is a more traditionally-designed RTOS. This project will determine whether the performance advantage of Sloth is significant enough to justify the different (and more limiting) design. The results are eminently publishable.

Outcome: A better understanding of RTOS design tradeoffs.

Standard C libraries - which one?

Kevin Elphinstone

Abstract: The project aims to survey existing C library implementations for use on the seL4 microkernel. The standard C library is anything but standard, and differing implementations have differing properties. The goal of this project is to develop criteria for evaluating the goodness of a standard C library (such as performance, completeness, size, modularity), and to use the criteria to understand the landscape of C libraries available for open source systems. The final goal of the project is to port the most appropriate C library to seL4.

Novelty: An evaluation of existing C libraries in the context of microkernels.

Outcome: A C-library port and evaluation on seL4.

From RefOS to Phoenix.

Kevin Elphinstone

Abstract: RefOS is an immature multiserver OS on seL4. The OS is somewhat fragile and a little neglected. This project is aimed at resurrecting RefOS from the ashes into something usable for future development. The project provides the opportunity for a student to make their mark on the only multiserver OS environment running on seL4. While the project is quite open ended, it can also be tackled in a quite focused and manageable way.

Novelty: Tackles issues in building multiserver systems on the world's only formally verified microkernel.

Outcome: RefOS running in a simple form.

Rump kernels on Camkes

Kevin Elphinstone

Abstract: Rump kernels are a cut-down variant of the BSD operating system designed to provide OS services in other contexts. We have a port of Rump kernels to native seL4. This project aims to build on existing work to run Rump kernels in the CAmkES environment on seL4. CAmkES is an embedded component framework for seL4 which would benefit from the increased functionality Rump kernels would provide.

Novelty: Be the first to examine the feasibility of using Rump kernels with a component framework on the world's only verified microkernel.

Outcome: A simple Rump component running in the CAmkES environment.

Using untrusted code in trusted environments.

Kevin Elphinstone

Abstract: Modern computer software systems are large and complex. The effort required to develop such a system can be reduced by using existing open-source code bases to avoid the cost of reimplementation. However, including large open-source code bases in high-security environments introduces a large attack surface that is difficult both to evaluate and, ultimately, to assure is secure.

This topic's goal is to take some baby steps towards being able to utilise open source libraries while minimising exposure to bugs within the libraries using protection boundaries provided by seL4.

Novelty: This is an open research area; the student can actively contribute to an initial understanding of it.

Outcome: An initial understanding of what might be achieved, and a simple proof of concept.


ROS native on seL4

Ihor Kuz, Kevin Elphinstone

Abstract: ROS (robotics operating system) is a communication middleware that is widely used for programming robots. It typically runs on a fully-fledged OS, such as Linux, using sockets for communication. This makes it readily accessible, but from the security and safety point of view it is a nightmare. The purpose of this project is to produce a native ROS on the seL4 microkernel, depending on a minimal trusted computing base. It involves an assessment of the OS services required by ROS, and the design, implementation and evaluation of ROS/seL4.

Novelty: A minimal ROS can enable a security and safety analysis of robotics software, dramatically increasing the trustworthiness of the robots, and opening the way for deployment in critical systems.

Outcome: An seL4-based ROS implementation that can support the high-assurance autonomous trucks developed under the DARPA HACMS program. Performance evaluation against a Linux-based implementation.

Build the world's first secure network stack (+USyd)

Peter Chubb

Abstract: Build the world's first secure network stack by writing it in our special language. At Data61, we developed a new language called Cogent for writing verified-by-construction software. The Cogent compiler generates C code, a formal specification describing what this code does, and a mathematical machine-checked proof that the generated C code corresponds to the generated formal specification. We implemented verified-by-construction file systems by writing them in this language. The goal of this project is to test the feasibility of implementing a simplified network stack in Cogent. This may contribute to enriching Cogent, and you would be encouraged to make feature requests to make implementing in this language easier.

Novelty: This will be the first use of the Cogent language in the domain of network stacks.

Outcome: The outcome of this work is testing whether the Cogent language has sufficient expressivity to be used to implement network stacks. This work will be used to extend the Cogent language.

Reference Material Links:

CAmkES on Linux (+USyd)

Ihor Kuz

Abstract: The Trustworthy Systems Research group at Data61 has developed a component platform (CAmkES) for developing microkernel-based systems on seL4 (our formally verified microkernel). While CAmkES helps to ease the difficulty of developing systems on seL4, developing significantly complex systems is still hard, due to the need to develop almost everything (e.g. device drivers, network stacks, display systems, etc.) from scratch. The goal of this project is to develop a version of CAmkES for Linux. This will provide a much richer environment on which to prototype and test CAmkES systems, before porting them to run on seL4.

Novelty: This work will aid in the development of secure systems running on seL4.

Outcome: A version of CAmkES targeted to Linux, and sample systems to test it.

Prerequisites: Students must have a strong background in Operating Systems, have at least completed an Operating Systems course with excellent marks, and have experience with Linux systems programming in C.

JavaScript on seL4

Peter Chubb, Kevin Elphinstone

Abstract: Currently there is no managed language that can run natively on seL4. The JavaScript core is sufficiently small and portable that it could be a good target for a native seL4 language.

This project involves porting the V8 (or similar) Node.js code to run natively on seL4 on ARM, and porting enough of the nodebot libraries to control some simple things.

Outcome: A JavaScript interpreter that runs on seL4.

Stretch goals include porting Task.js, JavaScript's concurrency framework.

Operating System Components

Ihor Kuz, Siwei Zhuang

Abstract: Towards developing a full OS on the seL4 microkernel. In DATA61's Trustworthy Systems team we've developed technology (CAmkES) for building componentised operating systems. Now we want to build up a repository of reusable operating systems components, so that we can easily build new, novel, and customised operating systems. The goal of this project is to develop new operating systems components, and develop some systems using these components as a means to test them.

Novelty: This work will contribute to a platform for developing secure and safe operating system software.

Outcome: A collection of reusable operating system components.

seL4-based Distributed Systems

Ihor Kuz, Gerwin Klein

Abstract: In Data61's Trustworthy Systems research group we are developing and verifying seL4-based software systems. These systems are limited to running on a single computer; however, real-world systems are largely distributed systems, consisting of multiple networked computers. The time-triggered architecture (TTA) (developed by Hermann Kopetz) provides a computing infrastructure for the design and implementation of dependable distributed embedded systems. Most importantly, key algorithms of TTA have been formally verified. The goal of this project is to investigate whether the combination of seL4 and TTA can be used to develop verified seL4-based distributed systems.

Novelty: This will be a first attempt at developing verified seL4-based distributed systems.

Outcome: A prototype seL4-based distributed system combining seL4 and TTA. The results of this project can form the basis of several other research projects further exploring this combination.

Graphical Editor for Building Componentised Operating Systems (+USyd)

Ihor Kuz, Siwei Zhuang

Abstract: Data61's CAmkES (a component-based platform for developing microkernel-based systems on seL4) uses an Architecture Description Language (ADL) to describe the software architecture of an operating system. While the ADL helps to ease the difficulty of designing and building such a system, ADL documents quickly become too complicated to read and manipulate (in a text format) when the operating system becomes non-trivial. The goal of this project is to develop a graphical editor to design such componentised operating systems: allowing users to draw new components and connections and manipulate existing ones, then generate the code that represents their drawn system.

Novelty: This work will contribute to the CAmkES platform and our overall project for developing trustworthy software systems.

Outcome: A graphical editor for designing and developing component-based operating systems.


Fuzz testing a new language and compiler (+USyd)

Ihor Kuz

Abstract: When developing software, the compiler that translates source code to machine instructions is generally assumed to be correct. Incorrect software is more likely to be a product of bugs in the source code than bugs in the translation. However, when high assurance techniques like formal verification are applied to the source code, this relationship is reversed. The compiler becomes the weaker link. Subtle compiler bugs may lurk undiscovered, and may only be triggered when compiling particular code.

Novelty: This will be the first use of the Cogent language outside the domain of file systems. There will also be the opportunity to explore new techniques for program generation as part of this project.

Outcome: The result of this work will be a reusable tool for generating valid Cogent programs. It is expected that this will in turn lead to a more robust Cogent compiler.

Reference Material Links:
Cogent: /projects/TS/filesystems
Trustworthy Systems Research Group (TS):

Secure Systems: Can You Hack an Unhackable System?

Ihor Kuz, Kevin Elphinstone

Abstract: We claim that we can build truly secure software systems, but are we right? In the past years DATA61's Trustworthy Systems team has done much work developing and verifying seL4, a secure, formally verified microkernel. Now we are using seL4 as the basis for developing truly secure software systems. But we want to be sure that these software systems provide the security we desire. We can gain assurance of security in many ways: by testing, attacking (hacking), analysing, and verifying the systems. The goal of this project is to take (or build) example systems and then show (by any of the above means) that they are secure (or not).

Novelty: This will be one of the first practical evaluations of the security of software built on seL4.

Outcome: Insight into how to make seL4-based systems that are secure in theory also really secure in practice.

seL4-based Distributed Systems

Description of this topic is in the Middleware section.


Programming Languages

Linear type inference in Cogent language

Zilin Chen

Abstract: Cogent is a language we designed and developed for writing provably correct file systems. Given a type-correct source program, the Cogent compiler produces an efficient C implementation, a high-level language specification in Isabelle/HOL, a series of intermediate language descriptions, and proofs showing that the C code is correct with respect to the high-level spec. Cogent, a purely functional language, features a linear type system, which is the key that enables this approach. On the downside, however, our linear type system requires a lot of user annotations in the source programs, which makes them quite verbose. The goal of this project is to research how linear types, together with effectful computations like allocation and freeing of memory, can be inferred by the compiler, probably with the aid of model checking.

Novelty: Although there is some preliminary work in this area, it remains an open question. It would be a good theoretical and practical contribution to the entire programming language community.

Outcome: The result of this work will be a formal type inference system (possibly with compromises) and its prototypical implementation in the Cogent compiler.