LFCS Seminar: Tuesday 26th May: Dominic Mulligan Tue, 26 May, 4.10pm Venue: IF G.03 Remote participation: URL: https://tinyurl.com/bdhzavhe Title: Nitro Isolation Engine: formally verifying a production hypervisor Abstract Cloud computing relies on hypervisors to enforce isolation betweenco-tenanted virtual machines. Hypervisors are therefore criticalsecurity infrastructure, and assurance of their correctness isparamount. Traditional engineering techniques—code review,testing, fuzzing—provide strong assurance but cannot exhaustivelyverify that isolation holds across all possible execution paths.Formal verification extends and complements these approaches byestablishing mathematical guarantees about system behaviour. This talk presents our experience applying interactive theoremproving to verify a production hypervisor component: the NitroIsolation Engine. This is a trusted, minimalist computing basewritten in Rust, enforcing isolation between virtual machines on AWSGraviton5 EC2 instances. Designed for verification from inception,we have specified the intended behaviour of this component andverified correctness in the Isabelle/HOL interactive theoremprover, producing approximately 260,000 lines of machine-checkedmodels and proofs. Our verification establishes three key classes of property: - Functional correctness: The system behaves as specified for alloperations including virtual machine creation, memory mapping, andabort handling. Our total verification approach additionallyestablishes memory-safety, termination, and absence of runtimeerrors. - Confidentiality: A noninterference-style property demonstratesthat guest virtual machine state remains hidden from an expansivedefinition of observer monitoring system actions, formalised asindistinguishability preservation up to permitteddeclassification flows. - Integrity: Guest virtual machine private state is unaffected byoperations on distinct virtual machines. The talk will discuss the verification approach, key prooftechniques, and challenges in applying formal methods to productionsystems. May 26 2026 16.10 - 17.00 LFCS Seminar: Tuesday 26th May: Dominic Mulligan Dominic Mulligan, Amazon Web Services, Cambridge https://dominicpm.github.io/ Informatics Forum, G.03
LFCS Seminar: Tuesday 26th May: Dominic Mulligan Tue, 26 May, 4.10pm Venue: IF G.03 Remote participation: URL: https://tinyurl.com/bdhzavhe Title: Nitro Isolation Engine: formally verifying a production hypervisor Abstract Cloud computing relies on hypervisors to enforce isolation betweenco-tenanted virtual machines. Hypervisors are therefore criticalsecurity infrastructure, and assurance of their correctness isparamount. Traditional engineering techniques—code review,testing, fuzzing—provide strong assurance but cannot exhaustivelyverify that isolation holds across all possible execution paths.Formal verification extends and complements these approaches byestablishing mathematical guarantees about system behaviour. This talk presents our experience applying interactive theoremproving to verify a production hypervisor component: the NitroIsolation Engine. This is a trusted, minimalist computing basewritten in Rust, enforcing isolation between virtual machines on AWSGraviton5 EC2 instances. Designed for verification from inception,we have specified the intended behaviour of this component andverified correctness in the Isabelle/HOL interactive theoremprover, producing approximately 260,000 lines of machine-checkedmodels and proofs. Our verification establishes three key classes of property: - Functional correctness: The system behaves as specified for alloperations including virtual machine creation, memory mapping, andabort handling. Our total verification approach additionallyestablishes memory-safety, termination, and absence of runtimeerrors. - Confidentiality: A noninterference-style property demonstratesthat guest virtual machine state remains hidden from an expansivedefinition of observer monitoring system actions, formalised asindistinguishability preservation up to permitteddeclassification flows. - Integrity: Guest virtual machine private state is unaffected byoperations on distinct virtual machines. The talk will discuss the verification approach, key prooftechniques, and challenges in applying formal methods to productionsystems. May 26 2026 16.10 - 17.00 LFCS Seminar: Tuesday 26th May: Dominic Mulligan Dominic Mulligan, Amazon Web Services, Cambridge https://dominicpm.github.io/ Informatics Forum, G.03
May 26 2026 16.10 - 17.00 LFCS Seminar: Tuesday 26th May: Dominic Mulligan Dominic Mulligan, Amazon Web Services, Cambridge https://dominicpm.github.io/
