This proof establishes that seL4's design specification is a formal refinement (i.e. a correct implementation) of its abstract specification. This proof also interweaves the definition and proofs of the global invariant for the design specification, and builds on the Abstract Spec Invariant Proof. It is described in the TPHOLS '08 paper.
To build for the ARM architecture from the l4v/ directory, run:
L4V_ARCH=ARM ./run_tests Refine
The top-level theory where the refinement statement is established over
the entire kernel is Refine; the state-relation that
relates the state-spaces of the two specifications is defined in
StateRelation and the basic correspondence
property proved over each kernel function is defined in
Corres.