How to verify safety & correctness of OS kernels / Hypervisors?

Many challenges:
  Code loading
  Interrupts
  …
  Device drivers & I/O
  Concurrency
  Low-level C/Assembly code

Is verification possible?
How to do it in a clean & modular way?