The Design of a Verifiable Operating System Kernel