

School of Computer Science & Engineering COMP9242 Advanced Operating Systems





### **Copyright Notice**

### These slides are distributed under the Creative Commons Attribution 3.0 License

- You are free:
  - to share—to copy, distribute and transmit the work
  - to remix-to adapt the work
- under the following conditions:
  - Attribution: You must attribute the work (but not in any way that suggests that the author endorses you or your use of the work) as follows:

"Courtesy of Gernot Heiser, UNSW Sydney"

The complete license text can be found at http://creativecommons.org/licenses/by/3.0/legalcode

```
COMP9242 2020T2 W05b: Microkernel D&I
```

© Gernot Heiser 2019 – CC Attribution License

### L4 Microkernels – Deployed by the Billions



## L4: The Quest for a Real Microkernel

COMP9242 2020T2 W05b: Microkernel D&I



### L4 IPC Performance Over the Years

|                                       |      |                                 | $\frown$            |                         |        |
|---------------------------------------|------|---------------------------------|---------------------|-------------------------|--------|
| Name                                  | Year | Processor                       | MHz                 | Cycles                  | μs     |
| Original                              | 1993 | i486                            | 50                  | 250                     | 5.00   |
| Original                              | 1997 | Pentium                         | 160                 | 121                     | 0.75   |
| L4/MIPS                               | 1997 | MIPS R4700                      | 100                 | 86                      | 0.86   |
| L4/Alpha                              | 1997 | Alpha 21064                     | 433                 | 45                      | 0.10   |
| Hazelnut                              | 2002 | Pentium 4                       | 1,400               | 2,000                   | 1.38   |
| Pistachio                             | 2005 | Itanium                         | 1,500               | 36                      | 0.02   |
| OKL4                                  | 2007 | Arm XScale 255                  | 400                 | 151                     | 0.64   |
| NOVA                                  | 2010 | x86 i7 Bloomfield (32-bit)      | 2,660               | 288                     | 0.11   |
| seL4                                  | 2013 | ARM11                           | 532                 | 188                     | 0.35   |
| seL4                                  | 2018 | x86 i7 Haswell (64-bit)         | 3,400               | 442                     | 0.13   |
| seL4                                  | 2018 | Arm Cortex A9                   | 1,000               | 303                     | 0.30   |
| seL4                                  | 2020 | RISC-V HiFive (64-bit, no ASID) | 1,500               | 500                     | 0.33   |
|                                       |      |                                 |                     | $\overline{\mathbf{V}}$ |        |
| COMP9242 2020T2 W05b: Microkernel D&I |      |                                 | © Gernot Heiser 201 | 9 – CC Attribution L    | icense |

### Minimality: Source Lines of Code (SLOC)

|              |                                                                         |                                                                                                                                                                                                   | $\sim$                                                                                                              |
|--------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| Architecture | C/C++                                                                   | asm                                                                                                                                                                                               | total                                                                                                               |
| i486         | 0 k                                                                     | 6.4 k                                                                                                                                                                                             | 6.4 k                                                                                                               |
| Alpha        | 0 k                                                                     | 14.2 k                                                                                                                                                                                            | 14.2 k                                                                                                              |
| MIPS64       | 6.0 k                                                                   | 4.5 k                                                                                                                                                                                             | 10.5 k                                                                                                              |
| x86          | 10.0 k                                                                  | 0.8 k                                                                                                                                                                                             | 10.8 k                                                                                                              |
| x86          | 22.4 k                                                                  | 1.4 k                                                                                                                                                                                             | 23.0 k                                                                                                              |
| ARMv5        | 7.6 k                                                                   | 1.4 k                                                                                                                                                                                             | 9.0 k                                                                                                               |
| ARMv6        | 15.0 k                                                                  | 0.0 k                                                                                                                                                                                             | 15.0 k                                                                                                              |
| x86          | 36.2 k                                                                  | 1.1 k                                                                                                                                                                                             | 37.6 k                                                                                                              |
| ARMv6        | 9.7 k                                                                   | 0.5 k                                                                                                                                                                                             | 10.2 k                                                                                                              |
|              | i486<br>Alpha<br>MIPS64<br>x86<br>x86<br>ARMv5<br>ARMv5<br>ARMv6<br>x86 | i486       0 k         Alpha       0 k         MIPS64       6.0 k         x86       10.0 k         x86       22.4 k         ARMv5       7.6 k         ARMv6       15.0 k         x86       36.2 k | i4860 k6.4 kAlpha0 k14.2 kMIPS646.0 k4.5 kx8610.0 k0.8 kx8622.4 k1.4 kARMv57.6 k1.4 kARMv615.0 k0.0 kx8636.2 k1.1 k |

COMP9242 2020T2 W05b: Microkernel D&I

UNSW © Gernot Heiser 2019 - CC Attribution License



### Traditional L4: Recursive Address Spaces



# Solved processes of authority ⇒ impacts for the processes of authority ⇒ impacts for the processes of the processes

11 COMP9242 2020T2 W05b: Microkernel D&I













Note: not yet

JUNSW

in mainline!





### L4 Scheduler Optimisation: Lazy Scheduling



### Sel4 Scheduler: Benno Scheduling











- Problem: ad-hoc approach to security and resource management
  - Global thread name space  $\Rightarrow$  covert channels [Shapiro'03]
  - Threads as IPC targets  $\Rightarrow$  insufficient encapsulation
  - Single kernel memory pool  $\Rightarrow$  DoS attacks
  - No delegation of authority  $\Rightarrow$  impacts flexibility, performance
  - Unprincipled management of time\_

left a number of issues unsolved

COMP9242 2020T2 W05b; Microkernel D&I

Solved by scheduling contexts & time-out exceptions

© Gernot Heiser 2019 – CC Attribution License

### Lessons & Principles

35 COMP9242 2020T2 W05b: Microkernel D&I

| Original L4 Design an<br>Implement. Tricks [SOSP'93]<br>Process kernel<br>Virtual TCB array<br>Lazy scheduling<br>Direct process switch<br>Non-preemptible<br>Non-preemptible<br>Non-standard calling convention<br>Assembler | <ul> <li>Design Decisions [SOSP'95]</li> <li>Synchronous IPC</li> <li>Rich message structure,<br/>arbitrary out-of-line messages</li> <li>Zero-copy register messages</li> <li>User-mode page-fault handlers</li> <li>User-mode page-fault handlers</li> <li>IPC timeouts</li> <li>Hierarchical IPC control</li> <li>User-mode device drivers</li> <li>Process hierarchy</li> <li>Recursive address-space construction</li> </ul> | Reflecting on Changes         Original L4 design had two major shortcomings:         1. Insufficient/impractical resource control         • Poor/non-existent control over kernel memory use         • Inflexible & costly process hierarchies (policy!)         • Arbitrary limits on number of address spaces and threads (policy!)         • Poor information hiding (IPC addressed to threads)         • Insufficient mechanisms for authority delegation         2. Over-optimised IPC abstraction, mangles:         • Communication         • Synchronisation         • Memory management – sending mappings         • Scheduling – time-slice donation |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 36 COMP9242 2020T2 W05b: Microkernel D&I                                                                                                                                                                                      | © Gernot Heiser 2019 – CC Attribution License 🕃 UNSW                                                                                                                                                                                                                                                                                                                                                                              | 37 COMP9242 2020T2 W05b: Microkernel D&I © Gernot Heiser 2019 – CC Attribution License 🕃 UNS                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |

### **Osel4** Design Principles

- Fully delegatable access control
- All resource management is subject to user-defined policies
  - Applies to kernel resources too!
- Performance on par with best-performing L4 kernels
  - Prerequisite for real-world deployment!
- · Suitability for real-time use
- Important for safety-critical systems
- Suitable for *formal verification*
  - Requires small size, avoid complex constructs

© Gernot Heiser 2019 – CC Attribution License

39

Largely in line with

traditional L4 approach!

#### A Thirty-Year Dream! Early attempts to make operating systems secure mere-found and Bick diffuse in existing systems. As these florts failed, it became clear that piecemeal alterations ere unlikely ever to succeed 1201. A more systematic sethod was required, presumably one that controlled the stem's doign and implementation. Then socure opera-stem's doign and implementation. Editor Our research seeks to develop means by which an Specification and ted in a st genuous claim that the last bug had been eliminated, par ticularly since production systems are rarely static, and er Verification of the operating system can be shown data secure, meaning that UCLA Unix† Security direct access to data must be possible only if the recorded Kernel protection policy permits it. The two major components Bruce J. Walker, Richard A. Kemmerer, and Gerald J. Popek University of California, Los Angeles in both protection decisions and enforcement, b them into keynel modules; and (2) applying verification methods to that kernel software in Data Secure Unix, a kernel structured operating sys-, was constructed as part of an ongoing effort at LA to develop procedures by which operating systems be produced and shown secure. Program verification part, the verific ed by Roi Communication February 1980 Volume 23 the ACM Number 2 rds and Phy ALPHARD, formal specifications, Univ. securit nei CR Categories: 4.29, 4.35, 6.35 COMP9242 2020T2 W05b: Microkernel D&I © Gernot Heiser 2019 - CC Attribution License