Publication


Featured research published by Gernot Heiser.


Symposium on Operating Systems Principles | 2009

seL4: formal verification of an OS kernel

Gerwin Klein; Kevin Elphinstone; Gernot Heiser; June Andronick; David Cock; Philip Derrin; Dhammika Elkaduwe; Kai Engelhardt; Rafal Kolanski; Michael Norrish; Thomas Sewell; Harvey Tuch; Simon Winwood

Complete formal verification is the only known way to guarantee that a system is free of programming errors. We present our experience in performing the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of compiler, assembly code, and hardware, and we used a unique design approach that fuses formal and operating systems techniques. To our knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel. Functional correctness means here that the implementation always strictly follows our high-level abstract specification of kernel behaviour. This encompasses traditional design and implementation safety properties such as the kernel will never crash, and it will never perform an unsafe operation. It also proves much more: we can predict precisely how the kernel will behave in every possible situation. seL4, a third-generation microkernel of L4 provenance, comprises 8,700 lines of C code and 600 lines of assembler. Its performance is comparable to other high-performance L4 kernels.


Proceedings of the 1st Workshop on Isolation and Integration in Embedded Systems | 2008

The role of virtualization in embedded systems

Gernot Heiser

System virtualization, which enjoys immense popularity in the enterprise and personal computing spaces, is recently gaining significant interest in the embedded domain. Starting from a comparison of key characteristics of enterprise systems and embedded systems, we will examine the difference in motivation for the use of system virtual machines, and the resulting differences in the requirements for the technology. We find that these differences are quite substantial, and that virtualization is unable to meet the special requirements of embedded systems. Instead, more general operating-systems technologies are required, which support virtualization as a special case. We argue that high-performance microkernels, specifically L4, are a technology that provides a good match for the requirements of next-generation embedded systems.


IEEE Symposium on Security and Privacy | 2015

Last-Level Cache Side-Channel Attacks are Practical

Fangfei Liu; Yuval Yarom; Qian Ge; Gernot Heiser; Ruby B. Lee

We present an effective implementation of the Prime+Probe side-channel attack against the last-level cache. We measure the capacity of the covert channel the attack creates and demonstrate a cross-core, cross-VM attack on multiple versions of GnuPG. Our technique achieves a high attack resolution without relying on weaknesses in the OS or virtual machine monitor or on sharing memory between attacker and victim.


Communications of the ACM | 2010

seL4: formal verification of an operating-system kernel

Gerwin Klein; June Andronick; Kevin Elphinstone; Gernot Heiser; David Cock; Philip Derrin; Dhammika Elkaduwe; Kai Engelhardt; Rafal Kolanski; Michael Norrish; Thomas Sewell; Harvey Tuch; Simon Winwood

We report on the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of compiler, assembly code, hardware, and boot code. seL4 is a third-generation microkernel of L4 provenance, comprising 8700 lines of C and 600 lines of assembler. Its performance is comparable to other high-performance L4 kernels. We prove that the implementation always strictly follows our high-level abstract specification of kernel behavior. This encompasses traditional design and implementation safety properties such as that the kernel will never crash, and it will never perform an unsafe operation. It also implies much more: we can predict precisely how the kernel will behave in every possible situation.


Journal of Applied Physics | 1997

Modeling and simulation of tunneling through ultra-thin gate dielectrics

Andreas Schenk; Gernot Heiser

Direct and Fowler-Nordheim tunneling through ultra-thin gate dielectrics is modeled based on an approach for the transmission coefficient (TC) of a potential barrier that is modified by the image force. Under the constraint of equal actions the true barrier is mapped to a trapezoidal pseudobarrier resulting in a TC very close to the numerical solution of the Schrödinger equation for all insulator thicknesses and for all energies of the tunneling electron. The barrier height of the pseudopotential is used as a free parameter and becomes a function of energy in balancing the actions. This function can be approximated by a parabolic relation which makes the TC of arbitrary barriers fully analytical with little loss of accuracy. The model was implemented into a multidimensional device simulator and applied to the self-consistent simulation of gate currents in metal-oxide-semiconductor (MOS) capacitors with gate oxides in the thickness range 15 Å–42 Å. Excellent agreement with experimental data was obtained us...


European Conference on Computer Systems | 2009

Koala: a platform for OS-level power management

David C. Snowdon; Etienne Le Sueur; Stefan M. Petters; Gernot Heiser

Managing the power consumption of computing platforms is a complicated problem thanks to a multitude of hardware configuration options and characteristics. Much of the academic research is based on unrealistic assumptions, and has, therefore, seen little practical uptake. We provide an overview of the difficulties facing power management schemes when used in real systems. We present Koala, a platform which uses a pre-characterised model at run-time to predict the performance and energy consumption of a piece of software. An arbitrary policy can then be applied in order to dynamically trade performance and energy consumption. We have implemented this system in a recent Linux kernel, and evaluated it by running a variety of benchmarks on a number of different platforms. Under some conditions, we observe energy savings of 26% for a 1% performance loss.


Journal of Computer Science and Technology | 2005

User-level device drivers: Achieved performance

Ben Leslie; Peter Chubb; Nicholas FitzRoy-Dale; Stefan Götz; Charles A. Gray; Luke Macpherson; Daniel Potts; Yue-Ting Shen; Kevin Elphinstone; Gernot Heiser

Running device drivers as unprivileged user-level code, encapsulated into their own process, has often been proposed as a technique for increasing system robustness. However, in the past, systems based on user-level drivers have generally exhibited poor I/O performance. Consequently, user-level device drivers have never caught on to any significant degree. In this paper we demonstrate that it is possible to build systems which employ user-level device drivers, without significant performance degradation, even for high-bandwidth devices such as Gigabit Ethernet.


Journal of Applied Physics | 2003

Reassessment of the intrinsic carrier density in crystalline silicon in view of band-gap narrowing

Pietro P. Altermatt; Andreas Schenk; Frank Geelhaar; Gernot Heiser

The commonly used value of the intrinsic carrier density of crystalline silicon at 300 K is nᵢ = 1.00×10¹⁰ cm⁻³. It was experimentally determined by Sproul and Green, J. Appl. Phys. 70, 846 (1991), using specially designed solar cells. In this article, we demonstrate that the Sproul and Green experiment was influenced by band-gap narrowing, even though the dopant density of their samples was low (10¹⁴ to 10¹⁶ cm⁻³). We reinterpret their measurements by numerical simulations with a random-phase approximation model for band-gap narrowing, thereby obtaining nᵢ = 9.65×10⁹ cm⁻³ at 300 K. This value is consistent with results obtained by Misiakos and Tsamakis, J. Appl. Phys. 74, 3293 (1993), using capacitance measurements. In this way, long-prevailing inconsistencies between independent measurement techniques for the determination of nᵢ are resolved.


Journal of Applied Physics | 2002

Numerical modeling of highly doped Si:P emitters based on Fermi-Dirac statistics and self-consistent material parameters

Pietro P. Altermatt; Jürgen O. Schumacher; Andres Cuevas; Mark Kerr; Stefan W. Glunz; Richard R. King; Gernot Heiser; Andreas Schenk

P.P.A. is on a Postdoctoral Fellowship from the Australian Research Council (ARC). The Center for Photovoltaic Engineering is supported by ARC’s Special Research Centres Scheme. A.C. and M.K. also acknowledge funding by the ARC.


ACM Special Interest Group on Data Communication | 2010

The OKL4 microvisor: convergence point of microkernels and hypervisors

Gernot Heiser; Ben Leslie

We argue that recent hypervisor-vs-microkernel discussions completely miss the point. Fundamentally, the two classes of systems have much in common, and provide similar abstractions. We assert that the requirements for both types of systems can be met with a single set of abstractions, a single design, and a single implementation. We present partial proof of the existence of this convergence point, in the guise of the OKL4 microvisor, an industrial-strength system designed as a highly-efficient hypervisor for use in embedded systems. It is also a third-generation microkernel that aims to support the construction of similarly componentised systems as classical microkernels. Benchmarks show that the microvisor's virtualization performance is highly competitive.

Collaboration


Top Co-Authors

Gerwin Klein
Commonwealth Scientific and Industrial Research Organisation

Martin A. Green
University of New South Wales

Armin G. Aberle
University of New South Wales

Leonid Ryzhyk
University of New South Wales

Peter Chubb
University of New South Wales

Ihor Kuz
University of New South Wales

Ben Leslie
University of New South Wales

Bernard Blackham
University of New South Wales