Hermann Härtig

The performance of μ-kernel-based systems

First-generation μ-kernels have a reputation for being too slow and lacking sufficient flexibility. To determine whether L4, a lean second-generation μ-kernel, has overcome these limitations, we have repeated several earlier experiments and conducted some novel ones. Moreover, we ported the Linux operating system to run on top of the L4 μ-kernel and compared the resulting system with both Linux running native, and MkLinux, a Linux version that executes on top of a first-generation Mach-derived μ-kernel. For L 4 Linux, the AIM benchmarks report a maximum throughput which is only 5% lower than that of native Linux. The corresponding penalty is 5 times higher for a co-located in-kernel version of MkLinux, and 7 times higher for a user-level version of MkLinux. These numbers demonstrate both that it is possible to implement a high-performance conventional operating system personality above a μ-kernel, and that the performance of the μ-kernel is crucial to achieve this. Further experiments illustrate that the resulting system is highly extensible and that the extensions perform well. Even real-time memory management including second-level cache allocation can be implemented at user-level, coexisting with L 4 Linux.

OS-controlled cache predictability for real-time systems

Cache-partitioning techniques have been invented to make modern processors with an extensive cache structure useful in real-time systems where task switches disrupt cache working sets and hence make execution times unpredictable. This paper describes an OS-controlled application-transparent cache-partitioning technique. The resulting partitions can be transparently assigned to tasks for their exclusive use. The major drawbacks found in other cache-partitioning techniques, namely waste of memory and additions on the critical performance path within CPUs, are avoided using memory coloring techniques that do nor require changes within the chips of modern CPUs or on the critical path for performance. A simple filter algorithm commonly used in real-time systems, a matrix-multiplication algorithm and the interaction of both are analysed with regard to cache-induced worst case penalties. Worst-case penalties are determined for different widely-used cache architectures. Some insights regarding the impact of cache architectures on worst-case execution are described.

Reducing TCB complexity for security-sensitive applications: three case studies

The large size and high complexity of security-sensitive applications and systems software is a primary cause for their poor testability and high vulnerability. One approach to alleviate this problem is to extract the security-sensitive parts of application and systems software, thereby reducing the size and complexity of software that needs to be trusted. At the system software level, we use the Nizza architecture which relies on a kernelized trusted computing base (TCB) and on the reuse of legacy code using trusted wrappers to minimize the size of the TCB. At the application level, we extract the security-sensitive portions of an already existing application into an AppCore. The AppCore is executed as a trusted process in the Nizza architecture while the rest of the application executes on a virtualized, untrusted legacy operating system. In three case studies of real-world applications (e-commerce transaction client, VPN gateway and digital signatures in an e-mail client), we achieved a considerable reduction in code size and complexity. In contrast to the few hundred thousand lines of current application software code running on millions of lines of systems software code, we have AppCores with tens of thousands of lines of code running on a hundred thousand lines of systems software code. We also show the performance penalty of AppCores to be modest (a few percent) compared to current software.

Measuring energy consumption for short code paths using RAPL

Measuring the energy consumption of software components is a major building block for generating models that allow for energy-aware scheduling, accounting and budgeting. Current measurement techniques focus on coarse-grained measurements of application or system events. However, fine grain adjustments in particular in the operating-system kernel and in application-level servers require power profiles at the level of a single software function. Until recently, this appeared to be impossible due to the lacking fine grain resolution and high costs of measurement equipment. In this paper we report on our experience in using the Running Average Power Limit (RAPL) energy sensors available in recent Intel CPUs for measuring energy consumption of short code paths. We investigate the granularity at which RAPL measurements can be performed and discuss practical obstacles that occur when performing these measurements on complex modern CPUs. Furthermore, we demonstrate how to use the RAPL infrastructure to characterize the energy costs for decoding video slices.

The Nizza secure-system architecture

The trusted computing bases (TCBs) of applications running on todays commodity operating systems have become extremely large. This paper presents an architecture that allows to build applications with a much smaller TCB. It is based on a kernelized architecture and on the reuse of legacy software using trusted wrappers. We discuss the design principles, the architecture and some components, and a number of usage examples

DROPS: OS support for distributed multimedia applications

The characterising new requirement for distributed multimedia applications is the coexistence of dynamic real-time and non-real-time applications on hosts and networks. While some networks (e.g., ATM) in principle have the capability to reserve bandwidth on shared links, host systems usually do not. DROPS (Dresden Real-time OPerating System) is being built to remedy that situation by providing resource managers that allow the reservation of resources in advance and enforce that reservations. It allows the coexistence of timesharing applications (with no reservations) and real-time applications (with reservations). By outlining the principle architecture, some design decisions, and first results, the paper demonstrates how these objectives can be met using straightforward OS technology. It argues that middleware for diverse platforms cannot meet these objectives efficiently without proper core operating system support.

Reducing TCB size by using untrusted components: small kernels versus virtual-machine monitors

Secure systems are best built on top of a small trusted operating system: The smaller the operating system, the easier it can be assured or verified for correctness.In this paper, we oppose the view that virtual-machine monitors (VMMs) are the smallest systems that provide secure isolation because they have been specifically designed to provide little more than this property. The problem with this assertion is that VMMs typically do not support interprocess communication, complicating the use of untrusted components inside a secure systems.We propose extending traditional VMMs with features for secure message passing and memory sharing to enable the use of untrusted components in secure systems. We argue that moving system components out of the TCB into the untrusted part of the system and communicating with them using IPC reduces the overall size of the TCB.We argue that many secure applications can make use of untrusted components through trusted wrappers without risking security properties such as confidentiality and integrity.

Virtualization as an enabler for security in mobile devices

Virtualization, a well established technology in the desktop and server domain, is currently investigated and analyzed with respect to its potential within mobile devices. The paper argues that mobile devices, which are targeting a completely open setup (e.g. Linux based), are facing severe security challenges. Thus, virtualization will be discussed as an enabler for security in mobile devices. Virtualization approaches and elements are discussed in detail taking this use case and existing limitations of mobile embedded devices into account.

Fast component interaction for real-time systems

Open real-time systems provide for co-hosting hard-, soft- and non-real-time applications. Microkernel-based designs in addition allow for these applications to be mutually protected. Thus, trusted servers can coexist next to untrusted applications. These systems place a heavy burden on the performance of the message-passing mechanism, especially when based on microkernel-like inter-process communication. In this paper we introduce capacity-reserve donation (in short Credo), a mechanism for the fast interaction of interdependent components, which is applicable to common real-time resource-access models. We implemented Credo by extending L4s message-passing mechanism to provide proper resource accounting and time-donation control, thereby preserving desired real-time properties. We were able to achieve priority inheritance and stack-based priority-ceiling resource sharing with virtually no overhead added to L4s message-passing implementation. By providing a. mechanism that does not impose performance penalties, while still guaranteeing correct real-time behaviour, Credo allows for the usage of microkernels in general-purpose but also in specialized systems.

Quality-assuring scheduling-using stochastic behavior to improve resource utilization

We present a unified model for admission and scheduling, applicable for various active resources such as CPU or disk to assure a requested quality in situations of temporary overload. The model allows us to predict and control the behavior of applications based on given quality requirements. It uses the variations in the execution time, i.e., the time any active resource is needed We split resource requirements into a mandatory part which must be available and an optional part which should be available as often as possible but at least with a certain percentage. In combination with a given distribution for the execution time we can move away from worst-case reservations and drastically reduce the amount of reserved resources for applications which can tolerate occasional deadline misses. This increases the number of admittable applications. For example, with negligible loss of quality our system can admit more than two times the disk bandwidth than a system based on the worst-case. Finally, we validated the predictions of our model by measurements using a prototype real-time system and observed a high accuracy between predicted and measured values.