Michael Hohmuth

The performance of μ-kernel-based systems

First-generation μ-kernels have a reputation for being too slow and lacking sufficient flexibility. To determine whether L4, a lean second-generation μ-kernel, has overcome these limitations, we have repeated several earlier experiments and conducted some novel ones. Moreover, we ported the Linux operating system to run on top of the L4 μ-kernel and compared the resulting system with both Linux running native, and MkLinux, a Linux version that executes on top of a first-generation Mach-derived μ-kernel. For L 4 Linux, the AIM benchmarks report a maximum throughput which is only 5% lower than that of native Linux. The corresponding penalty is 5 times higher for a co-located in-kernel version of MkLinux, and 7 times higher for a user-level version of MkLinux. These numbers demonstrate both that it is possible to implement a high-performance conventional operating system personality above a μ-kernel, and that the performance of the μ-kernel is crucial to achieve this. Further experiments illustrate that the resulting system is highly extensible and that the extensions perform well. Even real-time memory management including second-level cache allocation can be implemented at user-level, coexisting with L 4 Linux.

OS-controlled cache predictability for real-time systems

Cache-partitioning techniques have been invented to make modern processors with an extensive cache structure useful in real-time systems where task switches disrupt cache working sets and hence make execution times unpredictable. This paper describes an OS-controlled application-transparent cache-partitioning technique. The resulting partitions can be transparently assigned to tasks for their exclusive use. The major drawbacks found in other cache-partitioning techniques, namely waste of memory and additions on the critical performance path within CPUs, are avoided using memory coloring techniques that do nor require changes within the chips of modern CPUs or on the critical path for performance. A simple filter algorithm commonly used in real-time systems, a matrix-multiplication algorithm and the interaction of both are analysed with regard to cache-induced worst case penalties. Worst-case penalties are determined for different widely-used cache architectures. Some insights regarding the impact of cache architectures on worst-case execution are described.

The Nizza secure-system architecture

The trusted computing bases (TCBs) of applications running on todays commodity operating systems have become extremely large. This paper presents an architecture that allows to build applications with a much smaller TCB. It is based on a kernelized architecture and on the reuse of legacy software using trusted wrappers. We discuss the design principles, the architecture and some components, and a number of usage examples

Reducing TCB size by using untrusted components: small kernels versus virtual-machine monitors

Secure systems are best built on top of a small trusted operating system: The smaller the operating system, the easier it can be assured or verified for correctness.In this paper, we oppose the view that virtual-machine monitors (VMMs) are the smallest systems that provide secure isolation because they have been specifically designed to provide little more than this property. The problem with this assertion is that VMMs typically do not support interprocess communication, complicating the use of untrusted components inside a secure systems.We propose extending traditional VMMs with features for secure message passing and memory sharing to enable the use of untrusted components in secure systems. We argue that moving system components out of the TCB into the untrusted part of the system and communicating with them using IPC reduces the overall size of the TCB.We argue that many secure applications can make use of untrusted components through trusted wrappers without risking security properties such as confidentiality and integrity.

Applying source-code verification to a microkernel: the VFiasco project

We present the VFiasco project, in which we apply source-code verification to a complete operating-system kernel written in C++. The aim of the VFiasco project is to establish security-relevant properties of the Fiasco microkernel.Source-code verification works by reasoning about the semantics of the full source code of a program. Traditionally it is limited to small programs written in an academic programming language. The projects main challenges are to enable high-level reasoning about typed data starting from only low-level knowledge about the hardware, and to develop a clean semantics for the subset of C++ used by the kernel. In this extended abstract we present our ideas for tackling these challenges. We focus on a type-safe object store that is based on a hardware model that closely resembles the IA32 virtual-memory architecture and on guarantees provided by the kernel itself. We also briefly touch on the semantics for C++.Please find the full version of this paper at http://www.vfiasco.org/objstore.pdf.

Cost and benefit of separate address spaces in real-time operating systems

The combination of a real-time executive and an off-the-shelf time-sharing operating system has the potential of providing both predictability and the comfort of a large application base. To isolate the real-time section from a significant class of faults in the (ever-growing) time-sharing operating system, address spaces can be used to encapsulate the time-sharing subsystem. However, in practice, designers seldom use address spaces for this purpose, fearing that the extra cost induced limits the systems predictability. To analyze this cost, we compared in detail two systems with almost identical interfaces-both are a combination of the Linux operating system and a small real-time executive. Our analysis revealed that for interrupt-response times, the delay and jitter caused by address spaces are similar to or even smaller than those caused by caches and blocked interrupts. As a side effect of our analysis, we observed that published figures on predictability must be carefully checked whether or not such hardware features are included in the analysis. This paper is a follow-up of an earlier publication at the 3rd Real-Time Linux workshop. It is different in that we have further optimized our microkernel and examined more hardware.