L4 Microkernel

10 Years L4-Based Systems L4/Nizza Secure-System Architecture

TU Dresden Operating Hermann Härtig Systems Group et al. mult.

10 Years Your Passwords, Secrets, ... L4-Based Your Passwords, Secrets, ... Systems

applet

Linux App Firefox jvm

X11

source: Linux Understanding Data Lifetime via Hermann Härtig Whole System Simulation et al. Jim Chow, Ben Pfaff, Tal mult. Garfinkel, Kevin Christopher, TU and Mendel Rosenblum, Dresden Operating keyboard Stanford University Systems Usenix Security 04 Group 2 SEVECOM Budapest 2006

10 Years Outline L4-Based Outline Systems L4 etc . the microkernel vision . early experience: MACH etc . what is L4 ? . L4 and legacy: L4Linux and DDE . DROPS: L4 and Real-Time . L4Env: a multi-server environment for L4 apps Hermann . major L4 projects Härtig et al. mult.

TU L4/Nizza Secure System Architecture Dresden Operating What's Up Next? Systems Group Conclusion 3 SEVECOM Budapest 2006 Microkernels - 10 Years Microkernels - L4-Based vision and earlier experience Systems vision and earlier experience . monolithic systems – large – complex – hard to add real-time – large trusted computing bases Applications Applications User Applications – new additional Mode components often crash system Privileged File Network Kernel Hermann Systems Stacks Härtig Mode et al. Memory Processe mult. Manage Drivers s ment TU Dresden Monolithic Operating Operating System Systems Group Hardware 4 SEVECOM Budapest 2006

10 Years The Microkernel Vision L4-Based The Microkernel Vision Systems . small operating system kernel – kernel-mode action less error prone – allows strict validation . system services implemented as user-level servers with their own address spaces – flexibility – extensibility – customizable Hermann . more robust systems Härtig et al. – protected individual system components (e.g., drivers) mult. – small trusted computing base TU – allow coexistence of different OS personalities Dresden Operating . Systems reuse legacy OS (slightly modified) Group 5 SEVECOM Budapest 2006

10 Years IBM Workplace OS L4-Based IBM Workplace OS Systems

OS/2 OS/400 AIX Windows OS/2 OS/400 AIX Windows Applicati Applicati Applicati Applicati Applicati Applicati Applicati Applicati ons ons ons ons ons ons ons ons

OS/2 DOS OS/400 AIX Windows Personality Personality Personality Personality Personality

Network Power File Server Security Hermann Service Management Härtig Device et al. Default Pager Bootstrap Name Service mult. Support

TU Microkernel Dresden Power Operating ARM MIPS IA32 Alpha Systems PC Group 6 SEVECOM Budapest 2006 Reality in Mid 90ties: 10 Years Reality in Mid 90ties: L4-Based MACH-Based Systems Systems MACH-Based Systems . disappointments – performance – complexity – drivers back in kernel . e.g., IBM is said to have invested and lost over 1 Billion US $

Hermann Härtig et al. mult.

TU Dresden Operating Systems Group 7 SEVECOM Budapest 2006

10 Years L4-Based LL44 MMiicrcrookkeerrnneell Systems Jochen Liedtke(ca 96): “A microkernel does no real work, but does it efficiently”

. kernel provides only inevitable mechanisms no policies enforced by the kernel

what is inevitable? Hermann . Härtig address spaces et al. mult. . threads & scheduling

TU . inter process communication Dresden Operating Systems Group L4/Fiasco(ca 98): first HLL / Real-Time scheduling 8 SEVECOM Budapest 2006 TUDOS: Emphasis on Real-Time 10 Years TUDOS: Emphasis on Real-Time L4-Based and Security Systems and Security approach . run legacy software on legacy OS

Appli- Appli- cation cation

Hermann Härtig legacy OS et al. mult.

TU Dresden Operating Systems L4/Fiasco Microkernel Group Hardware 9 SEVECOM Budapest 2006 TUDOS: Emphasis on Real-Time 10 Years TUDOS: Emphasis on Real-Time L4-Based and Security Systems and Security approach . run legacy software on legacy OS . run critical applications besides legacy OS

Appli- Appli- critical cation cation

Hermann Härtig legacy OS et al. mult.

TU Resource Management Dresden L4Env & Basic Resource Manager Operating Systems L4/Fiasco Microkernel Group Hardware 10 SEVECOM Budapest 2006 TUDOS: Emphasis on Real-Time 10 Years TUDOS: Emphasis on Real-Time L4-Based and Security Systems and Security approach . run legacy software on legacy OS . run critical applications besides legacy OS

Appli- hybrid critical cation

Hermann Härtig legacy OS et al. mult.

TU Resource Management Dresden L4Env & Basic Resource Manager Operating Systems L4/Fiasco Microkernel Group Hardware 11 SEVECOM Budapest 2006 TUDOS: Emphasis on Real-Time 10 Years TUDOS: Emphasis on Real-Time L4-Based and Security Systems and Security approach . run legacy software on legacy OS . run critical applications besides legacy OS – real-time

Appli- Appli- RT Media cation cation Controller Player

Hermann Härtig legacy OS ? et al. mult.

TU Resource Management Dresden L4Env & Basic Resource Manager Operating Systems L4/Fiasco Microkernel Group Hardware 12 SEVECOM Budapest 2006 TUDOS: Emphasis on Real-Time 10 Years TUDOS: Emphasis on Real-Time L4-Based and Security Systems and Security approach . run legacy software on legacy OS . run critical applications besides legacy OS – real-time – high security

Appli- Appli- E-sign VPN cation cation

Hermann Härtig legacy OS ? et al. mult.

TU Resource Management Dresden L4Env & Basic Resource Manager Operating Systems L4/Fiasco Microkernel Group Hardware 13 SEVECOM Budapest 2006 TUDOS: Emphasis on Real-Time 10 Years TUDOS: Emphasis on Real-Time L4-Based and Security Systems and Security approach . run legacy software on legacy OS . run critical applications besides legacy OS – real-time – high security split application: internet transaction put together sign & pay . split applications shopping cart shopping cart and reuse legacy software for Hermann Härtig uncritical parts legacy OS ? et al. mult.

TU Resource Management Dresden L4Env & Basic Resource Manager Operating Systems L4/Fiasco Microkernel Group Hardware 14 SEVECOM Budapest 2006 TUDOS: Emphasis on Real-Time 10 Years TUDOS: Emphasis on Real-Time L4-Based and Security Systems and Security approach

. run critical applications ithout legacy OS

critical

Hermann Härtig et al. mult.

TU Resource Management Dresden L4Env & Basic Resource Manager Operating Systems L4/Fiasco Microkernel Group Hardware 15 SEVECOM Budapest 2006

10 Years What you see ... L4-Based What you see ... Systems

Appli- Appli- Presenter cation cation

L4Linux Server

GUI: DOpE Hermann Härtig Windowmanager: Nitpicker et al. mult. DMphys L4IO Names ... TU L4/Fiasco Microkernel Dresden Operating Systems Hardware Group 16 SEVECOM Budapest 2006

10 Years L4 IPC L4-Based L4 IPC Systems address space A address space B

send(msg,…) receive(msg, …)

Hermann Härtig et al. . synchronous (no buffering) mult. . diverse payloads TU Dresden Operating Systems Group 17 SEVECOM Budapest 2006

10 Years L4 IPC Payloads L4-Based L4 IPC Payloads Systems . registers only (short IPC), fast . strings (long IPC) . access rights (“mappings”) – memory pages transfer page table entries – IO ports – ... can be revoked (“unmap”) Hermann . faults Härtig et al. . mult. interrupts

TU Dresden Operating Systems Group 18 SEVECOM Budapest 2006 LLeeggaacycy SSooffttwwaarree ffoorr LL44:: 10 Years 4 L4-Based L Linux and DDE Systems L Linux and DDE objectives . inherit large base of legacy software binary compatible . get it out of the way for more interesting applications . but reuse it also for interesting applications and . reuse drivers Hermann Härtig et al. mult.

TU Dresden Operating Systems Group 19 SEVECOM Budapest 2006

10 Years L4-Based LLiinnuuxx KKeerrnneell StStrruuccttuurree Systems

User Application Application Application Application Mode Privileged Mode Arch- Depend. System-Call Interface

Linux File Systems Networkin Processes Memory Kernel – VFS g – Scheduling Managemen – File System – Sockets – IPC Impl. t Arch- – Protocols – Page allocation Independ. Device Drivers – Address spaces – Swapping Hermann Arch- Hardware Access Härtig Depend. et al. mult. Software Hardwar TU Hardware CPU, Memory, PCI, Devices, … e Dresden Operating Systems Group 20 SEVECOM Budapest 2006

10 Years L4-Based LLiinnuuxx KKeerrnneell StStrruuccttuurree Systems . Kernel entry – System calls – Exceptions (page faults, …) User Application Application Application A. pSpiglincaatl iodnelivery Mode . Copy from/to user address space

Arch- System-Call Interface Depend. . CPU state, features . Initialization Linux File Systems Networkin . LPowro-lceesvesl emsemoryM emmanoarygement Kernel – VFS g –– SMcMheUd u(plinagge tabMleasn, TaLgBe)men – File System – Sockets . L–o wIPC-level interrupt support Impl. t Arch- – Protocols . Low-level device –s Puapgpeo arltlocation Independ. Device Drivers – Memory-mappe– dA dId/Ore,s sI/ sOp apcoesrts – DMA – Swapping Hermann Arch- Hardware Access Härtig Depend. et al. mult. Privileged Mode L4 TU Dresden Software Operating Hardware Systems Hardware Group CPU, Memory, PCI, Devices, … 21 SEVECOM Budapest 2006

10 Years Linux Systemcalls L4-Based Linux Systemcalls Systems L4Linux Server

Arch-Dependent Syscall Dispatcher L4Linux User Process 2 INT 0x80 1 3 Application Arch-Independent

L4/Fiasco Kernel Hermann Härtig 4 et al. . L Linux server receives exception IPC mult. . L4Linux server handles system call TU . L4Linux server sends an exception reply Dresden Operating . L4 kernel receives reply and sets new state of thread Systems Group 22 SEVECOM Budapest 2006

10 Years Address Spaces L4-Based Address Spaces Systems

Application

Li4nLuxinux K eSrenervler Memory thread_inf Management – Page allocation o – Address spaces – Swapping

Architecture- Dependent Part (l4-i386)

Hermann Härtig et al. mult.

TU L4/Fiasco Dresden Kernel Operating Systems Hardware Group 23 SEVECOM Budapest 2006

10 Years Interrupts L4-Based Interrupts Systems

L4Linux Server

Device Driver

request_irq(irq_no, handler, …) Main Interrupt Thread Threads

Hermann Härtig L4IO et al. mult. L4/Fiasco Kernel

TU Hardware Dresden Operating Systems Group 24 SEVECOM Budapest 2006 4 10 Years L Linux Performance L4-Based L Linux Performance Systems

Time- Sharing (Härtig, Hohmuth, Liedtke, Schönberg, Applications Wolter: The Performance of µ-Kernel based

e Systems, t

u SOSP 1997) n i m

r e Hermann 4 p

L Linux

Härtig s et al. b o mult. j

TU Dresden Operating Systems simulated load Group Fiasco 25 25 SEVECOM Budapest 2006 4 10 Years L Linux Performance L4-Based L Linux Performance Systems

AIM Suite-VII benchmark - jobs per minute 120 Time- Sharing 100 Applications 80

60 e t u n i m

r e p

s b

o 40 j Hermann L4Linux Härtig Monol. Linux et al. 20 L4 Linux mult. MkLinux/kernel MkLinux TU 0 Dresden 0 10 20 30 40 50 60 70 80 90 100 110 Operating AIM simulated load Systems Group Fiasco 26 SEVECOM Budapest 2006

10 Years Later performance results L4-Based Later performance results Systems . somewhat worse . pentium4 – slower context switches – trace caches – ... . L4Env added overhead . constant observation needed

Hermann Härtig et al. mult. . NICTA: L4Linux(“Wombat”) on ARM is faster than

TU Linux Dresden Operating Systems Group 27 SEVECOM Budapest 2006

10 Years LLeegagaccyy DDrriiveverrss:: L4-Based DDeevviiccee DDrriivveerr EnEnvviirroonmnmeenntt Systems DDE structure . unmodified source code of Linux driver is Interface encapsulated by Code emulation library . library provides Original implementation of Driver Linux services as Code Hermann expected by driver Glue Code Härtig et al. mult. Environment

TU status: Dresden Operating supports Linux 2.4 Systems Group drivers 28 SEVECOM Budapest 2006 L4 and Real-Time: DROPS 10 Years L4 and Real-Time: DROPS L4-Based Dresden Real-Time OPerating S. Systems Dresden Real-Time OPerating S. objectives & principles . Real-Time besides Non-Real-Time L4Linux systems . protect the RT applications against crashing legacy SW . resource reservations thru admission procedure . gracefully handle overload, also overload occasionally caused by Real-Time Hermann Härtig applications (media applications) et al. mult. . manage multiple resources

TU Dresden Operating Systems Group 29 SEVECOM Budapest 2006

10 Years RReeaall--TiTimeme AApppplliiccaattiioonsns iinn SeSeppaarraattee L4-Based Systems AAdddrdreessss SpSpaacceess

Legacy Applications Editor, Compiler, … s b u t S

4 L Linux Real-Time Applications Controller, … Hermann Non Real Time Härtig et al. mult. Resource Management L4Env & Basic Resource Manager TU Dresden Operating Fiasco Microkernel Systems Group 30 SEVECOM Budapest 2006

10 Years CCoommmmoonn PPrraaccttiicece,, foforr ExExaammppllee L4-Based RRTT--LLiinnuuxx Systems

Legacy Applications Editor, Compiler, … s b u t S

Real-Time Applications Hermann Non Real Time Controller, … Härtig et al. mult. RT-Executive Linux TU Dresden Operating Systems Group 31 SEVECOM Budapest 2006

10 Years RRTT--LLiinnuuxx LLaatteenncicieess,, L4-Based wwiitthhoouutt prprootteeccttiioonn Systems

log.fl.josephina.rtlinux: a 1 „Interrupt response time: Time from interrupt occurrence 0.1 until first instruction in RT-task“ 0.01 y c n e u q e

r 0.001 F No parallel Load: 13µs 0.0001 (idle)

0 5 10 15 20 25 30 35 40 45 50 IRQ occurence rate (µs) Hermann log.t3.josephina.rtlinux: lat_proc_sh_dynamic Härtig 1 Intel P4 et al. 1.6 GHz mult. 0.1

TU 0.01 Dresden y c n e

Operating u High parallel load: 68µs q e

r 0.001 Systems F (Benchmark, Cache-Flooder) Group 0.0001 32 SEVECOM Budapest 0 5 10 15 20 25 30 35 40 45 50 2006 IRQ occurence rate (µs)

10 Years LL44LLiinnuuxx ++ RRTT llaatteenncicieess,, L4-Based wwiitthh aadddrdreessss ssppaaccee prprootteeccttiioonn Systems

log.fl.josephina.fiasco: a 1

0.1

0.01 y c n e u q e

r 0.001 F No parallel Load: 43µs 0.0001 (idle)

0 5 10 15 20 25 30 35 40 45 50 IRQ occurence rate (µs) Hermann log.t3.josephina.fiasco: lat_proc_sh_dynamic 1 Härtig et al. mult. 0.1

TU 0.01 y

Dresden c n e u q e

Operating r 0.001 F Systems High parallel load: 85µs Group 0.0001 (Benchmark, Cache-Flooder) 33 SEVECOM 0 5 10 15 20 25 30 35 40 45 50 Budapest IRQ occurence rate (µs) 2006

10 Years L4-Based MMoorree oonn DDRROOPPSS EExxpeperriimmeennttss Systems

Legacy Applications Hybrid Applications Real-Time Applications Editor, Compiler, … Multimedia, … Controller, … s b

u Real-Time Network t S File System Protocol

Hermann Disk Driver Network Window Härtig L4Linux Driver System et al. mult. Non Real Time Real Time TU Dresden Operating Systems Resource Management L4Env & Basic Resource Manager Group 34 SEVECOM Fiasco Microkernel Budapest 2006 Dresden Real-Time Operating System

10 Years Overload gracefully tolerated L4-Based Overload gracefully tolerated Systems . hard real-time must be based on worst-case analysis . mobile systems cannot afford that in many cases (media applications) . overload must be tolerated gracefully and predictable . many applications can be split in mandatory and optional parts wcet 95% Hermann Härtig et al. mult.

TU Dresden Operating Systems Group 35 SEVECOM Budapest 2006

10 Years Scheduling and admission L4-Based Scheduling and admission Systems . admit such – that all deadline of mandatory applications are met – that requested quality (=percentage of optional parts is met) . schedule based on budgets such that application processes can react on missed deadlines of optional parts and overused budget . price: Hermann modify applications Härtig et al. mult.

TU Dresden Operating Systems Group 36 SEVECOM Budapest 2006

10 Years LL44EEnnvv:: aa mmuullttii--sseerrvveerr L4-Based eennvviirroonnmmeenntt ffoorr LL44 AApppplliicacattiioonnss Systems supports . basic resource management . basic IO handling . basic naming . event handling (resource deallocation) . loading . ... Hermann based on multiple L4 tasks Härtig et al. mult.

TU Dresden Operating Systems Group 37 SEVECOM Budapest 2006

10 Years Major L4 projects L4-Based Major L4 projects Systems . IBM started (and forgot) it . Dresden – L4/Fiasco: first L4 in HLL and for RT – L4linux, DDE – DROPS – Nizza . Karlsruhe – L4/Pistacchio, fast and portable Hermann Härtig . Sydney et al. mult. – embedded – portability TU Dresden set of loosely coupled projects Operating Systems Group 38 SEVECOM Budapest 2006

10 Years Outline L4-Based Outline Systems L4 etc L4/Nizza Secure System Architecture . security objectives . principles to build . system objectives . Nizza principles . an example: an internet transaction Hermann . more Nizza use cases Härtig et al. . mult. Nizza and “Trusted Computing”

TU Dresden Operating What's Up Next? Systems Group Conclusion 39 SEVECOM Budapest 2006

10 Years Objectives: Security Objectives L4-Based Objectives: Security Objectives Systems . confidentiality no unauthorized access to information . integrity information is either intact, complete and up to date or it can be detected otherwise . recoverability no permanent damage to information . availability Hermann Härtig timeliness of service et al. mult.

TU Dresden Operating Systems Group 40 SEVECOM Budapest 2006

10 Years Remember: Saltzer & Schroeder 73 L4-Based Remember: Saltzer & Schroeder 73 Systems . Economy of Mechanism . Fail-safe Defaults . Complete Mediation . Open Design . Separation of Privilege . Least Privilege . Least Common Mechanism Hermann . Psychological Acceptability Härtig et al. mult.

TU Dresden Operating Systems Group 41 SEVECOM Budapest 2006 L4 and Security: 10 Years L4 and Security: L4-Based The Nizza Architecure Systems The Nizza Architecure objectives . critical applications besides L4Linux assume: L4Linux successfully penetrated . reduce complexity for critical part principles . small trusted computing bases, application specific . extract critical parts of applications Hermann Härtig −> “AppCore” et al. mult. . reuse L4Linux with trusted wrappers TU Dresden Operating Systems Group 42 SEVECOM Budapest 2006

10 Years L4-Based NNiizzzzaa EExaxammppllee ScSceennaarriioo Systems

Linux App Linux App LiLninuuxx A Apppps LLininuuxx A Apppps

X11 X11 Home E-Sign banking ... internet L4Linux L4Linux

Hermann Härtig et al. Minimal mult. Secure User Loader NS GUI Backup I/O Secure Storage Auth. TU Platform Dresden Operating Systems L4/Fiasco Group 43 SEVECOM Budapest 2006

10 Years Digital Rights Management L4-Based Digital Rights Management Systems store video in Linux FS

Firefox

o X11 de vi nd se Player

L4Linux Webserver internet Hermann Härtig et al. mult. TU Secure User Dresden Loader NS GUI Backup I/O Operating Storage Auth. Systems Group Fiasco 44 SEVECOM Budapest 2006

10 Years Digital Rights Management L4-Based Digital Rights Management Systems

store keys in Firefox secure storage

X11

Player keys send L4Linux Webserver internet Hermann Härtig et al. mult. TU Secure User Dresden Loader Secure NS GUI Backup I/O Storage Auth. Operating Storage Systems Group Fiasco 45 SEVECOM Budapest 2006

10 Years Digital Rights Management L4-Based Digital Rights Management Systems read encrypted video from LinuxFS

fetch key from secure storage Firefox

X11

Player

L4Linux

Hermann Härtig et al. mult. TU Secure User Dresden Loader Secure NS GUI Backup I/O Storage Auth. Operating Storage Systems Group Fiasco 46 SEVECOM Budapest 2006

10 Years Digital Rights Management L4-Based Digital Rights Management Systems

play Firefox

X11

Player

L4Linux

Hermann Härtig et al. mult. TU Secure User Dresden Loader Secure NS GUI Backup I/O Storage Auth. Operating Storage Systems Group Fiasco 47 SEVECOM Budapest 2006

10 Years Nizza and “Trusted Computing” L4-Based Nizza and “Trusted Computing” Systems TPMs deliver . authenticated booting . remote attestation . sealed memory

Hermann Härtig et al. mult.

TU Dresden Operating Systems Group 48 SEVECOM Budapest 2006

10 Years L4-Based VVPPNN BBooxx Systems

L4Linux L4Linux intranet internet

Hermann Viaduct Härtig et al. mult. eth0 eth1

TU Dresden Fiasco Operating Systems Group 49 SEVECOM Budapest 2006

10 Years L4-Based VVPPNN BBooxx Systems

DDE DDE

eth0 eth0 Hermann internet Viaduct intranet Härtig et al. mult. Environment Enviroenthm1ent

TU Dresden Fiasco Operating Systems Group 50 SEVECOM Budapest 2006 IInntteerrnneett TTrraannssaactctiioon:n: 10 Years Your password(s), credit card L4-Based Your password(s), credit card Systems nnuummbeberr,, ......

applet

Linux App Firefox jvm

X11

Webserver internet Hermann Linux Härtig et al. mult.

TU Dresden Operating Systems keyboard Group 51 SEVECOM Budapest 2006 IInntteerrnneett TTrraannssaactctiioon:n: 10 Years Your password(s), credit card L4-Based Your password(s), credit card Systems nnuummbeberr,, ......

Firefox

ds X11 oo t g check lec se cart & pay d pay sign an L4Linux Webserver internet Hermann Härtig et al. mult. TU Secure User Dresden Loader NS GUI Backup I/O Operating Storage Auth. Systems Group Fiasco 52 SEVECOM Minimal Secure Budapest 2006 Platform

10 Years Split Internet Transaction L4-Based Split Internet Transaction Systems Web Server Client Machine

Untrusted Browser Cart Signer

Browse / Build Cart Checkout

Ready Cart Ready Initiate Secure Connection

Hermann Display Härtig Webserver Send Cart Cart. et al. Wait for user mult. input Accept / Reject TU Dresden Operating Send Systems Commit Verify & Group Message Exchange Signed Done Hashes 53 SEVECOM to commit Budapest 2006 Verify & transaction Done

10 Years Split Internet Transaction L4-Based Split Internet Transaction Systems put together shopping cart

Firefox

X11 check Home cart banking pay ... L4Linux

Hermann Härtig et al. mult. Minimal TU Secure User Dresden Loader NS GUI Backup I/O Secure Storage Auth. Operating Platform Systems Group Fiasco 54 SEVECOM Budapest 2006

10 Years Split Internet Transaction L4-Based Split Internet Transaction Systems

Firefox View cart and pay

X11 check Home cart banking pay ... L4Linux

Hermann Härtig et al. mult. Minimal TU User Dresden Loader Secure NS GUI Backup I/O Secure Auth. Operating Storage Platform Systems Group Fiasco 55 SEVECOM Budapest 2006

10 Years Split Internet Transaction L4-Based Split Internet Transaction Systems

Firefox

X11 check transmit via Home cart TCP/IP banking pay ... L4Linux

Hermann Härtig et al. mult. Minimal TU Secure User Dresden Loader NS GUI Backup I/O Secure Storage Auth. Operating Platform Systems Group Fiasco 56 SEVECOM Budapest 2006

10 Years L4-Based RReessuullttiinngg CCoompmplleexxiittyy Systems

Original AppCore Application Reduction Scenario LOC MCC LOC MCC Factor (x103) (x103) (x103) (x103) e-commerce 978 151 10 1.5 100X (Browser) VPN Gateway 155 25 74 10 2.1X (FreeS/WAN) Hermann Härtig Email signer 250 45 54 11 4.6X et al. (Thunderbird) mult. TCB TU (Linux+Xserve 1,485 238 100 14 14X Dresden Operating r) Systems Group 57 SEVECOM Budapest 2006

10 Years L4/Nizza Trusted FS L4-Based L4/Nizza Trusted FS Systems

4 L Linux Trusted App

TrustedFS TrustedFS (Untrusted (Trusted Component) Component)

Hermann Härtig et al. mult. GUI Loader ... TU User Dresden Operating Systems Kernel Group Small Kernel TCB 58 SEVECOM Budapest 2006

10 Years Smart Phone Scenario (RT&Sec) L4-Based Smart Phone Scenario (RT&Sec) Systems

Linux App LLininuuxx A Apppps

X11 address GSM E-Sign book stack ... L4Linux

Hermann Härtig et al. Minimal mult. Secure User Loader NS GUI Backup I/O Secure + Storage Auth. TU Real-Time Dresden Operating Platform Systems Fiasco Group 59 SEVECOM Budapest 2006

10 Years Outline L4-Based Outline Systems L4 etc L4/Nizza Secure System Architecture What's Up Next? . applications, applications, applications, ... . hw developments: secure init - IOMMU - VM support . L4 and virtual machines

Hermann . NOVA: local names, ipc control, & VM support Härtig et al. . Bastei: L4Env redone mult. . “fall back” as simple availability management TU Dresden . formal specification (and verification attempts) Operating Systems Group 60 SEVECOM Conclusion Budapest 2006

10 Years Applications: AN.ON case study L4-Based Applications: AN.ON case study Systems conflicting goals(superficially): . Trusted Computing: establish identity, attestate SW-stack . AN.ON hide identity

Hermann Härtig et al. mult.

TU Dresden Operating Systems Group 61 SEVECOM Budapest 2006

X11 Client internet Hermann Härtig AN.ON et al. mult. L4Linux TU Dresden Operating Systems Group L4/Nizza platform 62 SEVECOM Budapest 2006

10 Years Current HW developements L4-Based Current HW developements Systems . secure init (intel LaGrande, AMD Pacifica) – takes BIOS, Loader, etc off the TCB . IO MMUs – allows real enforcement of address spaces without driver modification . VM support – removes ambiguity of some X86 instructions – much more to support efficient virtualization Hermann Härtig et al. mult.

TU Dresden Operating Systems Group 63 SEVECOM Budapest 2006

10 Years Current: Direct Memory Access L4-Based Current: Direct Memory Access Systems

CPU

System Bus

DRAM PCI bridge controller Hermann Härtig I/O et al. device mult. s

u RAM B

TU I

C I/O

Dresden P device Operating Systems Group 64 SEVECOM Budapest 2006

10 Years IO MMUs L4-Based IO MMUs Systems

CPU

System Bus

bridge DRAM controller Hermann Härtig IOMMU I/O et al. device mult. RAM TU I/O Dresden IOMMU device Operating Systems Group 65 SEVECOM Budapest 2006