The Sel4 Microkernel – a Robust, Resilient, and Open-Source Foundation for Ground Vehicle Electronics Architecture

2019 NDIA GROUND VEHICLE SYSTEMS ENGINEERING AND TECHNOLOGY SYMPOSIUM CYBER/VEA TECHNICAL SESSION AUGUST 13-15, 2019 - NOVI, MICHIGAN

The seL4 Microkernel – A Robust, Resilient, and Open-Source Foundation for Ground Vehicle Electronics Architecture

Robbie VanVossen1, Jesse Millwood1, Chris Guikema1, Leonard Elliott2, Jarvis Roach1

1DornerWorks, Grand Rapids, MI 2GVSC, Warren, MI

ABSTRACT There has been a lot of interest in the secure embedded L4 (seL4) microkernel in recent years as the basis of a cyber-security platform because it has been formally proven to be correct and free of common defects. However, while the seL4 microkernel has a formal proof of correctness, it does so at the cost of deferring functionality to the user space that most developers and system integrators would deem necessary for real life products and solutions, and use of formal proofs for user space can be prohibitively expensive. DornerWorks took an approach to bypass the need for native seL4 user space applications to develop a representative real-world system for GVSC VEA based on seL4 by enabling its virtual machine monitor functionality for ARMv8 platforms, allowing feature rich software stacks to be run in isolation guaranteed by the seL4 formal proofs. This paper describes that system and the efforts undertaken to achieve real world functionality.

Citation: R. VanVossen, J. Millwood, C. Guikema, L. Elliott, J. Roach, “The seL4 Microkernel – A Robust, Resilient, and Open-Source Foundation for Ground Vehicle Electronics Architecture”, In Proceedings of the Ground Vehicle Systems Engineering and Technology Symposium (GVSETS), NDIA, Novi, MI, Aug. 13-15, 2019.

1. INTRODUCTION Military ground vehicles often host powerful Safety and security concerns over computer weapons, are connected to larger military systems within military ground vehicles bear many communication networks, and are responsible for similarities to those that have been recently critical functions during tactical operations. For reported for commercial automotive systems, these reasons, the electronics and computers within however there are several important distinctions. these vehicles need to function with a high-level of assurance. Historically, a lower level of rigor was observed during ground vehicle system DISTRIBUTION A. APPROVED FOR development. This is due to many factors, including PUBLIC RELEASE; DISTRIBUTION the lack of a need for the level of rigor associated UNLIMITED with airworthiness certification and because, OPSEC #: 2716 originally the electronics within these systems were Proceedings of the 2018 Ground Vehicle Systems Engineering and Technology Symposium (GVSETS) standalone. The essence and severity of this requirements. These additional costs are borne even deficiency was recently highlighted in a when projects attempt the easiest levels of Government Accountability Office report titled certification, where the goal is only proving the “Weapon Systems Cybersecurity: DOD Just software does what it is intended to do. The effort Beginning to Grapple with Scale of to provide assurance that the software does not do Vulnerabilities” [1] which presented an what it is not intended to do, necessary for the investigation revealing that major military systems higher level of criticality, requires additional including aircraft, ships, combat vehicles, and reviews and analyses that substantially add to the satellites could easily be compromised. Clearly final bill. more work needs to be done to protect military Data shows that developing software to the lowest ground vehicle electronics. To accomplish this, level criticality in the DO-178 standard, design these systems will need to meet more rigorous assurance level (DAL-E), adds 0.11 to 0.44 hours, security certification standards. depending on the development team’s experience, “Software certification is expensive” is a truism per line of source code (SLOC) to generate the in the ever-increasing number of industries that requirements, design documentation, source code, require it. All safety and security certification verification, analyses, and review evidence, standards, such as Common Criteria for security, collectively known as certification artifacts [2]. The DO-178C for aviation, IEC 62304 for medical, IEC most critical level, DAL-A, takes between 0.67 and 61508 and its derivatives like ISO-26262 for 2.68 hours per SLOC. By these metrics, a automotive, share the same goal of providing a microkernel on the order of 15,000 SLOC would guarantee, or an assurance, that software developed require between 10,050 and 40,200 hours to to such a standard does what it is intended to do, develop to DAL-A. At the other end of the and at higher criticality levels, does not do what it spectrum, the Linux kernel grew by 225,000 SLOC was not intended to do. To the uninitiated, this from 2017 to 2018 [3] to a grand total of around 25 seemingly simple goal requires a surprising amount million SLOC. Based on the metrics given above, of effort above and beyond what is required to “just which may be on the low side for such a large and get the software working”. Defining and complex code base, Linux would require 2.75 documenting what exactly is meant by “working”, million to 11 million hours of development just to in the form of defining a specification, is a common achieve DAL-E, and while Linux does not need to task or objective in software process standards. be entirely developed from scratch, testing alone This is true, even when certifying to the least can account for as much as 90% of the total labor critical levels, and it takes time and effort to do effort [4] in development. correctly and unambiguously. Correct and Formal methods, or mathematically based complete requirements allow a team to develop techniques, can be used for the specification, tests and other means to verify that the software development, and verification of software to reduce meets the specification. Even teams that are in the these costs in the long run. The very act of capturing practice of testing their software may find the requirements using formal notations forces a more additional effort to write tests sufficient to exercise explicit, and hence more unambiguous, set of all of the requirements surprising. A natural requirements, removing a source of errors very consequence of better testing is a higher level of early in the software development lifecycle. Also, defects found in software and requirements. This formally defined requirements can be used to carry tends to further drive development cost up, even if out formal analyses to verify useful properties of all the project is disciplined enough and has the luxury formally defined artifacts, such as consistency of of avoiding churn caused by a change in the and between requirements, design, and software;