
MIKES 2007
First International Workshop on Microkernels for Embedded Systems

Editors: Ihor Kuz and Stefan M. Petters
Program Committee Chair: Kevin Elphinstone

National ICT Australia
223 Anzac Parade
Kensington NSW 2052
Australia
{firstname.lastname}@nicta.com.au

Technical Report, January 2007
ISSN 1833-9646

Copyright 2007 National ICT Australia. All rights reserved. The copyright of this collection is with National ICT Australia. The copyright of the individual articles remains with their authors.

National ICT Australia is funded by the Australian Government's Department of Communications, Information Technology, and the Arts and the Australian Research Council through Backing Australia's Ability and the ICT Research Centre of Excellence programs.

Table of Contents

Foreword ... 4
Formalizing Information Flow in a Haskell Hypervisor ... 5
  Rebekah Leslie, Levent Erkök, and Flemming Andersen
High-Performance Microkernels and Virtualisation on ARM and Segmented Architectures ... 11
  Carl van Schaik and Gernot Heiser
Automated Object Layout Optimization in a Portable Microkernel ... 22
  Uwe Dannowski
A Memory Allocation Model For An Embedded Microkernel ... 29
  Dhammika Elkaduwe, Philip Derrin, and Kevin Elphinstone
L4-Based Real Virtual Machines: An API Proposal ... 36
  Sebastian Biemueller and Uwe Dannowski
A Declarative Approach to Extensible Interface Compilation ... 43
  Nicholas FitzRoy-Dale
Evolution of the PikeOS Microkernel ... 50
  Robert Kaiser and Stephan Wagner
Issues on Analysing L4 for its WCET ... 58
  Mohit Singal and Stefan M. Petters

Foreword

The First International Workshop on MicroKernels for Embedded Systems was conceived to provide a forum for the discussion of issues in the application of microkernels in the embedded systems domain, including emerging problems, novel concepts, analysis approaches, and case studies.

The workshop attracted submissions from both academia and industry. The submitted papers were peer reviewed by an expert program committee. I wish to express my gratitude to the members of the program committee who contributed their time to provide high quality reviews, which eased the job of selecting a quality program. The authors were given the opportunity to revise and re-submit final versions of their papers based on the reviews, and on the discussions that developed at the workshop. The papers contained herein are the final versions submitted after the workshop.

I'd like to thank our guest speaker David Kleidermacher of Green Hills Software, who provided an interesting overview of a successful commercial microkernel for embedded systems. I'd also like to thank the discussion panel: Gernot Heiser, National ICT Australia and UNSW; Timothy Roscoe, ETH, Zurich; Andrew Tanenbaum, Vrije Universiteit; and David Kleidermacher. The panel discussion proved lively, insightful, and entertaining for all present. I also wish to thank Stefan M. Petters and Ihor Kuz, who did much of the organising of the event.

Kevin Elphinstone
Program Chair

Program Committee

Kevin Elphinstone, NICTA/UNSW, Australia (Chair)
Andrew Tanenbaum, Vrije Universiteit, Amsterdam, Netherlands
Gerwin Klein, NICTA/UNSW, Australia
Hermann Haertig, TU Dresden, Germany
Jonathan S. Shapiro, The Johns Hopkins University, USA
Neil Audsley, University of York, UK
Sebastian Schönberg, Intel, Hillsboro, USA
Volkmar Uhlig, IBM Watson, USA

Formalizing Information Flow in a Haskell Hypervisor

Rebekah Leslie (Portland State University), Levent Erkök and Flemming Andersen (Intel Corporation)

Abstract— Separation kernels are the holy grail of secure systems, remaining elusive despite years of research into their design, implementation, and analysis. Though separation kernel research has achieved many successes, the disconnect between information flow theory and system implementation is a significant barrier to further progress. In this paper, we show how a particular branch of information flow theory, noninterference, can be utilized to formulate correctness and security properties of a microkernel-style hypervisor. Thus, we not only provide a first step towards a formally verified separation kernel, but also reduce the gap between information flow theory and operating systems practice.

I. INTRODUCTION

Noninterference provides a concise and general way to formalize the information flow relationships between components of a system. A noninterference security policy specifies which components, or domains, may not interfere with each other, where a domain u interferes with a domain v if v can observe the effects of u's execution [1]. The generality of such policies makes them useful for capturing a wide variety of security requirements, including separation. A key benefit of noninterference is that there are existing frameworks for reasoning about systems governed by a noninterference policy [1], [2], thus reducing the barriers to verifying such systems formally.

Our interest in noninterference stems from our efforts to develop a hypervisor with formally verified separation between user-level processes. The design of our hypervisor is similar to secure microkernel APIs such as seL4 [3] and L4sec [4], but we use the term hypervisor to emphasize our intent to employ our system as a platform for secure, separate execution. Such an execution environment is an essential part of many high assurance systems, and is increasingly important in light of recent hardware developments, such as multi-core platforms based on Intel® Virtualization Technology and Intel® Trusted Execution Technology [5].

Following the approach of the Programatica [6] and seL4 [3] projects, we are writing a model of our hypervisor, called HHV, in the functional language Haskell [7]. The mathematical semantics and strong type system of Haskell make our model easier to reason about than a low-level implementation. By combining the use of a high-level functional language with the application of an existing reasoning framework, proving separation for HHV becomes a more tenable goal than with other techniques.

In this paper, we concentrate on the formulation of correctness and security properties of the communication mechanisms in HHV, because these are the source of all legal information flow in our design. We formally characterize the information flow relationships induced by these communication primitives using a notation based on higher-order logic, similar to the P-logic programming logic for Haskell [8]. More importantly, we develop specification patterns for expressing correctness properties in terms of noninterference concepts. In defining these patterns, we take advantage of higher-order functions to extract common aspects of noninterference-style properties. For instance, we abstract over the kernel state and kernel operations so that we can instantiate the patterns in different contexts and formulate assertions about particular operations in a generic way. Hence, our work provides a link between the theory of noninterference and the actual practice of building secure microkernels.

We organize the remainder of the paper as follows. Section II describes the foundational concepts of HHV and outlines the communication mechanisms. Section III presents the system model used by our hypervisor. Section IV introduces the noninterference specification patterns that are the basis of our property formulations. Section V defines the desired information flow behavior of HHV, both as an informal specification and as a set of formal properties. We discuss related work in Section VI and present our conclusions in Section VII.

(Levent Erkök is now at Galois Connections, Inc.)

II. COMMUNICATION IN HHV

The fundamental abstractions in HHV are protection domains—the basic unit of resource protection—and execution contexts—the unit of execution. A protection domain (PD) corresponds to an address space in other systems; an execution context (EC) corresponds to a thread. HHV is a migrating thread system [9], so there is a single execution context per processor that moves between protection domains with the logical flow of control.

Each EC contains a representation of the processor state—such as the general purpose registers and the instruction pointer—for the running domain. We store this hardware context using a record type, called Context, which contains a field for each hardware register. When a domain is not running, HHV preserves the processor state in a region of memory called the save/restore area (SRA).

    saveContext     :: Mask -> Context -> PDID -> Kernel ()
    computeTransfer :: Mask -> Context -> Context
    loadContext     :: Portal -> SRA -> Context
    computePass     :: Mask -> Context -> Context -> Context

Fig. 1. Functions for preserving domain state and performing a message transfer. These functions are used by the context switch operation to implement the dynamic message-transfer semantics specified by the portal masks.

Protection domains communicate through uni-directional channels called portals. A portal traversal causes a context switch from the initiator of the traversal (the source domain) to the target of the traversal (the destination domain), potentially transferring a message from the source to the destination in the process. There are two modes of communication in HHV: direct data transfer via registers and indirect data transfer through shared resources, such as memory pages.1 In this paper, we focus on the information flow properties of direct
data transfer, although we have also formally
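The following is an added example, not code from the paper or from HHV: a Python model of direct data transfer through a portal, with the interference check that Section I describes (a source register interferes with the destination if the destination can observe a change to it). The model assumes that computeTransfer keeps exactly the registers named in the portal Mask; the register names, the leaky variant, and the sample contexts are constructed here.

```python
from dataclasses import dataclass

# Constructed model: a Context has one field per hardware register (a dict here);
# a portal Mask is the set of registers the traversal may pass (assumed semantics).
REGISTERS = ("eax", "ebx", "ecx", "edx", "eip")


@dataclass(frozen=True)
class Context:
    regs: dict


def compute_transfer(mask, src):
    """Assumed model of computeTransfer :: Mask -> Context -> Context:
    the message carries only the masked registers of the source."""
    return Context({r: v for r, v in src.regs.items() if r in mask})


def compute_transfer_unmasked(mask, src):
    """Deliberately defective variant that ignores the mask (a leak the check must catch)."""
    return Context(dict(src.regs))


def traverse(transfer, mask, src, dest):
    """Model of a portal traversal: the destination receives the transferred
    registers and keeps its own values for every other register."""
    regs = dict(dest.regs)
    regs.update(transfer(mask, src).regs)
    return Context(regs)


def interfering_registers(transfer, mask, src, dest):
    """Unwinding-style check: perturb each source register in turn and report
    those whose change is observable in the destination after the traversal."""
    baseline = traverse(transfer, mask, src, dest)
    leaks = set()
    for r in REGISTERS:
        perturbed = Context({**src.regs, r: src.regs[r] + 1})
        if traverse(transfer, mask, perturbed, dest) != baseline:
            leaks.add(r)
    return leaks


def policy_respected(transfer, mask, src, dest):
    """True when only registers named in the mask flow from source to destination."""
    return interfering_registers(transfer, mask, src, dest) <= set(mask)


# Constructed sample contexts: distinct source values, zeroed destination.
SRC = Context({r: i for i, r in enumerate(REGISTERS, start=10)})
DEST = Context({r: 0 for r in REGISTERS})
MASK = frozenset({"eax", "ebx"})
```

Running the check with an empty mask models full separation: no source register may interfere with the destination.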