
Kevin Elphinstone
- PhD
- Professor at UNSW Sydney
About
- 83 publications
- 18,398 reads
- 3,904 citations
Publications (83)
In the paper, we argue that it is worthwhile to revisit building microkernel-based multiserver operating systems, and introduce a multiserver OS architecture. We argue that recent formal verification of microkernels provides a compelling platform for constructing general purpose systems, and that existing systems are not appropriate to take advanta...
The trade-off between coarse- and fine-grained locking is a well-understood issue in operating systems. Coarse-grained locking provides lower overhead under low contention, fine-grained locking provides higher scalability under contention, though at the expense of implementation complexity and reduced best-case performance. We revisit this trade-...
The L4 microkernel has undergone 20 years of use and evolution. It has an active user and developer community, and there are commercial versions that are deployed on a large scale and in safety-critical systems. In this article we examine the lessons learnt in those 20 years about microkernel design and implementation. We revisit the L4 design arti...
It is well-established that high-end scalability requires fine-grained locking, and for a system like Linux, a big lock degrades performance even at moderate core counts. Nevertheless, we argue that a big lock may be fine-grained enough for a microkernel designed to run on closely-coupled cores (sharing a cache), as with the short system calls typi...
We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel. We discuss the kernel design we used to make its verification tractable. We then describe the functional correctness proof of the kernel's C implementation and we cover further steps that transform this r...
The L4 microkernel has undergone 20 years of use and evolution. It has an active user and developer community, and there are commercial versions which are deployed on a large scale and in safety-critical systems. In this paper we examine the lessons learnt in those 20 years about microkernel design and implementation. We revisit the L4 design paper...
Advances in formal software verification have produced an operating system that is guaranteed mathematically to be correct and enforce access isolation. Such an operating system could potentially consolidate safety and security critical software on a single device where previously multiple devices were used. One of the barriers to consolidation on c...
Systems software like databases and language runtimes typically manage memory themselves to exploit application knowledge unavailable to the OS. Traditionally deployed on dedicated machines, they are designed to be statically configured with memory sufficient for peak load. In virtualization scenarios (cloud computing, server consolidation), howeve...
The market of embedded processors far surpasses the market of personal computers and servers. While being more prolific than their desktop counterparts, the progress in semiconductor technology has also brought unprecedented computing power to embedded systems. On the back of these opportunities the complexity of embedded applications is rising dra...
Computer systems are routinely deployed in life- and mission-critical situations, yet their security, safety or dependability can in most cases not be assured to the degree warranted by the application. In other words, trusted computer systems are rarely really trustworthy. We believe that this is highly unsatisfactory, and have embarked on a large...
We report on the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of compiler, assembly code, hardware, and boot code. seL4 is a third-generation microkernel of L4 provenance, comprising 8,700 lines of C and 600 lines of assembler. Its performance is comparab...
This paper proposes a generalized framework to build large, complex systems where security guarantees can be given for the overall system's implementation. The work builds on the formally proven correct seL4 micro-kernel and on its fine-grained access control. This access control mechanism allows large untrusted components to be isolated in a way t...
This paper presents a machine-checked high-level security analysis of seL4 — an evolution of the L4 kernel series targeted to secure, embedded devices. We provide an abstract specification of the seL4 access control system in terms of a classical take-grant model together with a formal proof of its decidability. Using the decidability property we s...
We report on our experience using Haskell as an executable specification language in the formal verification of the seL4 microkernel. The verification connects an abstract operational specification in the theorem prover Isabelle/HOL to a C implementation of the microkernel. We describe how this project differs from other efforts, and examine the ef...
Componentised systems, in particular those with fault confinement through address spaces, are currently emerging as a hot topic in embedded systems research. This paper extends the unified rate-based scheduling framework RBED in several dimensions to fit the requirements of such systems: We have removed the requirement that the deadline of a task i...
Complete formal verification is the only known way to guarantee that a system is free of programming errors. We present our experience in performing the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of compiler, assembly code, and hardware, and we used...
This paper presents a machine-checked high-level security analysis of seL4—an evolution of the L4 kernel series targeted to secure, embedded devices. We provide an abstract specification of the seL4 access control system together with a formal proof that shows how confined subsystems can be enforced. All proofs and specifications in this paper are...
Embedded systems are evolving into increasingly complex software systems. One approach to managing this software complexity is to divide the system into smaller, tractable components and provide strong isolation guarantees between them. This paper focuses on one aspect of the system's behaviour that is critical to any such guarantee: management of...
As computer systems become increasingly mission-critical, used in life-critical situations, and relied upon to protect intellectual property, operating-system reliability is becoming an ever growing concern. In the past, mission- and life-critical embedded systems consisted of simple microcontrollers running a small amount of software that...
In this paper, we question whether hypervisors are really acting as a disruptive force in OS research, instead arguing that they have so far changed very little at a technical level. Essentially, we have retained the conventional Unix-like OS interface and added a new ABI based on PC hardware which is highly unsuitable for most purposes. Despit...
We propose a development methodology for designing and prototyping high assurance microkernels, and describe our application of it. The methodology is based on rapid prototyping and iterative refinement of the microkernel in a functional programming language. The prototype provides a precise semi-formal model, which is also combined with a mach...
Running device drivers as unprivileged user-level code, encapsulated into their own process, has often been proposed as a technique for increasing system robustness. However, in the past, systems based on user-level drivers have generally exhibited poor I/O performance. Consequently, user-level device drivers have never caught on to any signifi...
Device drivers are a significant source of system instability. In this paper, we make the case for running device drivers at user-level to improve robustness and resource management. We present a framework for running drivers at user-level whose goal is to provide similar performance when compared to in-kernel drivers. We also present initial pro...
Kernel memory is a resource that must be managed carefully in order to ensure the efficiency and safety of the system. The use of an inappropriate management policy can weaken the isolation between subsystems, lead to suboptimal performance, and even make the kernel vulnerable to denial-of-service attacks. Yet, many existing kernels use only a sing...
Most modern wide-address computer architectures do not prescribe a page table format, but instead feature a software-loaded TLB, which gives the operating system complete flexibility in the implementation of page tables. Such flexibility is necessary, as to date no single page table format has been established to perform best under all loads. With t...
Model of Address Spaces. We describe address spaces as mappings. $\sigma_0 : V \to R \cup \{\emptyset\}$ is the initial address space, where $V$ is the set of virtual pages, $R$ the set of available physical (real) pages and $\emptyset$ the nilpage which cannot be accessed. Further address spaces are defined recursively as mappings $\sigma : V \to (\Sigma \times V) \cup \{\emptyset\}$, where $\Sigma$ is the...
Persistence has long been difficult to integrate into operating systems. The main problem is that pointers lose their meaning once they are taken out of their address-space. We present a distributed system which has a single address-space encompassing all virtual memory of every node in the system. This design has become possible (and practicable)...
With the development of 64-bit microprocessors, it is now possible to combine local, secondary and remote storage into a large single address-space. This results in a uniform method for naming and accessing objects regardless of their location, removes the distinction between persistent and transient data, and simplifies the migration of data and p...
Single address space systems (SASOS) provide a programming model that is well suited to supporting persistent object systems. In this paper we show that stability can be implemented in the Mungi SASOS without incurring overhead in excess of the inherent cost of shadow-paging. Our approach is based on the introduction of aliasing into the SASOS mode...
Single-address-space operating systems (SASOS) are an attractive model for making the best use of the wide address space provided by the latest generations of microprocessors.
The Mungi operating system features a single 64 bit persistent address space encompassing all data in the system. This differs dramatically from current generation operating systems in which each process has its own address space and persistent data is stored in a filesystem.
Several factors are rapidly increasing the demands being placed on virtual memory implementations. Large address spaces, increasing sparseness, and novel operating systems are not well supported by traditional tree-based page tables. New approaches are needed to overcome these problems.
The introduction of 64-bit microprocessors has increased demands placed on virtual memory systems. The availability of large address spaces has led to a flurry of new applications and operating systems that further stress virtual memory systems. Consequently, much interest has recently focussed on translation lookaside buffer (TLB) performance and pa...
This document describes release 1.0 of the application programming interface to the kernel of the Mungi single-address-space operating system. This interface will, in general, only be used by low-level software, most applications are expected to use a higher-level interface implemented as system libraries. Such libraries will be described in separa...
Microkernels are minimal but highly flexible kernels. Both conventional and non-classical operating systems can be built on top or adapted to run on top of them. Microkernel-based architectures should particularly support extensibility and customizability, robustness including reliability and fault tolerance, protection and security. After desastro...
In this paper, we define the SawMill multiserver approach. This approach consists of: (1) an architecture upon which efficient and robust multiserver systems can be constructed and (2) a set of protocol design guidelines for solving key multiserver problems. First, the SawMill architecture consists of a set of user-level servers executing on the L4 mi...
You can read it as a paper that treats a concrete problem motivated in Section 1: How can we permit untrusted user processes to pin their virtual pages in memory most flexibly and as unlimited as possible? From this point of view, the paper presents a general solution that is theoretically and experimentally reasonably substantiated. However, you c...
We present a framework that allows applications to build and customize VM services on the L4 microkernel. While the L4 microkernel's abstractions are quite powerful, using these abstractions effectively requires higher-level paradigms. We propose the dataspace paradigm which provides a modular VM framework. The modularity introduced by the dataspac...
Main memory is typically significantly slower than the processors that use it. Such slow memory is then amortized by fast caches. Effective scheduling, particularly for soft or hard real-time, has therefore to include cache control, even on uniprocessors. Although cache scheduling is currently still an open research issue, we assume in this paper t...
In this paper, we propose an IPC mechanism that restores synchronous IPC semantics over transparent monitors. The key feature of this mechanism is that system monitors are considered as an extension of the kernel, so the source and destination are treated as if the kernel is still processing the IPC. However, there are a number of possible monitoring...
Guarded Page Tables implement huge sparsely occupied address spaces efficiently and have the advantages of multi-level tables (tree structure, hierarchy, sharing). We present an implementation of guarded page tables on the R4600 processor. This is an excerpt of a paper published in OSR 30(1), Jan 96. 1 Guarded Page Tables Guarded Page Tables have b...
We present a mechanism for inter-process communication (IPC) redirection that enables efficient and flexible access control for micro-kernel systems. In such systems, services are implemented at user level, so IPC is the only means of communication between them. Thus, the system must be able to mediate IPCs to enforce its access control policy. Suc...
You can read it as a paper that treats a concrete problem motivated in the first section: how can we permit untrusted user processes to pin their virtual pages in memory most flexibly and as unlimited as possible? From this point of view, the paper presents a general solution that is theoretically and experimentally reasonably substantiated. Howeve...
Single-Address-Space Operating Systems (SASOS) are an attractive model for making the best use of the wide address space provided by the latest generations of microprocessors. SASOS remove the address space boundaries which make data sharing between processes difficult and expensive in traditional operating systems. They offer the potential of sign...
Extensibility can be based on cross-address-space interprocess communication (IPC) or on grafting application-specific modules into the operating system. For comparing both approaches, we need to explore the best achievable performance for both models. This paper reports the achieved performance of cross-address-space communication for the L4 micro...
The Mungi single address space operating system provides a protected procedure call mechanism named protection domain extension (PDX). The PDX call executes in a protection domain which is the union of (a subset of) the caller's domain, and a fixed domain associated with the procedure. On return, the caller's original protection domain is re-establ...
Single address space systems (SASOS) provide a programming model that is well suited to supporting persistent object systems. In this paper we show that stability can be implemented in the Mungi SASOS without incurring overhead in excess of the inherent cost of shadow-paging. Our approach is based on the introduction of a limited form of aliasing i...
The Distributed Systems Group at the University of New South Wales is constructing a distributed operating system based on global virtual memory (GVM). The system combines local and remote storage into a single large virtual address space. This provides a uniform method for naming and accessing objects regardless of their location, removes the dist...
Introduction The Distributed Systems Group at the University of New South Wales is currently constructing a distributed operating system based on global virtual memory (GVM). Unlike previously published systems, our system combines local and remote storage into a single large virtual address space. This provides a uniform method for naming and acce...
Virtual memory is a feature of most operating systems. It presents a level of indirection between the addresses that an application views, and the physical memory addresses used by the hardware. The benefits of virtual memory include: security, reliability, application transparent relocation of physical memory, and cache partitioning. The page tabl...
The Mungi operating system features a single 64 bit persistent address space encompassing all data in the system. This differs dramatically from current generation operating systems in which each process has its own address space and persistent data is stored in a filesystem. This report is a preliminary investigation of address space management is...
Automotive components present unique challenges in reliability, security, performance and cost. Consolidation of different functions in multi-purpose units drives up complexity, and raises not only reliability concerns, but also the issue of liability for sub-component suppliers. It is of foremost importance to guarantee reliability and secur...
L4 is a small microkernel that is used as a basis for several operating systems. L4 seems an ideal basis for embedded systems that possess and use memory protection. It could provide a reliable, robust, and secure embedded platform. This paper examines L4's suitability as a basis for trustworthy embedded systems. It motivates the use of a micro...
High-end embedded systems featuring millions of lines of code, with varying degrees of assurance, are becoming commonplace. These devices are typically expected to meet diverse application requirements within tight resource budgets. Their growing complexity makes it increasingly difficult to ensure that they are secure and robust. One approac...
The L4 microkernel, like many first and second generation microkernels, was designed to maximise best-effort performance. One component of its functionality critical to overall system performance is its interprocess communication primitive. L4 uses two techniques to minimise communication costs: direct process switching and lazy queue management....
This paper argues that a pragmatic approach is needed for integrating design and formalisation of complex systems. We report on our approach to designing the seL4 operating system microkernel API and its formalisation in Isabelle/HOL. The formalisation consists of the systematic translation of significant parts of the functional programming lan...
Kernel memory is a resource that must be managed carefully in order to ensure the efficiency and availability of the system. The use of an inappropriate policy would lead to suboptimal performance and even make the system susceptible to denial of service attacks. In this paper, we argue that user-level managers, with their domain specific knowl...
In the paper we examine one of the issues in designing, specifying, implementing and formally verifying a small operating system kernel — how to provide a productive and iterative development methodology for both operating system developers and formal methods practitioners. We espouse the use of functional programming languages as a medium for pro...