NICTA Copyright 2014 From imagination to impact 1
Mixed-Criticality Support in a High-Assurance,
General-Purpose Microkernel
Anna Lyons, Gernot Heiser
UNSW Australia & NICTA
[Figure (slides 2–5): seL4 hosting untrusted, non-critical components (which could be OS guests) alongside trusted, critical ones, on a single core (for now) with a memory management unit; the two sides use shared resources.]
seL4
• Functional Correctness [SOSP’09]
• Integrity [ITP’11]
• Timeliness (known WCET) [RTSS’11, EuroSys’12]
• Translation Correctness [PLDI’13]
• Non-interference [S&P’13]
• Fast (258-cycle IPC round trip on a 1GHz Cortex-A9)
• Minimal TCB (~9000 SLoC)
Safety: specifically temporal properties.
Goals of this work
• Real-time scheduling support
• Temporal isolation (beyond total static partitions)
• Asymmetric temporal protection
– support for criticality mode changes
• Bounded resource sharing
– across criticalities
TIME = FIRST CLASS RESOURCE
Mechanisms
1. Scheduling contexts
2. Thread criticalities
3. Temporal exceptions
This talk
1) seL4 concepts
2) Time as a resource
3) Mode switch support
4) Resource sharing

1) seL4 concepts
seL4 design principles
• Minimality principle
• Fast
• Possible to verify
– avoid concurrency
– avoid unnecessary complexity
– kernel should not require re-verification if user-level changes
What is a capability?
• unforgeable access token
• stored in the c-space of an app
– threads can share c-spaces
• invoked by user-level to perform an action
– no capability, no action
• can be copied, moved between c-spaces
seL4 basics: sync endpoints
Synchronous endpoints: essentially message ports, which senders/waiters queue on until both are present to receive a message.
[Figure (slides 13–18): a thread t does seL4_Call on endpoint e; a server s does seL4_Wait on e; once both are present the message is delivered, s answers with seL4_ReplyWait, and the reply r returns to t.]
seL4 basics: async endpoints
Async endpoints (AEP): essentially message ports, which accumulate messages until a waiter is present. Waiters queue until a message is present.
[Figure (slides 19–20): a thread s does seL4_Wait on async endpoint ae; messages arrive from an interrupt, an async message or a kernel timer message.]
A bound async endpoint has a special 1:1 relationship with a thread: only the bound thread is allowed to wait on a bound AEP.
seL4 Memory Model
[Figure (slides 21–22): seL4 hands all memory to the initial task as large regions (1GB, 512MB), which are then carved into 4KB objects.]
Meet seL4: Summary
• capability based
• communication via endpoints
– synchronous or asynchronous
• all resources managed at user-level
• initial task gets capabilities to everything in the system
2) Time as a resource
Resource kernels*
• Timeliness of resource access
– reservations
• Efficient resource utilisation
• Enforcement & Protection
• Access to multiple resource types
* [Rajkumar et al. 2001]
Resource kernel mechanisms
Which mechanisms belong in a microkernel?
• Admission (policy)
• Scheduling
• Enforcement
• Accounting
Scheduling Contexts
• Implements processor “reservation”
– adapted from Fiasco [Steinberg 2010]
• Upper bound
• No priority
• Rate = e / p
• Full or Partial
• Only 1 per thread
Examples: e = 2, p = 3; e = 250, p = 1000
Full reservations
[Figure (slide 29): priority axis 255, 254, 253 … 3, 2, 1, 0 with threads t1 (e = 4, p = 4), t2 (e = 5, p = 5) and t3 (e = 4, p = 4).]
Partial reservations
[Figure (slides 30–31): the same priority axis with t1 (e = 2, p = 4); once its budget is used up, t1 sits in the release queue until it is replenished.]
Scheduling contexts act as sporadic servers
Admission
• New control capability, seL4_SchedControl.
• Controls population of scheduling context parameters.
• Must take into account priorities
[Figure (slide 32): the admission policy sits at user level, above seL4.]
Scheduling: Basic Rate Monotonic
[Figure (slide 33): priority axis 255 … 0 with t1 (e = 10, p = 100), t2 (e = 2, p = 4) and t3 (e = 4, p = 20) placed rate-monotonically; utilisation labels 10%, 40%, 25%.]
Scheduling: Low priority tasks in slack
[Figure (slide 34): t1 (e = 5, p = 30), t2 (e = 20, p = 40) and t3 (e = 4, p = 20) on the priority axis, with a low-priority thread t3 (e = 4, p = 20) running in the slack the others leave.]
Time as a resource: summary
• scheduling contexts
– full or partial
– act as upper bounds
– disjoint from priority
• user-level admission
– allows for mixed RT/RR scheduling
– not full flexibility of user-level scheduling
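As an added illustration (not code from the talk or from seL4), a small C model of the scheduling-context scheme summarised above: each context is a sporadic server that returns every consumed tick one period later, a user-level admission policy (assumed here to be a plain utilisation sum, with full reservations kept below all partial ones) decides what the kernel is handed, and the thread set is the one from the rate-monotonic slide plus a constructed full reservation `rr` that soaks up the slack.

```c
#include <stdio.h>
#include <string.h>

#define HORIZON 100   /* simulated ticks */
#define MAXP    100   /* longest period admitted; bounds the repl[] queue */

/* A scheduling context: e ticks of budget per period p (rate = e/p), enforced
 * as a sporadic server. Priority is a separate thread attribute, as on the slides. */
typedef struct {
    const char *name;
    int e, p, prio;                  /* budget, period (ticks), priority 0..255 */
    int budget;                      /* budget available right now */
    int repl[HORIZON + MAXP + 1];    /* budget units handed back at tick t */
    int ran;                         /* ticks actually received */
} sched_ctx_t;

/* User-level admission policy (assumed for this example: a plain utilisation
 * sum over partial reservations; full reservations, e == p, are best effort and
 * must sit below every partial one). The kernel only enforces the e/p bounds. */
int admit(const sched_ctx_t *s, int n) {
    double u = 0.0;
    int lowest_partial = 256, highest_full = -1;
    for (int i = 0; i < n; i++) {
        if (s[i].e <= 0 || s[i].p <= 0 || s[i].e > s[i].p || s[i].p > MAXP)
            return 0;                                   /* malformed reservation */
        if (s[i].e == s[i].p) {
            if (s[i].prio > highest_full) highest_full = s[i].prio;
        } else {
            u += (double)s[i].e / s[i].p;
            if (s[i].prio < lowest_partial) lowest_partial = s[i].prio;
        }
    }
    return u <= 1.0 && highest_full < lowest_partial;
}

/* Fixed-priority scheduling over sporadic-server budgets. Every thread is always
 * runnable (a busy loop), so its context is the only limit: each consumed tick comes
 * back one period later, so it never gets more than e ticks per window of p. */
void simulate(sched_ctx_t *s, int n) {
    for (int i = 0; i < n; i++) {
        s[i].budget = s[i].e;
        s[i].ran = 0;
        memset(s[i].repl, 0, sizeof s[i].repl);
    }
    for (int t = 0; t < HORIZON; t++) {
        int best = -1;
        for (int i = 0; i < n; i++) {
            s[i].budget += s[i].repl[t];              /* replenishments due now */
            if (s[i].budget > 0 && (best < 0 || s[i].prio > s[best].prio))
                best = i;
        }
        if (best < 0) continue;                       /* idle tick */
        s[best].budget--;
        s[best].repl[t + s[best].p]++;
        s[best].ran++;
    }
}

/* Thread set from the rate-monotonic and "low priority tasks in slack" slides:
 * three partial reservations plus a constructed full reservation, rr, at the
 * lowest priority, which only runs in the slack the others leave. Returns the
 * ticks thread `idx` received over the horizon, or -1 if the set is rejected. */
int demo_ticks(int idx) {
    sched_ctx_t s[4] = { { "t1", 10, 100, 255 }, { "t2", 2, 4, 254 },
                         { "t3", 4, 20, 253 },   { "rr", 100, 100, 0 } };
    if (!admit(s, 4)) return -1;
    simulate(s, 4);
    return s[idx].ran;
}

/* A fourth partial reservation of 50% (constructed) takes the total to 130%,
 * which the admission policy must refuse before the kernel ever sees it. */
int demo_overload_rejected(void) {
    sched_ctx_t s[4] = { { "t1", 10, 100, 255 }, { "t2", 2, 4, 254 },
                         { "t3", 4, 20, 253 },   { "t4", 50, 100, 252 } };
    return !admit(s, 4);
}

int main(void) {
    for (int i = 0; i < 4; i++)
        printf("thread %d received %d of %d ticks\n", i, demo_ticks(i), HORIZON);
    printf("overloaded set rejected: %d\n", demo_overload_rejected());
    return 0;
}
```

Over 100 ticks t1 gets its 10, t2 exactly 2 of every 4 ticks once t1 is out of budget, t3 its 4 per 20, and rr only the 24 ticks nobody else can use; raising any thread's priority changes the order, not these totals.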
3) Mode switch support
Task model

```c
while (1) {
    /* job release */
    doJob();
    /* job completion */
    seL4_Wait(bep);
}
```

Bound async endpoint where device interrupts, async messages or kernel timer trigger job release.
If job completion does not occur before the budget expires, send a temporal exception or rate-limit.
Criticality
• New thread field
• Range set at compile time
• seL4_SetCriticality
– invokes sched_control cap
– HI -> LO is lazy
– LO -> HI is immediate, and O(n)
[Figure (slide 38): criticality levels 2, 1, 0 with threads t assigned to each level.]
Criticality mode change
• Assumptions:
– infrequent (if they occur at all)
– short in duration
• Kernel provides ability to
– change params of excepting thread
– postpone all lower criticality threads
– alter priorities of threads
Asymmetric Protection
[Figure (slide 40): priority axis 255, 254, 253 … 252 … 3, 2, 1, 0 with threads t1 (e = 2, p = 10), t2 (e = 1, p = 5), t3 (e = 3, p = 20), t4 (e = 4, p = 19), t5 (e = 100, p = 100) and t0 (e = 100, p = 100), grouped under “Low Criticality” and “High Criticality”; a temporal exception leads to SchedControl_Extend() and SchedControl_SetCriticality().]
Asymmetric Protection
[Figure (slide 41): after the criticality change, t2 and t4 are no longer on the axis; t1 now has e = 5, p = 10, alongside t3 (e = 3, p = 20), t5 and t0 (e = 100, p = 100).]
Restores criticality when system is idle
Criticality: Summary
• Temporal exceptions
– optional (not required for rate-based threads)
– handler must have own budget
• New thread field: criticality
• New kernel invocation: set criticality
– although temporal exception handler can take other actions
4) Resource sharing
Resource Sharing
[Figure (slide 44): a thread does seL4_Call on endpoint e; the resource server does seL4_Wait on e and answers with seL4_ReplyWait.]
NCP vs. PIP vs HLP vs PCP
[Figure (slide 45): the protocols plotted by priority inversion bound against implementation complexity: Non-preemptive Critical Sections, Priority Inheritance Protocol, Highest Lockers Protocol, Priority Ceiling Protocol.]
Resource Sharing
[Figure (slides 46–48): the same exchange step by step (seL4_Call, seL4_Wait, seL4_ReplyWait on endpoint e); in the last frame a further seL4_Call arrives on e while the resource server is still handling the previous request, and the slide marks the outcome “???”.]
Active Servers (no temporal isolation)
[Figure (slides 50–53): an active server does seL4_Wait on endpoint e; client A does seL4_Call, the server answers with seL4_ReplyWait, then client B does seL4_Call; the server runs on its own scheduling context throughout, which gives no temporal isolation.]
Scheduling context donation
• seL4_Call
– where server is passive, donate scheduling context to server, otherwise do nothing
– Must *trust* the server (use async for untrusted)
• seL4_ReplyWait
– donates it back
– reply cap represents a guarantee that the scheduling context will be returned
Scheduling context donation
[Figure (slides 55–58): a passive server does seL4_Wait on e with no scheduling context of its own; A does seL4_Call and its context is donated to the server, which runs on it and hands it back with seL4_ReplyWait; B waits its turn.]
Summary: Resource sharing (so far)
• Scheduling context donation
– only on Synchronous IPC with atomic send/recv operation
• Active and passive servers
– Passive servers must always be trusted
Budget Expiry
[Figure (slides 60–61): the passive server is running on A’s donated scheduling context when that budget expires, while B is queued on e.]
NICTA Copyright 2014 From imagination to impact
Alteratives for budget expiry
• Multithreaded servers – COMPOSITE [Parmer 2010]
– possible with our impl.
• Bandwidth Inheritance + helping – Fiasco [Steinberg et.al. 2010]
– we avoid this to avoid dependency trees/chains
• Temporal exceptions!
62
Exception + Rollback
[Figure (slides 63–64): when A’s budget expires inside the server, a temporal fault is delivered to the handler, which rolls the server back; B is still queued on e.]
Criticality change
[Figure (slides 65–66): B (LO criticality) is inside the server (HI criticality) while A (HI criticality) waits; on seL4_SetCriticality the temporal fault handler is invoked and the server is returned to its home state.]
Exception + rollback
• Other actions possible on exception
– like emergency reservation
• Rollback propagates to handle chains:
– if a reply transfers an empty scheduling context, another temporal exception is raised
• User must implement rollback
– middleware layer can do this
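An added model (constructed for this transcript, not kernel code) covering scheduling context donation (slide 54) together with budget expiry, exception + rollback and the criticality-change case above: a passive server borrows the caller's context on seL4_Call and returns it on seL4_ReplyWait, and a temporal exception handler, modelled as a function that is assumed to run on its own budget, rolls the server back to its home state when the borrowed budget expires or when a LO client is caught inside a HI server during seL4_SetCriticality. Thread names, budgets and the state names are constructed for the example.

```c
#include <string.h>
/* Constructed model (not kernel code): threads [0] passive server (HI),
 * [1] A (HI criticality), [2] B (LO criticality). */
enum crit  { LO = 0, HI = 1 };
enum state { WAITING, RUNNING, BLOCKED, POSTPONED, FAULTED };
typedef struct thread thread_t;
typedef struct { thread_t *owner; int budget; } sc_t;   /* scheduling context */
struct thread {
    const char *name; enum crit crit; enum state state;
    sc_t *sc;                 /* NULL while a passive server holds nothing */
};
#define NT 3
static thread_t threads[NT];
static sc_t sc_a, sc_b;
static int temporal_exceptions;   /* raised so far; the handler is assumed to have its own budget */
/* seL4_Call on a passive server: the caller blocks and its scheduling context
 * moves into the server, which from now on runs on the caller's budget. */
int call(thread_t *client, thread_t *server) {
    if (server->sc != NULL || server->state != WAITING || client->sc == NULL) return 0;
    server->sc = client->sc;  client->sc = NULL;
    server->state = RUNNING;  client->state = BLOCKED;
    return 1;
}
/* seL4_ReplyWait hands the context back; the reply cap is the guarantee that it will. */
int reply_wait(thread_t *server, thread_t *client) {
    if (server->sc == NULL || server->sc->owner != client) return 0;
    client->sc = server->sc;  server->sc = NULL;
    server->state = WAITING;  client->state = RUNNING;
    return 1;
}
/* Temporal exception handler: roll the server back to its home state and give
 * the borrowed context back to its owner, which is marked faulted. */
static void temporal_exception(thread_t *server, thread_t *owner) {
    temporal_exceptions++;
    owner->sc = server->sc;  server->sc = NULL;
    owner->state = FAULTED;  server->state = WAITING;
}
/* Charge ticks to the context t runs on. Expiry inside a server raises a
 * temporal exception; expiry in the owner's own code only rate-limits it. */
int consume(thread_t *t, int ticks) {
    if (t->sc == NULL || t->state != RUNNING) return 0;
    t->sc->budget -= ticks;
    if (t->sc->budget > 0) return 1;
    t->sc->budget = 0;
    if (t->sc->owner != t) temporal_exception(t, t->sc->owner);
    else t->state = BLOCKED;
    return 1;
}
/* seL4_SetCriticality(HI): a LO context inside a HI server is rolled back
 * through the same exception path, then every LO thread is postponed. */
void set_criticality(enum crit c) {
    for (int i = 0; i < NT; i++) {
        thread_t *t = &threads[i], *o = t->sc ? t->sc->owner : NULL;
        if (o != NULL && o != t && o->crit < c) temporal_exception(t, o);
    }
    for (int i = 0; i < NT; i++)
        if (threads[i].crit < c && threads[i].sc != NULL) threads[i].state = POSTPONED;
}
static void reset(void) {
    thread_t init[NT] = { { "server", HI, WAITING, NULL },
                          { "A", HI, RUNNING, &sc_a }, { "B", LO, RUNNING, &sc_b } };
    memcpy(threads, init, sizeof init);
    sc_a = (sc_t){ &threads[1], 10 };  sc_b = (sc_t){ &threads[2], 3 };  temporal_exceptions = 0;
}
/* B's budget expires inside the server: the server is rolled back and A is
 * served. Returns the number of exceptions raised, -1 if a check fails. */
int scenario_budget_expiry(void) {
    reset();
    thread_t *server = &threads[0], *a = &threads[1], *b = &threads[2];
    if (!call(b, server) || !consume(server, 3)) return -1;            /* sc_b drained */
    if (server->state != WAITING || b->state != FAULTED || b->sc != &sc_b) return -1;
    if (!call(a, server) || !consume(server, 4) || !reply_wait(server, a)) return -1;
    return temporal_exceptions;
}
/* The system switches to HI while B (LO) is inside the HI server: the server
 * goes home, B is postponed and A is served. */
int scenario_mode_change(void) {
    reset();
    thread_t *server = &threads[0], *a = &threads[1], *b = &threads[2];
    if (!call(b, server) || !consume(server, 1)) return -1;            /* 2 ticks left */
    set_criticality(HI);
    if (server->state != WAITING || b->state != POSTPONED || a->state != RUNNING) return -1;
    if (!call(a, server) || !reply_wait(server, a)) return -1;
    return temporal_exceptions;
}
```

In both scenarios exactly one temporal exception is raised, and in both the HI client A is served by the rolled-back server without ever touching B's context.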
Summary: Resource sharing
• Multithreaded servers possible
• Budget expiry triggers temporal exceptions
– which can be used to rollback or help a server
• So does criticality change
– if lower criticality thread using server
Endgame
• Temporal isolation, asymmetric protection, safe bounded resource sharing achieved through scheduling contexts, criticality, temporal exceptions.
[Figure (slide 69): seL4 hosting untrusted, non-critical and trusted, critical components, with shared resources between them.]
References + Credits
References
• B. Blackham, Y. Shi, S. Chattopadhyay, A. Roychoudhury and G. Heiser. Timing analysis of a protected operating system kernel. In 32nd RTSS, pp. 339–348, Vienna, Austria, November, 2009.
• DO178B Standard. http://en.wikipedia.org/wiki/DO-178B.
• G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch and S. Winwood. seL4: Formal verification of an OS kernel. In 22nd SOSP, pp. 207–220, Big Sky, MT, USA, October, 2009.
• A. K. Mok. Fundamental Design Problems of Distributed Systems for the Hard Real-Time Environment. PhD thesis, 1983.
• T. Murray, D. Matichuk, M. Brassil, P. Gammie, T. Bourke, S. Seefried, C. Lewis, X. Gao and G. Klein. seL4: From general purpose to a proof of information flow enforcement. IEEE Symposium on Security and Privacy, pp. 415–429, San Francisco, CA, May, 2013.
• R. Rajkumar, K. Juvva, A. Molano and S. Oikawa. Resource kernels: a resource-centric approach to real-time and multimedia systems. In Readings in multimedia computing and networking, pp. 476–490. Morgan Kaufmann Publishers Inc., 2001. ISBN 1-55860-651-3. URL http://portal.acm.org.viviena.library.unsw.edu.au/citation.cfm?id=383915.
• U. Steinberg, A. Böttcher and B. Kauer. Timeslice donation in component-based systems. In Workshop on Operating System Platforms for Embedded Real-Time Applications (OSPERT), Brussels, Belgium, 2010.
• Fiasco. http://os.inf.tu-dresden.de/fiasco/overview.html
• G. Parmer. The case for thread migration: Predictable IPC in a customizable and reliable OS. In Workshop on Operating System Platforms for Embedded Real-Time Applications (OSPERT), Brussels, Belgium, July 2010.
Image + Font Credits
• Fonts sourced from Font Squirrel
• All other images are in the public domain (mostly from openclipart)