Gernot Heiser

Panel discussion and an extended Q&A session on the state of microkernel-based operating systems in 2021 and related topics. The panelists (in order of acceptance):

• Martin Decky (HelenOS, Huawei)
• Jakub Jermar (Kernkonzept, HelenOS)
• Norman Feske (Genode Labs)
• Julian Stecklina (Cyberus)
• Udo Steinberg (BedRock Systems)
• Matthias Lange (Kernkonzept)
• Gernot Heiser (seL4)

The discussion will smoothly evolve into the traditional and less formal "microkernel dinner". Please bring your own food and beverages.

Other people: Jakub Jermář Martin Děcký Norman Feske Julian Stecklina Udo Steinberg Matthias Lange

I will provide an update on developments in the seL4 ecosystem in the past 12 months. Highlights include the creation of the seL4 Foundation and some of its activities since, and the functional correctness proof of seL4 on the RISC-V architecture. I will also discuss our work on time protection, a principled and systematic approach to prevention of timing channels and on-going work on its formal verification.

I will give an overview of where seL4 stands today in terms of functionality, verification, ecosystem, deployment and community. The focus will be on what has happened in seL4 land over the past 12 months, which is a lot: seL4 Foundation, RISC-V support and introducing time protection.

The biggest news of the year is that we are in the process of setting up the seL4 Foundation, as an open, transparent and neutral organisation tasked with growing the seL4 ecosystem. It will bring together developers of the seL4 kernel, developers of seL4-based components and frameworks, and those deploying seL4-based systems. Its focus will be on coordinating, directing and standardising development of the seL4 ecosystem in order to reduce barriers to adoption, raising funds for accelerating development, and ensuring clarity of verification claims. I will report on the state of this.

The other big development is that we are closing in on completing verified seL4 on the open RISC-V architecture. This includes the functional correctness proof (that guarantees that the kernel is free of implementation bugs), the binary correctness proof (which guarantees that the compiler did not introduce bugs) and the tranition to the new mixed-criticality scheduling model, which supports the safe co-location of critical real-time software with untrusted components, even if the latter can preempt the former.

Finally, on the research side we have introduced the new concept of time protection (the temporal equivalent of the established memory protection) that allows us to systematically prevent information leakage through timing channels.

This talk will cover the developments of and around seL4 over the past 4 years, covering new and improved functionality for supporting mixed-criticality real-time systems, status and future of its formal verification, an overview of past and future deployments, and an assessment of the state of seL4's open-source ecosystem.

seL4 is the world's first (and still only real-world suitable) operating system (OS) kernel with a machine-checked, formal (mathematical) proof of implementation correctness. It has further proofs of security enforcement (the CIA properties of confidentiality, integrity and availability). It is also, the only protected-mode OS (as far as the open literature goes) with a complete and sound worst-case execution-time analysis, the key to supporting hard real-time applications.

Much has happened since I last talked about seL4 at FOSDEM 4 years ago, half a year after it had been open-sourced (GPL). In the meantime it has flown a full-size helicopter in autonomous mode while withstanding a cyber-attack (which easily succeeded when the chopper was running on Linux), driven autonomous trucks, and flown in space. It's in commercially developed security-critical systems in use in multiple defence forces and is making its way into commercial safety-critical systems.

Arguably, seL4's greatest weakness is a spartanic development environment and a paucity of components running on top, at the moment it's mostly BYO Ethernet driver and file system. We, the developers at Data61 have to accept some blame for that: we weren't sufficiently proactive in encouraging community contributions. Note that this was not because we don't want them, but simply because we were too busy.

We're in the process of changing that, in collaboration with the DARPA-funded US seL4 Center of Excellence, which is focussed on providing open-source tools and components on top of se4, but also provide development services to commercial users. On our end we are working on better documenting what is there, and what is maintained and by whom. We hope to encourage people to adopt existing userland components/tools and contribute further ones. A major enabler of this is a device-driver framework that defines driver interfaces and protocols. We hope to release this soon. The DARPA-sponsored first seL4 Summit held in Washington in Nov'18 with 140 attendees demonstrated the growing ecosystem and user base, including companies building frameworks for medical devices and autonomous vehicles. I hope this talk will also help to build the community.

On the research side, seL4 has made great progress in the past 4 years. It has been enhanced by a new scheduling model with capability-based control over time, arguably the first and only OS with a principled treatment of time as a resource, and the first able to support mixed-criticality real-time systems without sacrificing utilisation. This enhancement is presently undergoing verification, and lives in the MCS branch until verification is completed, after which it will become the mainline version.

The kernel's correctness and security proofs have grown to about 1 million lines (all open source) and have been maintained over ten years of evolution of the code base, now also including functional correctness on the x86 architecture. A RISC-V port is available and is undergoing formal verification as well. This is by far the larges, maintained proof base in the world, and has led to the new discipline of proof engineering to manage maintenance and evolution.

There is further work on pushing the mathematical guarantees into userland, especially the CAmkES component architecture and the Cogent language system, aimed at producing systems components (drivers, file systems, network stacks) that can be verified at a cost that is not far from that of traditional quality-assurance processes. Both frameworks are also open source (tools are GPLed while libraries are BSD). CAmkES is mature and in routine use for building secure systems, Cogent is still rapidly evolving, but is increasingly used by externals.

Finally we are working on ways for preventing information leakage through timing channels, considered an unsolvable problem by most.

seL4, a member of the L4 family of microkernels, and the world’s highest-assured operating system kernel, has recently joined the FLOSS community. This talk will provide an overview of what seL4 is, what it can and cannot do, and where we see it heading in the future.

I will start of briefly summarising the concept of a microkernel, and the core principles which characterise the L4 microkernel family. I will then introduce the core concepts of seL4, and what distinguishes it functionally from other L4 kernels.

What makes seL4 really special is its formal verification. I will explain what this is, and what exactly we have proved about seL4, and discuss what this means in practice, especially as far as security, safety and reliability are concerned. I will also indicate where we are planning to take seL4, i.e. a high-level summary of our on-going research and development projects.

Having covered the technical aspects, I will discuss the development process of the seL4 ecosystem, both past and present. I will specifically discuss the licensing status of various bits of this ecosystem, and how it is likely to develop. In particular I will indicate suggest the best way for the community to contribute to this ecosystem, and help develop it to the benefit of us all.

NOTE: Lecture will be provided via Skype