L4 microkernel family
L4, like its predecessor L3 microkernel, was created by German computer scientist Jochen Liedtke as a response to the poor performance of earlier microkernel-based operating systems. Liedtke felt that a system designed from the start for high performance, rather than other goals, could produce a microkernel of practical use. His original implementation in hand-coded Intel i386-specific assembly language code in 1993 sparked intense interest in the computer industry. Since its introduction, L4 has been developed for platform independence and also in improving security, isolation, and robustness.
There have been various re-implementations of the original binary L4 kernel interface (ABI) and its successors, including L4Ka::Pistachio (Uni Karlsruhe), L4/MIPS (UNSW), Fiasco (TU Dresden). For this reason, the name L4 has been generalized and no longer only refers to Liedtke's original implementation. It now applies to the whole microkernel family including the L4 kernel interface and its different versions.
A concept is tolerated inside the microkernel only if moving it outside the kernel, i.e., permitting competing implementations, would prevent the implementation of the system's required functionality.
In this spirit, the L4 microkernel provides few basic mechanisms: address spaces (abstracting page tables and providing memory protection), threads and scheduling (abstracting execution and providing temporal protection), and inter-process communication (for controlled communication across isolation boundaries).
An operating system based on a microkernel like L4 provides services as servers in user space that monolithic kernels like Linux or older generation microkernels include internally. For example, in order to implement a secure Unix-like system, servers must provide the rights management that Mach included inside the kernel.
The poor performance of first-generation microkernels, such as Mach, led a number of developers to re-examine the entire microkernel concept in the mid-1990s. The asynchronous in-kernel-buffering process communication concept used in Mach turned out to be one of the main reasons for its poor performance. This induced developers of Mach-based operating systems to move some time-critical components, like file systems or drivers, back inside the kernel. While this somewhat ameliorated the performance issues, it plainly violates the minimality concept of a true microkernel (and squanders their major advantages).
Detailed analysis of the Mach bottleneck indicated that, among other things, its working set is too large: the IPC code expresses poor spatial locality; that is, it results in too many cache misses, of which most are in-kernel. This analysis gave rise to the principle that an efficient microkernel should be small enough that the majority of performance-critical code fits into the (first-level) cache (preferably a small fraction of said cache).
Jochen Liedtke set out to prove that a well designed thinner IPC layer, with careful attention to performance and machine-specific (as opposed to platform independent) design could yield massive real-world performance improvements. Instead of Mach's complex IPC system, his L3 microkernel simply passed the message without any additional overhead. Defining and implementing the required security policies were considered to be duties of the user space servers. The role of the kernel was only to provide the necessary mechanism to enable the user-level servers to enforce the policies. L3, developed in 1988, proved itself a safe and robust operating system, used for many years for example by TÜV SÜD.
After some experience using L3, Liedtke came to the conclusion that several other Mach concepts were also misplaced. By simplifying the microkernel concepts even further he developed the first L4 kernel which was primarily designed with high performance in mind. In order to wring out every bit of performance the entire kernel was written in assembly language, and its IPC was 20 times faster than Mach's. Such dramatic performance increases are a rare event in operating systems, and Liedtke's work triggered new L4 implementations and work on L4-based systems at a number of universities and research institutes, including IBM, where Liedtke started to work in 1996, TU Dresden and UNSW. At IBM's Thomas J. Watson Research Center Liedtke and his colleagues continued research on L4 and microkernel based systems in general, especially the Sawmill OS.
In 1999, Liedtke took over the Systems Architecture Group at the University of Karlsruhe, where he continued the research into microkernel systems. As a proof of concept that a high performance microkernel could also be constructed in a higher level language, the group developed L4Ka::Hazelnut, a C++ version of the kernel that ran on IA-32- and ARM-based machines. The effort was a success — performance was still acceptable — and with its release the pure assembly language versions of the kernels were effectively discontinued.
In parallel to the development of L4Ka::Hazelnut, in 1998 the Operating Systems Group TUD:OS of the TU Dresden (Dresden University of Technology) started to develop their own C++ implementation of the L4 kernel interface, called L4/Fiasco. In contrast to L4Ka::Hazelnut, which does not allow concurrency in the kernel at all and its successor L4Ka::Pistachio, which allows interrupts in the kernel only at specific preemption points, L4/Fiasco was fully preemptible (with the exception of extremely short atomic operations) to achieve a low interrupt latency. This was considered necessary because L4/Fiasco is used as the basis of DROPS, a hard real-time capable operating system, also developed at the TU Dresden. However, the complexities of a fully preemptible design prompted later versions of Fiasco to return to the traditional L4 approach of running the kernel with interrupts disabled, except for a limited number of preemption points.
Up until the release of L4Ka::Pistachio and newer versions of Fiasco, all L4 microkernels had been inherently tied close to the underlying CPU architecture. The next big shift in L4 development was the development of a platform-independent API that still retained the high performance characteristics despite its higher level of portability. Although the underlying concepts of the kernel were the same, the new API provided many significant changes relative to previous L4 versions, including better support for multi-processor systems, looser ties between threads and address spaces, and the introduction of user-level thread control blocks (UTCBs) and virtual registers. After releasing the new L4 API (Version X.2 a.k.a. Version 4) in early 2001, the System Architecture Group at the University of Karlsruhe implemented a new kernel, L4Ka::Pistachio, completely from scratch, now with focus on both high performance as well as portability. It was released under the two-clause BSD license.
Newer Fiasco versions
The L4/Fiasco microkernel has also been extensively improved over the years. It now supports several hardware platforms ranging from x86 through AMD64 to several ARM platforms. Notably, a version of Fiasco (Fiasco-UX) can run as a user-level application on top of Linux.
L4/Fiasco implements several extensions to the L4v2 API. Exception IPC enables the kernel to send CPU exceptions to user-level handler applications. With the help of alien threads it is possible to perform fine-grained control over system calls. X.2-style UTCBs have been added. Furthermore, Fiasco contains mechanisms for controlling communication rights as well as kernel-level resource consumption. On top of Fiasco a collection of basic user level services are developed (called L4Env) that amongst others are used to para-virtualise current Linux version (4.19 as of May 2019) (called L4Linux).
University of New South Wales and NICTA
Development also took place at the University of New South Wales (UNSW), where developers implemented L4 on several 64-bit platforms. Their work resulted in L4/MIPS and L4/Alpha, resulting in Liedtke's original version being retrospectively named L4/x86. Like Liedtke's original kernels, the UNSW kernels (written in a mixture of assembly and C) were unportable and each implemented from scratch. With the release of the highly portable L4Ka::Pistachio, the UNSW group abandoned their own kernels in favor of producing highly tuned ports of L4Ka::Pistachio, including the fastest-ever reported implementation of message passing (36 cycles on the Itanium architecture). The group has also demonstrated that user-level device drivers can perform as well as in-kernel drivers, and developed Wombat, a highly portable version of Linux on L4 that runs on x86, ARM and MIPS processors. On XScale processors, Wombat demonstrates context-switching costs that are up to 50 times lower than in native Linux.
Later the UNSW group, at their new home at NICTA, forked L4Ka::Pistachio into a new L4 version called NICTA::L4-embedded. As the name implies, this was aimed at use in commercial embedded systems, and consequently the implementation trade-offs favored small memory footprints and aimed to reduce complexity. The API was modified to keep almost all system calls short enough that they do not need preemption points to ensure high real-time responsiveness.
In November 2005, NICTA announced that Qualcomm was deploying NICTA's L4 version on their Mobile Station Modem chipsets. This led to the use of L4 in mobile phone handsets on sale from late 2006. In August 2006, ERTOS leader and UNSW professor Gernot Heiser spun out a company called Open Kernel Labs (OK Labs) to support commercial L4 users and further develop L4 for commercial use under the brand name OKL4, in close collaboration with NICTA. OKL4 Version 2.1, released in April 2008, was the first generally available version of L4 which featured capability-based security. OKL4 3.0, released in October 2008, was the last open-source version of OKL4. More recent versions are closed source and based on a rewrite to support a native hypervisor variant called the OKL4 Microvisor. OK Labs also distributed a paravirtualized Linux called OK:Linux, a descendant of Wombat, as well as paravirtualized versions of SymbianOS and Android. OK Labs also acquired the rights to seL4 from NICTA.
Apple mobile application processors beginning with the A7 contain a Secure Enclave coprocessor running an L4 operating system based on the L4-embedded kernel developed at NICTA in 2006. This implies that L4 is now shipping on all iOS devices, the total shipment of which is estimated at 310 million for the year 2015.
High assurance: seL4
In 2006, the NICTA group commenced a from-scratch design of a third-generation microkernel, called seL4, with the aim of providing a basis for highly secure and reliable systems, suitable for satisfying security requirements such as those of Common Criteria and beyond. From the beginning, development aimed for formal verification of the kernel. To ease meeting the sometimes conflicting requirements of performance and verification, the team used a middle-out software process starting from an executable specification written in Haskell. seL4 uses capability-based access control to enable formal reasoning about object accessibility.
A formal proof of functional correctness was completed in 2009. The proof provides a guarantee that the kernel's implementation is correct against its specification, and implies that it is free of implementation bugs such as deadlocks, livelocks, buffer overflows, arithmetic exceptions or use of uninitialised variables. seL4 is claimed to be the first-ever general-purpose operating-system kernel that has been verified.
seL4 takes a novel approach to kernel resource management, exporting the management of kernel resources to user level and subjects them to the same capability-based access control as user resources. This model, which was also adopted by Barrelfish, simplifies reasoning about isolation properties, and was an enabler for later proofs that seL4 enforces the core security properties of integrity and confidentiality. The NICTA team also proved correctness of the translation from C to executable machine code, taking the compiler out of the trusted computing base of seL4. This implies that the high-level security proofs hold for the kernel executable. seL4 is also the first published protected-mode OS kernel with a complete and sound worst-case execution-time (WCET) analysis, a prerequisite for its use in hard real-time systems.
On 29 July 2014, NICTA and General Dynamics C4 Systems announced that seL4, with end to end proofs, was now released under open-source licenses. The kernel source and proofs are under GPLv2, and most libraries and tools are under the 2-clause BSD license.
The researchers state that the cost of formal software verification is lower than the cost of engineering traditional "high-assurance" software despite providing much more reliable results. Specifically, the cost of one line of code during the development of seL4 was estimated at around US$400, compared to US$1,000 for traditional high-assurance systems.
Under the DARPA High-Assurance Cyber Military Systems (HACMS) program, NICTA together with project partners Rockwell Collins, Galois Inc, the University of Minnesota and Boeing developed a high-assurance drone based on seL4, along with other assurance tools and software, with planned technology transfer onto the optionally piloted autonomous Unmanned Little Bird helicopter under development by Boeing. Final demonstration of the HACMS technology took place in Sterling, VA in April 2017. DARPA also funded several Small Business Innovative Research (SBIR) contracts related to seL4 under a program started by Dr. John Launchbury. Small businesses receiving an seL4-related SBIR included: DornerWorks, Techshot, Wearable Inc, Real Time Innovations, and Critical Technologies.
Other research and development
Osker, an OS written in Haskell, targeted the L4 specification; although this project focused on the use of a functional programming language for OS development, not on microkernel research per se.
CodeZero is an L4 microkernel targeting embedded systems with a focus on virtualization and implementation of native OS services. There is a GPL-licensed version, and a version that was relicensed by the developers as closed source and forked in 2010.
The NOVA OS Virtualization Architecture is a research project with focus on constructing a secure and efficient virtualization environment with a small trusted computing base. NOVA consists of a microhypervisor, a user level virtual-machine monitor, and an unprivileged componentised multi-server user environment running on top of it called NUL. NOVA runs on x86-based multi-core systems.
- "Hypervisor Products - General Dynamics Mission Systems". gdmissionsystems.com. Archived from the original on 15 November 2017. Retrieved 26 April 2018.
- "Open Kernel Labs Software Surpasses Milestone of 1.5 Billion Mobile Device Shipments" (Press release). Open Kernel Labs. January 19, 2012. Archived from the original on February 11, 2012.
- Liedtke, Jochen (December 1995). "On µ-Kernel Construction". Proc. 15th ACM Symposium on Operating Systems Principles (SOSP). pp. 237–250. Archived from the original on October 25, 2015.
- Liedtke, Jochen (December 1993). "Improving IPC by kernel design". 14th ACM Symposium on Operating System Principles. Asheville, NC, USA. pp. 175–88.
- Gefflaut, Alain; Jaeger, Trent; Park, Yoonho; Liedtke, Jochen; Elphinstone, Kevin; Uhlig, Volkmar; Tidswell, Jonathon; Deller, Luke; Reuther, Lars (2000). "The Sawmill multiserver approach". ACM SIGOPS European Workshop. Kolding, Denmark. pp. 109–114.
- "Archived copy". Archived from the original on 2011-08-07. Retrieved 2011-08-10.CS1 maint: archived copy as title (link)
- Gray, Charles; Chapman, Matthew; Chubb, Peter; Mosberger-Tang, David; Heiser, Gernot (April 2005). "Itanium—a system implementor's tale". USENIX Annual Technical Conference. Annaheim, CA, USA. pp. 264–278. Archived from the original on 2007-02-17.
- Leslie, Ben; Chubb, Peter; FitzRoy-Dale, Nicholas; Götz, Stefan; Gray, Charles; Macpherson, Luke; Potts, Daniel; Shen, Yueting; Elphinstone, Kevin; Heiser, Gernot (September 2005). "User-level device drivers: achieved performance". Journal of Computer Science and Technology. 20 (5): 654–664. CiteSeerX 10.1.1.59.6766. doi:10.1007/s11390-005-0654-4.
- van Schaik, Carl; Heiser, Gernot (January 2007). "High-performance microkernels and virtualisation on ARM and segmented architectures". 1st International Workshop on Microkernels for Embedded Systems. Sydney, Australia: NICTA. pp. 11–21. Archived from the original on 2015-03-01. Retrieved 2015-10-25.
- Ruocco, Sergio (October 2008). "A Real-Time Programmer's Tour of General-Purpose L4 Microkernels". EURASIP Journal on Embedded Systems. 2008: 1–14. doi:10.1155/2008/234710.
- "NICTA L4 Microkernel to be Utilised in Select QUALCOMM Chipset Solutions" (Press release). NICTA. November 24, 2005. Archived from the original on August 25, 2006.
- "Open Kernel Labs Automotive Virtualization Selected by Bosch for Infotainment Systems" (Press release). Open Kernel Labs. March 27, 2012. Archived from the original on July 2, 2012.
- "iOS Security" (PDF). Apple Inc. September 2015. Archived (PDF) from the original on 2016-02-27.
- Mandt, Tarjei; Solnik, Mathew; Wang, David (July 31, 2016). "Demystifying the Secure Enclave Processor" (PDF). BlackHat USA. Las Vegas, NV, USA. Archived (PDF) from the original on October 21, 2016.
- Elmer-DeWitt, Philip (October 28, 2014). "Forecast: Apple will ship 310 million iOS devices in 2015". Fortune. Archived from the original on September 27, 2015. Retrieved October 25, 2015.
- Derrin, Philip; Elphinstone, Kevin; Klein, Gerwin; Cock; David; Chakravarty, Manuel M. T. (September 2006). "Running the manual: an approach to high-assurance microkernel development". ACM SIGPLAN Haskell Workshop. Portland, Oregon. pp. 60–71.
- Klein, Gerwin; Elphinstone, Kevin; Heiser, Gernot; Andronick, June; Cock, David; Derrin, Philip; Elkaduwe, Dhammika; Engelhardt, Kai; Kolanski, Rafal; Norrish, Michael; Sewell, Thomas; Tuch, Harvey; Winwood, Simon (October 2009). "seL4: Formal verification of an OS kernel" (PDF). 22nd ACM Symposium on Operating System Principles. Big Sky, MT, USA. Archived (PDF) from the original on 2011-07-28.
- Elkaduwe, Dhammika; Derrin, Philip; Elphinstone, Kevin (April 2008). Kernel design for isolation and assurance of physical memory. 1st Workshop on Isolation and Integration in Embedded Systems. Glasgow, UK. doi:10.1145/1435458. Retrieved 2020-02-22.
- Klein, Gerwin; Andronick, June; Elphinstone, Kevin; Murray, Toby; Sewell, Thomas; Kolanski, Rafal; Heiser, Gernot (February 2014). "Comprehensive Formal Verification of an OS Microkernel". ACM Transactions on Computer Systems. 32 (1): 2:1–2:70. CiteSeerX 10.1.1.431.9140. doi:10.1145/2560537.
- "Secure operating system developed by NICTA goes open source" (Press release). NICTA. July 29, 2014. Archived from the original on March 15, 2016.
- Klein, Gerwin; Andronick, June; Elphinstone, Kevin; Murray, Toby; Sewell, Thomas; Kolanski, Rafal; Heiser, Gernot (2014). "Comprehensive formal verification of an OS microkernel" (PDF). ACM Transactions on Computer Systems. 32: 64. CiteSeerX 10.1.1.431.9140. doi:10.1145/2560537. Archived (PDF) from the original on 2014-08-03.
- on YouTube
- "DARPA selects Rockwell Collins to apply cybersecurity technology to new platforms" (Press release). Rockwell Collins. April 24, 2017. Archived from the original on May 11, 2017.
- "DARPA Agency Sponsor Dr. John Launchbury". SBIRSource. 2017. Archived from the original on September 29, 2017. Retrieved May 16, 2017.
- Hallgren, T.; Jones, M.P.; Leslie, R.; Tolmach, A. (2005). "A principled approach to operating system construction in Haskell" (PDF). Proceedings of the Tenth ACM SIGPLAN International Conference on Functional Programming. 40 (9): 116–128. doi:10.1145/1090189.1086380. ISSN 0362-1340. Archived (PDF) from the original on 2010-06-15. Retrieved 2010-06-24.
- "jserv/codezero: Codezero Microkernel". Archived from the original on 2015-08-15. Retrieved 2016-01-25.
- "Archived copy". Archived from the original on January 11, 2016. Retrieved January 25, 2016.CS1 maint: archived copy as title (link)
- Steinberg, Udo; Kauer, Bernhard (April 2010). "NOVA: A Microhypervisor-Based Secure Virtualization Architecture". EuroSys '10: Proceedings of the 5th European Conference on Computer Systems. Paris, France.
- Steinberg, Udo; Kauer, Bernhard (April 2010). "Towards a Scalable Multiprocessor User-level Environment". IIDS'10: Workshop on Isolation and Integration for Dependable Systems. Paris, France.
- Jochen Liedtke, Ulrich Bartling, Uwe Beyer, Dietmar Heinrichs, Rudolf Ruland, Gyula Szalay. Two years of experience with a μ-Kernel based OS, ACM Press 1991
- Liedtke, Jochen; Haeberlen, Andreas; Park, Yoonho; Reuther, Lars; Uhlig, Volkmar (2000-10-22). "Stub-Code Performance is Becoming Important". In Proceedings of the 1st Workshop on Industrial Experiences with Systems Software (WIESS), San Diego, CA, October 2000. Archived from the original (PDF) on 2006-09-05. Retrieved 2006-09-05. (on L4 kernel and compiler)
- Cheng Guanghui, Nicholas Mc Guire. L4/Fiasco/L4Linux Kickstart, Distributed & Embedded Systems Lab - Lanzhou University
- Elphinstone, Kevin; Heiser, Gernot (November 2013). "From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels?". 24th ACM SIGOPS Symposium on Operating Systems Principles. Farmington, PA, USA. pp. 133–150. Evolution of L4 design and implementation approaches
- Official website, L4Hq: L4 headquarters, community site for L4 projects
- The L4 microkernel family: Overview over L4 implementations, documentation and projects
- Official TUD:OS Wiki
- L4Ka: Implementations L4Ka::Pistachio and L4Ka::Hazelnut
- UNSW: Implementations for DEC Alpha and MIPS architecture
- OKL4: Commercial L4 version from Open Kernel Labs
- NICTA L4: Research Overview and Publications
- Trustworthy Systems Group at CSIRO's Data61: Present home of the former NICTA group that developed seL4
- Genode Operating System Framework: An offspring of the L4 community
- seL4: A highly secure and reliable system