





















| Architecture                                                   | Intra-core<br>Cycles | Inter-core<br>Cycles |
|----------------------------------------------------------------|----------------------|----------------------|
|                                                                |                      |                      |
| MIPS-64 100MHz dual core                                       | 109                  | 690                  |
| Pentium 3                                                      | 305                  |                      |
| AMD-64                                                         | 230                  |                      |
| Itanium 2                                                      | 36                   |                      |
| overhead generally within 20% of ssentially as fast as it gets | bare hardwai         | re cost              |













## L4 History: X.1 API Experimental "Version X" API Improved hardware abstraction Various experimental features (performance, security, generality) Portability experiments Implementations Pentium: assembler, Liedtke (IBM), 97–98 Proprietary Hazelnut (Pentium+ARM), C, Liedtke et al (Karlsruhe), 98–99 Open source (GPL)



UNSW

NICTA L4-embedded (N1) API, 05–06

Transitional API (aiming to support strong isolation/security).
De-featured (timeouts, "long" IPC, recursive mappings).
Reduced memory footprint for embedded systems

NICTA::Pistachio-embedded
Derived from L4KA::Pistachio
ARM7/9, x86, MIPS
unreleased (incomplete) ports to PPC 405, SPARC, Blackfin student projects
Open source (BSD License)

DISSW

OKL4 API

Further evolution of N1 API, NICTA::Pistachio-embedded code base

PiC control (information-flow control).

Kernel resource management

Commerciall-strength code base

Used in mobile phone handsets (presently >300M deployed).

Professional services for L4 users

Commercialisation of present NICTA microkernel research

SeL4 Project

Conducted by NICTA in close collaboration with OK
API suitable for highly secure systems (military, banking etc)
Complete control over communication and system resources
Proofs of security properties (Common Criteria)
Suitable for formal verification of implementation

Status:
Semi-formal specification in Haskell

"Executable spec": Haskell implementation plus ISA simulator
C-only implementation, performance at par with OKL4
Formal (machine-checked) proof of isolation properties
Drives on-going OKL4 API evolution
OKL4 2.1 release represents significant step towards seL4 security features
full capability model since early '09

Described Project

L4.verified Project

Conducted by NICTA in close collaboration with OK

Mathematical proof of implementation correctness ("bug-free kernel")

Machine-checked proofs

Closely linked with sel4 project

Never done before!

Status:

Proofs of several subsystems

Extensive proof libraries

Completed refinement to Haskell level (Dec '07)

most formally-verified general-purpose kernel ever

Completely verified kernel August '09

complete proof chain from security properties to C implementation





# Outline Introduction: What are microkernels? Microkernel Performance L4 History and Future Basic L4 concepts



















### L4 Exception Handling

## **UNSW**

- → Interrupts

  - Modelled as hardware "thread" sending messages
     Received by registered (user-level) interrupt-handler thread
     Interrupt acknowledged by handler via syscall (optionally waiting for next)
     Timer interrupt handled in-kernel
- Page Faults

  Kernel fakes IPC message from faulting thread to its pager

  Pager requests root task to set up a mapping

  Pager replies to faulting client, message intercepted by kernel

- Other Exceptions
   Kernel fakes IPC message from exceptor thread to its exception handler
   Exception handler may reply with message specifying new IP, SP
   Can be signal handler, emulation code, stub for IPCing to server, ...

### Features not in Kernel

**UNSW** 

- → System services (file systems, network stacks, ...)
- Implemented by user-level serves
   VM management
   Performed by user-level pagers

- Device drivers
   User-level threads registered for interrupt IPC
   Map device registers