Micro-core
The bigger the system, the more potential bugs, so the microkernel has an advantage in reducing bugs, and seL4 is one of the smallest cores in the world. But the performance of seL4 can be compared with the best-performing micro-cores today.
As a microkernel, SEL4 provides a small number of services to the application, such as the creation and management of virtual memory address space abstraction, threading and interprocess communication IPC. So little service is done by 8700 lines of c code. SeL4 is a new product of the high performance L4 Microkernel family, which has the services required by the operating system, such as threading, IPC, virtual memory, interrupts, etc.
Formal validation
In addition to the microkernel, another feature of SeL4 is complete formal validation.
The implementation of seL4 always strictly satisfies the protocol of the kernel behavior of the previous abstraction layer, it will not crash and perform unsafe operation in any case, even can deduce the behavior of seL4 in all cases accurately, it is remarkable.
The study found that common attack methods are not valid for seL4, such as cache overflow vulnerabilities often used by malicious programs.
Using the process-oriented language Haskell implements a kernel prototype, which is used to participate in formal validation, and finally, according to it, the kernel is re-implemented in C language as the final kernel. Incidentally, SeL4 has two Team,kernel team and verification team, and the two team is Haskell prototype.
In the process of developing the kernel with C, SeL4 has the following limitations for using C:
1. Stack variables must not be referenced and, if necessary, replace them with global variables
2. Disable function pointers
3. Union not supported
The formal verification (formal validation) of seL4 is divided into two steps: The abstract specification (Abstraction specification) and the executable specification (executable specification), executable Between specification and implementation (implementation). There are two broad methods for formal verification:model checking (fully automatic) and interactive mathematical proofs (interactive mathematical proof), which require manual operation. SeL4 validation is used in the form of mathematical proofs from Isabelle/hol, which belong to the latter.
Specifically, the formal verification step for SeL4:
1. Write the abstract specification (in Isabelle) of all Microkernel objects (kernel object), such as IPC, Syscall, dispatch, etc.
2. Write the executable specification (in Haskell) as above, and prove that it correctly realizes the first step of the abstract specification, using the principle of state machine, abstract Specification each step of the state transition, executable specification produces the only corresponding state transitions.
3. Write C implementation. Through a SML-written C-isabelle converter, and the Haskabelle joint form to prove that the C code and the second step of the Haskell definition of the same semantics.
The implementation of SEL4 is proved to be bug-free(no bug), such as buffer overflow, null pointer exception, etc. Another point is that the C code is converted into binary code that can be run directly on the hardware, and seL4 can ensure that the conversion process is not error-safe. SeL4 is the world's first (and now also the only) OS that has been proven to be secure from a strong degree.
SeL4 is the first, and still only, Protected-mode OS kernel with a sound and complete timeliness analysis. Among others this means, it has provable upper bounds on interrupt latencies (as well as latencies of any other kernel Operations). It's therefore the only kernel with memory protection, which can give you hard real-time guarantees. From this paragraph of English can be seen, seL4 hard real-time very strong.
In fact, the OS Verification (verification) began 40 years ago, and seL4 is exciting, one is that it has a strong attribute (properties): Functional correctness (functional correctness), Integrity (integrity) and confidentiality (confidentiality), the second is that these properties have been validated to the code level, first C, and now binary. Compared to the previous verification of the OS, SeL4 did more thorough, but it is through the work of predecessors, seL4 can be so excellent.
Kernel details
SeL4 's API call is in two steps: First, checking, validates the parameter, and then determines whether the call is authorized to execute; Second, execute, execute the call, and never fail.
The combined checking phases of all kernel calls is a substantial fraction of the kernel. It appears that checking the kernel calls is a very important part.
Next, let's look at kernel objects:
- Cnodes is used to store capabilities, giving the thread permission to invoke methods on an object
- The thread Control Blocks represents the execution of threads
- IPC endpoints facilitates inter-threading communication
- Virtual address space Objects to create the dummy addresses for one or more threads
- Interrupt Objects allows applications to receive and confirm interrupts from hardware devices
- Untyped memory It's the cornerstone of the seL4 RAM allocation.
Let's get to know an OS and its memory management is essential. The memory allocation module can be independently verified. All references to this memory must be invalid before re-using a piece of memory. SeL4 does not dynamically allocate memory for kernel objects, and kernel objects are created by the application-controlled memory area through untyped memory, which allows for precise control over the physical memory used by the application and the isolation of physical memory between programs and programs.
SeL4 is a single-core stack of operating systems, during the boot-up period, SEL4 will pre-allocate memory for kernel-required memory such as code area, data area and stack.
SeL4 implements a capability-based access control model . Each user-space thread has an associated capability space (CSpace) that contains the capabilities that the thread handles, which means it manages the resources that the thread accesses.
CNode has some slots that require 16 bytes of physical memory per slot, which can save exactly one capability. Like other objects, Cnode must be created by SeL4 untyped retype () in the appropriate amount of untyped memory.
SeL4 describes a thread with the TCB(thread control block), each TCB to a cspace and vspace (which can be shared with other threads), and a TCB typically has an IPC buffer.
SEL4 provides a messaging mechanism for communication between threads.
The SeL4 employs a preemptive rotation scheduling mechanism of 256 priority, when one thread creates or modifies another thread, it can only set the priority of the other to be lower or the same as it, with the thread priority using the function SeL4 TCB Configure () and SeL4 TCB SetPriority () to set.
Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.
Open source Micro Core seL4 microkernel