Abstract
Multi- and many-core processors are becoming increasingly popular in embedded systems. Many of these processors now feature hardware virtualization capabilities, as found on the ARM Cortex A15 and on x86 architectures with Intel VT-x or AMD-V support. Hardware virtualization provides a way to partition physical resources, including processor cores, memory, and I/O devices, among guest virtual machines (VMs). Each VM is then able to host tasks of a specific criticality level, as part of a mixed-criticality system with different timing and safety requirements. However, traditional virtual machine systems are inappropriate for mixed-criticality computing. They use hypervisors to schedule separate VMs on physical processor cores. The cost of trapping into a hypervisor to multiplex and manage machine physical resources on behalf of separate guests is too high for many time-critical tasks. Additionally, traditional hypervisors have memory footprints that are often too large for many embedded computing systems. In this article, we discuss the design of the Quest-V separation kernel, which partitions services of different criticality levels across separate VMs, or sandboxes. Each sandbox encapsulates a subset of machine physical resources that it manages without requiring intervention from a hypervisor. In Quest-V, a hypervisor is only needed to bootstrap the system, recover from certain faults, and establish communication channels between sandboxes. This not only reduces the memory footprint of the most privileged protection domain but also removes it from the control path during normal system operation, thereby heightening security.