research-article

L4 Microkernels: The Lessons from 20 Years of Research and Deployment

Authors:
Gernot Heiser

NICTA and UNSW, Sydney, Australia

NICTA and UNSW, Sydney, Australia
View Profile

,
Kevin Elphinstone

NICTA and UNSW, Sydney, Australia

NICTA and UNSW, Sydney, Australia
View Profile

Authors Info & Claims

ACM Transactions on Computer Systems Volume 34 Issue 1Article No.: 1pp 1–29https://doi.org/10.1145/2893177

Published:06 April 2016Publication History

ACM Transactions on Computer Systems

Abstract

The L4 microkernel has undergone 20 years of use and evolution. It has an active user and developer community, and there are commercial versions that are deployed on a large scale and in safety-critical systems. In this article we examine the lessons learnt in those 20 years about microkernel design and implementation. We revisit the L4 design articles and examine the evolution of design and implementation from the original L4 to the latest generation of L4 kernels. We specifically look at seL4, which has pushed the L4 model furthest and was the first OS kernel to undergo a complete formal verification of its implementation as well as a sound analysis of worst-case execution times. We demonstrate that while much has changed, the fundamental principles of minimality, generality, and high inter-process communication (IPC) performance remain the main drivers of design and implementation decisions.

References

Mike Accetta, Robert Baron, William Bolosky, David Golub, Richard Rashid, Avadis Tevanian, and Michael Young. 1986. Mach: A new kernel foundation for UNIX development. In Proceedings of the 1986 Summer USENIX Technical Conference. US, 93--112.Google Scholar
Michael T. Alexander. 1972. Organization and features of the Michigan terminal system. In AFIPS Conference Proceedings, 1972 Spring Joint Computer Conference. 585--591.Google Scholar
Apple Inc. 2015. iOS security--iOS 9.0 or later. https://www.apple.com/business/docs/iOS Security Guide.pdf, September 2015.Google Scholar
Andrew Baumann, Paul Barham, Pierre-Evariste Dagand, Tim Harris, Rebecca Isaacs, Simon Peter, Timothy Roscoe, Adrian Schüpbach, and Akhilesh Singhania. 2009. The multikernel: A new OS architecture for scalable multicore systems. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles.Google ScholarDigital Library
Bernard Blackham and Gernot Heiser. 2012. Correct, fast, maintainable choose any three&excl; In Proceedings of the Asia-Pacific Workshop on Systems (APSys). 7.Google Scholar
Bernard Blackham, Yao Shi, Sudipta Chattopadhyay, Abhik Roychoudhury, and Gernot Heiser. 2011. Timing analysis of a protected operating system kernel. In Proceedings of the IEEE Real-Time Systems Symposium. 339--348.Google ScholarDigital Library
Bernard Blackham, Yao Shi, and Gernot Heiser. 2012. Improving interrupt response time in a verifiable protected microkernel. In Proceedings of the EuroSys Conference. 323--336.Google ScholarDigital Library
Per Brinch Hansen. 1970. The nucleus of a multiprogramming operating system. Commun. ACM 13 (1970), 238--250.Google ScholarDigital Library
Alan C. Bromberger, A. Peri Frantz, William S. Frantz, Ann C. Hardy, Norman Hardy, Charles R. Landau, and Jonathan S. Shapiro. 1992. The KeyKOS nanokernel architecture. In Proceedings of the USENIX Workshop on Microkernels and Other Kernel Architectures. 95--112.Google Scholar
J. Bradley Chen and Brian N. Bershad. 1993. The impact of operating system structure on memory system performance. In Proceedings of the 14th ACM Symposium on Operating Systems Principles. 120--133.Google Scholar
Michael Condict, Don Bolinger, Dave Mitchell, and Eamonn McManus. 1994. Microkernel Modularity with Integrated Kernel Performance. Technical report. OSF Research Institute.Google Scholar
Jack B. Dennis and Earl C. Van Horn. 1966. Programming semantics for multiprogrammed computations. Commun. ACM 9 (1966), 143--155.Google ScholarDigital Library
Dhammika Elkaduwe, Philip Derrin, and Kevin Elphinstone. 2008. Kernel design for isolation and assurance of physical memory. In Proceedings of the 1st Workshop on Isolation and Integration in Embedded Systems.Google ScholarDigital Library
Keir Fraser, Steven Hand, Rolf Neugebauer, Ian Pratt, Andrew Warfield, and Mark Williamson. 2004. Safe hardware access with the Xen virtual machine monitor. In Proceedings of the 1st Workshop on Operating System and Architectural Support for the On-Demand IT Infrastructure (OASIS).Google Scholar
Eran Gabber, Christopher Small, John Bruno, José Brustoloni, and Avi Silberschatz. 1999. The Pebble component-based operating system. In Proceedings of the 1999 USENIX Annual Technical Conference. 267--282.Google Scholar
Charles Gray, Matthew Chapman, Peter Chubb, David Mosberger-Tang, and Gernot Heiser. 2005. Itanium—a system implementor’s tale. In Proceedings of the 2005 USENIX Annual Technical Conference. 264--278.Google Scholar
Andreas Haeberlen. 2003. Managing Kernel Memory Resources from User Level. Diploma Thesis. Dept of Computer Science, University of Karlsruhe. http://os.ibds.kit.edu/english/97_639.php.Google Scholar
Norman Hardy. 1985. KeyKOS architecture. ACM Operating Systems Review 19, 4 (Oct. 1985), 8--25.Google ScholarDigital Library
Hermann Härtig, Robert Baumgartl, Martin Borriss, Claude-Joachim Hamann, Michael Hohmuth, Frank Mehnert, Lars Reuther, Sebastian Schönberg, and Jean Wolter. 1998. DROPS—OS support for distributed multimedia applications. In Proceedings of the 8th SIGOPS European Workshop.Google Scholar
Hermann Härtig, Michael Hohmuth, Jochen Liedtke, Sebastian Schönberg, and Jean Wolter. 1997. The performance of μ-kernel-based systems. In Proceedings of the 16th ACM Symposium on Operating Systems Principles. 66--77.Google ScholarDigital Library
Hermann Härtig and Michael Roitzsch. 2006. Ten years of research on L4-based real-time systems. In Proceedings of the 8th Real-Time Linux Workshop.Google Scholar
Gernot Heiser. 2009. The Motorola Evoke QA4: A Case Study in Mobile Virtualization. White paper. Open Kernel Labs. Retrieved from https://www.researchgate.net/profile/Gernot_Heiser/publication/242743911_The_Motorola_Evoke_QA4_A_Case_Study_in_Mobile_Virtualization/links/00b7d53acc2c9d970d000000.pdf.Google Scholar
Gernot Heiser, Etienne Le Sueur, Adrian Danis, Aleksander Budzynowski, Tudor-Ioan Salomie, and Gustavo Alonso. 2013. RapiLog: Reducing system complexity through verification. In Proceedings of the EuroSys Conference. 323--336.Google ScholarDigital Library
Gernot Heiser and Ben Leslie. 2010. The OKL4 microvisor: Convergence point of microkernels and hypervisors. In Proceedings of the Asia-Pacific Workshop on Systems (APSys). 19--24.Google ScholarDigital Library
Michael Hohmuth and Hermann Härtig. 2001. Pragmatic nonblocking synchronization for real-time systems. In Proceedings of the 2001 USENIX Annual Technical Conference.Google ScholarDigital Library
Michael Hohmuth and Hendrik Tews. 2005. The VFiasco approach for a verified operating system. In Proceedings of the 2nd Workshop on Programming Languages and Operating Systems (PLOS).Google Scholar
Trent Jaeger, Kevin Elphinstone, Jochen Liedtke, Vsevolod Panteleenko, and Yoonho Park. 1999. Flexible access control using IPC redirection. In Proceedings of the 7th Workshop on Hot Topics in Operating Systems.Google ScholarCross Ref
J. Leslie Keedy. 1979. On the Programming of Device Drivers for In-Process Systems. Monads Report 5. Dept. of Computer Science, Monash University, Clayton VIC, AU.Google Scholar
Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas Sewell, Rafal Kolanski, and Gernot Heiser. 2014. Comprehensive formal verification of an OS microkernel. ACM Trans. Comput. Syst. 32, 1 (Feb. 2014), 2:1--2:70.Google ScholarDigital Library
Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. 2009. seL4: Formal verification of an OS kernel. In Proceedings of the ACM Symposium on Operating Systems Principles. 207--220.Google ScholarDigital Library
Adam Lackorzynski and Alexander Warg. 2009. Taming subsystems: Capabilities as universal resource access control in L4. In Proceedings of the 2nd Workshop on Isolation and Integration in Embedded Systems. 25--30.Google ScholarDigital Library
Adam Lackorzynski, Alexander Warg, Marcus Völp, and Hermann Härtig. 2012. Flattening hierarchical scheduling. In Proceedings of the International Conference on Embedded Software. 93--102.Google ScholarDigital Library
Ben Leslie, Peter Chubb, Nicholas FitzRoy-Dale, Stefan Götz, Charles Gray, Luke Macpherson, Daniel Potts, Yueting (Rita) Shen, Kevin Elphinstone, and Gernot Heiser. 2005a. User-level device drivers: Achieved performance. J. Comput. Sci. Technol. 20, 5 (Sept. 2005), 654--664.Google ScholarCross Ref
Ben Leslie, Carl van Schaik, and Gernot Heiser. 2005b. Wombat: A portable user-mode Linux for embedded systems. In 6th Linux.conf.au. Canberra.Google Scholar
Roy Levin, Ellis S. Cohen, William M. Corwin, Fred J. Pollack, and William A. Wulf. 1975. Policy/mechanism separation in HYDRA. In Proceedings of the 5th ACM Symposium on Operating Systems Principles. 132--140.Google Scholar
Jochen Liedtke. 1993a. Improving IPC by kernel design. In Proceedings of the 14th ACM Symposium on Operating Systems Principles. 175--188.Google ScholarDigital Library
Jochen Liedtke. 1993b. A persistent system in real use: Experience of the first 13 years. In Proceedings of the 3rd IEEE International Workshop on Object Orientation in Operating Systems (IWOOOS). IEEE, 2--11.Google ScholarCross Ref
Jochen Liedtke. 1995. On μ-kernel construction. In Proceedings of the 15th ACM Symposium on Operating Systems Principles. 237--250.Google Scholar
Jochen Liedtke. 1996. Towards real microkernels. Commun. ACM 39, 9 (Sept. 1996), 70--77.Google ScholarDigital Library
Jochen Liedtke, Ulrich Bartling, Uwe Beyer, Dietmar Heinrichs, Rudolf Ruland, and Gyula Szalay. 1991. Two years of experience with a μ-kernel based OS. ACM Operat. Syst. Rev. 25, 2 (April 1991), 51--62.Google ScholarDigital Library
Jochen Liedtke, Kevin Elphinstone, Sebastian Schönberg, Herrman Härtig, Gernot Heiser, Nayeem Islam, and Trent Jaeger. 1997a. Achieved IPC performance (still the foundation for extensibility). In Proceedings of the 6th Workshop on Hot Topics in Operating Systems. 28--31.Google ScholarCross Ref
Jochen Liedtke, Nayeem Islam, and Trent Jaeger. 1997b. Preventing denial-of-service attacks on a μ-kernel for WebOSes. In Proceedings of the 6th Workshop on Hot Topics in Operating Systems. IEEE, 73--79.Google Scholar
Steven B. Lipner. 1975. A comment on the confinement problem. In Proceedings of the 5th ACM Symposium on Operating Systems Principles. ACM, 192--196.Google ScholarDigital Library
Richard J. Lipton and Lawrence Snyder. 1977. A linear time algorithm for deciding subject security. J. ACM 24, 3 (1977), 455--464.Google ScholarDigital Library
Anna Lyons and Gernot Heiser. 2014. Mixed-criticality support in a high-assurance, general-purpose microkernel. In Proceedings of the Workshop on Mixed Criticality Systems. 9--14.Google Scholar
Paul E. McKenney, Dipankar Sarma, Andrea Arcangelli, Andi Kleen, Orran Krieger, and Rusty Russell. 2002. Read copy update. In Proceedings of the Ottawa Linux Symposium.Google Scholar
Toby Murray, Daniel Matichuk, Matthew Brassil, Peter Gammie, Timothy Bourke, Sean Seefried, Corey Lewis, Xin Gao, and Gerwin Klein. 2013. seL4: From general purpose to a proof of information flow enforcement. In Proceedings of the IEEE Symposium on Security and Privacy. 415--429.Google ScholarDigital Library
Roger M. Needham and R. D. H. Walker. 1977. The Cambridge CAP computer and its protection system. In Proceedings of the 6th ACM Symposium on Operating Systems Principles. ACM, New York, NY, 1--10.Google ScholarDigital Library
Michael Norrish. 1998. C Formalised in HOL. Ph.D. Dissertation. University of Cambridge Computer Laboratory.Google Scholar
Abi Nourai. 2005. A Physically-Addressed L4 Kernel. BE Thesis. School of Computer Science and Engineering, Sydney, Australia. Available from publications page at http://ssrg.nicta.com.au/.Google Scholar
John K. Ousterhout. 1990. Why aren’t operating systems getting faster as fast as hardware? In Proceedings of the 1990 Summer USENIX Technical Conference. 247--56.Google Scholar
Sean Peters, Adrian Danis, Kevin Elphinstone, and Gernot Heiser. 2015. For a microkernel, a big lock is fine. In Proceedings of the Asia-Pacific Workshop on Systems (APSys).Google ScholarDigital Library
Kaushik Kumar Ram, Jose Renato Santos, and Yoshio Turner. 2010. Redesigning Xen’s memory sharing mechanism for safe and efficient I/O virtualization. In Proceedings of the 2nd Workshop on I/O Virtualization.Google ScholarDigital Library
Richard Rashid, Avadis Tevanian, Jr., Michael Young, David Golub, Robert Baron, David Black, William J. Bolosky, and Jonathan Chew. 1988. Machine-independent virtual memory management for paged uniprocessor and multiprocessor architectures. IEEE Trans. Comput. C-37 (1988), 896--908.Google Scholar
Thomas Sewell, Simon Winwood, Peter Gammie, Toby Murray, June Andronick, and Gerwin Klein. 2011. seL4 enforces integrity. In Proceedings of the International Conference on Interactive Theorem Proving. 325--340.Google ScholarCross Ref
Jonathan S. Shapiro. 2003. Vulnerabilities in synchronous IPC designs. In Proceedings of the IEEE Symposium on Security and Privacy.Google ScholarCross Ref
Jonathan S. Shapiro, Jonathan M. Smith, and David J. Farber. 1999. EROS: A fast capability system. In Proceedings of the 17th ACM Symposium on Operating Systems Principles. US, 170--185.Google Scholar
Livio Soares and Michael Stumm. 2010. FlexSC: Flexible system call scheduling with exception-less system calls. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation.Google Scholar
Udo Steinberg. 2013. Personal communication.Google Scholar
Udo Steinberg and Bernhard Kauer. 2010. NOVA: A microhypervisor-based secure virtualization architecture. In Proceedings of the 5th EuroSys Conference. 209--222.Google ScholarDigital Library
Udo Steinberg, Jean Wolter, and Hermann Härtig. 2005. Fast component interaction for real-time systems. In Euromicro Conference on Real-Time Systems. Palma de Mallorca, ES, 89--97.Google ScholarDigital Library
Andrew S. Tanenbaum. 2016. Lessons learned from 30 years of MINIX. Commun. ACM 59, 3 (2016), 70--78.Google ScholarDigital Library
Volkmar Uhlig. 2005. Scalability of Microkernel-Based Systems. Ph.D. Dissertation. University of Karlsruhe, Karlsruhe, Germany.Google Scholar
Michael von Tessin. 2012. The clustered multikernel: An approach to formal verification of multiprocessor OS kernels. In 2nd Workshop on Systems for Future Multi-core Architectures. Bern, Switzerland, 1--6.Google Scholar
Michael von Tessin. 2013. The Clustered Multikernel: An Approach to Formal Verification of Multiprocessor Operating-System Kernels. Ph.D. Thesis. School of Computer Science and Engineering, UNSW, Sydney, Australia.Google Scholar
Matthew Warton. 2005. Single Kernel Stack L4. BE Thesis. School of Computer Science and Engineering, Sydney, Australia.Google Scholar
Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. 2011. Making information flow explicit in HiStar. Commun. ACM 54, 11 (Nov. 2011), 93--101.Google ScholarDigital Library

Index Terms

L4 Microkernels: The Lessons from 20 Years of Research and Deployment
1. Software and its engineering
  1. Software creation and management
    1. Designing software
  2. Software organization and properties
    1. Contextual software domains
      1. Operating systems

Recommendations

From L3 to seL4 what have we learnt in 20 years of L4 microkernels?
SOSP '13: Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles

The L4 microkernel has undergone 20 years of use and evolution. It has an active user and developer community, and there are commercial versions which are deployed on a large scale and in safety-critical systems. In this paper we examine the lessons ...
Read More
seL4: formal verification of an OS kernel
SOSP '09: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles

Complete formal verification is the only known way to guarantee that a system is free of programming errors.

We present our experience in performing the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to ...
Read More
Comprehensive formal verification of an OS microkernel

We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel.

We discuss the kernel design we used to make its verification tractable. We then describe the functional ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Computer Systems Volume 34, Issue 1
April 2016
91 pages
ISSN:0734-2071
EISSN:1557-7333
DOI:10.1145/2912578
Editor:
Todd C. Mowry
Carnegie Mellon University, Pittsburgh, PA
Issue’s Table of Contents
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 6 April 2016
- Accepted: 1 November 2015
- Received: 1 September 2015
Published in tocs Volume 34, Issue 1

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
IPC
L4
Microkernels
formal verification
message passing
minimality
performance
real time
seL4
virtualization
worst-case execution time
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 48
  Total Citations
  View Citations
- 1,503
  Total Downloads
- Downloads (Last 12 months)138
- Downloads (Last 6 weeks)22
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

L4 Microkernels: The Lessons from 20 Years of Research and Deployment

ACM Transactions on Computer Systems

Abstract

References

Cited By

Index Terms

Recommendations

From L3 to seL4 what have we learnt in 20 years of L4 microkernels?

seL4: formal verification of an OS kernel

Comprehensive formal verification of an OS microkernel

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

L4 Microkernels: The Lessons from 20 Years of Research and Deployment

ACM Transactions on Computer Systems

Abstract

References

Cited By

Index Terms

Recommendations

From L3 to seL4 what have we learnt in 20 years of L4 microkernels?

seL4: formal verification of an OS kernel

Comprehensive formal verification of an OS microkernel

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media