The eChronos project @ TS and Breakaway

Outline

In collaboration with Breakaway Consulting, the eChronos project builds and formally verifies, a small, versatile, high-assurance real-time operating system (OS) for embedded micro-controllers. In contrast to other OS work at TS, the eChronos RTOS is for tightly constrained devices without memory management units. Current implementations are available for ARM Cortex M3/M4/M7, PowerPC e500 and Intel 80251 micro-controllers. The RTOS also runs on POSIX platforms (e.g., Linux, MacOS-X, Windows with cygwin or MinGW) for rapid prototyping.

License

The eChronos RTOS is open source, available github. For separate commercial licenses, please contact us (see below).

Deployment

On modern powerful embedded hardware, like in smartphones, OS kernels such as TS's formally verified seL4 kernel can provide isolation and gatekeeper functionality — controlling what the user-level programs can do with the hardware, or with other programs. For instance, it could stop a malicious app from crashing your smartphone.

On less powerful hardware — such as small medical implant devices, extremely resource-constrained spacecraft, or simple logic controllers used in industrial plants — such gatekeeper functionality is not possible. Instead, these systems run small, so-called real-time operating systems (RTOS) such as the eChronos RTOS. The constrained nature of the hardware devices the RTOS runs on makes it even more challenging to provide assurance and evidence that it works reliably.

The eChronos RTOS is also used on the flight-control processor of the DARPA-funded SMACCM project's research vehicle.

News

Jan 2018: Memory protection support in the eChronos RTOS was presented at LCA 2018: Sane Behaviour on Teeny Hardware
Aug 2016: Paper on scheduling proof published.
Feb 2016: the eChronos RTOS at LCA:
- Tutorial: The eChronos Real-Time Operating System — Just what you want, when you want it
- Hardware projects using eChronos and lwIP: toward high-assurance IoT
Aug 2015: Released under AGPLv3, available on github.
Feb 2014: Formal verification of code-level assertions completed by model checking.
Jan 2014: the eChronos RTOS flies the SMACCMPilot quadcopter and at the DARPA HACMS demo day.
Oct 2013: Functional C implementation verification starts on eChronos RTOS code.
Sep 2013: Example code for PX4 board shipped to project partners.
Sep 2013: Version 0.0.2 shipped to project partners, support for preemption, semaphores, and strict priority scheduling.
Apr 2013: Version 0.0.1 shipped to project partners for QEMU and STMF32 discovery board.
Apr 2013: Proved a number of higher-level properties about the eChronos RTOS specification: schedule fairness and signal handling.
Nov 2012: First version of a formal functional specification complete.

Technical Overview

Problem: Modern critical systems — such as medical devices and car braking systems — rely on software. At the heart of these devices sit real-time operating systems such as the eChronos RTOS.

Software at this level can lead to injury or damage or worse. So it is important that such software be reliable and safe, and it is essential to ensure that it performs precisely as intended.
Approach: Formal machine-checked verification of the eChronos RTOS, initially for functional correctness, later also for worst-case execution time.
eChronos RTOS functionality:

The eChronos RTOS is highly configurable and comes in multiple variants, so only the functionality that is actually needed runs on the device.
- Suitable for devices with constrained resources
- Tasks: user defined, perform syscalls
- Scheduler: round robin or strict priorities
- Multithreading: cooperative or preemptive
- Signals: tasks send and wait for signals
- Interrupts: interrupt handlers raise events
- Synchronisation: mutex and semaphore modules

Availability

The eChronos RTOS is open source, available on github.

The eChronos RTOS is also available for commercial deployment. For separate commercial licenses, please contact us (see below) for further information.

People

Past

Adrian Danis
Alexander Kroh
Ben Leslie
Corey Lewis
Gerwin Klein
Ihor Kuz
Robert Sison
Seb Holzapfel

Publications

		Darren Cofer, John Backes, Andrew Gacek, Daniel DaCosta, Michael Whalen, Ihor Kuz, Gerwin Klein, Gernot Heiser, Lee Pike, Adam Foltzer, Michael Podhradsky, Douglas Stuart, Jason Graham and Brett Wilson Secure mathematically-assured composition of control models Technical Report, Data61, CSIRO, September, 2017
		June Andronick, Corey Lewis, Daniel Matichuk, Carroll Morgan and Christine Rizkallah Proof of OS scheduling behavior in the presence of interrupt-induced concurrency International Conference on Interactive Theorem Proving, pp. 52–68, Nancy, France, August, 2016
		June Andronick, Corey Lewis and Carroll Morgan Controlled Owicki-Gries concurrency: reasoning about the preemptible eChronos embedded operating system Workshop on Models for Formal Analysis of Real Systems (MARS 2015), pp. 10–24, Suva, Fiji, November, 2015

Trustworthy Systems