Trustworthy Systems

Challenges of temporal isolation

Authors

Gernot Heiser

    School of Computer Science and Engineering
    UNSW,
    Sydney 2052, Australia

Published:

Invited Dagstuhl Seminar

Abstract

Spatial isolation is well-supported by present hardware and software, e.g. the seL4 microkernel has been proved to support spatial isolation, including the absence of covert storage channels. While the formal arguments about seL4 presently only apply to a single-core version, the extension of its functional verification to multicore hardware is in progress, and unlikely to produce issues in terms of spatial isolation.

In contrast, temporal isolation is not only harder to verify, but hardware is also becoming less predictable, thanks to an increasing number of performance-enhancement tricks, generally based on some form of caching and dynamic scheduling of resources. This makes it increasingly difficult, and in some cases impossible, to bound and control non-determinism.

I argue that computer architects have essentially abandoned the instruction-set architecture (ISA) as the contract between hardware and software: by just referring to the ISA, it is impossible to guarantee safety (timeliness) and security (absence of timing channels).

I argue further that it is hopeless to address this problem unless architects agree to a usable contract, i.e. extend the ISA so that timing effects become visible (and thus analysable) or controllable.

In particular, there must be time bounds on all operations. In practice, bounding each individual operation (instruction) may not be enough, as this will lead to massively pessimistic bounds. As future hardware will never be fully utilisable (e.g. one cannot run all cores because they will overheat), this pessimism may be tolerable in many cases. In others, enough information must be available so that it is at least possible to obtain realistic bounds on the execution time of groups of operations, giving software the opportunity to re-introduce determinism at a higher level.

Examples are the variations in execution time produced by shared state, such as the various forms of caches and interconnects, which break isolation. Establishing safety requires the ability to bound these variations. Establishing security is harder, as it requires establishing determinism, at least at some coarse granularity. This is possible as long as the hardware provides mechanisms to either partition or flush (with bounded latency) any such shared state.
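To make the preceding argument concrete, the following is an added toy model (not code from the paper, from seL4 or from Trustworthy Systems) of a set-associative cache shared by two domains. The receiver's measured time depends on what the sender did before it, unless the cache is either partitioned between domains or flushed with bounded latency on every domain switch; the cache geometry and cycle costs are constructed.

```python
HIT_COST, MISS_COST = 1, 20       # constructed cycle costs for a hit and a miss
SETS, WAYS, LINE = 4, 4, 64       # constructed cache geometry (bytes per line)


class Cache:
    """Set-associative LRU cache shared by two domains (0 = sender, 1 = receiver)."""

    def __init__(self, partition=False, flush_on_switch=False):
        self.partition, self.flush_on_switch = partition, flush_on_switch
        self.sets = {}          # key -> list of tags, most recently used last
        self.current = None     # domain currently running

    def switch_to(self, domain):
        # Flushing on every switch costs a bounded, constant latency and
        # leaves no shared state behind; partitioning needs no flush at all.
        if self.flush_on_switch and domain != self.current:
            self.sets.clear()
        self.current = domain

    def access(self, addr):
        idx = (addr // LINE) % SETS
        tag = addr // (LINE * SETS)
        # Under partitioning each domain owns half of the ways of every set,
        # so its footprint can never evict the other domain's lines.
        key, ways = ((self.current, idx), WAYS // 2) if self.partition else (idx, WAYS)
        lines = self.sets.setdefault(key, [])
        if tag in lines:                        # hit: refresh LRU position
            lines.remove(tag)
            lines.append(tag)
            return HIT_COST
        if len(lines) >= ways:                  # miss: evict least recently used
            lines.pop(0)
        lines.append(tag)
        return MISS_COST


def receiver_time(cache, sender_bit):
    """Cycles the receiver needs to re-touch its own two lines in set 0
    after the sender has run with a footprint that depends on sender_bit."""
    set0 = lambda tag: tag * LINE * SETS        # addresses that all map to set 0
    cache.switch_to(1)
    for t in (0, 1):
        cache.access(set0(t))                   # receiver's working set
    cache.switch_to(0)
    if sender_bit:
        for t in (2, 3, 4, 5):
            cache.access(set0(t))               # sender fills the same set
    cache.switch_to(1)
    return sum(cache.access(set0(t)) for t in (0, 1))


def channel_present(**cfg):
    """True if the receiver's timing depends on the sender's bit, i.e. temporal isolation is broken."""
    return receiver_time(Cache(**cfg), 0) != receiver_time(Cache(**cfg), 1)
```

With a plain shared cache the two measurements differ; with `partition=True` the receiver always hits, and with `flush_on_switch=True` it always misses, so in both cases the time is independent of the sender.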

BibTeX Entry

  @misc{Heiser_16:dagstuhl,
    author           = {Gernot Heiser},
    howpublished     = {Invited Dagstuhl Seminar},
    month            = oct,
    title            = {Challenges of Temporal Isolation},
    year             = {2016}
  }

Download