Challenges of temporal isolation
Authors
School of Computer Science and Engineering
UNSW,
Sydney 2052, Australia
Published:
Invited Dagstuhl SeminarAbstract
Spatial isolation is well-supported by present hardware and software, e.g. the seL4 microkernel has been proved to support spatial isolation, including the absence of covert storage channels. While the formal arguments about seL4 presently only apply to a single-core version, the extension its functional verification to multicore hardware is in progress, and unlikely to produce issues in terms of spatial isolation.
In contrast, temporal isolation is not only harder to verify, hardware is becoming less predictable, thanks to an increasing number of performance-enhancement tricks, generally based on some form of caching and dynamic scheduling of resources. This makes it increasingly difficult, and in cases impossible, to bound and control non-determinism.
I argue that computer architects have essentially abandoned the instruction-set architecture (ISA) as the contract between hardware and software: by just referring to the ISA, it is impossible to guarantee safety (timeliness) and security (absence of timing channels).
I argue further that it is hopeless to address this problem unless architects agree to a usable contract, i.e. extend the ISA so that timing effects become visible (and thus analysable) or controllable.
In particular, there must be time bounds on all operations. In practice, bounding each individual operation (instruction) may not be enough, as this will lead to massively pessimistic bounds. As future hardware will never be fully utilisable (eg one cannot run all cores because they will overheat), this pessimism may be tolerable in many cases. In others, enough information must be available so that it is at least possible to obtain realistic bounds on the execution time of groups of operations, giving software the opportunity to re-introduce determinism at a higher level.
Examples of this are variations produced by shared state such as various forms of caches and interconnects, which produce variations in execution time that break isolation. Establishing safety requires the ability to bound variations. Establishing security is harder, as it requires establishing determinism, at least at some course granularity. This is possible as long as the hardware provides mechanisms to either partition or flush (with bounded latency) any such shared state.
BibTeX Entry
@misc{Heiser_16:dagstuhl, author = {Gernot Heiser}, howpublished = {Invited Dagstuhl Seminar}, month = oct, title = {Challenges of Temporal Isolation}, year = {2016} }