Trustworthy Systems

The seL4 Foundation – growing through upheaval

Authors

Gernot Heiser

    School of Computer Science and Engineering
    UNSW,
    Sydney 2052, Australia

Published:

On-line

Abstract

The seL4 microkernel is the world's first operating system (OS) kernel with a machine-checked proof of implementation correctness (originally completed in 2009 for 32-bit Arm processors). This was followed by more wold-firsts: proofs of security enforcement, proof of correctness of the executable binary, sound worst-case execution-time analysis.

seL4 had been developed and verified at NICTA, a public-sector research organisation, and open-sourced in 2014. With NICTA being absorbed into CSIRO in 2015, the seL4 developers, known as the Trustworthy Systems (TS) team, became part of CSIRO, and research, development and community support continued there, mostly through funding from the US government (DARPA) and industry. However, uptake remained limited outside the defence sector. In April 2020 we created the seL4 Foundation (as a project of the Linux Foundation) as a way to encourage broader community engagement as well as removing dependency on a single organisation.

The importance of the latter aspect became obvious when in May 2021 CSIRO announced that it was abandoning the Trustworthy Systems group and its research agenda of developing truly secure computer systems. This was a near-death experience for seL4: many of our highly-skilled staff and students had job offers within days. The TS team would have disintegrated within weeks, leaving seL4 orphaned, had not UNSW stepped up and offered to fund the team to the end of the year, giving us much needed breathing space.

This was followed by an amazing rallying of the community. While before we had trouble scaling Foundation membership beyond the half-dozen initial members, companies we never heard of (but who were already building seL4 into their products) joined, increasing the Foundation's membership revenue ten-fold over a period of about 2 months. Many former staff increased their engagement (with backing from their employers), and community contributions increased massively. At the same time the TS continued to hit new firsts, especially on verification and security proofs for seL4 on 64-bit RISC-V. The technology and its ecosystem are very much alive and growing.

Which leaves a number of questions to explore, specifically: (1) why did we not achieve more community engagement before the cataclysmic events of May'20, and (2) why did things suddenly take off after?

I can only attempt to provide (at best partial) answers, and will welcome feedback from other community leaders. However it is clear that (1) had to do with the steep learning curve of seL4, but also organisational barriers. Specifically, seL4 development was not really open until we set up the Foundation, and even then it took a long time to move everything out from CSIRO, a process that was still on-going when the divorce was announced. Yet it became clear that there was far more seL4 adaptation in industry than we were aware of. (2) was clearly enabled by this existing activity: people realised that the whole of seL4 was under threat, and they had to contribute back if they wanted it to live on. Which leaves us with the question of what could we have done differently to get them engaged earlier, and how can we engage even more of the adopters? There are clearly many more out there.

BibTeX Entry

  @misc{Heiser_22:lca,
    author           = {Gernot Heiser},
    howpublished     = {On-line},
    keywords         = {operating systems; seL4},
    month            = jan,
    title            = {The {seL4} {Foundation} -- Growing Through Upheaval},
    video            = {https://youtu.be/sGfyGhP6M_A},
    year             = {2022}
  }

Download