Trustworthy Systems

LionsOS: Towards a truly dependable operating system

Authors

Gernot Heiser

    School of Computer Science and Engineering
    UNSW,
    Sydney 2052, Australia

Published:

Keynote at International Conference on Dependable Systems and Networks (DSN)

Abstract

The formal verification of the seL4 microkernel, completed almost 15 years ago, was a major step towards making a truly dependable OS a reality, but no more than a first step. While seL4 has now been deployed in a number of defence and civilian projects, and cars running an seL4-based OS will be on the road this year, the sad reality is that there are probably more failures than successes in seL4 deployment. We have to conclude that it is not sufficient to provide an open-source microkernel and hope that the community will build practical systems around it. Coming up with a good design for an seL4-based system, including re-use of legacy services, requires far too much expertise.

The Trustworthy Systems Group at UNSW has therefore embarked on a project to design, implement and verify a complete seL4-based OS, Lions OS (named after the author of the Lions Book that taught Unix to generations of programmers). The name states the programme: we aim to make the project feasible by applying some of the core principles of Unix, namely simplicity and clean design. In addition, we are restricting ourselves (for now, at least) to systems with a static architecture, i.e. the set of components and (the ceiling of) the communication channels connecting them are fixed at system build time. This restriction is compatible with at least the vast majority of cyber-physical, IoT and other embedded systems.

Specifically, our aim is to build an OS that is (a) provably secure and reliable, (b) comparable in performance to insecure mainstream systems such as Linux, and (c) adaptable to a wide range of use cases within the target domain. A core ingredient for making end-to-end verification scale to a complete OS is the Pancake language, a new systems language with a verified compiler, which we will use to implement at least part of Lions OS. We have just released a first, open-source version of Lions OS. While it is still rudimentary, our experience so far is that a highly modular architecture, if done well, can result in a well-performing system while keeping modules simple enough to verify with automated techniques. Our roadmap for Lions OS includes end-to-end correctness and security proofs, formal reasoning about the timeliness of mixed-criticality systems, and provable elimination of information leakage through microarchitectural timing channels.

BibTeX Entry

  @misc{Heiser_24:dsn,
    author           = {Gernot Heiser},
    howpublished     = {Keynote at International Conference on Dependable Systems and Networks (DSN)},
    month            = jun,
    title            = {{LionsOS}: Towards a truly dependable operating system},
    year             = {2024}
  }