MCS safety – an OS perspective
Authors
Gernot Heiser
School of Computer Science and Engineering
UNSW,
Sydney 2052, Australia
Published:
Award Talk at RTAS'26, Saint Malo, France, May 2026
Abstract
Mixed-criticality real-time systems (MCS) must guarantee the timeliness of critical activities irrespective of the behaviour of less critical activities, even where the latter have tighter timeliness requirements (and therefore must be able to preempt the critical ones). This implies a need to prevent less critical activities from interfering with critical activities in an uncontrolled way. Preventing such interference requires strong spatial and temporal isolation between activities, which is a core duty of the operating system (OS).
The seL4 microkernel, with its comprehensive formal verification, has provided provable spatial isolation for about 15 years. Some degree of temporal isolation was added later, with a complete and sound worst-case execution time (WCET) analysis and, in the newer MCS version, a new scheduling model that makes time a capability-protected resource. The talk describes these isolation features and their status, and some of our recent work aiming at providing provable MCS schedulability guarantees.
The talk also addresses the usability aspects of seL4, in particular the difficulty of building performant designs on top of the microkernel. It introduces the new LionsOS, an OS aimed at supporting a wide range of embedded/cyber-physical application domains, which simplifies system construction by adopting a static architecture. LionsOS is already mature enough to be used in production systems and is currently undergoing formal verification, with the aim of providing end-to-end proofs of security and real-time safety.
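The temporal-isolation point above (time as a controlled resource, so that a less critical activity with higher priority cannot steal the CPU from a critical one) can be illustrated with a small discrete-time simulation. The code below is an added example written for this page; it is not seL4 kernel code and not from the talk. It models each thread's CPU allowance as a budget that is replenished at every period boundary, which is a simplification of the sporadic-server replenishment seL4 MCS scheduling contexts actually use, and the two tasks, their priorities, budgets and demands are constructed for the illustration. Running the same priority-driven scheduler with and without budget enforcement shows why the budget is what protects the critical task, not its priority.

```c
#include <stdio.h>

#define MAX_TASKS 4
#define HORIZON   30   /* simulated ticks; constructed value */

/* Simplified model of a scheduling context: a budget of CPU ticks that is
 * fully replenished every period. seL4 MCS uses sporadic-server refills,
 * which are more precise than this periodic refill (assumption/simplification). */
typedef struct {
    const char *name;
    int prio;        /* higher number = higher priority, may preempt lower */
    int budget;      /* ticks of CPU the task may consume per period */
    int period;      /* replenishment interval; also the implicit deadline */
    int demand;      /* ticks the task wants per period (may exceed budget) */
    /* simulation state */
    int budget_left;
    int work_left;   /* outstanding demand in the current period */
    int missed;      /* periods that ended with work still outstanding */
    int got;         /* total ticks actually executed */
} task_t;

/* Run a fixed-priority scheduler for HORIZON ticks. With enforce_budget == 0
 * a task runs whenever it has work, i.e. time is not a controlled resource.
 * Returns the number of deadline misses of task index `watch`. */
int simulate(task_t *tasks, int n, int horizon, int enforce_budget, int watch)
{
    for (int i = 0; i < n; i++) {
        tasks[i].budget_left = tasks[i].budget;
        tasks[i].work_left   = tasks[i].demand;
        tasks[i].missed      = 0;
        tasks[i].got         = 0;
    }
    for (int t = 0; t < horizon; t++) {
        /* Period boundary: record a miss if work is left, release the next
         * job of the task, and refill its budget. */
        for (int i = 0; i < n; i++) {
            if (t > 0 && t % tasks[i].period == 0) {
                if (tasks[i].work_left > 0)
                    tasks[i].missed++;
                tasks[i].work_left   = tasks[i].demand;
                tasks[i].budget_left = tasks[i].budget;
            }
        }
        /* Dispatch the highest-priority task that has work and, when
         * budgets are enforced, budget left. */
        int pick = -1;
        for (int i = 0; i < n; i++) {
            if (tasks[i].work_left <= 0)
                continue;
            if (enforce_budget && tasks[i].budget_left <= 0)
                continue;
            if (pick < 0 || tasks[i].prio > tasks[pick].prio)
                pick = i;
        }
        if (pick >= 0) {
            tasks[pick].work_left--;
            tasks[pick].budget_left--;
            tasks[pick].got++;
        }
    }
    return tasks[watch].missed;
}

/* Constructed scenario: "bully" is high-priority but less critical and
 * misbehaves by demanding the whole CPU; "crit" is lower-priority but
 * critical and needs 5 of every 10 ticks, finishing within its period. */
static int build(task_t *ts)
{
    ts[0] = (task_t){ .name = "bully", .prio = 2, .budget = 2, .period = 10, .demand = 10 };
    ts[1] = (task_t){ .name = "crit",  .prio = 1, .budget = 5, .period = 10, .demand = 5 };
    return 2;
}

/* Deadline misses of the critical task over the horizon. */
int crit_misses(int enforce_budget)
{
    task_t ts[MAX_TASKS];
    int n = build(ts);
    return simulate(ts, n, HORIZON, enforce_budget, 1);
}

/* CPU ticks the misbehaving high-priority task managed to consume. */
int bully_ticks(int enforce_budget)
{
    task_t ts[MAX_TASKS];
    int n = build(ts);
    simulate(ts, n, HORIZON, enforce_budget, 0);
    return ts[0].got;
}

int main(void)
{
    for (int enforce = 0; enforce <= 1; enforce++)
        printf("budget enforcement %s: bully ran %2d/%d ticks, crit missed %d deadlines\n",
               enforce ? "on " : "off", bully_ticks(enforce), HORIZON, crit_misses(enforce));
    return 0;
}
```

Without enforcement the higher-priority task monopolises the CPU and the critical task misses every deadline; with budgets enforced the same task is capped at its 2 ticks per period and the critical task completes on time. In seL4 MCS the analogous parameters are the budget and period of a scheduling context, and because the scheduling context is a capability-protected kernel object, a thread cannot grant itself more time than it was given.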
BibTeX Entry
@misc{Heiser_26:rtas,
author = {Gernot Heiser},
howpublished = {Award Talk at RTAS'26},
location = {Saint Malo, FR},
month = may,
novideo = {none://youtu.be/watch?v=wP48V34lDhk},
title = {{MCS} Safety -- An {OS} Perspective},
url = {https://trustworthy.systems/publications/papers/Heiser_26:rtas.abstract.pml},
year = {2026}
}