Welcome to the L4 webpages! If you are new to this site, please start exploring it at the overview page. What's new June L4Re and Fiasco. Novemer Wiki available A wiki is now available at wiki.
|Published (Last):||16 October 2006|
|PDF File Size:||20.7 Mb|
|ePub File Size:||20.64 Mb|
|Price:||Free* [*Free Regsitration Required]|
Animats on Sept 20, The paper doesn't mention QNX at all. QNX is similar to early L4, but they've taken slightly different paths. L4 got rid of "long message passing", in favor of shared memory and interrupt-like IPC. This is great for the kernel - no copying delays and no buffering problems. But it means that communicating processes have to share some memory pages and cooperate properly.
If the shared memory page is something like a chain of linked buffers, one side may be able to screw up the other side. If that's how you talk to the file system, it may be possible to attack the file system process that way.
This won't crash the kernel. The code for this is tiny. The problem is that the giant Linux kernel is still there, just a bit more isolated from the hardware.
The total amount of code that can break has not been reduced significantly. There are efforts to build OSes directly on L4 kernels as well. Most notably Genode. L4 can be used that way, but in purpose-built systems it can also just be used as a simple stratum on which to build applications directly. If you were using L4 to build a baseband package, for instance, you probably wouldn't run a full OS on top of it.
On a related note, QNX was open source for a while, before it was bought by Blackberry. Do you know if anyone managed to snag a copy of it? It was available for free on a floppy, but never open source. On the same day, QNX source code access was restricted from the public and hobbyists. Exactly this -- So, someone must have grabbed a copy of the source at that time, and I'd love to have a read through it one day.
Animats on Sept 21, Kind of off-topic, but where can I find the OKL4 source code? All I have found is a really old version that doesn't seem to have much in common with the current one. This is from , not sure if it's that old.
I think the latest version is 5 or 6. The one you pointed to seems to be pretty old: OKL4 Release 2. L4 was created partly due to how much Mach failed in performance and such. The first generation by Liedkte was something like 5 times faster in overhead than Mach solutions hosting Linux. Calling, e. That is completely untrue. Take a look at the ipc directory in the Chromium source, for example. Yes, I'd assume it's more heavily used in the higher-level application layer.
I was talking about basic UNIX functions. Even Unix signals are delivered as Mach exceptions first. I would really love to see more commentary from high-level systems people on how suitable SEL4 is as the basis for a general purpose OS. It seems like it's security guarantees would be driving a lot more outside investment than it has received. I'm having really big expectations on seL4. The modularity of a microkernel with the security of formal methods is something that would give hope of solving some really fundamental problems with the "IoT scene".
Edit: oh, and you can still run seL4 as hypervisor and run Linux on top of it to get the usual Embedded Linux stack where your CPU has enough juice. And still keep the critical systems safe behind seL4's capability system. Best of both worlds? Dunno, hopefully seL4 will be there someday in production quality. L4 is great, but it doesn't solve application security problems.
L4 by itself doesn't do much, and whatever you build on top of it if you're not yourself using formal methods, which very few real product teams do isn't going to inherit its security. True, seL4 verification doesn't solve the application level security problem but it makes it more approachable in several ways. Instead, concrete and verified semantics are available. This makes application specification and verification easier, and safer. Fortunately, verification is cumulative - The seL4 project has driven the state-of-the-art of verification tool forwards by a considerable degree.
CPU manufacturers have been loath to do this for various reasons. The full verification of seL4 came a lot earlier by about a decade than I thought possible. Klein, Proof Engineering Considered Essential. What's your sense of the number of IoT vulnerabilities that are due to misconstrued OS semantics? Mine and I've done a bit of work here, but not that much is that there aren't that many. Really I think it depends on what you're doing. If the work you're doing is fundamentally kernel work if it's all about interacting with the security boundaries of the hardware not just "interacting with hardware", like getting the bits from an RF codec, but manipulating hardware shared by attackers, like the iPhone SEP then L4 is a pretty huge security win.
Otherwise: the problem you have isn't your OS, but the programming language you're using to build with. IoT isn't really target for these things. Language or spec-level security is more important. I agree with you there. Isolation mechanisms are still important for many embedded devices, though, if security is a concern.
Here's a few I've seen in various products or academic programs: 1. Device driver isolation. Wacky drivers can take down the system. Better to take down and restart the driver. QNX was first I know of that did this with excellent reliability benefits. Many of them do now in RTOS space. MINIX 3 takes it to desktops and servers.
Monitors like in Copilot system or for recovery-oriented computing that expects input to crash or subvert main process. So, outside process is necessary for detection of anomalous behavior and recovery. Periodic restarts are another trick used in that field to clear out subtle errors that build up over time or persistent malware.
Best to be in different address spaces. Dedicated process, as in Nizza and Turaya, for containing application secrets where external processes can call to have random numbers generated, signatures performed, etc but not actually access the internals. Same thing for logging purposes where interface between main app and logging component is write-only.
Prevents accidental or malicious elimination of audit trail. I did that myself many times. Shapiro et al did it for repo security. That's important in real-time systems where a number of tasks are running where one can screw with the other. Watchdog timers are also popular here. Also is a strategy for eliminating covert, timing channels at partition level for select few that need that.
The problem is it takes more than just implementing the "kernel" as in low-level access aka HAL work under L4. You need to apply that compartmentalization all the way through the stack, and even subdivide applications into smaller chunks of responsibility. What you typically get is a neat subdivision of all the HAL bits, but everyone stops once they're plugging in applications.
It's not all bad - at least you can be reasonably confident that one compromised app, or part of the HAL, can't be trivially used to compromise the rest of the system. But, as you say elsewhere here, if there's just one thing you're doing, then all that effort didn't really improve things.
I wonder if anyone will manage to create a tool for Rust that can map out code partitions, or near partitions, based on access patterns of object ownership. At some tipping point a little bit of data sharing could be refactored into message passing and finish the job right.
If done well, formal verification of kernel level services and how these use runtime protection built in hardware can absolutely reduce the attack surface of application level code. The key is to move critical services that attackers would wish to exploit into a formally verified sandbox. That is the real power of systems like seL4, even though seL4 isn't itself really geared toward the sort of chipsets commonly used in consumer grade IoT products. Can you describe this with an example of a realistic use of L4-enabled sandboxing for a single-function IoT device?
I've done some L4 work so you don't need to spend a lot of time explaining. General purpose OSs like iOS? No question: L4 is a major win. But that's not what the discussion here is really about. Case in point: cryptography, authentication, and authorization are each very sensitive operations which are prone to both gadget attacks and sidechannel attacks.
Sandboxing these operations by creating well-defined boundaries between application code and these algorithms and protocols can ensure that application level bugs cannot creep into these critical services. This is classical defense in depth strategy, but enforced through both runtime and formal methods. You wouldn't, SEL4 isn't designed for embedded systems.
The L4 µ-Kernel Family
It had previously been considered as the basis of the Hurd , with efforts towards a "next generation" of the Hurd initially focusing on L4. Dissatisfaction with early L4 implementations led to work on other experimental microkernels that ultimately led nowhere. One aspect of earlier L4 implementations that was deemed unsatisfactory was the lack of capability support. Later L4 implementations remedied this, but attention had already shifted to the experimental microkernels, being seen as necessary for addressing resource management problems identified in the Mach microkernel traditionally employed by the Hurd, also perceived as issues for other microkernels. This shift towards research moved attention away from L4 and - arguably - from attempts to overhaul the Hurd. On such matters, Richard Stallman apparently remarked that "to keep changing platforms means never getting it done". These have all been largely superseded by more recent implementations such as Fiasco.
L4 microkernel family
Animats on Sept 20, The paper doesn't mention QNX at all. QNX is similar to early L4, but they've taken slightly different paths. L4 got rid of "long message passing", in favor of shared memory and interrupt-like IPC. This is great for the kernel - no copying delays and no buffering problems. But it means that communicating processes have to share some memory pages and cooperate properly. If the shared memory page is something like a chain of linked buffers, one side may be able to screw up the other side.
Firerouge on Jan 19, It doesn't really provide extra security for processes managed by the Linux kernel, but it allows you to co locate Linux and some other code. I could see a model where you have an untrusted Linux land running next to some unikernel like rtos-esque components that are protected from the Linux side. The sel4 guys had a CTF where they ran hard realtime heleicopter software next to a Linux kernel on the same system, and gave you a root shell to the Linux side to start off with.