research-article

Improving interrupt response time in a verifiable protected microkernel

Authors:

Bernard Blackham,

Gernot HeiserAuthors Info & Claims

EuroSys '12: Proceedings of the 7th ACM european conference on Computer Systems

Pages 323 - 336

https://doi.org/10.1145/2168836.2168869

Published: 10 April 2012 Publication History

Abstract

Many real-time operating systems (RTOSes) offer very small interrupt latencies, in the order of tens or hundreds of cycles. They achieve this by making the RTOS kernel fully preemptible, permitting interrupts at almost any point in execution except for some small critical sections. One drawback of this approach is that it is difficult to reason about or formally model the kernel's behavior for verification, especially when written in a low-level language such as C.

An alternate model for an RTOS kernel is to permit interrupts at specific preemption points only. This controls the possible interleavings and enables the use of techniques such as formal verification or model checking. Although this model cannot (yet) obtain the small interrupt latencies achievable with a fully-preemptible kernel, it can still achieve worst-case latencies in the range of 10,000s to 100,000s of cycles. As modern embedded CPUs enter the 1 GHz range, such latencies become acceptable for more applications, particularly when they come with the additional benefit of simplicity and formal models. This is particularly attractive for protected multitasking microkernels, where the (inherently non-preemptible) kernel entry and exit costs dominate the latencies of many system calls.

This paper explores how to reduce the worst-case interrupt latency in a (mostly) non-preemptible protected kernel, and still maintain the ability to apply formal methods for analysis. We use the formally-verified seL4 microkernel as a case study and demonstrate that it is possible to achieve reasonable response-time guarantees. By combining short predictable interrupt latencies with formal verification, a design such as seL4's creates a compelling platform for building mixed-criticality real-time systems.

References

[1]

ARM1136JF-S and ARM1136J-S Technical Reference Manual. ARM Ltd., R1P1 edition, 2005.

[2]

T. P. Baker. Stack-based scheduling for realtime processes. J. Real-Time Syst., 3 (1): 67--99, 1991.

Digital Library

[3]

Christoph Baumann, Bernhard Beckert, Holger Blasum, and Thorsten Bormer. Ingredients of operating system correctness. In Emb. World Conf., Nuremberg, Germany, Mar 2010.

[4]

Sven Beyer, Christian Jacobi, Daniel Kröning, Dirk Leinenbach, and Wolfgang J. Paul. Putting it all together--formal verification of the VAMP. International Journal on Software Tools for Technology Transfer (STTT), 8 (4): 411--430, 2006.

Digital Library

[5]

Bernard Blackham, Yao Shi, Sudipta Chattopadhyay, Abhik Roychoudhury, and Gernot Heiser. Timing analysis of a protected operating system kernel. In 32nd RTSS, Vienna, Austria, Nov 2011.

Digital Library

[6]

Bernard Blackham, Yao Shi, and Gernot Heiser. Protected hard real-time: The next frontier. In 2nd APSys, pages 1:1--1:5, Shanghai, China, Jul 2011.

Digital Library

[7]

M. Campoy, A.P. Ivars, and J.V.B. Mataix. Static use of locking caches in multitask preemptive real-time systems. In Proceedings of IEEE/IEE Real-Time Embedded Systems Workshop, 2001. Satellite of the IEEE Real-Time Systems Symposium.

[8]

Ron Cytron, Jeanne Ferrante, Barry K. Rosen, Mark N. Wegman, and F. Kenneth Zadeck. Efficiently computing static single assignment form and the control dependence graph. ACM Trans. Progr. Lang. & Syst., 13: 451--490, October 1991.

Digital Library

[9]

Matthias Daum, Jan Dörrenbacher, and Burkhart Wolff. Proving fairness and implementation correctness of a microkernel scheduler. JAR: Special Issue Operat. Syst. Verification, 42 (2-4): 349--388, 2009.

Digital Library

[10]

Matthias Daum, Norbert W. Schirmer, and Mareike Schmidt. Implementation correctness of a real-time operating system. In IEEE Int. Conf. Softw. Engin. & Formal Methods, pages 23--32, Hanoi, Vietnam, 2009. IEEE Comp. Soc.

Digital Library

[11]

Jack B. Dennis and Earl C. Van Horn. Programming semantics for multiprogrammed computations. CACM, 9: 143--155, 1966.

Digital Library

[12]

R.P. Draves, Brian N. Bershad, R.F. Rashid, and R.W. Dean. Using continuations to implement thread management and communication in operating systems. In 13th SOSP, Asilomar, CA, USA, Oct 1991.

Digital Library

[13]

Dhammika Elkaduwe, Philip Derrin, and Kevin Elphinstone. A memory allocation model for an embedded microkernel. In 1st MIKES, pages 28--34, Sydney, Australia, Jan 2007. NICTA.

[14]

Xingu Feng, Zhong Shao, Yuan Dong, and Yu Guo. Certifying low-level programs with hardware interrupts and preemptive threads. In PLDI, pages 170--182, Tucson, AZ, USA, Jun 2008.

Digital Library

[15]

Brian Ford, Mike Hibler, Jay Lepreau, Roland McGrath, and Patrick Tullmann. Interface and execution models in the Fluke kernel. In 3rd OSDI, pages 101--115, New Orleans, LA, USA, Feb 1999. USENIX.

Digital Library

[16]

Anthony Fox and Magnus Myreen. A trustworthy monadic formalization of the ARMv7 instruction set architecture. volume 6172 of LNCS, pages 243--258, Edinburgh, UK, Jul 2010. Springer-Verlag.

Digital Library

[17]

Alexey Gotsman and Hongseok Yang. Modular verification of preemptive OS kernels. 16th ICFP, pages 404--417, 2011.

Digital Library

[18]

Gernot Heiser and Ben Leslie. The OKL4 Microvisor: Convergence point of microkernels and hypervisors. In 1st APSys, pages 19--24, New Delhi, India, Aug 2010.

Digital Library

[19]

Michael Hohmuth. The Fiasco kernel: System architecture, 2002. Technical Report TUD-FI02-06-Juli-2002.

[20]

Gerwin Klein. Operating system verification -- an overview. Sadhana, 34 (1): 27--69, Feb 2009.

[21]

Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. seL4: Formal verification of an OS kernel. In 22nd SOSP, pages 207--220, Big Sky, MT, USA, Oct 2009. ACM.

Digital Library

[22]

Xianfeng Li, Yun Liang, Tulika Mitra, and Abhik Roychoudhury. Chronos: A timing analyzer for embedded software. In Science of Computer Programming, Special issue on Experimental Software and Toolkit, volume 69(1-3), Dec 2007.

Digital Library

[23]

Yau-Tsun Li, Sharad Malik, and Andrew Wolfe. Efficient microarchitecture modeling and path analysis for real-time software. In 16th RTSS, pages 298--307, 1995.

Digital Library

[24]

Jochen Liedtke. Improving IPC by kernel design. In 14th SOSP, pages 175--188, Asheville, NC, USA, Dec 1993.

Digital Library

[25]

Jochen Liedtke. On μ-kernel construction. In 15th SOSP, pages 237--250, Copper Mountain, CO, USA, Dec 1995.

Digital Library

[26]

Frank Mehnert, Michael Hohmuth, and Hermann Hartig. Cost and benefit of separate address spaces in real-time operating systems. In 23rd RTSS, Austin, TX, USA, 2002.

Digital Library

[27]

Alexander Metzner. Why model checking can improve WCET analysis. In Rajeev Alur and Doron Peled, editors, Computer Aided Verification, volume 3114 of LNCS, pages 298--301. Springer-Verlag, 2004.

[28]

Isabelle Puaut and David Decotigny. Low-complexity algorithms for static cache locking in multitasking hard real-time systems. In 23rd RTSS, pages 114--123, 2002.

Digital Library

[29]

B. Rieder, P. Puschner, and I. Wenzel. Using model checking to derive loop bounds of general loops within ANSI-C applications for measurement based WCET analysis. In Intelligent Solutions in Embedded Systems, 2008 International Workshop on, pages 1--7, july 2008.

[30]

Matthew Warton. Single kernel stack L4. BE thesis, School Comp. Sci. & Engin., University NSW, Sydney 2052, Australia, Nov 2005.

[31]

Mark Weiser. Program slicing. IEEE Trans. Softw. Engin., SE-10 (4): 352--357, Jul 1984.

Digital Library

Cited By

Lombardi DBarbareschi MBarone SCasola V(2024)A comprehensive evaluation of interrupt measurement techniques for predictability in safety-critical systemsProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670451(1-10)Online publication date: 30-Jul-2024
https://dl.acm.org/doi/10.1145/3664476.3670451
Gigerl BPrimas RMangard S(2023)Secure Context Switching of Masked Software ImplementationsProceedings of the 2023 ACM Asia Conference on Computer and Communications Security10.1145/3579856.3595798(980-992)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.1145/3579856.3595798
Luckinger FSauter T(2022)Software-Based AUTOSAR-Compliant Precision Clock Synchronization Over CANIEEE Transactions on Industrial Informatics10.1109/TII.2022.314992318:10(7341-7350)Online publication date: Oct-2022
https://doi.org/10.1109/TII.2022.3149923
Show More Cited By

Index Terms

Improving interrupt response time in a verifiable protected microkernel
1. General and reference
  1. Cross-computing tools and techniques
    1. Verification
2. Software and its engineering
  1. Software creation and management
    1. Designing software
    2. Software verification and validation
  2. Software organization and properties
    1. Contextual software domains
      1. Operating systems

Recommendations

Protected hard real-time: the next frontier
APSys '11: Proceedings of the Second Asia-Pacific Workshop on Systems

Hard real-time systems are typically written to execute either on bare metal or on a small real-time executive that offers no memory protection. This model scales poorly as systems become more complex and integrated, as is the trend in industry today. ...
L4 Microkernels: The Lessons from 20 Years of Research and Deployment

The L4 microkernel has undergone 20 years of use and evolution. It has an active user and developer community, and there are commercial versions that are deployed on a large scale and in safety-critical systems. In this article we examine the lessons ...
On Improving Real-Time Interrupt Latencies of Hybrid Operating Systems with Two-Level Hardware Interrupts

In this paper, we propose to implement hybrid operating systems based on two-level hardware interrupts. We analyze and model the worst-case real-time interrupt latency for RTAI and identify the key component for its optimization. Then, we propose our ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

EuroSys '12: Proceedings of the 7th ACM european conference on Computer Systems

April 2012

394 pages

ISBN:9781450312233

DOI:10.1145/2168836

General Chair:
Pascal Felber
University of Neuchâtel, Switzerland
,
Program Chairs:
Frank Bellosa
KIT, Germany
,
Herbert Bos
Vrije Universiteit Amsterdam, The Netherlands

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGOPS: ACM Special Interest Group on Operating Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 April 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

EuroSys '12

Sponsor:

SIGOPS

EuroSys '12: Seventh EuroSys Conference 2012

April 10 - 13, 2012

Bern, Switzerland

Acceptance Rates

Overall Acceptance Rate 241 of 1,308 submissions, 18%

Upcoming Conference

EuroSys '25

Sponsor:
sigops

Twentieth European Conference on Computer Systems

March 30 - April 3, 2025

Rotterdam , Netherlands

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

24
Total Citations
View Citations
496
Total Downloads

Downloads (Last 12 months)10
Downloads (Last 6 weeks)0

Reflects downloads up to 26 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Lombardi DBarbareschi MBarone SCasola V(2024)A comprehensive evaluation of interrupt measurement techniques for predictability in safety-critical systemsProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670451(1-10)Online publication date: 30-Jul-2024
https://dl.acm.org/doi/10.1145/3664476.3670451
Gigerl BPrimas RMangard S(2023)Secure Context Switching of Masked Software ImplementationsProceedings of the 2023 ACM Asia Conference on Computer and Communications Security10.1145/3579856.3595798(980-992)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.1145/3579856.3595798
Luckinger FSauter T(2022)Software-Based AUTOSAR-Compliant Precision Clock Synchronization Over CANIEEE Transactions on Industrial Informatics10.1109/TII.2022.314992318:10(7341-7350)Online publication date: Oct-2022
https://doi.org/10.1109/TII.2022.3149923
Andalibi FGarcia P(2021)Near-Native Interrupt Latency in Real-Time Guests: Handler Emulation Through Memory Map MorphingProceedings of the 2021 7th International Conference on Computing and Data Engineering10.1145/3456172.3456197(94-98)Online publication date: 15-Jan-2021
https://dl.acm.org/doi/10.1145/3456172.3456197
Gadepalli PPeach GParmer GEspy JDay Z(2019)Chaos: a System for Criticality-Aware, Multi-Core Coordination2019 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS)10.1109/RTAS.2019.00015(77-89)Online publication date: Apr-2019
https://doi.org/10.1109/RTAS.2019.00015
Lyons AMcLeod KAlmatary HHeiser GOliveira RFelber PHu Y(2018)Scheduling-context capabilitiesProceedings of the Thirteenth EuroSys Conference10.1145/3190508.3190539(1-16)Online publication date: 23-Apr-2018
https://dl.acm.org/doi/10.1145/3190508.3190539
Klein GAndronick JKeller GMatichuk DMurray TO'Connor L(2017)Provably trustworthy systemsPhilosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences10.1098/rsta.2015.0404375:2104(20150404)Online publication date: 4-Sep-2017
https://doi.org/10.1098/rsta.2015.0404
Sewell TKam FHeiser G(2017)High-assurance timing analysis for a high-assurance real-time operating systemReal-Time Systems10.1007/s11241-017-9286-353:5(812-853)Online publication date: 1-Sep-2017
https://dl.acm.org/doi/10.1007/s11241-017-9286-3
Zheng HZhu ZDong XChen BLiu C(2017)Studying shadow page cache to improve isolated drivers' performanceConcurrency and Computation: Practice and Experience10.1002/cpe.408129:10Online publication date: 8-Feb-2017
https://doi.org/10.1002/cpe.4081
Heiser GElphinstone K(2016)L4 MicrokernelsACM Transactions on Computer Systems10.1145/289317734:1(1-29)Online publication date: 6-Apr-2016
https://dl.acm.org/doi/10.1145/2893177
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents