The document discusses the evolution of the F9 microkernel and BitSec hypervisor, focusing on improvements in inter-process communication performance and security features in third-generation microkernels. It highlights key technical concepts such as capability models, memory management, and debugging tools, along with potential bugs and unsolved problems in the system architecture. BitSec is portrayed as a minimal and secure microkernel for high-reliability embedded applications, distinct from a complete operating system.

1. A tour of F9 microkernel and BitSec hypervisorA tour of F9 microkernel and BitSec hypervisor
Louie Lu (Louie Lu ( 呂紹榕呂紹榕 ) <louie.lu@hopebaytech.com>) <louie.lu@hopebaytech.com>
11/24 @ ARRC Tainan11/24 @ ARRC Tainan

2. 11/25/16 2
Content

3. 11/25/16 3
From 2nd
gen to 3nd
gen microkenrel
F9 microkernel feature
BitSec: 3rd
generation IoT Hypervisor

4. 11/25/16 4
From 2nd
Gen to 3rd
Gen
microkernel

5. 11/25/16 5
●
From 2nd
gen to 3nd
gen microkenrel
2nd
Generation microkernel
L3
Qualitative improvement of IPC performance
22 times faster then Mach
1993 [Jochen Liedkte]
L4 family
start from 1995, V2 ABI about L3

6. 11/25/16 6
●
From 2nd
gen to 3nd
gen microkenrel
2nd
Generation microkernel
L3
Qualitative improvement of IPC performance
22 times faster then Mach
1993 [Jochen Liedkte]
L4 family
start from 1995, V2 ABI about L3
Fiasco, the first high level language (C++) and open
source L4 microkernel
L4Ka::Pistachio,
OKL4, from OKLabs

7. 11/25/16 7
●
From 2nd
gen to 3nd
gen microkenrel
2nd
Generation microkernel
L3
Qualitative improvement of IPC performance
22 times faster then Mach
1993 [Jochen Liedkte]
L4 family
start from 1995, V2 ABI about L3
Fiasco, the first high level language (C++) and open
source L4 microkernel
L4Ka::Pistachio,
OKL4, from OKLabs

8. 11/25/16 8
●
From 2nd
gen to 3nd
gen microkenrel
2nd
Generation microkernel
Issues about Ad-hoc
Global thread name space => covert channel
Threads as IPC target => insufficient encapsulation
Single kernel memory pool => DOS attack
Insufficient delegation of authority

9. 11/25/16 9
●
From 2nd
gen to 3nd
gen microkenrel
3rd
Generation microkernel, focus on...
Capability Model
Less system calls (seL4 only have 3 syscalls)
Clear semantics (Async EndPoint ...etc)
Formal Verification

10. 11/25/16 10
●
From 2nd
gen to 3nd
gen microkenrel
Capability Model
Cnode, Caps in seL4
fine-graint permission control
Less system calls (seL4 only have 3 syscalls)
Clear semantics (Async EndPoint ...etc)
Formal Verification

11. 11/25/16 11
●
From 2nd
gen to 3nd
gen microkenrel
Capability Model
Cnode, Caps in seL4
Less system calls (seL4 only have 3 syscalls)
Clear semantics (Async EndPoint ...etc)
Formal Verification
seL4 [SOSO'09]
Verve [PLDI'10]
FSCQ [SOSP'15]
mCertiKOS ['POPL'15]
CoGENT [ASPLOS'16]

12. 11/25/16 12
●
From 2nd
gen to 3nd
gen microkenrel
Formal Verification
seL4 [SOSP'09]
mCertiKOS [POPL'15]
verified sequential kernels

13. 11/25/16 13
●
From 2nd
gen to 3nd
gen microkenrel
Formal Verification
Ironcald [OSDI'14]
verified software stack

14. 11/25/16 14
●
From 2nd
gen to 3nd
gen microkenrel
Formal Verification
FSCQ [SOSP'15]
CoGENT [ASPLOS'16]
verified sequential file systems

15. 11/25/16 15
●
From 2nd
gen to 3nd
gen microkenrel
Formal Verification – Concurrent Memory kernel ?

16. 11/25/16 16
●
From 2nd
gen to 3nd
gen microkenrel
Formal Verification – Concurrent Memory kernel ?
from certikos-osdi16

17. 11/25/16 17
●
From 2nd
gen to 3nd
gen microkenrel
Formal Verification – Concurrent Memory kernel ?
from certikos-osdi16

18. 11/25/16 18
●
From 2nd
gen to 3nd
gen microkenrel
Formal Verification – Concurrent Memory kernel ?
CertiKOS [OSDI'16]
Solve the problem
global changes
I/O concurrency
fine-grained lock
liveness
compiler
cost...

19. 11/25/16 19
●
From 2nd
gen to 3nd
gen microkenrel
The still unsolved problem (From L3 to seL4 20y)
Principled, policy-free control of CPU time.
Handling of multicore processors in the age of
verification.

20. 11/25/16 20
F9 microkernel

21. 11/25/16 21
F9 microkernel
Memory Management
Debugging Tools
The Bug
Unsolved problems

22. 11/25/16 22
F9 microkernel
Memory Management
MPU (Memory Protection Unit)
Fpage
Address Space

23. 11/25/16 23
F9 microkernel - MPU
Protected Memory System Architecture (PMSAv7)
ARMv7-M supports PMSAv7
MPU
Support 8 memory region for setting
Provide access premission control
Provide memory execute setting

24. 11/25/16 24
F9 microkernel - MPU
MPU Register
MPU_TYPE - Type Register
MPU_CTRL - Control Regiser
MPU_RNR - Region Number Register
MPU_RBAR - Region Base Address Register
MPU_RASR - Region Attribute and Size Register

25. 11/25/16 25
F9 microkernel - MPU
MPU – Region Number Register
Select the region to read or write
affect with RBAR, RASR

26. 11/25/16 26
F9 microkernel - MPU
MPU – Region Base Address Register
Setting base address of the region
Setting region is valid or not
Setting which region to writes
So you may just change this value without RNR

27. 11/25/16 27
F9 microkernel - MPU
MPU – Region Attribute and Size Register

28. 11/25/16 28
F9 microkernel - MPU
MPU region size
Can only set region size
with 2 ** n

29. 11/25/16 29
F9 microkernel - MPU
MPU Attribute
eXecute Never
access permissions (user (unprivileged) and privileged)
cache policy
device type and cacheability

30. 11/25/16 30
F9 microkernel - MPU
MPU Attribute
eXecute Never
access permissions (user (unprivileged) and privileged)
cache policy
device type and cacheability

31. 11/25/16 31
F9 microkernel - MPU
MPU Attribute
eXecute Never
access permissions (user (unprivileged) and privileged)
cache policy
device type and cacheability

32. 11/25/16 32
F9 microkernel - MPU
MPU – mpu_setup_region

33. 11/25/16 33
F9 microkernel - Fpage
Fpage
fundamental element for address space

34. 11/25/16 34
F9 microkernel - Fpage
Fpage
fundamental element for address space

35. 11/25/16 35
F9 microkernel - Fpage
Fpage
fundamental element for address space
assign_fpage
map_fpage
unmap_fpage
split_fpage

36. 11/25/16 36
F9 microkernel - Fpage
Fpage
fundamental element for address space
assign_fpage
map_fpage
unmap_fpage
split_fpage

37. 11/25/16 37
F9 microkernel - Fpage
Fpage
fundamental element for address space
assign_fpage
map_fpage
unmap_fpage
split_fpage

38. 11/25/16 38
F9 microkernel - Fpage
Fpage
fundamental element for address space
assign_fpage
map_fpage
unmap_fpage
split_fpage

39. 11/25/16 39
F9 microkernel – Address Space
Address Space (as)
Construct by fpage list
Contain one thread's fpage information
5 API

40. 11/25/16 40
F9 microkenrel – Address Space
Address Space API
as_t *as_create(uint32_t as_spaceid);
void as_destroy(as_t *as);
void as_setup_mpu(as_t *as, memptr_t sp, memptr_t
pc, memptr_t stack_base, size_t stack_size);
void as_map_user(as_t *as);
void as_map_ktext(as_t *as);

41. 11/25/16 41
F9 microkenrel – Address Space
Address Space API
as_t *as_create(uint32_t as_spaceid);
call by:

42. 11/25/16 42
F9 microkenrel – Address Space
Address Space API
as_t *as_create(uint32_t as_spaceid);
code:

43. 11/25/16 43
F9 microkenrel – Address Space
Address Space API
void as_map_user(as_t *as);
Map user text, data and hardware device memory
void as_map_ktext(as_t *as);
Map kernel text, data

44. 11/25/16 44
F9 microkenrel – Address Space
Address Space API
void as_setup_mpu(as_t *as, memptr_t sp, memptr_t
pc, memptr_t stack_base, size_t stack_size);

45. 11/25/16 45
F9 microkenrel – Address Space
Address Space API
as_setup_mpu
protect stack fpages first
then
PC
always-mapped fpages
other

46. 11/25/16 46
F9 microkernel – Memory management
System calls are provided to manage address
spaces:
Grant: The memory page is granted to a new user and
cannot be used anymore by its former user.
Map: This implements shared memory – the memory
page is passed to another task but can be used by both
tasks.
Flush: The memory page that has been mapped to
other users will be flushed out of their address space.

47. 11/25/16 47
F9 microkernel – Memory management
System calls are provided to manage address
spaces:
Grant: The memory page is granted to a new user and
cannot be used anymore by its former user.
Map: This implements shared memory – the memory
page is passed to another task but can be used by both
tasks.
Flush: The memory page that has been mapped to
other users will be flushed out of their address space.

48. 11/25/16 48
F9 microkernel – Memory management
System calls are provided to manage address
spaces:
Grant: The memory page is granted to a new user and
cannot be used anymore by its former user.
Map: This implements shared memory – the memory
page is passed to another task but can be used by both
tasks. (as_map_user/ktext)
Flush: The memory page that has been mapped to
other users will be flushed out of their address space.

49. 11/25/16 49
F9 microkernel – Memory management
System calls are provided to manage address
spaces:
Grant: The memory page is granted to a new user and
cannot be used anymore by its former user.
Map: This implements shared memory – the memory
page is passed to another task but can be used by both
tasks.
Flush: The memory page that has been mapped to
other users will be flushed out of their address space.
(unmap_fpage)

50. 11/25/16 50
F9 microkernel – Memory management
Recursive Address Space:
Initial address space controlled by first process.
Controls all available memory
Other address spaces empty at boot
In F9 microkernel, root thread was the init address space
holder

51. 11/25/16 51
F9 microkernel – Memory management
Recursive Address Space:
Initial address space controlled by first process.
Controls all available memory
Other address spaces empty at boot
In F9 microkernel, root thread was the init address space
holder
Other processes (threads) obtain memory pages from
first or from their other processes that got page from
parent

52. 11/25/16 52
F9 microkernel – Memory management
Recursive Address Space:
Initial address space controlled by first process.
Controls all available memory
Other address spaces empty at boot
In F9 microkernel, root thread was the init address space
holder
Other processes (threads) obtain memory pages from
first or from their other processes that got page from
parent

53. 11/25/16 53
F9 microkernel – Memory management
Recursive Address Space:
Initial address space controlled by first process.
Controls all available memory
Other address spaces empty at boot
In F9 microkernel, root thread was the init address space
holder
Other processes (threads) obtain memory pages from
first or from their other processes that got page from
parent

54. 11/25/16 54
F9 microkernel
Debugging Tools
kdb
kproble
openocd + gdb

55. 11/25/16 55
F9 microkernel – Debugging Tools
KDB
In-kernel debugger is built and run at boot by default
support multiple useful command
easy to adding new command

56. 11/25/16 56
F9 microkernel – Debugging Tools
KDB
In-kernel debugger is built and run at boot by default
support multiple useful command

57. 11/25/16 57
F9 microkernel – Debugging Tools
kprobe
Linux-style kprobe
support banding by symbol name

58. 11/25/16 58
F9 microkernel – Debugging Tools
openocd + gdb
Powerful then st-util
useful command:
http://openocd.org/doc/html/General-Commands.html

59. 11/25/16 59
F9 microkernel – Debugging Tools
openocd + gdb
Powerful then st-util
useful command:
http://openocd.org/doc/html/General-Commands.html

60. 11/25/16 60
F9 microkernel – Debugging Tools
openocd + gdb
useful command:
http://openocd.org/doc/html/General-Commands.html
memory access
mdw / mdh / mdb – Display contents of address addr
mww / mwh /mwb – Writes the specified value at addr

61. 11/25/16 61
F9 microkernel – Debugging Tools
openocd + gdb
useful command:
http://openocd.org/doc/html/General-Commands.html
memory access
mdw / mdh / mdb – Display contents of address addr
mww / mwh /mwb – Writes the specified value at addr
access register value
reg – dump all register value
reg [number | name] [value] – just OP

62. 11/25/16 62
F9 microkernel – The Bug
The Bug
Really matter one

63. 11/25/16 63
F9 microkernel – The Bug
The Bug
Really matter one
Adding new feature for l4test (a test suite from pisachio)
IPC testing via Local destination Id

64. 11/25/16 64
F9 microkernel – The Bug
The Bug
Really matter one
Adding new feature for l4test (a test suite from pisachio)
IPC testing via Local destination Id

65. 11/25/16 65
F9 microkernel – The Bug
The Bug
Really matter one
Adding new feature for l4test (a test suite from pisachio)
IPC testing via Local destination Id

66. 11/25/16 66
F9 microkernel – The Bug
The Bug
Really matter one
Adding new feature for l4test (a test suite from pisachio)
IPC testing via Local destination Id

67. 11/25/16 67
F9 microkernel – The Bug
The Bug - Sender

68. 11/25/16 68
F9 microkernel – The Bug
The Bug - Reciver

69. 11/25/16 69
F9 microkernel – The Bug
The Bug

70. 11/25/16 70
F9 microkernel – The Bug
The Bug

71. 11/25/16 71
F9 microkernel – Unsolved problems
Unsolved problems
Time-slice schedule
User space busy loop hang system
POSIX layer support

72. 11/25/16 72
BitSec

73. 11/25/16 73
BitSec
BitSec is......
BitSec is a microkernel intended for high-reliability
embedded applications on ARMv7-M architecture
processors, such as the Cortex-M4.
BitSec is a third-generation microkernel. Its design is
heavily inspired by EROS/KeyKOS, MINIX 3, and the L4
family, particularly seL4.

74. 11/25/16 74
BitSec
BitSec, like other third-generation microkernel
Focuses on minimality and security,
Expresses all authority through explicit capabilities,
Moves other mechanisms with security implications
outside the kernel,
Blurs the line between a traditional microkernel and a
hypervisor, and
Targets a very small kernel codebase (in BitSec’s case,
less than 2500 sloccount lines of code).

75. 11/25/16 75
BitSec
BitSec, like other third-generation microkernel
Focuses on minimality and security,
Expresses all authority through explicit capabilities,
Moves other mechanisms with security implications
outside the kernel,
Blurs the line between a traditional microkernel and a
hypervisor, and
Targets a very small kernel codebase (in BitSec’s case,
less than 2500 sloccount lines of code).

76. 11/25/16 76
BitSec
BitSec is not...
A complete operating system

77. 11/25/16 77
BitSec
BitSec is not...
A complete operating system
By analogy: putting the Linux kernel on a computer
doesn’t allow one to run Firefox. Linux is only a kernel;
there’s a whole lot of operating system that must be
added to make a complete system.
This is even more true of BitSec than of Linux, because
BitSec’s design is so minimal. Like other third-
generation microkernels, BitSec doesn’t even include
hardware drivers in the kernel.

78. 11/25/16 78
BitSec
BitSec is not...
A complete operating system

79. 11/25/16 79
BitSec
BitSec is not...
A complete operating system
By analogy: putting the Linux kernel on a computer
doesn’t allow one to run Firefox. Linux is only a kernel;
there’s a whole lot of operating system that must be
added to make a complete system.
This is even more true of BitSec than of Linux, because
BitSec’s design is so minimal. Like other third-
generation microkernels, BitSec doesn’t even include
hardware drivers in the kernel.

80. 11/25/16 80
BitSec - Key
BitSec capability: Key
Conceptually, Key combines
A reference to a kernel object
A set of operations on that object that the key enables

81. 11/25/16 81
BitSec - Key
BitSec capability: Key
Implementation, a key is a kernel data structure built
from three part
A brand, which distinguishes kines of keys to particular
object from one another
A generation, which distinguishes keys to successive
objects, created in the same location, from one another.
A pointer to a kernel object.

82. 11/25/16 82
BitSec - Key
BitSec capability: Key
struct

83. 11/25/16 83
BitSec - Key
BitSec capability: Key
struct
keys can be freely copied but not directly created
mint the key from object table

84. 11/25/16 84
BitSec - Key
BitSec capability: Key
Brands
64 bit value chosen when the key was create (minted)
indelible, cannot be alter except by minting a new key
program cannot discover the brand of keys they hold
when a key is copied, the copies bear the same brand

85. 11/25/16 85
BitSec - Key
BitSec capability: Key
keys can be freely copied but not directly created
mint the key from object table
program can only perform three operations on a key
Copy the key into a different key register
Send a message to the object designated by the key
Receive a message from the object designated by the
key

86. 11/25/16 86
BitSec - Key
BitSec capability: Key
keys can be freely copied but not directly created
mint the key from object table
program can not do following without holding addi auth
Determine the kind of kernel object designated by a key
Determine if two keys designate the same kernel object
Determine if two keys give the same rights on their
designated objects

87. 11/25/16 87
BitSec - Key
BitSec capability: Key
keys can be freely copied but not directly created
mint the key from object table
program can not do following without holding addi auth
Determine the kind of kernel object designated by a key
Determine if two keys designate the same kernel object
Determine if two keys give the same rights on their
designated objects

88. 11/25/16 88
BitSec - Key
BitSec capability: Key
Generations and Revocation
used to provide efficient revocation
When program invokes a key
kernel compares the key's generation to a object
generation
If two match, proceeds normally
If not match, object has been invalidated

89. 11/25/16 89
BitSec - Key
BitSec capability: Key
Generations and Revocation
used to provide efficient revocation
When program invokes a key
kernel compares the key's generation to a object
generation
If two match, proceeds normally
If not match, object has been invalidated

90. 11/25/16 90
BitSec – Object Oriented
BitSec design: Object Oriented
Using c++11 standard
Every resource and service that the system can see in
the kernel is represented as an objectbundling together
state and operations on that state.

91. 11/25/16 91
BitSec – Object Oriented
BitSec design: Object Oriented
Using c++11 standard
Every resource and service that the system can see in
the kernel is represented as an objectbundling together
state and operations on that state.
For example: the Keys

92. 11/25/16 92
BitSec – Object Oriented
BitSec design: Object Oriented
Every resource and service that the system can see in
the kernel is represented as an objectbundling together
state and operations on that state.
For example: the Keys

93. 11/25/16 93
BitSec – Object Oriented
BitSec design: Object Oriented
Using c++11 standard
Every resource and service that the system can see in
the kernel is represented as an objectbundling together
state and operations on that state.
For example: the Keys

94. 11/25/16 94
BitSec – Object Oriented
BitSec design: Object Oriented
Using c++11 standard
Every resource and service that the system can see in
the kernel is represented as an objectbundling together
state and operations on that state.
For example: the Keys
And can be usable from C

95. 11/25/16 95
BitSec – Object Oriented
BitSec design: Object Oriented
And can be usable from C
BitSec is implemented in C++11, but was designed to
be usable from legacy languages suchas C and
assembler.
As FreeRTOS/BitSec is entirely C (and C90 at that), this
seems to have worked.

96. 11/25/16 96
BitSec – Future work
BitSec future work
Enhancement of the build systems
porting guest OS to BitSec
(FreeRTOS, Linux, or maybe from stratch)
Formal Verify by CoGENT
Adding network stack ?

97. 11/25/16 97
F9 / BitSec
Demoon stm32f429

98. 11/25/16 98
A tour of F9 microkernel and BitSec hypervisor
Q&A

99. 11/25/16 99
A tour of F9 microkernel and BitSec hypervisor
Thanks

100. 11/25/16 100
References
CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels
http://flint.cs.yale.edu/certikos/publications/certikos-osdi16.pdf
F9 microkernel & ARM hypervisor
https://hackmd.io/s/r16AUMbJe
F9: A secure microkernel for MMUless embedded systems
https://github.com/grapherd/f9-report
F9: A secure and Efficient Microkernel Built for Deeply Embedded Systems
http://www.slideshare.net/jserv/f9-microkernel
Technical Report on the BitSec Kernel
OpenOCD general command
http://openocd.org/doc/html/General-Commands.html