EROS: a fast capability system
In Symposium on Operating Systems Principles, 1999
Cited by 151 (21 self)
EROS is a capability-based operating system for commodity processors which uses a single level storage model. The single level store's persistence is transparent to applications. The performance consequences of support for transparent persistence and capability-based architectures are generally believed to be negative. Surprisingly, the basic operations of EROS (such as IPC) are generally comparable in cost to similar operations in conventional systems. This is demonstrated with a set of microbenchmark measurements of semantically similar operations in Linux. The EROS system achieves its performance by coupling well-chosen abstract objects with caching techniques for those objects. The objects (processes, nodes, and pages) are well-supported by conventional hardware, reducing the overhead of capabilities. Software-managed caching techniques for these objects reduce the cost of persistence. The resulting performance suggests that composing protected subsystems may be less costly than c...
Verifying the EROS Confinement Mechanism
2000
Cited by 34 (7 self)
Capability systems can be used to implement higher-level security policies including the *-property if a mechanism exists to ensure confinement. The implementation can be efficient if the "weak" access restriction described in this paper is introduced. In the course of developing EROS, a pure capability system, it became clear that verifying the correctness of the confinement mechanism was necessary in establishing the security of the operating system. This paper presents a verification of the EROS confinement mechanism with respect to a broad class of capability architectures (including EROS). We give a formal statement of the requirements, construct a model of the architecture's security policy and operational semantics, and show that architectures covered by this model enforce the confinement requirements if a small number of initial static checks on the confined subsystem are satisfied. The method used generalizes to any capability system.
EROS: A Capability System
1997
Cited by 29 (6 self)
Capabilities define a uniform semantics for system service invocation, enforce separation of concerns and encapsulation, and allow each program to be restricted to exactly that set of authority it requires (the principle of least privilege). Capability systems therefore readily contain and reduce errors at the application level and improve component testability. If carefully architected, a capability system should be both faster and simpler than a comparable access-control-based system. In practice, implementations have failed to demonstrate such performance. This paper provides an architectural overview of EROS, the Extremely Reliable Operating System. EROS is a persistent capability system which provides complete accountability for persistent, consumable and multiplexed resources. By choosing abstractions to leverage conventional hardware protection, and exploiting hardware support in the implementation, a fast pure capability architecture can be demonstrated. This paper de...
Verifying the L4 virtual memory subsystem
National ICT Australia, 2004
Cited by 13 (4 self)
We describe aspects of the formalisation and verification of the L4 µ-kernel. Starting from an abstract model of the virtual memory subsystem in L4, we prove safety properties about this model, and then refine the page table abstraction, one part of the model, towards C source code. All formalisations and proofs have been carried out in the theorem prover Isabelle.
Towards Verified Virtual Memory in L4
TPHOLs Emerging Trends '04, Park City, 2004
Cited by 7 (6 self)
We report on the initial stage of an on-going verification project: the formalisation and verification of the L4 µ-kernel. We describe an abstract model of the virtual memory subsystem in L4, prove safety properties about this model, and describe refinement of the abstract model towards the implementation of L4. All formalisations and proofs have been carried out in the theorem prover Isabelle.
Formalising the L4 microkernel API
Computing: The Australasian Theory Symposium (CATS 06), volume 51 of Conferences in Research and Practice in Information Technology, 2006
Cited by 3 (2 self)
This paper gives an overview of a pilot project on the specification and verification of the L4 high-performance microkernel. Of the three aspects examined in the project, we describe one in more detail: the formalisation of the kernel's Application Programming Interface using the B Method. We conclude that machine-supported formal verification of software is at a turning point; that it is now feasible, and desirable, to formally verify production-quality operating systems.
A Formal Model of the L4 µ-Kernel API Using . . .
2004
The increasing dependence of modern society on information systems increases the need for secure operating system kernels. Formal methods offer a way to achieve such high-level security; however, they require a significant investment of time and are not well suited for large kernels such as that of Linux. µ-kernels offer an alternative which is both elegant and possibly small enough to make formal specification tractable. The L4 Pilot project aims to investigate various approaches towards the formalisation of the L4 µ-kernel and to evaluate its feasibility. In order to

