Virtual Open Systems Scientific Publications

Introduction

The Automotive domain is currently undergoing a paradigm shift. Manufacturers alter their system architectures from having a single processing unit for individual subsystems, towards the integration of multiple subsystems with a full spectrum of different safety requirements. In-Vehicle Infotainment systems for example, reside on the very low end of this criticality spectrum and the car control unit resides on the very high end. All are integrated on a single Electronic Control Unit (ECU), by capitalizing on the performance of powerful heterogeneous multi core platforms. But, these automotive mixed-criticality systems [1] pose new challenges on the system software [2]-[4]. To accommodate the increased complexity, automotive manufacturers leverage alternative software architectures to execute several software stacks concurrently. In this context, a highly privileged orchestrating entity provides full spatial and temporal isolation of the different software components. virtualization plays a key role in this trend, but off-the-shelf virtualization solutions (e.g. Xen [5], KVM [6], Hyper-V [7], etc.) are more trimmed towards performance rather than the maximum level of isolation (cf. [8]-[10]). Therefore, they do not provide the level of temporal and spatial isolation required by the automotive domain. Also, with regards to certification (e.g. ISO 26262 [11]) these conventional solutions are lacking behind for the above reasons. Instead, automotive manufacturers use highly specialized certified kernels [12]-[14] to fulfill the demanded safety requirements. These solutions are very similar in their design (e.g., leveraging hardware processor extensions such as ARM TrustZone [15], [16] or ARM VE [17]), but have more predictable timing characteristics, than their off-the-shelf counter parts. Running on top of these privileged components, the General Purpose Operating System (GPOS) Linux found a widespread adoption due to its versatility and ability to produce a rich user interface for the In-Vehicle Infotainment (IVI) system. It is accompanied by a Special-Purpose Operating System (SPOS), which handles mission-critical tasks (e.g., displaying speed, engine torque and/or warning signs). In this context, both components serve a dedicated purpose, without the perceived need of interaction. However, a closer look at specific scenarios, reveals that an interaction between systems is required. Then, the strict spatial isolation - initially one of the key requirements of the said system architecture - must be thinned. In this context, establishing a network link between the components raises two questions. First, can the latency requirements from the critical application, be fulfilled? Second, can the integrity of the critical application be upheld, while efficiently exchanging information with the non-critical system? In this paper these open research questions are addressed. We present the design of an architecture that enables a low-latency network link between SPOS and GPOS, taking safety and security requirements into account. Its feasibility is demonstrated with a full prototype implementation called VOSYSVirtualNet. The prototype is based on a highly privileged firmware called VOSYSmonitor [13], that runs in the monitor mode of modern ARM-based System-on-Chips (SoCs). The communicating endpoints of VOSYSVirtualNet are a Linux running in the non-secure world and a FreeRTOS running in the secure world. We verify the low-latency with a number of benchmarks and put the results into context by comparing them against a reference system. Finally, the security concerns are addressed by referring to the safety and security aspects that are included in the design of VOSYSVirtualNet. The rest of the paper is structured as follows. Section II provides preliminaries and background information. The architecture of VOSYSVirtualNet is presented in Section III and evaluated in Section IV. Then, security implications of our design are discussed in Section V, while related work is presented in Section VI. Finally, we conclude and present future work in Section VII and Section VIII, respectively.