M³: Taking Microkernels to the Next Level

Current microkernels have shown to provide advantages in terms of security, robustness, and flexibility of systems. However, in recent years, the hardware added new challenges that need to be addressed as well, demanding approaches that include the hardware into the picture. First, hardware is getting more and more heterogeneous and consists not only of general-purpose cores, but contains also various accelerators. Second, system designers need to integrate untrusted third-party components (e.g., accelerators or modems) to meet today's performance, energy, and development-time demands. And third, security vulnerabilities such as Meltdown, Spectre, and Fallout have shown that today's complex general-purpose cores should not be trusted anymore to properly enforce isolation boundaries between different software components. In my talk, I will present a new system architecture that takes existing microkernel ideas to the "next level" to address the mentioned challenges. We use a hardware/operating system co-design consisting of a small and simple hardware component, called trusted communication unit (TCU), that we add next to each processing element (core, accelerator, modem, etc.) and an operating system, called M³, that takes advantage of it. The TCU provides a uniform interface for all processing elements, simplifying the management and usage of heterogeneous processing elements, and enables secure communication between arbitrary processing elements. M³ is designed as a microkernel-based system and runs its components on different processing elements with TCU-based communication channels between them. To account for the security vulnerabilities in today's cores, M³ places components onto different and physically isolated processing elements by default, but allows sharing of processing elements as a fallback.