-
vNV-Heap: An Ownership-Based Virtually Non-Volatile Heap for Embedded Systems
Authors:
Markus Elias Gerber,
Luis Gerhorst,
Ishwar Mudraje,
Kai Vogelgesang,
Thorsten Herfet,
Peter Wägemann
Abstract:
The Internet of Batteryless Things might revolutionize our understanding of connected devices by harvesting required operational energy from the environment. These systems come with the system-software challenge that the intermittently powered IoT devices have to checkpoint their state in non-volatile memory to later resume with this state when sufficient energy is available. The scarce energy res…
▽ More
The Internet of Batteryless Things might revolutionize our understanding of connected devices by harvesting required operational energy from the environment. These systems come with the system-software challenge that the intermittently powered IoT devices have to checkpoint their state in non-volatile memory to later resume with this state when sufficient energy is available. The scarce energy resources demand that only modified data is persisted before a power failure, which requires precise modification tracking.
We present vNV-Heap, the first ownership-based virtually Non-Volatile Heap for intermittently powered systems with guaranteed power-failure resilience. The heap exploits ownership systems, a zero-cost (i.e., compile-time) abstraction for example implemented by Rust, to track modifications and virtualize object persistence. To achieve power-failure resilience, our heap is designed and implemented to guarantee bounded operations by static program code analysis: For example, the heap allows for determining a worst-case energy consumption for the operation of persisting modified and currently volatile objects. The evaluation of our open-source implementation on an embedded hardware platform (i.e., ESP32-C3) shows that using our heap abstraction is more energy efficient than existing approaches while also providing runtime guarantees by static worst-case bounds.
△ Less
Submitted 15 May, 2025; v1 submitted 29 January, 2025;
originally announced January 2025.
-
Reverse Engineering the ESP32-C3 Wi-Fi Drivers for Static Worst-Case Analysis of Intermittently-Powered Systems
Authors:
Ishwar Mudraje,
Kai Vogelgesang,
Jasper Devreker,
Luis Gerhorst,
Phillip Raffeck,
Peter Wägemann,
Thorsten Herfet
Abstract:
The Internet of Batteryless Things revolutionizes sustainable communication as it operates on harvested energy. This harvested energy is dependent on unpredictable environmental conditions; therefore, device operations, including those of its networking stack, must be resilient to power failures. Reactive intermittent computing provides an approach for solving this by notifications of impending po…
▽ More
The Internet of Batteryless Things revolutionizes sustainable communication as it operates on harvested energy. This harvested energy is dependent on unpredictable environmental conditions; therefore, device operations, including those of its networking stack, must be resilient to power failures. Reactive intermittent computing provides an approach for solving this by notifications of impending power failures, which is implemented by monitoring the harvested energy buffered in a capacitor. However, to use this power-failure notification and guarantee forward progress, systems must break down tasks into atomic transactions that can be predictably finished before the energy runs out. Thus, static program-code analysis must determine the worst-case energy consumption (WCEC) of all transactions. In Wi-Fi-capable devices, drivers are often closed-source, which avoids the determination of WCEC bounds for transactions since static analysis requires all code along with its semantics.
In this work, we integrate an energy-aware networking stack with reverse-engineered Wi-Fi drivers to enable full-stack WCEC analysis for physical transmission and reception of packets. Further, we extended a static worst-case analysis tool with a resource-consumption model of our Wi-Fi driver. Our evaluation with the RISC-V-based ESP32-C3 platform gives worst-case bounds with our static analysis approach for the transactions of the full communication stack, therefore showing that Wi-Fi-based reactive intermittent computing is feasible.
△ Less
Submitted 3 April, 2025; v1 submitted 29 January, 2025;
originally announced January 2025.
-
VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel Extensions
Authors:
Luis Gerhorst,
Henriette Herzog,
Peter Wägemann,
Maximilian Ott,
Rüdiger Kapitza,
Timo Hönig
Abstract:
High-performance IO demands low-overhead communication between user- and kernel space. This demand can no longer be fulfilled by traditional system calls. Linux's extended Berkeley Packet Filter (BPF) avoids user-/kernel transitions by just-in-time compiling user-provided bytecode and executing it in kernel mode with near-native speed. To still isolate BPF programs from the kernel, they are static…
▽ More
High-performance IO demands low-overhead communication between user- and kernel space. This demand can no longer be fulfilled by traditional system calls. Linux's extended Berkeley Packet Filter (BPF) avoids user-/kernel transitions by just-in-time compiling user-provided bytecode and executing it in kernel mode with near-native speed. To still isolate BPF programs from the kernel, they are statically analyzed for memory- and type-safety, which imposes some restrictions but allows for good expressiveness and high performance. However, to mitigate the Spectre vulnerabilities disclosed in 2018, defenses which reject potentially-dangerous programs had to be deployed. We find that this affects 31% to 54% of programs in a dataset with 844 real-world BPF programs from popular open-source projects. To solve this, users are forced to disable the defenses to continue using the programs, which puts the entire system at risk.
To enable secure and expressive untrusted Linux kernel extensions, we propose VeriFence, an enhancement to the kernel's Spectre defenses that reduces the number of BPF application programs rejected from 54% to zero. We measure VeriFence's overhead for all mainstream performance-sensitive applications of BPF (i.e., event tracing, profiling, and packet processing) and find that it improves significantly upon the status-quo where affected BPF programs are either unusable or enable transient execution attacks on the kernel.
△ Less
Submitted 8 January, 2025; v1 submitted 30 April, 2024;
originally announced May 2024.
-
Migration-Based Synchronization
Authors:
Stefan Reif,
Phillip Raffeck,
Luis Gerhorst,
Wolfgang Schröder-Preikschat,
Timo Hönig
Abstract:
A fundamental challenge in multi- and many-core systems is the correct execution of concurrent access to shared data. A common drawback from existing synchronization mechanisms is the loss of data locality as the shared data is transferred between the accessing cores. In real-time systems, this is especially important as knowledge about data access times is crucial to establish bounds on execution…
▽ More
A fundamental challenge in multi- and many-core systems is the correct execution of concurrent access to shared data. A common drawback from existing synchronization mechanisms is the loss of data locality as the shared data is transferred between the accessing cores. In real-time systems, this is especially important as knowledge about data access times is crucial to establish bounds on execution times and guarantee the meeting of deadlines.We propose in this paper a refinement of our previously sketched approach of Migration-Based Synchronization (MBS) as well as its first practical implementation. The core concept of MBS is the replacement of data migration with control-flow migration to achieve synchronized memory accesses with guaranteed data locality. This leads to both shorter and more predictable execution times for critical sections. As MBS can be used as a substitute for classical locks, it can be employed in legacy applications without code alterations.We further examine how the gained data locality improves the results of worst-case timing analyses and results in tighter bounds on execution and response time. We reason about the similarity of MBS to existing synchronization approaches and how it enables us to reuse existing analysis techniques.Finally, we evaluate our prototype implementation, showing that MBS can exploit data locality with similar overheads as traditional locking mechanisms.
△ Less
Submitted 18 February, 2022;
originally announced February 2022.
-
AnyCall: Fast and Flexible System-Call Aggregation
Authors:
Luis Gerhorst,
Benedict Herzog,
Stefan Reif,
Wolfgang Schröder-Preikschat,
Timo Hönig
Abstract:
Operating systems rely on system calls to allow the controlled communication of isolated processes with the kernel and other processes. Every system call includes a processor mode switch from the unprivileged user mode to the privileged kernel mode. Although processor mode switches are the essential isolation mechanism to guarantee the system's integrity, they induce direct and indirect performanc…
▽ More
Operating systems rely on system calls to allow the controlled communication of isolated processes with the kernel and other processes. Every system call includes a processor mode switch from the unprivileged user mode to the privileged kernel mode. Although processor mode switches are the essential isolation mechanism to guarantee the system's integrity, they induce direct and indirect performance costs as they invalidate parts of the processor state. In recent years, high-performance networks and storage hardware has made the user/kernel transition overhead the bottleneck for IO-heavy applications. To make matters worse, security vulnerabilities in modern processors (e.g., Meltdown) have prompted kernel mitigations that further increase the transition overhead. To decouple system calls from user/kernel transitions we propose AnyCall, which uses an in-kernel compiler to execute safety-checked user bytecode in kernel mode. This allows for very fast system calls interleaved with error checking and processing logic using only a single user/kernel transition. We have implemented AnyCall based on the Linux kernel's eBPF subsystem. Our evaluation demonstrates that system call bursts are up to 55 times faster using AnyCall and that real-world applications can be sped up by 24% even if only a minimal part of their code is run by AnyCall.
△ Less
Submitted 31 January, 2022;
originally announced January 2022.
