Fast, Secure, Adaptable: LionsOS Design, Implementation and Performance

This lightning talk explores LionsOS, a radically modular operating system built on the formally verified seL4 microkernel for safety- and security-critical embedded systems. We examine how extreme separation of concerns and static architecture enable both rigorous verification and surprising performance gains, demonstrating that security and speed need not be opposing forces in mixed-criticality systems like aircraft and autonomous vehicles.
Script
In aircraft and autonomous cars, a single software failure can mean catastrophic security breaches. Yet these mixed-criticality systems must run both life-critical components and mundane background tasks on the same hardware, each isolated from the other's failures.
Mixed-criticality systems demand that a navigation computer's operation remains unaffected even if the entertainment system crashes. The researchers built LionsOS to solve this through radical modularity, starting from the formally verified seL4 microkernel, which has mathematical proofs of its security and correctness.
How do you build an operating system where every component can be verified independently?
The authors designed LionsOS around three principles. First, radical simplicity through separation: device drivers, virtualizers, and services each live in isolated modules. Second, least privilege: every component gets only the permissions it absolutely needs. This modularity matters because verification effort scales with the square of specification size, so smaller, isolated components are far easier to prove correct than one large one.
Previous microkernel systems suffered poor performance from communication overhead. LionsOS solves this with lock-free queues connecting components and zero-copy data transfer. Location transparency allows processes to migrate across cores without code changes, letting the system optimize resource allocation dynamically.
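To make the lock-free queue and zero-copy idea concrete, here is an added example (written for this page, not LionsOS or sDDF code) of a single-producer, single-consumer queue that passes buffer descriptors over a shared region; the region size, queue capacity, and descriptor layout are assumptions, and the consumer validates each descriptor because the component on the other side may be less trusted.

```c
/* Added example (not LionsOS/sDDF code): lock-free single-producer,
 * single-consumer queue over a shared region. Components exchange buffer
 * descriptors (offset, len), not payloads, so transfer is zero-copy; the
 * consumer validates every descriptor because the producer may be less trusted. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define QUEUE_CAPACITY 8      /* power of two so index masking works */
#define REGION_SIZE    4096   /* bytes in the shared data region (assumed) */

typedef struct { uint32_t offset; uint32_t len; } buf_desc_t;
typedef struct {
    _Atomic uint32_t head;            /* advanced by the consumer only */
    _Atomic uint32_t tail;            /* advanced by the producer only */
    buf_desc_t entries[QUEUE_CAPACITY];
} spsc_queue_t;
static uint8_t shared_region[REGION_SIZE];  /* stands in for a shared mapping */

void queue_init(spsc_queue_t *q) { atomic_init(&q->head, 0); atomic_init(&q->tail, 0); }

/* Overflow-safe check that [offset, offset+len) lies inside the region. */
bool desc_valid(buf_desc_t d) {
    return d.offset <= REGION_SIZE && d.len <= REGION_SIZE - d.offset;
}

/* Producer: write the payload into shared memory, then publish its descriptor. */
bool produce(spsc_queue_t *q, uint32_t offset, const uint8_t *data, uint32_t len) {
    uint32_t tail = atomic_load_explicit(&q->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&q->head, memory_order_acquire);
    buf_desc_t d = { offset, len };
    if (tail - head == QUEUE_CAPACITY || !desc_valid(d)) return false;
    memcpy(shared_region + offset, data, len);      /* the only copy: into shared memory */
    q->entries[tail & (QUEUE_CAPACITY - 1)] = d;
    atomic_store_explicit(&q->tail, tail + 1, memory_order_release); /* publish last */
    return true;
}

/* Consumer: 1 = descriptor delivered (*buf points into shared memory, no copy),
 * 0 = queue empty, -1 = malformed descriptor dropped without touching memory. */
int consume(spsc_queue_t *q, const uint8_t **buf, uint32_t *len) {
    uint32_t head = atomic_load_explicit(&q->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&q->tail, memory_order_acquire);
    if (head == tail) return 0;
    buf_desc_t d = q->entries[head & (QUEUE_CAPACITY - 1)];  /* copy out before freeing the slot */
    atomic_store_explicit(&q->head, head + 1, memory_order_release);
    if (!desc_valid(d)) return -1;
    *buf = shared_region + d.offset; *len = d.len; return 1;
}
```

The acquire/release pairing on the indices is what lets the two components share the queue without a lock, and the bounds check is what keeps a bad descriptor from turning a shared buffer into an out-of-bounds read in the consumer.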
Rather than rewriting every device driver from scratch, the researchers let LionsOS reuse existing Linux drivers by running them in isolated virtual machines. A driver crash affects only that VM, never the critical components, and teams avoid years of driver development work.
Does all this isolation and verification come at the cost of speed?
When the authors benchmarked LionsOS against Linux using network echo servers, the results defied conventional wisdom. LionsOS handled full network load more efficiently, achieving higher throughput while consuming less CPU. Separation of concerns did not compromise performance; it enhanced it.
This architecture makes formal verification realistic: proving each small module correct is feasible where proving a monolith would be impossible. The system already supports swapping policies at runtime without affecting operation. Current work targets embedded systems, with future extensions potentially addressing more general computing scenarios and enhanced dynamic resource allocation.
LionsOS demonstrates that security, verifiability, and performance can reinforce rather than contradict each other when radical modularity guides every design decision. Visit EmergentMind.com to explore more research and create your own video presentations.