
Open and cost-effective virtualization techniques and supporting separation kernel for the embedded systems industry

Final Report Summary - VOS4ES (Open and cost-effective virtualization techniques and supporting separation kernel for the embedded systems industry)



Executive Summary:

The VOS4ES project provides a highly extensible, open source virtualization layer and a set of supporting tools that give SMEs access to virtualization technologies at a low cost and with high flexibility in adapting them to specific requirements, as opposed to existing proprietary solutions.

The main result of the VOS4ES project is the VOS4ES virtualization layer, which allows the concurrent execution of hard real-time and non-critical applications of different security levels over the same hardware. The VOS4ES virtualization layer includes the hardware and guest OS adaptation libraries (for the POSIX-compatible PaRTiKle OS, Linux and Android OS) that make VOS4ES compatible with several hardware platforms and operating systems, and the configuration management and executable image generation tool that allows the virtualization layer to be configured and built according to case-specific requirements.

Moreover, a set of VOS4ES supporting tools are provided including: a monitoring tool that enables real time monitoring of predefined system characteristics in order to allow a continuous system execution overview and add reporting capabilities; and a testing and validation tool that provides a framework to allow the generation and execution of automated system tests for validation purposes and performance analysis of the VOS4ES virtualization layer and the guest applications.

Finally, a set of embedded applications are developed for validation of the VOS4ES framework in different application domains, i.e. video surveillance, automotive and telecommunications sectors.

Within the VOS4ES project, the VOS4ES virtualization layer, which allows the concurrent execution of hard real-time and non-critical applications of different security levels over the same hardware, is provided along with a set of supporting tools. The VOS4ES virtualization layer includes the hardware and guest OS adaptation libraries (for the POSIX-compatible PaRTiKle OS, Linux and Android OS) that make VOS4ES compatible with several hardware platforms and operating systems, and the configuration management and executable image generation tool that allows the virtualization layer to be configured and built according to case-specific requirements.

Moreover, a monitoring tool is provided that enables real time monitoring of predefined system characteristics in order to allow a continuous system execution overview and add reporting capabilities; and a testing and validation tool that provides a framework to allow the generation and execution of automated system tests for validation purposes and performance analysis of the VOS4ES virtualization layer and the guest applications.

Following the overall assessment of the VOS4ES results, the VOS4ES framework was shown to be applicable in several environments, including automotive, avionics, telecoms and video surveillance, providing temporal and spatial isolation of critical and non-critical applications. All in all, the VOS4ES approach is assessed positively and is expected to be used in future embedded-system developments in several application domains, where the VOS4ES virtualization framework can improve the quality of the delivered subsystems while decreasing their development and equipment costs.

Project Context and Objectives:

The use of embedded systems is nowadays spreading at an increasing speed to all aspects of modern life as well as all phases of industrial production. Their use extends from everyday non-critical or soft real-time consumer electronics and telecommunications equipment to highly critical automotive, railway, automation control and aerospace systems, which satisfy the most stringent real-time constraints. Regardless of the application criticality, however, the need for high-integrity and high-availability systems, and for systems that handle their data securely, is common and calls for solutions.

To follow these technology trends, there is growing interest in enabling multiple critical applications to share a single processor and memory with non-critical applications and with applications of different security levels.

Partitioned software architectures seem to be the future of secure systems. They have evolved to fulfil security and highly critical real-time systems requirements where predictability is an extremely important factor.

The significant technological know-how and the high cost required to use virtualization technologies have prevented European SMEs that develop embedded systems from adopting these advanced technologies and exploiting the competitive advantages of existing virtualization solutions, and especially of secure partitioning techniques, in their systems.

In this context, VOS4ES provides a highly extensible, open source virtualization layer which allows the concurrent execution of hard real-time and non-critical applications of different security levels over the same hardware. Additionally, a set of supporting tools is provided, including:

• the configuration management and executable image generation tool to allow the configuration and building of the virtualization layer according to the case specific requirements;
• the monitoring tool that enables real time monitoring of predefined system characteristics in order to allow a continuous system execution overview and add reporting capabilities; and
• the testing and validation tool that provides a framework to allow the generation and execution of automated system tests for validation purposes and performance analysis of the VOS4ES virtualization layer and the guest applications.

Furthermore, for the evaluation of the VOS4ES approach, three use cases originating from the video surveillance, automotive and telecommunications sectors have been defined and implemented. The following use cases were designed and developed within the project:

• Video Surveillance Use Case is an innovative video monitoring platform where third party developers may install and test computer vision algorithms in a real video recording device.
• Automotive Use Case is an automotive platform based on Time and Space Partitioning concept (synergetic application with the POSTO project), which enables the execution of critical real time and non-critical non-real time applications on top of the VOS4ES virtualization framework by combining a navigation application that receives information from a CAN application that has access to the CAN bus of a vehicle (velocity, temperature, etc.).
• Data transmission use case presents the implementation of an ISW Switcher based on VOS4ES approach that allows selecting one or several attached wireless modems in order to increase transmission availability, reliability and/or throughput.

The project started on 01/11/2011 and ended on 31/10/2013. The partners involved in this project are TELETEL, VISUAL TOOLS, CMAE, DELTA, BITGEAR, MILTECH, ITTI, UPVLC and FENTISS.

The main objectives of the project are:

• To create the VOS4ES virtualization layer based on the existing XtratuM hypervisor.
• To adapt several OSs for execution over the VOS4ES virtualization layer.
• To design and develop the VOS4ES supporting tools framework to support the VOS4ES virtualization layer configuration and building and the whole system’s execution control, debugging, validation and performance analysis.
• To assess and evaluate the effectiveness of the VOS4ES virtualization layer and supporting tools framework through the realization of a set of representative pilots from the space, avionics, automotive and communications areas, to be administered by the participating SMEs.
• To widely disseminate the knowledge to be generated by the project and promote the adoption of the VOS4ES approach at the European Level.
• To exploit the VOS4ES results for the benefit of the participating SMEs.

The solution that the VOS4ES approach offers mainly targets SMEs or other organizations which develop embedded systems and want to benefit from virtualization and secure partitioning technologies by adopting these advanced technologies and exploiting the competitive advantages of virtualization techniques in their systems. The benefits for the SMEs include but are not limited to:

• Development of new products that require the coexistence of hard-real time applications with noncritical ones over the same hardware without compromising the critical aspects of the system.
• Development of new products and services that integrate multiple systems of different security levels in the same hardware with guaranteed security of the handled information.
• Simplification of existing SMEs products architectures due to hardware sharing, resulting in improved product competence.
• Reduction of size, weight and power consumption of products because of hardware sharing.
• New products with real-time characteristics, based on existing non-critical legacy code. Re-use of non-trusted legacy code (e.g. code developed for Linux, POSIX, C, etc.) at zero adaptation cost and man-time effort to implement safety critical applications.
• Increased robustness of the delivered applications, since they will be based on the safety critical and secure infrastructure the VOS4ES hypervisor ensures.
• Lower development costs and shorter time-to-market, as a result of using the same highly adaptable and extensible VOS4ES infrastructure as a base for a vast variety of delivered products.
• Lower development equipment costs, as a result of hardware sharing by many applications.
• Testing costs reduction and testing quality increase, since the system under test will be possible to execute on the same environment with the production system, and under real use situations.
• Promotion of cooperation between SMEs and companies which develop or use widespread applications executed over general-purpose operating systems (i.e. Windows, Linux, etc.), which have no real-time characteristics, combined on a platform that satisfies real-time requirements.
• Access to virtualization technologies previously exploited only by big companies, with profound new opportunities for profit and financial development.

Figure 1: VOS4ES high-level architecture

The VOS4ES virtualization framework is based on the existing XtratuM hypervisor and contains additional modules including:

• New Hardware Abstraction Layer (HAL) alternatives for VOS4ES compatibility with x86 hardware platforms.
• A set of guest OSs adaptors (e.g. Linux, Android OS).
• An integrated monitoring module.
• Hierarchical fault management mechanisms.
• Additional scheduling policy alternatives.
• A testing framework for validation, execution control and performance analysis.

The general architecture of the VOS4ES virtualization layer and the supporting tools framework is illustrated in Figure 1.

The main components of the VOS4ES framework include:

• The VOS4ES guest OS adaptation library: a set of pre-adapted OSs ready to execute on top of the VOS4ES virtualization layer and use the services provided by its virtualization engine.
• The VOS4ES hardware adaptation library: a set of Hardware Abstraction Layers (HALs) that add portability to the VOS4ES virtualization layer over different underlying hardware platforms by offering a high-level abstraction of the strictly necessary parts of the underlying hardware: processor, interrupts, hardware clocks, hardware timers, virtual memory, etc.
• The VOS4ES virtualization layer: The core component of the VOS4ES virtualization framework based on the existing XtratuM hypervisor, the hypercall APIs, the hypervisor engine (i.e. partition scheduler, fault management mechanism, interpartition communication mechanisms, system trace mechanism and health monitoring), the driver/communication extensions and the hardware adaptation library.
• The VOS4ES configuration management and executable image generation tool: a set of tools used for the configuration of the entire system and for the creation of the binary image, ready to be executed on the target machine.
• The run-time support modules: the Testing and Validation module and the Monitoring module. The Testing and Validation module provides the framework that supports testing and validation of the system and of the guest applications. The Monitoring module monitors predefined system characteristics in order to provide a continuous overview of system execution and add reporting capabilities regarding the system behaviour.

Project Results:

3.2.1 CONFIGURATION MANAGEMENT AND EXECUTABLE IMAGE GENERATION TOOL

In order to enable the deployment of the VOS4ES partitioned software architecture, the system integrator is provided with a complete set of tools for the final system configuration and image generation. The partitioned system based on the VOS4ES virtualisation layer is configured at two levels. The first level affects the source code, to customize the resulting XtratuM executable image; at this level there are also some architecture-specific configuration variables. In VOS4ES, this level of configuration selects the required x86 processor features. The second level affects the resources allocated to partitions at runtime. The system configuration is done with an XML configuration file.

During the configuration phase, the system integrator and the partition developers are involved. The system integrator has to agree with the partition developers on the resources allocated to each partition, based on the requirements of each application. As a result, an XML configuration file is generated by the system integrator, which contains a detailed description of the distribution of memory resources, scheduling parameters and hardware resources among the partitions. Finally, during execution, XtratuM enforces, for each partition, the constraints imposed by the allocated resources. Additionally, the configuration file is checked for validity, first against an XML Schema definition and second against the allowed ranges of the parameter values.
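The two-stage check described above (structure first, value ranges second), as an added example that is not VOS4ES or XtratuM code. The XML layout, element names and sample values are constructed for this example and are a simplified stand-in for the real XtratuM configuration format; the range checks implement the isolation properties the configuration must guarantee: partition memory areas inside physical RAM and non-overlapping (spatial isolation), cyclic-plan slots inside the major frame and non-overlapping (temporal isolation), and inter-partition channels only between declared partitions (explicit information flows).

```python
# Added example, not VOS4ES/XtratuM code: two-stage validation of a partition
# configuration, first structural (standing in for the XML Schema step), then
# value ranges that enforce spatial and temporal isolation. The XML layout and
# the sample values are constructed for this example, not the XtratuM format.
import xml.etree.ElementTree as ET

# Constructed sample: two partitions, 64 MiB of RAM, a 20 ms major frame (times in us).
SAMPLE_CFG = """<SystemDescription>
  <Memory start="0x00100000" size="0x04000000"/>
  <PartitionTable>
    <Partition id="0" name="CriticalCtl"><Area start="0x00100000" size="0x00100000"/></Partition>
    <Partition id="1" name="Linux"><Area start="0x01000000" size="0x02000000"/></Partition>
  </PartitionTable>
  <Schedule majorFrame="20000">
    <Slot partitionId="0" start="0" duration="5000"/>
    <Slot partitionId="1" start="5000" duration="15000"/>
  </Schedule>
  <Channels><Channel source="0" destination="1" maxMessageLength="64"/></Channels>
</SystemDescription>"""

def _int(s):
    return int(s, 0)            # decimal or 0x-prefixed hexadecimal

def check_structure(root):
    """Stage 1: required elements and attributes must be present."""
    errors = []
    for tag in ("Memory", "PartitionTable", "Schedule"):
        if root.find(tag) is None:
            errors.append(f"missing <{tag}>")
    for p in root.iter("Partition"):
        if "id" not in p.attrib or "name" not in p.attrib:
            errors.append("<Partition> without id or name")
        if p.find("Area") is None:
            errors.append(f"partition {p.get('id')} has no <Area>")
    for s in root.iter("Slot"):
        if not {"partitionId", "start", "duration"} <= set(s.attrib):
            errors.append("<Slot> missing partitionId, start or duration")
    return errors

def check_ranges(root):
    """Stage 2: values must fit the hardware and must not overlap."""
    errors = []
    mem = root.find("Memory")
    ram_lo = _int(mem.get("start"))
    ram_hi = ram_lo + _int(mem.get("size"))
    ids = {p.get("id") for p in root.iter("Partition")}
    areas = []
    for p in root.iter("Partition"):
        for a in p.findall("Area"):
            lo = _int(a.get("start"))
            hi = lo + _int(a.get("size"))
            if lo < ram_lo or hi > ram_hi:
                errors.append(f"partition {p.get('id')} area outside physical RAM")
            areas.append((lo, hi, p.get("id")))
    # Spatial isolation: no two partitions may own overlapping memory.
    for i, (lo1, hi1, p1) in enumerate(areas):
        for lo2, hi2, p2 in areas[i + 1:]:
            if p1 != p2 and lo1 < hi2 and lo2 < hi1:
                errors.append(f"memory overlap between partitions {p1} and {p2}")
    sched = root.find("Schedule")
    maf = _int(sched.get("majorFrame"))
    slots = []
    for s in sched.findall("Slot"):
        st, du, pid = _int(s.get("start")), _int(s.get("duration")), s.get("partitionId")
        if pid not in ids:
            errors.append(f"slot refers to unknown partition {pid}")
        if du <= 0 or st + du > maf:
            errors.append(f"slot for partition {pid} exceeds the major frame")
        slots.append((st, st + du))
    # Temporal isolation: slots of the cyclic plan must not overlap.
    slots.sort()
    for (_, end_a), (start_b, _) in zip(slots, slots[1:]):
        if start_b < end_a:
            errors.append("overlapping slots in the cyclic plan")
    # Information flows are explicit: channels may only join declared partitions.
    for c in root.iter("Channel"):
        for end in ("source", "destination"):
            if c.get(end) not in ids:
                errors.append(f"channel {end} {c.get(end)} is not a declared partition")
    return errors

def validate(xml_text):
    """Returns a list of violations; an empty list means the configuration is accepted."""
    root = ET.fromstring(xml_text)
    errors = check_structure(root)
    return errors if errors else check_ranges(root)   # stage 2 only after stage 1 passes

def flow_allowed(xml_text, src, dst):
    """Deny by default: only a declared channel authorises the src -> dst flow."""
    root = ET.fromstring(xml_text)
    return any(c.get("source") == src and c.get("destination") == dst
               for c in root.iter("Channel"))

if __name__ == "__main__":
    print(validate(SAMPLE_CFG))                    # []
    print(flow_allowed(SAMPLE_CFG, "1", "0"))      # False
```

Stage 2 runs only when stage 1 has passed, so the range checks can assume every element they read exists; a real XML Schema pass would reject the same structural defects before any value is interpreted.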

The partition development process produces an Executable and Linking Format (ELF) file. This file is taken by the executable image generation tool and converted to an XtratuM Executable Format (XEF) file. The XEF format is similar to ELF: it contains a series of sections that shall be loaded into memory, but it simplifies some parts and includes new relevant information. The format conversion is done by a tool known as elf2xef, which was available at the beginning of the project; no relevant modifications were made to it.

Finally, the XtratuM system image container tool (xmpack) and the bootable image creator (rswbuild) are provided. The former manipulates the XtratuM system container (a simple filesystem designed to contain the XtratuM hypervisor core and zero or more partitions); the latter creates a bootable file by combining the resident software code with the container file.

Figure 4 depicts the procedure for packaging an XtratuM based application. On the system, four main elements can be found:

• XtratuM. The hypervisor is compiled and delivered as a binary image.
• Configuration file. The configuration file is parsed and compiled into a binary format that XtratuM can read.
• Partition images. Each partition has to be compiled and linked into a single image file.
• Resident software. This is the application bootloader. In the case of x86, the bootloader is multiboot compliant. This allows us to boot the application with, for example, GRUB.

Figure 4: XtratuM applications build procedure

3.2.2 VOS4ES MONITORING TOOL

VOS4ES provides an innovative monitoring mechanism to trace errors or abnormal situations generated during the operation of the system, either by the hardware platform or by the executed application. This tool monitors predefined system characteristics and presents them graphically in order to provide a continuous overview of system execution and add reporting capabilities.

The VOS4ES Monitoring tool (VMT) receives the Health Monitoring and Trace Events supported by the XtratuM hypervisor and displays them in the analyser tool.

The VOS4ES Monitoring tool is composed of the following main modules, as shown in Figure 5.

• The Supervisor Monitoring Partition on the VOS4ES platform, which gathers HM and Trace Events produced in the VOS4ES virtualization layer and transmits them through the serial interface.
• The Trace Auditing Module at the Test Workstation, which receives data from the serial port and handles them for online analysis (direct forwarding to the analyser tool) or offline analysis (conversion to PCAP record format and storage).
• The Wireshark Analyzer Tool at the Test Workstation, which decodes and displays Health Monitoring and Trace Events received from the Trace Auditing Module through a named pipe interface during online monitoring, or reads them from a monitoring log file during offline monitoring.
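The offline path of the Trace Auditing Module (events received over the serial link, stored in PCAP record format for later decoding by a Wireshark dissector), as an added example that is not the module's own code. The PCAP container layout is the real one; the 8-byte event record, the event kinds and the sample events are constructed for this example, and the private link type DLT_USER0 (147) is used because that is the range a custom dissector would be registered for.

```python
# Added example, not the VOS4ES Trace Auditing Module: pack monitoring events
# received over a serial link into a PCAP byte stream so a Wireshark dissector
# can read them offline, and decode such a stream back. The event record layout
# is constructed for this example; only the PCAP container format is the real one.
import struct

PCAP_MAGIC = 0xA1B2C3D4
DLT_USER0 = 147            # private link type reserved for user-defined protocols

# Constructed event record: kind(1) partition(1) code(2) timestamp_us(4), big-endian.
EV_FMT = ">BBHI"
EV_HM, EV_TRACE = 1, 2

def encode_event(kind, partition, code, ts_us):
    return struct.pack(EV_FMT, kind, partition, code, ts_us)

def pcap_global_header(snaplen=65535, linktype=DLT_USER0):
    # magic, version 2.4, thiszone, sigfigs, snaplen, network (link type)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(payload, ts_us):
    sec, usec = divmod(ts_us, 1_000_000)
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload

def events_to_pcap(events):
    """events: iterable of (kind, partition, code, ts_us) tuples -> PCAP bytes."""
    out = bytearray(pcap_global_header())
    for kind, part, code, ts in events:
        out += pcap_record(encode_event(kind, part, code, ts), ts)
    return bytes(out)

def pcap_to_events(data):
    """Reverse path: what the offline reader (or a dissector) would decode."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != DLT_USER0:
        raise ValueError("not a PCAP stream with the expected link type")
    off, events = 24, []
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        payload = data[off:off + incl]
        off += incl
        if len(payload) != struct.calcsize(EV_FMT):
            raise ValueError("truncated or malformed event record")
        events.append(struct.unpack(EV_FMT, payload))
    return events

# Constructed sample: a trace event from partition 1, then an HM event from partition 0.
SAMPLE_EVENTS = [(EV_TRACE, 1, 0x0010, 1_500_000), (EV_HM, 0, 0x0042, 1_500_250)]

if __name__ == "__main__":
    blob = events_to_pcap(SAMPLE_EVENTS)
    print(len(blob), pcap_to_events(blob) == SAMPLE_EVENTS)   # 72 True
```

The reader refuses a truncated trailing record rather than silently dropping it, which matters for an audit log: a gap in the trace should be visible to the analyst, not papered over.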

Figure 5: VOS4ES Monitoring Tool System Overview

In detail, the following implementations have been carried out:

• Designed and implemented the Monitoring Agent Module.
• Designed and implemented the Serial I/O Driver at XtratuM Platform.
• Designed and implemented the Trace Auditing Module.
• Designed and implemented the Serial I/O Driver at Test Workstation.
• Designed and implemented the Wireshark Trace Auditing Dissector.

3.2.3 VOS4ES TESTING FRAMEWORK

In the context of VOS4ES project, an integrated SW validation environment is introduced, the VOS4ES testing framework, to address the need for:

• Validation of the VOS4ES virtualisation layer according to functional and non-functional requirements.
• Execution control operations for controlling the execution of hosted real-time applications (e.g. partition execution changing, partitions execution enabling or disabling etc.).
• Performance analysis of the target system (e.g. execution time analysis etc.).

Figure 6: VOS4ES Testing Framework Architecture Design

The VOS4ES testing framework architecture is shown in Figure 6.

As shown in Figure 6 the main components of VOS4ES Testing Framework include:

• At the Test Workstation

o Test Management and Execution environment: is based on the xUnit framework and TELETEL’s iSAFT TestRunner graphical test execution environment, which provides compatibility with all widely used OS platforms, supports a wide range of physical interfaces including CAN bus, SpaceWire, MIL-STD-1553, Ethernet and Serial for connection with the underlying system under test, and provides an open architecture that is easy to interface with widely used third-party simulators (e.g. TSIM and QEMU) and new physical interfaces.
o Test Suite Library: includes a broad range of test cases towards the Time & Space Secure Partitioning Validation of the VOS4ES framework.
o Test Adapters module: includes wrapped test procedures, i.e. client stubs used by the Test Suite Library, for communication with the serial interface at the test workstation. Additionally, it lets developers add their own client stub functions.

• At the VOS4ES platform

o Validation module: consists of two main components, the TestDispatcher and the Test Adapter. The TestDispatcher receives the message from the Test Workstation through the serial port and forwards the test to the corresponding partition. In addition, it receives the test result through an IPC channel and forwards it to the Test Workstation through the serial port. The Test Adapter receives the Test Vector (a block of data that specifies the test procedure to be executed) and calls the corresponding service under test. In addition, it sends the Test Result through an IPC channel to the system partition. The Test Adapter component resides in every partition that needs to be tested or that will be used for testing purposes.

In detail, the following implementations have been carried out:

• Designed in detail and implemented the initial VOS4ES Test Suite Library.
• Designed and implemented the initial VOS4ES Validation module including the TestDispatcher and Test Adapter.
• Designed and implemented the initial VOS4ES test adapter module for the Test Workstations including the TestAdaptersLibrary, ClientSupport, XDRLibrary and XDRTransport sub-components.

3.2.3.1 VOS4ES VALIDATION TEST SUITE

As part of the VOS4ES Testing Framework, a set of test cases has been designed and implemented that form the VOS4ES Validation test suite, which was used for the validation of the VOS4ES virtualisation layer. The set of test cases developed in the VOS4ES testing framework covers a wide range of tests for the evaluation of the VOS4ES virtualisation layer and applications and their validation with respect to execution control, safety, security and performance. The basic categories of test cases defined in the VOS4ES project are as follows:

• Safety validation

o Inter-partition Communication Management
o Partition Management
o Process Management
o Time Management
o Failures Isolation

• Security validation

o Security Audit
o User Data Protection
o Security Management
o Protection of the TSF
o Hypervisor Stack Leaks
o Hypervisor Slot Overrun
o Corruption of application data space and control
o Corruption of the service API parameters

• Performance evaluation

o Timing Analysis

Within the VOS4ES validation test suite a set of safety validation tests are defined aiming to verify that the kernel achieves the desired level of safety within the partitioned architecture in the frame of real-time embedded systems. The basis for these tests is derived from the ARINC-653 specification [3], which verifies the compliance of an OS kernel to a service API defined by the specification. ARINC-653 standardizes an Application Executive (APEX) Interface and the functionality that should be offered by an OS through it as a set of services provided to safety critical applications. Safety is achieved through the satisfaction of two main characteristics: dependability (i.e. spatial and temporal isolation) and fault tolerance (i.e. health monitoring).

The VOS4ES test suite based on ARINC-653 regards the intended behaviours of all API services of the VOS4ES virtualisation layer as the elements under test aiming at the verification of (a) the expected behaviour and (b) the expected results.

Each assertion is the basis for one or more test cases. Test cases are implemented by test procedures which fall in one of the two following categories, according to the conditions under which the test is to be performed.

• Service Functional Test Procedures: examine one intended behaviour at a time and its expected results under normal conditions, aiming at verifying the correct implementation of a service.
• Service Robustness Test Procedures: examine the behaviour of a service used in an erroneous way, by means of error injection or stimulation of specific conditions, to verify the ability of the OS to handle certain kinds of errors and react as predetermined.
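A simulation of the TestDispatcher / Test Adapter message flow from the testing-framework section above, exercised with one functional test procedure and three robustness test procedures of the kinds just described; this is an added example, not the project's validation module or its XDRLibrary. The integer and string framing follows the XDR rules (4-byte big-endian words, strings padded to a multiple of 4); the "set_period" service, the status codes and the partition ids are constructed for this example, and a Python dict stands in for the serial port and the IPC channels.

```python
# Added example, not the VOS4ES TestDispatcher/Test Adapter code: a simulation of
# the validation-module message flow with hand-rolled XDR framing. The service,
# status codes and partition ids are constructed for this example.
import struct

# --- minimal XDR encoding: 4-byte big-endian words, strings padded to 4 bytes
def xdr_uint(n):
    return struct.pack(">I", n)

def xdr_string(s):
    b = s.encode()
    return xdr_uint(len(b)) + b + b"\0" * (-len(b) % 4)

class XdrReader:
    def __init__(self, data):
        self.data, self.off = data, 0
    def uint(self):
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v
    def string(self):
        n = self.uint()
        s = self.data[self.off:self.off + n].decode()
        self.off += n + (-n % 4)
        return s

# --- Test Vector and Test Result messages
def encode_test_vector(partition_id, service, args):
    msg = xdr_uint(partition_id) + xdr_string(service) + xdr_uint(len(args))
    return msg + b"".join(xdr_uint(a) for a in args)

def decode_test_vector(data):
    r = XdrReader(data)
    pid, service = r.uint(), r.string()
    args = [r.uint() for _ in range(r.uint())]
    return pid, service, args

STATUS_OK, STATUS_INVALID_PARAM, STATUS_NO_SUCH_SERVICE, STATUS_NO_SUCH_PARTITION = 0, 1, 2, 3

def encode_result(status, value):
    return xdr_uint(status) + xdr_uint(value)

def decode_result(data):
    r = XdrReader(data)
    return r.uint(), r.uint()

# --- constructed partition service reached through the Test Adapter
def svc_set_period(period_us):
    # Robustness target: a zero period must be rejected, not accepted.
    if period_us == 0:
        return STATUS_INVALID_PARAM, 0
    return STATUS_OK, period_us

SERVICES = {"set_period": svc_set_period}

class TestAdapter:
    """Lives inside a partition; maps a Test Vector to a service call."""
    def handle(self, service, args):
        fn = SERVICES.get(service)
        if fn is None:
            return encode_result(STATUS_NO_SUCH_SERVICE, 0)
        try:
            return encode_result(*fn(*args))
        except TypeError:            # wrong number of arguments: invalid parameter
            return encode_result(STATUS_INVALID_PARAM, 0)

class TestDispatcher:
    """System-partition side: serial in -> IPC to partition -> serial out."""
    def __init__(self, adapters):
        self.adapters = adapters     # partition id -> adapter; stands in for IPC channels
    def dispatch(self, serial_frame):
        pid, service, args = decode_test_vector(serial_frame)
        adapter = self.adapters.get(pid)
        if adapter is None:
            return encode_result(STATUS_NO_SUCH_PARTITION, 0)
        return adapter.handle(service, args)

def run_test(dispatcher, partition_id, service, args):
    """Round trip as the Test Workstation sees it: returns (status, value)."""
    return decode_result(dispatcher.dispatch(encode_test_vector(partition_id, service, args)))

def build_demo():
    return TestDispatcher({1: TestAdapter()})

if __name__ == "__main__":
    d = build_demo()
    print(run_test(d, 1, "set_period", [1000]))    # functional: (0, 1000)
    print(run_test(d, 1, "set_period", [0]))       # robustness, bad value: (1, 0)
    print(run_test(d, 1, "bogus", []))             # robustness, unknown service: (2, 0)
    print(run_test(d, 7, "set_period", [1000]))    # robustness, undeclared partition: (3, 0)
```

Each robustness case checks that an erroneous use of the interface produces the predetermined status code instead of an exception or a silent success; that is exactly the property a test suite of this kind is meant to pin down for every service.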

In order to address the security functional and assurance requirements for a class of separation kernels, the Separation Kernel Protection Profile (SKPP) [4] has been defined. The purpose of the SKPP is to provide a Common Criteria protection profile for high assurance separation kernels. Unlike those traditional security kernels which perform all trusted functions for a secure operating system, a separation kernel’s primary security function is to partition (separate) the subjects and resources of a system into security policy-equivalence classes, and to enforce the rules for authorized information flows between and within partitions.

The SKPP prescribes many measures aimed at increasing security. The SKPP mandates that the kernel's functionality be simplified and limited to separating resources to prevent subjects in one partition from interacting with subjects in other partitions. The separation kernel allocates all exported resources under its control into partitions. The partitions are isolated except for explicitly allowed information flows. The actions of a subject in one partition are isolated from (i.e. cannot be detected by or communicated to) subjects in another partition, unless that flow has been allowed. The partitions and flows are defined in configuration data. The separation kernel provides to its hosted software programs high-assurance partitioning and information flow control properties that are both tamperproof and non-bypassable. These capabilities provide a configurable trusted foundation for a variety of system architectures.

In this context, a set of test cases based on the SKPP concerning security has been defined for the validation of XtratuM within the VOS4ES project. Each test case has a specific objective and covers a subset of security requirements with regard to one kind of attack among privilege (partition type), confidentiality, integrity, DoS and safety.

Finally, a set of performance evaluation test cases has been defined which provide performance related metrics for the virtualisation framework and the applications executed on top of it. The performance metrics include timing analysis, i.e. execution time calculations and validation of time constraints, and conformance with non-functional requirements.

3.3 VOS4ES USE CASES FOR VALIDATION PURPOSES

3.3.1 VIDEO SURVEILLANCE USE CASE

VxaC is designed as an innovative video monitoring platform where third party developers may install and test computer vision algorithms in a real video recording device.

On top of XtratuM, different partitions run in isolation: one handles the digital video recorder tasks (i.e. video capturing) and the other runs the algorithms.

VxaC differs from other products and projects (i.e. VX+3) in the capabilities needed from the hypervisor: in this case it is mandatory to be compatible with single-core devices and to allow large volumes of data to be transferred or accessed by partitions, mainly for transferring the images captured in the VTDVR partition to the partition where the algorithms are installed.

Figure 7: Video Surveillance use case partition architecture

VxaC enables the creation of innovative video monitoring products based on new or existing computer vision algorithms, without investing too much time and money in selecting the hardware and developing video recording, processing and storage modules. This solution resolves the problems related to slow reaction to client and market requirements and provides an easy and fast entry to new markets with video monitoring demands.

Regarding the exploitation paths, two different channels are foreseen. The first is based on VT's international network of distributors and installers, where the added value of smart video analysis will enable high-margin products to be sold. The second is based on turnkey projects developed by the VT sister company Envitel, enabling them to focus on applications rather than on the underlying platform, which allows rapid development, fast integration, fast testing and thus a shorter time for providing solutions.

3.3.2 AUTOMOTIVE USE CASE

The automotive industry is evolving to provide enhanced safety and more services to users in terms of in-car entertainment and connectivity. Applying virtualization to distributed embedded systems can help to increase scalability while preserving the required isolation, safety and reliability. Taking into account the interest of SMEs working in the automotive sector, the relevant applications and the VOS4ES approach, an automotive use case has been identified that will also be used for the further exploitation of VOS4ES results.

Figure 8: Automotive use case partition architecture

The automotive use case aims at verifying the robustness of the developed virtualization technologies in a real-world example from the automotive sector. Following the tendency of modern cars to provide an increasing number of services, such as GPS navigation with entertainment and multimedia services, combined with the highly critical functions of the car itself, each partition will host an application of a different criticality level. The demonstrator will also verify the compatibility of the virtualization layer with a variety of operating systems and will implement the following applications:

- Car functionalities and sensors monitoring
- Soft real time applications (e.g. GPS navigation)

The automotive use case includes a highly critical application related with the car’s functionalities and sensors monitoring, a medium critical application related with human machine interface and real-time applications, and a low critical application related with monitoring/debugging, as illustrated in Figure 8.

This use case enables the demonstration of VOS4ES results for the automotive industry based on new or existing SME solutions, in order to showcase the advantages of virtualisation in terms of simplified integration of multiple systems of different criticality, lower development equipment costs, and reduced testing costs thanks to the VOS4ES supporting tools.

3.3.3 DATA TRANSMISSION USE CASE

The VOS4ES framework was used to implement the ISW Switcher, which allows selecting one or several attached wireless modems in order to increase transmission availability, reliability and/or throughput. This results in better transmission parameters for communication applications and services. The ISW Switcher can work in mobile (Figure 9b), nomadic and fixed (Figure 9a) applications, offering redundancy and flexibility.

Figure 9: Detection of IP addresses by both USB modems.

The solution is based on a customized software router that switches as a function of the QoS measured on the interfaces available in the communication device. It can be used in automotive or railway settings, but also on ships, aircraft and even satellite links (mainly in the ground segment). Other application areas are automation (e.g. monitoring and surveillance) or security and safety. The device is easy to integrate with the end-user environment because its Ethernet output can be connected directly to the end-user applications, networks, nodes or equipment, and as many modems as needed can be attached to its Ethernet and/or USB inputs.

ISW Switcher improves availability of applications and services as well as reliability of transmission to download or upload any data. The transmission handled by ISW Switcher can be:

• data transmission;
• video streaming from external camera(s) (e.g. connected via USB port).

To monitor the QoS of transmission links, the ISW Switcher has a channel probe implemented. This functionality is split between data source and sink and is based on a client-server model that allows easy monitoring of channel QoS parameters (throughput, delay, jitter).

The ISW Switcher selects the interface(s) with the best transmission parameters among all available ones, taking into account the instantaneous throughput, delay, etc. It can meet user/application needs because it can attempt to track the behaviour of the data source. In the case of video streaming, the final implementation will allow the rate of the video encoder to be adapted to the throughput of the radio link.

The Smart Switcher can:

• multiplex among interfaces to select one that has an available link when the others are down due to failure or lack of network coverage;
• act as a load balancer that routes streams/sessions from different applications via different interfaces when a single interface cannot deliver the throughput needed by the data sources;
• split one data stream among several interfaces when transmission conditions limit the throughput of a link, so that the transmission bandwidths available from the interfaces operated in a location are superposed.

The ISW Switcher improves network resilience and overall robustness against transmission failures. It also increases operability and facilitates running e.g. back-up systems with redundancy support.

The above applications can help build M2M communication in WSN and even Internet of Things environments. The ISW Switcher can also offer voice communication using the VoIP (Voice over IP) technique.

The proposed application can be customised for users according to their needs, e.g. the number of modems, the algorithm for routing selection, mass, dimensions, etc. The routing switching procedure that selects one or several transmission links can be customized with:

• the routing algorithm, which:
  o can be multi-step and multi-variable, based on a decision tree customized by the user;
  o can work autonomously or can be fully and remotely controlled by the user;
• the switching process, which:
  o can run dynamically and automatically, or statically according to the user's presets;
  o should be seamless for the transmitted data.
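The routing decision described above (a multi-step decision tree over probe metrics, with multiplex, load-balancing and split modes, plus encoder rate adaptation) as an added illustration, not the ISW Switcher's own code. Interface names, thresholds, step order and the probe values are constructed assumptions, not taken from the report.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class LinkQoS:
    """One channel-probe sample for an attached modem (constructed values)."""
    name: str
    up: bool
    throughput_kbps: float
    delay_ms: float
    jitter_ms: float

# A decision tree is an ordered list of steps; each step narrows or ranks the
# candidate links. Step order and thresholds are user presets (assumed here).
Step = Callable[[List[LinkQoS]], List[LinkQoS]]

def only_up(links: List[LinkQoS]) -> List[LinkQoS]:
    """Drop links that are down (failure or no network coverage)."""
    return [l for l in links if l.up]

def bounded(attr: str, limit: float) -> Step:
    """Keep links whose metric (delay_ms or jitter_ms) is within the limit.
    If no link satisfies it, the constraint is relaxed rather than leaving the
    user with no link at all (an assumed policy, not from the report)."""
    def step(links: List[LinkQoS]) -> List[LinkQoS]:
        ok = [l for l in links if getattr(l, attr) <= limit]
        return ok or links
    return step

def by_throughput(links: List[LinkQoS]) -> List[LinkQoS]:
    """Rank the remaining links by instant throughput, best first."""
    return sorted(links, key=lambda l: l.throughput_kbps, reverse=True)

def run_tree(links: List[LinkQoS], tree: List[Step]) -> List[LinkQoS]:
    """Apply the decision-tree steps in order."""
    for step in tree:
        links = step(links)
    return links

def select_one(links: List[LinkQoS], tree: List[Step]) -> Optional[str]:
    """Multiplex mode: the single best usable interface, or None if all are down."""
    ranked = run_tree(links, tree)
    return ranked[0].name if ranked else None

def balance(links, tree, demands: Dict[str, float]) -> Dict[str, Optional[str]]:
    """Load-balancer mode: place each session (name -> needed kbps) on the link
    with the most spare capacity, largest session first; None if nothing fits."""
    free = {l.name: l.throughput_kbps for l in run_tree(links, tree)}
    placement: Dict[str, Optional[str]] = {}
    for session, need in sorted(demands.items(), key=lambda kv: -kv[1]):
        best = max(free, key=free.get, default=None)
        if best is None or free[best] < need:
            placement[session] = None
        else:
            placement[session] = best
            free[best] -= need
    return placement

def split(links, tree, rate_kbps: float) -> Dict[str, float]:
    """Split mode: spread one stream over several links so that their
    bandwidths superpose; the best link is filled first."""
    shares: Dict[str, float] = {}
    left = rate_kbps
    for l in run_tree(links, tree):
        if left <= 0:
            break
        take = min(l.throughput_kbps, left)
        shares[l.name] = take
        left -= take
    return shares

def encoder_rate(links, tree, max_rate_kbps: float) -> float:
    """Adapt a video encoder's rate to the throughput the selected links carry."""
    capacity = sum(l.throughput_kbps for l in run_tree(links, tree))
    return min(max_rate_kbps, capacity)

# Constructed probe samples: two USB modems and one Ethernet modem without coverage.
PROBE = [
    LinkQoS("ppp0", True, 1800.0, 90.0, 15.0),
    LinkQoS("ppp1", True, 600.0, 40.0, 5.0),
    LinkQoS("eth1", False, 0.0, 0.0, 0.0),
]
TREE: List[Step] = [only_up, bounded("delay_ms", 100.0), bounded("jitter_ms", 20.0), by_throughput]
```

With the sample above, `select_one(PROBE, TREE)` picks `ppp0`, and the same tree drives the balancing, splitting and encoder-rate decisions.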

Potential Impact:

4.1 IMPACT

VOS4ES mainly concerns (but is not limited to) SMEs active in the development of safety-critical and non-critical SW components with high reliability constraints for embedded systems. An important objective of such SMEs is to minimize the cost of their subsystems. This can be achieved by allowing hardware resource sharing among applications of different safety criticality and security levels in a safe and secure way, but it cannot be addressed through internal investment, due to their limited budgets and resources.

In this concept, the VOS4ES virtualization framework will constitute an open-source hypervisor based virtualization solution for the growing and highly competitive group of European SMEs, specializing in the development of embedded systems in different industrial sectors (e.g. avionics, automotive systems, consumer electronics, telecommunications systems, etc.). The software will be distributed freely under the GPLv2 scheme for Free Open Source Software.

The market survey and assessment in VOS4ES project is done around the following areas:

• The trends and forecasts of embedded systems market.
• The current trends and technological innovations in the real-time operating systems, tools and services market.
• The recent projects in the technological areas of virtualisation technology for embedded systems.

4.1.1 EMBEDDED SYSTEMS MARKET

The overall market of embedded real-time operating systems can be classified as in Figure 10, which shows the technologies involved, the main industrial segments and the various geographic regions. The embedded systems market can be divided into sectors that concern top safety critical applications (i.e. automotive/rail, medical, aerospace) and sectors with less stringent safety requirements (i.e. consumer electronics, mobile phones, industrial automation, telecom). However, a failure of any system that could entail a very high financial loss is not to be ignored, and therefore a vendor that can provide reliable applications of high availability and integrity can potentially capture a respectable portion of the embedded systems market, regardless of the specific market area. Based on the general trend and engineering expertise for reducing product development costs and timelines, embedded services revenue is estimated to increase by over 7% in the following years (Figure 11).

The availability of new processors for embedded applications has raised new potentials for these applications. Embedded applications now have more functionality and, as a consequence, are more complex. Thus, there is growing interest in enabling multiple applications of different criticality to share a single processor and memory. To facilitate such a model, the execution time and memory space of each application must be protected from other applications in the system. Partitioned software architectures are the key component to share applications on the same hardware while increasing the security and robustness of the system.

Figure 10: Market definition and segmentation (adapted from VDC Research, 2010)

Figure 11: Market embedded Services revenue (VDC Research, 2012)

From challenging economic conditions to increasing time-to-market pressures and cost reduction requirements, engineers developing embedded systems must contend with a variety of obstacles. Frequently, these obstacles are in direct conflict with the mounting complexity now associated with many new embedded systems. Increasing mobility needs and intensifying requirements around safety- and/or security-critical applications have increasingly complicated embedded development. Furthermore, the potential benefits of migrating to multicore processors are often overshadowed by an inability to effectively manage the added performance and additional cores enabled by this type of architecture. Mobile and embedded virtualization solutions have emerged in recent years as an approach through which to address many of these challenges.

According to the “Embedded Systems: Technologies and Markets” analysis published by BCC Research, the global market for embedded systems is expected to increase from $101 billion in 2009 to an estimated $158 billion by the end of 2015. Specifically, embedded hardware was worth $108 billion in 2010 and is expected to reach $152 billion in 2015. Embedded software generated $4.2 billion in 2010. This should increase to $6.1 billion in 2015, for a compound annual growth rate of 7.8% (Figure 12).

Figure 12: Embedded technology market (Source: BCC Research, January 2012)

The advantages of virtualization for enterprise systems – which range from potential overhead savings through server consolidation to increased flexibility and data storage capacity – differ slightly as compared to mobile and embedded systems. Many of these differences, of course, are due to the specifications inherent in many embedded designs, including power and memory constraints, and the often small form factor of embedded devices. The top benefits, as shown in Figure 13, include the ability to easily port designs to new hardware platforms, the secure partitioning of guest operating systems, and the ability to easily run and manage multiple OSs.

Figure 13: Advantages of the virtualization usage in embedded systems (adapted from VDC Research, 2011)

4.1.2 REAL-TIME OPERATING SYSTEMS, TOOLS AND SERVICES

Nowadays, SMEs have many choices in deciding which target operating system to integrate in their embedded systems, depending on their needs. The key parameter is that device/system functionality is driving complexity and increased software content, which in turn leads to more sophisticated system interfaces, complex graphical elements, wired and wireless capabilities, and others. As a result, the types of operating systems used in target devices are shifting from no formal OS or in-house developed ones, i.e. RYO (Roll-Your-Own), to a variety of other commercial and open source offerings. While the use of commercially licensed (not open source) operating systems is expected to remain fairly stable, almost 50% of the surveyed engineers report that their target OS is selected on a project-by-project basis (Figure 14).

Real-time applications demand timeliness and predictability, and the operating systems targeting these applications meet these demands by paying special attention to a host of OS features such as: (i) Multitasking, (ii) Synchronization, (iii) Interrupt and Event Handling, (iv) Input/Output, (v) Inter-task Communication, (vi) Timers and Clocks, and (vii) Memory Management. The various RTOSs (Real-Time OSs) implementing these standards differ in their implementation choices and strategies. Leading solutions for the embedded space include Green Hills Software's INTEGRITY Multivisor, LynuxWorks' LynxSecure, Real-Time Systems' RTS Hypervisor, SYSGO's PikeOS, TenAsys' eVM for Windows, and Wind River's Wind River Hypervisor. In the mobile space, Open Kernel Labs' OKL4 Microvisor and Red Bend Software's VLX are among the most widely used solutions, while VMware, an enterprise/IT virtualization leader, is expected to raise its profile in mobile.

Figure 14: Survey results on the type of operating system used (adapted from VDC Research, 2010)

Commercial operating systems form a continuum of functionality, performance, and price. They range from those that offer a basic preemptive scheduler and a few key system services, are usually inexpensive, come with modifiable source code and are royalty free, to more sophisticated operating systems that typically include a lot of functionality beyond the basic scheduler and can be quite expensive. With such a variety of operating systems and features to choose from, it can be difficult to decide which is best for a given project. Many developers make their decision based on performance, functionality, or compatibility with their choice of compiler, debugger, and other development tools, as shown in Figure 15.

In addition, while the use of multi-core and operating system virtualization technologies is currently limited to a small percentage of projects under development (see Figure 17), an increasing percentage of embedded engineers expect to incorporate these technologies in future projects. These expectations are being matched by supplier messaging and by the availability of training seminars and product support for both operating systems and tools solutions supporting multi-core and virtualization environments. Operating system virtualization specifically offers advanced capabilities for meeting the challenge of silicon obsolescence, migrating legacy software assets in which significant investments have been made, and providing an environment where multiple guest operating systems and applications can operate in isolation.

Figure 15: Important characteristics for selecting Embedded Operating System (adapted from VDC Research, 2010)

For enterprise IT applications, virtualization has emerged as a key strategy to control costs by consolidating servers, thereby reducing the related hardware, floor and in-rack space, power consumption, and cooling. At the same time it offers an increase in availability, reliability, redundancy and performance, leading to a new approach to computing infrastructures such as cloud computing, grids and clusters that can be easily implemented and managed.

In just a few years, virtualization has moved from an experimental technology used only in test and development environments to a core infrastructure platform. Now, many businesses plan for all new servers to be virtualized, and the deployment of virtual servers has overtaken that of physical servers.

Although there are several contributing factors, server consolidation is the primary force driving the wholesale adoption of virtualization. Server consolidation lets organizations increase server hardware utilization while simultaneously decreasing power costs and management requirements. In addition, high-availability technologies such as vMotion and Live Migration have emancipated virtual machines (VMs) from their physical hosts, creating the foundation for the dynamic data center, where VMs can be moved between hosts automatically in response to changing workloads. Virtualization is a core mainstream technology that will definitely alter the IT landscape for the foreseeable future. IDC studies have shown that one out of every five servers is virtualized today, but it seems clear that those numbers will be reversed in just a few years, and virtual servers will far outnumber physical ones.

Figure 16: Virtualization Most Important Applications [source: Wikibon Survey July 2013]

As virtualization abstracts the server from the underlying hardware, virtualization technology is being applied in more infrastructures, such as cloud computing and mobile computing platforms (Figure 16). The cloud is an emerging trend that tends to rely on virtualization, such as Amazon's EC2 and Windows Azure's Hyper-V, and many services are built on virtual servers. The cloud abstracts the service or application from the underlying infrastructure and lets you manage multiple servers and applications as part of an overarching service. The cloud is beginning to be a viable option for businesses, and services are emerging that will provide businesses with compelling and ready-to-use solutions (e.g. Windows Intune, Microsoft Office 365). The current uptake might be slow, but the adoption of cloud technologies is sure to grow, transferring parts of the IT infrastructure to off-premises hosting companies.

Furthermore, mobile computing platforms and smartphones such as the iPhone, Android, BlackBerry, and Windows Phone have evolved into far more than just phones. The growth of mobile apps and Internet connectivity has made smartphones useful productivity devices that could make use of virtualization technology. Virtualization of mobile devices would allow carrying one device with multiple virtualized environments, which could support different levels of confidentiality and applicability. Despite the increased attention and dedication to virtualization from mobile and embedded software vendors, little impact has been made on the approaches of embedded engineers, the vast majority of whom remain less familiar with the concept of virtualization for embedded systems. Thus, the expectations of mobile and embedded virtualization adoption from the supply side seem to outpace the reality of adoption from the demand side. As reported by the VDC Research experts, it is not expected that embedded engineers' familiarity with virtualization will reach a tipping point in the coming years, especially given the continued emphasis on the technology exhibited by the leading vendors in this space. However, the current level of familiarity in the engineering community is an indication that the potential of the mobile and embedded virtualization market remains largely untapped.

In a survey of 172 practitioners conducted by the Wikibon community regarding multi-hypervisor intentions, respondents were asked the number of servers that would be virtualized in the next 12-24 months (Figure 16 and Figure 17). Notably, greater adoption of virtualisation technology is foreseen in the following years, mainly due to the maturity of hypervisors in general and the availability of more and more solutions (VMware, PikeOS). Moreover, while some performance concerns remain regarding virtualization, it is believed that the availability of high-performance flash-only or flash-enhanced storage will eliminate IO and performance bottlenecks as an issue in most installations by 2016.

Figure 17: Expected Growth of Virtualization (adapted from Wikibon survey, 2013)

4.2 INNOVATION AND BENEFITS

The innovative aspects of the VOS4ES concept and approach can be summarised as follows:

• Provision of a certifiable virtualization layer compatible with several popular HW platforms, and of a set of guest OSs adapted for it, under an open source license.
• Provision of an open and extensible technology that can be adapted to specific requirements.
• Mechanisms for secure inter-communication between the guest OSs, enhanced with encryption and security services.
• Hierarchical health monitoring mechanisms to manage fault situations and to allow local or remote system attestation.
• Integrated monitoring and execution control, as well as debugging and validation tools for continuous overview, administration, debugging and validation of the guest OSs and applications.
• An integrated run-time module that supports performance and timing analysis.

Based on the above innovation points, the benefits for the SMEs include but are not limited to:

• Development of new products that require the coexistence of hard real-time applications with non-critical ones over the same hardware, without compromising the critical aspects of the system.
• Development of new products and services that integrate multiple systems of different security levels on the same hardware, with guaranteed security of the handled information.
• Simplification of existing SME product architectures due to hardware sharing, resulting in improved product competitiveness.
• Lower development equipment costs and reduced size, weight and power consumption of products, because of hardware sharing.
• New products with real-time characteristics, based on existing non-critical legacy code. Re-use of non-trusted legacy code (e.g. code developed for Linux, POSIX, C, etc.) at zero adaptation cost and man-time effort to implement safety critical applications.
• Increased robustness of the delivered applications, since they will be based on the safety critical and secure infrastructure the VOS4ES hypervisor ensures.
• Reduced testing costs and increased testing quality, since it will be possible to execute the system under test in the same environment as the production system, and under real use conditions.
• Access to virtualization technologies previously exploited only by big companies, with profound new opportunities for profit and financial development.

4.3 SWOT ANALYSIS

Table 1 provides the Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis of the VOS4ES project.

Strengths

• Certifiable virtualization layer under an open source license
• Open and extensible technology
• Isolates safety critical partitions from unauthorized access
• Increased availability, flexibility and security for integrated software
• Testing costs reduction and testing quality increase
• Availability of real-time supporting tools for monitoring and testing of integrated embedded applications
• Lower development equipment costs, as a result of hardware sharing
• Simplification of existing SME product architectures
• Increased robustness of the delivered applications, since they will be based on the safety critical and secure infrastructure the VOS4ES hypervisor ensures
• Processors without a virtualization feature can be used
• Oriented also to real-time applications

Weaknesses

• System integration and interoperability challenges depending on the underlying hardware
• Para-virtualisation technology limits integration of closed source OSs
• Lower performance depending on deployed OS and number of partitions
• Available only for Intel CPUs
• More complicated configuration process than in commercial virtualization systems
• Additional efforts needed to adapt the virtualisation layer to new hardware devices
• Additional efforts needed to use some on-board hardware devices
• In some markets the hardware changes fast, which requires an effort to adapt the hypervisor to new devices

Opportunities

• Lower development costs and shorter time-to-market
• Facilitate validation and certification procedures through the provided supporting tools
• Minimise time to market of new products based on the virtualised approach, since a tested partition could be reused in different products
• Better position in the embedded software market of real-time critical and non-critical applications
• Key enabler for adoption of virtualisation technology by SMEs

Threats

• Compatibility issues with hardware devices that are not supported by the VOS4ES virtualisation layer
• Proprietary and closed source operating systems, e.g. Microsoft Windows OS, could not be integrated

Table 1: VOS4ES SWOT analysis

4.4 DISSEMINATION

The dissemination activities performed during the project course are listed below:

- Maintained the VOS4ES website, available at www.vos4es.eu, with continuous updates.
- Prepared the VOS4ES brochure.
- Prepared the VOS4ES project video and made it available over the public Internet through the VOS4ES web site and the popular YouTube (www.youtube.com) video sharing platform.
- Prepared tutorial videos of the VOS4ES virtualisation framework and made them available over the public Internet through the popular YouTube (www.youtube.com) video sharing platform.
- Presented VOS4ES activities and results in scientific conferences and workshops, including:
  o VOS4ES results at the joint POSTO-MODUS workshop in Athens on 4 October 2013.
  o The VOS4ES approach at the "XVI Jornadas de Tiempo Real" event held in Valencia in February 2013, in which a special session took place regarding virtualization and TSP techniques.
- A selected list of publications in scientific workshops and conferences includes:

• One paper presented at the 14th Real-Time Linux Workshop (October 18-20, Chapel Hill, USA):

o "Linux porting to the XtratuM Hypervisor for x86 processors", Salvador Peiró, Miguel Masmano, Patricia Balbastre and José Simó

• One paper presented at the Real-Time Systems Symposium 2013, entitled "XtratuM hypervisor for mixed-criticality systems", by Alfons Crespo, Patricia Balbastre and José Simó.
• One paper presented at the National Symposium on Telecommunications and Computer Communications 2013, 4-6 September 2013:

o "Virtualization Platform VOS4ES for real-time applications", Henryk Gierszal, Sandra Brzykca, Karina Pawlina, Krzysztof Romanowski, Łukasz Kiedrowski

- Project presentations conducted in scientific/technical workshops and conferences at:
  o The 7th ESA Workshop on Avionics Data, Control and Software Systems (ADCSS-2013), 22-23 October in Noordwijk, Netherlands.
  o DASIA – Data Systems In Aerospace 2013, 14-16 May in Porto, Portugal.
- Organised the VOS4ES workshop in Valencia on 4 July 2013.
- Planned the VOS4ES presentation at the ERTS 2014 conference in Toulouse, France, on 5-7 February 2014.
- Establishment and maintenance of the VOS4ES Special Interest Group (SIG).
- Liaison with other projects (MODUS, POSTO, HITGATE).

4.5 EXPLOITATION

The VOS4ES project targets SMEs that develop embedded systems, so that they can adopt and exploit the competitive advantages of virtualization solutions, and especially of secure partitioning techniques, in their systems. The SMEs involved in the project are already active in the embedded systems market in various domains, i.e. avionics, space, consumer electronics, automotive, IT and telecommunications, with established product lines, and are constantly striving to improve their services and products and grow their market shares. In order to maintain their competitive edge, they need to adopt new technologies to achieve higher quality levels for critical and non-critical systems and applications and also to minimise the hardware cost of their solutions, as in the case of virtualisation technology and partitioned software architectures, which seem to be the future of secure embedded systems.

Considering the above, the exploitation strategy of the VOS4ES results on behalf of the VOS4ES SMEs, namely MILTECH, VISUAL TOOLS, CMAE, BITGEAR, ITTI, DELTA is twofold:

• Each SME will exploit the features and configurations of the VOS4ES virtualisation layer and the supporting tools that will be delivered, according to the specificities of each SME solution.
• Each SME will exploit the VOS4ES virtualisation layer and the supporting tools for experimentation and development of new embedded system solutions.

The current position of the participating SMEs in their different markets provides a significant advantage for the exploitation of the VOS4ES virtualization framework, since the VOS4ES scope is generic and targets different industrial sectors, within which companies are developing systems and products that require hardware resource sharing among applications of different safety criticality and security levels, in a safe and secure way.

Finally, the RTD Performers, namely TELETEL, UPV and FENTISS, will provide maintenance and support services to the SMEs for 2 years after the end of the project, free of charge. Beyond that period, the RTD Performers might be commissioned by the SMEs to upgrade and carry out the evolutionary maintenance of the VOS4ES virtualisation framework and supporting tools under special financial agreements.

List of Websites:

http://www.vos4es.eu/