VOSYSVirtualNet: Low-latency Inter-world Network Channel for Mixed-Criticality Systems

Abstract

Integrating multiple subsystems with different levels of criticality is a well established concept in the automotive domain. To ensure proper temporal and spatial isolation, a highly privileged software component is installed to orchestrate the subsystems. VOSYSmonitor is such a solution, it enables the co-execution of two operating systems on a single System on Chip - A rich operating system, such as Linux, along with a safety critical operating system, fully isolated from each other using ARM TrustZone. But if we take a closer look at specific automotive scenarios (e.g., “displaying warning signs”), reveals that an interaction of the two operating systems might be desirable. In this paper we address this challenge. We present the implementation of a low-latency inter-world network channel. It is built around already existing primitives in both worlds, only implementing the physical layer of the network channel. This ensures a low complexity, meaning only minor modifications have to be made to both operating systems. To prove the feasibility of our design, we built a full prototype that enables a network communication between the two operating systems, while ensuring a proper encapsulation of the safety critical operating system. To validate low reaction times, the design is evaluated with respect to network latency. To complement the measurements, we also performed a number of bandwidth measurements. Finally, we thoroughly discuss potential threat scenarios arising from the network link and how they can be addressed with appropriate countermeasures.