The eChronos project @ Data61 and Breakaway
In collaboration with Breakaway Consulting, the eChronos project builds and formally verifies, a small, versatile, high-assurance real-time operating system (OS) for embedded micro-controllers. In contrast to other OS work at Data61, the eChronos RTOS is for tightly constrained devices without memory management units. Current implementations are available for ARM Cortex M3/M4/M7, PowerPC e500 and Intel 80251 micro-controllers. The RTOS also runs on POSIX platforms (e.g., Linux, MacOS-X, Windows with cygwin or MinGW) for rapid prototyping.
The eChronos RTOS is open source, available under the CSIRO BSD MIT licence on github. For separate commercial licenses, please contact us (see below).
On modern powerful embedded hardware, like in smartphones, OS kernels such as Data61's formally verified seL4 kernel can provide isolation and gatekeeper functionality — controlling what the user-level programs can do with the hardware, or with other programs. For instance, it could stop a malicious app from crashing your smartphone.
On less powerful hardware — such as small medical implant devices, extremely resource-constrained spacecraft, or simple logic controllers used in industrial plants — such gatekeeper functionality is not possible. Instead, these systems run small, so-called real-time operating systems (RTOS) such as the eChronos RTOS. The constrained nature of the hardware devices the RTOS runs on makes it even more challenging to provide assurance and evidence that it works reliably.
The eChronos RTOS is also used on the flight-control processor of the DARPA-funded SMACCM project's research vehicle.
- Oct 2017: Memory protection support in the eChronos RTOS will presented at LCA 2018: Sane Behaviour on Teeny Hardware
- Sep 2017: Licence changed from AGPLv3 to CSIRO BSD MIT.
- Aug 2016: Paper on scheduling proof published.
- Feb 2016: the eChronos RTOS at LCA:
- Aug 2015: Released under AGPLv3, available on github.
- Feb 2014: Formal verification of code-level assertions completed by model checking.
- Jan 2014: the eChronos RTOS flies the SMACCMPilot quadcopter and at the DARPA HACMS demo day.
- Oct 2013: Functional C implementation verification starts on eChronos RTOS code.
- Sep 2013: Example code for PX4 board shipped to project partners.
- Sep 2013: Version 0.0.2 shipped to project partners, support for preemption, semaphores, and strict priority scheduling.
- Apr 2013: Version 0.0.1 shipped to project partners for QEMU and STMF32 discovery board.
- Apr 2013: Proved a number of higher-level properties about the eChronos RTOS specification: schedule fairness and signal handling.
- Nov 2012: First version of a formal functional specification complete.
Problem: Modern critical systems — such as medical devices and car braking systems — rely on software. At the heart of these devices sit real-time operating systems such as the eChronos RTOS.
Software at this level can lead to injury or damage or worse. So it is important that such software be reliable and safe, and it is essential to ensure that it performs precisely as intended.
Approach: Formal machine-checked verification of the eChronos RTOS, initially for functional correctness, later also for worst-case execution time.
eChronos RTOS functionality:
The eChronos RTOS is highly configurable and comes in multiple variants, so only the functionality that is actually needed runs on the device.
- Suitable for devices with constrained resources
- Tasks: user defined, perform syscalls
- Scheduler: round robin or strict priorities
- Multithreading: cooperative or preemptive
- Signals: tasks send and wait for signals
- Interrupts: interrupt handlers raise events
- Synchronisation: mutex and semaphore modules
|Hardware memory protection support (ARMv7m)||Under review, on schedule||Q1 '18||branch: arm_mpu_support|
|Cortex-M0/M0+ platform support (ARMv6m)||In development, on schedule||Q1 '18||branch: [sandbox] cortex-m0*|
|Driver framework integration (libopencm3)||In development, on schedule||Q1 '18||branch: [sandbox] libopencm3*|
|Atmel AVR platform support||In development, on schedule||Q2 '18||branch: atmel_avr_support|
The eChronos RTOS is open source, available under the CSIRO BSD/MIT licence, on github.
The eChronos RTOS is also available for commercial deployment. For separate commercial licenses, please contact us (see below) for further information.
Ihor Kuz, ihor.kuz AT data61.csiro.au
|Darren Cofer, John Backes, Andrew Gacek, Daniel DaCosta, Michael Whalen, Ihor Kuz, Gerwin Klein, Gernot Heiser, Lee Pike, Adam Foltzer, Michael Podhradsky, Douglas Stuart, Jason Graham and Brett Wilson|
Secure mathematically-assured composition of control models
Technical Report, Data61, CSIRO, September, 2017
|June Andronick, Corey Lewis, Daniel Matichuk, Carroll Morgan and Christine Rizkallah|
Proof of OS scheduling behavior in the presence of interrupt-induced concurrency
International Conference on Interactive Theorem Proving, pp. 52–68, Nancy, France, August, 2016
||June Andronick, Corey Lewis and Carroll Morgan|
Controlled Owicki-Gries concurrency: reasoning about the preemptible eChronos embedded operating system
Workshop on Models for Formal Analysis of Real Systems (MARS 2015), pp. 10–24, Suva, Fiji, November, 2015