L4Linux - A virtualized Linux on a componentized, small kernel system

Adam Lackorzynski
2006-03-11

Welcome to the interactive presentation of L4Linux. L4Linux is a virtualized Linux kernel running on an L4 micro-kernel. It is binary compatible with normal Linux and can thus run any unmodified Linux distribution. There are several scenarios in which one or more virtualized legacy operating systems are needed or useful for building different systems. We go through some of them on the following pages.

History

L4Linux was invented in 1996 in Dresden's Operating System Group. Initially it was based on Linux 2.0. Ports to more recent Linux versions have followed since then. The current L4Linux version is based on 2.6 and is kept up to date with the released Linux versions. We aim at modifying Linux as little as possible.

Architecture

The system in which L4Linux runs looks as follows:

Starting from the bottom, there is a micro-kernel running in privileged mode. In de-privileged mode above it, some basic services provide the foundation for more advanced applications. Those basic services include a memory manager, a name server, a program loader and some more components. L4Linux utilizes those core services. By the way, the GUI you currently see is also a native service, which L4Linux uses for graphical interaction.

Usage Scenarios

L4Linux can be used in different scenarios, among them:

  • Running your legacy applications on a micro-kernel based system.

  • Running your security-sensitive applications side by side with your commodity applications downloaded from the Internet, with the micro-kernel ensuring that both classes are properly separated.

  • Reuse functionality of the legacy operating system in your micro-kernel based system, e.g. use the disk and filesystem drivers in L4Linux to access the disk from your L4 application.

  • Machine consolidation: Run multiple instances of L4Linux on one machine to reduce your maintenance needs for many physical machines. The micro-kernel ensures that the virtual machines are isolated from each other.

  • Secure your privacy! Use L4Linux to run your comfortable Internet browsing and E-mail software and use small and trusted software on the micro-kernel side to sign or decrypt your messages. The legacy operating system will never see your private keys!

  • Multi Compartment Workstation: Use one virtual machine for every security level in your organization, eliminating the need for multiple physical machines. Once again the micro-kernel makes sure each virtual machine is properly isolated from the other ones.

The following pages will show some scenarios in more detail.

VPN Gateway

In this scenario two L4Linux instances are used to build a Virtual Private Network gateway. One L4Linux, the outer one, sends and receives data from the public Internet, while the inner L4Linux sends and receives data from the internal intranet. Encryption and decryption of the data stream are done by a small component that runs independently of the two Linux instances, is the only communication path between them, and presents a very small attack surface.

This component, the Viaduct, is small and relies on only a few other L4 components. It is therefore quite easy to understand and audit. An attacker may take over the outer Linux but has very little chance of corrupting either the Viaduct or the inner Linux. The Viaduct's trusted computing base (TCB) is small compared to the code involved when the encryption component is placed inside a conventional legacy operating system.

The code reused from the legacy operating system is mainly the network card driver and the networking software, namely the TCP/IP stack.
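
The Viaduct's position between the two Linux instances can be modelled in a few lines. This is an added example, not code from the Viaduct or the TUD:OS project: the class and method names, the peer gateway sharing the same keys, and the encrypt-then-MAC scheme are assumptions, and the keystream built from HMAC-SHA256 is a standard-library stand-in for whatever cipher the real component uses.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

class Viaduct:
    """Model of the only channel between inner and outer Linux; keys never leave it."""
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self._enc_key, self._mac_key = enc_key, mac_key

    def _xor_stream(self, nonce: bytes, data: bytes) -> bytes:
        # Stand-in cipher (assumption): keystream from HMAC-SHA256 in counter mode.
        stream = b""
        for counter in range((len(data) + 31) // 32):
            block = nonce + counter.to_bytes(4, "big")
            stream += hmac.new(self._enc_key, block, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream))

    def inner_to_outer(self, plaintext: bytes) -> bytes:
        """Seal intranet traffic before the outer Linux gets to see it."""
        nonce = os.urandom(NONCE_LEN)
        ct = self._xor_stream(nonce, plaintext)
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def outer_to_inner(self, packet: bytes):
        """Return plaintext for the inner Linux, or None when the packet is dropped."""
        if len(packet) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # verify before decrypting
            return None
        return self._xor_stream(nonce, ct)

def demo():
    # Constructed keys and payload; a peer gateway with the same keys is assumed.
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    site_a, site_b = Viaduct(enc_key, mac_key), Viaduct(enc_key, mac_key)
    payload = b"constructed intranet payload"
    sealed = site_a.inner_to_outer(payload)          # all the outer Linux ever holds
    flipped = sealed[:NONCE_LEN] + bytes([sealed[NONCE_LEN] ^ 1]) + sealed[NONCE_LEN + 1:]
    return {
        "visible_to_outer": payload in sealed,       # False: only ciphertext leaves
        "delivered": site_b.outer_to_inner(sealed),  # original payload
        "tampered": site_b.outer_to_inner(flipped),  # None: tag mismatch, dropped
        "injected": site_b.outer_to_inner(bytes(64)),  # None: forged without key
    }
```

Key exchange and replay protection are not modelled here; a taken-over outer Linux in this model can still drop or replay sealed packets, but it can neither read them nor get modified ones past the tag check.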

Machine Consolidation

L4Linux can be started multiple times and thus run several virtual machines in parallel on one physical machine. Depending on the needs, an L4Linux instance may be granted access to the physical hardware of the machine, relaying device access for the other instances. Hardware access may also be implemented by specialized L4 components.

In this example the L4 driver may be a network server which handles all network traffic for the virtual machines. The device L4Linux may have an IDE driver compiled in and accesses the disk on behalf of the green L4Linux instances. Disk virtualization will then be done in the device L4Linux. The green instances without hardware access need to have device drivers that talk to the corresponding servers. For example, there needs to be a virtual disk driver in the green L4Linux instances that talks to the device Linux. Such a driver is usually called a "stub driver".

Running L4Linux

The simplest way to run L4Linux is to use a hardware-independent setup, as is done for this demo.

This demo boots up an L4Linux with a simple and small RAM disk; it will not touch the disks in the host system. The RAM disk is small and only contains a very basic set of programs. For a demo with a more complete user land, please refer to the other setups.

By clicking here (in the Demo-CD version of this document) a new window should come up, showing Tux in the upper left corner and the familiar scrolling Linux boot messages. A shell prompt should appear shortly after that.

Click into the window with your mouse to enter commands.

In the window you can switch between virtual Linux consoles with Alt-F2, Alt-F3 and so on, as usual.

To close the virtual machine, just issue "halt" and the machine will shut down and the window will close. All resources will be freed.

Running Multiple Instances of L4Linux

There is nothing special about running multiple instances of L4Linux. Just start another copy (in the Demo-CD version of this document), and another one (in the Demo-CD version of this document)...

If no more resources such as free memory are available, no more instances will appear. Just shut down a currently running instance and you should be able to start another one.

Reboot the machine

Click here (in the Demo-CD version of this document) to reboot your machine.