Fast, Secure, Adaptable: LionsOS Design, Implementation and Performance
Gernot Heiser, Ivan Velickovic, Peter Chubb, Alwin Joshy, Anuraag Ganesh, Bill Nguyen, Cheng Li, Courtney Darville, Guangtao Zhu, James Archer, Jingyao Zhou, Krishnan Winter, Lucy Parker, Szymon Duchniewicz, Tianyi Bai
TL;DR
LionsOS tackles the challenge of building a high-assurance OS for security- and safety-critical embedded systems by basing its design on the formally verified seL4 microkernel and enforcing radical simplicity through strict modularity and use-case-specific policies. The system uses a static architecture with fine-grained separation of concerns, SPSC queues, and per-client virtualisers to isolate devices while enabling high performance, even on system-call intensive workloads. Empirical results show LionsOS can outperform Linux on networking tasks and scales across Arm and x86 platforms, aided by driver VMs for legacy device support and a lightweight, per-client file system and networking stack that stay out of the TCB. The work demonstrates that modularity and verification-friendly design can coexist with high performance in embedded contexts, and the open-source LionsOS release provides a practical path toward dependable, configurable, and extensible secure OS components for cyber-physical systems.
Abstract
We present LionsOS, an operating system for security- and safety-critical embedded systems. LionsOS is based on the formally verified seL4 microkernel and designed with verification in mind. It uses a static architecture and features a highly modular design driven by strict separa- tion of concerns and a focus on simplicity. We demonstrate that LionsOS achieves excellent performance on system-call intensive workloads.