
Providing spatial isolation for Mixed-Criticality Systems

TINTO, EDOARDO
2021/2022

Abstract

This work is situated in the domain of hard real-time systems subject to stringent timing constraints, which find industrial application in many safety-critical sectors, such as avionics and space. In such critical domains, minimizing the risk of interference among different components of the same system is mandatory, and to this end different architectural approaches have been applied in the past; in the aerospace domain, modern state-of-the-art systems adopt an integrated approach, referred to as the Integrated Modular Avionics (IMA) paradigm. This approach allows different applications to share the same hardware resources (the same on-board computer) while guaranteeing isolation among applications running at different criticality levels. Notably, different criticality levels demand different certification assurances; in fact, highly critical components require greater certification effort than low-criticality ones. When adopting an integrated approach, it is necessary to ensure that faults of any kind in low-criticality applications do not cause errors of any kind in higher-criticality applications; this requires isolation between applications of different criticality levels. Isolation takes place in three directions: over the temporal, the spatial and the fault axis. According to [1], in the IMA paradigm isolation is usually pursued through partitioning. Partitioning is an approach to achieving isolation through resource allocation, assigning resources (along the spatial and temporal axes) to partitions, composed of groups of functionalities with identical criticality level. An application executing with a dedicated set of resources is called a partition, and partitions are executed under a fixed schedule.
Due to the cautionary margin added to the high-watermark execution time of partitions and tasks, which in industrial applications, according to [2], might exceed 50% of this value, systems adopting partitioning in the temporal and spatial dimensions (Time-Space Partitioning, TSP) tend to present low utilization levels. For this reason, starting from [3], different approaches have been developed, referred to as Mixed-Criticality Systems (MCS), aiming to reach higher levels of utilization than those adopting the TSP approach, without renouncing the isolation guarantees that those systems provide. This work builds on the results obtained by [2], which show empirical evidence of the gain in terms of system utilization following the adoption of a mixed-criticality scheduling approach, in comparison with a real-world TSP system, the XtratuM hypervisor, described in [4]. We investigate isolation over the spatial dimension, providing a concrete implementation addressing this isolation axis.
2021
Real-time systems
Mixed-Criticality
Spatial isolation
Files in this record:
File: Tinto_Edoardo.pdf (restricted access)
Size: 2.69 MB
Format: Adobe PDF

The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 license.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.12608/42145