Program Committee

• Nathan Burow, MIT Lincoln Laboratory

• Nathan Dautenhahn, Rice University

• Amit Levy, Princeton University

• Pierre Olivier, University of Manchester

• Dan Williams Virginia Tech

• Gerd Zellweger, Feldera

Vikram Narayanan, University of Utah

Program Committee

Nathan Burow, MIT Lincoln Laboratory

Nathan Dautenhahn, Rice University

Trent Jaeger, Pennsylvania State University

Shravan Narayan, University of Texas, Austin

Ruslan Nikolaev, Pennsylvania State University

Pierre Olivier, University of Manchester

Gerd Zellweger, VMware Research

November 3, 2024

• 13:00 - 13:05 Opening remarks

• 13:05 - 14:10 Keynote 1 by Deian Stefan (UCSD). Verus Using light-weight verification to secure the WebAssembly sandbox

• 14:10 - 14:30 Robust and Immediate Resource Reclamation with M³. Viktor Reusch (Barkhausen Institut), Nils Asmussen (Barkhausen Institut), Michael Roitzsch (Barkhausen Institut)

• 14:30 - 14:50 Kicking the Firmware Out of the TCB with the Miralis Virtual Firmware Monitor. Charly Castes (EPFL), Neelu S. Kalani (EPFL), Sofia Saltovskaia (EPFL), Noé Terrier (EPFL), Abel Vexina Wilkinson (EPFL), Edouard Bugnion (EPFL)

• 14:50 - 15:10 Bridge: A Leak-Free Hardware-Software Architecture for Parallel Embedded Systems. Gongqi Huang (Princeton University), Leon Schuermann (Princeton University), Amit Levy (Princeton University)

• 15:10 - 15:30 Veld: Verified Linux Drivers. Xiangdong Chen (University of Utah), Zhaofeng Li (University of Utah), Jerry Zhang (University of Utah), Anton Burtsev (University of Utah)

15:30 - 16:00 Coffee break (Overlaps with SOSP)

• 16:00 - 17:00 Keynote 2 by Anish Athalye (MIT). Formally Verifying Secure and Leakage-Free Systems: From Application Specification to Circuit-Level Implementation.

October 13, 2025

• 9:00 - 9:05 Opening remarks Anton Burtsev and Pierre Olivier

• 9:05 - 10:05 Keynote 1: Why change the kernel when you have seL4? Gernot Heiser (University of New South Wales)

Abstract Breaking up monetlithic kernels (which I take means Linux) is no doubt a commendable exercise. Recent additions to computer architectures that provide intra-address-space protection are an enabler of this and come with relatively low overhead.

While interesting for exploring the design space, these mechanisms have drawbacks, especially as using them limits a design to recent processors. Furthermore, they are not standardised across architectures, making it more difficult to keep kernel code mostly portable.

But are these really necessary? I argue they are not, and the combination of good old dual-mode execution paired with page-based virtual memory is all you need — as long as you pick the right design. And the right design got to be based on a microkernel, or rather The Microkernel, i.e. seL4.

There are never-dying claims that this leads to poor design. Our experience shows otherwise: kernel overheads are in the noise with a highly-tuned microkernel and a good design.

Consequently, my recommendation is to avoid dealing with fancy hardware extensions, and (a) de-privilege the (Linux) kernel by running it on seL4 and (b) modularise the resulting user-mode code.

• 10:05am - 10:25am OS Kernel Isolation for Context-violation Bugs. Yosuke Tanimoto, Hiroshi Yamada (TUAT)

• 10:25am - 10:45am reInstruct: Toward OS-aware CPU microcode reprogramming. Yubo Wang, Ruslan Nikolaev (The Pennsylvania State University); Binoy Ravindran (Virginia Tech)

10:45am - 11:15am Coffee break

• 11:15am - 12:15pm Keynote 2: CHERI: Opening a new design space for operating systems. David Chisnall (University of Cambridge)

Abstract The CHERI project began 15 years ago, with a goal of enabling fine-grained compartmentalisation within a process. It rapidly became clear that fine-grained compartmentalisation required safe sharing, and the only way to do sharing safely was to use existing programming-language abstractions to represent the model. This observation made us extend CHERI to be able to support object-granularity memory safety within a single security context, thereby enabling safe sharing of objects, not pages.CHERI has since graduated from being purely a research project. RISC-V International is finalising the specification for a CHERI RISC-V base architecture and multiple companies have announced CHERI chips or IP cores.

The invention of the memory-management unit (MMU) allows process isolation and virtual machines, but also led to things like cheap copy-on-write mechanisms, zygote models for fast process creation, shared memory abstractions and a large space of operating-system design choices to explore. New points in this space are still being discovered and explored today. CHERI has far less history, yet provides the same potentials. This talk will discuss two approaches to CHERI adoption in OS design: CheriBSD, which provides a fully backwards-compatible memory-safe POSIX system, and CHERIoT RTOS, which is a clean-slate design showing how CHERI enables new OS design patterns.

• 12:15pm - 12:35pm Compartment, Crash, and Continue: Toward Resilient Monolithic OS Kernels. Shih-Wei Li, Shih-Hung Tang, Yi-Lin Hsu (National Taiwan University)

• 12:35pm - 12:55pm Joyride: Rethinking Linux?s network stack design for better performance, security, and reliability. Yanlin Du, Ruslan Nikolaev (The Pennsylvania State University)

October 23, 2023

• 08:30 - 08:35    Opening remarks
• 08:35 - 09:35    Keynote by Chris Hawblitzel (Microsoft). Verus: Fast Formal Verification of Rust Programs Using Ownership and Automated Theorem Proving.

Session 1: Operating Systems

• 09:35 - 09:55    Leveraging Rust for Lightweight OS Correctness. Ramla Ijaz (Yale University), Kevin Boos (Theseus Systems), Lin Zhong (Yale University)

• 09:55 - 10:15    Atmosphere: Towards Practical Verified Kernels in Rust. Xiangdong Chen (University of Utah), Zhaofeng Li (University of Utah), Vikram Narayanan (University of Utah), Anton Burtsev (University of Utah)

10:15 - 10:40    Coffee break

Session 2: Hardware

• 10:40 - 11:00    Specifying the de-facto OS of a production SoC. Ben Fiedler (ETH Zurich), Roman Meier (ETH Zurich), Jasmin Schult (ETH Zurich), Daniel Schwyn (ETH Zurich), Timothy Roscoe (ETH Zurich)

• 11:00 - 11:20    The K2 Architecture for Modular Hardware Security Modules. Anish Athalye (MIT), Frans Kaashoek (MIT), Nickolai Zeldovich (MIT), Joseph Tassarotti (New York University)

Session 3: Secure Interfaces

• 11:20 - 11:40    CIVSCOPE: Analyzing Potential Memory Corruption Bugs in Compartment Interfaces by Establishing Lower Bound and Upper Bound. Yi Chien (Rice University), Vlad-Andrei Bădoiu (University Politehnica of Bucharest), Yudi Yang (Rice University), Yuqian Huo (Rice University), Kelly Kaoudis (Trail of Bits), Hugo Lefeuvre (The University of Manchester), Pierre Olivier (The University of Manchester), Nathan Dautenhahn (Rice University)

• 11:40 - 12:00    Encapsulated Functions: Fortifying Rust’s FFI in Embedded Systems. Leon Schuermann (Princeton University), Amit Levy (Princeton University), Arun Thomas (zeroRISC Inc.)