Presentation is loading. Please wait.

Presentation is loading. Please wait.

01/05/2015Leiden Institute of Advanced Computer Science 1 The Open Kernel Environment - spinning Linux - Herbert Bos Bart Samwel

Published bySophia Knopp Modified over 9 years ago

Similar presentations

Presentation on theme: "01/05/2015Leiden Institute of Advanced Computer Science 1 The Open Kernel Environment - spinning Linux - Herbert Bos Bart Samwel"— Presentation transcript:

1 01/05/2015Leiden Institute of Advanced Computer Science 1 The Open Kernel Environment - spinning Linux - Herbert Bos Bart Samwel {herbertb,bsamwel}@liacs.nl

2 01/05/2015Leiden Institute of Advanced Computer Science 2 Outline Goals + motivation Architecture code loader compiler access to kernel POC Current work Conclusion

3 01/05/2015Leiden Institute of Advanced Computer Science 3 What do we want to do? allow unprivileged users to load native code in Linux kernel in a safe manner security resource control crashes Why? Performance network monitoring/filtering active networks

4 01/05/2015Leiden Institute of Advanced Computer Science 4 Components Safe code loader "who is allowed to load what modules?" ” Extensible compiler "which programmer is allowed to do what?" ” Accessing kernel resources safely "how do we make sure the kernel ’ s integrity is preserved?" ” Make rules for extensible compiler Legislator

5 01/05/2015Leiden Institute of Advanced Computer Science 5 “ SPIN ” Extensible OS "protection is a language issue" allows modules to be loaded in the kernel extensibility based on exported interfaces based on safety properties of Modula-3 type safety, auto storage mgmt, interfaces

6 01/05/2015Leiden Institute of Advanced Computer Science 6 SPIN kernel resources referenced by capabilities pointer to block of mem, type declared in I/F cannot be used inconsistent with type unforgeable, statically checked Protection domain: set of accessible names normally: VM SPIN: explicit namespaces supported by language Code signed by Modula-3 compiler

7 01/05/2015Leiden Institute of Advanced Computer Science 7 The OKE non-privileged users load native code in krnl make resources available depending on “ role ” many different privileges/roles not: separate language for each class of users don ’ t rely on interpreted language "elastic" compiler/language compiler applies extra rules depending on authorisation so: language is customised based on credentials

8 01/05/2015Leiden Institute of Advanced Computer Science 8 OKE Code Loader extend insmod/rmmod CL security policy based on trust mgmt CL has set of policies accepts blob of code + set of credentials checks credentials match: load module no match: reject implemented using KeyNote

9 01/05/2015Leiden Institute of Advanced Computer Science 9 OKE Code Loader module A module B user kernel CODE LOADER module C S credentials user "who is allowed to load what?"

10 01/05/2015Leiden Institute of Advanced Computer Science 10 What are we allowed to do? "why should safe code not be allowed to run in the kernel?" ” we want to restrict access to resources limit number of modules, amount of memory, number of cycles, etc. dependent on users! yet another safe language for specific purpose? restricts towards lowest common denominator instead: one language that is restricted depending on role

11 01/05/2015Leiden Institute of Advanced Computer Science 11 Compiler: elastic languages depending on who the code-loading party is more or less access is given to language constructs resources (incl. kernel functions + data structures) extra checks or functions may be added trivial example: looping • no loops (students) • limited loops (staff) • unrestricted loops (sysadmin) other example: cycle counting • hard max (students) • growing max (staff)  don ’ t count (sysadmin)

12 01/05/2015Leiden Institute of Advanced Computer Science 12 Compiler: elastic languages many potential dangers can be spotted at source level after construction of AST at intermediate code level elastic language = normal language ("C") on which arbitrary restrictions can be placed based on credentials conceptually: separate languages (subsets) restrict at very early stage

13 01/05/2015Leiden Institute of Advanced Computer Science 13 Bygwyn compiler "you can ’ t always get what you want, but you get what you need" compiler is Trusted extensible (extra rules may customise language) customisation depends on authorisation

14 01/05/2015Leiden Institute of Advanced Computer Science 14 Bygwyn issues: object code should be tamperfree user ’ s authorisation should be checked use KeyNote to convey and check authorisation at coarse granularity "role" or user class ” triggers compiler to load extra rules

15 01/05/2015Leiden Institute of Advanced Computer Science 15 Bygwyn compiler BYGWYN my code credentials user extra rules for user (given credentials and policies) module C S "once loaded, who is allowed to do what?" "compile and sign"

16 01/05/2015Leiden Institute of Advanced Computer Science 16 Access to kernel module B foo*(arg) foo(arg) bar(arg) via interface (similar to SPIN) wrapped on the module code by compiler exceptions

17 01/05/2015Leiden Institute of Advanced Computer Science 17 The Legislator Who creates these extra rules? Legislators customisation tools for target language example: the OKE legislator GUI based tick boxes, fill in forms no knowledge of compiler internals needed

18 01/05/2015Leiden Institute of Advanced Computer Science 18 Simple prototype Pascal (friendly grammar) customise almost anything e.g. disallow pointers, restrict pointers, array bounds checks, etc. give “ safe ’ access to kernel packet filtering example between 3 and 5 times faster than BPF often leads to toy languages ” and/or need lot of runtime checks

19 01/05/2015Leiden Institute of Advanced Computer Science 19 Example: array bound checking option 1: don ’ t check option 2: check thoroughly CMP, JMP terminate (e.g. throw exception) option 3: fast check make sure index is always in range: a[i%N] errors are programmer's problem % is slow boundary at power of 2 and chop off high bits: 1 AND which check is used depends on the user ’ s credentials and/or preferences char a[N]; a[i] = x; 099 0127 010000101 001111111 & 000000101

20 01/05/2015Leiden Institute of Advanced Computer Science 20 Tough problems Namespace Pointers NULL dereferences dangling pointers pointer arithmetic, etc. Sharing datastructures with the kernel who frees the data? Recursion

21 01/05/2015Leiden Institute of Advanced Computer Science 21 Tough problems How can we interrupt a module? what if module just obtained a kernel lock? what if deadlock occurs? what if it leaves kernel in inconsistent state? As for the latter issue: if there is danger of that, module should not have received the authorisation to do so encapsulate better for certain users: provide timeouts on locks, etc.

22 01/05/2015Leiden Institute of Advanced Computer Science 22 We really want something like C so we now use modified "Cyclone" Crash-free "C" ” different types of pointer runtime checks (but only where needed) region based protection however, we needed more (+ less) share memory with kernel interrupt modules CPU usage extensibility

23 01/05/2015Leiden Institute of Advanced Computer Science 23 Conclusions simple prototype is a dead end unprivileged users are allowed to load code in kernel can be very fast very much like C Cyclone is very good but needs many changes much work to be done

Download ppt "01/05/2015Leiden Institute of Advanced Computer Science 1 The Open Kernel Environment - spinning Linux - Herbert Bos Bart Samwel"

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Emmett Witchel Krste Asanović MIT Lab for Computer Science Hardware Works, Software Doesn’t: Enforcing Modularity with Mondriaan Memory Protection.

Emmett Witchel Krste Asanović MIT Lab for Computer Science Hardware Works, Software Doesn’t: Enforcing Modularity with Mondriaan Memory Protection.
Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Binary Component Adaptation Ralph Keller and Urs Hölzle Dept. of Computer Science University of California, Santa Barbara 1998.

Binary Component Adaptation Ralph Keller and Urs Hölzle Dept. of Computer Science University of California, Santa Barbara 1998.
The Open Kernel Environment (opening up all levels of the processing hierarchy in a 'safe' manner) Herbert Bos Bart Samwel Leiden University

The Open Kernel Environment (opening up all levels of the processing hierarchy in a 'safe' manner) Herbert Bos Bart Samwel Leiden University
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.

Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, David Becker, Marc.

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, David Becker, Marc.
Topic 9 – Introduction To Arrays. CISC105 – Topic 9 Introduction to Data Structures Thus far, we have seen “simple” data types. These refers to a single.

Topic 9 – Introduction To Arrays. CISC105 – Topic 9 Introduction to Data Structures Thus far, we have seen “simple” data types. These refers to a single.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Pointer. Warning! Dangerous Curves C (and C++) have just about the most powerful, flexible and dangerous pointers in the world. –Most other languages.

Pointer. Warning! Dangerous Curves C (and C++) have just about the most powerful, flexible and dangerous pointers in the world. –Most other languages.
Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.

Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.
1 Hybrid Resource Control for Active Extensions Parveen Patel Jay Lepreau University of Utah.

1 Hybrid Resource Control for Active Extensions Parveen Patel Jay Lepreau University of Utah.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Similar presentations

Ads by Google