Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slides for Drawbridge Jeff Chase.

Published byJayson Baker Modified over 9 years ago

Similar presentations

Presentation on theme: "Slides for Drawbridge Jeff Chase."— Presentation transcript:

1 Slides for Drawbridge Jeff Chase

2 Drawbridge Rethinking the Library OS from the Top Down

3

4

5 Operating Systems: The Classical View
Each process has a private virtual address space and one or more threads. Programs run as independent processes. data data Protected system calls ...and upcalls (e.g., signals) Protected OS kernel mediates access to shared resources. Threads enter the kernel for OS services. The kernel code and data are protected from untrusted processes.

6 Some questions What functions can/should be in the kernel?
What functions can/should be in a library? What are the tradeoffs? What about sharing? Resource management? From Drawbridge: registry, COM, files, display… What are the costs/benefits of a “minimal” kernel ABI? Security? Portability? Transportability? (Migration) Why is Microsoft interested in Drawbridge? Why now? How does it differ from earlier microkernels, e.g., Mach?

7 OS Platform: A Model Applications/services. May interact and serve one another. API Libraries/frameworks: packaged code used by multiple applications API Protection boundary OS platform: same for all applications on a system E,g,, classical OS kernel OS mediates access to shared resources. That requires protection and isolation. [RAD Lab]

8 Example: heap manager Program (app) OS kernel “break” Heap manager
Stack free “0xA” alloc “0xA” alloc “0xB” “ok” “break” Heap manager 4096 sbrk system call Dynamic data (heap/BSS) “Set break (4096)” OS kernel

9 “binder” message driver in kernel
“Subsystems” A server process may provide trusted system functions to other processes, outside of the kernel. E.g., this code is trusted, but like other processes it cannot manipulate the hardware state except by invoking the kernel. Example: Android Activity Manager subsystem provides many functions of Android, e.g., component launch and brokering of component interactions. With no special kernel support! It uses same syscalls as anyone else. AMS controls app contexts by forking them with a trusted lib, and issuing RPC commands to that lib. Android AMS subsystem JVM+lib Linux kernel “binder” message driver in kernel

10 “OS as a service”

11 Point of “OS as a Service”
Kernel support for fast cross-domain call (“local RPC) enables OS services to be provided as user programs, outside the kernel, over a low-level “microkernel” syscall interface. This low-level syscall interface is not an API: it is hidden from applications, which are built to use the higher-level OS service APIs. Many systems use this structure. Android uses it. Android is a collection of libraries and services over a “standard” Linux kernel, with binder supported added to the kernel as a plug-in module (a special device driver). This structure originated with research “microkernel” systems in the 1980s, most notably the Mach project at CMU. The kernel code base for MacOSX derives substantially from Mach. Windows uses this structure to some extent. Microsoft’s first modern OS was Windows NT (released in 1993). NT was strongly influenced by the research work in microkernels.

12 Native virtual machines (VMs)
Slide a hypervisor underneath the kernel. New OS layer: also called virtual machine monitor (VMM). Kernel and processes run in a virtual machine (VM). The VM “looks the same” to the OS as a physical machine. The VM is a sandboxed/isolated context for an entire OS. Can run multiple VM instances on a shared computer. hypervisor

13 guest VM1 guest VM2 guest VM3 guest or tenant VM contexts
P1A P2B P3C OS kernel 1 OS kernel 2 OS kernel 3 hypervisor/VMM host

14 Image/Template/Virtual Appliance
A virtual appliance is a program for a virtual machine. Sometimes called a VM image or template The image has everything needed to run a virtual server: OS kernel program file system application programs The image can be instantiated as a VM on a cloud. Not unlike running a program to instantiate it as a process

15 Thank you, VMware

16 Containers Note: lightweight container technologies offer a similar abstraction, but the VMs share a common kernel. E.g., Docker

17 Drawbridge thread ABI/API

18 Bascule thread ABI (refines Drawbridge)

19 Bascule/Drawbridge thread ABI

20 Bascule/Drawbridge semaphore ABI

21 Bascule/Drawbridge event ABI

22 Drawbridge I/O: streams
The primary I/O mechanism in Drawbridge is an I/O stream. I/O streams are byte streams that may be memory-mapped or sequentially accessed. Streams are named by URIs…Supported URI schemes include file:, pipe:, tcp:, udp:, pipe.srv:, http.srv, tcp.srv:, and udp.srv:. The latter four schemes are used to open inbound I/O streams for server applications:

23 Butler W. Lampson Butler Lampson is a Technical Fellow at Microsoft Corporation and an Adjunct Professor at MIT…..He was one of the designers of the SDS 940 time-sharing system, the Alto personal distributed computing system, the Xerox 9700 laser printer, two-phase commit protocols, the Autonet LAN, the SPKI system for network security, the Microsoft Tablet PC software, the Microsoft Palladium high-assurance stack, and several programming languages. He received the ACM Software Systems Award in 1984 for his work on the Alto, the IEEE Computer Pioneer award in 1996 and von Neumann Medal in 2001, the Turing Award in 1992, and the NAE’s Draper Prize in 2004.

24 Accountability vs. Freedom
Partition world into two parts: Green Safer/accountable Red Less safe/unaccountable Two aspects, mostly orthogonal User Experience Isolation mechanism Separate hardware with air gap VM Process isolation Red-Green is our name for the creation of two different environments for each user in which to do their computing. One environment is carefully managed to keep out attacks – code and data are only allowed if of known trusted origin – because we know that the implementation will have flaws and that ordinary users trust things that they shouldn’t. This is the “Green” environment; important data is kept in it. But because lots of work, and lots of entertainment, requires accessing things on the Internet about which little is known, or is even feasible to know, regarding their trustworthiness (so it can not be carefully managed), we need to provide an environment in which this can be done – this is the “Red” environment. The Green environment backs up both environments, and when some bug or user error causes the Red environment to become corrupt, it is restored to a previous state (see the recovery slide); this may entail loss of data, which is why important data is kept on the Green side, where it is less likely to be lost. Isolation between the two environments is enforced using IPsec. The big unknown is the user experience, at this point. We know different models: The KVM switch model (as in NetTop) The X-Windows model (with windows actually fronting for an execution on some other machine) What the users will find preferable is an open question, still. More to the point, the security of the system depends on separation that will be visible to the user. There will be things that the user will not be allowed to do because of the security policy. What also needs to be researched is the best way to communicate that separation to the user. The KVM switch model, in which the user envisions two separate PCs that have to use network shares to share files might be the simplest to grasp. Implementation is still a matter of debate within the company – and even within the team. Today we are going to talk about the VM-based isolation solution

25 Total: N+m attacks/yr on all assets
Without R|G: Today Less trustworthy Less accountable entities More trustworthy More accountable entities (N >> m) m attacks/yr N attacks/yr Less valuable assets More My Computer Almost everyone has a “red” machine Security settings optimized for immediate productivity not long-term security So… The untrustworthy or unaccountable get to interact with important assets Entities - Programs - Network hosts - Administrators Total: N+m attacks/yr on all assets

26 With R|G (N >> m) m attacks/yr N attacks/yr More valuable assets
Less trustworthy Less accountable entities More trustworthy More accountable entities (N >> m) m attacks/yr N attacks/yr More valuable assets My Green Computer My Red Computer Less valuable assets Entities - Programs - Network hosts - Administrators N attacks/yr on less valuable assets m attacks/yr on more valuable assets

27 Must Get Configuration Right
Keep valuable stuff out of red Keep hostile agents out of green Less valuable assets My Red Computer More My Green Computer Valuable Asset Less trustworthy Less accountable entities More trustworthy More accountable Hostile agent

28 Why R|G? Problems: Solution: Isolated work environments:
Any OS will always be exploitable The richer the OS, the more bugs Need internet access to get work done, have fun The internet is full of bad guys Solution: Isolated work environments: Green: important assets, only talk to good guys Don’t tickle the bugs, by restricting inputs Red: less important assets, talk to anybody Blow away broken systems Good guys: more trustworthy / accountable Bad guys: less trustworthy or less accountable

Download ppt "Slides for Drawbridge Jeff Chase."

Similar presentations

Virtualisation From the Bottom Up From storage to application.

Virtualisation From the Bottom Up From storage to application.
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.

Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.
Threads, SMP, and Microkernels Chapter 4. Process Resource ownership - process is allocated a virtual address space to hold the process image Scheduling/execution-

Threads, SMP, and Microkernels Chapter 4. Process Resource ownership - process is allocated a virtual address space to hold the process image Scheduling/execution-
1 Accountability and Freedom Butler Lampson Microsoft October 27, 2005.

1 Accountability and Freedom Butler Lampson Microsoft October 27, 2005.
Introduction to Operating Systems CS-2301 B-term 20081 Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.

Introduction to Operating Systems CS-2301 B-term Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.
Introduction to Virtualization

Introduction to Virtualization
CS-3013 & CS-502, Summer 2006 Virtual Machine Systems1 CS-502 Operating Systems Slides excerpted from Silbershatz, Ch. 2.

CS-3013 & CS-502, Summer 2006 Virtual Machine Systems1 CS-502 Operating Systems Slides excerpted from Silbershatz, Ch. 2.
INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.

INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.
Virtualization and the Cloud

Virtualization and the Cloud
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.

A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
OS Concepts An Introduction operating systems. At the end of this module, you should have a basic understanding of what an operating system is, what it.

OS Concepts An Introduction operating systems. At the end of this module, you should have a basic understanding of what an operating system is, what it.
Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.

Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
Processes Part I Processes & Threads* *Referred to slides by Dr. Sanjeev Setia at George Mason University Chapter 3.

Processes Part I Processes & Threads* *Referred to slides by Dr. Sanjeev Setia at George Mason University Chapter 3.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
1 Introduction to Cloud Security Former Intel CEO, Andy Grove: “only the paranoid survive”

1 Introduction to Cloud Security Former Intel CEO, Andy Grove: “only the paranoid survive”
Chapter 8 Windows 2000. 2 Outline Programming Windows 2000 System structure Processes and threads in Windows 2000 Memory management The Windows 2000 file.

Chapter 8 Windows Outline Programming Windows 2000 System structure Processes and threads in Windows 2000 Memory management The Windows 2000 file.

Similar presentations

Ads by Google