Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.

Published byGiles Ray Modified over 8 years ago

Similar presentations

Presentation on theme: "Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros."— Presentation transcript:

1 Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros

2 Motivation Extensibility is desirable  Integration of independently developed software modules Faults in extension code  entire software system is unreliable  Bugs in third party code  Need to protect distrusted modules from corrupting application data  Allow cooperation

3 First Solution Hardware solution:  Place each module in its own address space  Automatic boundary protection  Use cross-address-space RPC for cooperation between modules – lots of context switches  HIGH PERFORMANCE COST  Maybe a software solution is better

4 Insight!!! Only a relatively small portion of code is distrusted Should only protect against distrusted code!!

5 Second Solution Software approach:  Handle fault isolation within one address space  Segment an address space into fault domains One segment for code, and one for data Segment identifiers One fault domain for each task  Software Encapsulation – distrusted object code must: Jump only to targets in its code segment Write only to addresses within its data segment 0x3AB00000 0x3ABFFFFF 0x3AC00000 0x3ACFFFFF............ Virtual Address Space

6 Segment Matching Handling unsafe instructions:  Jump/store to an address that cannot be statically verified to be in the correct segment  insert checking code before unsafe instructions  four instructions and four dedicated registers (used only by inserted code)  If check fails, trap to system error routine pinpoint offending instruction Target AddressSegment ID ==

7 Address Sandboxing Reduce overhead further Insert code to overwrite the upper bits (segment identifier) of target address  Requires only two instructions  Does not catch illegal addresses  Verifiable  Needs 5 registers Target Address Segment ID

8 Process Resources Same virtual address space  Resources allocated per-address-space basis can still be corrupted (e.g. close files) Solution: distrusted code cannot make system calls directly  cross-fault-domain RPC  trusted arbitration code handles system calls on behalf of the distrusted code  arbitration code can make system calls directly, if the operations are deemed safe

9 Data Sharing Read sharing  easy Write sharing  lazy pointer swizzling  map shared memory region into all segments that need access – at the same offset in each segment 0x3AB00000 0x3ABFFFFF 0x3AC00000 0x3ACFFFFF............ Virtual Address Space 0x3AB12ABC 0x3AC12ABC

10 Implementation details Software Encapsulation:  could use a compiler to generate encapsulated code for distrusted modules  the system can directly modify object code at load time Binary patching – not possible at the time

11 Fast Cross-Fault-Domain RPC Jump table – control transfer  only way to escape a fault domain  only modifiable by trusted segment Customized call and return stubs  copy cross-domain arguments  manage machine state

12 Fast Cross-Fault-Domain RPC Robustness  uses the UNIX signal facilities to catch errors  notifies the caller’s fault domain  trusted modules can use timers to interrupt execution and determine line of action

13 Performance Software encapsulation provides substantial savings over using native OS services

14 Performance Much cheaper than traditional context switches

15 Summary Software fault isolation  Constrain jumps and writes to be within fault domain  Restrict direct access to system calls Cross-fault-domain RPC == jump instructions Need extra instructions and registers, but there is an overall performance improvement

16 Discussion I think limitations of binary patching could be resolved by adding hardware support in terms of new dedicated registers for that purpose (of course this could be done in away to keep the architecture backward compatible). Haven’t that been tried out or got implemented in any systems? Are these fault isolation techniques used in current systems in the first place?

17 Discussion What determines the partitioning of the target address to yield the ideal segment identifier size? What impacts/influences this decision? Is it difficult to find a contiguous region of memory to be used as a fault domain?

18 Discussion Why would programs with "a significant percentage of floating point operations" or which "perform significant amounts of I/O" incur less overhead?

19 Discussion If this method is so effective, why is it not used in place of microkernels? How might this compare to lightweight microkernel approaches such as L3/L4 or LRPC?

20 Discussion What criteria would one use to determine if a software package needs sandboxing or not? The author keeps making reference to "distrusted modules", but why would you be running modules you distrust / the reverse, can you trust anything?

21

Download ppt "Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros."

Similar presentations

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.

Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?

Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?
Lightweight Remote Procedure Call BRIAN N. BERSHAD THOMAS E. ANDERSON EDWARD D. LAZOWSKA HENRY M. LEVY Presented by Wen Sun.

Lightweight Remote Procedure Call BRIAN N. BERSHAD THOMAS E. ANDERSON EDWARD D. LAZOWSKA HENRY M. LEVY Presented by Wen Sun.
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.
“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.

“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.
CS 153 Design of Operating Systems Spring 2015

CS 153 Design of Operating Systems Spring 2015
OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.

OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Kumar R., Singhania A., Castner A., Kohler E Proceedings of Design Automation Conference Pages: 218 - 223 June 2007 2015/7/13.

Kumar R., Singhania A., Castner A., Kohler E Proceedings of Design Automation Conference Pages: June /7/13.
CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.

CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
Protection and the Kernel: Mode, Space, and Context.

Protection and the Kernel: Mode, Space, and Context.
CSC 501 Lecture 2: Processes. Process Process is a running program a program in execution an “instantiation” of a program Program is a bunch of instructions.

CSC 501 Lecture 2: Processes. Process Process is a running program a program in execution an “instantiation” of a program Program is a bunch of instructions.
Eric Keller, Evan Green Princeton University PRESTO 2008 8/22/08 Virtualizing the Data Plane Through Source Code Merging.

Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.

Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.

Similar presentations

Ads by Google