Presentation is loading. Please wait.

Presentation is loading. Please wait.

G22.3250-001 Robert Grimm New York University Xen and Nooks.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "G22.3250-001 Robert Grimm New York University Xen and Nooks."— Presentation transcript:

1 G22.3250-001 Robert Grimm New York University Xen and Nooks

2 Agenda  Altogether now: The three questions  The (gory) details of Xen  We already covered Disco, so let’s focus on the details  Nooks  The grand tour

3 Altogether Now: The Three Questions  What is the problem?  What is new or different?  What are the contributions and limitations?

4 The (Gory) Details of Xen

5 The Details of Xen  Memory management  x86 has hardware-accessed page tables and TLB  Guest OS’s responsible for managing page tables  Provide machine memory (from their reservations)  Have direct read-only access  Defer to Xen for (batched) updates  CPU  Guest OS’s run in otherwise unused ring 1  Privileged instructions need to be processed by Xen  Though, the x86 makes life a little difficult (how?)  Fast exception handler does not require Xen interaction  Must execute outside ring 0 (what does Xen need to do?)

6 The Details of Xen (cont.)  Device I/O  Xen presents idealized device abstraction  Data is transferred through shared-memory buffer rings  Upcalls are delivered through event delivery mechanism

7 The Gory Details  Control transfer  Hypercalls: synchronous software traps to VMM  Events: asynchronous, possibly batched upcalls to VMs  Data transfer through I/O rings  Separate descriptors from actual data  Zero-copy transfer for data  Support batching and re-ordering

8 The Gory Details (cont.)  Virtual memory  Remember: Guest OS’s manage page tables (not shadows)  Exposes names and allocation  Validated by types and reference counts  Page directory/table, local/global descriptor table, writable  Page directory and tables pinned  Cannot be swapped (why?)  Physical memory  Controlled through balloon driver  Pins pages, which are then returned to VMM  Mapped into machine memory  Xen publishes machine-to-physical mapping (necessary for what?)

9 Nooks

10 Nooks in One Slide  An isolation and recovery service  Manages kernel-space extensions  Targeted at commodity kernels  Implemented in Linux, should be easily portable to other OSs  Detects, removes, and restarts misbehaving extensions  But not malicious ones

11 Why Do We Need Safe Extensions for Commodity Kernels?  Cost of failures continues to rise  Downtime of mission-critical systems  Staffing for help-desk  Extensions are common-place  70% of Linux code  35,000 different drivers with 120,000 versions for Windows XP  Extensions are leading cause of failures  85% of failures for Windows XP  7 times more bugs in drivers than in rest of kernel for Linux

12 Why Not Use X?  Capabilities, segments  Need specialized hardware, no support for recovery  Micro-, pico-, exo-kernels  No support for recovery, some performance concerns  Transactions  Sloooooooooooooooooooowwwwwwwwww  Type-safe languages and runtimes  Not backwards compatible  Software fault isolation  No support for recovery

13 Why Not Use X? (cont.)  Virtual machines  Still have drivers in VMM  But lead us to important insight  Only virtualize interface between kernel and extensions  In other words, we don’t need to be perfect, just good enough.

14 Nooks Architecture  Two principles  Design for fault resistance, not fault tolerance  Design for mistakes, not abuse  Three goals  Isolation  Recovery  Backward compatibility

15 Nooks Architecture: Four Functions  Isolation  Lightweight protection domains for extensions  What is the trust relationship?  Extension procedure call (XPC)  Interposition  Wrappers for all kernel  extension crossings  Manage control and data flow  Object-tracking  List of kernel data structures modified by extension  Recovery  Removal, restarting of extensions

16 Nooks Implementation  Additional layer for Linux 2.4.18  Same privilege for all code (ring 0)  Memory protection through page tables Compared to 2.4 million lines in Linux kernel

17 Isolation  Lightweight protection domains  Private memory structures for each extension  Heap, stacks, memory-mapped I/O regions, buffers  Different page tables for kernel and each extension (why?)  Kernel can read and write all memory  Each extension can only write its own memory  XPC  Saves caller’s context, finds stack, changes page tables  May be deferred  Amortize cost over several logical transfers

18 Interposition & Wrappers  How to interpose?  Bind extensions to wrappers instead of kernel functions  Explicitly interpose on extension initialization call  Replace function pointers with wrapped versions  What about kernel objects?  Some are read only  done  Some are written by extensions  Non-performance-critical updates through XPC  Performance-critical updates on shadow copy, synchronized through a deferred XPC on next regular XPC  Call-by-what?

19 More on Wrappers: What They Do, How to Write Them  Check parameters for validity  Implement call-by-value-result for kernel objects  Perform XPC  Skeleton generated by tool  Body written by hand

20 Even More on Wrappers: Code Sharing

21 Object Tracker  Currently supports 43 types  E.g., tasklets, PCI devices, inodes  Records addresses of all objects  Used for one XPC only: table attached to task structure  Used across several XPCs: hash table  Keeps mapping between kernel and extension versions  Tracks object lifetimes  Single XPC call  Explicit allocation and deallocation  Semantics of object (e.g., timer data structure)

22 Recovery  Triggered by  Parameter validation, livelock detection, exceptions, signals  Performed by  Recovery manager  Cleans up after extension  User-mode agent  Determines recovery policy  Performed in several stages  Disable interrupts, unwind tasks, release resources, unload extension, reload and init extension, re-enable interrupts

23 Limitations  Extensions run in kernel mode  May execute privileged instructions  May loop forever (but Nooks detects livelock)  Parameter checking is incomplete  Recovery safe only for dynamically loaded extensions

24 Evaluation  The two eff’s  Effectiveness (reliability)  Efficiency (performance)

25 Effectiveness Nooks prevents 99% of system crashes But catches only a limited number of non-fatal failures Why the differences?

26 Efficiency  XPC rate serves as performance indicator  Three broad categories

27 Efficiency (cont.)  There’s more code to run  The code runs more slowly

28 Discussion  If only we had a software/tagged TLB…  What about end-to-end benchmarking?  All/most drivers managed by Nooks  Typical application mix  Server/desktop environment  How many wrappers is enough wrappers?  Remember the code-sharing slide…  How general is Nooks?  Only one communication pattern is supported  Kernel  extension, but not between extensions  So, when should we use Nooks?

Download ppt "G22.3250-001 Robert Grimm New York University Xen and Nooks."

Similar presentations

Nooks: Safe Device Drivers with Lightweight Kernel Protection Domains Mike Swift, Steve Martin Hank Levy, Susan Eggers, Brian Bershad University of Washington.

Nooks: Safe Device Drivers with Lightweight Kernel Protection Domains Mike Swift, Steve Martin Hank Levy, Susan Eggers, Brian Bershad University of Washington.
MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,
XEN AND THE ART OF VIRTUALIZATION Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, lan Pratt, Andrew Warfield.

XEN AND THE ART OF VIRTUALIZATION Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, lan Pratt, Andrew Warfield.
Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.

Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.
Bart Miller. Outline Definition and goals Paravirtualization System Architecture The Virtual Machine Interface Memory Management CPU Device I/O Network,

Bart Miller. Outline Definition and goals Paravirtualization System Architecture The Virtual Machine Interface Memory Management CPU Device I/O Network,
The Kernel Abstraction. Challenge: Protection How do we execute code with restricted privileges? – Either because the code is buggy or if it might be.

The Kernel Abstraction. Challenge: Protection How do we execute code with restricted privileges? – Either because the code is buggy or if it might be.
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
G22.3250-001 Robert Grimm New York University Disco.

G Robert Grimm New York University Disco.
Xen and the Art of Virtualization A paper from the University of Cambridge, presented by Charlie Schluting For CS533 at Portland State University.

Xen and the Art of Virtualization A paper from the University of Cambridge, presented by Charlie Schluting For CS533 at Portland State University.
Nooks: an architecture for safe device drivers Mike Swift, The Wild and Crazy Guy, Hank Levy and Susan Eggers.

Nooks: an architecture for safe device drivers Mike Swift, The Wild and Crazy Guy, Hank Levy and Susan Eggers.
G22.3250-001 Robert Grimm New York University Extensibility: SPIN and exokernels.

G Robert Grimm New York University Extensibility: SPIN and exokernels.
Introduction to Kernel

Introduction to Kernel
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.

1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
OPERATING SYSTEMS Introduction

OPERATING SYSTEMS Introduction
Exokernel: An Operating System Architecture for Application-Level Resource Management Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr. M.I.T.

Exokernel: An Operating System Architecture for Application-Level Resource Management Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr. M.I.T.
Threads CS 416: Operating Systems Design, Spring 2001 Department of Computer Science Rutgers University

Threads CS 416: Operating Systems Design, Spring 2001 Department of Computer Science Rutgers University
CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.

CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.

1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
Xen and the Art of Virtualization Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, Andrew Warfield.

Xen and the Art of Virtualization Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, Andrew Warfield.

Similar presentations

Ads by Google