Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi.

Published bySydney Morton Modified over 8 years ago

Similar presentations

Presentation on theme: "Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi."— Presentation transcript:

1 Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi

2 Applications of Dynamic Binary Translation (DBT)  OS Virtualization  Testing and Verification of Compiled Programs  Profiling and Debugging  Software Fault Isolation  Dynamic Optimizations  Program Shepherding  … and more

3 A Short Introduction to Dynamic Binary Translation (DBT) Dispatcher Execute Block Start Translate Block Native code Block terminates with branch to dispatcher instruction

4 Code Cache Dispatcher cached? Execute from Code Cache Start Translate Block Native code Store in code cache no yes

5 DBT Overheads User-level DBT well understood Near-native performance for application-level workloads DBT for the Kernel requires more mechanisms Efficiently handling exceptions and interrupts Case studies: VMware’s Software Virtualization DynamoRio-Kernel (DRK) [ASPLOS ’12]

6 Interposition on Starting (Entry) Points Dispatcher cached? Execute from Code Cache Start Translate Block Native code Store in code cache no yes Start

7 IDT now points to the dispatcher Dispatcher cached? Execute from Code Cache Translate Block Native code Store in code cache no yes Interrupt Descriptor Table

8 What does the dispatcher do? Before transferring control to the code cache, the dispatcher: 1.Converts interrupt state on stack to native values (e.g., PC)

9 What does the dispatcher do? Before transferring control to the code cache, the dispatcher: 1.Converts interrupt state on stack to native values (e.g., PC) CS register PC Flags Guest Stack SP CS register Native PC Flags Guest Stack SP

10 What does the dispatcher do? Before transferring control to the code cache, the dispatcher: 2. Emulates Precise Exceptions 1.Converts interrupt state on stack to native values (e.g., PC)

11 What does the dispatcher do? Before transferring control to the code cache, the dispatcher: 1.Converts interrupt state on stack to native values (e.g., PC) 2. Emulates Precise Exceptions Precise Exceptions Before the execution of an exception handler, all instructions up to the executing instruction should have executed, and everything afterwards must not have executed.

12 What does the dispatcher do? Before transferring control to the code cache, the dispatcher: 1.Converts interrupt state on stack to native values (e.g., PC) 2. Emulates Precise Exceptions Rolls back partially executed translations Precise Exceptions pushstore add sub load mov pop Executed Exception handler executes

13 What does the dispatcher do? Before transferring control to the code cache, the dispatcher: 1.Converts interrupt state on stack to native values (e.g., PC) 2. Emulates Precise Exceptions Rollback partially executed translations 3. Emulates Precise Interrupts

14 What does the dispatcher do? Before transferring control to the code cache, the dispatcher: 1.Converts interrupt state on stack to native values (e.g., PC) 2. Emulates Precise Exceptions Rollback partially executed translations 3. Emulates Precise Interrupts Precise Interrupts pushstore add sub load mov pop Interrupt handler executes Executed Delays interrupt delivery till start of next native instruction

15 Effect on Performance Applications with high interrupt and exception activity exhibit large DBT overheads

16 VMware’s Software Virtualization Overheads benchmarks Data from “Comparison of Software and Hardware Techniques for x86 Virtualization” K. Adams, O. Agesen, VMware, ASPLOS 2006.

17 VMware’s Software Virtualization Overheads benchmarks  benchmarks Data from “Comparison of Software and Hardware Techniques for x86 Virtualization” K. Adams, O. Agesen, VMware, ASPLOS 2006.

18 VMware’s Software Virtualization Overheads benchmarks  benchmarks nano-benchmarks Data from “Comparison of Software and Hardware Techniques for x86 Virtualization” K. Adams, O. Agesen, VMware, ASPLOS 2006.

19 Dynamo-Rio Kernel (DRK) Overheads Data from “Comprehensive Kernel Instrumentation via Dynamic Binary Translation” P. Feiner, A.D. Brown, A. Goel, U. Toronto, ASPLOS 2012.

20 DRK vs BTKernel

21 Fully Transparent Execution is not required The OS kernel rarely relies on precise exceptions The OS kernel rarely relies on precise interrupts The OS kernel seldom inspects the PC address pushed on stack. It is only used at the time of returning from interrupt using the iret instruction.

22 Faster Execution is Possible Leave code cache addresses in kernel stacks. An interrupt/exception directly jumps into the code cache, bypassing the dispatcher. Allow imprecise interrupts and exceptions. Handle special cases specially.

23 IDT now points to the code cache Dispatcher cached? Execute from Code Cache Translate Block Native code Store in code cache no yes Interrupt Descriptor Table

24 IDT now points to the code cache Dispatcher cached? Execute from Code Cache Translate Block Native code Store in code cache no yes Interrupt Descriptor Table

25 Correctness Concerns 1.Read / Write of the interrupted PC address on stack will return incorrect values. Fortunately, this is rare in practice and can be handled specially

26 Read of an interrupted PC address CS register translated PC Flags Guest Stack SP load addr Examples: 1.Exception Tables in Linux page fault handler

27 Exception Tables in Linux Page faults are allowed in certain functions e.g., copy_from_user(), copy_to_user(). An exception table is constructed at compile time contains the range of PC addresses that are allowed to page fault. At runtime, the faulting PC value is compared against the exception table Panic only if PC not present in exception table

28 Read of an Interrupted PC address CS register translated PC Flags Guest Stack SP load addr Problem: The faulting PC value is now a code- cache address. Solution: Dispatcher adds potentially faulting code cache addresses to the exception table

29 Read of an Interrupted PC address CS register translated PC Flags Guest Stack SP load addr Examples: 1.Exception Tables in Linux 2.MS Windows NT Structured Exception Handling __try / __except constructs in C/C++

30 __try / __except blocks in MS Windows NT __try { } __except { } __try { copy_from_user(); } __except { signal_process() } Syntax:Example Usage: Also implemented using exception tables in the Windows kernel

31 More examples in paper In our experience, all such cases can be nicely handled!

32 Correctness Concerns 1.Read / Write of the faulting PC address on stack will return incorrect values. 2.Code-cache addresses will now live in kernel stacks. What if code-cache addresses become invalid?

33 Code Cache Addresses can now live in Kernel Data Structures CS register translated PC Flags Thread 1 Stack SP Code Cache Thread 2 Stack SP Context Switch

34 Code Cache Addresses can now live in Kernel Data Structures Disallow Cache Replacement Code Cache of around 10MB suffices for Linux Do not move or modify code cache blocks, once they are created Ensures that a code cache address remains valid for the execution lifetime If the code cache gets full, switchoff and switch-back on the translator Switchoff implemented by reverting to original IDT and other entry points. This results in effectively flushing the code cache and starting afresh

35 Dynamic Switchon / Switchoff Replace all entry points with shadow / original values e.g., for switchoff, replace shadow interrupt descriptor table with original Iterate over the kernel’s list of threads Identify PC values in thread stacks and convert them to code cache / native values Translator reboot (switchoff followed by switchon) flushes the code cache

36 Correctness Concerns 1.Read / Write of the faulting PC address on stack will return incorrect values. 2.Code-cache addresses will now live in kernel stacks. What if code- cache addresses become invalid? 3.Imprecise Interrupts and Exceptions.

37 Imprecise Exceptions and Interrupts Interestingly, an OS kernel typically never depends on precise exceptions and interrupts.

38 Reentrancy and Concurrency Direct entries into the code cache introduce new reentrancy and concurrency issues Detailed discussion in the paper.

39 Optimizations that worked L1 cache-aware Code Cache Layout Function call/return optimization

40 Code Cache Layout for Direct Branch Chaining Dispatcher Code Cache Edge Cache Edge code: executed only once, on the first execution of the block. However, shares the same cache lines as all other code. Allocate edge code from a separate memory pool for better cache locality. Edge code for branching to dispatcher

41 Function call/return optimization Use identity translations for ‘call’ and ‘ret’ instructions instead of treating ‘ret’ as another indirect branch. Involves careful handling of call instructions with indirect targets (discussed in the paper)

42 Experiments BTKernel Performance vs. Native BTKernel Statistics Experience with some applications

43 Apache 1, 2, 4, 8 and 12 processors Higher is better

44 Fileserver 1, 4, 8, 12 processors Higher is better

45 lmbench fork operations Lower is better

46 Number of Dispatcher Exits Without call/ret optimization With call/ret optimization InstructionsDispatcher Exits InstructionsDispatcher Exits Apache56 b7 m59 b125 Linux Build570 b72 m590 b33059 m = million b = billion

47 Applications We implemented Shadow Memory for a Linux guest Identifies the CPU-private (read/write) and CPU-shared (read/write) bytes in kernel address space Overheads range from 20% - 300% Significant improvement over the 10x overheads reported in DRK

48 Summary and Conclusion Avoid back-and-forth translation between native and translated values of interrupted PC Relax precision requirements on exceptions and interrupts Use cache-aware layout for the code cache Use identity translations for the function call/ret instructions Near-Native performance DBT implementation for unmodified Linux Availability: https://github.com/piyus/btkernel

49 Thank You.

Download ppt "Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi."

Similar presentations

Programming Technologies, MIPT, April 7th, 2012 Introduction to Binary Translation Technology Roman Sokolov SMWare

Programming Technologies, MIPT, April 7th, 2012 Introduction to Binary Translation Technology Roman Sokolov SMWare
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Comprehensive Kernel Instrumentation via Dynamic Binary Translation Peter Feiner, Angela Demke Brown, Ashvin Goel University of Toronto Presenter: Chuong.

Comprehensive Kernel Instrumentation via Dynamic Binary Translation Peter Feiner, Angela Demke Brown, Ashvin Goel University of Toronto Presenter: Chuong.
G22.3250-001 Robert Grimm New York University Virtual Memory.

G Robert Grimm New York University Virtual Memory.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Chapter 8. Pipelining. Instruction Hazards Overview Whenever the stream of instructions supplied by the instruction fetch unit is interrupted, the pipeline.

Chapter 8. Pipelining. Instruction Hazards Overview Whenever the stream of instructions supplied by the instruction fetch unit is interrupted, the pipeline.
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
Presented By Srinivas Sundaravaradan. MACH µ-Kernel system based on message passing Over 5000 cycles to transfer a short message Buffering IPC L3 Similar.

Presented By Srinivas Sundaravaradan. MACH µ-Kernel system based on message passing Over 5000 cycles to transfer a short message Buffering IPC L3 Similar.
Early Experiences with Developing Sorav Bansal IIT Delhi An Optimizing Virtualization Layer.

Early Experiences with Developing Sorav Bansal IIT Delhi An Optimizing Virtualization Layer.
Xen and the Art of Virtualization A paper from the University of Cambridge, presented by Charlie Schluting For CS533 at Portland State University.

Xen and the Art of Virtualization A paper from the University of Cambridge, presented by Charlie Schluting For CS533 at Portland State University.
3.5 Interprocess Communication

3.5 Interprocess Communication
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Virtual Memory and Paging J. Nelson Amaral. Large Data Sets Size of address space: – 32-bit machines: 2 32 = 4 GB – 64-bit machines: 2 64 = a huge number.

Virtual Memory and Paging J. Nelson Amaral. Large Data Sets Size of address space: – 32-bit machines: 2 32 = 4 GB – 64-bit machines: 2 64 = a huge number.
CS533 Concepts of Operating Systems Class 3 Integrated Task and Stack Management.

CS533 Concepts of Operating Systems Class 3 Integrated Task and Stack Management.
Xen and the Art of Virtualization. Introduction  Challenges to build virtual machines Performance isolation  Scheduling priority  Memory demand  Network.

Xen and the Art of Virtualization. Introduction  Challenges to build virtual machines Performance isolation  Scheduling priority  Memory demand  Network.
Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Umbra: Efficient and Scalable Memory Shadowing CGO 2010, Toronto, Canada April 26, 2010.

Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Umbra: Efficient and Scalable Memory Shadowing CGO 2010, Toronto, Canada April 26, 2010.
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
A Comparison of Software and Hardware Techniques for x86 Virtualization Keith Adams Ole Agesen Oct. 23, 2006.

A Comparison of Software and Hardware Techniques for x86 Virtualization Keith Adams Ole Agesen Oct. 23, 2006.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
Our work on virtualization Chen Haogang, Wang Xiaolin {hchen, Institute of Network and Information Systems School of Electrical Engineering.

Our work on virtualization Chen Haogang, Wang Xiaolin {hchen, Institute of Network and Information Systems School of Electrical Engineering.

Similar presentations

Ads by Google