Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Software-based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson & Susan L. Graham Presented By Tony Bock.

Published byGwendoline Mitchell Modified over 8 years ago

Similar presentations

Presentation on theme: "Efficient Software-based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson & Susan L. Graham Presented By Tony Bock."— Presentation transcript:

1 Efficient Software-based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson & Susan L. Graham Presented By Tony Bock

2 Motivation Developers desire the protect individual processes through system of boundaries but still allow cooperation Developers desire the protect individual processes through system of boundaries but still allow cooperation Hardware boundaries provide automatic protectionHardware boundaries provide automatic protection Crossing hardware boundaries is very expensiveCrossing hardware boundaries is very expensive Perhaps software protection mechanism could provide better performance? Perhaps software protection mechanism could provide better performance?

3 Sandboxing Related processes run together in one address space Related processes run together in one address space Each task gets it’s own fault domain Each task gets it’s own fault domain Code SegmentCode Segment Data SegmentData Segment Contiguous and isolated from other tasksContiguous and isolated from other tasks Software checks to make sure code doesn’t violate protection domain boundaries Software checks to make sure code doesn’t violate protection domain boundaries Can only jump to addresses within it’s code segmentCan only jump to addresses within it’s code segment Can only write to addresses within it’s data segmentCan only write to addresses within it’s data segment CodeDataCodeData Task ATask B Single Address Space

4 Sandboxing: Segment Matching Compiler inserts code before each unsafe instruction to make sure task stays within boundaries of fault domain Compiler inserts code before each unsafe instruction to make sure task stays within boundaries of fault domain Unsafe instructions include: Unsafe instructions include: Jumps through registersJumps through registers Stores that use a register as a target addressStores that use a register as a target address Inserted code verifies that jump and store destination upper address bits match constant offset (segment identifier) Inserted code verifies that jump and store destination upper address bits match constant offset (segment identifier) Typically four instructionsTypically four instructions Uses four dedicated registers accessed only by inserted code: segment ID, segment shift, code address, data addressUses four dedicated registers accessed only by inserted code: segment ID, segment shift, code address, data address Used to statically verify code during development Used to statically verify code during development Segment ID Target Address = Upper Address Bits

5 Sandboxing: Runtime Method Reduce fault isolation overhead through a simpler mechanism Reduce fault isolation overhead through a simpler mechanism Compiler inserts code to simply overwrite upper address bits with segment ID Compiler inserts code to simply overwrite upper address bits with segment ID Ensures all accesses stay within boundariesEnsures all accesses stay within boundaries Does not identify source of faultDoes not identify source of fault Requires only two instructions Requires only two instructions Five dedicated registers: segment mask, code & data segment IDs, code & data addresses Five dedicated registers: segment mask, code & data segment IDs, code & data addresses Segment ID Target Address overwrite

6 Resource Sharing Assuming no fault domain violations, non-trusted code can still corrupt other tasks by acting on resources allocated at address-space level (open files, etc.) Assuming no fault domain violations, non-trusted code can still corrupt other tasks by acting on resources allocated at address-space level (open files, etc.) Solution: Non-trusted code cannot make system calls directly but must use RPC-like semantics Solution: Non-trusted code cannot make system calls directly but must use RPC-like semantics Central, trusted arbitration code handles system calls on behalf of non-trusted codeCentral, trusted arbitration code handles system calls on behalf of non-trusted code Unsafe operations are disallowedUnsafe operations are disallowed Trusted code shares a fault domain with the arbitration code an can make system calls directlyTrusted code shares a fault domain with the arbitration code an can make system calls directly CodeDataCodeData Task ATask B CodeData Trusted Code

7 Data Sharing Read sharing is free as reads are not sandboxed Read sharing is free as reads are not sandboxed Write sharing provided by lazy pointer swizzling Write sharing provided by lazy pointer swizzling Modify page table to map shared region at same offset within each fault domain Modify page table to map shared region at same offset within each fault domain Low order address bits remain the sameLow order address bits remain the same Upper address bits are the segment ID of each protection domainUpper address bits are the segment ID of each protection domain Code Task ATask B Data

8 Fault Domain RPC Jump table written in code segment by trusted module Jump table written in code segment by trusted module Hand-generated stubs call into jump table which transfers control to callee fault domain Hand-generated stubs call into jump table which transfers control to callee fault domain Stubs are trusted by callee so they can copy arguments directly to callee data segmentStubs are trusted by callee so they can copy arguments directly to callee data segment Stubs also manage machine state: push & pop registers like function calls – skip those that aren’t changedStubs also manage machine state: push & pop registers like function calls – skip those that aren’t changed RPC resistant to fatal errors RPC resistant to fatal errors Faults in callee are returned to callerFaults in callee are returned to caller Infinite loops are interrupted by timerInfinite loops are interrupted by timer

9 Performance Software fault isolation cheaper than RPCs when at least 5% of CPU time is spent in domain crossings Software fault isolation cheaper than RPCs when at least 5% of CPU time is spent in domain crossings Much cheaper than traditional context switches Much cheaper than traditional context switches For frequent RPCs, cheaper than theoretical minimum hardware boundary crossing (LRPC) For frequent RPCs, cheaper than theoretical minimum hardware boundary crossing (LRPC)

10 Summary Software fault isolation uses two mechanisms to enforce process boundaries Software fault isolation uses two mechanisms to enforce process boundaries Constrain jumps and writes to addresses within fault domainConstrain jumps and writes to addresses within fault domain Restrict accesses to system calls by non-trusted codeRestrict accesses to system calls by non-trusted code Shared address space means RPCs become simple jump instructions Shared address space means RPCs become simple jump instructions Extra instructions and dedicated registers increase runtime relative to unprotected function calls but result in net performance win if at least 5% of CPU time would be spent crossing address boundaries Extra instructions and dedicated registers increase runtime relative to unprotected function calls but result in net performance win if at least 5% of CPU time would be spent crossing address boundaries

Download ppt "Efficient Software-based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson & Susan L. Graham Presented By Tony Bock."

Similar presentations

Part IV: Memory Management

Part IV: Memory Management
Harbor: Software based Memory Protection for Sensor Nodes Ram Kumar, Akhilesh Singhania, Eddie Kohler and Mani Srivastava Introduction: Memory protection.

Harbor: Software based Memory Protection for Sensor Nodes Ram Kumar, Akhilesh Singhania, Eddie Kohler and Mani Srivastava Introduction: Memory protection.
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,
Tiara Procedure Invocation Crossing domains without Context Switch Enforcing the Call/Return Abstraction Privilege escalation.

Tiara Procedure Invocation Crossing domains without Context Switch Enforcing the Call/Return Abstraction Privilege escalation.
Lightweight Remote Procedure Call BRIAN N. BERSHAD THOMAS E. ANDERSON EDWARD D. LAZOWSKA HENRY M. LEVY Presented by Wen Sun.

Lightweight Remote Procedure Call BRIAN N. BERSHAD THOMAS E. ANDERSON EDWARD D. LAZOWSKA HENRY M. LEVY Presented by Wen Sun.
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.
“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.

“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.
CS 153 Design of Operating Systems Spring 2015

CS 153 Design of Operating Systems Spring 2015
G22.3250-001 Robert Grimm New York University Lightweight RPC.

G Robert Grimm New York University Lightweight RPC.
OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.

OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT

X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT
Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.

Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.
Kumar R., Singhania A., Castner A., Kohler E Proceedings of Design Automation Conference Pages: 218 - 223 June 2007 2015/7/13.

Kumar R., Singhania A., Castner A., Kohler E Proceedings of Design Automation Conference Pages: June /7/13.
1 Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska and Henry M. Levy Presented by: Karthika Kothapally.

1 Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska and Henry M. Levy Presented by: Karthika Kothapally.
CS533 Concepts of Operating Systems Class 9 Lightweight Remote Procedure Call (LRPC) Rizal Arryadi.

CS533 Concepts of Operating Systems Class 9 Lightweight Remote Procedure Call (LRPC) Rizal Arryadi.

Similar presentations

Ads by Google