Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 "Efficient Software-based Fault Isolation" by R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Presenter: Tom Burkleaux.

Published byMarcia Kelley Modified over 8 years ago

Similar presentations

Presentation on theme: "1 "Efficient Software-based Fault Isolation" by R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Presenter: Tom Burkleaux."— Presentation transcript:

1 1 "Efficient Software-based Fault Isolation" by R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Presenter: Tom Burkleaux

2 2 What is the problem? With closely cooperating software modules, how do we protect from distrusted code? What is distrusted code? Code that might corrupt memory of other cooperating modules Code that is not adequately tested Perhaps written by third-party persons

3 3 Cooperating Modules Complex systems are often broken down into separate (logical) components This supports the following goals: Independent development of individual components Upgrade and enhance existing components “Extensibility” – allow other programmers to add functionality

4 4 Examples: Cooperating Modules Micro-kernel operation systems Elements of the OS are moved to user- space. Postgres database manager Extensible Type System Microsofts Object Linking & Embedding (OLE) Extensibility code supported by OS Link together independently developed software modules

5 5 Structuring Cooperating Modules, 1 How can we structure cooperating modules? There are two basic choices, each with a distinct advantage: Share the same address space Low communication cost between modules Keep modules in separate address spaces Separate protection domains

6 6 Structuring Cooperating Modules, 2 … and each has a disadvantage: Share the same address space Distrusted code can cause hard to find bugs within a system Keep modules in separate address spaces Cross-Protection Domain calls are expensive (RPC). Overall application performance suffers.

7 7 Structuring Cooperating Modules, 3 Protection Domains Shared Address RPC Shared Memory

8 8 Structuring Cooperating Modules, 4 Protection Domains Shared Address RPC Shared Memory Slow! Distrusted Code ? Yes

9 9 Trends in structuring? In OS, which method of structuring coop. modules is more prevalent? BSD System Mach Mac OS X Linux (I think?) more a tendency to share address space for performance reasons

10 10 Proposed Solution If we want fault isolation, the authors offer a tradeoff: Fault Isolation with – “substantially faster communication between fault domains, at a cost of slightly increased execution time for distrusted modules”

11 11 What Does Solution Look Like? Shared Memory Distrusted Code NO We want the speed of shared memory But we want to prevent distrusted code from corrupting memory of other modules “Fault Domains” Yes

12 12 Overview of Techniques The authors suggest two techniques for software based fault-isolation: Segment Matching Sandboxing And two times these can be applied: Compile Time Object Linking

13 13 “Fault Domain” -- Definition 990--- Segment (code) 991---992--- … 991---992--- … 993--- … Segment (data) Fault Domain Each segment shares unique pattern of upper bits. “segment identifier”

14 14 Examining Binary Code For distrusted modules: What about modifying the binary so we add a check on all loads and stores? “binary patching” Assume this could be done at load-time Addresses are used very frequently, and this method would add extra instructions for each address reference Many tools are based on identifying compiler- specific idioms to distinguish between code and data

15 15 Software-Enforced Fault Isolation: Segment Matching “unsafe instruction” – an instruction that jumps or stores an address, and can’t be statically verified Jumps through register are example Compiler can add code to check instructions On typical RISC architectures, this takes 4 instructions Requires dedicated registers, to prevent checks being by-passed

16 16 Segment Matching, 2 Pseudo code example. w/o dedicated registers, code could jump to last instruction

17 17 Segment Matching, 3 Shared Memory Distrusted Code Trap With segment- matching, we can pin- point the source of the fault How does this compare with hardware-based memory protection? Yes

18 18 Segment Matching, 4 What about the loss of registers? We need four: addresses in data segment, address in code segment, segment shift amount, and segment identifier Author rely on most modern architectures having at least 32 registers

19 19 Software-Enforced Fault Isolation: Address Sandboxing Idea is we can reduce run-time overhead by giving up information on source of fault. Sandboxing: Before each unsafe instruction we simply insert code that sets the uppers bit of the target to the correct segment identifier

20 20 Sandboxing, 2 There is no trap Only two extra instructions Recall that segment matching has five extra instructions

21 21 Sandboxing, 3 Shared Memory Distrusted Code Any address access outside of the module’s segment is prevented We access and potentially corrupt an incorrect address within our own segment Execution continues, unaware of error! Yes ? The sandbox

22 22 Optimizations Guard Zones are one example of an opt. that can be handled by a compiler. Avoid address arithmetic Reg + Offset instr. We sandbox only the Reg and handle offset by creating guard zones

23 23 Process Resources We need to prevent distrusted modules from corrupting resources allocated on a per-address- space basis. One idea: make OS aware of fault domains Authors choose to require distrusted modules to access resources through cross-fault-domain RPC

24 24 Implementation Authors identify two strategies for implementation 1. Have a compiler emit encapsulation code and have a verifier confirm object code at load time. 2. Modifying object code at load time. “binary patching” They went with option 1. Problem with modifying object code is making modified object code use a subset of registers.

25 25 Low Latency Cross Fault RPC Because distrusted modules are isolated, we need something like LRPC. Efficient software isolation was first part of solution The second part of solution is fast communication across fault domains

26 26 Cross Fault RPC, 2 Constraints of running distrusted code: Distrusted code can’t directly call a function outside its segment, or return from an outside call via an address on the stack When code is running within a distrusted module it has its own execution context.

27 27 Cross Fault RPC, 3 Like LRPC, the solution is done through stubs For each pair of fault domains a customized call and return stubs is created for each exported procedure Stub run unprotected outside both domain They are responsible for copy of args And managing machine state

28 28 Cross Fault RPC, 4 Args are copied through a shared buffer Jump Table: each entry is a control transfer instruction to legal entry point outside the domain

29 29 Cross Fault RPC, 5 The stubs and the jump table are added to the code. The jump table added to the code segment, so distrusted code can’t modify.

30 30 Evaluation For evaluation, the authors looked at three questions: What is overhead for software encapsulation? How fast is XFD-RPC? What effect does this solution have on end-user applications?

31 31 Evaluation – Software Encapsulation, 1 The authors developed an analytical model to predict cost. Expected overhead is: (s-instructions – interlocks ) / cycles-per-second ------------------------------------------------------ Original-execution-time-seconds S-instructions = sandbox instructions Interlocks = saved floating point interlocks

32 32 Evaluation - Software Encapsulation, 2 The purpose of the model is help identify 2 nd order effects. To get data, they ran various benchmarks, and ran the benchmark code as “untrusted” modules. They found that their model predicted the “average” overhead very well. But individual benchmark test showed NEGATIVE overhead!

33 33 Evaluation-Software Encapsulation

34 34 Evaluation - Software Encapsulation, 4 Explaining results Anomolies – 2 nd order effects? Conjecture: “instruction cache mapping conflicts” Programs with more floating-point operations exhibitied less overhead (2.5% vs 5.6%) These were compute heavy benchmarks They expect I/O programs to have less overhead Overall, overhead is not much!

35 35 Evaluation – Cross-Fault RPC, 1 How to measure XFD-RPC? Their mechanism spends most of its time saving and restoring registers. Table 2 (following) – shows performance for NULL cross fault domain RPC. And this is compared to a C procedure call and Pipes. Their call is 1 order of magnitude better than C procedure call Other optimized RPCs are, at best, 2 orders of magnitude better than C procedure call.

36 36 Evaluation – Cross-Fault RPC, 2

37 37 Evaluation – Cross-Fault RPC, 3 Table 3 measures how their system works when applied to Postgres, using the Sequoia 2000 benchmark. Postgres has extensible type system, which is a recognize safety problem. They want to compare their system with Postgres’ built in “untrusted function manager” and traditional hardware protection domains.

38 38 Analysis The author’s Postgress example shows savings over other methods. The formula for savings in general is: Savings = (1 – r) t c - h t d t c time spent crossing fault domains t d time spent in distrusted code h overhead for encapsulation r ratio of their crossing time to hardware RPC

39 39 Analysis, 2 The savings formula can be graphed to illustrate the breakeven curve. In figures following: X-axis: percentage of time spent crossing domains Y-axis: relative cost of software enforced fault- domain crossing vs hardware method

40 40 Breakeven curve

41 41 Analysis, 4 The question is: does savings in efficient XFD- RPC (over traditional RPC) make up for encapsulation overhead? Answer appears to yes Author’s give example if app spends 30% of its time crossing fault domains, their RPC mechanism needs to be only 10% better Figure 5 was conservative and assumed everything was protected. Usually most of the app is trusted. Figure 6 assume only 50% of time is spend in distrusted code.

42 42 Breakeven curve

43 43 Some Additional Points Why not object code? Because tools are there and you may lose compiler efficiencies How many tools are written for this? In what compiler languages? Any Questions?

Download ppt "1 "Efficient Software-based Fault Isolation" by R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Presenter: Tom Burkleaux."

Similar presentations

Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.

Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.
MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?

Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.
“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.

“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.
CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Memory ManagementCS-502 Fall 20061 Memory Management CS-502 Operating Systems Fall 2006 (Slides include materials from Operating System Concepts, 7 th.

Memory ManagementCS-502 Fall Memory Management CS-502 Operating Systems Fall 2006 (Slides include materials from Operating System Concepts, 7 th.
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.

Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
CS510 Concurrent Systems Jonathan Walpole. Lightweight Remote Procedure Call (LRPC)

CS510 Concurrent Systems Jonathan Walpole. Lightweight Remote Procedure Call (LRPC)
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
CS333 Intro to Operating Systems Jonathan Walpole.

CS333 Intro to Operating Systems Jonathan Walpole.
5-Stage Pipelining Fetch Instruction (FI) Fetch Operand (FO) Decode Instruction (DI) Write Operand (WO) Execution Instruction (EI) S3S3 S4S4 S1S1 S2S2.

5-Stage Pipelining Fetch Instruction (FI) Fetch Operand (FO) Decode Instruction (DI) Write Operand (WO) Execution Instruction (EI) S3S3 S4S4 S1S1 S2S2.
A genda for Today What is memory management Source code to execution Address binding Logical and physical address spaces Dynamic loading, dynamic linking,

A genda for Today What is memory management Source code to execution Address binding Logical and physical address spaces Dynamic loading, dynamic linking,
Eric Keller, Evan Green Princeton University PRESTO 2008 8/22/08 Virtualizing the Data Plane Through Source Code Merging.

Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.

Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.

Similar presentations

Ads by Google