Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Software-Based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham.

Published byValentine Fitzgerald Modified over 8 years ago

Similar presentations

Presentation on theme: "Efficient Software-Based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham."— Presentation transcript:

1 Efficient Software-Based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham

2 Possible Means of Isolating Faults in End-User Extensions ● Using an interpreted language to enable End-User Extensions ● Writing the system in a type safe language such as MODULA-3, tcl, or perl (e.g. SPIN). ● Hardware-based fault isolation methods such as setting protection bits in the MMU to restrict write access within the system's address space (e.g. NOOKS). ● Modifying modules themselves to avoid corruption outside of their address space (e.g. SFI). 1

3 Problem Description ● Extensible applications demonstrate the value of allowing end-users to modify the behavior of the system. – Operating Systems – Web Browsers – Database Systems ● Extensible systems must be protected from possible instabilities in misbehaved end-user extensions. MISFIT: A Tool for Constructing Safe Extensible C++ Systems Cristopher Small and Margo Seltzer 2

4 Example cross-domain faults (in C++) void unsafe() { char *bad = (char *) this; bad -= ; memset(bad, 0, 30); } void unsafe() { char name[20]; memset(name, 0, 300); } Encapsulating class private data Data corruption Stack corruption etc. Store & Jump considered only unsafe instructions across domains 3

5 Handling cross domain faults ● Place domain data in a contiguous region. ● Ensure that each contiguous region's virtual addresses share a unique prefix. Detection (segment matching): dedicated := target scratch := (dedicated>>shift) if (scratch == segment) store to dedicated else do error; Prevention (sandboxing): dedicated := target&mask dedicated := dedicated| segment store to dedicated Dedicated, shift, mask, and segment are all dedicated registers. 4

6 Example Fault Domain (unaligned) Start address 0x2FCE Domain Size= 255 (hex 00FF), shift is log 2 255 = 8 Segment identifier becomes 0x2FCE >> 8 = 0x002F End address 0x30cd 5

7 Protection Domains are Strictly Mutally Exclusive A B C Overlap Before Domain Restriction Variables and return values After Domain Restriction A B C Since domains are mutually exclusive, cross domain calls are thus far impossible. 6

8 Call Stubs (lightweight RPC) Before Call Stubs A B C Since domains are mutually exclusive, cross domain calls are thus far impossible. After Call Stubs A B C Stubs copy across variables and return values and enable cross domain calls. Stub ● Call stubs enable functions to be called across domains by copying data directly from one domain into the other. ● Call stubs set dedicated registers and ensure properly aligned data for representative segment identifiers (context switching and alignment enforcement). (alignment could also be done by the compiler) 7

9 Hardware vs Software Based Fault Isolation ● Jump or Store Cost – Check protection bit in MMU / practically free ● Changing Domains – Reset protection bits in the MMU/ flush and reset the TLB ● Jump or Store Cost – Addition of a preamble to check the target of the Jump or Store ● Changing Domains – Copy data into dedicated registers (5 registers), fairly cheap. 8

10 Conclusion ● Fault isolation can be implemented in software. ● Software based fault isolation adds a little overhead to the common case. ● Software based fault isolation vastly improves the performance of IPC. ● Applications that cross fault domains a lot benefit a whole lot from software based fault isolation, but even applications that spend very little time crossing fault domains can benefit. 9

11 Caveats ● SFI is not enough alone when commonly used library functions such as bcopy, strcpy, read, write, close, printf, etc. have not been compiled using the SFI model. ● Safe versions of all commonly used library calls that modify memory must be implemented to avoid breaking the model. ● Safe languages like MODULA-3 may be able to accomplish the same task at nearly the same level with less overhead (but they are not as popular of languages). 10

12 Evaluation ● SFI could also be extended to provide security by extending isolation enforcement to loads at some additional cost. ● Hardware Based fault isolation cannot benefit from increasing or decreasing the level of security, the dominating cost of reprogramming the MMU and flushing the TLB remains constant regarless of protection type. ● SFI offers varying levels of protection at varying costs, and has fairly low overhead. 11

13 Questions? Any questions at all.

14 Thank you Thank you very much.

Download ppt "Efficient Software-Based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham."

Similar presentations

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?

Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?
OS Memory Addressing.

OS Memory Addressing.
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.
“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.

“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.
CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.

OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.

CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Chapter 14: Protection.

Chapter 14: Protection.
User-Level Interprocess Communication for Shared Memory Multiprocessors Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented.

User-Level Interprocess Communication for Shared Memory Multiprocessors Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented.
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.

Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
IMPROVING THE RELIABILITY OF COMMODITY OPERATING SYSTEMS Michael M. Swift Brian N. Bershad Henry M. Levy University of Washington.

IMPROVING THE RELIABILITY OF COMMODITY OPERATING SYSTEMS Michael M. Swift Brian N. Bershad Henry M. Levy University of Washington.
Paging. Memory Partitioning Troubles Fragmentation Need for compaction/swapping A process size is limited by the available physical memory Dynamic growth.

Paging. Memory Partitioning Troubles Fragmentation Need for compaction/swapping A process size is limited by the available physical memory Dynamic growth.
CS333 Intro to Operating Systems Jonathan Walpole.

CS333 Intro to Operating Systems Jonathan Walpole.
Topics covered: Memory subsystem CSE243: Introduction to Computer Architecture and Hardware/Software Interface.

Topics covered: Memory subsystem CSE243: Introduction to Computer Architecture and Hardware/Software Interface.
1 Micro-kernel. 2 Key points Microkernel provides minimal abstractions –Address space, threads, IPC Abstractions –… are machine independent –But implementation.

1 Micro-kernel. 2 Key points Microkernel provides minimal abstractions –Address space, threads, IPC Abstractions –… are machine independent –But implementation.
Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Similar presentations

Ads by Google