Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.

Published byDiane Evans Modified over 8 years ago

Similar presentations

Presentation on theme: "Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland."— Presentation transcript:

1 Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland

2 The Big Picture Two Main things: –Loading the distrusted code into its own fault domain Only mistrusted Cheaper RPC for cross fault domains –Modify object code so it doesn’t jump to an area it is not supposed to

3 Introduction – More Big Picture Definitions and such 1993 - what was happening…133mhz, WTC, microkernels Sandboxing – only slightly increases execution time Modifying Object Code Fault Domains – a logically separate portion of the applications address space, and has a uniques identifier which is used to control its access

4 Examples of Programs that could cause problems PostGres – queries with extension code can play with data not its own or just mess with database in general BSD (three areas) Microsoft’s Object Linking As more things are moved to the user level, more third party code can mess with kernel operations - ?

5 Other Examples Unix vnode interface – easy to add file system I/O / Active Messages – compiled into kernel for reasonable performance Quark Xpress – extension modules can currupt its data structures What does this show significant portion of time being spent in operating system context switch code only a small amount of code is distrusted

6 Why us software and not Hardware Does not scale with processor integer performance High Cost for address switching –RPC example: requires at least A trap into the operating system kernel Copying each argument from the caller to callee Saving and restoring registers Switching hardware address spaces Possibly flushing the TLB A trap back to user level Rinse and repeat

7 Software Enforced Fault Isolation Going back to the big picture, we have to locate were faults occur in a software module and then we can look at Sandboxing Cut up the virtual address space into separate chunks

8 Segment Identifier Divide an applications virtual address space into segments All virtual addresses share pattern of upper bits Fault domain has two segments –One for distrusted module’s code –Other for heap, stack, and static data

9 Software Encapsulation Distrusted code can only jump within its segment, as well as write to its segment, due to the segment identifiers All legal jumps have same bit pattern This doesn’t solve all problems, the os will still need to catch illegal things, such as unmapped pages We have two techniques for this…….

10 Segment matching Insert Checking code before any unsafe instruction (unsafe means not statically verifiable…jumps through registers - procedure returns, or stores in registers for target address are considered unsafe) Is it in the correct segment? If not, trap to system error

11 Uses 4 registers, but not a problem based on their tests can pinpoint the offending instruction, there for better for development Or can skip the pinpointing for efficiency

12 Or Sandboxing This sets the upper bits to the correct segment identifier This doesn’t catch, it stops Verifiable Takes 5 registers instead of 4

13 Optimizations Register + offset and guardzones –this avoids uneeded math to compute target addresses. They sandbox reg and not reg + offset to save an instruction. MIPS stack pointer as a dedicated register and the stack pointer is only sandboxed when set Transformation tool to remove sandboxing from loops

14 Process Resources Need to stop multiple fault domains that share the same virtual address space from corrupting per-address-space resources –Let the operating system know –Cross fault domain RPC

15 Data Sharing Cant work the same way hardware implementation does because hw solution manipulates page table entries in a different way. Read only is not a problem because fault domains can read any memory within the address space Read-write through lazy pointer swizzling –Modify hardware page tables to map the shared memory region into every address space segment that needs access –Automatically translates into own segment through sandboxing Another option is shared segment matching, dedicated registers to hold bitmap that tells which segments the fault domain can access

16 Implementation and Verification Unsafe regions are areas of code that modify jump dedicated register Is the dedicated register valid upon exiting the region Disadvantages –Most modified compilers only support one language –Compiler and verifier must be synchronized –Binary patching can fix these things, however not robust enough

17 Binary patching System can encapsulate the module by directly modifying object code Unfornately, a good technique for this does not exist yet

18 Jump table is legal address outside the fault domain Kept in read only, so only modified by trusted code Stubs are unprotected and responsible for copying cross domain arguments

19 Fast communication between fault domains Calling a trusted stub outside of your domain –Jump table – only modified by trusted code, and legal entry point outside domain Arguments are passed between fault domains –Because they are trusted, we can copy directly to target domain*** Fault isolation –In a cross domain call the registers used by the caller and possibly modified by the callee are protected –Switch execution stack –Validate registers –Establish register context for encapsulation Errors –Addressing violation, loops, etc…

20 Results How much overhead? How fast is cross domain fault?

21 Related Work At this time it was typical to buld micro-kernel operating systems with separate address spaces –This meant heavy ipc with untrusted domains –Performance problems Some people loaded modules into kernel address space (co-location) –Which means performance over protection So, this paper is trying to get performance and protection.

Download ppt "Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland."

Similar presentations

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,
Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?

Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.
“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.

“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.
CS 153 Design of Operating Systems Spring 2015

CS 153 Design of Operating Systems Spring 2015
Figure 2.8 Compiler phases. 2.8.1 Compiling. Figure 2.9 Object module. 2.8.2 Linking.

Figure 2.8 Compiler phases Compiling. Figure 2.9 Object module Linking.
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.

Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Memory ManagementCS-502 Fall 20061 Memory Management CS-502 Operating Systems Fall 2006 (Slides include materials from Operating System Concepts, 7 th.

Memory ManagementCS-502 Fall Memory Management CS-502 Operating Systems Fall 2006 (Slides include materials from Operating System Concepts, 7 th.
Threads CS 416: Operating Systems Design, Spring 2001 Department of Computer Science Rutgers University

Threads CS 416: Operating Systems Design, Spring 2001 Department of Computer Science Rutgers University
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
Computer Organization

Computer Organization
IMPROVING THE RELIABILITY OF COMMODITY OPERATING SYSTEMS Michael M. Swift Brian N. Bershad Henry M. Levy University of Washington.

IMPROVING THE RELIABILITY OF COMMODITY OPERATING SYSTEMS Michael M. Swift Brian N. Bershad Henry M. Levy University of Washington.
Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.

Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.

Similar presentations

Ads by Google