
Presentation on Dealing With Disaster: Surviving Misbehaved Kernel Extensions

Margo I. Seltzer, Yasuhiro Endo, Christopher Small, Keith A. Smith


Catalina Macalet, SRIC, Politehnica University of Bucharest

December 4, 2011

Margo I. Seltzer, Yasuhiro Endo, Christopher Small, Keith A. Smith 1 / 13

Table of contents

- Extensible systems
- Grafts: definition and classification
- Grafts: misbehaviours and needed limitations
- VINO
- Function/event graft
- VINO's solutions for misbehaviours
- The Cost of Graft Protection
- Experimental Results
- Related Work
- Conclusions


Extensible systems

Why do we need extensions?

- to change policy, improve performance, or add functionality

What risks are we prepared to take? Needed precautions:

- an extension must not misuse memory
- an extension must not consume resources to the point where it jeopardizes the kernel and other components


Grafts: definition and classification

A graft is a kernel extension used to add functionality or to change some kernel behaviour.

Attributes:
- similar to a user process: own stack, heap, ...
- but runs in kernel mode

Types: prioritization (e.g. page eviction, scheduling), stream (e.g. encryption/decryption), black box (e.g. read-ahead)


Grafts: misbehaviours and needed limitations

Misbehaviours a graft can exhibit:
- Illegal data access
- Resource hoarding
- Attempt to use incorrect interfaces
- Antisocial behaviour
- Covert denial of service

Limitations the kernel must enforce (mitigation techniques):
- Preemptibility: the kernel must be able to preempt a graft
- Limited time for which a graft may hold kernel resources
- Access only to the memory and functions to which the graft has been granted permission
- Affect only applications that have agreed to use the graft
- The kernel should execute only safe grafts, and must make progress even with a faulty graft in its path


VINO

- Research OS developed at Harvard University
- UNIX-like operating system
- native implementation in C++, plus a NetBSD-based implementation
- Intel x86 architecture
- Grafting architecture:
  - software fault isolation: load/store interception (MiSFIT)
  - kernel transaction support: commit/abort transactions providing atomicity, consistency and isolation only (ACI, no durability)

Two ways of inserting a graft: function graft and event graft
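The load/store interception that MiSFIT applies to graft code is easiest to see as a bounds check placed in front of every store. The block below is an added example, not VINO or MiSFIT code: MiSFIT rewrites x86 machine code, whereas this models the check in C. The sandbox layout, the `kernel_private` variable and the toy graft are constructed for the example; a store that lands outside the graft's own region is refused and counted rather than performed.

```c
/* Added example: a bounds-checked store in the spirit of MiSFIT's
 * load/store interception. Not VINO/MiSFIT code; all names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A graft's sandbox: the only memory the graft is permitted to write. */
typedef struct {
    uint8_t *base;
    size_t   size;
    int      faults;   /* number of refused accesses, for accounting */
} sandbox;

/* Returns 1 if [addr, addr+len) lies entirely inside the sandbox, else 0. */
static int sfi_in_bounds(const sandbox *sb, const void *addr, size_t len)
{
    uintptr_t a  = (uintptr_t)addr;
    uintptr_t lo = (uintptr_t)sb->base;
    uintptr_t hi = lo + sb->size;
    /* len <= size first, so hi - len cannot wrap below lo. */
    return len <= sb->size && a >= lo && a <= hi - len;
}

/* Guarded 32-bit store: performed only if in bounds, else refused. */
static int sfi_store32(sandbox *sb, void *addr, uint32_t v)
{
    if (!sfi_in_bounds(sb, addr, sizeof v)) {
        sb->faults++;
        return -1;
    }
    memcpy(addr, &v, sizeof v);
    return 0;
}

/* Constructed "kernel" state that a graft must never touch. */
static uint32_t kernel_private = 0xC0FFEE;

/* Toy graft: two legal stores, one straddling the sandbox end, one aimed
 * at kernel state. Every store goes through the guard, as instrumented
 * code would. */
static int run_graft(sandbox *sb)
{
    int refused = 0;
    refused += sfi_store32(sb, sb->base, 1) != 0;                 /* ok */
    refused += sfi_store32(sb, sb->base + sb->size - 4, 2) != 0;  /* ok */
    refused += sfi_store32(sb, sb->base + sb->size - 2, 3) != 0;  /* straddles */
    refused += sfi_store32(sb, &kernel_private, 0) != 0;          /* outside */
    return refused;
}

/* Runs the graft in a fresh 64-byte sandbox; returns the refused-store count. */
int demo_sfi(void)
{
    static uint8_t heap[64];
    sandbox sb = { heap, sizeof heap, 0 };
    memset(heap, 0, sizeof heap);
    run_graft(&sb);
    return sb.faults;
}

/* Exposes kernel_private so a caller can confirm it was never modified. */
uint32_t demo_kernel_private(void)
{
    return kernel_private;
}

int main(void)
{
    printf("refused stores: %d, kernel_private = %#x\n",
           demo_sfi(), demo_kernel_private());
    return 0;
}
```

The two refused stores are exactly the "illegal data access" case from the previous slide; the graft keeps running, but its effect is confined to its own region. Real SFI also guards loads and indirect jumps, which this example leaves out.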


Function/event graft

Function graft (replaces an existing kernel function at a graft point):

    fileo *db;
    graft_point_handle *gp;
    db = fileo::open("db", "r");
    gp = graft_namespace->lookup(db, "readahead");
    gp->replace("my_readahead.o");

Event graft (adds a handler that runs when the event fires):

    // http server installation, invoked at user level
    graft_point_handle *gp;
    gp = graft_namespace->lookup("tcp/" /* graft point name truncated on the slide */);
    gp->add("http_server.o");

    // http server code, run as graft
    http_server(fileo *fd) {
        char buf[256];
        fd->read(buf, sizeof(buf));
        // process http request ...
    }


VINO's solutions for misbehaviours

Mitigation technique -> VINO solution:
- Preemptibility -> by design
- Limited time for which kernel resources are held -> transaction mechanism and resource accounting
- Access only memory/functions to which permission was granted -> MiSFIT, plus a combination of static and dynamic methods
- Affect only applications that have agreed to use the graft -> downloading mechanism, resource accounting
- Kernel executes only safe grafts and makes progress even with a faulty graft in its path -> MiSFIT
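The transaction mechanism paired with resource accounting is what lets the kernel make progress past a faulty graft: a graft's changes to kernel state are logged, its resource use is charged to it, and if it misbehaves the kernel aborts it, undoing the changes and releasing what it held. The block below is an added example of that shape, not VINO code: the kernel state, the lock budget, the undo-log size and the two grafts are constructed for illustration, and durability is deliberately absent (ACI only, as on the VINO slide).

```c
/* Added example: undo-log transaction with resource accounting, in the
 * spirit of VINO's commit/abort protection of grafts. Not VINO code;
 * state, budget and names are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define UNDO_MAX    16
#define LOCK_BUDGET 2    /* assumed per-graft limit on locks held at once */

/* Constructed kernel state a graft may modify, but only via the tx API. */
typedef struct {
    int readahead_pages;
    int locks_held;
} kstate;

typedef struct { int *where; int old; } undo_rec;

typedef struct {
    kstate  *ks;
    undo_rec log[UNDO_MAX];
    int      n;            /* undo records written */
    int      locks_taken;  /* resources charged to this graft */
    int      aborted;
} tx;

static void tx_begin(tx *t, kstate *ks)
{
    memset(t, 0, sizeof *t);
    t->ks = ks;
}

/* Logged store: saves the old value so abort can restore it. */
static int tx_store(tx *t, int *where, int val)
{
    if (t->aborted) return -1;
    if (t->n == UNDO_MAX) { t->aborted = 1; return -1; }
    t->log[t->n].where = where;
    t->log[t->n].old   = *where;
    t->n++;
    *where = val;
    return 0;
}

/* Resource accounting: exceeding the lock budget marks the graft for abort. */
static int tx_lock(tx *t)
{
    if (t->aborted) return -1;
    if (t->locks_taken == LOCK_BUDGET) { t->aborted = 1; return -1; }
    t->locks_taken++;
    t->ks->locks_held++;
    return 0;
}

/* Abort: replay the log backwards, then release everything charged. */
static void tx_abort(tx *t)
{
    while (t->n > 0) {
        t->n--;
        *t->log[t->n].where = t->log[t->n].old;
    }
    t->ks->locks_held -= t->locks_taken;
    t->locks_taken = 0;
    t->aborted = 1;
}

/* Commit: keep the changes; held resources are still released. */
static int tx_commit(tx *t)
{
    if (t->aborted) { tx_abort(t); return -1; }
    t->ks->locks_held -= t->locks_taken;
    t->locks_taken = 0;
    t->n = 0;
    return 0;
}

/* Well-behaved graft: one lock, one tuning change. */
static int good_graft(tx *t)
{
    if (tx_lock(t)) return -1;
    return tx_store(t, &t->ks->readahead_pages, 16);
}

/* Hoarding graft: changes state, then takes more locks than it is allowed. */
static int hoarding_graft(tx *t)
{
    tx_store(t, &t->ks->readahead_pages, 1000);
    for (int i = 0; i < LOCK_BUDGET + 1; i++)
        if (tx_lock(t)) return -1;
    return 0;
}

/* Runs a graft under transaction protection; returns the resulting readahead. */
int run_under_tx(int (*graft)(tx *), kstate *ks)
{
    tx t;
    tx_begin(&t, ks);
    if (graft(&t) != 0) tx_abort(&t); else tx_commit(&t);
    return ks->readahead_pages;
}

int demo_good(void)        { kstate ks = {8, 0}; return run_under_tx(good_graft, &ks); }
int demo_hoarding(void)    { kstate ks = {8, 0}; return run_under_tx(hoarding_graft, &ks); }
int demo_locks_after(void) { kstate ks = {8, 0}; run_under_tx(hoarding_graft, &ks); return ks.locks_held; }

int main(void)
{
    printf("good: readahead=%d  hoarding: readahead=%d locks_held=%d\n",
           demo_good(), demo_hoarding(), demo_locks_after());
    return 0;
}
```

The good graft commits and leaves readahead at 16; the hoarding graft is aborted when it exceeds its lock budget, its earlier store is rolled back to 8, and its locks are released, so the kernel continues with the state it had before the graft ran. The abort path on the "Cost of Graft Protection" slide is exactly this rollback instead of a commit.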


The Cost of Graft Protection

Paths measured:
- Base path: kernel code path without indirection or graft-support cost
- VINO path: adds indirection and return-value verification
- Null path: graft stub, transaction support (begin, commit) and a minimal graft implementation
- Unsafe path: full graft code and lock overhead
- Safe path: MiSFIT protection added
- Abort path: Safe path, plus an abort instead of a commit at the end


Experimental Results

Testing environment:
- Intel Endeavor motherboard, 120 MHz Pentium processor
- 512 KB pipeline-burst L2 cache, 32 MB of 60 ns EDO DRAM
- 5400 RPM Fujitsu M2694ESA SCSI disk, 1080 MB capacity

Grafts measured:
- Read-ahead (black-box graft)
- Page eviction and scheduling (prioritization grafts)
- Encryption/decryption (stream graft)


Related Work

- SPIN
- Quicksilver
- exokernel


Conclusions

- two architectural decisions for safe grafting: software fault isolation (MiSFIT) and kernel transactions with resource accounting
- last release in 1998; the research was then dropped, and the planned 2000 release (v0.55) was cancelled


Questions?

Thank you !

