December 4, 2011
Table of contents
- Extensible systems
- Grafts: definition and classification
- Grafts: misbehaviours and needed limitations
- VINO
- Function/event graft
- VINO's solutions for misbehaviours
- The Cost of Graft Protection
- Experimental Results
- Related Work
- Conclusions
Extensible systems
A kernel extension (graft) is used to add functionality or to change some kernel behaviour.
Attributes:
- similar to user processes: own stack, heap, ...
- runs in kernel mode
Misbehaviour:
- Illegal data access
- Resource hoarding
- Attempt to use incorrect interfaces
- Antisocial behaviour
- Covert denial of service
Mitigation technique:
- Preemptibility
- Limited time for which kernel resources may be held
- Access only memory/functions to which permission has been granted
- Affect only applications that have agreed to use the graft
- The kernel should execute only safe grafts and make progress even with a faulty graft in its path
VINO
- Research OS developed at Harvard University
- UNIX-like operating system
- own implementation in C++, and a NetBSD implementation
- Intel x86 architecture
Grafting architecture:
- software fault isolation: load/store interception (MiSFIT)
- kernel transaction support: commit/abort transactions; ACI only (atomicity, consistency and isolation, without durability)
Function/event graft
VINO's solutions for misbehaviours

  Mitigation technique                                                        | VINO solution
  Preemptibility                                                              | By design
  Limited time for which kernel resources may be held                         | Transaction mechanism and resource accounting
  Access only memory/functions to which permission has been granted           | MiSFIT and a combination of static and dynamic methods
  Affect only applications that have agreed to use the graft                  | Downloading mechanism, resource accounting
  Kernel executes only safe grafts and makes progress even with a faulty graft in its path | MiSFIT
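As an added illustration of the two mechanisms named on the grafting architecture slide and in the solutions table above, here is a small C model written for these notes; it is not code from VINO, MiSFIT or the slides. It assumes a simplification of each mechanism: a bounds check on every graft load/store stands in for MiSFIT's load/store instrumentation, a fixed per-transaction store budget stands in for resource accounting, and an undo log provides the abort that rolls back a misbehaving graft's writes. The region contents and the two grafts are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of VINO-style graft protection (not VINO's code):
 * checked loads/stores (SFI stand-in) inside a transaction with an undo log. */

#define REGION_WORDS 8
#define UNDO_MAX     16
#define STORE_BUDGET 32   /* crude stand-in for resource accounting */

enum graft_status { GRAFT_COMMITTED = 0, GRAFT_ABORTED = 1 };

struct undo_entry { uint32_t *addr; uint32_t old; };

struct graft_tx {
    uint32_t *region;               /* memory the graft was granted access to */
    size_t region_words;
    struct undo_entry undo[UNDO_MAX];
    size_t undo_len;
    unsigned stores_left;           /* budget charged once per store */
    bool faulted;                   /* set as soon as any check fails */
};

/* Stand-in for load/store interception: is the address inside the granted region? */
static bool in_region(const struct graft_tx *tx, const uint32_t *p) {
    return p >= tx->region && p < tx->region + tx->region_words;
}

/* Checked load: an out-of-region read is refused and marks the transaction faulted */
uint32_t graft_load(struct graft_tx *tx, const uint32_t *p) {
    if (!in_region(tx, p)) { tx->faulted = true; return 0; }
    return *p;
}

/* Checked store: logs the old value first so an abort can undo the write */
bool graft_store(struct graft_tx *tx, uint32_t *p, uint32_t v) {
    if (tx->faulted) return false;
    if (!in_region(tx, p) || tx->stores_left == 0 || tx->undo_len == UNDO_MAX) {
        tx->faulted = true;         /* illegal access or budget exhausted */
        return false;
    }
    tx->undo[tx->undo_len++] = (struct undo_entry){ p, *p };
    tx->stores_left--;
    *p = v;
    return true;
}

static void tx_begin(struct graft_tx *tx, uint32_t *region, size_t words) {
    memset(tx, 0, sizeof *tx);
    tx->region = region;
    tx->region_words = words;
    tx->stores_left = STORE_BUDGET;
}

/* Abort: replay the undo log in reverse so the region looks untouched */
static void tx_abort(struct graft_tx *tx) {
    while (tx->undo_len > 0) {
        struct undo_entry *e = &tx->undo[--tx->undo_len];
        *e->addr = e->old;
    }
}

typedef void (*graft_fn)(struct graft_tx *tx);

/* Run a graft inside a transaction; commit only if every check passed */
enum graft_status run_graft(graft_fn g, uint32_t *region, size_t words) {
    struct graft_tx tx;
    tx_begin(&tx, region, words);
    g(&tx);
    if (tx.faulted) { tx_abort(&tx); return GRAFT_ABORTED; }
    tx.undo_len = 0;                /* commit: drop the undo log, keep the writes */
    return GRAFT_COMMITTED;
}

/* Well-behaved graft: doubles every word it was granted */
void good_graft(struct graft_tx *tx) {
    for (size_t i = 0; i < tx->region_words; i++)
        graft_store(tx, &tx->region[i], 2 * graft_load(tx, &tx->region[i]));
}

/* Misbehaving graft: one legal write, then one word past the granted region */
void bad_graft(struct graft_tx *tx) {
    graft_store(tx, &tx->region[0], 0xDEAD);
    graft_store(tx, &tx->region[tx->region_words], 0xBEEF);   /* out of bounds */
}

/* Constructed region {1..8}; returns region[7] after the good graft (16 on commit) */
uint32_t demo_good(void) {
    uint32_t region[REGION_WORDS] = {1, 2, 3, 4, 5, 6, 7, 8};
    run_graft(good_graft, region, REGION_WORDS);
    return region[7];
}

/* Same region; returns region[0] after the bad graft (1 if the abort undid 0xDEAD) */
uint32_t demo_bad(void) {
    uint32_t region[REGION_WORDS] = {1, 2, 3, 4, 5, 6, 7, 8};
    run_graft(bad_graft, region, REGION_WORDS);
    return region[0];
}

int main(void) {
    printf("good graft: region[7] = %u\n", demo_good());
    printf("bad graft:  region[0] = %u (rolled back)\n", demo_bad());
    return 0;
}
```

The point the model makes is the one the table makes: confinement (the access check) and recovery (the abort) are separate mechanisms, and a graft that fails the first is cleaned up by the second, so the kernel can keep making progress with the faulty graft's partial writes undone.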
Paths
- Base path: kernel code path without indirection or graft-support cost
- VINO path: adds indirection and return-value verification
- Null path: graft stub, transaction support (begin, commit) and a minimal graft implementation
- Unsafe path: full graft code and lock overhead
- Safe path: MiSFIT protection added
- Abort path: Safe path, plus an abort instead of a commit at the end
Experimental Results
Testing environment
- Intel Endeavor motherboard, 120 MHz Pentium processor
- 512 KB pipeline-burst L2 cache, 320 MB of 60 ns EDO DRAM
- 540 RPM Fujitsu M2694ESA disk with SCSI interface, 1080 MB capacity
Experiments:
- Read-ahead (black-box graft)
- Page eviction and scheduling (prioritization graft)
- Encryption/decryption (stream graft)
Related Work
Conclusions
- Two architecture decisions for safe grafting
- Last release in 1998; the research was then dropped, and in 2000 v 0.55 was canceled
Questions?
Thank you!