Hijack: Taking Control of COTS Systems for Real-Time User-Level - - PowerPoint PPT Presentation

hijack taking control of cots systems for real time user
SMART_READER_LITE
LIVE PREVIEW

Hijack: Taking Control of COTS Systems for Real-Time User-Level - - PowerPoint PPT Presentation

Dec 23, 2023 388 likes •709 views

Hijack: Taking Control of COTS Systems for Real-Time User-Level Services Gabriel Parmer and Richard West Computer Science Deparment Boston University Boston, MA 02215 { gabep1, richwest } @cs.bu.edu April 5, 2007 COTS in RT/Embedded Systems

slide-1
SLIDE 1

Hijack: Taking Control of COTS Systems for Real-Time User-Level Services

Gabriel Parmer and Richard West

Computer Science Deparment Boston University Boston, MA 02215 {gabep1, richwest}@cs.bu.edu

April 5, 2007

slide-2
SLIDE 2

COTS in RT/Embedded Systems

Commodity Off The Shelf (COTS) general purpose systems provide many advantages for RT/Embedded systems Tested and widely deployed code-base Established development tools/environments Developer familiarity → faster time to market/smaller development costs

Parmer, West, BU CS Hijack 2/33

slide-3
SLIDE 3

COTS in RT/Embedded Systems (2)

General purpose systems have a number of disadvantages General-purpose policies are often insufficient/awkward for needs of RT applications QoS, predictability, policies absent for satisfying app-specific requirements, i.e. EDF Semantic gap between the requirements of the application and the functionality/guarantees of the system

Parmer, West, BU CS Hijack 3/33

slide-4
SLIDE 4

Shrinking the Semantic Gap

Domain-specific OSs created with a focus on one class of applications (RTOSs) Extensible systems allow the modification of system policies in an application-specific manner Generally either not COTS, or not isolation preserving Developing extensions requires skill/experience Goal: provide app-specific policies using a COTS base in a safe and predictable manner

Parmer, West, BU CS Hijack 4/33

slide-5
SLIDE 5

Hijacking your COTS system

Efficient interposition on service requests from specific applications allows the definition at user-level of application-specific policy

Parmer, West, BU CS Hijack 5/33

slide-6
SLIDE 6

Hijack Mechanism

Kernel module Host Kernel . . .

Background process Guest Guest

Hardware (I/O devices) Executive

Interrupts IDT Syscall interception Schedule / dispatch Hijack execution environment Unintercepted syscalls

Hijack module receives specific events system calls page faults possibly device interrupts Vector guest service requests to executive executive controls execution context of guests create/switch address spaces access guest registers event-triggered executive scheduler

Parmer, West, BU CS Hijack 6/33

slide-7
SLIDE 7

Hijack Mechanism (2)

Kernel module Host Kernel . . .

Background process Guest Guest

Hardware (I/O devices) Executive

Interrupts IDT Syscall interception Schedule / dispatch Hijack execution environment Unintercepted syscalls

executive isolated at user-level executive harnesses base system functionality where appropriate Does not require changes to the COTS system source-code (no kernel recompilation) One (2000 LOC) hijack module enables flexibility in the definition of user-level app-specific services

Parmer, West, BU CS Hijack 7/33

slide-8
SLIDE 8

Case Study: Guest System Call Interposition

Kernel module Host Kernel . . . Executive

Guest Guest executive state (to be restored) saved guest state syscall

1 guest service request

intercepted by Hijack module

2 executive region mapped into

current guest address space

3 guest registers saved into

executive region

4 executive registers restored 5 executive executed

executive not present while guest is executing – mapped in dynamically executive isolated from guests

Parmer, West, BU CS Hijack 8/33

slide-9
SLIDE 9

Case Study: Guest System Call Return

Kernel module Host Kernel . . . Executive

Guest Guest saved guest state (to be restored) saved executive state

1 executive returns to kernel

module

2 executive registers saved in

module

3 guest registers restored from

executive region

4 executive region unmapped

from guest address space

5 executive’s mappings evicted

from TLB

6 guest executed

Can use global bits to avoid flushing guest pages from TLB set all guest pages as global

Parmer, West, BU CS Hijack 9/33

slide-10
SLIDE 10

Experimental Setup

All experiments conducted

  • n a 2.4 GHz Pentium 4 processor
  • n Linux 2.6.13

with a clock tick every 10 milliseconds

Parmer, West, BU CS Hijack 10/33

slide-11
SLIDE 11

nanosleep Experiments

A goal of Hijack is to offer the ability to enhance default system functionality in an application-specific manner nanosleep: yield for at least a specific number of nanoseconds

used in multimedia apps such as mplayer

Wake up time variability/unpredictability

clock granularity COTS CPU scheduler

Parmer, West, BU CS Hijack 11/33

slide-12
SLIDE 12

nanosleep Experiments (2)

Hijack-provided extensions:

1 Hijack: Executive can give scheduler preference to tasks

waking from nanosleep

2 Hijack Extended: Executive can busy wait for periods

less than a clock tick

Parmer, West, BU CS Hijack 12/33

slide-13
SLIDE 13

nanosleep Experiments (3)

1 10 100 1000 10000 100000 1 2 3 4

Number of Background CPU Bound Tasks Jitter (Tens of Microseconds)

Hijack Linux Task Hijack Extended

Parmer, West, BU CS Hijack 13/33

slide-14
SLIDE 14

QoS for Packet Stream Delivery

Scheduling of Tasks dependent on I/O availability with QoS constraints: models traffic shapers, QoS aware stream processing, etc. . . Four streams of 42,000 16 byte packets/second from separate hosts over GigE Single host with four tasks, each receiving a stream QoS constraints:

Task 0: 35,000 p/s Task 1: 20,000 p/s Task 2: 10,000 p/s Task 3: best effort

higher QoS

  • lower QoS

Start tasks every 5 seconds from Task 3 to Task 0

Parmer, West, BU CS Hijack 14/33

slide-15
SLIDE 15

QoS for Packet Stream Delivery (2)

Three scenarios:

1 Linux, tasks with same priority 2 Linux, tasks with different priority 3 Hijack, Executive using policy similar to

proportional-share

Tasks assigned tokens proportional to QoS select used to probe for I/O activity Task with tokens and available I/O executed Tokens refreshed every given period When guest make system call to read data read data into guest buffer until no tokens, or no data

Parmer, West, BU CS Hijack 15/33

slide-16
SLIDE 16

Packet Delivery QoS Results: Linux Same Priority

5000 10000 15000 20000 25000 30000 35000 40000 45000 5 10 15 20 25 30 Number of packets delivered to a task Time (seconds) Task 0 Task 1 Task 2 Task 3

Parmer, West, BU CS Hijack 16/33

slide-17
SLIDE 17

Packet Delivery QoS Results: Linux Increasing Priority

5000 10000 15000 20000 25000 30000 35000 40000 45000 5 10 15 20 25 30 Number of packets delivered to a task Time (seconds) Task 0 Task 1 Task 2 Task 3

Parmer, West, BU CS Hijack 17/33

slide-18
SLIDE 18

Packet Delivery QoS Results: Hijacked Linux

5000 10000 15000 20000 25000 30000 35000 40000 45000 5 10 15 20 25 30 Number of packets delivered to a task Time (seconds) Task 0 Task 1 Task 2 Task 3

Parmer, West, BU CS Hijack 18/33

slide-19
SLIDE 19

Related Work

Related work includes: RTLinux Separate system into two functional domains for Hard-RT predictability Focus is on interrupt latency, not app-specific resource management policies VMs Interface provided to guest OSs (executives) is identical to the hardware itself Focus is on HW virtualization, not on providing app-specific services

Parmer, West, BU CS Hijack 19/33

slide-20
SLIDE 20

Conclusions

Hijack enables app-specific, user-level RT policies using a general purpose computing base Use interposition on system service requests to redefine policies executive defined at user-level can leverage underlying system functionality where appropriate Demonstrated that complex policies can be introduced A useful approach towards shrinking the semantic gap

Parmer, West, BU CS Hijack 20/33

slide-21
SLIDE 21
slide-22
SLIDE 22

Limitations

global bit trick not ideal for all workloads

can revert to simply flushing whole TLB or use other techniques

Certain aspects of the system that cannot be hijacked using these techniques

If utilize functionality in base system, generally cannot Hijack that functionality COTS system interrupt handling behavior (prototype limitation)

Parmer, West, BU CS Hijack 22/33

slide-23
SLIDE 23

Using Global-bit Trick to Avoid TLB Flushes

Study the effect of TLB flushes on Executive ↔ Guest communication Vary working set size (WSS) of guest by touching data/instruction pages then making system call instruction-TLB has 128 entries data-TLB has 64 entries Global-bit trick avoids TLB flush, thus avoiding misses

50 100 150 200 250 300 350 50 100 150 200 250 300 # iTLB Misses Instruction WSS Hijack Guest -> Executive RPC Linux Pipe System Call

Parmer, West, BU CS Hijack 23/33

slide-24
SLIDE 24

Using the Global-bit Trick to Avoid TLB Flushes (2)

5000 10000 15000 20000 25000 30000 35000 50 100 150 200 250 300 Cycles Data WSS Hijack Guest -> Executive RPC Linux Pipe 5000 10000 15000 20000 25000 30000 50 100 150 200 250 300 Cycles Instruction WSS Hijack Guest -> Executive RPC Linux Pipe

Parmer, West, BU CS Hijack 24/33

slide-25
SLIDE 25

Asynchronous Event Notification Experiments

Timer interrupts in Executive synthesized with signals Predictable notification Executive can define customizable policy for scheduling beyond what is present in the COTS system (EDF, PFAIR, DWCS, etc. . . )

0.0 5.0 10.0 15.0 20.0 25.0 30.0 1 2 3 4

Number of Background CPU Bound Tasks Average Signal Interarrival Time (milliseconds)

Hijack Linux Task

Parmer, West, BU CS Hijack 25/33

slide-26
SLIDE 26

Hijack Execution Environment Address Space

signal_handler 4KB guard page executive stack 4KB guard page sigaltstack executive read-only 0x3FC00000 read-writable

Parmer, West, BU CS Hijack 26/33

slide-27
SLIDE 27

QoS Expts. Executive Algorithm

main_event_loop () { next = NULL; select on the file descriptors for each task; if (timing period has expired) for (each task in tasks) curr_tokens(task) = init_tokens(task); for (each task in tasks) if (select indicated that task has data && curr_tokens(task) > 0) { next = task; break; } if (next == NULL) next = best_effort_task; execute next; }

Parmer, West, BU CS Hijack 27/33

slide-28
SLIDE 28

QoS Expts. Executive Algorithm (2)

guest_syscall_read(guest_fd, guest_buf, guest_size) { fd = translate_to_host_fd(guest_fd); loop until (read doesn’t return data || curr_tokens(task) == 0) { read(fd, guest_buf, guest_size); //nonblocking curr_tokens(task)--; } }

Parmer, West, BU CS Hijack 28/33

slide-29
SLIDE 29
  • Max. Jitter QoS Results: Linux Same Priority

100000 1e+06 1e+07 1e+08 1e+09 5 10 15 20 25 30 Maximum stream jitter (cycles) Time (seconds) Task 0 Task 1 Task 2 Task 3

Parmer, West, BU CS Hijack 29/33

slide-30
SLIDE 30
  • Max. Jitter QoS Results: Linux Increasing Priority

100000 1e+06 1e+07 1e+08 1e+09 5 10 15 20 25 30 Maximum stream jitter (cycles) Time (seconds) Task 0 Task 1 Task 2 Task 3

Parmer, West, BU CS Hijack 30/33

slide-31
SLIDE 31
  • Max. Jitter QoS Results: Hijacked Linux

100000 1e+06 1e+07 1e+08 1e+09 5 10 15 20 25 30 Maximum stream jitter (cycles) Time (seconds) Task 0 Task 1 Task 2 Task 3

Parmer, West, BU CS Hijack 31/33