Jonathan S. Shapiro Jonathan M. Smith David J. Farber Priorities - - PowerPoint PPT Presentation

jonathan s shapiro jonathan m smith david j farber
SMART_READER_LITE
LIVE PREVIEW

Jonathan S. Shapiro Jonathan M. Smith David J. Farber Priorities - - PowerPoint PPT Presentation

Dec 04, 2022 238 likes •450 views

Jonathan S. Shapiro Jonathan M. Smith David J. Farber Priorities 1.Security & Integrity 2.High availability 3.Fault Tolerance 4.Evolvability 5.Performance This ordering has architectural and performance implications. Pure

slide-1
SLIDE 1

Jonathan S. Shapiro Jonathan M. Smith David J. Farber

slide-2
SLIDE 2
  • Priorities

1.Security & Integrity 2.High availability 3.Fault Tolerance 4.Evolvability 5.Performance

  • This ordering has architectural and

performance implications.

slide-3
SLIDE 3
  • Pure capability system
  • Transparently persistent
  • Recovers rapidly (< 30 seconds)
  • Thoroughly paranoid implementation

– Consistency checks to prevent snapshot of bad states – Implementation tries to be “fail fast” – Think: kernel always compiled for debugging

  • Some emphasis on discretionary security
slide-4
SLIDE 4
  • A capability is an (object,

permissions) pair

– Unforgeable, so a basis for protection – Transferable, so a basis for authorization

  • This can be generalized to

(object, type)

  • An object version number makes

reallocation simple.

  • The resulting representation is

straightforward. (myspace, {r, w}) (spaceroot, rw-space) (spaceroot, node)

type misc bits version

  • bject identifier

32 bits 4 words

slide-5
SLIDE 5

Comparison to Other Capability Systems

System HW/SW Store Persist Cap Prot Mem Model IPC Cal TSS SW File Explicit Partition Byte Segments Buffered, Unbounded CAP HW Object Explicit Partition Byte Segments Prot. Procedure Call Hydra Mixed File Explicit Partition Byte Segments Prot. Procedure Call S/38 (AS/400) HW + Compiler Object Transparent Tagging Byte Segments Prot. Procedure Call i432 HW Object Explicit Partition Byte Segments Prot. Procedure Call Mach SW App. Defined Explicit Partition Page Regions Buffered, Unbounded Amoeba SW Object Explicit Sparsity Page Regions Buffered, Bounded KeyKOS/ EROS SW Object Transparent Partition Pages + Nodes Unbuffered, Bounded

slide-6
SLIDE 6

PTE Page Capability

Page Table Entry:

Phys Page Number {w,s,v}

Object identifier Type Capability type misc bits version

  • bject identifier

32 bits 4 words

Node Page

slide-7
SLIDE 7
  • Processes have user-mode

machine state plus supervisor- implemented capability registers.

  • Kernel implements a machine-

specific process table

– Used to cache active processes (c.f. Cache Kernel, Fluke). – Fast-path IPC uses this structure. – General capability invocation path uses both representations.

  • Process state is recorded in nodes.

p0 p1 p2 p3 p4 p5 ... pn

slide-8
SLIDE 8
  • Everything (all resources) is named by a uniform naming

mechanism: capabilities.

  • The protection state of the system can be directly realized

by the hardware.

  • All user-visible state is stored in pages and nodes

– This plus “run list” is all you need to define a recoverable system state.

  • Object reference is a protected operation

– Conventional operating system services can therefore be implemented outside the kernel.

slide-9
SLIDE 9

Node, Page Cache (Main Memory) Node, Page Cache (Main Memory) Write-ahead Checkpoint Log Permanent Store Process Table Mapping Structures

Invocation Checkpoint, Ageing Page Faults Checkpoint, Ageing Object Faults Migration Object Faults

slide-10
SLIDE 10
  • How might a system be structured on top of

this kind of platform?

  • How does it perform?
  • Given that it is unconventional, why should

you care?

  • Where do we go from here?
slide-11
SLIDE 11

Program Address Space Fault Handler Other Services Space Bank Other Space Banks Prime Space Bank

slide-12
SLIDE 12
  • Memory fault handlers
  • Storage allocator (space bank)
  • Files and Directories
  • Pipes
  • Constructor (confinement implementation)
  • Reference monitor
slide-13
SLIDE 13
  • Initial Conditions:

– Client has exclusive access to service. – Confined entity has no unauthorized channels.

  • Confined entity can be a

complex subsystem.

  • Client therefore completely

controls communication.

slide-14
SLIDE 14

Reference Monitor w/Confinement

Kernel Reference Monitor Confined Compartment Sandbox Process

  • Reference monitor knows object semantics.
  • Interposes transparent forwarding objects where

appropriate.

  • Can be evolved as new object types are introduced.
slide-15
SLIDE 15

Reference Monitors

Kernel Reference Monitor Confined Compartment Sandbox Process

Reference Monitor

  • Multiple reference monitors can securely manage

disjoint logical systems on the same hardware.

  • Remote Hot Standby
slide-16
SLIDE 16

8.34 3.85 1.92 1.26 3.174 6.7 0.7 5.66 3.56 0.664 1.19 2.042 0.367 1.6

2 4 6 8 10 Pipe Lat (us) Pipe BW (s/GB) Create Process (ms) Ctxt Switch (us) Grow Heap (us/10) Pg Fault (us/10)

  • Triv. Syscall (us)

EROS Linux 2.2.5 (2.0.34 kernel)

400 MHz P-II 512 Kbyte cache 192 MBytes

Note: 2.2.x kernel introduced a temporary performance bug in page fault handling.

slide-17
SLIDE 17

Property L4 EROS Issue Registers saved Most All Covert Channel Payload 31 x 4M 1 x 64k Resource Exhaustion, Target name Thread ID Capability Encapsulation Authority Xfer Permissions for Pages Capabilities Access Control, Channel audits Atomicity No: Preemption, Page Faults Yes Bounding resources and time Missing page strategy Timeout, then discard Discard Covert Channel

slide-18
SLIDE 18

Property L4 EROS Issue Registers saved Most All Covert Channel Payload 31 x 4M 1 x 64k Resource Exhaustion, Target name Thread ID Capability Encapsulation Authority Xfer Permissions for Pages Capabilities Access Control, Channel audits Atomicity No: Preemption, Page Faults Yes Bounding resources and time Missing page strategy Timeout, then discard Discard Covert Channel Latency 454 cycles 640 cycles Large spaces

slide-19
SLIDE 19
  • It appears possible to build a high-performance

capability system.

  • Persistence greatly simplifies some components,

and therefore assurance.

  • Capabilities provide a sufficient primitive

protection mechanism to implement other security policies at user level.

  • Using performance as the only evaluation criterion

can obscure important issues, including security.

slide-20
SLIDE 20
  • How can a capability system be distributed

securely and efficiently?

  • How is multiparty administration and just-in-time

software provisioning to be managed?

  • How can assurance be achieved using an open

development model?

  • Compatibility and (r)evolution
  • System structure – design and architecture
  • Language integration: how to do it successfully
slide-21
SLIDE 21
  • IBM Research has started the Cougar project to

investigate secure, high-performance underpinnings for pervasive devices and their supporting servers.

  • Cougar will be capability based, and will borrow

from both the L4 and the EROS architectures.