the quest v separation kernel
play

The Quest-V Separation Kernel Richard West richwest@cs.bu.edu - PowerPoint PPT Presentation

Sep 21, 2023 •130 likes •547 views

The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals Develop system for high-confidence (embedded) systems Mixed criticalities (timeliness and safety) Predictable real-time support

  1. The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science

  2. Goals • Develop system for high-confidence (embedded) systems – Mixed criticalities (timeliness and safety) • Predictable – real-time support • Resistant to component failures & malicious manipulation • Self-healing • Online recovery of software component failures 2

  3. Target Applications • Healthcare • Avionics • Automotive • Factory automation • Robotics • Space exploration • Other safety-critical domains 3

  4. Case Studies • $327 million Mars Climate Orbiter – Loss of spacecraft due to Imperial / Metric conversion error (September 23, 1999) • 10 yrs & $7 billion to develop Ariane 5 rocket – June 4, 1996 rocket destroyed during flight – Conversion error from 64-bit double to 16-bit value • 50+ million people in 8 states & Canada in 2003 without electricity due to software race condition 4

  5. Approach • Quest-V for multi-/many-core processors – Distributed system on a chip – Time as a first-class resource • Cycle-accurate time accountability – Separate sandbox kernels for system components – Memory isolation using h/w-assisted memory virtualization • Extended page tables (EPTs – Intel) • Nested page tables (NPTs – AMD) – Also need CPU, I/O, cache isolation, etc (later!) 6

  6. Related Work • Existing virtualized solutions for resource partitioning – Wind River Hypervisor, XtratuM, PikeOS, Mentor Graphics Hypervisor – Xen, Oracle PDOMs, IBM LPARs – Muen, (Siemens) Jailhouse 7

  7. Problem • Traditional Virtual Machine approaches too expensive – Require traps to VMM (a.k.a. hypervisor) to mux & manage machine resources for multiple guests – e.g., ~1500 clock cycles VM-Enter/Exit on Xeon E5506 8

  8. Traditional Approach (Type 1 VMM) ... VM VM VM VM VM Type 1 VMM / Hypervisor Hardware (CPUs, memory, devices) 9

  9. Contributions • Quest-V Separation Kernel [WMC'13, VEE'14] – Uses H/W virtualization to partition resources amongst services of different criticalities – Each partition, or sandbox , manages its own CPU cores, memory area, and I/O devices w/o hypervisor intervention – Hypervisor typically only needed for bootstrapping system + managing comms channels b/w sandboxes 10

  10. Contributions • Quest-V Separation Kernel Eliminates hypervisor intervention during normal virtual machine operations 11

  11. Architecture Overview 12

  12. Memory Partitioning • Guest kernel page tables for GVA-to-GPA translation • EPTs (a.k.a. shadow page tables) for GPA-to- HPA translation – EPTs modifiable only by monitors – Intel VT-x: 1GB address spaces require 12KB EPTs w/ 2MB superpaging 13

  13. Quest-V Linux Memory Layout 14

  14. Quest-V Memory Partitioning 15

  15. Memory Virtualization Costs • Example Data TLB overheads • Xeon E5506 4-core @ 2.13GHz, 4GB RAM 16

  16. I/O Partitioning • Device interrupts directed to each sandbox – Use I/O APIC redirection tables – Eliminates monitor from control path • EPTs prevent unauthorized updates to I/O APIC memory area by guest kernels • Port-addressed devices use in/out instructions • VMCS configured to cause monitor trap for specific port addresses • Monitor maintains device "blacklist" for each sandbox – DeviceID + VendorID of restricted PCI devices 17

  17. Quest-V I/O Partitioning Data Port: 0xCFC Address Port: 0xCF8 18

  18. Monitor Intervention During normal operation only one monitor trap every 3-5 mins by CPUID No I/O Partitioning I/O Partitioning (Block COM and NIC) Exception (TF) 0 9785 CPUID 502 497 VMCALL 2 2 I/O Instruction 0 11412 EPT Violation 0 388 XSETBV 1 1 Table: Monitor Trap Count During Linux Sandbox Initialization 19

  19. CPU Partitioning • Scheduling local to each sandbox – partitioned rather than global – avoids monitor intervention • Uses real-time VCPU approach for Quest native kernels [RTAS'11] 20

  20. Predictability ● VCPUs for budgeted real-time execution of threads and system events (e.g., interrupts) ● Threads mapped to VCPUs ● VCPUs mapped to physical cores ● Sandbox kernels perform local scheduling on assigned cores ● Avoid VM-Exits to Monitor – eliminate cache/TLB flushes 21

  21. VCPUs in Quest(-V) Address Threads Space Main VCPUs I/O VCPUs PCPUs (Cores) 22

  22. VCPUs in Quest(-V) • Two classes Main → – for conventional tasks I/O → – for I/O event threads (e.g., ISRs) • Scheduling policies Main → – sporadic server (SS) I/O → – priority inheritance bandwidth- preserving server (PIBS) 23

  23. SS Scheduling • Model periodic tasks – Each SS has a pair (C,T) s.t. a server is guaranteed C CPU cycles every period of T cycles when runnable • Guarantee applied at foreground priority • background priority when budget depleted – Rate-Monotonic Scheduling theory applies 24

  24. PIBS Scheduling IO VCPUs have utilization factor, U V,IO • • IO VCPUs inherit priorities of tasks (or Main VCPUs) associated with IO events Currently, priorities are ƒ (T) for – corresponding Main VCPU – IO VCPU budget is limited to: • T V,main * U V,IO for period T V,main 25

  25. PIBS Scheduling • IO VCPUs have eligibility times, when they can execute t e = t + C actual / U V,IO • – t = start of latest execution – t >= previous eligibility time 26

  26. Example VCPU Schedule 27

  27. Sporadic Constraint • Worst-case preemption by a sporadic task for all other tasks is not greater than that caused by an equivalent periodic task (1) Replenishment, R must be deferred at least t+T V (2) Can be deferred longer (3) Can merge two overlapping replenishments • R1.time + R1.amount >= R2.time then MERGE • Allow replenishment of R1.amount +R2.amount at R1.time 28

  28. Example Replenishments amount , time Replenishment Queue Element VCPU 0 (C=10, T=40, Start=1) VCPU 1 (C=20, T=50, Start=0) IOVCPU (Utilization=4%) 20,00 02,00 02,40 18,50 02,50 02,80 02,90 16,100 00,00 18,50 18,50 02,90 02,90 02,90 16,100 02,130 00,00 00,00 00,00 00,00 16,100 16,100 02,130 02,140 (A) 1 10 17 2 1 10 1 16 2 1 10 12 8 Corrected Algorithm 0 10 20 30 40 50 60 70 80 90 100 110 (B) 1 10 17 2 1 10 17 2 1 10 17 Premature Replenishment 0 10 20 30 40 50 60 70 80 90 100 110 Interval [t=0,100] (A) VCPU 1 = 40%, (B) VCPU 1 = 46% 29

  29. Utilization Bound Test • Sandbox with 1 PCPU, n Main VCPUs, and m I/O VCPUs – Ci = Budget Capacity of Vi – Ti = Replenishment Period of Vi – Main VCPU, Vi – Uj = Utilization factor for I/O VCPU, Vj n − 1 Ci m − 1 Ti + ∑ ∑ √ 2 − 1 ) n ( 2 − Uj ) ⋅ Uj ≤ n ⋅ ( i = 0 j = 0 30

  30. Cache Partitioning • Shared caches controlled using color-aware memory allocator • Cache occupancy prediction based on h/w performance counters – E' = E + (1-E/C) * m l – E/C * m o – Enhanced with hits + misses [Book Chapter, OSR'11, PACT'10] 31

  31. Linux Front End • For low criticality legacy services • Based on Puppy Linux 3.8.0 • Runs entirely out of RAM including root filesystem • Low-cost paravirtualization – less than 100 lines – Restrict observable memory – Adjust DMA offsets • Grant access to VGA framebuffer + GPU • Quest native SBs tunnel terminal I/O to Linux via shared memory using special drivers 32

  32. Quest-V Linux Screenshot 33

  33. Quest-V Linux Screenshot 1 CPU + 512 MB No VMX or EPT flags 34

  34. Quest-V Performance Overhead • Measured time to play back 1080P MPEG2 video from the x264 HD video benchmark • Mini-ITX Intel Core i5-2500K 4-core, HD3000 graphics, 4GB RAM mplayer Benchmark 35

  35. Conclusions • Quest-V separation kernel built from scratch – Distributed system on a chip – Uses (optional) h/w virtualization to partition resources into sandboxes – Protected comms channels b/w sandboxes • Sandboxes can have different criticalities – Linux front-end for less critical legacy services • Sandboxes responsible for local resource management – avoids monitor involvement 36

  36. Quest-V Status • About 11,000 lines of kernel code • 200,000+ lines including lwIP, drivers, regression tests • SMP, IA32, paging, VCPU scheduling, USB, PCI, networking, etc • Quest-V requires BSP to send INIT-SIPI-SIPI to APs, as in SMP system – BSP launches 1 st (guest) sandbox – APs “VM fork” their sandboxes from BSP copy 37

  37. Future Work • Online fault detection and recovery • Technologies for secure monitors – e.g., Intel TXT + VT-d • Separation kernel support for: – Accelerators / GPUs (time partitioning) – NoCs – Heterogeneous platforms (ala Helios satellite kernels) See www.questos.org for more details 38

  38. Quest-V Demo ● Bootstrapping Quest native kernel (core 0) + Linux (core 1) – Linux kernel + filesystem in RAM – Secure comms channel b/w Quest SB & Linux SB using a pseudo-char device – /dev/qSBx device for each sandbox x ● Triple modular redundancy (TMR) fault recovery for unmanned aerial vehicle (UAV) http://quest.bu.edu/demo.html 39

  39. The Quest Team • Richard West • Ye Li • Eric Missimer • Matt Danish • Gary Wong 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West,

Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West,

Introduction Quest-V Overview Inter-Sandbox Communication Predictable Migration Conclusions Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West, Zhuoqun Cheng, Eric Missimer Boston University 1 / 29

870 views • 29 slides
Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Data Separation x 2 x 2 Class #10: Kernel Functions and Support Vector Machines (SVMs) x 1 x 1 Machine Learning (COMP 135): M. Allen, 07 Oct. 19 Linear classification with a perceptron or logistic function look for a dividing line in } the

162 views • 5 slides
Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Data Separation x 2 x 2 Class #13: Support Vector Machines (SVMs) and Kernel Functions x 1 x 1 Machine Learning (COMP 135): M. Allen, 02 Mar. 20 Linear classification with a perceptron or logistic function look for a dividing line in } the

170 views • 6 slides
FreeBSD Development for Smarties The quest for a better kernel development environment Lawrence

FreeBSD Development for Smarties The quest for a better kernel development environment Lawrence

FreeBSD Development for Smarties The quest for a better kernel development environment Lawrence Stewart lastewart@swin.edu.au Centre for Advanced Internet Architectures (CAIA) Swinburne University of Technology Outline Getting started 1

394 views • 35 slides
Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2

Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2

Audio separation Spectrogram models Results Conclusion Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2 Derry Fitzgerald 3 , Laurent Daudet 4 1 Inria, Universit e de Lorraine, LORIA, UMR 7503,

197 views • 18 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger

Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger

Outline Introduction Implementation Analysis Conclusion Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil

784 views • 27 slides
Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation Nathan Dautenhahn, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram Adve Nested Kernel - Motivation Monoliths have single

398 views • 17 slides
Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop 2010 Austin, Texas Timothy Levin, Thuy Nguyen, Cynthia Irvine, Michael McEvilley LAW 2010 Overview Purpose Help users of SKPP understand

383 views • 17 slides
A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric

A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric

Introduction Architecture Performance Conclusions Ongoing and Future Work A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric Missimer Boston University March 2nd, 2014 Introduction Architecture

449 views • 21 slides
Quantification of Uncertainty in Extreme Scale Computations (QUEST) www.quest-scidac.org H. Najm

Quantification of Uncertainty in Extreme Scale Computations (QUEST) www.quest-scidac.org H. Najm

Intro QUEST Technical Progress Closure Quantification of Uncertainty in Extreme Scale Computations (QUEST) www.quest-scidac.org H. Najm 1 , B. Debusschere 1 , M. Eldred 1 , R. Ghanem 2 , O. Ghattas 3 , R. Moser 3 , E. Prudencio 3 , D. Higdon 4

510 views • 28 slides
Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17

Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17

Introduction Muen Intel Virtualization Support Challenges Approach Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17 July 2017 Introduction Muen Intel Virtualization Support Challenges

272 views • 25 slides
The Quest for Quarks Quest for Quarks p. 1/2 The Frontiers of Matter (in 1932) The periodic

The Quest for Quarks Quest for Quarks p. 1/2 The Frontiers of Matter (in 1932) The periodic

The Quest for Quarks Quest for Quarks p. 1/2 The Frontiers of Matter (in 1932) The periodic chart orders the chemical elements according to their properties. It provides clues to the underly- ing atomic structure. The fundamental

421 views • 29 slides
Atsuto Suzuki 1 in 2007 2 Quest for Quest for Unifying International Linear Collider

Atsuto Suzuki 1 in 2007 2 Quest for Quest for Unifying International Linear Collider

Atsuto Suzuki 1 in 2007 2 Quest for Quest for Unifying International Linear Collider Birth-Evolution Matter and Force ILC of Universe Scie cientific ic A Act ctiv ivit ities Lepton CP Asymmetry Beyond Standard Physics

657 views • 33 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
Separation energies A = 21 isobaric chain one-nucleon separation energies two-nucleon separation

Separation energies A = 21 isobaric chain one-nucleon separation energies two-nucleon separation

Separation energies A = 21 isobaric chain one-nucleon separation energies two-nucleon separation energies Using http://www.nndc.bnl.gov/chart/ find one- and two-nucleon separation energies of 8 He, 11 Li, 45 Fe, 141 Ho, and 208 Pb. Discuss the

237 views • 5 slides
Clinical Assessment of Patients with Acute Coronary Syndrome Managed with Percutaneous Coronary

Clinical Assessment of Patients with Acute Coronary Syndrome Managed with Percutaneous Coronary

Clinical Assessment of Patients with Acute Coronary Syndrome Managed with Percutaneous Coronary Intervention and Treated with Prasugrel or Clopidogrel using Academic Center Databases - The PROMETHEUS Study- Study Organization Data

335 views • 22 slides
CLTS Contributions to Results of a WASHPaLS Desk Review December 13, 2017 Ending Open

CLTS Contributions to Results of a WASHPaLS Desk Review December 13, 2017 Ending Open

CLTS Contributions to Results of a WASHPaLS Desk Review December 13, 2017 Ending Open Presenters Jeff Albert Caroline Delaire Valentina Zuin (WASHPaLS team) Defecation Jesse Shapiro (USAID) What is WASHPaLS? Water, Sanitation, &

483 views • 24 slides
The Bro Monitoring Platform Adam Slagell National Center for Supercomputing Applications Borrowed

The Bro Monitoring Platform Adam Slagell National Center for Supercomputing Applications Borrowed

The Bro Monitoring Platform Adam Slagell National Center for Supercomputing Applications Borrowed from Robin Sommer International Computer Science Institute The Bro Monitoring Platform What Is Bro? Packet Capture Traffic Inspection

523 views • 36 slides
T Fingerprinting and Classifying Participants F A NMRG Workshop, Prague, Czech Republic

T Fingerprinting and Classifying Participants F A NMRG Workshop, Prague, Czech Republic

Automaton Models for Netflow Analysis T Fingerprinting and Classifying Participants F A NMRG Workshop, Prague, Czech Republic Friday, July 24th 2015 R Christian A Hammerschmidt, christian.hammerschmidt@uni.lu D Interdisciplinary Centre for

387 views • 16 slides
Organization of DSLE part Tooling Domain Specific Language Domain Specific Language

Organization of DSLE part Tooling Domain Specific Language Domain Specific Language

Organization of DSLE part Tooling Domain Specific Language Domain Specific Language Eclipse plus EMF Engineering Xtext, Xtend, Xpand, QVTo and ATL Topics: Prof.dr. Mark van den Brand Model driven software engineering Model

268 views • 13 slides
If I Only Knew Then What I Know Now 5 Lessons Learned from my experiences leading agile

If I Only Knew Then What I Know Now 5 Lessons Learned from my experiences leading agile

If I Only Knew Then What I Know Now 5 Lessons Learned from my experiences leading agile transformations Larry Gorman , Chief Technology Evangelist, SkyTouch Technology Larry Gorman Chief Technology Evangelist SkyTouch Technology o: 602-337-2865

484 views • 21 slides
Descriptive Methods 707.031: Evaluation Methodology Winter 2015/16 Eduardo Veas what we do with

Descriptive Methods 707.031: Evaluation Methodology Winter 2015/16 Eduardo Veas what we do with

Descriptive Methods 707.031: Evaluation Methodology Winter 2015/16 Eduardo Veas what we do with the data depends on the scales 2 Measurement Scales 3 The complexity of measurements Nominal Crude Ordinal Interval Ratio

847 views • 69 slides
Web Application Stress Testing with Blaise Internet with Blaise Internet Jim OReilly Jim O

Web Application Stress Testing with Blaise Internet with Blaise Internet Jim OReilly Jim O

Web Application Stress Testing with Blaise Internet with Blaise Internet Jim OReilly Jim O Reilly Westat International Blaise Users Conference Annapolis Maryland, USA September 28, 2007 Septe be 8, 00 Introduction F Focus: web

460 views • 20 slides

More recommend