tolerating hardware device failures in software
play

Tolerating Hardware Device Failures in Software Asim Kadav, Matthew - PowerPoint PPT Presentation

Mar 09, 2023 •323 likes •779 views

Tolerating Hardware Device Failures in Software Asim Kadav, Matthew J. Renzelmann, Michael M. Swift University of Wisconsin-Madison Current state of OS-hardware interaction Many device drivers assume device perfection Common Linux

  1. Tolerating Hardware Device Failures in Software Asim Kadav, Matthew J. Renzelmann, Michael M. Swift University of Wisconsin-Madison

  2. Current state of OS-hardware interaction • Many device drivers assume device perfection » Common Linux network driver: 3c59x .c While (ioread16(ioaddr + Wn7_MasterStatus)) & 0x8000) ; HANG! Hardware dependence bug: Device malfunction can crash the system 10/12/2009 Tolerating Hardware Device Failures in Software

  3. Current state of OS-hardware interaction • Hardware dependence bugs across driver classes void hptitop_iop_request_callback(...) { arg= readl(...); ... if (readl(&req->result) == IOP_SUCCESS) { arg->result = HPT_IOCTL_OK; } } Highpoint SCSI driver(hptiop.c) *Code simplified for presentation purposes 10/12/2009 Tolerating Hardware Device Failures in Software

  4. How do the hardware bugs manifest? • Drivers often trust hardware to always work correctly » Drivers use device data in critical control and data paths » Drivers do not report device malfunctions to system log » Drivers do not detect or recover from device failures 10/12/2009 Tolerating Hardware Device Failures in Software

  5. An example: Windows servers • Transient hardware failures caused 8% of all crashes and 9% of all unplanned reboots [1] » Systems work fine after reboots » Vendors report returned device was faultless • Existing solution is hand-coded hardened driver: » Crashes reduced from 8% to 3% • Driver isolation systems not yet deployed [1] Fault resilient drivers for Longhorn server, May 2004. Microsoft Corp. 10/12/2009 Tolerating Hardware Device Failures in Software

  6. Carburizer • Goal: Tolerate hardware device failures in software through hardware failure detection and recovery • Static analysis tool - analyze and insert code to: » Detect and fix hardware dependence bugs » Detect and generate missing error reporting information • Runtime » Handle interrupt failures » Transparently recover from failures 10/12/2009 Tolerating Hardware Device Failures in Software

  7. Outline • Background • Hardening drivers • Reporting errors • Runtime fault tolerance • Cost of carburizing • Conclusion 10/12/2009 Tolerating Hardware Device Failures in Software

  8. Hardware unreliability • Sources of hardware misbehavior: » Device wear-out, insufficient burn-in » Bridging faults » Electromagnetic radiation » Firmware bugs • Result of misbehavior: » Corrupted/stuck-at inputs » Timing errors/unpredictable DMA » Interrupt storms/missing interrupts 10/12/2009 Tolerating Hardware Device Failures in Software

  9. Vendor recommendations for driver developers Recommendation Summary Recommended by Intel Sun MS Linux    Validation Input validation    Read once& CRC data   DMA protection    Infinite polling Timing  Stuck interrupt Goal: Automatically implement as many recommendations as  Lost request possible in commodity drivers  Avoid excess delay in OS   Unexpected events    Report all failures Reporting   Recovery Handle all failures   Cleanup correctly    Do not crash on failure     Wrap I/O memory access 10/12/2009 Tolerating Hardware Device Failures in Software

  10. Carburizer architecture Compile-time components Run-time components OS Kernel Kernel Interface Carburizer If (c==0) { . print (“Driver Carburizer init”); Compiler } If (c==0) { . . . print (“Driver Runtime init”); Hardened } . . Driver Binary Driver Faulty Hardware 10/12/2009 Tolerating Hardware Device Failures in Software

  11. Outline • Background • Hardening drivers » Finding sensitive code » Repairing code • Reporting errors • Runtime fault tolerance • Cost of carburizing • Conclusion 10/12/2009 Tolerating Hardware Device Failures in Software

  12. Hardening drivers • Goal: Remove hardware dependence bugs » Find driver code that uses data from device » Ensure driver performs validity checks • Carburizer detects and fixes hardware bugs from » Infinite polling » Unsafe static/dynamic array reference » Unsafe pointer dereferences » System panic calls 10/12/2009 Tolerating Hardware Device Failures in Software

  13. Hardening drivers • Finding sensitive code » First pass: Identify tainted variables 10/12/2009 Tolerating Hardware Device Failures in Software

  14. Finding sensitive code First pass: Identify tainted variables Tainted int test () { Variables a = readl(); a b = inb(); b c = b; c d = c + 2; d return d; test() } e int set() { e = test(); } 10/12/2009 Tolerating Hardware Device Failures in Software

  15. Detecting risky uses of tainted variables • Finding sensitive code » Second pass: Identify risky uses of tainted variables • Example: Infinite polling » Driver waiting for device to enter particular state » Solution: Detect loops where all terminating conditions depend on tainted variables 10/12/2009 Tolerating Hardware Device Failures in Software

  16. Example: Infinite polling Finding sensitive code static int amd8111e_read_phy(………) { ... reg_val = readl(mmio + PHY_ACCESS); while (reg_val & PHY_CMD_ACTIVE) reg_val = readl(mmio + PHY_ACCESS) . } AMD 8111e network driver(amd8111e.c) 10/12/2009 Tolerating Hardware Device Failures in Software

  17. Not all bugs are obvious while (DAC960_PD_StatusAvailableP(ControllerBaseAddress)) { DAC960_V1_CommandIdentifier_T CommandIdentifier= DAC960_PD_ReadStatusCommandIdentifier (ControllerBaseAddress); DAC960_Command_T *Command = Controller ->Commands [CommandIdentifier-1]; DAC960_V1_CommandMailbox_T *CommandMailbox = &Command->V1.CommandMailbox; DAC960_V1_CommandOpcode_T CommandOpcode=CommandMailbox->Common.CommandOpcode; Command->V1.CommandStatus =DAC960_PD_ReadStatusRegister(ControllerBaseAddress); DAC960_PD_AcknowledgeInterrupt(ControllerBaseAddress); DAC960_PD_AcknowledgeStatus(ControllerBaseAddress); switch (CommandOpcode) { case DAC960_V1_Enquiry_Old: DAC960_P_To_PD_TranslateReadWriteCommand(CommandMailbox); … } DAC960 Raid Controller(DAC960.c) 10/12/2009 Tolerating Hardware Device Failures in Software

  18. Detecting risky uses of tainted variables • Example II: Unsafe array accesses » Tainted variables used as array index into static or dynamic arrays » Tainted variables used as pointers 10/12/2009 Tolerating Hardware Device Failures in Software

  19. Example: Unsafe array accesses Unsafe array accesses static void __init attach_pas_card(...) { if ((pas_model = pas_read(0xFF88))) { ... sprintf(temp, “%s rev %d”, pas_model_names[(int) pas_model], pas_read(0x2789)); ... } Pro Audio Sound driver (pas2_card.c) 10/12/2009 Tolerating Hardware Device Failures in Software

  20. Analysis results over the Linux kernel • Analyzed drivers in 2.6.18.8 Linux kernel » 6300 driver source files » 2.8 million lines of code » 37 minutes to analyze and compile code • Additional analyses to detect existing validation code 10/12/2009 Tolerating Hardware Device Failures in Software

  21. Analysis results over the Linux kernel Driver class Infinite Static array Dynamic Panic calls polling array net 117 2 21 2 scsi 298 31 22 121 sound 64 1 0 2 video 174 0 22 22 other 381 9 57 32 Total 860 43 89 179 • Found 992 bugs in driver code Many cases of poorly written drivers with hardware dependence bugs • False positive rate: 7.4% (manual sampling of 190 bugs) 10/12/2009 Tolerating Hardware Device Failures in Software

  22. Repairing drivers • Hardware dependence bugs difficult to test • Carburizer automatically generates repair code » Inserts timeout code for infinite loops » Inserts checks for unsafe array/pointer references » Replaces calls to panic() with recovery service » Triggers generic recovery service on device failure 10/12/2009 Tolerating Hardware Device Failures in Software

  23. Carburizer automatically fixes infinite loops timeout = rdstcll(start) + (cpu/khz/HZ)*2; reg_val = readl(mmio + PHY_ACCESS); while (reg_val & PHY_CMD_ACTIVE) { reg_val = readl(mmio + PHY_ACCESS); if (_cur < timeout) rdstcll(_cur); else Timeout code __recover_driver(); added } AMD 8111e network driver(amd8111e.c) *Code simplified for presentation purposes 10/12/2009 Tolerating Hardware Device Failures in Software

  24. Carburizer automatically adds bounds checks static void __init attach_pas_card(...) { Array bounds check added if ((pas_model = pas_read(0xFF88))) { ... if ((pas_model< 0)) || (pas_model>= 5)) __recover_driver(); . sprintf(temp, “%s rev %d”, pas_model_names[(int) pas_model], pas_read(0x2789)); } Pro Audio Sound driver (pas2_card.c) *Code simplified for presentation purposes 10/12/2009 Tolerating Hardware Device Failures in Software

  25. Runtime fault recovery Driver-Kernel • Low cost transparent recovery Interface » Based on shadow drivers » Records state of driver Taps Shadow Driver » Transparent restart and state replay on failure • Independent of any isolation Device Driver mechanism (like Nooks) Device 10/12/2009 Tolerating Hardware Device Failures in Software

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TOLERATING BUSINESS FAILURES IN HOSTED APPLICATIONS Jean-Sbastien Lgar Dutch T. Meyer,

TOLERATING BUSINESS FAILURES IN HOSTED APPLICATIONS Jean-Sbastien Lgar Dutch T. Meyer,

TOLERATING BUSINESS FAILURES IN HOSTED APPLICATIONS Jean-Sbastien Lgar Dutch T. Meyer, Mark Spear, Alexandru Totolici, Sara Bainbridge, Kalan MacRow, Robert Sumi, Quinlan Jung, Dennis Tjandra, David Williams-King, William Aiello, Andrew

567 views • 29 slides
Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Outline Faculty of Computer Science Institute for System Architecture, Operating Systems Group What's so different about device drivers? Hardware access Writing device drivers on L4 Reuse of legacy drivers Hardware and Device

619 views • 12 slides
Tolerating Application Failures with LegoSDN Balakrishnan Chandrasekaran Theophilus Benson Duke

Tolerating Application Failures with LegoSDN Balakrishnan Chandrasekaran Theophilus Benson Duke

Tolerating Application Failures with LegoSDN Balakrishnan Chandrasekaran Theophilus Benson Duke University Quality of Code In C, I never learned to use the debugger, so I used to never make mistakes I went millions and millions

540 views • 32 slides
uRADMonitor KIT1 Product Manual v1.0 / 2016 HARDWARE: 1.1.103 SOFTWARE: 115 DEVICE ID:

uRADMonitor KIT1 Product Manual v1.0 / 2016 HARDWARE: 1.1.103 SOFTWARE: 115 DEVICE ID:

uRADMonitor KIT1 Product Manual v1.0 / 2016 HARDWARE: 1.1.103 SOFTWARE: 115 DEVICE ID: _____________ QC ENGINEER: ______________ DATE: ________________ Congratulations on purchasing this excellent radiation dosimeter! You The uRADMonitor

421 views • 10 slides
XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could

XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could

XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory, ... Drivers are complex;

1.63k views • 95 slides
MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability

MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability

MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability Clustering &amp; disasters Geographical Redundancy power failures network failures Clustering Technologies hardware failures software failures

593 views • 47 slides
Embedded Device Generation Turning Software into Hardware Rohit Ramesh and Prabal Dutta

Embedded Device Generation Turning Software into Hardware Rohit Ramesh and Prabal Dutta

Embedded Device Generation Turning Software into Hardware Rohit Ramesh and Prabal Dutta Speakers Notes : - Im Rohit Ramesh, a PhD Student as the University of Michigan - Ive been working on Embedded Device Generation with Prof.

736 views • 52 slides
How to develop Device Drivers for Linux OS? Presented from: Rashid Siddiqui For: Bin Tang What

How to develop Device Drivers for Linux OS? Presented from: Rashid Siddiqui For: Bin Tang What

How to develop Device Drivers for Linux OS? Presented from: Rashid Siddiqui For: Bin Tang What is a device driver? Software that handles or manages a hardware controller for a particular device! What is a Controller? Is a piece of hardware

624 views • 31 slides
Software Mechanisms for Tolerating Soft Errors in an Automotive Brake-Controller Daniel Skarin

Software Mechanisms for Tolerating Soft Errors in an Automotive Brake-Controller Daniel Skarin

Software Mechanisms for Tolerating Soft Errors in an Automotive Brake-Controller Daniel Skarin Johan Karlsson Department of Computer Science and Engineering Chalmers University of Technology G oteborg, Sweden June 29, 2009 Introduction

432 views • 13 slides
Hardware Model and Software Validation for AcoustiGLASS (Autonomous Wearable Alert Device based

Hardware Model and Software Validation for AcoustiGLASS (Autonomous Wearable Alert Device based

Hardware Model and Software Validation for AcoustiGLASS (Autonomous Wearable Alert Device based on Sound Pattern Recognition) Kei Kojima March 2016 OBJECTIVE &amp; DESIGN CRITERIA The objective is to build an autonomous hearing glass

644 views • 16 slides
Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different

Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different about device drivers? Hardware access Writing device

634 views • 45 slides
software and hardware for the Internet of Things. Choose hardware Design hardware Design

software and hardware for the Internet of Things. Choose hardware Design hardware Design

Zeidman Technologies has created a fundamentally new way to develop embedded software and hardware for the Internet of Things. Choose hardware Design hardware Design software Initial hardware choices determine Integrate functionality and

185 views • 15 slides
How Software Projects Fail Software Failures Software appears, by its nature, to be difficult to

How Software Projects Fail Software Failures Software appears, by its nature, to be difficult to

How Software Projects Fail Software Failures Software appears, by its nature, to be difficult to engineer on a large scale. Nevertheless, there is an insatiable demand for sizeable, well-engineered software. Dr. James A. Bednar We continue to

69 views • 6 slides
Software Failures Perdita Stevens perdita@inf.ed.ac.uk

Software Failures Perdita Stevens perdita@inf.ed.ac.uk

Software Failures Perdita Stevens perdita@inf.ed.ac.uk http://www.inf.ed.ac.uk/teaching/courses/sapm/ Original slides: Dr James A. Bednar &amp; Dr David Robertson, changes by Dr Massimo Felici, Mr Conrad Hughes, me SAPM Spring 2010: Failures

771 views • 27 slides
What Can We Learn from Four Years of Data Center Hardware Failures? Guosai Wang, Lifei Zhang, Wei

What Can We Learn from Four Years of Data Center Hardware Failures? Guosai Wang, Lifei Zhang, Wei

What Can We Learn from Four Years of Data Center Hardware Failures? Guosai Wang, Lifei Zhang, Wei Xu Mo Moti tivati tion: n: E Evolving ng F Failur ure Mo Mode del Failures in data centers are common and costly - Violate service

870 views • 48 slides
Error detection Storage device failures and correction and mitigation - I Sector/page failure

Error detection Storage device failures and correction and mitigation - I Sector/page failure

Error detection Storage device failures and correction and mitigation - I Sector/page failure (i.e., Partial failure) Data lost, rest of device operates correctly A layered approach Permanent (e.g. due to scratches) or transient (e.g., due to

233 views • 6 slides
Perspectives on Network Management Jrgen Schnwlder International University Bremen,

Perspectives on Network Management Jrgen Schnwlder International University Bremen,

Perspectives on Network Management Jrgen Schnwlder International University Bremen, Germany NGI 2006, Valencia, 2006-04-05 Outline of the talk What is network management? What is the operators perspective? What is the

908 views • 33 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory Virtual Memory March

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory Virtual Memory March

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory Virtual Memory March 18, 2008 - Lecture 16 16 March 18, 2008 - Lecture Instructor: Trent Jaeger Instructor: Trent Jaeger Last class: Paging Today:

672 views • 39 slides
Network Management &amp; Monitoring Overview Advanced ccTLD Workshop September, 2008 Amsterdam,

Network Management &amp; Monitoring Overview Advanced ccTLD Workshop September, 2008 Amsterdam,

Network Management &amp; Monitoring Overview Advanced ccTLD Workshop September, 2008 Amsterdam, Holland nsrc@ccTLD-advanced Amsterdam What is network management? System &amp; Service monitoring Reachability, availability Resource

666 views • 22 slides
TDDB68/TDDE47 Concurrent Programming and Operating Systems Lecture: Memory management I Mikael

TDDB68/TDDE47 Concurrent Programming and Operating Systems Lecture: Memory management I Mikael

TDDB68/TDDE47 Concurrent Programming and Operating Systems Lecture: Memory management I Mikael Asplund Real-time Systems Laboratory Department of Computer and Information Science Thanks to Simin Nadjm-Tehrani and Christoph Kessler for much

1.47k views • 92 slides
1 The Translation The Translation Lookaside Lookaside Buffer (TLB) Buffer (TLB) Care and

1 The Translation The Translation Lookaside Lookaside Buffer (TLB) Buffer (TLB) Care and

Review: the Program and the Process VAS Review: the Program and the Process VAS BSS Process text segment Block Started by Symbol is initialized directly (uninitialized global data) e.g., heap and sbuf go here. from program text header

349 views • 5 slides
Capability Wrangling Made Easy: Debugging on a Microkernel with Valgrind Aaron Pohle, Bjrn

Capability Wrangling Made Easy: Debugging on a Microkernel with Valgrind Aaron Pohle, Bjrn

Dept. of Computer Science, Institute of System Architecture, Operating Systems Group Capability Wrangling Made Easy: Debugging on a Microkernel with Valgrind Aaron Pohle, Bjrn Dbel, Michael Roitzsch, Hermann Hrtig Technische Universitt

442 views • 22 slides
Memory Management Disclaimer: some slides are adopted from book authors slides with permission

Memory Management Disclaimer: some slides are adopted from book authors slides with permission

Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 Recap Multi-level paging Instead of a single big table, many smaller tables Save space Demand paging Memory is dynamically

523 views • 33 slides
Fault lt Tre ree An Analysis lysis (F (FTA) A) Kim R. Fowler KSU ECE February 2013 Pu

Fault lt Tre ree An Analysis lysis (F (FTA) A) Kim R. Fowler KSU ECE February 2013 Pu

Fault lt Tre ree An Analysis lysis (F (FTA) A) Kim R. Fowler KSU ECE February 2013 Pu Purp rpose se for r FTA A In the face of potential failures, determine if design must change to improve: Reliability Safety

1.41k views • 59 slides

More recommend