SLIDE 1
Integrating segmentation and paging protection for safe, efficient and transparent software extensions
Tzi-cker Chiueh, Prashant Pradhan, Ganesh Venkitachalam
Computer Science Department, State University of New York, Stony Brook, NY 11794-4400
http://www.ecsl.cs.sunysb.edu/palladium.html
SLIDE 2
Dynamic extensibility emerges as the major research theme and product trend
Extensible database systems: Informix, DB2, Oracle
Extensible applications: Adobe's Premiere, Apache Web Server
Extensible operating systems: Windows NT
Active Networking
Component-based software development methodology
A single application consists of components produced by multiple vendors ==> whose bugs cause application malfunction?
Need an intra-address-space protection mechanism to quarantine erroneous or malicious software components
SLIDE 3
A Linux-based system that supports safe user-level and kernel-level software extensions using the Intel X86 architecture's segmentation and paging hardware
Provides the same level of protection as using separate address spaces
Fastest protection domain switching: 142 CPU cycles for a null protected procedure call and return
Minimal changes required to existing programming tools and the conventional linear-address-space programming model
SLIDE 4
Figure: Virtual Address --(Segmentation)--> Linear Address --(Paging)--> Physical Address
Virtual Address: 16-bit segment selector and 32-bit offset
Segment-level Protection Check: 4 Segment Protection Levels (SPL); Segment Limit
Page-level Protection Check: 2 Page Protection Levels (PPL); Read/Write Permission
SLIDE 5
Figure: GDT/LDT + Two-Level Page Table
Descriptor Format
Page Table Entry Format: Page Frame Address, P, U, W, T, I, PL
SLIDE 6
Mapping between SPL and PPL: SPL 0, 1, 2 map to PPL 0; SPL 3 maps to PPL 1
Control transfer among protection domains:
lcall call-gate-ID / lret
Switch to the stack associated with the destination SPL
Only supports a transfer starting from a more privileged level to a less privileged level and back
On a process switch, the page-table base address register is reloaded and the TLB is flushed
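The two hardware checks of slide 4 and the SPL-to-PPL mapping of slide 6, modelled in C as an added illustration (this is not Palladium's code). Field layouts follow the documented x86 descriptor and 32-bit page-table-entry formats; the helper names, the sample descriptors, selectors and PTEs are constructed for the example, and the CR0.WP assumption is stated in a comment.

```c
#include <stdbool.h>
#include <stdint.h>

/* Decoded 8-byte GDT/LDT descriptor: base, byte-granular limit, DPL (= the segment's SPL). */
typedef struct { uint32_t base, limit; unsigned dpl; bool present; } segdesc_t;
enum { OK = 0, ERR_SEG_PRIV, ERR_SEG_LIMIT, ERR_PAGE_NOTPRESENT, ERR_PAGE_PRIV, ERR_PAGE_WRITE };

/* Build a present read/write data descriptor from its fields (constructed sample input). */
uint64_t make_descriptor(uint32_t base, uint32_t limit20, unsigned dpl, bool g4k) {
    uint64_t raw = limit20 & 0xFFFF;                     /* limit[15:0]      */
    raw |= (uint64_t)(base & 0xFFFFFF) << 16;            /* base[23:0]       */
    raw |= (uint64_t)0x12 << 40;                         /* type=0010b, S=1  */
    raw |= (uint64_t)(dpl & 3) << 45 | 1ULL << 47;       /* DPL, P           */
    raw |= (uint64_t)((limit20 >> 16) & 0xF) << 48;      /* limit[19:16]     */
    if (g4k) raw |= 1ULL << 55;                          /* G: 4 KB units    */
    return raw | (uint64_t)(base >> 24) << 56;           /* base[31:24]      */
}

segdesc_t decode_descriptor(uint64_t raw) {
    segdesc_t d;
    d.limit = (uint32_t)(raw & 0xFFFF) | ((uint32_t)((raw >> 48) & 0xF) << 16);
    if ((raw >> 55) & 1) d.limit = (d.limit << 12) | 0xFFF;   /* expand page-granular limit */
    d.base = (uint32_t)((raw >> 16) & 0xFFFFFF) | ((uint32_t)((raw >> 56) & 0xFF) << 24);
    d.dpl = (unsigned)((raw >> 45) & 3);
    d.present = ((raw >> 47) & 1) != 0;
    return d;
}

/* Slide 6 mapping: SPL 0, 1, 2 are "supervisor" to the paging unit (PPL 0); SPL 3 is "user" (PPL 1). */
unsigned ppl_for_spl(unsigned spl) { return spl == 3 ? 1 : 0; }

/* Segment-level check: max(CPL, RPL) may not exceed DPL and the offset must be within the limit.
 * On success *linear receives base + offset, the input to the paging unit. */
int segment_check(uint16_t sel, uint32_t offset, unsigned cpl, uint64_t raw, uint32_t *linear) {
    segdesc_t d = decode_descriptor(raw);
    unsigned rpl = sel & 3, epl = cpl > rpl ? cpl : rpl;
    if (!d.present || epl > d.dpl) return ERR_SEG_PRIV;
    if (offset > d.limit) return ERR_SEG_LIMIT;
    *linear = d.base + offset;
    return OK;
}

/* Page-level check on a 32-bit PTE: P (bit 0), R/W (bit 1), U/S (bit 2). Assumes CR0.WP is
 * set, as Linux does, so a clear R/W bit also blocks supervisor (SPL 0-2) writes. */
int page_check(uint32_t pte, uint32_t linear, unsigned cpl, bool write, uint32_t *phys) {
    if (!(pte & 1)) return ERR_PAGE_NOTPRESENT;
    if (ppl_for_spl(cpl) == 1 && !(pte & 4)) return ERR_PAGE_PRIV;   /* user code, supervisor page */
    if (write && !(pte & 2)) return ERR_PAGE_WRITE;
    *phys = (pte & 0xFFFFF000u) | (linear & 0xFFF);
    return OK;
}
```

With an extension segment at DPL 3 and an application segment at DPL 2 covering the same 0 to 3GB range, extension code (CPL 3) is stopped by the segment check when it names the application's selector and by the page check when it touches a PPL 0 page, while a kernel offset is rejected by the limit check.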
SLIDE 7
A main program (kernel or extensible application) is protected from its dynamically-linked extension modules, but not vice versa
Extensions are protected function calls
Among extension modules, only safety-strength but not security-strength protection
Shared data regions between protection domains are available to reduce data copying
User-level extensions make system calls through hosting applications; kernel-level extensions are allowed to access only selective core kernel services
SLIDE 8
User Data/Stack Segment SPL=3 PPL=1 SPL=3 PPL=1 Segment Code User Kernel Code Segment SPL=0 PPL=0 Kernel Data/Stack Segment SPL=0 PPL=0 Kernel 0GB 4GB Procedure Linkage Table Text Global Offset Table Data BSS Heap Relocated Shared Library Stack 3GB
Integrating segmentation and paging protection for safe, efficient, and transparent software extensions
7
SLIDE 9
Figure: address space layout with kernel extension segments (0GB to 4GB)
Kernel (3GB to 4GB): Kernel Code Segment SPL=0 PPL=0; Kernel Data/Stack Segment SPL=0 PPL=0
Kernel Extension Segments: Extension-1 SPL=1, PPL=0; Extension-2 SPL=1, PPL=0
User (0GB to 3GB)
SLIDE 10
Allow multiple extension segments, each of which can hold multiple extension modules that are loaded dynamically via insmod
One stack per extension segment. Modules loaded into the same segment cannot run concurrently
Kernel extension modules can access selective core kernel services such as kmalloc
Kernel service functions called by kernel extensions execute in the context of the kernel stack of the triggering user process or the "Idle" process
Shared data region allocated in the extension segment
SLIDE 11
Figure: kernel extension invocation path (steps 1 to 10) for User Process P, involving the System Call Table, Interrupt Gate, Per-Process Kernel Stack, Extension Stack, Extension Function Frame, Extension Function Table, Kernel Function Table, Kernel Service Call and Shared Data Area
SLIDE 12
Why is the segmentation approach not good?
Passing data/code pointers between protection domains requires swizzling because of different base addresses
Gcc and ld need to be modified, because they assume a flat linear address space
Difficult to support stateful shared library routines such as fprintf()
Solution: Combine page-level and segment-level protection checks
SLIDE 13
Figure: address space layout with user extension segments (0GB to 4GB)
Kernel (3GB to 4GB): SPL = 0, PPL = 0
User (0GB to 3GB): User Code Segment SPL = 2, PPL = 0; User Data/Stack Segment SPL = 2, PPL = 0
User Extension Segment: Extension-1 SPL = 3, PPL = 1; Extension-2 SPL = 3, PPL = 1; shared region SPL = 2, PPL = 1
SLIDE 14
Use seg_dlopen, seg_dlsym and seg_dlclose to load, access and close dynamically-loaded modules
Call init_PL in the beginning to be safely extensible
Use set_range to expose shared library code pages
Use set_call_gate to package application service functions that user extensions can invoke
Use xmalloc rather than malloc
Invoke gcc with a specific linker script to ensure that the Global Offset Table is placed on a separate page
SLIDE 15
The X86 architecture's lcall goes from a less-privileged level to a more-privileged level, and lret goes in the other direction
Gcc and ld do not know segments
Solution: Add one level of indirection by dynamically generating code sequences to hide inter-domain control transfers and the call/return semantic mismatch
seg_dlsym returns modified function pointers
SP and BP are saved in user space to avoid system calls
SLIDE 16
Figure: dynamically generated code sequences for an application (SPL = 2) calling an extension (SPL = 3)

Application segment (SPL = 2):

    Prepare:
        pushl 0x4(%esp)               # local call from the application lands here
        popl  ExtensionStack          # copy the caller's argument to the extension stack
        movl  %esp, SP2               # save SP and BP in user space (no system call)
        movl  %ebp, BP2
        push  ExtensionStackSegment   # build a far-return frame: SS:ESP and CS:EIP
        pushl ExtensionStackPointer   #   of the extension domain
        push  ExtensionCodeSegment
        push  Transfer
        lret                          # inter-domain call: lret enters the less-privileged segment

    AppCallGate:
        mov   SP2, %esp               # restore the application's stack
        mov   BP2, %ebp
        ret                           # local return to the original caller

Extension segment (SPL = 3):

    Transfer:
        call  ExtensionFunction       # local call and local return inside the extension
        lcall AppCallGateNum          # inter-domain return: lcall through the application's call gate
SLIDE 17
Additional protection check at page fault time based on the calling code segment's SPL and the faulted page's PPL
System call check based on the application's SPL and the calling code segment's SPL
A lifetime timer is set at the beginning of invoking an extension to prevent "infinite-loop" bugs. The timer value is left as a policy issue
Deliver signals to user applications when protection faults arise or lifetime timers expire. No support for system state cleanup other than resource reclamation
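A user-space analogue of the lifetime timer, added here as an example and not Palladium's own code: the budget is passed in as policy, expiry is signalled with SIGALRM, and the extension's stack frame is abandoned without further cleanup, as the caveat above states. The function names and the two sample extensions are constructed for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/time.h>

static sigjmp_buf lifetime_env;
static volatile sig_atomic_t lifetime_armed;

/* SIGALRM handler: abandon the extension's frame and resume in call_with_lifetime(). */
static void lifetime_expired(int sig) {
    (void)sig;
    if (!lifetime_armed) return;            /* stale timer after a normal return */
    lifetime_armed = 0;
    siglongjmp(lifetime_env, 1);
}

/* Invoke ext(arg) with a budget of budget_ms milliseconds; the budget is a policy
 * parameter, as on slide 17. Returns 0 if ext returned on its own and -1 if the
 * timer expired first. Only the stack frame is discarded: anything ext allocated is
 * not released here, which mirrors "no cleanup other than resource reclamation". */
int call_with_lifetime(void (*ext)(void *), void *arg, long budget_ms) {
    struct sigaction sa, old_sa;
    struct itimerval it, off;
    int rc;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = lifetime_expired;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, &old_sa);
    memset(&off, 0, sizeof off);            /* an all-zero itimerval disarms the timer */
    it = off;
    it.it_value.tv_sec = budget_ms / 1000;
    it.it_value.tv_usec = (budget_ms % 1000) * 1000;
    if (sigsetjmp(lifetime_env, 1) == 0) {  /* 1: restore the signal mask on longjmp */
        lifetime_armed = 1;
        setitimer(ITIMER_REAL, &it, NULL);
        ext(arg);
        lifetime_armed = 0;
        rc = 0;
    } else {
        rc = -1;                            /* landed here from lifetime_expired() */
    }
    setitimer(ITIMER_REAL, &off, NULL);     /* disarm, then restore the old handler */
    sigaction(SIGALRM, &old_sa, NULL);
    return rc;
}

/* Constructed extensions: one that returns, one with the infinite-loop bug. */
void well_behaved(void *arg) { if (arg) *(int *)arg += 1; }
void infinite_loop(void *arg) { volatile unsigned long spin = 0; (void)arg; for (;;) spin++; }
```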
SLIDE 18
Micro-Benchmark: Null protected procedure call (cost in CPU cycles; column totals as printed on the slide)

Component              Intra-Domain   Inter-Domain   Hardware
Setting up stack                  2             26          5
Calling function                  3             34         22
Returning to caller               3             75         44
Restoring state                   2              7          5
Total Cost                       10            142         89
SLIDE 19
Micro-Benchmark: Reverse-string function with different input string sizes, in micro-seconds

String Size (Bytes)       32       64      128      256
Unprotected Call        2.20     4.06     7.78    15.22
Palladium Call          2.79     4.65     8.37    15.97
Linux RPC             349.19   352.55   374.20   423.33
SLIDE 20
Macro-Benchmark: user-level extension
Fast CGI Invocation -- CGI script running as a protected function call, in requests/sec

HTML file size          28 Bytes   1 KByte   10 KBytes   100 KBytes
CGI                           98        92          76           33
FastCGI                      188       193         130           52
LibCGI (Palladium)           437       423         311           57
LibCGI (unprotected)         448       431         312           57
Web Server                   460       436         315           57
SLIDE 21
Macro-Benchmark: Compiled versus Interpretive Packet Filtering
Figure: bar chart of Cycles (0.0 to 1000.0) against Number of Terms (1 to 4), comparing BPF and Palladium
SLIDE 22
Palladium provides safe, efficient and transparent user-level and kernel-level software extensions
The key idea is to exploit both the paging and segmentation hardware features of the X86 architecture
Future Work:
Combine multi-threading with multiple protection domains
Exploit segmentation hardware to implement other kernel services such as narrow-interfaced protected memory
Debugger support for multi-segment programming
More application development experience in database and 3D graphics applications