WHO WATCHES THE WATCHMEN? Protecting Operating System Reliability - - PowerPoint PPT Presentation

WHO WATCHES THE WATCHMEN?

Protecting Operating System Reliability Mechanisms

Bj ¨

• rn D ¨
• bel, Hermann H¨

artig

Hollywood, 10/07/2012

Splitting Systems

Linux Bank App VPFS DOpE L4/Fiasco.OC Microkernel

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 2 of 13

Assumption: Res & NonRes Cores

ResCore NonRes Core NonRes Core NonRes Core NonRes Core NonRes Core NonRes Core NonRes Core NonRes Core NonRes Core NonRes Core D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 3 of 13

Transparent Replication as OS Service

Reliable Computing Base Replicated Driver Unreplicated Application Replicated Application L4 Runtime Environment Romain L4/Fiasco.OC microkernel

[DHE12] B. D ¨

• bel, H. H¨

artig, M. Engel: “Operating System Support for Redundant Multithreading” , EMSOFT 2012

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 4 of 13

Romain: Structure

Replica Replica Replica Romain System Call Proxy Memory Manager = NonRes NonRes NonRes NonRes NonRes NonRes Res Res D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 5 of 13

Three Alternatives for Signalling

• 1. Thread Migration
• 2. Synchronous notifications
• 3. Shared-memory polling

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 6 of 13

Alternative #1: Thread Migration

Rep NonRes Rep NonRes Res

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 7 of 13

Alternative #1: Thread Migration

NonRes NonRes Rep Res handle

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 7 of 13

Alternative #2: Notifications

Rep NonRes Rep NonRes notification n

• t

i fi c a t i

• n

Handler Res

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 8 of 13

Alternative #2: Notifications

Rep NonRes Rep NonRes reactivate r e a c t i v a t e Handler Res

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 8 of 13

Alternative #3: Shared-Memory Polling

Rep NonRes Rep NonRes Handler Res Memory p

• l

l

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 9 of 13

Alternative #3: Shared-Memory Polling

Rep NonRes Rep NonRes Handler Res Memory p

• l

l w r i t e w r i t e

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 9 of 13

Alternative #3: Shared-Memory Polling

Rep NonRes Rep NonRes Handler Res Memory p

• l

l p

• l

l

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 9 of 13

Evaluation

• MiBench, single-threaded

– susan: image filter – CRC32: checksumming a file

• Benchmarks with highest overhead in [DHE12]
• Test machine:

– 12 Intel Core i7 CPUs @ 2.6 GHz – Replicas pinned to dedicated physical cores – Hyperthreading off

• Double (DMR) and triple (TMR) modular redundancy

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 10 of 13

Overhead to Unreplicated Execution

10 20 30 40 50 60 Overhead in % Overhead by signalling method Migration Sync IPC Shared Mem

susan CRC32 DMR susan CRC32 TMR

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 11 of 13

Transparent Replication as OS Service

• This paper:

– Protection of RCB components – Efficient signalling

• [DHE12]:

– Application replication – Transmission errors

• To be done:

– Multithreading (determinism) – Device drivers, I/O – Scalability Analysis

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 12 of 13

Key Points

• Reliable Computing Base
• Assumption: Hardware with varying resilience levels
• Replication as OS Service
• Efficient signalling between Res and NonResCores
• Hardware wishlist:

– Memory isolation between NonResCores – Fast inter-core notifications (e.g., Intel SCC)

D ¨

• bel, H¨

artig, 10/07/2012 Who Watches the Watchmen? slide 13 of 13