Emmett Witchel Josh Cates Krste Asanovic MIT Lab for Computer Science Mondrian Memory Protection.

Slides:



Advertisements
Similar presentations
Virtual Memory. The Limits of Physical Addressing CPU Memory A0-A31 D0-D31 “Physical addresses” of memory locations Data All programs share one address.
Advertisements

CSIE30300 Computer Architecture Unit 10: Virtual Memory Hsin-Chou Chi [Adapted from material by and
Virtual Memory Hardware Support
Considerations for Mondriaan-like Systems 2009 Workshop on Duplicating, Deconstructing, and Debunking Emmett Witchel University of Texas at Austin.
CS 153 Design of Operating Systems Spring 2015
CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
Virtual Memory Adapted from lecture notes of Dr. Patterson and Dr. Kubiatowicz of UC Berkeley and Rabi Mahapatra & Hank Walker.
Memory Management (II)
S.1 Review: The Memory Hierarchy Increasing distance from the processor in access time L1$ L2$ Main Memory Secondary Memory Processor (Relative) size of.
Computer ArchitectureFall 2008 © November 10, 2007 Nael Abu-Ghazaleh Lecture 23 Virtual.
Recap. The Memory Hierarchy Increasing distance from the processor in access time L1$ L2$ Main Memory Secondary Memory Processor (Relative) size of the.
Memory Management and Paging CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.
Computer ArchitectureFall 2007 © November 21, 2007 Karem A. Sakallah Lecture 23 Virtual Memory (2) CS : Computer Architecture.
CS 333 Introduction to Operating Systems Class 11 – Virtual Memory (1)
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
Memory Management 2010.
EECE476: Computer Architecture Lecture 27: Virtual Memory, TLBs, and Caches Chapter 7 The University of British ColumbiaEECE 476© 2005 Guy Lemieux.
CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
CS 153 Design of Operating Systems Spring 2015 Lecture 17: Paging.
Emmett Witchel Krste Asanovic MIT Lab for Computer Science Mondriaan Memory Protection.
Operating Systems ECE344 Ding Yuan Paging Lecture 8: Paging.
Virtual Memory Expanding Memory Multiple Concurrent Processes.
8.1 Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Paging Physical address space of a process can be noncontiguous Avoids.
CS399 New Beginnings Jonathan Walpole. Virtual Memory (1)
Virtual Memory Part 1 Li-Shiuan Peh Computer Science & Artificial Intelligence Lab. Massachusetts Institute of Technology May 2, 2012L22-1
Virtual Memory. Virtual Memory: Topics Why virtual memory? Virtual to physical address translation Page Table Translation Lookaside Buffer (TLB)
Operating Systems Lecture 14 Segments Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software Engineering.
University of Amsterdam Computer Systems – virtual memory Arnoud Visser 1 Computer Systems Virtual Memory.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Virtual Memory Hardware.
Processes and Virtual Memory
Multilevel Caches Microprocessors are getting faster and including a small high speed cache on the same chip.
Virtual Memory.  Next in memory hierarchy  Motivations:  to remove programming burdens of a small, limited amount of main memory  to allow efficient.
Carnegie Mellon 1 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Virtual Memory: Concepts Slides adapted from Bryant.
Constructive Computer Architecture Virtual Memory: From Address Translation to Demand Paging Arvind Computer Science & Artificial Intelligence Lab. Massachusetts.
OS Memory Addressing. Architecture CPU – Processing units – Caches – Interrupt controllers – MMU Memory Interconnect North bridge South bridge PCI, etc.
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
CS5204 Fall 20051Oct. 26, 2005 Mondrix: Memory Isolation for Linux using Mondriaan Memory Protection Emmett Witchel Junghwan Rhee Krste Asanovic Sreeram.
Virtual Memory 1 Computer Organization II © McQuain Virtual Memory Use main memory as a “cache” for secondary (disk) storage – Managed jointly.
Translation Lookaside Buffer
CMSC 611: Advanced Computer Architecture
Vivek Seshadri 15740/18740 Computer Architecture
ECE232: Hardware Organization and Design
From Address Translation to Demand Paging
From Address Translation to Demand Paging
Memory Hierarchy Virtual Memory, Address Translation
CS510 Operating System Foundations
CSE 153 Design of Operating Systems Winter 2018
Lecture 14 Virtual Memory and the Alpha Memory Hierarchy
From Address Translation to Demand Paging
Translation Lookaside Buffer
Hardware Works, Software Doesn’t: Enforcing Modularity with Mondriaan Memory Protection Emmett Witchel Krste Asanović MIT Lab for Computer Science.
Morgan Kaufmann Publishers Memory Hierarchy: Virtual Memory
CSE 451: Operating Systems Autumn 2005 Memory Management
Virtual Memory Overcoming main memory size limitation
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
CSE451 Virtual Memory Paging Autumn 2002
CSE 451: Operating Systems Autumn 2003 Lecture 9 Memory Management
CSC3050 – Computer Architecture
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
CSE 451: Operating Systems Autumn 2003 Lecture 9 Memory Management
Lecture 8: Efficient Address Translation
CSE 471 Autumn 1998 Virtual memory
Paging and Segmentation
CSE 451: Operating Systems Lecture 10 Paging & TLBs
CS703 - Advanced Operating Systems
CSE 153 Design of Operating Systems Winter 2019
Virtual Memory Lecture notes from MKP and S. Yalamanchili.
Virtual Memory Use main memory as a “cache” for secondary (disk) storage Managed jointly by CPU hardware and the operating system (OS) Programs share main.
Instructor: Phil Gibbons
Presentation transcript:

Emmett Witchel Josh Cates Krste Asanovic MIT Lab for Computer Science Mondrian Memory Protection

Software Has Needs Plug-ins have won as the extensible system model. o Fast & data sharing is convenient. Software is written for a model not directly supported by current hardware and OSes. o No protection. Single Address Space Kernel vfat.o RW RO EX NO

Plug-ins need access to different, small data structures. o Word level protection at word boundaries. Placing every possibly shared data on its own page is very difficult. o Some data structures imposed by hardware. Currently, Protection Is Not Provided Kernel vfat.o RW RO EX NO Single Address Space

Mondrian Memory Protection Single address space split into multiple protection domains. A domain owns a region of the address space and can export privileges to another domain  Similar to mprotect. Kernel (PD-ID=0) vfat.o (PD-ID=1) RW RO EX NO Single Address Space

Word Level Protection Is Not New Segmentation is a traditional solution. o + Provides word-level protection. o - Explicit segment registers [B5000,x86] o - Non-linear addressing Capability based machines. o + Fine-grained sharing. o - Revocation difficult [System/38, M- machine]. o - Different protection for different domains via shared capability is hard.

MMP is a New Solution Segmentation semantics without the problems. o MMP provides fine-grained protection and data sharing. o MMP uses linear addressing. o MMP is compatible with existing ISAs o MMP has no segment registers. o MMP has easy perm. revocation. o MMP does not have tagged pointers. MMP is all the fun of segmentation without the headaches.

There’s No Free Lunch MMP requires extra memory to store permissions tables. o Good engineering keeps tables small. MMP requires CPU & memory system resources to access tables. o Good engineering provides an effective cache for permissions information so table access is infrequent.

Segmentation Timeline VA - constructed by processor. LA - post segmentation. PA - post TLB translation. Protection Fault Linear Addr. VA Seg. Regs TLB (opt.) PA

MMP Timeline MMP checks virtual addresses. o Protection check only needs to happen before instruction graduation (not in critical path). Protection Fault Linear Addr. VA TLB (opt.) PA MMP

MMP Implementation —Tables Memory Permissions Table Refill Lets look at the table in memory. CPU Protection Lookaside Buffer Domain ID (PD-ID) Perm. Table Base Permissions Table

Permission Table Requirements Entries should be compact. o 2 bits of permissions data per word (none, read-only, read-write, execute-read). Should represent different sized regions efficiently. o Any number of words at a word boundary. Organized like a hierarchical page table (trie).

Representing Large Regions Efficiently Upper level entries are typed, enabling large entries. … … … … P D D P D … P D D D D … P D D D P 2 bits per sub-block 1 st level 256KB sub-blocks 2 nd level 256B sub-blocks 3 rd level – 4B sub-blk

Representing Large Regions Efficiently Upper level entries are typed, enabling large entries. … … … P D D P D … P D D D D … D D D P 2 bits per sub-block 1 st level 256KB sub-blocks 2 nd level 256B sub-blocks 3 rd level – 4B sub-blk D

Representing Large Regions Efficiently Upper level entries are typed, enabling large entries. … … P D D P D … P D D D D 2 bits per sub-block 1 st level 256KB sub-blocks 2 nd level 256B sub-blocks 3 rd level – 4B sub-blk0-256KB no perm. … D D D D D

Compressing The Entry Format Most words have same perm. as neighbor. o Compressed entries represent longer, overlapping regions. o Compressed entries are the same size, but represent more information. Naive Entries Compressed Entries Memory Words

MMP Implementation — PLB Memory Permissions Table Refill Lets look at the PLB. CPU Protection Lookaside Buffer Perm. Table Base Protection Lookaside Buffer Domain ID (PD-ID)

PLB Requirements The PLB caches protection table entries tagged by Domain-ID. o Like a TLB but without translation. o Like a TLB but variable ranges, not just page sizes.

Instruction + RSIMM PLB TagPerm Tab. Ent. OP Addr Regs CK Read/Write OKFault Access Perm. Table in Memory Hit? No Yes PLB Permissions Check Flow PD-ID PC checked for execute permissions.

PLB Requirements PLB task—index permissions data from different sized memory chunks. o Loads from different addresses can get permissions information from different levels in the table. D vs. 1 st level or 2 nd level

PLB index implemented by ternary CAM. o Like superpages in a TLB, but protection superpages are easy for OS—they don’t require lots of contiguous physical memory. o PLB index limited to power-of-two size. Protection Look aside Buffer (PLB) 0x07 XX XX 0x09 87 XX 0x PLB (Xs are don’t-care bits) Tag (26 bits) Perm. Table Ent. D D 1 st level ent. 2 nd level ent. 3 rd level ent. o The compressed format has intermediate number of don’t-care bits, and non power- of-two sized regions. PD-ID 0 0 0

MMP Implementation — Sidecars Memory Permissions Table Refill Lets look at the the sidecars. CPU Protection Lookaside Buffer Perm. Table Base Sidecars refill Sidecars Domain ID (PD-ID)

Register Sidecars Sidecars allow permissions checks without accessing the PLB (register level cache). o Base, bounds and permissions information in sidecar. o Lower access energy for sidecar than PLB. Increased hit rate with compressed entry format because non power-of- two sized regions are not fully indexed by PLB. o Fewer table accesses than PLB alone.

Instruction + RSIMM OP Addr Regs CK Read/Write OKFault Access PLB Sidecar Permissions Check Flow Base Bound Perm Sidecar Regs Base  Addr.  Bound NoYes PC has its own sidecar.

Coarse-Grained Evaluation Coarse-grained protection equivalent to current UNIX semantics (text, ro- data, data, bss, stack). o One protection domain. Application mix from SPEC2000, SPEC95, Java, Media bench, and Olden.  Compiled with gcc –O3 (egcs-1.0.3) o Address traces fed to MMP simulator.

Coarse-Grained Protection Results 60 Entry PLB60 Entry TLB Ref. to MMP tables Application refs % % Table size / App. data % % Sidecar miss rate 1-40%(12%)-- Comparison with TLB is just for scale, a TLB is still useful with MMP. o MMP is 2 bits of protection, not 4 bytes of translation + protection.

Fine-Grained Evaluation Fine-grained protection: Every malloc- ed region goes in its own protection region with inaccessible header words between regions. o malloc library is protected subsystem. Very demanding evaluation, almost worst case. o Protected subsystems will likely not have to export every region malloc-ed. o Functionality similar to purify.

Fine-Grained Protection Results 60 Entry PLB Ref. to MMP tables Application refs % (0.1-19%) Table size / App. data % Table references eliminated by sidecars % Time and space overheads very small. o Results include table updates. o Minimal cache disturbance (study in paper). o Sidecar helps eliminate table references. o Paper compares different entry formats.

MMP Timeline With Translation MMP can add an offset to the VA, providing translation. o Protection check happens on pre- translated address. o Address generation is 3-to-1 add on critical path. Protection Fault Linear Addr. VA TLB (opt.) PA MMP Trans Unit

Kernel a user Implement zero- copy networking. Translation lets memory discontiguous in one domain appear contiguous in another. No cache aliasing problem, translation before cache access. Why Translation? Body 1 Head 1 Body 0 Head 0 Body 0 Body 1 Single Address Space

Implementing Translation MMP entry format is flexible, allowing additional pointer types. o Pointer to permissions and byte-level translation offset. Translation information held in sidecar. Variable sized pool of translation records +0x9583F … PT 3 rd level table New ptr. type

MMP Networking Results Simulated a zero-copy networking implementation that uses unmodified read system call. o Web client receiving 500KB. Eliminates 52% of memory references relative to a copying implementation. o Win includes references to update and read the permissions tables. o 46% of reference time saved.

Related Work Capabilities [Dennis65, IBM AS400]. Domain Pages [Koldinger ASPLOS92]. Guarded pointers [Carter ASPLOS94]. Guarded page tables [Liedke 94]. IP longest prefix match [Waldvogel TOCS 01].

Possible Applications Safe kernel modules. o Safe plug-ins for apache and web browsers. Eliminate memory copying from kernel calls. o Provide specialized kernel entry points. Support millions of threads, each with a tiny stack. Implement C++ const. Use meta-data for cache coherence. Make each function its own protection domain. o Buffer overrun much more difficult.

Conclusion Fine-grained protection is the solution for safe, extensible systems. Fine-grained protection can be provided efficiently. Mondrian Memory Protection will enable more robust software. o It matches the way we think about code. o It can be adopted incrementally (e.g., 1 st just change malloc library).

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.