Sharing and protection in Multics Landon Cox January 31, 2018
Layer 0 Layer 1 Layer 2 Layer 3 Layer 4 User programs I/O devices Console Pager Scheduler
THE Were THE processes protected from each other? Yes, processes had private segment spaces Those spaces were isolated via the compiler and Layer 1 Are Tock processes protected from each other? Yes, processes are protected by the MPU hardware What is the flip side of protection? Sharing! There are often many benefits to sharing (i.e., “features”) Sharing creates complexity Sharing requires access control (for safety and fault tolerance)
THE Could THE processes share in-core data? Only within the structure of the hierarchy Lower layers were like shared libraries User processes could not share with each other In Tock, processes only share the kernel What about persistent data in THE? Not really, “no common data base.”
THE Important idea not supported by THE The notion of a user “not intended as a multi-access system” What is a “user” in a computer system? Identifier assigned to processes and storage objects Unit of access control in most systems Often associated with a person, but doesn’t have to Do modern machines support users? Desktops/servers do, mobile devices kind of do
Multics Multi-user operating system Primary goal is to allow efficient, safe sharing btw users What was the central data abstraction in Multics? A segment All data was contained within a segment No distinction between files and memory Means all stores are (potentially) persistent What is a segment? Named range of contiguous data + associated meta-data Accessed through loads/stores in memory Think of a segment as an mmapped region of memory
Block-oriented vs byte-oriented Disks are accessed in terms of blocks Also called sectors Similar idea to memory pages E.g., 4KB chunks of data First problem: programs deal with bytes E.g., want to change ‘H’ in “Hello world” to ‘J’ Disks only support block-sized, bulk accesses
Block-oriented vs byte-oriented To read less than a block Read entire block Return the right portion How to write less than a block? Modify the right portion Write out entire block Nothing analogous to byte-grained load/store Flash devices are even more complicated
mmap overview Maps file data into virtual address space Must be mapped at page granularity Data accessed via loads/stores (Most) virtual pages are mapped to a storage page For normal virtual memory page, place to swap in/out For mmapped file, specified file provides the backing Mmaped regions w/o a backing file are called anonymous pages mmap implementation Integrated with in-memory buffer cache (i.e., kernel’s file cache) Loads/stores immediately applied to buffer cache Reads by other processes hit buffer cache
When is mmaped data actually persistent (i.e., hits the disk)? mmap overview Let’s do a demo … When is mmaped data actually persistent (i.e., hits the disk)?
Multics segments Implications of segments Difference between a program and process? We think of a process as an execution of a program In Multics, there was very little distinction What does this force programmers to do? Must explicitly manage segments Process cannot just exit and return to a “known” state Places a lot of burden on programmers Beware, complexity creep …
Review: multi-level translation Single-level page table Just a flat array of page table entries VA={b31,b30,…,b12,b11,…,b1,b0} High-order bits (Page number) Low-order bits (offset) Used to index into table
Review: multi-level translation Multi-level page table Use a tree instead of an array VA={b31,b30,…,b22,b21,…, b12,b11,…,b1,b0} Level 1 Level 2 Low-order bits (offset) Used to index into table 2 Used to index into table 1 What is stored in the level 1 page table? If valid? If invalid?
Review: multi-level translation Multi-level page table Use a tree instead of an array VA={b31,b30,…,b22,b21,…, b12,b11,…,b1,b0} Level 1 Level 2 Low-order bits (offset) Used to index into table 2 Used to index into table 1 What is stored in the level 2 page table? If valid? If invalid?
Review: two-level tree 1 … 1023 ? Level 1 NULL NULL Level 2 0: PhysPage, Res, Prot 0: PhysPage, Res, Prot 1: PhysPage, Res, Prot 1: PhysPage, Res, Prot … … ? 1023: PhysPage, Res, Prot 1023: PhysPage, Res, Prot ? VA={b31,b30,…,b22,b21,…, b12,b11,…,b1,b0} Level 1 Level 2 Offset
Review: two-level tree 1 … 1023 ? Level 1 NULL NULL Level 2 0: PhysPage, Res, Prot 0: PhysPage, Res, Prot 1: PhysPage, Res, Prot 1: PhysPage, Res, Prot … … ? 1023: PhysPage, Res, Prot 1023: PhysPage, Res, Prot ? How does this save space?
Review: two-level tree 1 … 1023 ? Level 1 NULL NULL Level 2 0: PhysPage, Res, Prot 0: PhysPage, Res, Prot 1: PhysPage, Res, Prot 1: PhysPage, Res, Prot … … ? 1023: PhysPage, Res, Prot 1023: PhysPage, Res, Prot ? What changes on a context switch?
Multics: segment access Address [s,i] Descriptor Base Register Descriptor Segment Core|Ld s Segment Descriptor Word Ld Segment Core|Ls|Acc|F Lookup algorithm? i if(DBR.L < S) fault sdw = DW[s] if(sdw.F || sdw.L<i) fault if(!verify(sdw.Acc)) fault return sdw.Core + i Ls word of data L = length, Acc = protection, F = resident
What about paging? How do we make sure that segments are in-core? Segments are broken into fixed-size pages (1k) Another structure to map parts of a segment to pages Page tables describe where pieces are in core Descriptor segment is a segment too! Must locate the pages on which it is located Can then walk data structure to locate data
Paged segment access [s,i] [sp,sw,ip,iw] Core|L Page sp of DS (1) Find page table for descriptor segment (2) Page holds part of descriptor segment Descriptor Base Register [s,i] [sp,sw,ip,iw] Page Table of Descriptor Segment Core|L (3) Use descriptor segment to find page table for data segment Page sp of DS Core|L sp Segment Descriptor Word sw Page Table of Segment S Page ip of Segment S Core|L|Acc|F What’s the problem with this? Core|L ip This is a lot of memory accesses iw word of data How do we make it faster? (4) Use page table to locate data we want to access Caching in hardware: TLB
Multics supervisor code Location of THE supervisor state In separate processes at low-level layers In Multics, where did supervisor state reside? In segments mapped into every process Supervisor segments were at top of address space How was supervisor state protected? Hardware protection provided by processor Hardware supported 8 protection rings (!) Idea was to enforce layering via hardware Exactly like privilege modes (kernel/user/etc) you are used to
Multics supervisor code How did programs invoke the supervisor? Just a procedure call Calls always reside in segments at top of address space Just jump into code in those segments What else has to happen? Have to change hardware protection mode Who/what changed protection modes? This was hardware enforced All segments were assigned a ring level (including code) Mode for an instruction was set in descriptor on which it resided
Protection today All memory accesses go through a translator GBs of protected data All memory accesses go through a translator Who can modify translator’s data? Only kernel can modify translator’s data How do we know if kernel is running? Mode bit indicates if kernel is running Who can modify the mode bit? One bit of protected data Making progress: the amount of protected data is down to a bit
Protecting the mode bit Can kernel change the mode bit? Yes. Kernel is completely trusted. Can user process change the mode bit? Not directly User programs need to invoke the kernel Must be able to initiate a change
When to transition from user to kernel? Exceptions (interrupts, traps) Access something out of your valid address space (e.g., segmentation fault) Disk I/O finishes, causes interrupt Timer pre-emption, causes interrupt Page faults System calls Similar in purpose to a function call Kernel as software library
System call implementation Syscalls are like functions, but different Implemented by special instruction syscall Execution of syscall traps to kernel Processor safely transfers control to kernel Hardware invokes kernel’s syscall trap handler
Kernel trap details User process can initiate mode switch But only transfers control in limited way (i.e., to predefined kernel code) How does processor know where to jump? Stored in hardware “interrupt vector table” Who can update the interrupt vector table? Kernel does this at startup Code that runs first gets control of machine
Segment sharing To facilitate sharing, we need common namespace for segments Multics uses file hierarchy to name all segments Populating address space like a bunch of mmap calls Why is this a nice abstraction? Maps human-readable names (easy to program) to data Makes it easy to specify what data you want to operate on Who manages the namespace? Must be privileged code Common data structure used by all processes Only code trusted by all should be allowed to modify directly
Segment sharing What operations can a process perform on the namespace? Create a segment Delete a segment Change a segment’s name Change the access policy of a segment Read the content of a directory What prevents collisions in the namespace? The supervisor code On a request to create a segment, checks to see if it already exists
Segment sharing How does a process populate its address space? Must know or compute parts of the namespace Invokes the OS to map named segment into memory OS updates the Known Segment Table (KST) for process KST maps segments to pathnames OS returns beginning of segment, length to process Once mapped, how is data loaded into memory? Data is demand loaded Process accesses address (e.g., [s,i]) This triggers a page fault and a trap to the OS The OS uses the KST to locate data on disk
Discussion Are Multics segments a good idea or bad? Programmers may have to perform garbage collection Temporary state must be torn-down/re-initialized by hand Adds complexity Danger of accessing persistent data via loads/stores? Buggy programs can lead to stray writes Stray writes become permanent Why are permanent stray writes bad? Important data structures could become corrupted “Restarting” program just puts you back in a bad state
Discussion How do most modern systems present persistent storage? Must access persistent storage through file system File system interface: open, read, write Why is an explicit file system interface safer? Write system call is similar to a “commit” An explicit acknowledgement that data is ready to be made persistent Buggy programs much less unlikely to generate a spurious write call Spurious loads and stores are very common in buggy programs We actually see this observation in Multics itself. Where? In how it handles the namespace Important, persistent data structure Can only be modified in a controlled way, through narrow interface Nice to offer same interface for user data
Topic we will revisit Interfaces to persistent storage Periodic source of new research In the 90s: battery-backed RAM Memory persists across reboots Rio-Vista from Michigan (SOSP ‘97) Today: phase-change memory, Intel 3D Xpoint Fast, persistent substrate BPFS from Microsoft and UCLA (SOSP ‘09) Strata from UT-Austin (SOSP ‘17)