Solving the Starting Problem Device Drivers as Self-Describing Artifacts Michael Spear(Rochester) Tom Roeder(Cornell) Galen Hunt(Microsoft) Orion Hodson(Microsoft)

Slides:



Advertisements
Similar presentations
Nooks: Safe Device Drivers with Lightweight Kernel Protection Domains Mike Swift, Steve Martin Hank Levy, Susan Eggers, Brian Bershad University of Washington.
Advertisements

MicroKernel Pattern Presented by Sahibzada Sami ud din Kashif Khurshid.
Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Operating System Structure
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
CS 345 Computer System Overview
Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, David Becker, Marc.
Extensibility, Safety and Performance in the SPIN Operating System Department of Computer Science and Engineering, University of Washington Brian N. Bershad,
Extensible Kernels Edgar Velázquez-Armendáriz September 24 th 2009.
Lecture 1: History of Operating System
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.
Nooks: an architecture for safe device drivers Mike Swift, The Wild and Crazy Guy, Hank Levy and Susan Eggers.
I/O Hardware n Incredible variety of I/O devices n Common concepts: – Port – connection point to the computer – Bus (daisy chain or shared direct access)
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Microkernels: Mach and L4
A Type System for Expressive Security Policies David Walker Cornell University.
Figure 1.1 Interaction between applications and the operating system.
Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.
Exokernel: An Operating System Architecture for Application-Level Resource Management Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr. M.I.T.
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
Reflection, Conversions, and Exceptions Tom Roeder CS fa.
Chapter 13: I/O Systems I/O Hardware Application I/O Interface
Xen and the Art of Virtualization Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, Andrew Warfield.
JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.
CS533 Concepts of Operating Systems Jonathan Walpole.
1 Memory Management Memory Management COSC513 – Spring 2004 Student Name: Nan Qiao Student ID#: Professor: Dr. Morteza Anvari.
LWIP TCP/IP Stack 김백규.
Presentation of Singularity OS Seminar, winter 2005 by Jacob Munk-Stander November 23 rd, 2005.
A Survey of Dynamic Techniques for Detecting Device Driver Errors Olatunji Ruwase LBA Reading Group 18 th May 2010.
Fall 2000M.B. Ibáñez Lecture 01 Introduction What is an Operating System? The Evolution of Operating Systems Course Outline.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Can We Make Operating Systems Reliable and Secure? Andrew S. Tanenbaum, Jorrit N. Herder, and Herbert Bos Vrije Universiteit, Amsterdam May 2006 Group.
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
LINUX System : Lecture 7 Bong-Soo Sohn Lecture notes acknowledgement : The design of UNIX Operating System.
Processes Introduction to Operating Systems: Module 3.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM
Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL Chris Hawblitzel Microsoft Research.
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
CSC414 “Introduction to UNIX/ Linux” Lecture 2. Schedule 1. Introduction to Unix/ Linux 2. Kernel Structure and Device Drivers. 3. System and Storage.
MIDORI The Windows Killer!! by- Sagar R. Yeole Under the guidance of- Prof. T. A. Chavan.
Chapter 2 Operating System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Improving the Reliability of Commodity Operating Systems Michael M. Swift, Brian N. Bershad, Henry M. Levy Presented by Ya-Yun Lo EECS 582 – W161.
CS533 Concepts of Operating Systems Jonathan Walpole.
I/O Software CS 537 – Introduction to Operating Systems.
Introduction to Programming 1 1 2Introduction to Java.
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
Computer System Structures
Muen Policy & Toolchain
Why VT-d Direct memory access (DMA) is a method that allows an input/output (I/O) device to send or receive data directly to or from the main memory, bypassing.
Support for Program Analysis as a First-Class Design Constraint in Legion Michael Bauer 02/22/17.
KERNEL ARCHITECTURE.
Chapter 9: Virtual-Memory Management
IMPROVING THE RELIABILITY OF COMMODITY OPERATING SYSTEMS
Chapter 3: Operating-System Structures
Operating System Concepts
Lecture 15 Reading: Bacon 7.6, 7.7
Outline Chapter 2 (cont) OS Design OS structure
LINUX System : Lecture 7 Lecture notes acknowledgement : The design of UNIX Operating System.
Chapter 13: I/O Systems I/O Hardware Application I/O Interface
Preventing Privilege Escalation
In Today’s Class.. General Kernel Responsibilities Kernel Organization
Module 12: I/O Systems I/O hardwared Application I/O Interface
Presentation transcript:

Solving the Starting Problem Device Drivers as Self-Describing Artifacts Michael Spear(Rochester) Tom Roeder(Cornell) Galen Hunt(Microsoft) Orion Hodson(Microsoft) Steven Levi(Microsoft)

2 June 2015Solving the Starting Problem2 The Driver Conspiracy Theory Kernel developers write some device drivers therefore driver developers should be smart –Imperative driver code implicitly declares all the resources it will use We hide this information during compilation Then we lament its absence when things fail –Drivers eschew safe programming languages to gain performance –Driver code is written rarely, and it is tedious But, drivers cause too many system failures

2 June 2015Solving the Starting Problem3 What Makes a Driver Dependable? It is bug free (or its bugs are isolated) –If drivers can contain bugs, they must be isolated from the kernel and applications It is configured correctly –The kernel must know exactly which resources the driver uses –The system must be able to verify driver configuration without execution

2 June 2015Solving the Starting Problem4 Outline Singularity Overview Self-Describing Drivers Benefits Experience Related Work Conclusions

2 June 2015Solving the Starting Problem5 Singularity Overview Dependability is a design-time consideration –Fix and verify system behavior as early as possible in code lifecycle Application isolation is not just a run-time issue Design Time Post Mortem Compile Time Install Time Load Time Run Time errors are less expensive when they are found early

2 June 2015Solving the Starting Problem6 Singularity Implementation Microkernel OS written in C# / Sing# –Strong type safety and memory safety –Compiled to native code / no JIT Emphasis on increasing static verification –Verify early, verify often

2 June 2015Solving the Starting Problem7 Applications Applications are composed of one or more processes –Process protection via language safety, not hardware –All inter-process communication (IPC) through channels Application configuration is declarative –Application manifests describe dependencies, resources, and code –System manifest describes configuration of applications and system policies Declarative configuration enables off-line (static) analysis –You shouldn’t have to run an application to determine if it is configured correctly

2 June 2015Solving the Starting Problem8 Drivers Singularity drivers are a distinct category of application Drivers do more than regular applications –Access hardware –Abstract hardware-specific functionality Drivers do less than regular applications –Require limited functionality –Follow simple design patterns Drivers do not run in the kernel –In practice, driver developers are not kernel developers –so, we don’t trust them!

2 June 2015Solving the Starting Problem9 Outline Singularity Overview Self-Describing Drivers Benefits Experience Related Work Conclusions

2 June 2015Solving the Starting Problem10 Drivers in Singularity Drivers are processes –Isolated through language protection, not hardware –Communicate with applications through channels OS enforces strict limits on drivers –Access to limited set of libraries –No file system or namespace access Only drivers can access objects in driver runtime –I/O ports, interrupt vectors, DMA channels, I/O memory regions

2 June 2015Solving the Starting Problem11 Driver Installation Programmer delivers bundle of MSIL (bytecode) files Driver verified against system policy Driver is statically linked to trusted libraries Whole-program analysis/optimization Native instruction code generation Driver MSIL Driver MSIL Driver MSIL System Policy Driver MSIL Trusted Libraries Native Executable Bartok Compiler Verification

2 June 2015Solving the Starting Problem12 Self-Describing = Code + Metadata MSIL format affords convenient and verifiable representation of declarative metadata –Resources are annotated where they are declared –No separate configuration files are needed –Metadata is strongly typed

2 June 2015Solving the Starting Problem13 Driver Configuration Object [DriverCategory] [Signature("/pci/03/00/5333/8811")] class S3Trio64Config : DriverCategoryDeclaration { [IoMemoryRange(0, Length = 0x400000)] IoMemoryRange frameBuffer; [IoFixedMemoryRange(Base = 0xb8000, Length = 0x8000)] IoMemoryRange textBuffer;... [IoFixedPortRange(Base = 0x3c0, Length = 0x20)] IoPortRange control; [ServiceEndpoint(typeof(VideoDeviceContract.Exp))] TRef video;... } requires PCI Device requires 4MB frame buffer (declared in PCI config) requires system console buffer exports channel for clients to access video device requires VGA I/O ports

2 June 2015Solving the Starting Problem14 The Metadata Lifecycle Annotations are: –Type-checked at compile time –Verified at install time Require annotations on object declarations from driver runtime Metadata in driver must match physical hardware –Extracted to form the driver manifest used at driver activation –Declarative and general to any use of the driver For example, all PCI drivers declare the required count / type of I/O objects, minimum length of range The burden on the programmer is minimal, but the kernel is empowered to manage resources proactively

2 June 2015Solving the Starting Problem15 Outline Singularity Overview Self-Describing Drivers Benefits Experience Related Work Conclusions

2 June 2015Solving the Starting Problem16 Eliminates /etc/init.d Booting and activating drivers is a dynamic process –At install time, driver metadata is merged into a system-wide repository –At boot time, the repository and a simple resolution algorithm are sufficient to determine a valid boot order –Process is resistant to failures / device-not-found errors –Same mechanism used for hot-pluggable drivers and applications

2 June 2015Solving the Starting Problem17 Automates Resource Allocation Driver resource needs are known in advance –Conflicts are prevented at install time –Unsafe resource remapping is not possible –Resources provided automatically to the driver Reasoning about drivers can be done off-line –Snapshot of manifests, copy of system policy, and a list of target physical devices are all that is needed

2 June 2015Solving the Starting Problem18 Simplifies Programming All resource requirements are declared and annotated in the driver configuration object The kernel prepares all resources before activating the driver The code to instantiate the driver configuration object is automatically generated at install time

2 June 2015Solving the Starting Problem19 Protects Hardware Access The kernel only starts the driver code after –The declared resources are allocated –The resources are transferred to the driver –The trusted I/O objects are initialized Methods on trusted I/O objects –Validate bounds and type of access –Directly access hardware using privileged instructions

2 June 2015Solving the Starting Problem20 Outline Singularity Overview Self-Describing Drivers Benefits Experience Related Work Conclusions

2 June 2015Solving the Starting Problem21 9 Months, No Problems Metadata is sufficiently expressive for ~20 drivers we’ve written –7 device types: audio, video, ide, network, keyboard, timers, interrupt controllers –3 buses: pci, pnp, lpc –Memory mapped and programmed I/O devices

2 June 2015Solving the Starting Problem22 Safety We Can Afford Performance on par with Windows, Linux, FreeBSD

2 June 2015Solving the Starting Problem23 Related Work Static detection of bugs in driver code –Meta Compilation [Engler et al. OSDI ‘00], Slam [Ball et al. POPL ‘02], ESP [Das et al. PLDI ‘02] Runtime containment of bugs in driver code –SPIN [Bershad et al. SOSP ‘95], Nooks [Swift et al. OSDI ‘04] Xen [Barham et al. SOSP ‘03, Fraser et al. OASIS ‘04] L4 [Härtig et al. SOSP ’97], Minix3 [Herder et al. ‘06] Static detection of driver/device communication bugs –DEVIL [Mérillon et al. OSDI ‘00], HAIL [Sun et al. EMSOFT ‘05] Declarative configuration in other domains –Vesta [Heydon et al. ‘01], [DeTreville HOTOS ‘05]

2 June 2015Solving the Starting Problem24 Contributions Metadata allows flexible inference of total boot order Declaring / verifying I/O requirements affords better isolation –Singularity isolates drivers at design time –Drivers carry their resource requirements at all times –OS never starts a driver with unfilled resource needs Configuration can be checked off-line through manifests

Discussion We thank the rest of the Singularity Team: Mark Aiken, Paul Barham, Michael Carbin, Manuel Fähndrich, Chris Hawblitzel, James Larus, Nick Murphy, Bjarne Steensgaard, David Tarditi, and Brian Zill

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.