Efficient Software-Based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham.

Slides:



Advertisements
Similar presentations
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Advertisements

Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?
OS Memory Addressing.
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.
“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.
CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Chapter 14: Protection.
User-Level Interprocess Communication for Shared Memory Multiprocessors Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented.
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
IMPROVING THE RELIABILITY OF COMMODITY OPERATING SYSTEMS Michael M. Swift Brian N. Bershad Henry M. Levy University of Washington.
Paging. Memory Partitioning Troubles Fragmentation Need for compaction/swapping A process size is limited by the available physical memory Dynamic growth.
CS333 Intro to Operating Systems Jonathan Walpole.
Topics covered: Memory subsystem CSE243: Introduction to Computer Architecture and Hardware/Software Interface.
1 Micro-kernel. 2 Key points Microkernel provides minimal abstractions –Address space, threads, IPC Abstractions –… are machine independent –But implementation.
Native Client: A Sandbox for Portable, Untrusted x86 Native Code
CS533 Concepts of Operating Systems Jonathan Walpole.
By Teacher Asma Aleisa Year 1433 H.   Goals of memory management  To provide a convenient abstraction for programming  To allocate scarce memory resources.
Chapter 8 – Main Memory (Pgs ). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.
Chapter 4 Memory Management Virtual Memory.
11 World-Leading Research with Real-World Impact! ZeroVM Backgroud Prosunjit Biswas Institute for Cyber Security University of Texas at San Antonio April.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 18: Protection Goals of Protection Objects and Domains Access Matrix Implementation.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Efficient Software-Based Fault Isolation Robert Wahbe, Steven Lucco Thomas E. Anderson, Susan L. Graham J. Garrett Morris, presenter.
By Teacher Asma Aleisa Year 1433 H.   Goals of memory management  To provide a convenient abstraction for programming.  To allocate scarce memory.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM
1 Memory Management. 2 Fixed Partitions Legend Free Space 0k 4k 16k 64k 128k Internal fragmentation (cannot be reallocated) Divide memory into n (possible.
12/5/20151 Operating Systems Design (CS 423) Elsa L Gunter 2112 SC, UIUC Based on slides by Roy Campbell, Sam King,
Efficient Software-Based Fault Isolation By Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham Presented by Pehr Collins.
Processes and Virtual Memory
Efficient Software Based Fault Isolation Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Graham Presenter: Maitree kanungo Date:02/17/2010.
Efficient Software-based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson & Susan L. Graham Presented By Tony Bock.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Memory Management Overview.
1 "Efficient Software-based Fault Isolation" by R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Presenter: Tom Burkleaux.
Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.
SASI Enforcement of Security Policies : A Retrospective* PSLab 오민경.
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
CS533 Concepts of Operating Systems Jonathan Walpole.
OS Memory Addressing. Architecture CPU – Processing units – Caches – Interrupt controllers – MMU Memory Interconnect North bridge South bridge PCI, etc.
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
CS5204 Fall 20051Oct. 26, 2005 Mondrix: Memory Isolation for Linux using Mondriaan Memory Protection Emmett Witchel Junghwan Rhee Krste Asanovic Sreeram.
Processes Chapter 3. Processes in Distributed Systems Processes and threads –Introduction to threads –Distinction between threads and processes Threads.
Translation Lookaside Buffer
Efficient Software-Based Fault Isolation
Introduction to Operating Systems
Virtualization Virtualize hardware resources through abstraction CPU
Memory Protection: Kernel and User Address Spaces
COMBINED PAGING AND SEGMENTATION
Memory Protection: Kernel and User Address Spaces
Introduction to Operating Systems
Memory Protection: Kernel and User Address Spaces
Memory Protection: Kernel and User Address Spaces
Page Replacement.
Chapter 14: Protection.
IMPROVING THE RELIABILITY OF COMMODITY OPERATING SYSTEMS
CSE 451: Operating Systems Autumn 2005 Memory Management
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
CSE 451: Operating Systems Autumn 2003 Lecture 9 Memory Management
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
CSE 451: Operating Systems Autumn 2003 Lecture 9 Memory Management
Lecture 7: Flexible Address Translation
CS703 - Advanced Operating Systems
OPERATING SYSTEMS MEMORY MANAGEMENT BY DR.V.R.ELANGOVAN.
Memory Protection: Kernel and User Address Spaces
Presentation transcript:

Efficient Software-Based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham

Possible Means of Isolating Faults in End-User Extensions ● Using an interpreted language to enable End-User Extensions ● Writing the system in a type safe language such as MODULA-3, tcl, or perl (e.g. SPIN). ● Hardware-based fault isolation methods such as setting protection bits in the MMU to restrict write access within the system's address space (e.g. NOOKS). ● Modifying modules themselves to avoid corruption outside of their address space (e.g. SFI). 1

Problem Description ● Extensible applications demonstrate the value of allowing end-users to modify the behavior of the system. – Operating Systems – Web Browsers – Database Systems ● Extensible systems must be protected from possible instabilities in misbehaved end-user extensions. MISFIT: A Tool for Constructing Safe Extensible C++ Systems Cristopher Small and Margo Seltzer 2

Example cross-domain faults (in C++) void unsafe() { char *bad = (char *) this; bad -= ; memset(bad, 0, 30); } void unsafe() { char name[20]; memset(name, 0, 300); } Encapsulating class private data Data corruption Stack corruption etc. Store & Jump considered only unsafe instructions across domains 3

Handling cross domain faults ● Place domain data in a contiguous region. ● Ensure that each contiguous region's virtual addresses share a unique prefix. Detection (segment matching): dedicated := target scratch := (dedicated>>shift) if (scratch == segment) store to dedicated else do error; Prevention (sandboxing): dedicated := target&mask dedicated := dedicated| segment store to dedicated Dedicated, shift, mask, and segment are all dedicated registers. 4

Example Fault Domain (unaligned) Start address 0x2FCE Domain Size= 255 (hex 00FF), shift is log = 8 Segment identifier becomes 0x2FCE >> 8 = 0x002F End address 0x30cd 5

Protection Domains are Strictly Mutally Exclusive A B C Overlap Before Domain Restriction Variables and return values After Domain Restriction A B C Since domains are mutually exclusive, cross domain calls are thus far impossible. 6

Call Stubs (lightweight RPC) Before Call Stubs A B C Since domains are mutually exclusive, cross domain calls are thus far impossible. After Call Stubs A B C Stubs copy across variables and return values and enable cross domain calls. Stub ● Call stubs enable functions to be called across domains by copying data directly from one domain into the other. ● Call stubs set dedicated registers and ensure properly aligned data for representative segment identifiers (context switching and alignment enforcement). (alignment could also be done by the compiler) 7

Hardware vs Software Based Fault Isolation ● Jump or Store Cost – Check protection bit in MMU / practically free ● Changing Domains – Reset protection bits in the MMU/ flush and reset the TLB ● Jump or Store Cost – Addition of a preamble to check the target of the Jump or Store ● Changing Domains – Copy data into dedicated registers (5 registers), fairly cheap. 8

Conclusion ● Fault isolation can be implemented in software. ● Software based fault isolation adds a little overhead to the common case. ● Software based fault isolation vastly improves the performance of IPC. ● Applications that cross fault domains a lot benefit a whole lot from software based fault isolation, but even applications that spend very little time crossing fault domains can benefit. 9

Caveats ● SFI is not enough alone when commonly used library functions such as bcopy, strcpy, read, write, close, printf, etc. have not been compiled using the SFI model. ● Safe versions of all commonly used library calls that modify memory must be implemented to avoid breaking the model. ● Safe languages like MODULA-3 may be able to accomplish the same task at nearly the same level with less overhead (but they are not as popular of languages). 10

Evaluation ● SFI could also be extended to provide security by extending isolation enforcement to loads at some additional cost. ● Hardware Based fault isolation cannot benefit from increasing or decreasing the level of security, the dominating cost of reprogramming the MMU and flushing the TLB remains constant regarless of protection type. ● SFI offers varying levels of protection at varying costs, and has fairly low overhead. 11

Questions? Any questions at all.

Thank you Thank you very much.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.