Presentation is loading. Please wait.

Presentation is loading. Please wait.

Can We Make Operating Systems Reliable and Secure? By : Hassan AL-Maksousy Andrew S. Tanenbaum, Jorrit N. Herder, and Herbert Bos.

Published byTracy Garey Matthews Modified over 9 years ago

Similar presentations

Presentation on theme: "Can We Make Operating Systems Reliable and Secure? By : Hassan AL-Maksousy Andrew S. Tanenbaum, Jorrit N. Herder, and Herbert Bos."— Presentation transcript:

1 Can We Make Operating Systems Reliable and Secure? By : Hassan AL-Maksousy Andrew S. Tanenbaum, Jorrit N. Herder, and Herbert Bos

2 Abstract Microkernels— long discarded as unacceptable because of their lower performance compared with monolithic kernels— might be making a comeback in operating systems due to their potentially higher reliability. In this paper four different attempts are used to improve operating system reliability by focusing on preventing buggy device drivers from crashing the system.

3 Cited by  Shan Chen, Lingling Zhou, Rendong Ying, Yi Ge, "Safe Device Driver Model Based on Kernel-mode JVM", Virtualization Technology in Distributed Computing (VTDC), 2007  Momeni, H., Kashefi, O., Sharifi, H., "How to Realize Self-Healing Operating Systems?", Information and Communication Technologies: From Theory to Applications, 2008  Eduardo B. Fernandez, Tami Sorgente, Maria M. Larrondo-Petrie, Even more patterns for secure operating systems, Proceedings of the 2006 conference on Pattern languages of programs, October 21-23, 2006, Portland, Oregon  Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker, Tim Deegan, Peter Loscocco, Andrew Warfield, Breaking up is hard to do: security and functionality in a commodity hypervisor, Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles,, 2011, Cascais, Portugal

4 Why are systems unreliable? Current operating systems have two characteristics that make them unreliable and insecure:  They are huge  They have very poor fault isolation

5 Why are systems unreliable? They are huge :  code contains between six and 16 bugs per 1,000 lines  The Linux kernel has more than 2.5 million lines of code; the Windows XP kernel is more than twice as large.  Linux kernel probably has something like 15,000 bugs; Windows XP has at least double that.

6 Why are systems unreliable? They have very poor fault isolation :  Thousands of procedures are linked together as a single binary program  Lines of kernel code can overwrite key data structures that an unrelated component uses and that leads to crashing the system.  A virus can infect one part of the kernel, and it will spread rapidly.

7 4 ways to make future OS’s more reliable and secure 1.Armored OS’s 2.PARAVIRTUAL MACHINES 3.MULTISERVER OPERATING SYSTEMS 4.LANGUAGE-BASED PROTECTION

8 1. Armored OS’s Nooks, a reliability sub-system that works with current OS:  maintains the monolithic kernel structure  focuses on making device drivers less dangerous

9 The Nooks model Each driver is wrapped in a layer of protective software that monitors all interactions between the driver and the kernel.

10 The Nooks project's goals  Protect the kernel against driver failures  Recover automatically when a driver fails, and  Do all of this with as few changes as possible to existing drivers and the kernel

11 Isolation  The main tool used to keep faulty drivers from trashing kernel data structures is the virtual memory page map.  When a driver runs, all pages outside it are changed to read-only, thus implementing a separate lightweight protection domain for each driver.

12 Interposition  Each driver class exports a set of functions that the kernel can call.  Nooks provides wrappers for both the exported and imported functions.  Some are automatically generated,  The Nooks team had to write 455 wrappers: 329 for functions the kernel exports and 126 for functions the device drivers export.  When a driver tries to modify a kernel object:  Its wrapper copies the object into the driver's protection domain,  Upon successful completion of the request, the isolation manager copies modified kernel objects back to the kernel.

13 Recovery  After a failure, the user-mode recovery agent runs and consults a configuration database  In many cases, releasing any resources held and restarting the driver is enough  Sometimes shadow drivers are used to allow applications to continue  Shadow driver logs communication between each driver and the kernel  The shadow driver feeds the newly restarted driver from the log  The kernel is unaware of the process of getting the new driver back

14 Limitations  Nooks can catch 99 percent of the fatal driver errors and 55 percent of the nonfatal ones  Drivers can execute privileged instructions they should not Execute  The Nooks team had to write large numbers of wrappers manually, and they could contain faults  Drivers are not prevented from re-enabling write access to all of memory

15 2. PARAVIRTUAL MACHINES  Like a virtual machine, this technique isolates the OS from the sub-system  The goal is to protect within a single operating system, rather than between different operating systems One of the virtual Linux machines runs the application programs while one or more other machines run the device drivers.

16 An Example using Linux  Researchers built an L4 microkernel  They ran multiple versions of Linux (L4 Linux), where one virtual machine has the drivers and another has the apps  Unlike Nooks, the driver’s state is not persistent.  the Linux kernel itself had to be modified to achieve paravirtualization, but this is a one-time change, and it is not necessary to repeat it for each device driver.  the overhead of using paravirtualized machines in this fashion is about 3 to 8 percent.

17 3. Multiserver OS’s  A tiny microkernel runs in kernel mode with the rest of the operating system running as a collection of fully isolated user-mode server and driver processes. Minix 3 microkernel handles interrupts, provides the basic mechanisms for process management, implements interprocess communication, and performs process scheduling.

18 Minix 3  the microkernel handles interrupts, provides the basic mechanisms for process management, implements interprocess communication, and performs process scheduling.  Each I/O device has its own driver that runs as a separate process in its own private address space, protected by the memory management unit (MMU) hardware.  The drivers run in user mode and cannot execute privileged instructions or read or write the computer's I/O ports; they must make kernel calls to obtain these services. While introducing a small amount of overhead, this design also enhances reliability.

19 Interprocess communication  All servers and drivers in Minix 3 run as physically isolated processes, they cannot directly call each other's functions or share data structures. Instead, Minix 3 performs IPC by passing fixed-length messages using the rendezvous principle: When both the sender and the receiver are ready, the system copies the message directly from the sender to the receiver  Minix 3 elegantly integrates interrupts with the message passing system. Interrupt handlers use the notification mechanism to signal I/O completion.

20 Reliability features  First, only about 4,000 lines of code run in the kernel  Minix 3's IPC design does not require message queuing or buffering, which eliminates the need for buffer management in the kernel.  All kernel data structures are static.  The user-mode drivers and servers do not run as superuser.  Separate instruction and data spaces.  Self-healing property through reincarnation server  All of these features greatly simplify the code and eliminate kernel bugs associated with buffer overruns, memory leaks, untimely interrupts, untrusted kernel code,

21 Performance considerations  Has been criticized because of alleged performance problems.  However, various projects have proven that modular designs actually can provide competitive performance.  The performance loss that user-mode drivers cause compared to in-kernel drivers is less than 10 percent, and the system can build itself, including the kernel, common drivers, and all servers (112 compilations and 11 links) in less than 6 seconds on a 2.2-GHz Athlon processor.

22 Language-Based Protection  Championed by Microsoft Researched  Replaces traditional role of operating system as a single program running in kernel mode plus some collection of user processes running in user mode  Singularity (Sing#) uses a type-safe language, a single address space, and formal contracts to carefully limit what each module can do

23 The microkernel  The Singularity operating system consists of a microkernel process and a set of user processes, all typically running in a common virtual address space.  controls access to hardware; allocates and deallocates memory; creates, destroys, and schedules threads.  handles thread synchronization with mutexes.  handles interprocess synchronization with channels; and supervises I/O. Each device driver runs as a separate process.  The hardware abstraction layer hides the low-level hardware from the system

24 Interprocess communication  obtain system services by sending strongly typed messages  supports channels in the language, including formal typing and protocol specifications.  All process-to-process communication also use these channels.

25 The heap  Singularity supports a shared object heap.  Each object on the heap belongs to a single process.  Ownership of an object can be passed over a channel.

26 Verification  Each system component has metadata describing its dependencies, exports, resources, and behavior.  Verification is a three-step process:  The compiler checks type safety, object ownership, channel protocols, and so on.  The compiler generates Microsoft Intermediate Language, a portable JVM-like byte code that the verifier can check.  MSIL is compiled to x86 code by a back-end compiler, which could insert runtime checks into the code (the current compiler does not do this though).  The point of redundant verification is to catch errors in the verifiers.

27 Conclusion (1\3)  Each of the four different attempts to improve operating system reliability focuses on preventing buggy device drivers from crashing the system.  In the Nooks approach, each driver is individually hand wrapped in a software jacket to carefully control its interactions with the rest of the operating system, but it leaves all the drivers in the kernel.  The paravirtual machine approach takes this one step further and moves the drivers to one or more machines distinct from the main one, taking away even more power from the drivers.

28 Conclusion (2\3)  The multiserver approach runs each driver and operating system component in a separate user process and allows them to communicate using the microkernel's IPC mechanism.  Singularity uses a type-safe language, a single address space, and formal contracts to carefully limit what each module can do.

29 Conclusion (3\3)  Paravirtualization, Minix 3, and Singularity use microkernels.  Long discarded as unacceptable because of their lower performance  Might be making a comeback due to their potentially higher reliability

Download ppt "Can We Make Operating Systems Reliable and Secure? By : Hassan AL-Maksousy Andrew S. Tanenbaum, Jorrit N. Herder, and Herbert Bos."

Similar presentations

Threads, SMP, and Microkernels

Threads, SMP, and Microkernels
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.

Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.
Threads, SMP, and Microkernels Chapter 4. Process Resource ownership - process is allocated a virtual address space to hold the process image Scheduling/execution-

Threads, SMP, and Microkernels Chapter 4. Process Resource ownership - process is allocated a virtual address space to hold the process image Scheduling/execution-
Chapter 4 Threads, SMP, and Microkernels Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design.

Chapter 4 Threads, SMP, and Microkernels Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design.
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.
Computer Systems/Operating Systems - Class 8

Computer Systems/Operating Systems - Class 8
INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.

INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.
Figure 1.1 Interaction between applications and the operating system.

Figure 1.1 Interaction between applications and the operating system.
Introduction Operating Systems’ Concepts and Structure Lecture 1 ~ Spring, 2008 ~ Spring, 2008TUCN. Operating Systems. Lecture 1.

Introduction Operating Systems’ Concepts and Structure Lecture 1 ~ Spring, 2008 ~ Spring, 2008TUCN. Operating Systems. Lecture 1.
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.

A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Operating System Organization

Operating System Organization
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Xen and the Art of Virtualization Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, Andrew Warfield.

Xen and the Art of Virtualization Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, Andrew Warfield.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Chapter 2 Operating System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 2 Operating System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Computer System Architectures Computer System Software

Computer System Architectures Computer System Software
IMPROVING THE RELIABILITY OF COMMODITY OPERATING SYSTEMS Michael M. Swift Brian N. Bershad Henry M. Levy University of Washington.

IMPROVING THE RELIABILITY OF COMMODITY OPERATING SYSTEMS Michael M. Swift Brian N. Bershad Henry M. Levy University of Washington.
Chapter 4 Threads, SMP, and Microkernels Dave Bremer Otago Polytechnic, N.Z. ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E.

Chapter 4 Threads, SMP, and Microkernels Dave Bremer Otago Polytechnic, N.Z. ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E.

Similar presentations

Ads by Google