Date posted: 22-Dec-2015
CS533 - Concepts of Operating Systems 2
Motivation for Exokernel
- Problems with general-purpose abstractions:
  o Overhead: applications pay for features they do not need
  o They hide information from applications
  o Complexity grows when good performance is required
- These problems limit the functionality of applications: neither efficiency nor flexibility

ExoKernel Overview
- Separate resource protection from resource management
- Securely multiplex hardware resources among application-specific library OSes
- The exokernel exports hardware resources through:
  o Secure bindings
  o Visible resource revocation
  o An abort protocol

Functionalities
- Library OS (LOS):
  o Implements its own system objects and policies
  o Uses the low-level exokernel interfaces
  o Implements higher-level abstractions
  o Can define special-purpose implementations of abstractions for best performance and functionality
  o Abstractions can be specialized, extended, or replaced
- Exokernel:
  o Multiplexes and exports physical resources securely through low-level primitives

Library OS
- Simple implementation
- Few kernel crossings
- Provides portability and compatibility
- To reduce the space taken by libraries: support for shared libraries and dynamic linking

Exokernel Backward Compatibility
- Binary emulation of the OS and its programs
- Implementing the OS's hardware abstraction layer on top of the exokernel
- Re-implementing the OS's abstractions on top of the exokernel

Exokernel Design
- Give the LOS freedom for resource management
- Securely expose hardware: expose allocation, expose names, expose revocation
- Policy: control allocation and revocation of resources
  o By deciding which allocation requests to grant and from which application to revoke resources
  o Enforce traditional partitioning strategies: quotas, reservation schemes

Protection
- Tasks:
  o Tracking ownership of resources
  o Ensuring protection by guarding all resource usage and binding points
  o Revoking access to resources
- Techniques:
  o Secure bindings
  o Visible revocation
  o Abort protocol

Secure Bindings
- Three approaches:
  o Hardware mechanism
  o Software caching
  o Downloading application code

Hardware Mechanism
- TLB entry: a virtual-to-physical address translation
  o On a TLB fault the TLB load enters the kernel; the binding is checked once, at bind time
  o The loaded entry is then used many times at access time
  o Protection is enforced at a low level
- File server
  o Can buffer data in memory pages
  o Grants access to authorized applications
  o The kernel checks the binding without knowing the server's authorization mechanism
- Frame buffer hardware
  o Associates an ownership tag with each pixel
  o Applications can access the frame buffer hardware directly, since the hardware checks the ownership tag when the I/O is performed

Software Caching
- Large software TLB
  o Caches address translations that are not in the hardware TLB

Download Code into Kernel
- Invoked on every access or event to determine ownership and the actions the kernel should take
- Eliminates expensive kernel crossings
- Executes without scheduling the application
- Protection is provided by:
  o a type-safe language,
  o interpretation, and
  o sandboxing
- Example: ASHs

Multiplexing Physical Memory
- When a LOS allocates a physical memory page, the exokernel checks capabilities and creates a secure binding
- The number of secure-binding checks is reduced by the software TLB
- Exokernel: guards TLB loads and DMA capabilities
- LOS: visible deallocation (flush TLB mappings, queue DMA requests)
- Example of a hardware mechanism combined with software caching

Multiplexing the Network
- Hardware: virtual circuits in ATM bind streams to applications
- Software: message demultiplexing by packet filters
- Example of downloading code

Downloading Code
- Application-specific Safe Handlers (ASHs)
  o Initiate a message (round-trip latency is low)
  o Initiate control at message reception time
  o No waiting on message reception
  o No need to pre-bind a buffer location for the message
- Xen? Disco?

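The slides on downloading code into the kernel (protection by interpretation and sandboxing), on packet filters for network demultiplexing, and on ASHs can be illustrated by a kernel-side filter interpreter. This is an added example, not code from the slides or from the Aegis/ExOS implementation; the instruction set, the 4-byte header layout, the filters and the packets are constructed for illustration.

```c
/* Added example (not code from the slides or the Aegis/ExOS implementation):
 * a packet filter as bytecode that an application "downloads" into the kernel.
 * The kernel protects itself by interpreting it with a bounds check on every
 * packet load, a bounded stack and a step limit that stops runaway filters. */
#include <stddef.h>
#include <stdint.h>

enum { OP_LOAD16, OP_PUSH, OP_EQ, OP_AND, OP_RET };  /* constructed instruction set */
#define STACK_MAX 8
#define STEP_MAX  64
/* Returns 1 = packet is for this application, 0 = not, -1 = filter faulted. */
int run_filter(const uint8_t *code, size_t codelen, const uint8_t *pkt, size_t pktlen) {
    uint32_t st[STACK_MAX];
    size_t sp = 0, pc = 0, steps = 0;
    while (pc < codelen && steps++ < STEP_MAX) {
        uint8_t op = code[pc++];
        switch (op) {
        case OP_LOAD16: case OP_PUSH: {              /* both take a one-byte operand */
            if (pc >= codelen || sp >= STACK_MAX) return -1;
            uint8_t arg = code[pc++];
            if (op == OP_PUSH) { st[sp++] = arg; break; }
            if ((size_t)arg + 1 >= pktlen) return -1;   /* never read past the packet */
            st[sp++] = (uint32_t)pkt[arg] << 8 | pkt[arg + 1];
            break;
        }
        case OP_EQ: case OP_AND:
            if (sp < 2) return -1;
            sp--;
            st[sp - 1] = (op == OP_EQ) ? (st[sp - 1] == st[sp]) : (st[sp - 1] && st[sp]);
            break;
        case OP_RET:
            if (sp < 1) return -1;
            return st[sp - 1] != 0;
        default:
            return -1;                                 /* unknown opcode: reject the filter */
        }
    }
    return -1;                                         /* ran off the end or hit the step limit */
}

/* Constructed packet layout: bytes 0-1 = protocol number, bytes 2-3 = destination port. */
#define PROTO_UDP 17
/* Filter a constructed DNS-resolver LOS would download: proto == UDP && dst port == 53. */
const uint8_t dns_filter[] = { OP_LOAD16, 0, OP_PUSH, PROTO_UDP, OP_EQ,
                               OP_LOAD16, 2, OP_PUSH, 53, OP_EQ, OP_AND, OP_RET };
const size_t dns_filter_len = sizeof dns_filter;
/* A filter that reads past a short packet faults instead of reading kernel memory. */
const uint8_t bad_filter[] = { OP_LOAD16, 200, OP_RET };
const size_t bad_filter_len = sizeof bad_filter;
```

Because the filter is interpreted rather than executed natively, the kernel rejects a faulty filter on the first unsafe load instead of trusting the application's code.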
Visible Resource Revocation
1. Invisible: deallocate resources without application involvement
   o Performs better when revocations occur frequently
2. Visible: requires interaction with the LOS
   o The LOS can avoid saving state and registers that are not live
   o The LOS handles the revocation itself, for quick resource deallocation

Abort Protocol
- For a LOS that fails to respond to revocation requests
- Option rejected: kill the LOS and its associated applications
- Instead, the exokernel breaks the existing secure bindings to the resources and informs the LOS
- Done through a repossession vector

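As an added example covering both the physical-memory slide and the revocation and abort-protocol slides (not code from the paper or these slides): a toy exokernel that creates a secure binding after checking a constructed capability, guards each TLB load with a cheap owner-tag comparison, and falls back from visible revocation to the abort protocol, recording a forcibly reclaimed page in a repossession vector. All names, the capability values and the two LOS handlers are assumptions made for the example.

```c
/* Added toy model (not code from the paper or these slides): an exokernel
 * multiplexing physical pages among library OSes (LOSes). */
#include <stdint.h>
#define NPAGES 8
#define NLOS   2

typedef uint32_t cap_t;
/* Constructed capabilities: one secret per LOS, known only to it and the exokernel. */
static const cap_t los_cap[NLOS] = { 0xA5A5A5A5u, 0x5A5A5A5Au };

static int page_owner[NPAGES];        /* -1 = free, otherwise id of the owning LOS */
static uint32_t repossess_vec[NLOS];  /* repossession vector: bit p set = page p taken back */

void exo_init(void) {
    for (int p = 0; p < NPAGES; p++) page_owner[p] = -1;
    for (int l = 0; l < NLOS; l++) repossess_vec[l] = 0;
}

/* Bind time: the expensive authorization check (the capability) happens once, here. */
int exo_alloc_page(int los, cap_t cap, int page) {
    if (los < 0 || los >= NLOS || page < 0 || page >= NPAGES) return -1;
    if (cap != los_cap[los] || page_owner[page] != -1) return -1;
    page_owner[page] = los;           /* secure binding: page is now bound to this LOS */
    return 0;
}

/* Access time: the guard on a TLB load is only an owner-tag comparison.
 * Returns 1 if the mapping may be installed, 0 if the LOS does not own the page. */
int exo_tlb_load(int los, int page) {
    return page >= 0 && page < NPAGES && page_owner[page] == los;
}

/* Visible revocation: the LOS handler is asked to give the page back and returns
 * 1 if it complied.  If not, the abort protocol runs: the exokernel breaks the
 * binding itself and records the page in the LOS's repossession vector.
 * Returns 0 on cooperative release, 1 if repossessed, -1 if the LOS did not own it. */
int exo_revoke(int los, int page, int (*los_handler)(int)) {
    if (los < 0 || los >= NLOS || page < 0 || page >= NPAGES) return -1;
    if (page_owner[page] != los) return -1;
    int repossessed = !los_handler(page);
    page_owner[page] = -1;            /* the binding is broken either way */
    if (repossessed) repossess_vec[los] |= 1u << page;
    return repossessed;
}

uint32_t exo_repossessed(int los) { return repossess_vec[los]; }

/* Two constructed LOS revocation handlers: one cooperates, one ignores the request. */
int los_cooperates(int page) { (void)page; return 1; }
int los_ignores(int page)    { (void)page; return 0; }
```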
Aegis and ExOS
- Aegis
  o Exports the processor, physical memory, TLB, exceptions, and interrupts
- ExOS
  o Implements processes, virtual memory, user-level exceptions, interprocess abstractions, network protocols
- Experimental methodology, showing that:
  o An exokernel can be efficient
  o Low-level, secure multiplexing of hardware resources can be implemented efficiently
  o Traditional OS abstractions can be implemented efficiently at application level
  o Applications can create special-purpose implementations of abstractions

Aegis: Exokernel
- Supports a set of primitive operations for privileged instructions (pseudo-instructions)
- Efficient because:
  o Keeping track of ownership is simple
  o The kernel provides little functionality: small and lean
  o Secure bindings are cached in a software TLB, making TLB misses efficient
  o Downloaded packet filters and dynamic code generation give efficient secure binding to the network

ExOS: Library OS
- IPC: LRPC
- Virtual memory
- Remote communication: ASHs

Protected Control Transfers
- An efficient implementation of IPC abstractions
- Steps:
  o Change the PC to the callee
  o Donate the current time slice
  o Install the required elements of the callee's processor context
- Two forms:
  1. Asynchronous: gives the remainder of the current time slice
  2. Synchronous: donates the current time slice
- Properties:
  o Atomic
  o The exokernel does not overwrite application-visible registers
  o No protection check
  o Single-threaded
- Yield primitive: donates the remainder of the current time slice to another

Extensibility of ExOS
- Extensible RPC:
  o tLRPC (trusted LRPC): trusts the server to save and restore callee-saved registers; no permission checks
  o LRPC: saves the general-purpose callee-saved registers
  o Single-threaded
- Extensible page-table structures
  o Inverted page table for sparse address spaces
- Extensible schedulers
  o Yield primitive donates the remainder of the current time slice; used for stride scheduling

Conclusion
- The exokernel securely multiplexes hardware resources among applications
- The LOS implements higher-level abstractions and defines special-purpose implementations for best performance and functionality
- Simplicity and a limited set of primitives allow an efficient implementation
- Exokernel primitives are fast; low-level secure multiplexing is efficient
- Traditional OS abstractions can be implemented at application level
- Applications can create special-purpose implementations of abstractions by modifying the library