Toward Self-Stabilizing Operating Systems Shlomi Dolev, BGU Reuven Yagel, BGU-Rafael
Talk Outline
• Motivation for self-stabilizing operating systems
• OSs do not stabilize! NMI example: must shut down the computer!
• Black box
• Periodic reset, re-install and execute
• Periodic re-install and execute
• Continuous re-install: monitor and establish consistency
• Write a self-stabilizing tiny OS
Goal: Autonomic Computer
• Following any sequence of transient faults (soft errors: 98% of RAM errors are soft errors; a wrong CRC during communication; etc.), the system converges.
• Self-stabilization
  • The system can be started in an arbitrary state
  • Traditionally used in distributed systems (where transient faults are frequent)
  • Self-stabilizing algorithms cannot run unless hardware + OS are stabilizing (fair composition [Dolev2K, DH03])
Operating Systems
• Main OSs (black box):
  • UNIX (Berkeley), LINUX (freeware)
  • DOS, WINDOWS (Microsoft)
• Three main parts of a kernel (tailored):
  • Process scheduler
  • Memory manager
  • Device drivers
Hardware Platform
• IA-32 architecture
  • CPU modes (real, protected, virtual 8086, system)
  • Boot process: BIOS, MBR, 2nd loader
  • Memory: RAM + ROM, 20-bit segment addressing, Interrupt Vector Table, IDTR
  • Interrupts (INT + NMI pins, software interrupts)
• Watchdog device
  • Machine restart
  • Recovery monitor in ROM [Castro & Liskov 2k]
  • OS re-install
• Harvard model (data and program separated)
Unix, Linux, Windows and DOS do not Stabilize
• Processor: NMI
  • During an NMI handler, further NMIs are discarded until the IRET instruction is executed [Intel 2003]
• IDTR
  • The LIDT instruction can change the table location
Periodic reset, re-install and execute
• Watchdog timer: self-stabilizing
• Processor reset
• OS code copied from ROM to RAM during bootstrap (check that it is self-stabilizing)
• Slow & bothers continuous work
Periodic re-install and execute
• Watchdog
  • Re-install only
• Requires hardware changes
  • NMI countdown register
    • Decremented toward 0 in each cycle
    • Enables NMIs when equal to 0
    • Set to a value that enables full execution of the stabilizer code
  • NMI vector hardwired
• Still bothers continuous work
OS Stabilizer Code
    OS_SEGMENT             equ 0x1000
    STABILIZER_ROM_SEGMENT equ 0x2000
    OS_ROM_SEGMENT         equ 0x3000
    ; enter real mode: clear CR0 (PE bit off). CR0 cannot take an immediate operand,
    ; so go through EAX (a far jump to reload CS follows in practice)
    xor eax, eax
    mov cr0, eax
    ; copy OS image from ROM to RAM: DS:SI = OS_ROM_SEGMENT:0 -> ES:DI = OS_SEGMENT:0
    mov ax, OS_ROM_SEGMENT
    mov ds, ax
    mov ax, OS_SEGMENT
    mov es, ax
    mov si, 0x00
    mov di, 0x00
    mov cx, 0x100           ; image length in bytes
    cld                     ; copy forward
    rep movsb
[Figure: processor registers (cr0, ax, cx, ds, si, es, di, PC, PSW) and the address space while the copy runs: 10000 OS code, 20000 stabilizer, 30000 OS image]
OS Stabilizer Code cont.
    ; prepare for journey back: build an IRET frame (FLAGS, CS, IP) on a fresh stack
    mov ax, WATCHDOG_ROM_SEGMENT   ; segment constant defined elsewhere in the stabilizer
    mov ss, ax
    mov sp, 0xFFFF
    pushf
    push word OS_SEGMENT           ; CS = segment of the OS code
    push word 0x0                  ; IP = first instruction of the OS
    ; enable NMI & jump to OS code
    iret
Or better just:
    mov ax, OS_SEGMENT
    mov es, ax
    jmp OS_SEGMENT:0x0             ; far jump to the OS entry point
Assumptions
• Initial configuration
  • RAM contains the OS code and initialized variables, the processor is configured to run the OS (real mode), and the PC register points to the first instruction of the OS code.
• Stabilizing processor & watchdog.
• The processor will react to the watchdog interrupt.
• The stabilizer code cannot be corrupted.
Proof Sketch
• Every execution of the OS stabilizer is finite and does not depend on the previous state.
• The OS stabilizer will be executed infinitely often.
• The OS stabilizer code brings the system into the initial configuration.
• Thus: in every infinite execution the system will reach the initial configuration infinitely often.
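A constructed C simulation, added here and not part of the talk, of the "periodic re-install and execute" design and of the proof sketch above. The toy machine (OS_SIZE, PERIOD, the ROM image bytes and the relative-jump "OS" are all assumptions) has an OS image in ROM, its copy in RAM, an nmi_masked bit that only IRET clears, and the proposed NMI countdown register. The hw_override flag switches that register on and off, so the same run shows both the stock IA-32 behaviour (an NMI arriving while masked is discarded, and a corrupt state can stay corrupt forever) and the hardware change, under which any state converges within countdown + 1 cycles.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy machine (not the talk's code): an OS image in ROM, its copy running from
 * RAM, and a hardware NMI countdown register that forces NMIs on and raises one at 0. */
#define OS_SIZE 16
#define PERIOD  8   /* value the stabilizer reloads into the countdown register */

/* constructed "OS image"; each byte is read as a relative jump distance by step() */
static const uint8_t os_rom[OS_SIZE] = { 1, 1, 2, 0, 1, 3, 1, 1, 0, 2, 1, 1, 1, 4, 1, 0 };

typedef struct {
    uint8_t  ram[OS_SIZE];  /* OS code in RAM: subject to transient faults */
    uint16_t pc;            /* program counter (index into ram) */
    int      nmi_masked;    /* 1 = "inside an NMI handler", cleared only by IRET */
    uint16_t countdown;     /* hardware NMI countdown register */
} machine_t;

/* The stabilizer of the slides: finite, independent of prior state, re-installs the OS
 * from ROM, points PC at its first instruction, reloads the countdown, returns with IRET. */
static void stabilizer(machine_t *m)
{
    memcpy(m->ram, os_rom, OS_SIZE);  /* the rep movsb from OS_ROM_SEGMENT to OS_SEGMENT */
    m->pc = 0;
    m->countdown = PERIOD;
    m->nmi_masked = 0;                /* the IRET: NMIs are accepted again */
}

/* The "initial configuration" of the Assumptions slide */
int in_initial_configuration(const machine_t *m)
{
    return memcmp(m->ram, os_rom, OS_SIZE) == 0 && m->pc == 0 && !m->nmi_masked;
}

/* One machine cycle. With hw_override the countdown register enables NMIs at 0 (the
 * proposed hardware change); without it a pending NMI is discarded while nmi_masked is
 * set, the IA-32 behaviour the talk cites as the reason stock OSs do not stabilize. */
static void step(machine_t *m, int hw_override)
{
    if (m->countdown == 0) {
        if (hw_override) m->nmi_masked = 0;
        if (!m->nmi_masked) { stabilizer(m); return; }  /* NMI vector hardwired to stabilizer */
        /* NMI discarded: countdown stays 0, the possibly corrupt OS keeps running */
    } else {
        m->countdown--;
    }
    /* the OS: a relative jump per byte, so a corrupt image behaves arbitrarily but, unlike
     * real code, never executes IRET and never writes the countdown register */
    uint8_t op = m->ram[m->pc % OS_SIZE];
    m->pc = (uint16_t)((m->pc + 1 + op) % OS_SIZE);
}

/* Run until the initial configuration is reached; return the cycle count, -1 if the bound
 * is exhausted. With hw_override the count is at most countdown + 1, i.e. 65536. */
int cycles_to_initial_configuration(machine_t *m, int hw_override, int max_cycles)
{
    for (int c = 0; c < max_cycles; c++) {
        if (in_initial_configuration(m)) return c;
        step(m, hw_override);
    }
    return -1;
}

/* Deterministic transient fault: one corrupt OS byte, NMIs left masked, countdown at 3 */
int demo_cycles(int hw_override)
{
    machine_t m;
    memcpy(m.ram, os_rom, OS_SIZE);
    m.ram[3] ^= 0xFF;
    m.pc = 5;
    m.nmi_masked = 1;
    m.countdown = 3;
    return cycles_to_initial_configuration(&m, hw_override, 100000);
}

/* Arbitrary states (seeded, so repeatable) with the hardware change: worst convergence
 * time over n_seeds trials, or -1 if any trial fails to reach the initial configuration */
int worst_case_cycles(unsigned n_seeds)
{
    machine_t m;
    int worst = 0;
    for (unsigned s = 1; s <= n_seeds; s++) {
        srand(s);
        for (int i = 0; i < OS_SIZE; i++) m.ram[i] = (uint8_t)rand();
        m.pc = (uint16_t)rand();
        m.nmi_masked = rand() & 1;
        m.countdown = (uint16_t)rand();
        int n = cycles_to_initial_configuration(&m, 1, 70000);
        if (n < 0) return -1;
        if (n > worst) worst = n;
    }
    return worst;
}

int main(void)
{
    printf("plain NMI, left masked: %d cycles\n", demo_cycles(0));  /* -1: never converges */
    printf("NMI countdown register: %d cycles\n", demo_cycles(1));  /* 4 */
    printf("worst of 20 arbitrary states: %d cycles\n", worst_case_cycles(20));
    return 0;
}
```

The three proof steps map directly onto the code: stabilizer() reads nothing from the machine state (finite and state-independent), the countdown register guarantees it runs at least once per 65536 cycles whatever the state (executed infinitely often), and in_initial_configuration() holds immediately after it returns. The masked-NMI run without the override is the counterexample for the stock processor: the fault survives indefinitely because the only instruction that would re-enable NMIs never executes.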
Continuous re-install: monitor and establish consistency
• Warm boot
• Consistency check & establishment
• …
Minimal OS
• Various small OSs
• Tiny OS: specialized
• SONIX (temporary name)
Demo – SONIX Code
    [SEGMENT .text]
        jmp StartOS
    msgWelcome   db "SONIX is NOT Linux!", 0x00
    reversedCol  db 9               ; holds the column that will be shown in reverse video
    fontColor    db 1               ; originally blue
    delayCounter dw 0               ; make it work slower
    StartOS:
        mov ax, cs                  ; location where loader2 is loaded
        mov ds, ax
    OsLoop:
        mov si, msgWelcome          ; welcome message
        mov cl, 10                  ; screen col 10
        mov ch, 13                  ; screen row 13
        mov dh, byte [fontColor]    ; normal attribute
        ; all this mess is to determine which character will be reversed
        mov al, [reversedCol]
        inc al
        cmp al, 29                  ; end of message
        jb GoAhead
        ; put reverse video back to first column and also switch color
        mov al, 9
        inc byte [fontColor]
        cmp byte [fontColor], 8
        jb GoAhead
        mov byte [fontColor], 1