1 / 46

Extensible Kernels

Extensible Kernels. Ken, with slides by Amar Phanishayee. Traditional OS services – Management and Protection. Provides a set of abstractions Processes, Threads, Virtual Memory, Files, IPC Sys calls and APIs (eg: Win32, POSIX) Resource Allocation and Management Accounting

mboone
Download Presentation

Extensible Kernels

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Extensible Kernels Ken, with slides by Amar Phanishayee

  2. Traditional OS services – Management and Protection • Provides a set of abstractions • Processes, Threads, Virtual Memory, Files, IPC • Sys calls and APIs (eg: Win32, POSIX) • Resource Allocation and Management • Accounting • Protection and Security • Concurrent execution

  3. Context for these papers • Researchers (mostly) were doing special purpose O/S hacks • Commercial market complaining that O/S imposed big overheads on them • O/S research community began to ask what the best way to facilitate customization might be. In the spirit of the Flux OS toolkit…

  4. Problems(examples coming-up) • Extensibility • Abstractions overly general • Apps cannot dictate management • Implementations are fixed • Performance • Crossing over into the kernel is expensive • Generalizations and hiding information affect performance • Protection and Management offered with loss in Extensibility and Performance

  5. Need for Application controlled management (examples) • Buffer Pool Management In DBs (*) • LRU, prefetch (locality Vs suggestion), flush (commit) • Shared Virtual Memory (+) • use a page fault to retrieve page from disk / another processor

  6. Examples (cont.) • Concurrent Checkpointing (+) • Overlap checkpointing and program being checkpointed • Change rights to R-only on dirty pages • Copy each page and reset rights • Allow reads; Use write faults to {copy, reset rights, restart} * OS Support for Database Management (Stonebraker) + Virtual Memory Primitives for User Programs (Andrew W. Appel and Kai Li)

  7. Examples (cont.) Feedback for file cache block replacement [Implementation and Performance of Application-Controlled File Caching - Pei Cao, et al.]

  8. Down with monarchy! French Revolution - Execution of Louis XVI

  9. Challenges • Extensibility • Security • Performance

  10. Extensible Kernels • Exokernel (SOSP 1995): safely exports machine resources • Higher-level abstractions in Library OS • Secure binding, Visible resource revocation, Abort • Apps link with the LibOS of their choice • SPIN (SOSP 1995): kernel extensions (imported) safely specialize OS services • Extensions dynamically linked into OS kernel • Safety ensured by Programming Language facilities

  11. Notice difference in pt. of view • Exokernel assumes that very significant extensions to the kernel are needed in many settings and that home-brew kernels may remain common for long into the future • Goal is to enable this sort of work while reducing risk that developer will trash the file system, debugging tools, etc • SPIN is more focused on protecting standard O/S against a device driver run amok. • Sees this as the more common need…

  12. Exokernels - Motivation • Existing Systems offer fixed high-level abstractions which is bad • Hurt app performance (generalization – eg: LRU) • Hide information (eg: page fault) • Limit functionality (infrequent changes – cool ideas don’t make it through)

  13. Motivation (cont.) • Separate protection from management, mgmt in user space • Apps should use domain specific knowledge to influence OS services • Small and simple kernel – adaptable and maintainable

  14. OS Component Layout Exokernel

  15. Lib OS and the Exokernel • Lib OS (untrusted) can implement traditional OS abstractions (compatibility) • Efficient (Lib OS in user space) • Apps link with Lib OS of their choice • Kernel allows LibOS to manage resources, protects LibOss

  16. Exokernel : Design Principles • Securely expose hardware • Min resource management as required by protection (allocation, revocation) • Expose allocation • No implicit allocation • Expose Names • Expose Revocation • Eg: two-level replacement

  17. Exokernel : Secure Bindings • Lib OSs are untrusted • Authorization at bind time • Authentication at access time (no need to understand semantics – eg: FS permissions, groups) • Techniques • Hardware (TLB) • Software (STLB – Kavita Bala!) • download code (direct procedure call, sandboxing, type-safe language)

  18. Secure Bindings • Multiplexing Memory • Record capabilities (ownership, RW) @ bind time • Check capability @ access time • Capability passing to share resources • Multiplexing the Network • Application-specific Safe Handler (ASH) • Download code into kernel (compiled to m/c code @ runtime) • No kernel crossing; Procedure call instead of scheduling (low RTT)

  19. Resource Revocation • Visible Revocation • “please return a memory page” • “return a page within 50 microseconds” • CPU revocation at the end of time-slice • Invisible better when revocations are frequent (due to f/b) • Abort • To revoke resources “by force” from misbehaving processes • repossession vector, repossession exception • Worst case repossession (guarantee)

  20. ExOS + Aegis • Platform – MIPS-based DECstation • Aegis – exokernel • ExOS – library OS • Processes, Virtual Mem, IPC, Network Protocols (ARP/RARP, IP, UDP) • Comparison with Ultrix (tuned monolithic kernel)

  21. Base Cost in microSec 12.5 MHz ~11MIPS 16.6 MHz ~15MIPS 25 MHz ~25MIPS Demultiplexing SysCalls expensive in Ultrix. May have TLB miss in Sys call!

  22. “barebone” unidirectional Protected Control Transfer (microSec) L3 Entering kernel – 71 cycles Exiting Kernel – 36 cycles TLB flush on context switch • Types • Asynchronous (donate only current time slice to callee) • Synchronous

  23. Key to Aegis’ Performance • Easy keeping track of ownership • Provides very little apart from low level multiplexing • Caching secure bindings (STLB) • Dynamic code generation

  24. ExOS IPC • Pipe – shared mem; yield • Pipe’ has code inlining • Shm – Yield to switch (ExOS), Signals (Ultrix) • RPC – single function, no look-up. Cost of emulation in Ultrix using pipes or signals is high

  25. ExOS Virtual Memory + Fast Sys call. - Half the time in look-up (vector). Repeated access to Aegis STLB and ExOS PageTable

  26. ASH and scalability • Ping-pong of counter in a 60-byte UDP packet 4096 times between 2 processes in user space on DECStation5000/125 • Without ASH - response on being scheduled. Round Robin scheduling -> linear increase in RTT.

  27. Exokernel: Summary • Minimal Kernel • Secure multiplexing of resources • Bind time Authorization • Portability • OS Abstractions in user space (Lib OS) • VM, IPC • Apps link with OS of their choice

  28. SPIN • Use of language features for Extensions • Extensibility • Dynamic linking and binding of extensions • Safety • Interfaces. Type safety. Extensions verified by compiler • Performance • Extensions not interpreted; Run in kernel space

  29. Language: Modula 3 • Interfaces • Type safety • Array bounds checking • Storage Management • Threads • Exceptions

  30. Motivation Can we have all 3 in a single OS? From Stefan Savage’s SOSP 95 presentation

  31. SPIN structure From Stefan Savage’s SOSP 95 presentation

  32. Protection model • Capabilities • Pointer as capability • Type safe (compile time check) • Externalized reference

  33. Protection model (cont.) • Protection “domain” • exported interfaces of safe object files • Safe object file = verified by compiler or asserted by the kernel • In-kernel name server • Optional authorization for importing i/f

  34. Events and Handlers • Events • message announcing • Change in state • Request for service • Procedure exported from an interface • Handlers register for events • Multiple handlers

  35. Dispatcher • Central dispatcher – event router • Primary handler • Handler invocation • Synchronous/Asynchronous • Bounded time • Ordered/Unordered

  36. Handler Installation From Brian Bershad’s OSDI 96 presentation

  37. Handler Installation (cont.) From Brian Bershad’s OSDI 96 presentation

  38. Event Handling From Stefan Savage’s SOSP 95 presentation

  39. Core Services: Memory Management • Services • Physical storage : allocate, deallocate, “reclaim” (returns capability) • Naming (virtual) : allocate, deallocate • Translation (mapping) : add/remove/check mapping • Exceptions • BadAddress • PageNotPresent • Extensions use these primitives to define an address space model

  40. Core Services: Thread Management • Strand interface • block/unblock • checkpoint/resume • Global and application-specific schedulers • fault-isolation • Thread model can be defined using these primitives

  41. Microbenchmarks IPC Sockets, SUN RPC Mesgs. In-kernel Call Thread Mgmt All numbers are in microseconds

  42. Performance: Virtual Memory In-Kernel calls are more efficient than traps or messages All numbers are in microseconds

  43. Performance: Networking Lower RTT because of in-kernel extension time in microseconds, Bandwidth in Mbps

  44. End-to-End Performance Networked Video Server CPU utilization (network interface supports DMA)

  45. Issues • Dispatcher scalability • Handler scheduling • Garbage collection

  46. Conclusion • Extensibility without loss of security or performance • Exokernels • Safely export machine resources • Decouple protection from management • SPIN • kernel extensions (imported) safely specialize OS services • Safety ensured by Programming Language facilities

More Related