EROS: A Reliable Real-time operating system • Presentation for CS775/875 • By: SHANGPING GUO • ECE, ODU • NOV. 15, 1999
EROS: Outline • Introduction of EROS • Key technology in EROS • Protected Components • Capability based system • Global Persistence • Crossing protection boundaries • EROS for large distributed system in the field • Making unit test cost effective • Field replaceable software units • Summary
EROS: Introduction • What is EROS? • EROS is a new operating system being implemented at UPenn. It is a small, secure, real-time operating system that provides orthogonal persistence. • Objectives • SIMPLIFICATION in building large systems, eliminating as many diversionary requirements as possible • CONTAINMENT, allowing the inevitable software failures to be caught and recovered from • SECURITY, enabling applications to safely expose sensitive information in a controlled way
EROS: Key technologies • Pure capability architecture • Authority in EROS is conveyed exclusively by secure capabilities, down to the granularity of individual pages • Orthogonal global persistence • All user state, including both data and running programs, is transparently saved periodically. In the event of a system failure, processes are resumed from the last checkpoint. • Security • Processes hold authorities in their own right rather than inheriting them from the user
EROS: Boundary and component • Flaws in conventional applications • Too much responsibility is assigned to a single point of failure: the application • No means to stop one component from damaging another • Handling of exceptional cases is hard to isolate from the common, time-critical cases • Components cannot be replaced individually
EROS: Boundary and component • Advantages • Each component concentrates on a well-defined task • Components run in parallel • Components are easily replicated • Components interact by communication • Faster and more reliable
EROS: Persistence • Every 5 min, the complete state of an EROS system is saved. This is done through a technique called checkpointing. • Processes don't die until they are told to, even across system crashes. There is no need to re-establish consistency. • The system recovers in 30 sec. • No need for a file system, since processes are alive forever.
EROS: Capability • A capability is a protected token that lets the holder perform certain operations on a particular object. Possession of a capability is necessary and sufficient for performing those operations on that object. • Faults cannot propagate from one component to another if the components are properly isolated. • In EROS, processes hold capabilities on behalf of their users, unlike in UNIX and Windows NT.
EROS: Capability • Access control and integrity checks • Suppose you have a database and you only allow me to use it a fixed number of times. In EROS, a mediator is inserted between the client and the database. The mediator has the right to access the database; the user does not. • The mediator can also perform integrity checks to make sure the queries make sense. • It is possible to insert a mediator into an existing client/server relationship. When the server halts, a new process is built to act as the server, and the old process is made to run the mediator. No client will notice what happened.
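A small model of the mediator pattern from this slide, added here as an illustration rather than taken from the presentation or from EROS itself. The `Database`, `Mediator` and `Client` classes, the two-query quota and the sample rows are all constructed. In EROS the kernel makes a capability unforgeable; in Python the client is kept away from the database only by convention (the client object is handed the mediator and nothing else), so the example shows the flow of authority, not the enforcement.

```python
"""Capability mediator: the client holds the mediator, never the database."""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised by the mediator when a request is refused."""


@dataclass
class Database:
    # Holding a reference to this object stands in for holding the capability.
    rows: dict = field(default_factory=dict)

    def query(self, key):
        return self.rows.get(key)


@dataclass
class Mediator:
    """Holds the database capability on the client's behalf and enforces a
    fixed number of uses plus an integrity check on each query."""
    _db: Database            # constructed: the capability the client must not see
    remaining: int           # fixed number of uses granted to the client
    log: list = field(default_factory=list)

    def query(self, key):
        # Integrity check first: only well-formed keys are ever forwarded,
        # and a rejected query does not consume the client's quota.
        if not isinstance(key, str) or not key.isidentifier():
            self.log.append(("rejected", key))
            raise AccessDenied(f"malformed query {key!r}")
        if self.remaining <= 0:
            self.log.append(("exhausted", key))
            raise AccessDenied("quota exhausted")
        self.remaining -= 1
        self.log.append(("forwarded", key))
        return self._db.query(key)


@dataclass
class Client:
    """The client is given only the mediator capability."""
    mediator: Mediator

    def run(self, keys):
        results = []
        for key in keys:
            try:
                results.append(self.mediator.query(key))
            except AccessDenied as exc:
                results.append(str(exc))
        return results


def demo():
    """Constructed scenario: a two-use quota, one malformed query, one overrun."""
    db = Database({"alice": 1, "bob": 2})
    mediator = Mediator(db, remaining=2)
    client = Client(mediator)
    return client.run(["alice", "drop table", "bob", "alice"])


if __name__ == "__main__":
    print(demo())
```

The mediator's log is what a defender would audit: it records which queries were forwarded, which were rejected as malformed, and when the quota ran out, without the client ever learning whether a database exists behind it.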
EROS: Capability • Confinement: • Suppose the client has the valuable database and needs to control access to it. The solution is to have some agent the client trusts who will certify to the client that your program is safe. • In EROS, the trusted party is called a constructor. The constructor is a program that knows how to start programs. • You first install your program in a constructor object, assigning all the capabilities the program will use. • You give this constructor to the client.
EROS: Capability • 1. The client asks the constructor: Is it safe to run the program? • 2. The constructor replies based on the capabilities your program holds. The client decides whether or not to use it. If yes, it requests a copy of your program. • 3. The constructor makes a copy. • 4. The client and the application interact.
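The four-step exchange above, worked through in code. This is an added example, not the presentation's material and not the EROS constructor implementation: the capability kinds (`SENSORY`, `WRITE`, `CONSTRUCTOR`), the `is_confined` rule and the sample programs are constructed to mirror the slide's reasoning. The rule used here is that a program is safe to run if every capability it will hold is read-only, is a hole the client has explicitly authorized, or names another constructor whose own product passes the same test.

```python
"""Constructor confinement check (constructed model of the slide's protocol)."""
from dataclasses import dataclass
from enum import Enum, auto


class Kind(Enum):
    SENSORY = auto()      # read-only: holding it cannot move data out of the program
    WRITE = auto()        # data can flow out through it (files, channels, network)
    CONSTRUCTOR = auto()  # names another constructor; safe only if its product is confined


@dataclass(frozen=True)
class Capability:
    name: str
    kind: Kind
    target: "Constructor | None" = None   # set only for CONSTRUCTOR capabilities


@dataclass(frozen=True)
class Constructor:
    """Knows how to start one program and the exact capabilities it will hold."""
    image: str
    caps: frozenset

    def is_confined(self, holes=frozenset()):
        # Step 1-2: answer "is it safe?" from the declared capabilities alone.
        for cap in self.caps:
            if cap in holes or cap.kind == Kind.SENSORY:
                continue
            if cap.kind == Kind.CONSTRUCTOR and cap.target is not None \
                    and cap.target.is_confined(holes):
                continue
            return False          # an unauthorized write path: not confined
        return True

    def instantiate(self, holes=frozenset()):
        # Step 3: hand out a fresh copy holding exactly the declared capabilities.
        if not self.is_confined(holes):
            raise PermissionError(f"{self.image}: would hold unauthorized authority")
        return Process(self.image, set(self.caps))


@dataclass
class Process:
    image: str
    caps: set


def client_flow():
    """Constructed scenario: one confined program, one that could leak."""
    code = Capability("program-pages", Kind.SENSORY)
    log_file = Capability("audit-log", Kind.WRITE)
    network = Capability("socket", Kind.WRITE)

    helper = Constructor("helper", frozenset({code}))
    good = Constructor("report-tool", frozenset({
        code, Capability("helper-ctor", Kind.CONSTRUCTOR, helper), log_file}))
    leaky = Constructor("report-tool-v2", frozenset({code, network}))

    holes = frozenset({log_file})   # the client knowingly allows writes to its own log
    results = {"good": good.is_confined(holes), "leaky": leaky.is_confined(holes)}
    # Step 4: the client uses the confined copy; the leaky program is refused.
    proc = good.instantiate(holes)
    results["good_caps"] = sorted(c.name for c in proc.caps)
    try:
        leaky.instantiate(holes)
    except PermissionError:
        results["leaky_refused"] = True
    return results


if __name__ == "__main__":
    print(client_flow())
```

The check is recursive through constructor capabilities because a program that cannot write anywhere itself could still leak by starting a helper that can; the client's authorized holes are the only write paths that survive the test.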
EROS: Crossing protection boundaries • The application is divided into many protected components • Each component is a well-defined function; each critical task is implemented as a whole component • 100~1000 times faster than other protection-boundary crossing mechanisms
EROS: Unit test cost effective • Conventional: unit testing is expensive • Modules are cross-dependent; data or internal functions are exposed to other modules. • Unit boundaries are not preserved when modules are combined into an application; once combined, modules no longer operate in isolation. Such errors are hard to catch. • EROS: unit testing is cost effective • An EROS component exposes nothing but its specified interfaces. • EROS preserves protection boundaries in the final application, so errors are caught earlier and cross-module effects cannot occur.
EROS: field replaceable units • In EROS, the software units can be replaced and tested without breaking a single client operation.
EROS: Summary • EROS provides a rich environment for constructing secure, reliable applications. Its unique features enable it to support large, field-engineerable applications without compromising overall performance or responsiveness. • For more details, please see: • http://www.eros-os.org • http://www.ece.odu.edu/~sguox002/eros.ppt