830 likes | 990 Views
Recent Advances in System Software Dependability. 周枫 网易公司 2007-12-21 清华大学 http://zhoufeng.net. 关于我. 周枫 1996-2002 ,清华,计算机本科、硕士 2002-2007 , UC Berkeley, Ph.D. in CS 2007-, 网易公司,高级副总裁 感兴趣的研究方向: OS, Internet Services, Programming Languages, Networking, Information Retrieval.
E N D
Recent Advances in System Software Dependability 周枫 网易公司 2007-12-21 清华大学 http://zhoufeng.net
关于我 • 周枫 • 1996-2002,清华,计算机本科、硕士 • 2002-2007,UC Berkeley, Ph.D. in CS • 2007-, 网易公司,高级副总裁 • 感兴趣的研究方向:OS, Internet Services, Programming Languages, Networking, Information Retrieval
A Trend in Software “The Movement to Safe Languages” • Type-safety No memory safety errors (segfaults) Java, C#, Python, Ruby, PHP, Perl… Vs. C, C++, ASM
Why Safe Languages? Pros • Easier to program • Less error-prone • Easier to analyze • Cons • Slower • Less control (over memory, I/O …) • Bad for real-time things More dependable software with less effort
Status Quo • Server: ~80% • All server-side Java, Ruby-on-Rails… • Client: ~30% • Visual Studio, Eclipse… • What about system software? Almost 0 Why? See “cons” on previous slide: slower, less control, bad realtime perf.
The Problem • System software: mainly operating systems • Dependability: “properties that allow one to rely on a system” • Reliability, Security, Safety, Availability How do we make more dependable system software?
Current State • Problems dealing with latest or peculiar hardware • Worms because of so many security flaws • More problems for long running servers or large clusters [Bligh et al. 07]
Problem scope Our Focus
Why is this important? • The cost of defects is increasing • The society is increasingly driven by computers • More and more computers online remote exploits • Critical infrastructure using commodity systems – “OS monoculture”
Why is this hard? • Reason 1: Complexity • Windows Vista (2006): 50M LOCWindows NT 3.1 (1993): 6M • Linux kernel: 8.3M LOC 86 lines/hr for last 2 years
More reasons • Reason 2: Unsafe languages used (C/C++) • Buffer overruns can be eliminated with safe languages • Reason 3: Recent trends • Multicore more parallelism • “The Free Lunch is Over”, Herb Sutter, 2005 • ccNUMA, smarter devices • ACPI byte language
Roadmap • OS Dependability with Hardware Protection • Swift et al. 03-04 • OS Dependability with Program Analysis • Zhou et al. 04-06 • OS Dependability with Virtual Machines • Criswell et al. 07
What Causes Most Crashes? • Device drivers! • Run in the same protection domain • Drivers are often buggier than the kernel • Device drivers cause 85% of Windows XP crashes • Drivers are 7 times buggier than the kernel in Linux • Xbox hacked due to memory bugs in games Better driver dependability Better OS dependability
Crashes * Figure courtesy of Mike Swift et al.
Crashes * Figure courtesy of Mike Swift et al.
Goal * Figure courtesy of Mike Swift et al.
Requirements • Isolation • Recovery • Non-intrusive • No/very few code changes
Principles & Goal • Principles & Assumptions • Drivers are generally well-behaved and benign • Design for mistakes (not abuse) • Doesn’t need to be perfect • Design for fault resistance (not fault tolerance) • Goal: a practical “best-effort” system
Nooks • Linux 2.4 kernel and drivers • “Nooks” kernel patch • Isolation • Recovery • Compatible with existing code
Isolation - Memory * Figure courtesy of Mike Swift et al.
Isolation – Control Transfer * Figure courtesy of Mike Swift et al.
Isolation – Control Transfer * Figure courtesy of Mike Swift et al.
Isolation – Data Access * Figure courtesy of Mike Swift et al.
Isolation – Data Access * Figure courtesy of Mike Swift et al.
Isolation – Interposition * Figure courtesy of Mike Swift et al.
Isolation – Interposition * Figure courtesy of Mike Swift et al.
Isolation Summary • Isolation • Lightweight Kernel Protection Domain • eXtension Procedure Call (XPC) • Copy-in/Copy-out • Wrappers
Failure Detection * Figure courtesy of Mike Swift et al.
Failure Detection * Figure courtesy of Mike Swift et al.
Failure Detection * Figure courtesy of Mike Swift et al.
Restart * Figure courtesy of Mike Swift et al.
Restart * Figure courtesy of Mike Swift et al.
Restart * Figure courtesy of Mike Swift et al.
Driver State/Session Recovery • Drivers lose state after restart • E.g. file handles + history of ioctls configuring the drivers • This causes apps to fail • Shadow drivers • Kernel agents for recovering drivers • Observe kernel-driver communication normally • Restores drivers state after restart
Native Linux * Figure courtesy of Mike Swift et al.
Normal Behavior * Figure courtesy of Mike Swift et al.
During Recovery * Figure courtesy of Mike Swift et al.
Evaluation • Pros • General solution • Covers both isolation and recovery • Good availability • Low overhead when accessing memory • Cons • High overhead when crossing domains • System specific • Coarse grain protection. Does not prevent driver from corrupting itself
Results * Figure courtesy of Mike Swift et al.
More Results • Nooks: 23,000 LOC • Shadow Manager: 600 LOC • Overhead: up to 100% • Main overhead is domain crossing
Nooks Recap • Device drivers are a major source of OS crashes. • Nooks isolates drivers by putting them inside separate hardware protection domains • Recovery is done by restarting drivers • Driver state can be restored by the “shadow driver” technique • Performance is O.K. Code changes are reasonable.
Review • Separate hardware protection domains: Nooks [Swift et al], L4 [LeVasseur et al], Xen [Fraser et al] • Relatively high overhead due to cross-domain calls, system specific • Binary instrumentation: SFI [Wahbe et al, Small/Seltzer] • High overhead, coarse-grained • What can be done at the C language level? • Add fined-grained type-safety, to extensions only • A way to recover from failures
Vision • What a safe language provides: • Array indexing stays within object bounds • No uses of null/invalid pointers • All operations are type safe • No uses of dangling pointers • Control flow obeys program semantics • …
A Language-Based Approach to Extension Safety • Light annotations in extension code and host API • Buffer bounds, non-null pointers, nullterm strings, tagged unions • Deputy src-to-src compiler emits safety checks when necessary • Key: compatible extension-host binary interface • Runtime tracks resource usage and restores system invariants at fail time Annot.Source Deputy C w/ checks GCC DriverModule SafeDrive Runtime & Recovery Linux Kernel Kernel Address Space
Deputy: Motivation • Common C code • How to check memory safety? • C pointers do not express extent of buffers (unlike Java) struct { unsigned int len; int * data; } x; for (i=0;i<x.len;i++) { … x.data[i] … }
Previous Approach: Fat Pointers • Used in CCured and Cyclone • Compiler inserts extra bounds variables • Changes memory layout • Cannot be applied modularly struct { unsigned int len; int * data; int * data_b; int * data_e; } x; for (i = 0; i < x.len; i++) { if (x.data+i<x.data_b) abort(); if (x.data+i>=x.data_e) abort(); … x.data[i] … }
Deputy Bounds Annotations struct { unsigned int len; int * count(len) data; } x; for(i = 0; i < x.len; i++) { if (i<0||i>=x.len) abort(); … x.data[i] … } • Annotations use existing bounds info in programs, or constants • Compiler emits runtime checks • No memory layout change Can be applied to one extension a time • Many checks can be optimized away
Deputy Features • Bounds: safe,count(n), bound(lo,hi) • Default: safe • Other annotations • Null terminated string/buffer • Tagged unions • Open arrays • Checks for printf() arguments • Automatic bounds variables for local variables reduced annotation burden