Singularity Reviewed an Operating System Challenging Common Concepts
|
|
- Steven O’Neal’
- 5 years ago
- Views:
Transcription
1 an Operating System Challenging Common Concepts by Lothar Schäfer Overview Singularity is a research operating system at Microsoft Research. The project started in 2003 and is the largest cross discipline project at Microsoft Research. It combines research in the fields of operating systems, networking, programming languages, programming tools and compilers. It s not intended for the commercial market. It should rather be seen as a test bed for trying out new ideas in operating system design, operating system concepts, program verification, compiler techniques and more. About 12 researchers are working full time and ca. 40 more are involved in the project. The projects two lead researchers are James Larus, concerned with programming languages, programming tools and parallel computation and Galen Hunt concerned with operating systems. Singularity is now at version 2, the research has spread from Microsoft Research to about six universities which became access to the source code. The following description is - due to the unavailable source code - based on several publications, presentations and papers from members of the singularity research team, which can all be downloaded from Beside the publications the site also contains some additional features like video presentations of Singularity s design concepts and architecture or links to web pages of several team members. 1 Introduction Every operating system embodies a collection of design decisions - some explicit, some implicit. These decisions include the choice of implementation language, the program protection model, the security model, the system abstractions, and many others. Contemporary operating systems like Windows, Linux, Mac OS X, and BSD - share a large number of design decisions. This commonality is not entirely accidental, as these systems are all rooted in OS architectures and development tools of the late 1960 s and early 1970 s. Given the common operating environments, the same programming language, and similar user expectations, it is not surprising that designers of these systems made similar decisions. While some design decisions have withstood the test of time, others have aged less gracefully [1]. Since then, computer science has changed in many ways. The machines became fast, the memory became cheap and computers are ubiquitous. On the other hand, the computing environment became malicious due to worms, viruses, scams, attacks and other bad surprises waiting around the corner [2]. So the design decisions should not be the same any longer, they need a change. To solve this problem, singularity has - from the beginning - been driven by the following question: What would a software platform look like if it was designed from scratch with the primary goal of dependability and trustworthiness? [1] Software dependability should in this case be understood as an amalgam of reliability, availability, safety, and security [3]. 1 / 8
2 Figure 1: Time of Detection or Correction It s possible to develop the above question into an actual approach, which is shown in figure 1. It states: Try to move as many sources of unreliability and their mitigation as far to the left as possible on the time axis. For example, moving the detection and correction of incorrect DLL binding from load time and run time to install time would eliminate DLL Hell [4]. To reach this goal, the Singularity project started with the following firm architectural principles: If the software fails, the system should not fail. The system should be self describing. Verify as many system aspects as possible. Those principles itself lead to three design issues: Use safe programming languages everywhere: A safe programming language ensures type safety and memory safety, where type safety ensures that the only operations applied to a value are those defined for instances of its type. Memory safety ensures the validity of memory references by preventing null pointer references, references outside an array s bounds, or references to deallocated memory. These properties can be partially verified by a compiler, but in some circumstances require run-time tests. Java and C# are expressive, safe programming languages that can be compiled with a small performance penalty for safety [5]. Improve system resilience despite software errors: The resilience can be improved by providing failure boundaries between components that permit part of a system to fail without compromising the whole. Another way to improve the resilience is to improve the extension model, which prevents kernel corruption through incorrect or malicious operations and inconsistent data after extension failure. If a failure happens the error notification should be explicit and cleanly propagated. Enable modular verification: This can be approached, if the system is made self-describing, so pieces can be examined in isolation. A program s behaviour could then be specified and checked at many levels of abstraction, and the automated analysis would become easier [2]. Figure 2: Interacting Improvements Figure 2 shows, that it is not possible to change one of these issues without globally affecting the others. 2 / 8
3 All mentioned design issues brought together end up in a new design choice that combines three key ideas. 2 Key Ideas The excessive use of safe programming languages enables the first key idea - Software Isolated Processes. Software Isolated Processes allow programs to run in their own software protected environment. On the other hand inter process communication cannot be done via shared memory. Doing this would break down the concept of a closed object space. The second key idea brings the solution to this problem - Contract Based Channels. The communication between Software Isolated Processes is done via Contract Based Channels, which enables the verification and control of messages between processes. Verification allows a process to interact with a second process only within predefined safety boundaries. The third key idea deals with applications running under singularity. In Singularity, an application consists of a manifest and a collection of resources. The manifest describes the application in terms of its resources and their dependencies. Although many existing setup descriptions combine declarative and imperative aspects, Singularity manifests contain only declarative statements that describe the desired state of the application after installation or update [6]. 2.1 Software Isolated Processes Software isolated processes (SIPs) use - as the name already implies - software verification, rather than hardware protection, to isolate portions of a system. They rely on verifying code s safe behavior to prevent it from accessing another process s (or the kernel s) instructions or data. A verifiably safe program can only access data that it allocated or was passed, and it cannot construct or corrupt a memory reference. In Singularity, all untrusted code that runs in a SIP must be verifiably safe. The SIP may also contain trusted, unverified code that cannot be expressed in a safe language, for example, parts of the language runtime, a memory allocator, or an accessor for memory-mapped I/O. The correctness and safety of this type of code needs to be verified by other means. Figure 3: Software Isolated Process A SIP is a closed object space that resides on a collection of memory pages exclusively owned by a process. An object space is the complete collection of objects reachable by a program at a point in its execution. Singularity ensures that two processes objects spaces are always disjoint. Since the code in the processes is safe, the only way in which one process could obtain a reference to another process s object is to be passed it (see figure 3). Singularity prevents crossprocess references by not providing shared memory and by using the language type system to prevent a process from sending an object reference through the interprocess communication mechanism [5]. To enable concurrency, SIPs contain Lightweight threads. All threads are kernel threads that are visible to the kernel s scheduler, which coordinates blocking operations. Singularity uses linked stacks to reduce thread memory overhead. These stacks grow on demand by adding non- 3 / 8
4 contiguous segments of 4K or more. The standard Singularity scheduler is optimized for a large number of threads that communicate frequently. SIPs are sealed code spaces. As a sealed process, a SIP cannot dynamically load or generate code into itself. Sealed processes demand a common extension mechanism for both the OS and applications: extension code can only execute in a new process, distinct from its host s SIP. Sealed processes offer a number of advantages. They increase the ability of program analysis tools to detect defects statically. They enable stronger security mechanisms, such as identifying a process by its code content. Context switches between SIPs have very low overhead as TLBs and virtually addressed caches need not be flushed. On termination, a SIP s resources can be efficiently reclaimed and its memory pages recycled without involving garbage collection. The low cost makes it practical to use SIPs as a fine-grain isolation and extension mechanism to replace the conventional mechanisms of hardware protected processes and unprotected dynamic code loading [1]. 2.2 Contract Based Channels In Singularity, all interprocess communication occurs through message passing across channels, which allows two processes to exchange data through an area of memory called the exchange heap. Messages in this heap are structs, not objects (i.e., they do not contain methods) and cannot contain object references. Messages, however, can contain references to exchange heap data, so it is possible to send structured data between processes. However, an object reference cannot be embedded in a message or sent between processes. Moreover, the system maintains the invariant that there exists at most one pointer to an item in the exchange heap. When a process sends a message, it loses its reference to the message, which is transferred to the receiving process (analogous to sending a letter by postal mail). Therefore, processes cannot use this heap as shared memory and messages can be exchanged through pointer passing, not copying [5]. The other significant difference that comes with CBCs is: communication across a channel is described by a channel contract. Figure 4: Example of a Channel Contract 4 / 8
5 Channel contracts are central to Singularity s isolation architecture and are directly supported in Singularity s programming language Sing#. Figure 4 shows an example contract describing a simple interaction on a channel. A contract consists of message declarations and a set of named protocol states. Message declarations state the number and types of arguments for each message and an optional message direction. Each state specifies the possible message sequences leading to other states in the state machine. So beside handling the message passing, a contract describes a state machine. This automatically delivers another advantage. Channels enable efficient and above all analyzable communication between SIPs. When combined with support for linear types, Singularity allows zero-copy exchange of large amounts of data between SIPs access channels. In addition, the Sing# compiler can statically verify that send and receive operations on channels never are applied in the wrong protocol state. A separate contract verifier can read a program s byte code and statically verify which contracts are used within a program and that the code conforms to the state machine described in the contract s protocol [1]. 2.3 Manifest Based Programs The third foundational architecture feature common to Singularity systems is the Manifest-Based Program (MBP). A MBP is a program defined by a static manifest. No code is allowed to run on a Singularity system without a manifest. In fact, to start execution, a user invokes a manifest, not an executable file as in other systems. A manifest describes an MBP s code resources, its required system resources, its desired capabilities, and its dependencies on other programs. When an MBP is installed on a system, the manifest is used to identify and verify that the MBP s code meets all required safety properties, to ensure that all of the MBP s system dependencies can be met, and to prevent the installation of the MBP from interfering with the execution of any previously installed MBPs. Before execution, the manifest is used to discover the configuration parameters affecting the MBP and restrictions on those configuration parameters. When an MBP is invoked, the manifest guides the placement of code into a SIP for execution, the connection of channels between the new SIP and other SIPs, and the granting of access to system resources by the SIP. Figure 5: A Program Manifest 5 / 8
6 A manifest is more than just a description of a program or an inventory of a SIP s code content; it is a machine-checkable, declarative expression of the MBP s expected behavior. The primary purpose of the manifest is to allow static and dynamic verification of properties of the MBP. For example, the manifest of a device driver provides sufficient information to allow installtime verification that the driver will not access hardware used by a previously installed device driver [1]. To facilitate static verification of as many run-time properties as possible, code for Singularity MBPs is delivered to the system as compiled Microsoft Intermediate Language (MSIL) binaries. MSIL is the CPU-independent instruction set accepted by the Microsoft Common Language Runtime. Every component in Singularity is described by a manifest, including the kernel, device drivers, and user applications. This is especially helpful in creating self-describing device drivers with verifiable hardware access properties [1]. 3 Architecture Singularity is a microkernel architecture (which is not entirely true, because in version 2, it s possible to merge software isolation and hardware protection into a hybrid system) nearly entirely written in Sing#, which is an extension to the Spec# language developed in Microsoft Research. Spec# itself is an extension to Microsoft s C# language that provides constructs (preand post-conditions and object invariants) for specifying program behavior. Figure 6 depicts the architecture of the Singularity OS, which is built around three key abstractions: a kernel, softwareisolated processes, and channels. The kernel provides the core functionality of the system, including memory management, process creation and termination, channel operations, scheduling, and I/O. Like other microkernels, most of the system s functionality and extensibility exist in processes outside of the kernel. Figure 6: System Architecture A Singularity system lives in a single virtual address space. Virtual memory hardware is used to protect pages, for example by mapping out the first 16K of address space to trap null pointer references. Within a Singularity system, the address space is logically partitioned into: a kernel object space, an object space for each process, and the Exchange Heap for channel data (see Contract Based Channels). A pervasive design decision is the memory independence invariant: cross-object space pointers only point into the Exchange Heap. In particular, the kernel does not have pointers into a process s object space, nor does one process have a pointer to another process objects. This invariant ensures that each process can be garbage collected and terminated without the cooperation of other processes. Each process has its own runtime system, with its own memory layout, garbage collection algorithm, and libraries. Because of memory independence, a runtime can be tailored to meet the needs of a computation. Garbage collection is an essential component of most safe languages, as it prevents memory deallocation errors that 6 / 8
7 can subvert safety guarantees. In Singularity, the kernel and processes object spaces are garbage collected. The kernel and each SIP has its own collector that is solely responsible for collection of objects in the object space. From the garbage collector s perspective, when a thread of control enters or leaves an application (or the kernel) it is treated similarly to a call to or a call-back from native code in conventional garbage collected environments. Garbage collection for different object spaces can therefore be scheduled and run completely independently. Singularity processes communicate exclusively by sending messages over channels, which are a bidirectional, behaviorally typed connection between two processes. When data is sent over a channel, ownership passes from the sending process, which may not retain a reference to the message, to the receiving process. This ownership invariant is enforced by the language and run-time systems, and serves three purposes. In addition to the usual mechanism of message-passing channels, processes communicate with the kernel through a strongly versioned application binary interface (ABI) that invokes static methods in kernel code. The ABI ensures a minimal, secure, and isolated computation environment for each SIP. So this interface (with about 192 methods) also follows the design of the rest of the system and isolates the kernel and process object spaces. All parameters to this ABI are values, not pointers, so the kernel and process s garbage collectors need not coordinate. The ABI maintains the system-wide state isolation invariant: a process cannot alter the state of another process using the ABI (with only two exceptions) [6]. 4 Verification Since the integrity of the SIPs depends on language safety and on a system-wide invariant that a process does not hold a reference into another process s object space, it s obvious, that Singularity relies on verification. Verifying that code executed in Singularity is type safe and satisfies the memory independence invariants is a three-stage process, depicted in figure 7. The Sing# compiler checks type safety, ownership rules, and protocol conformance during compilation. The Singularity verifier checks these same properties on the generated MSIL code. Finally, the back-end compiler should - but does not as yet - produce a form of typed assembly language that enables these properties to be checked on compiled code yet again by the operating system. One could argue that only the final stage is strictly necessary for safety. This is of course literally true, but in practice, programmers benefit from finding mistakes as early as possible and from having the errors explained completely, at a high level [6]. Figure 7: Compilation Pipeline 7 / 8
8 Summary Singularity is a microkernel operating system that uses advances in programming languages and compilers to build lightweight, software isolated processes, which provide code with protection and failure isolation at lower overhead than conventional, hardware supported processes. Singularity provides an isolation boundary by running verifiably safe programs and by preventing object pointers from passing between processes object spaces. SIPs, in turn, enable a new solution to the problem of code extension in systems and applications. In Singularity s model, extensions are not loaded into their parent process, but instead run in their own process and communicate over strongly typed channels. This model fixes some of the major problems with extensions, since in Singularity, they cannot directly access their parents data or interfaces, and, if they fail, they can be easily terminated by killing their parents. Singularity is above all a laboratory for exploring interactions among system architecture, programming languages, compilers, specification, and verification. Advances in each of these areas enable and reinforce advances in the others domains, which limits the benefit and impact of studying an area in isolation. Singularity is small and well structured, so it is possible to make changes that span the arbitrary boundaries between these domains. At the same time, it is large and realistic enough to demonstrate the practical advantages of new techniques [6]. Bibliography [1] Singularity: Rethinking the Software Stack, Galen C. Hunt, James R. Larus, Operating Systems Review, Vol. 41, Iss. 2, pp , April [2] Singularity: Rethinking the Software Stack, James R. Larus, Distinguished Lecture, University of Pennsylvania, November [3] {End Bracket} Singularity, James R. Larus, Galen C. Hunt, and David Tarditi. MSDN Magazine, Vol. 21, No. 7, p. 172, Microsoft Corporation, Redmond, WA, June [4] Singularity Design Motivation (STR 1), Galen C. Hunt and James R. Larus, Microsoft Research Technical Report MSR-TR , Microsoft Corporation, Redmond, WA, December [5] Deconstructing Process Isolation, Mark Aiken, Manuel Fähndrich, Chris Hawblitzel Galen C. Hunt, and James R. Larus. ACM SIGPLAN Workshop on Memory Systems Correctness and Performance (MSPC 2006) at ASPLOS 2006, San Jose, CA, October [6] An Overview of the Singularity Project, Galen C. Hunt, James R. Larus a.o., Microsoft Research Technical Report MSR-TR , Microsoft Corporation, Redmond, WA, October [7] Singularity Overview, Galen C. Hunt and James R. Larus, Microsoft Research Faculty Summit, July Table of Figures Figure 1: Time of Detection or Correction Source: Singularity Design Motivation (STR 1), Galen C. Hunt and James R. Larus, Microsoft Research Technical Report MSR-TR , Microsoft Corporation, December 2004, p.3. Figure 2: Interacting Improvements Pennsylvania, November 2006, p.6. Figure 3: Software Isolated Process Pennsylvania, November 2006, p.10. Figure 4: Example of a Channel Contract Pennsylvania, November 2006, p.31. Figure 5: A Program Manifest Pennsylvania, November 2006, p.31. Figure 6: System Architecture Pennsylvania, November 2006, p.30. Figure 7: Compilation Pipeline Singularity Overview, Galen C. Hunt and James R. Larus, Microsoft Research Faculty Summit, July 2006, p.28 8 / 8
Using the Singularity Research Development Kit
Using the Research Development Kit James Larus & Galen Hunt Microsoft Research ASPLOS 08 Tutorial March 1, 2008 Outline Overview (Jim) Rationale & key decisions architecture Details (Galen) Safe Languages
More informationSingularity Technical Report 1: Singularity Design Motivation
Singularity Technical Report 1: Singularity Design Motivation Galen C. Hunt James R. Larus December 17, 2004 MSR-TR-2004-105 Microsoft Research Microsoft Corporation One Microsoft Way Redmond, WA 98052
More information6.828: OS/Language Co-design. Adam Belay
6.828: OS/Language Co-design Adam Belay Singularity An experimental research OS at Microsoft in the early 2000s Many people and papers, high profile project Influenced by experiences at
More informationOperating System Architecture. CS3026 Operating Systems Lecture 03
Operating System Architecture CS3026 Operating Systems Lecture 03 The Role of an Operating System Service provider Provide a set of services to system users Resource allocator Exploit the hardware resources
More informationSingularity Part 2. Jeff Chase
Singularity Part 2 Jeff Chase Today Singularity: abstractions How do processes interact? Communicate / share Combine (De)compose Extend How to invoke the kernel? User processes / VAS / segments kernel
More informationSPIN Operating System
SPIN Operating System Motivation: general purpose, UNIX-based operating systems can perform poorly when the applications have resource usage patterns poorly handled by kernel code Why? Current crop of
More informationInfluential OS Research Security. Michael Raitza
Influential OS Research Security Michael Raitza raitza@os.inf.tu-dresden.de 1 Security recap Various layers of security Application System Communication Aspects of security Access control / authorization
More informationSealing OS Processes to Improve Dependability and Security
Sealing OS Processes to Improve Dependability and Security Galen Hunt, Mark Aiken, Paul Barham, Manuel Fähndrich, Chris Hawblitzel, Orion Hodson, James Larus, Steven Levi, Nick Murphy, Bjarne Steensgaard,
More informationLecture Notes on Memory Layout
Lecture Notes on Memory Layout 15-122: Principles of Imperative Computation Frank Pfenning André Platzer Lecture 11 1 Introduction In order to understand how programs work, we can consider the functions,
More informationOutline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution
Outline V22.0202-001 Computer Systems Organization II (Honors) (Introductory Operating Systems) Lecture 21 Language-Based Protection Security April 29, 2002 Announcements Lab 6 due back on May 6th Final
More informationAgenda Process Concept Process Scheduling Operations on Processes Interprocess Communication 3.2
Lecture 3: Processes Agenda Process Concept Process Scheduling Operations on Processes Interprocess Communication 3.2 Process in General 3.3 Process Concept Process is an active program in execution; process
More informationCS533 Concepts of Operating Systems. Jonathan Walpole
CS533 Concepts of Operating Systems Jonathan Walpole Lightweight Remote Procedure Call (LRPC) Overview Observations Performance analysis of RPC Lightweight RPC for local communication Performance Remote
More informationProblem. Context. Hash table
Problem In many problems, it is natural to use Hash table as their data structures. How can the hash table be efficiently accessed among multiple units of execution (UEs)? Context Hash table is used when
More informationOPERATING SYSTEM. Chapter 4: Threads
OPERATING SYSTEM Chapter 4: Threads Chapter 4: Threads Overview Multicore Programming Multithreading Models Thread Libraries Implicit Threading Threading Issues Operating System Examples Objectives To
More informationOS Design Approaches. Roadmap. OS Design Approaches. Tevfik Koşar. Operating System Design and Implementation
CSE 421/521 - Operating Systems Fall 2012 Lecture - II OS Structures Roadmap OS Design and Implementation Different Design Approaches Major OS Components!! Memory management! CPU Scheduling! I/O Management
More informationHigh-Level Language VMs
High-Level Language VMs Outline Motivation What is the need for HLL VMs? How are these different from System or Process VMs? Approach to HLL VMs Evolutionary history Pascal P-code Object oriented HLL VMs
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationGeneral Purpose GPU Programming. Advanced Operating Systems Tutorial 7
General Purpose GPU Programming Advanced Operating Systems Tutorial 7 Tutorial Outline Review of lectured material Key points Discussion OpenCL Future directions 2 Review of Lectured Material Heterogeneous
More informationELEC 377 Operating Systems. Week 1 Class 2
Operating Systems Week 1 Class 2 Labs vs. Assignments The only work to turn in are the labs. In some of the handouts I refer to the labs as assignments. There are no assignments separate from the labs.
More informationOperating Systems (2INC0) 2017/18
Operating Systems (2INC0) 2017/18 Memory Management (09) Dr. Courtesy of Dr. I. Radovanovic, Dr. R. Mak (figures from Bic & Shaw) System Architecture and Networking Group Agenda Reminder: OS & resources
More informationCSC Operating Systems Fall Lecture - II OS Structures. Tevfik Ko!ar. Louisiana State University. August 27 th, 2009.
CSC 4103 - Operating Systems Fall 2009 Lecture - II OS Structures Tevfik Ko!ar Louisiana State University August 27 th, 2009 1 Announcements TA Changed. New TA: Praveenkumar Kondikoppa Email: pkondi1@lsu.edu
More informationAnnouncements. Computer System Organization. Roadmap. Major OS Components. Processes. Tevfik Ko!ar. CSC Operating Systems Fall 2009
CSC 4103 - Operating Systems Fall 2009 Lecture - II OS Structures Tevfik Ko!ar TA Changed. New TA: Praveenkumar Kondikoppa Email: pkondi1@lsu.edu Announcements All of you should be now in the class mailing
More informationCSE 4/521 Introduction to Operating Systems. Lecture 29 Windows 7 (History, Design Principles, System Components, Programmer Interface) Summer 2018
CSE 4/521 Introduction to Operating Systems Lecture 29 Windows 7 (History, Design Principles, System Components, Programmer Interface) Summer 2018 Overview Objective: To explore the principles upon which
More informationRun-Time Environments/Garbage Collection
Run-Time Environments/Garbage Collection Department of Computer Science, Faculty of ICT January 5, 2014 Introduction Compilers need to be aware of the run-time environment in which their compiled programs
More informationa A secure, field upgradeable operating system architecture for Blackfin Microprocessors
a A secure, field upgradeable operating system architecture for Blackfin Microprocessors ABSTRACT David N. Kleidermacher Green Hills Software, Inc. 30 W. Sola St. Santa Barbara, CA 93101, USA davek@ghs.com
More informationAutonomous Garbage Collection: Resolve Memory
Autonomous Garbage Collection: Resolve Memory Leaks In Long Running Server Applications Brian Willard willabr@mail.northgrum.com Ophir Frieder ophir@csam.iit.edu Electronics and Systems Integration Division
More informationOperating Systems. Memory Management. Lecture 9 Michael O Boyle
Operating Systems Memory Management Lecture 9 Michael O Boyle 1 Memory Management Background Logical/Virtual Address Space vs Physical Address Space Swapping Contiguous Memory Allocation Segmentation Goals
More informationOperating System Security
Operating System Security Operating Systems Defined Hardware: I/o...Memory.CPU Operating Systems: Windows or Android, etc Applications run on operating system Operating Systems Makes it easier to use resources.
More informationRun-time Environments
Run-time Environments Status We have so far covered the front-end phases Lexical analysis Parsing Semantic analysis Next come the back-end phases Code generation Optimization Register allocation Instruction
More informationRun-time Environments
Run-time Environments Status We have so far covered the front-end phases Lexical analysis Parsing Semantic analysis Next come the back-end phases Code generation Optimization Register allocation Instruction
More informationExokernel: An Operating System Architecture for Application Level Resource Management
Exokernel: An Operating System Architecture for Application Level Resource Management Dawson R. Engler, M. Frans Kaashoek, and James O'Tool Jr. M.I.T Laboratory for Computer Science Cambridge, MA 02139,
More informationCS558 Programming Languages
CS558 Programming Languages Fall 2016 Lecture 3a Andrew Tolmach Portland State University 1994-2016 Formal Semantics Goal: rigorous and unambiguous definition in terms of a wellunderstood formalism (e.g.
More informationIdentity-based Access Control
Identity-based Access Control The kind of access control familiar from operating systems like Unix or Windows based on user identities This model originated in closed organisations ( enterprises ) like
More informationPROCESS VIRTUAL MEMORY. CS124 Operating Systems Winter , Lecture 18
PROCESS VIRTUAL MEMORY CS124 Operating Systems Winter 2015-2016, Lecture 18 2 Programs and Memory Programs perform many interactions with memory Accessing variables stored at specific memory locations
More informationLecture 15 Designing Trusted Operating Systems
Lecture 15 Designing Trusted Operating Systems Thierry Sans 15-349: Introduction to Computer and Network Security Anatomy of an operating system Concept of Kernel Definition Component that provides an
More informationCCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs
CCured Type-Safe Retrofitting of C Programs [Necula, McPeak,, Weimer, Condit, Harren] #1 One-Slide Summary CCured enforces memory safety and type safety in legacy C programs. CCured analyzes how you use
More informationSecuring Untrusted Code
Securing Untrusted Code Untrusted Code May be untrustworthy Intended to be benign, but may be full of vulnerabilities These vulnerabilities may be exploited by attackers (or other malicious processes)
More informationCMSC 330: Organization of Programming Languages
CMSC 330: Organization of Programming Languages Memory Management and Garbage Collection CMSC 330 Spring 2017 1 Memory Attributes Memory to store data in programming languages has the following lifecycle
More informationOS and Computer Architecture. Chapter 3: Operating-System Structures. Common System Components. Process Management
Last class: OS and Architecture OS and Computer Architecture OS Service Protection Interrupts System Calls IO Scheduling Synchronization Virtual Memory Hardware Support Kernel/User Mode Protected Instructions
More informationStackVsHeap SPL/2010 SPL/20
StackVsHeap Objectives Memory management central shared resource in multiprocessing RTE memory models that are used in Java and C++ services for Java/C++ programmer from RTE (JVM / OS). Perspectives of
More informationHeap, Variables, References, and Garbage. CS152. Chris Pollett. Oct. 13, 2008.
Heap, Variables, References, and Garbage. CS152. Chris Pollett. Oct. 13, 2008. Outline. Dynamic Allocation. Variables and Constants. Aliases and Problems. Garbage. Introduction. On Wednesday, we were talking
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationMain Memory CHAPTER. Exercises. 7.9 Explain the difference between internal and external fragmentation. Answer:
7 CHAPTER Main Memory Exercises 7.9 Explain the difference between internal and external fragmentation. a. Internal fragmentation is the area in a region or a page that is not used by the job occupying
More informationSustainable Memory Use Allocation & (Implicit) Deallocation (mostly in Java)
COMP 412 FALL 2017 Sustainable Memory Use Allocation & (Implicit) Deallocation (mostly in Java) Copyright 2017, Keith D. Cooper & Zoran Budimlić, all rights reserved. Students enrolled in Comp 412 at Rice
More informationReal-Time and Embedded Systems (M) Lecture 19
Low-Level/Embedded Programming Real-Time and Embedded Systems (M) Lecture 19 Lecture Outline Hardware developments Implications on system design Low-level programming Automatic memory management Timing
More informationBinding and Storage. COMP 524: Programming Language Concepts Björn B. Brandenburg. The University of North Carolina at Chapel Hill
Binding and Storage Björn B. Brandenburg The University of North Carolina at Chapel Hill Based in part on slides and notes by S. Olivier, A. Block, N. Fisher, F. Hernandez-Campos, and D. Stotts. What s
More informationIronclad C++ A Library-Augmented Type-Safe Subset of C++
Ironclad C++ A Library-Augmented Type-Safe Subset of C++ Christian DeLozier, Richard Eisenberg, Peter-Michael Osera, Santosh Nagarakatte*, Milo M. K. Martin, and Steve Zdancewic October 30, 2013 University
More informationCS 5523 Operating Systems: Midterm II - reivew Instructor: Dr. Tongping Liu Department Computer Science The University of Texas at San Antonio
CS 5523 Operating Systems: Midterm II - reivew Instructor: Dr. Tongping Liu Department Computer Science The University of Texas at San Antonio Fall 2017 1 Outline Inter-Process Communication (20) Threads
More informationOpal. Robert Grimm New York University
Opal Robert Grimm New York University The Three Questions What is the problem? What is new or different? What are the contributions and limitations? The Three Questions What is the problem? Applications
More informationBasic Memory Management. Basic Memory Management. Address Binding. Running a user program. Operating Systems 10/14/2018 CSC 256/456 1
Basic Memory Management Program must be brought into memory and placed within a process for it to be run Basic Memory Management CS 256/456 Dept. of Computer Science, University of Rochester Mono-programming
More informationGlossary. abort. application schema
Glossary abort An abnormal termination of a transaction. When a transaction aborts, its changes to the database are erased, and the database is effectively restored to its state as of the moment the transaction
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationWhen Java technology burst onto the Internet scene in 1995,
MOBILE CODE SECURITY SECURE JAVA CLASS LOADING The class loading mechanism, LI GONG Sun Microsystems central to Java, plays a key role in JDK 1.2 by enabling When Java technology burst onto the Internet
More informationShort Notes of CS201
#includes: Short Notes of CS201 The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with < and > if the file is a system
More informationG Programming Languages - Fall 2012
G22.2110-003 Programming Languages - Fall 2012 Lecture 2 Thomas Wies New York University Review Last week Programming Languages Overview Syntax and Semantics Grammars and Regular Expressions High-level
More informationExploiting the Behavior of Generational Garbage Collector
Exploiting the Behavior of Generational Garbage Collector I. Introduction Zhe Xu, Jia Zhao Garbage collection is a form of automatic memory management. The garbage collector, attempts to reclaim garbage,
More informationCS201 - Introduction to Programming Glossary By
CS201 - Introduction to Programming Glossary By #include : The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with
More informationAddress spaces and memory management
Address spaces and memory management Review of processes Process = one or more threads in an address space Thread = stream of executing instructions Address space = memory space used by threads Address
More informationPart 1: Introduction to device drivers Part 2: Overview of research on device driver reliability Part 3: Device drivers research at ERTOS
Some statistics 70% of OS code is in device s 3,448,000 out of 4,997,000 loc in Linux 2.6.27 A typical Linux laptop runs ~240,000 lines of kernel code, including ~72,000 loc in 36 different device s s
More informationHardware-Supported Pointer Detection for common Garbage Collections
2013 First International Symposium on Computing and Networking Hardware-Supported Pointer Detection for common Garbage Collections Kei IDEUE, Yuki SATOMI, Tomoaki TSUMURA and Hiroshi MATSUO Nagoya Institute
More informationChapter 4: Threads. Chapter 4: Threads
Chapter 4: Threads Silberschatz, Galvin and Gagne 2013 Chapter 4: Threads Overview Multicore Programming Multithreading Models Thread Libraries Implicit Threading Threading Issues Operating System Examples
More informationCS 261 Fall Mike Lam, Professor. Virtual Memory
CS 261 Fall 2016 Mike Lam, Professor Virtual Memory Topics Operating systems Address spaces Virtual memory Address translation Memory allocation Lingering questions What happens when you call malloc()?
More informationGeneral Objective:To understand the basic memory management of operating system. Specific Objectives: At the end of the unit you should be able to:
F2007/Unit6/1 UNIT 6 OBJECTIVES General Objective:To understand the basic memory management of operating system Specific Objectives: At the end of the unit you should be able to: define the memory management
More informationLecture Notes on Garbage Collection
Lecture Notes on Garbage Collection 15-411: Compiler Design Frank Pfenning Lecture 21 November 4, 2014 These brief notes only contain a short overview, a few pointers to the literature with detailed descriptions,
More informationCompiler Construction D7011E
Compiler Construction D7011E Lecture 14: Memory Management Viktor Leijon Slides largely by Johan Nordlander with material generously provided by Mark P. Jones. 1 First: Run-time Systems 2 The Final Component:
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationCMSC 330: Organization of Programming Languages
CMSC 330: Organization of Programming Languages Memory Management and Garbage Collection CMSC 330 - Spring 2013 1 Memory Attributes! Memory to store data in programming languages has the following lifecycle
More informationMachine-Independent Virtual Memory Management for Paged June Uniprocessor 1st, 2010and Multiproce 1 / 15
Machine-Independent Virtual Memory Management for Paged Uniprocessor and Multiprocessor Architectures Matthias Lange TU Berlin June 1st, 2010 Machine-Independent Virtual Memory Management for Paged June
More informationBasic Memory Management
Basic Memory Management CS 256/456 Dept. of Computer Science, University of Rochester 10/15/14 CSC 2/456 1 Basic Memory Management Program must be brought into memory and placed within a process for it
More informationCS 536 Introduction to Programming Languages and Compilers Charles N. Fischer Lecture 11
CS 536 Introduction to Programming Languages and Compilers Charles N. Fischer Lecture 11 CS 536 Spring 2015 1 Handling Overloaded Declarations Two approaches are popular: 1. Create a single symbol table
More informationSpecial Topics: Programming Languages
Lecture #23 0 V22.0490.001 Special Topics: Programming Languages B. Mishra New York University. Lecture # 23 Lecture #23 1 Slide 1 Java: History Spring 1990 April 1991: Naughton, Gosling and Sheridan (
More informationMemory Management Basics
Memory Management Basics 1 Basic Memory Management Concepts Address spaces! Physical address space The address space supported by the hardware Ø Starting at address 0, going to address MAX sys! MAX sys!!
More informationWhat s An OS? Cyclic Executive. Interrupts. Advantages Simple implementation Low overhead Very predictable
What s An OS? Provides environment for executing programs Process abstraction for multitasking/concurrency scheduling Hardware abstraction layer (device drivers) File systems Communication Do we need an
More informationUNIT 5 - UML STATE DIAGRAMS AND MODELING
UNIT 5 - UML STATE DIAGRAMS AND MODELING UML state diagrams and modeling - Operation contracts- Mapping design to code UML deployment and component diagrams UML state diagrams: State diagrams are used
More informationMemory: Overview. CS439: Principles of Computer Systems February 26, 2018
Memory: Overview CS439: Principles of Computer Systems February 26, 2018 Where We Are In the Course Just finished: Processes & Threads CPU Scheduling Synchronization Next: Memory Management Virtual Memory
More informationChapter 8 Virtual Memory
Operating Systems: Internals and Design Principles Chapter 8 Virtual Memory Seventh Edition William Stallings Operating Systems: Internals and Design Principles You re gonna need a bigger boat. Steven
More informationChapter 3: Operating-System Structures
Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System Design and Implementation System Generation 3.1
More informationMain Points of the Computer Organization and System Software Module
Main Points of the Computer Organization and System Software Module You can find below the topics we have covered during the COSS module. Reading the relevant parts of the textbooks is essential for a
More informationDynamic Storage Allocation
6.172 Performance Engineering of Software Systems LECTURE 10 Dynamic Storage Allocation Charles E. Leiserson October 12, 2010 2010 Charles E. Leiserson 1 Stack Allocation Array and pointer A un Allocate
More information1 Publishable Summary
1 Publishable Summary 1.1 VELOX Motivation and Goals The current trend in designing processors with multiple cores, where cores operate in parallel and each of them supports multiple threads, makes the
More informationVirtualization and memory hierarchy
Virtualization and memory hierarchy Computer Architecture J. Daniel García Sánchez (coordinator) David Expósito Singh Francisco Javier García Blas ARCOS Group Computer Science and Engineering Department
More informationCS558 Programming Languages
CS558 Programming Languages Winter 2017 Lecture 4a Andrew Tolmach Portland State University 1994-2017 Semantics and Erroneous Programs Important part of language specification is distinguishing valid from
More informationChapter 4: Threads. Operating System Concepts 9 th Edit9on
Chapter 4: Threads Operating System Concepts 9 th Edit9on Silberschatz, Galvin and Gagne 2013 Chapter 4: Threads 1. Overview 2. Multicore Programming 3. Multithreading Models 4. Thread Libraries 5. Implicit
More informationStudent Name:.. Student ID... Course Code: CSC 227 Course Title: Semester: Fall Exercises Cover Sheet:
King Saud University College of Computer and Information Sciences Computer Science Department Course Code: CSC 227 Course Title: Operating Systems Semester: Fall 2016-2017 Exercises Cover Sheet: Final
More informationKakadu and Java. David Taubman, UNSW June 3, 2003
Kakadu and Java David Taubman, UNSW June 3, 2003 1 Brief Summary The Kakadu software framework is implemented in C++ using a fairly rigorous object oriented design strategy. All classes which are intended
More informationName, Scope, and Binding. Outline [1]
Name, Scope, and Binding In Text: Chapter 3 Outline [1] Variable Binding Storage bindings and lifetime Type bindings Type Checking Scope Lifetime vs. Scope Referencing Environments N. Meng, S. Arthur 2
More informationAOSA - Betriebssystemkomponenten und der Aspektmoderatoransatz
AOSA - Betriebssystemkomponenten und der Aspektmoderatoransatz Results obtained by researchers in the aspect-oriented programming are promoting the aim to export these ideas to whole software development
More informationProgramming Languages Third Edition. Chapter 7 Basic Semantics
Programming Languages Third Edition Chapter 7 Basic Semantics Objectives Understand attributes, binding, and semantic functions Understand declarations, blocks, and scope Learn how to construct a symbol
More informationLecture Notes on Garbage Collection
Lecture Notes on Garbage Collection 15-411: Compiler Design André Platzer Lecture 20 1 Introduction In the previous lectures we have considered a programming language C0 with pointers and memory and array
More informationLecture Notes on Advanced Garbage Collection
Lecture Notes on Advanced Garbage Collection 15-411: Compiler Design André Platzer Lecture 21 November 4, 2010 1 Introduction More information on garbage collection can be found in [App98, Ch 13.5-13.7]
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationA STUDY IN THE INTEGRATION OF COMPUTER ALGEBRA SYSTEMS: MEMORY MANAGEMENT IN A MAPLE ALDOR ENVIRONMENT
A STUDY IN THE INTEGRATION OF COMPUTER ALGEBRA SYSTEMS: MEMORY MANAGEMENT IN A MAPLE ALDOR ENVIRONMENT STEPHEN M. WATT ONTARIO RESEARCH CENTER FOR COMPUTER ALGEBRA UNIVERSITY OF WESTERN ONTARIO LONDON
More informationProcess size is independent of the main memory present in the system.
Hardware control structure Two characteristics are key to paging and segmentation: 1. All memory references are logical addresses within a process which are dynamically converted into physical at run time.
More informationChapter 4: Threads. Operating System Concepts 9 th Edition
Chapter 4: Threads Silberschatz, Galvin and Gagne 2013 Chapter 4: Threads Overview Multicore Programming Multithreading Models Thread Libraries Implicit Threading Threading Issues Operating System Examples
More informationOS Extensibility: SPIN and Exokernels. Robert Grimm New York University
OS Extensibility: SPIN and Exokernels Robert Grimm New York University The Three Questions What is the problem? What is new or different? What are the contributions and limitations? OS Abstraction Barrier
More informationOperating System. Operating System Overview. Structure of a Computer System. Structure of a Computer System. Structure of a Computer System
Overview Chapter 1.5 1.9 A program that controls execution of applications The resource manager An interface between applications and hardware The extended machine 1 2 Structure of a Computer System Structure
More informationManual Allocation. CS 1622: Garbage Collection. Example 1. Memory Leaks. Example 3. Example 2 11/26/2012. Jonathan Misurda
Manual llocation Dynamic memory allocation is an obvious necessity in a programming environment. S 1622: Garbage ollection Many programming languages expose some functions or keywords to manage runtime
More informationCMSC 330: Organization of Programming Languages. Memory Management and Garbage Collection
CMSC 330: Organization of Programming Languages Memory Management and Garbage Collection CMSC330 Fall 2018 1 Memory Attributes Memory to store data in programming languages has the following lifecycle
More informationARM Security Solutions and Numonyx Authenticated Flash
ARM Security Solutions and Numonyx Authenticated Flash How to integrate Numonyx Authenticated Flash with ARM TrustZone* for maximum system protection Introduction Through a combination of integrated hardware
More informationFILE SYSTEMS. CS124 Operating Systems Winter , Lecture 23
FILE SYSTEMS CS124 Operating Systems Winter 2015-2016, Lecture 23 2 Persistent Storage All programs require some form of persistent storage that lasts beyond the lifetime of an individual process Most
More information