Using the Singularity Research Development Kit

Similar documents
Singularity: Designing Be1er So3ware

Abolish Runtime Systems!

Singularity Reviewed an Operating System Challenging Common Concepts

6.828: OS/Language Co-design. Adam Belay

Singularity Technical Report 1: Singularity Design Motivation

High-Level Language VMs

Sealing OS Processes to Improve Dependability and Security

Agenda. Threads. Single and Multi-threaded Processes. What is Thread. CSCI 444/544 Operating Systems Fall 2008

Chapter 2. Operating-System Structures

Last class: OS and Architecture. OS and Computer Architecture

Last class: OS and Architecture. Chapter 3: Operating-System Structures. OS and Computer Architecture. Common System Components

Chapter 3: Operating-System Structures

OS and Computer Architecture. Chapter 3: Operating-System Structures. Common System Components. Process Management

Chapter 1 GETTING STARTED. SYS-ED/ Computer Education Techniques, Inc.

The Singularity System

Singularity Part 2. Jeff Chase

JDK 9/10/11 and Garbage Collection

JamaicaVM Java for Embedded Realtime Systems

Introduction. CS3026 Operating Systems Lecture 01

Operating Systems. Operating System Structure. Lecture 2 Michael O Boyle

Operating System Architecture. CS3026 Operating Systems Lecture 03

Full file at

Cloud Programming James Larus Microsoft Research. July 13, 2010

Parley: Federated Virtual Machines

Chapter 3: Operating-System Structures

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

Chapter 3: Operating-System Structures

CSE P 501 Compilers. Java Implementation JVMs, JITs &c Hal Perkins Winter /11/ Hal Perkins & UW CSE V-1

Chapter 1 INTRODUCTION SYS-ED/ COMPUTER EDUCATION TECHNIQUES, INC.

Four Components of a Computer System

Java Internals. Frank Yellin Tim Lindholm JavaSoft

Operating System. Operating System Overview. Structure of a Computer System. Structure of a Computer System. Structure of a Computer System

CSE P 501 Compilers. Memory Management and Garbage Collec<on Hal Perkins Winter UW CSE P 501 Winter 2016 W-1

1 System & Activities

Chapter 2: Operating-System Structures

What s An OS? Cyclic Executive. Interrupts. Advantages Simple implementation Low overhead Very predictable

The Slide does not contain all the information and cannot be treated as a study material for Operating System. Please refer the text book for exams.

Managed runtimes & garbage collection. CSE 6341 Some slides by Kathryn McKinley

Advanced Object-Oriented Programming Introduction to OOP and Java

Windows Java address space

Operating- System Structures

L4/Darwin: Evolving UNIX. Charles Gray Research Engineer, National ICT Australia

Managed runtimes & garbage collection

Chapter 2: Operating-System Structures. Operating System Concepts 9 th Edition

Lecture Notes on Garbage Collection

StackVsHeap SPL/2010 SPL/20

JAVA PERFORMANCE. PR SW2 S18 Dr. Prähofer DI Leopoldseder

Memory Allocation. Static Allocation. Dynamic Allocation. Dynamic Storage Allocation. CS 414: Operating Systems Spring 2008

Nooks. Robert Grimm New York University

KESO Functional Safety and the Use of Java in Embedded Systems

Chapter 2: Operating-System Structures. Operating System Concepts 9 th Edit9on

Process. Operating Systems (Fall/Winter 2018) Yajin Zhou ( Zhejiang University

A new Mono GC. Paolo Molaro October 25, 2006

Operating-System Structures

Chapter 2: Operating-System Structures. Operating System Concepts 8 th Edition

The Z Garbage Collector Low Latency GC for OpenJDK

Windows History 2009 Windows 7 2

CHAPTER 2: SYSTEM STRUCTURES. By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

Influential OS Research Security. Michael Raitza

6.033 Spring Lecture #6. Monolithic kernels vs. Microkernels Virtual Machines spring 2018 Katrina LaCurts

Disco. CS380L: Mike Dahlin. September 13, This week: Disco and Exokernel. One lesson: If at first you don t succeed, try try again.

Operating System: Chap2 OS Structure. National Tsing-Hua University 2016, Fall Semester

DNWSH - Version: 2.3..NET Performance and Debugging Workshop

Lecture 1 Introduction to Android. App Development for Mobile Devices. App Development for Mobile Devices. Announcement.

OS Structure. Kevin Webb Swarthmore College January 25, Relevant xkcd:

SECOMP Efficient Formally Secure Compilers to a Tagged Architecture. Cătălin Hrițcu INRIA Paris

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Windows Persistent Memory Support

New programming language introduced by Microsoft contained in its.net technology Uses many of the best features of C++, Java, Visual Basic, and other

Agenda. CSE P 501 Compilers. Java Implementation Overview. JVM Architecture. JVM Runtime Data Areas (1) JVM Data Types. CSE P 501 Su04 T-1

Operating System Services. User Services. System Operation Services. User Operating System Interface - CLI. A View of Operating System Services

Autonomous Garbage Collection: Resolve Memory

Chapter 4: Threads. Overview Multithreading Models Thread Libraries Threading Issues Operating System Examples Windows XP Threads Linux Threads

Operating Systems. Designed and Presented by Dr. Ayman Elshenawy Elsefy

Windows 7 Overview. Windows 7. Objectives. The History of Windows. CS140M Fall Lake 1

Field Analysis. Last time Exploit encapsulation to improve memory system performance

Fiji VM Safety Critical Java

Last 2 Classes: Introduction to Operating Systems & C++ tutorial. Today: OS and Computer Architecture

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Unit 5: Distributed, Real-Time, and Multimedia Systems

Operating Systems: Internals and Design Principles. Chapter 2 Operating System Overview Seventh Edition By William Stallings

Part 1: Introduction to device drivers Part 2: Overview of research on device driver reliability Part 3: Device drivers research at ERTOS

CS 330 Lecture 18. Symbol table. C scope rules. Declarations. Chapter 5 Louden Outline

Chapter 2: Operating-System Structures

OS COMPONENTS OVERVIEW OF UNIX FILE I/O. CS124 Operating Systems Fall , Lecture 2

Utilizing Linux Kernel Components in K42 K42 Team modified October 2001

Operating-System Structures

C++\CLI. Jim Fawcett CSE687-OnLine Object Oriented Design Summer 2017

The benefits and costs of writing a POSIX kernel in a high-level language

Introducing the Haiku Operating System

<Insert Picture Here> Symmetric multilanguage VM architecture: Running Java and JavaScript in Shared Environment on a Mobile Phone

SPIN Operating System

Jaguar: Enabling Efficient Communication and I/O in Java

RTX. Features by Release IZ-DOC-X

Chapter 2: Operating-System Structures

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

JavaOS. David Burhans 2/3/2003 CS384 Dr. Taylor

MODULE 1 JAVA PLATFORMS. Identifying Java Technology Product Groups

UNIT 2. OPERATING SYSTEM STRUCTURES

Lightweight RPC. Robert Grimm New York University

Transcription:

Using the Research Development Kit James Larus & Galen Hunt Microsoft Research ASPLOS 08 Tutorial March 1, 2008

Outline Overview (Jim) Rationale & key decisions architecture Details (Galen)

Safe Languages (C#) Verification Tools Improved OS Architecture

Key Tenets 1. Use safe programming languages everywhere safe type safe and memory safe (C#) everywhere applications, extensions, OS services, device drivers, kernel 2. Improve system resilience in the face of software errors failure containment boundaries explicit failure notification model 3. Facilitate modular verification make system self-describing, so pieces can be examined in isolation specify and check behavior at many levels of abstraction facilitate automated analysis

Deemphasized Performance Easy to measure, but less important than dependability Good enough performance was goal has very good performance

OS Architecture channels processes content extension ext. class library kernel API runtime web server server class library runtime page mgr scheduler chan mgr proc mgr i/o mgr kernel HAL TCP/IP stack tcp class library runtime kernel class library runtime network driver driver class library runtime Safe micro-kernel 95% written in C# 17% of files contain unsafe C# 5% of files contain x86 asm or C++ services and device drivers in processes Software isolated processes (SIPs) all user code is verifiably safe some unsafe code in trusted runtime processes and kernel sealed at start time Communication via channels channel behavior is specified and checked fast and efficient communication Working research prototype not Windows replacement

Process Model Process contains only safe code No shared memory communicates via messages Software Isolated Process SIP Kernel ABI Messages flow over channels well-defined & verified Lightweight threads for concurrency Small binary interface to kernel threads, memory, & channels Seal the process on execution no dynamic code loading no in-process plug-ins Everything can run in ring 0 in kernel memory!

Pervasive Safe Languages Modern, safe programming languages prevent entire classes of (serious) defects easier to analyze is written in extended C# Spec# (C# + pre/post-conditions and invariants) Sing# adds features to increase control over allocation, initialization, and memory layout Evolve language to support abstractions channel communications factor libraries into composable pieces compile-time reflection Native compiler and runtime no bytecodes or MSIL no JVM or CLR

Managed Language Runtime JVM & CLR not appropriate for building systems Rich runtime ( one size fits all ) monolithic, general-purpose environment large memory footprint (~4 MB/process for CLR) many OS dependencies (CLR PAL requires >300 Win32 APIs) JIT compiler increases runtime size and complexity unpredictable performance Replicate OS functionality security, threading, configuration, etc.

Runtime Runtime (GC, etc.) Application Libraries Small, fast execution environment Ahead-of-time, global optimizing compiler (Bartok) specializes runtime and libraries Bartok Compiler eliminates unused language features and application or library code Factorable runtime and libraries x86 Executable Process Language runtime, garbage collector, and libraries selectable on per-process basis reduce memory and computation overhead enforce design discipline and system policies per process

Improve Resilience Cannot build software without defects verification is a chimera (but we could still do a lot better) Software defects should not cause system failure A resilient system architecture should isolate system components to prevent data corruption provide clear failure notification implement policy for restarting failed component Existing system architectures lack isolation and resilience

Open Process Architecture Process Ubiquitous architecture (Windows, Unix, Java, etc.) DLLs, classes, plug-ins, device drivers, etc. Processes are not sealed dynamic code loading and runtime code generation shared memory system API allow process to alter another s state Low dependability 85% of Windows crashes caused by third party code in kernel interface between host and extension often poorly documented and understood maintenance nightmare

Single Process Architecture App Traditional safe language architecture Xerox PARC (Cedar, Smalltalk, etc.) and Lisp Machine model Java and.net as well OS Code and data in single address space language and memory safety isolates tangled data and code garbage collection reclaims resources dynamic code loading and runtime code generation

Java Isolates and.net AppDomains App App App Java isolates and CLR AppDomains have complex, shared runtime single point of failure Runtime Shared runtime must also satisfy different applications requirements

Sealed Processes Process Kernel Extension Extension processes are sealed no dynamic code loading or run-time code generation all code present when process starts execution extensions execute in distinct processes separate closed environments with well-defined interfaces no shared memory Fundamental unit of failure isolation Improved optimization, verification, security

Isolation Requires Lightweight Processes Existing processes rely on virtual memory and protection domains VM prevents reference into other address spaces protection prevents unprivileged code from access system resources Processes are expensive to create and schedule high cost to cross protection domains (rings), handle TLB misses, and manipulate address spaces Cost encourages monolithic architecture expensive process creation and inter-process communication large, undifferentiated applications dynamically loaded extensions

Software Isolated Processes (SIPs) Protection and isolation enforced by language safety and kernel API design process owns a set of pages all of process s objects reside on its pages (object space, not address space) language safety ensures process can t create or mutate reference to other pages Global invariants: no process contains a pointer to another process s object space no pointers from exchange heap into process P1 P2 P3

Interprocess Communications Channels are strongly typed (value & behavior), bidirectional communications ports messages passing with extensive language support Messages live outside processes, in exchange heap only a single reference to a message Mailbox semantics enforced by linear types copying and pointer passing are semantically indistinguishable Channel buffers pre-allocated according to contract P1 P2 P3 exchange heap

OS Controls Resources and Security OS owns, allocates, and reclaims system resources conventional model On process termination, OS reclaims memory pages and channels not dependent on finalization or garbage collection Clean failure notification sent messages still available to other process Security policy on per-process crux is control of channels

Would You Trust Your System to a Type System? Process integrity depends on type and memory safety currently trust compiler and runtime TAL can remove compiler from trusted computing base We are working on verifying GC and runtime as well Sing# C# source csc sgc MSIL+ bartok TAL TCB TCB x86 system compiler verification byte code verification application verification

Still Not Convinced? Hardware Protection Domains virtual address space contains one or more SIPs runs at ring 0 ( kernel domain ) or ring 3 21

Domains: Monolithic Kernel App 1 App 2 App 3 File System Kernel Net Stack SIP Protection Domain Ring 3 Ring 0 22

Domains: Novel Models Unsigned App2 SIP Protection Domain App1 Signed Extension Unsigned Extension Ring 3 Ring 0 Unsigned Driver Signed Driver Kernel 23

Challenge 3: Verify More channels processes content extension ext. class library Kernel API runtime web server server class library runtime page mgr scheduler chan mgr proc mgr i/o mgr kernel HAL TCP/IP stack tcp class library runtime kernel class library runtime network driver driver class library runtime Process internals (code): type safety object invariants method pre- & post- conditions component interfaces Process externals: channel contracts resource access & dependencies System: communication safety hardware resource conflict free namespace conflict free Static verification: before code runs

Example: Channel Contracts public contract IoStream {... state Start : { Open? -> { OK! -> Opened; Error! -> End; } } state Opened : { Read? -> Data! -> Opened; Write? -> OK! -> Opened; Close? -> OK! -> End; } state End;... }? = receive! = send Start Open? -> OK! Opened Open? -> Error! Read? -> Data! Write? -> OK! End Close? -> OK!

Example: Contract Conformance Contract public contract TcpSocketContract {... state Connected : { Read? -> ReadResultPending; Write? -> WriteResultPending; } GetLocalAddress? -> IPAddress! - > Connected; GetLocalPort? -> Port! -> Connected; DoneSending? -> ReceiveOnly; DoneReceiving? -> SendOnly; Close? -> Closed; Abort? -> Closed; state ReadResultPending : { Data! -> Connected; NoMoreData! -> SendOnly; RemoteClose! -> Zombie; }... conn.sendread(); switch receive { case conn.data(readdata) : }... Web Server (User) databuffer.addtotail(readdata); return true; case conn.remoteclose() : return false; Missing Case case conn.nomoredata() :

Example: Configuration Specifications [DriverCategory] [Signature("/pci/03/00/5333/8811")] class S3Trio64Config : DriverCategoryDeclaration { [IoMemoryRange(0, Length = 0x400000)] IoMemoryRange framebuffer; requires PCI Device requires 4MB frame buffer (from in PCI config) requires system console buffer [IoFixedMemoryRange(Base = 0xb8000, Length = 0x8000)] IoMemoryRange textbuffer; requires VGA I/O ports... [IoFixedPortRange(Base = 0x3c0, Length = 0x20)] IoPortRange control; [ExtensionEndpoint(typeof(ExtensionContract.Exp))] TRef<ExtensionContract.Exp:Start> pnp; [ServiceEndpoint(typeof(VideoDeviceContract.Exp))] TRef<ServiceProviderContract.Exp:Start> video;... requires control by plug-and-play system Provides video capability to system

Specification Usable in Many Ways Conflict Driver (Source + Spec) Driver Manifest System Manifest 1. Load driver 2. Allocate I/O objects 3. Create channels File System Disk Driver driver class library runtime page mgr scheduler chan mgr proc mgr i/o mgr kernel HAL kernel class library runtime

Conclusion Can we fundamentally improve the dependability of today s software? (yes) Rethink language, OS, and system architecture assumptions OS should control application s execution environment new mechanisms to enhance system integrity, verifiability, and dependability Programming languages and runtime systems are central to new architecture is a complete (but simple) system safe languages all the way down to the hardware OS architecture improves system integrity and verification many more aspects of system behavior are verifiable We are distributing (source code) http://research.microsoft.com/os/singularity

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback