Dealing With Disaster : Surviving Misbehaved Kernel Extensions - PowerPoint PPT Presentation

1 / 25

About This Presentation

Title:

Dealing With Disaster : Surviving Misbehaved Kernel Extensions

Description:

Prioritization Graft : Page Eviction. Default function : LRU. Graft function ... Page Eviction Graft Overhead. 24. Scheduling Graft Overhead. Encryption Graft Overhead ... – PowerPoint PPT presentation

Number of Views:66

Avg rating:3.0/5.0

Slides: 26

Provided by: camarsK

Category:

more less

Transcript and Presenter's Notes

Title: Dealing With Disaster : Surviving Misbehaved Kernel Extensions

1
Dealing With Disaster Surviving Misbehaved
Kernel Extensions
Margo I. Seltzer, Yasuhiro Endo, Christopher
Small, Keith A. Smith

KAIST CS. Computer Architecture Lab
KimSungWan
1998.03.25

2
Contents

Introduction
The Misbehaviors of Grafts
VINO Grafting Architecture
The Cost of Graft Protection
Related Work
Conclusion

3
Introduction

Extensible system
permit clients to modify the behavior of a server
by loading client-specific extension code into
the server
improved application flexibility and performance
destroyed integrity by buggy or malicious code
Grafts
Application extensions downloaded into the kernel
Requirements
Kernel must guarantee that they do not misuse
memory
ex) Reading and writing inappropriate data,
executing bad instructions
Safe language (Modula-3), SFI, virtual memory
address domains
Kernel must ensure that they do not consume
resources.
ex) resource hoarding

4
The Misbehaviors of Grafts

Grafts model
SFI is used to prevent illegal data accesses
Each graft receives its own heap and stack
Kernel records the changes to be undone
Why dangerous
Grafts run in supervisor mode
Grafts are given access to a more powerful
interface
The more restrictive graft interface, the more
limited functionality
System relies on the correct operation of the
graft ? Grafts actions can affect all the
processes on system

5
The Classes of Misbehavior (1)

Illegal data access
Protection mechanisms
Safe languages, software fault isolation
Requirement of kernel notification
Kernel must know whether a graft is compiled by
such a tool
Prevention from calling kernel function
A graft cant execute kernel function that
provide untitled actual data
Resource hoarding
Infinite loop, excessive memory allocation,
flooding network with packets
Preemption termination the graft
undo kernel state changes, release resources held
by the graft

6
The Classes of Misbehavior (2)

Attempting to use incorrect interfaces
Restricted replacement of a global kernel policy
global scheduling
Verification of downloaded graft
compiled with the correct compiler
Limited function call
functions that return private data
functions that change kernel state (ex.
shutdown())

7
The Classes of Misbehavior (3)

Antisocial behavior
Grafts dont do what they have agreed to do
The selection of an application specific policy
should not affect other applications
Covert denial of service
A graft cant attempt a denial of service attack
If a graft never returns, system cant make
forward progress

8
VINO Grafting Architecture (1)

Kernel transaction support
Aborting a graft and cleaning up its state
Wrapper (function)
interposed when a function is grafted into the
kernel
begin a transaction for a graft invocation and
then call the grafted function
commit the transaction when the grafted function
returns
Goal of graft transaction
provide a means for backing out changes made by
faulty grafts
necessary to support nested transactions for
indirectly invoking other grafts

9
VINO Grafting Architecture (2)

VINO transaction manager
when a transaction is initiated, the manager
allocates a transaction object
use two-phase locking and an undo call stack
Lock release is delayed until commit or abort
Accessor function encapsulates modifications to
permanent kernel state
A grafted function must go through data accessor
function
Each accessor has an associated undo function
Whenever an accessor function is called, the undo
operation is pushed onto transactions undo call
stack

10
VINO Grafting Architecture (3)

VINO transaction manager (cont.)
If a transaction aborts,
TM invoke each undo operation on the undo call
stack
return a abort error to the graft stub
call the default function (that was replaced by
graft)
When a transaction commits,
non-nested transaction
the locks are released, the undo call stack
transaction object are freed
nested transaction
its undo call stack and locks are merged with
those of its parent

11
VINO Grafting Architecture (4)

When to abort graft transactions
Time-constrained resources
A graft does not hold the resource for too long
period
time-out value
Quantity-constrained resources
A graft does not use too much of the resource
A graft thread has limited resource
transfer amounts from its own limits to the graft

12
VINO Grafting Architecture (5)

Graft code safety
MiSFIT
insert instructions to protect loads and stores
at compile time
2 to 5 cycles per load or store
how verify that graft is made by MiSFIT
digital signature
Protection of function calls
maintain a list of graft-callable functions
direct function call
checked when grafts are linked into kernel
if fails, the graft is not loaded into the system
indirect function call
checked at run-time by looking up the address of
target function in hash table containing
addresses of graft-callable functions
if fails, the graft is aborted

13
VINO Grafting Architecture (6)

Function Graft
Graft point
To install a graft, application obtain a handle
for graft point
by looking up the graft point in a
kernel-maintained graft namespace
object to be graft, name of the function to be
replaced
graft point handle provides a replace method
suitable for modifying the behavior of a single
object
Event Graft
Event graft point
correspond to the external events to which a
service responds
Addition of a new graft function to a graft point
application can specify the order in which
grafted functions are called

14

Function graft
Event graft
15
The Cost of Graft Protection

Taxonomy of kernel extension
Prioritization Graft
choosing a candidate process to schedule, a page
to evict, or a buffer to flush
Stream Graft
accepting data, transforming or manipulating the
data, and producing new data stream
encryption, compression, checksum calculation
Black Box Graft
general graft
some number of inputs, some state, and single
output

16
Measurement Methodology
Graft Evaluation Model
17
The Cost of Graft Protection (1)

Black Box Graft Read-Ahead
Default function
prefetch sequential next block
Graft function
prefetch non-sequential next block
compute-ra function
offset and size of the current read request
a list of additional file extents that should be
prefetched
memory buffer is shared between application and
read-ahead graft
anticipated file access pattern is saved in the
buffer
compute-ra function uses this data to issue
read-ahead requests
measurement
total cost is 107 µs
137 µs to sum a 4KB array of integer

18
The Cost of Graft Protection (2)

Prioritization Graft Page Eviction
Default function LRU
Graft function
supporting application-provided page out
selection
Three requirements
must be made in a timely fashion
the value returned by the graft must be valid
(detectably invalid)
the graft cant permit the application to use
more physical memory

19
The Cost of Graft Protection (3)

VINO VM Page Eviction
A global page eviction algorithm selects a victim
page
if the owning VAS has installed a page eviction
graft, it invokes the graft passing the victim
and a list of all other page assigned to the VAS
VAS-specific function accept the victim page or
suggest another page as replacement
global algorithm verifies selected page
if failed, system evicts the original victim
Memory buffer is shared
Application places page numbers that it wishes to
retain in memory
Measurement
316 µs, benefit of avoiding page fault is 18ms
increased cost of victim page selection is to
reduce performance