DOI: 10.1145/1272996.1273032

Sealing OS processes to improve dependability and safety

Published: 21 March 2007

ABSTRACT

In most modern operating systems, a process is a hardware-protected abstraction for isolating code and data. This protection, however, is selective. Many common mechanisms---dynamic code loading, run-time code generation, shared memory, and intrusive system APIs---make the barrier between processes very permeable. This paper argues that this traditional open process architecture exacerbates the dependability and security weaknesses of modern systems.

As a remedy, this paper proposes a sealed process architecture, which prohibits dynamic code loading, self-modifying code, and shared memory, and limits the scope of the process API. This paper describes the implementation of the sealed process architecture in the Singularity operating system, discusses its merits and drawbacks, and evaluates its effectiveness. Some benefits of this sealed process architecture are: improved program analysis by tools, stronger security and safety guarantees, elimination of redundant overlaps between the OS and language runtimes, and improved software engineering.

Conventional wisdom says open processes are required for performance; our experience suggests otherwise. We present the first macrobenchmarks for a sealed-process operating system and applications. The benchmarks show that an experimental sealed-process system can achieve performance competitive with highly-tuned, commercial, open-process systems.
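The abstract names three mechanisms that make a conventional process "open": run-time code generation or self-modifying code, shared memory, and dynamically loaded code. A practitioner can measure how far a running Linux process is from the sealed model by reading its memory map: a region that is both writable and executable supports code generation, a shared mapping is cross-process shared memory, and an executable mapping backed by a file other than the main binary is dynamically loaded code. The script below is an added illustration written for this page; it is not code from the paper or from Singularity. The `/proc/<pid>/maps` line format is the real Linux one, but the sample map, the process name `/usr/bin/demo`, the library `/usr/lib/libplugin.so` and the shared segment `/dev/shm/ipcbuf` are constructed for the example.

```python
import os
import re
from dataclasses import dataclass, field

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]".
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str  # e.g. "r-xp": read, write, exec flags, then p(rivate) or s(hared)
    path: str   # backing file, a pseudo-name like "[heap]", or "" if anonymous

    @property
    def writable_and_executable(self) -> bool:
        # W+X memory is what run-time code generation / self-modifying code needs.
        return "w" in self.perms and "x" in self.perms

    @property
    def shared(self) -> bool:
        # A MAP_SHARED mapping is visible to every process that maps the same object.
        return self.perms[3] == "s"

    @property
    def executable_file(self) -> bool:
        # Executable code backed by a file; kernel pseudo-regions such as [vdso] are skipped.
        return "x" in self.perms and bool(self.path) and not self.path.startswith("[")


def parse_maps(text: str) -> list:
    """Parse /proc/<pid>/maps text into Mapping records; malformed lines are ignored."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                    m["perms"], m["path"].strip()))
    return mappings


@dataclass
class Audit:
    rwx: list = field(default_factory=list)          # run-time code generation possible
    shared: list = field(default_factory=list)       # cross-process shared memory
    loaded_code: list = field(default_factory=list)  # code not from the main binary

    @property
    def sealed(self) -> bool:
        # Sealed in the paper's sense: none of the three openness mechanisms present.
        return not (self.rwx or self.shared or self.loaded_code)


def audit(mappings: list, main_binary: str) -> Audit:
    """Classify every mapping against the three sealed-process criteria."""
    result = Audit()
    for m in mappings:
        if m.writable_and_executable:
            result.rwx.append(m)
        if m.shared:
            result.shared.append(m)
        if m.executable_file and m.path != main_binary:
            result.loaded_code.append(m)
    return result


def audit_pid(pid: int) -> Audit:
    """Audit a live process (Linux only; requires permission to read its /proc entry)."""
    main_binary = os.readlink(f"/proc/{pid}/exe")
    with open(f"/proc/{pid}/maps") as f:
        return audit(parse_maps(f.read()), main_binary)


# Constructed sample of a small, deliberately "open" process (not a real capture).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/demo
00652000-00653000 rw-p 00052000 08:01 1234 /usr/bin/demo
01000000-01021000 rw-p 00000000 00:00 0 [heap]
7f1a00000000-7f1a00100000 rwxp 00000000 00:00 0
7f1a10000000-7f1a10004000 rw-s 00000000 00:05 99 /dev/shm/ipcbuf
7f1a20000000-7f1a201c0000 r-xp 00000000 08:01 5678 /usr/lib/libplugin.so
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
7ffd00100000-7ffd00102000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    report = audit(parse_maps(SAMPLE_MAPS), "/usr/bin/demo")
    print("sealed:", report.sealed)
    for kind in ("rwx", "shared", "loaded_code"):
        for m in getattr(report, kind):
            print(f"{kind:12s} {m.start:#x}-{m.end:#x} {m.perms} {m.path or '(anonymous)'}")
```

On a Linux host `audit_pid(os.getpid())` audits the interpreter itself, which will never be sealed because the dynamic loader maps `libc` and other libraries. The check is a snapshot heuristic: a JIT that maps a page writable, fills it, and then flips it to read-execute will not show a W+X region at the moment of sampling, and a plugin loaded and unloaded between two samples leaves no trace. That is exactly the observability problem the paper's architectural prohibition removes, since a sealed process never has these states to observe.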


Published in

EuroSys '07: Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007, March 2007, 431 pages, ISBN: 9781595936363, DOI: 10.1145/1272996

Also in ACM SIGOPS Operating Systems Review, Volume 41, Issue 3 (EuroSys'07 Conference Proceedings), June 2007, 386 pages, ISSN: 0163-5980, DOI: 10.1145/1272998

Copyright © 2007 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

Publisher: Association for Computing Machinery, New York, NY, United States

Overall acceptance rate: 241 of 1,308 submissions (18%)