ABSTRACT
In most modern operating systems, a process is a hardware-protected abstraction for isolating code and data. This protection, however, is selective. Many common mechanisms---dynamic code loading, run-time code generation, shared memory, and intrusive system APIs---make the barrier between processes very permeable. This paper argues that this traditional open process architecture exacerbates the dependability and security weaknesses of modern systems.
As a remedy, this paper proposes a sealed process architecture, which prohibits dynamic code loading, self-modifying code, and shared memory, and limits the scope of the process API. This paper describes the implementation of the sealed process architecture in the Singularity operating system, discusses its merits and drawbacks, and evaluates its effectiveness. Some benefits of this sealed process architecture are: improved program analysis by tools, stronger security and safety guarantees, elimination of redundant overlaps between the OS and language runtimes, and improved software engineering.
Conventional wisdom says open processes are required for performance; our experience suggests otherwise. We present the first macrobenchmarks for a sealed-process operating system and applications. The benchmarks show that an experimental sealed-process system can achieve performance competitive with highly-tuned, commercial, open-process systems.
Sealing OS processes to improve dependability and safety. EuroSys'07 Conference Proceedings.