Charles Haiber's presentation on Exokernels


Paper by Engler, Kaashoek, O’Toole

Presentation by Charles Haiber

Exokernels

• Overview vs. traditional kernels

Library Operating Systems

Design Principles

   ◦ Secure Bindings

   ◦ Visible Resource Revocation

   ◦ Abort Protocol

Testing

• Hypotheses

• Results/Conclusion

Is it secure?

The main goal of an exokernel:

• The separation of protection from management

Instead of emulating hardware resources, it exports them directly to the applications

In addition to the exokernel, a “Library OS” can act as an abstraction layer between hardware and application

Fixed, high-level abstractions, which kernels provide so that as many kinds of applications as possible can run on the system, tend to have a very high cost in system resources

• Hurts the performance of applications

• Hides information from applications

• Limits the functionality of applications

Exokernels exist as a thin layer on top of the hardware that multiplexes and exports physical resources securely

The idea is that an application will know better how it wants to manage its resources than a monolithic kernel or microkernel does

Multiple Library Operating Systems can exist

Exist to provide specialized abstractions

• One OS might cater specifically to networking

Library OSs are not trusted by the exokernel

• They are free to trust the applications

• They run on the application level themselves

Allow applications to be run on any hardware

Securely expose hardware

• Avoid hardware management, except when required for the protection of the system

Expose allocation to Library OS

Expose names of physical resources

Expose revocation protocol

Secure Bindings

• Allows applications to securely bind themselves to resources

Visible Resource Revocation

• Applications participate in a resource revocation protocol

Abort Protocol

• The exokernel can forcibly break secure bindings of uncooperative applications

Protection mechanism that separates authorization from the use of a resource

• Authorization only checked at bind time

Applications are responsible for resources with complex hardware semantics (networks, file systems, etc.)

• This leaves the exokernel with only the simple access checks to perform at access time

Allows the kernel to protect hardware resources without needing to understand them

Traditionally, resource revocation is invisible to applications in monolithic kernels and microkernels

By exposing resource revocation, the exokernel allows applications and Library OSs to monitor resource usage and act accordingly

Allows the exokernel to retrieve resources from a Library OS that is not responding to revocation requests

• Revocation request – “Please return a memory page”

• Revocation imperative – “Return a memory page within 50 microseconds”

Secure binding is broken, and the Library OS is sent a repossession exception
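The three mechanisms on the slides above (bind-time authorization with cheap access-time checks, the visible request/imperative revocation protocol, and the abort protocol that forcibly breaks a binding and raises a repossession exception) as an added Python model. This is not code from the paper or from Aegis/ExOS; the `Exokernel` and `LibraryOS` classes, the random capability token used as the binding handle, and the three library-OS behaviours ("cooperative", "slow", "uncooperative") are all constructed for illustration. The 50-microsecond deadline is the figure from the slide; nothing here actually measures time.

```python
"""Toy model of exokernel protection: secure bindings, visible revocation
and the abort protocol.  Constructed illustration; the class and method
names are assumptions, not Aegis/ExOS identifiers."""
import secrets
from dataclasses import dataclass


@dataclass
class Binding:
    page: int     # physical page number exported by the exokernel
    owner: str    # name of the library OS that bound it


class LibraryOS:
    """Untrusted, application-level library OS.  `behaviour` selects how it
    answers revocation: 'cooperative' returns the page on the request,
    'slow' only on the imperative, 'uncooperative' never (abort protocol)."""

    def __init__(self, name, behaviour):
        self.name = name
        self.behaviour = behaviour
        self.tokens = {}   # page -> capability token received at bind time
        self.log = []      # what this library OS observed, in order

    def on_revocation_request(self, page):
        self.log.append(f"request for page {page}")
        if self.behaviour == "cooperative":
            return self.tokens.pop(page)      # hands the page back voluntarily
        return None

    def on_revocation_imperative(self, page, deadline_us):
        self.log.append(f"imperative for page {page}, {deadline_us} us")
        if self.behaviour in ("cooperative", "slow"):
            return self.tokens.pop(page)
        return None

    def on_repossession_exception(self, page):
        # The binding is already gone; the library OS can only clean up.
        self.log.append(f"repossession exception for page {page}")
        self.tokens.pop(page, None)


class Exokernel:
    REVOCATION_DEADLINE_US = 50   # figure quoted on the slide

    def __init__(self, num_pages):
        self.free_pages = list(range(num_pages))
        self.bindings = {}   # token -> Binding

    # Secure binding: the authorization decision is made once, here.
    def bind_page(self, libos):
        if not self.free_pages:
            raise MemoryError("no free physical pages")
        page = self.free_pages.pop(0)
        token = secrets.token_bytes(16)   # unguessable capability for the page
        self.bindings[token] = Binding(page, libos.name)
        libos.tokens[page] = token
        return page, token

    # Access time: a plain lookup; the kernel does not need to understand
    # how the library OS is using the page.
    def check_access(self, token, page):
        b = self.bindings.get(token)
        return b is not None and b.page == page

    def _release(self, token):
        self.free_pages.append(self.bindings.pop(token).page)

    # Visible revocation: request, then imperative with a deadline, then abort.
    def revoke_page(self, libos, page):
        token = libos.on_revocation_request(page)
        if token is not None:
            self._release(token)
            return "request"
        token = libos.on_revocation_imperative(page, self.REVOCATION_DEADLINE_US)
        if token is not None:
            self._release(token)
            return "imperative"
        # Abort protocol: forcibly break the binding, then notify the owner.
        for tok, b in list(self.bindings.items()):
            if b.page == page and b.owner == libos.name:
                self._release(tok)
        libos.on_repossession_exception(page)
        return "abort"


def run_demo():
    """Bind one page per library-OS behaviour, revoke it, and report how each
    revocation ended plus what each library OS saw."""
    kernel = Exokernel(num_pages=3)
    outcomes, logs = {}, {}
    for behaviour in ("cooperative", "slow", "uncooperative"):
        libos = LibraryOS(behaviour, behaviour)
        page, token = kernel.bind_page(libos)
        assert kernel.check_access(token, page)       # valid right after binding
        outcomes[behaviour] = kernel.revoke_page(libos, page)
        assert not kernel.check_access(token, page)   # token is dead afterwards
        logs[behaviour] = libos.log
    return outcomes, kernel, logs


if __name__ == "__main__":
    print(run_demo()[0])
```

The point the model makes concrete is where the cost sits: `bind_page` is the only place policy is evaluated, `check_access` is a dictionary lookup, and the uncooperative library OS loses its page without the kernel ever having to reason about what the page held.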

Aegis – an experimental exokernel

• Exports the processor, physical memory, exceptions, interrupts, and network resources

ExOS – an experimental Library OS

• Provides processes, virtual memory, user-level exceptions, interprocess abstractions, and several network protocols

Ultrix is a mature monolithic Unix-based OS

• Exokernels are very efficient

• Low-level, secure multiplexing can be efficient

• Traditional OS abstractions can be implemented efficiently at application level

• Applications can create special-purpose implementations of these abstractions

• Both Aegis and Ultrix ran on the same hardware

• No overhead added to procedure calls

• Exception dispatch about 100x faster in Aegis

• ExOS’s implementation of pipes about 100x faster

All four hypotheses were confirmed when compared against Ultrix

Results show that the exokernel design is well suited as a high-performance, extensible OS. Additionally, previous research found that applications benefit greatly from specialized abstractions, and ExOS backed those conclusions up as well

Total mediation: NO

• OS does very little resource management and only authorizes resource usage at bind time

Trustworthy: YES

• Only the exokernel is part of the TCB, with the Library OSs being run at application level

Verifiable: YES

• Kernel is extremely small, with only two goals:

   ◦ Present hardware resources

   ◦ Do so securely

Exokernel: An Operating System Architecture for Application-Level Resource Management

• Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr., M.I.T. Laboratory for Computer Science

The Operating System Kernel as a Secure Programmable Machine

• Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr., M.I.T. Laboratory for Computer Science

The Case for Application-Specific Operating Systems

• Thomas E. Anderson, Division of Computer Science, University of California at Berkeley
