CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman
CS533 Concepts of OS, Class 16

ExoKernel

by Constantia Tryman

CS533 - Concepts of Operating Systems 2

Motivation for Exokernel

- Problems with general-purpose abstractions:
  o Overhead: applications pay for features they do not need
  o They hide information from applications
  o Complexity grows as the kernel is tuned for good performance
  o They limit the functionality of applications: neither efficient nor flexible

ExoKernel Overview

- Separate resource protection from resource management
- Securely multiplex hardware resources among application-specific library operating systems (library OSes)
- The exokernel exports hardware resources through:
  o Secure bindings
  o Visible resource revocation
  o An abort protocol

Exokernel Architecture

Functionalities

- Library OS:
  o Implements its own system objects and policies
  o Uses the low-level exokernel interfaces
  o Implements higher-level abstractions
  o Can define special-purpose implementations of abstractions for the best performance and functionality
  o Its abstractions can be specialized, extended, or replaced
- Exokernel:
  o Multiplexes and exports physical resources securely through low-level primitives

Library OS

- Simple implementation
- Fewer and cheaper kernel crossings, since most OS functionality runs in the application's own address space
- Can provide portability and compatibility
- To reduce the space cost of per-application libraries, support shared libraries and dynamic linking

Exokernel Backward Compatibility

Three approaches:
- Binary emulation of the OS and its programs
- Implementing the OS's hardware abstraction layer on top of the exokernel
- Re-implementing the OS's abstractions on top of the exokernel

Exokernel Design

- Give the library OS (LOS) as much freedom as possible to manage resources
- Securely expose hardware
- Expose allocation
- Expose names
- Expose revocation
- Policy: the exokernel controls only the allocation and revocation of resources
  o It decides which allocation requests to grant and from which application to revoke resources
  o It can enforce traditional partitioning strategies: quotas, reservation schemes

Protection

- Tasks:
  o Tracking ownership of resources
  o Ensuring protection by guarding all resource usage and binding points
  o Revoking access to resources
- Techniques:
  o Secure bindings
  o Visible revocation
  o Abort protocol

Secure Bindings

Three approaches:
- Hardware mechanisms
- Software caching
- Downloading application code

Hardware Mechanism

- TLB entry: a virtual-to-physical address translation
  o On a TLB fault, the exokernel loads the entry at bind time, checking the binding once
  o The hardware then uses the entry at every access, so protection is enforced at the lowest level with no further checks
- File server
  o Can buffer data in memory pages
  o Grants access to authorized applications by giving them access to those pages
  o The exokernel guards the pages without knowing anything about the file server's authorization mechanism
- Frame buffer hardware
  o Associates an ownership tag with each pixel
  o Applications can access the frame buffer hardware directly, since the hardware checks the ownership tag when the I/O is performed

Software Caching

- Large software TLB (STLB)
  o Caches translations (secure bindings) that are not in the hardware TLB, so a hardware TLB miss can be served without involving the library OS

Download Code into the Kernel

- Downloaded code is invoked on every access or event to determine ownership and the actions the kernel should take
- Eliminates expensive kernel crossings
- Executes without scheduling the application
- Protection is provided by:
  o a type-safe language,
  o interpretation, or
  o sandboxing
- Example: ASHs

Multiplexing Physical Memory

- When a LOS allocates a physical memory page, the exokernel creates a secure binding for it and checks capabilities on later binding requests
- The number of expensive binding checks is reduced by caching bindings in the software TLB
- Exokernel: guards TLB loads and DMA, the only paths to physical memory
- LOS: deallocation is visible; the page's TLB mappings and any queued DMA requests for it must be flushed
- An example of a hardware mechanism combined with software caching

Multiplexing the Network

- Hardware: ATM virtual circuits bind streams to applications
- Software: message demultiplexing by packet filters
- An example of downloading code
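The two slides above (code downloaded into the kernel, protected by interpretation and sandboxing, and packet filters that demultiplex messages to applications) are illustrated by the following toy filter engine. It is an added example written for this page, not the exokernel's own packet-filter implementation: a filter is a conjunction of "masked bytes at an offset equal a value" atoms, validated when installed and bounds-checked on every load when run. The atom format, the size limits, the first-match policy and the sample packets are all assumptions.

```c
/* Toy packet-filter demultiplexer: added example, not the exokernel's
 * filter engine. Safety comes from install-time validation plus a
 * run-time bounds check on every load (interpretation + sandboxing).
 * Limits, the atom format and the sample packets are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PKT     1500
#define MAX_ATOMS   8
#define MAX_FILTERS 8

struct atom   { uint16_t off; uint8_t width; uint16_t mask; uint16_t value; };
struct filter { int app; int natoms; struct atom atoms[MAX_ATOMS]; };

static struct filter filters[MAX_FILTERS];
static int nfilters;

static void pf_reset(void) { nfilters = 0; }

/* Install-time validation: reject any filter that could read outside a
 * maximum-size packet or that can never match. Returns slot or -1. */
static int pf_install(int app, const struct atom *atoms, int n)
{
    if (nfilters >= MAX_FILTERS || n <= 0 || n > MAX_ATOMS) return -1;
    for (int i = 0; i < n; i++) {
        const struct atom *a = &atoms[i];
        if (a->width != 1 && a->width != 2) return -1;
        if (a->width == 1 && (a->mask > 0xFF || a->value > 0xFF)) return -1;
        if ((a->value & ~a->mask) != 0) return -1;          /* unsatisfiable */
        if ((size_t)a->off + a->width > MAX_PKT) return -1; /* out of range */
    }
    filters[nfilters].app = app;
    filters[nfilters].natoms = n;
    memcpy(filters[nfilters].atoms, atoms, (size_t)n * sizeof *atoms);
    return nfilters++;
}

/* Run-time interpretation: every load is checked against the real packet
 * length, so a short packet cannot make the filter read past its end. */
static bool pf_match(const struct filter *f, const uint8_t *pkt, size_t len)
{
    for (int i = 0; i < f->natoms; i++) {
        const struct atom *a = &f->atoms[i];
        if ((size_t)a->off + a->width > len) return false;
        uint16_t v = pkt[a->off];
        if (a->width == 2) v = (uint16_t)((v << 8) | pkt[a->off + 1]);
        if ((v & a->mask) != a->value) return false;
    }
    return true;
}

/* Demultiplex: first matching filter wins, in install order. A real
 * exokernel must also prevent one application from installing a filter
 * that claims another application's traffic; this toy does not. */
static int pf_demux(const uint8_t *pkt, size_t len)
{
    for (int i = 0; i < nfilters; i++)
        if (pf_match(&filters[i], pkt, len)) return filters[i].app;
    return -1;
}

/* Constructed sample packets: IPv4 header without options (20 bytes)
 * followed by 8 bytes of transport header. */
static const uint8_t pkt_dns[] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,                        /* src, dst */
    0x04, 0x00, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00   /* UDP: sport 1024, dport 53 */
};
static const uint8_t pkt_http[] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x04, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00   /* TCP: sport 1024, dport 80 */
};

/* Atoms: IPv4 without options (so offset 22 is the destination port),
 * the protocol byte, and the 16-bit destination port. */
static const struct atom f_udp53[] = {
    { 0, 1, 0xFF, 0x45 }, { 9, 1, 0xFF, 17 }, { 22, 2, 0xFFFF, 53 } };
static const struct atom f_tcp80[] = {
    { 0, 1, 0xFF, 0x45 }, { 9, 1, 0xFF, 6 }, { 22, 2, 0xFFFF, 80 } };

int main(void)
{
    pf_reset();
    pf_install(1, f_udp53, 3);
    pf_install(2, f_tcp80, 3);
    printf("dns -> app %d\n", pf_demux(pkt_dns, sizeof pkt_dns));    /* 1 */
    printf("http -> app %d\n", pf_demux(pkt_http, sizeof pkt_http)); /* 2 */
    printf("truncated -> app %d\n", pf_demux(pkt_dns, 12));          /* -1 */
    return 0;
}
```

The install-time checks are what make the download safe to execute in the kernel on every packet: once a filter is accepted, the interpreter's only remaining hazard is a packet shorter than the offsets the filter expects, which the per-load length check turns into a non-match rather than an out-of-bounds read.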

Downloading Code

- Application-specific Safe Handlers (ASHs)
  o Can initiate messages (low round-trip latency)
  o Take control at message reception time
  o No waiting for the application to be scheduled before the message is handled
  o No need to pre-bind a buffer location for the message
- Compare: Xen? Disco?

Visible Resource Revocation

1. Invisible revocation: the exokernel deallocates resources without the application's involvement
   o Performs better when revocations occur frequently
2. Visible revocation: requires interaction with the LOS
   o The LOS can avoid saving state and registers that are not live
   o The LOS handles the revocation itself, allowing quick resource deallocation

Abort Protocol

- Used when the LOS fails to respond to a revocation request
- Killing the LOS and its associated applications was considered and rejected
- Instead, the exokernel breaks the existing secure bindings to the resource and informs the LOS
- Done through a repossession vector
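The physical-memory, visible-revocation and abort-protocol slides above describe one mechanism from several angles; the following toy model puts them together. It is an added example written for this page, not Aegis or ExOS code: a capability is checked once, when a page is bound; a small software TLB caches the binding so later refills need no check; revocation is an upcall to the library OS; and if the library OS does not cooperate, the kernel breaks the bindings anyway and records the page in a per-environment bitmask standing in for the repossession vector. The page and environment counts, the capability values and the handler names are assumptions.

```c
/* Toy exokernel physical-memory multiplexing: added example, not Aegis
 * code. Models a capability check at bind time only, a software TLB
 * that caches bindings, visible revocation via an upcall, and the abort
 * protocol (forced repossession recorded in a per-environment bitmask
 * that stands in for the repossession vector). Sizes are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES   8        /* physical pages managed by the kernel */
#define NENVS    2        /* library OSes (environments) */
#define STLB_SZ  4        /* software TLB entries per environment */
#define NO_OWNER (-1)

/* Kernel ownership table: owner and capability of each physical page. */
static int      page_owner[NPAGES];
static uint32_t page_cap[NPAGES];

/* Software TLB: cached secure bindings vaddr -> ppage, per environment.
 * A hardware TLB refill that hits here needs no further authorization. */
struct stlb_entry { bool valid; uintptr_t vaddr; int ppage; };
static struct stlb_entry stlb[NENVS][STLB_SZ];

/* Repossession vector stand-in: bit p set means page p was taken from
 * that environment without its cooperation. */
static uint32_t repossessed[NENVS];

static void exo_init(void)
{
    for (int p = 0; p < NPAGES; p++) { page_owner[p] = NO_OWNER; page_cap[p] = 0; }
    memset(stlb, 0, sizeof stlb);
    memset(repossessed, 0, sizeof repossessed);
}

/* Allocation: give env a free page and record the capability it must
 * present at bind time. Returns the page number or -1 if none is free. */
static int exo_alloc_page(int env, uint32_t cap)
{
    for (int p = 0; p < NPAGES; p++)
        if (page_owner[p] == NO_OWNER) { page_owner[p] = env; page_cap[p] = cap; return p; }
    return -1;
}

/* Secure binding: authorization is examined here, once, at bind time. */
static bool exo_bind(int env, uintptr_t vaddr, int ppage, uint32_t cap)
{
    if (env < 0 || env >= NENVS || ppage < 0 || ppage >= NPAGES) return false;
    if (page_owner[ppage] != env || page_cap[ppage] != cap) return false;
    for (int i = 0; i < STLB_SZ; i++)
        if (!stlb[env][i].valid) {
            stlb[env][i] = (struct stlb_entry){ true, vaddr, ppage };
            return true;
        }
    return false;   /* STLB full; a real kernel would evict an entry */
}

/* Access-time path (hardware TLB miss): only the cached binding is
 * consulted, with no capability check. Returns the page or -1. */
static int exo_tlb_refill(int env, uintptr_t vaddr)
{
    for (int i = 0; i < STLB_SZ; i++)
        if (stlb[env][i].valid && stlb[env][i].vaddr == vaddr) return stlb[env][i].ppage;
    return -1;
}

static void exo_flush_bindings(int env, int ppage)
{
    for (int i = 0; i < STLB_SZ; i++)
        if (stlb[env][i].valid && stlb[env][i].ppage == ppage) stlb[env][i].valid = false;
}

/* Library OS side: the revocation upcall. Returns true once the LOS has
 * saved what it needs and released the page. */
typedef bool (*revoke_handler_t)(int env, int ppage);

/* Visible revocation with abort protocol: ask the LOS first. Whether or
 * not it cooperates the bindings are broken; if it did not, the page is
 * noted in the repossession vector so the LOS can later learn of the loss. */
static bool exo_revoke(int env, int ppage, revoke_handler_t handler)
{
    if (ppage < 0 || ppage >= NPAGES || page_owner[ppage] != env) return false;
    bool cooperative = handler != NULL && handler(env, ppage);
    exo_flush_bindings(env, ppage);
    page_owner[ppage] = NO_OWNER;
    page_cap[ppage]   = 0;
    if (!cooperative) repossessed[env] |= 1u << ppage;   /* abort protocol */
    return cooperative;
}

/* Two hypothetical library OS handlers. */
static bool los_polite(int env, int ppage)   { (void)env; (void)ppage; return true; }
static bool los_stubborn(int env, int ppage) { (void)env; (void)ppage; return false; }

int main(void)
{
    exo_init();
    int p = exo_alloc_page(0, 0xC0FFEEu);
    printf("bind own page: %d\n", exo_bind(0, 0x1000, p, 0xC0FFEEu));     /* 1 */
    printf("bind as other env: %d\n", exo_bind(1, 0x1000, p, 0xC0FFEEu)); /* 0 */
    printf("refill: page %d\n", exo_tlb_refill(0, 0x1000));                /* 0 */
    printf("polite revoke: %d\n", exo_revoke(0, p, los_polite));           /* 1 */
    int q = exo_alloc_page(1, 7u);
    exo_bind(1, 0x3000, q, 7u);
    printf("stubborn revoke: %d, repossessed mask for env 1: %u\n",
           exo_revoke(1, q, los_stubborn), repossessed[1]);               /* 0, 1 */
    return 0;
}
```

Note where the cost lands: the only authorization check is in `exo_bind`, and the only thing the refill path does is look up a cached binding, which is exactly the separation the secure-binding slides argue for. The abort path breaks the binding before the page is reused, so a library OS that ignores the upcall cannot keep touching memory that now belongs to someone else; it merely finds the page missing and the bit set in its repossession vector.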

Aegis and ExOS

- Aegis
  o Exports the processor, physical memory, the TLB, exceptions, and interrupts
- ExOS
  o Implements processes, virtual memory, user-level exceptions, interprocess abstractions, and network protocols
- Experimental hypotheses
  o Exokernels can be efficient
  o Low-level, secure multiplexing of hardware resources can be implemented efficiently
  o Traditional OS abstractions can be implemented efficiently at application level
  o Applications can create special-purpose implementations of abstractions

Aegis: Exokernel

- Supports a small set of primitive operations standing in for privileged instructions (pseudo-instructions)
- Efficient because:
  o Keeping track of ownership is simple
  o The kernel provides little functionality, so it is small and lean
  o Secure bindings are cached in a software TLB, making TLB misses cheap
  o Downloaded packet filters and dynamic code generation make secure binding to the network efficient

ExOS: Library OS

- IPC: LRPC
- Virtual memory
- Remote communication: ASHs

Protected Control Transfers

- An efficient building block for IPC abstractions
- Steps:
  o Change the PC to an agreed entry point in the callee
  o Donate the current time slice
  o Install the required elements of the callee's processor context
- Two forms:
  1. Asynchronous: gives the callee only the remainder of the current time slice
  2. Synchronous: donates the current time slice to the callee
- Properties:
  o Atomic
  o The exokernel does not overwrite application-visible registers
  o No protection check
  o Single-threaded
- Yield primitive: donates the remainder of the current time slice to another process

ASHs Performance

Extensibility of ExOS

- Extensible RPC:
  o tLRPC (trusted LRPC): trusts the server to save and restore the callee-saved registers; no permission checks
  o LRPC: saves the general-purpose callee-saved registers
  o Both are single-threaded
- Extensible page-table structures:
  o Inverted page table for sparse address spaces
- Extensible schedulers:
  o Stride scheduling implemented at application level, using the yield primitive to donate the remainder of the current time slice
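The extensible-scheduler bullet above is the one place the deck names both a concrete algorithm (stride scheduling) and the kernel primitive it is built on (yield). The following added example, not ExOS code, models an application-level stride scheduler: each time the kernel hands it a time slice, it picks the client with the smallest pass value, charges that client one stride, and donates the remainder of the slice to it. The ticket counts, the slice length, the scheduler's own bookkeeping cost and the client names are assumptions.

```c
/* Application-level stride scheduler driven by time-slice donation:
 * added example, not ExOS code. Each client holds tickets; its stride is
 * inversely proportional to them; the client with the smallest pass runs
 * next and its pass advances by its stride. The kernel only hands the
 * scheduler fixed time slices; the scheduler spends a few ticks deciding
 * and yields the remainder to the chosen client. Tickets, quantum and
 * bookkeeping cost are assumptions. */
#include <stdbool.h>
#include <stdio.h>

#define STRIDE1 (1u << 20)   /* large constant so strides stay integers */

struct client { const char *name; unsigned tickets, stride, pass, runs; };
struct slice  { int client; unsigned ticks; };   /* who gets the remainder, and how much */

/* Initialise clients; rejects a zero ticket count, which would divide by
 * zero and describe a client that should never run anyway. */
static bool stride_init(struct client *c, int n, const char *const *names,
                        const unsigned *tickets)
{
    for (int i = 0; i < n; i++) {
        if (tickets[i] == 0) return false;
        c[i].name    = names[i];
        c[i].tickets = tickets[i];
        c[i].stride  = STRIDE1 / tickets[i];
        c[i].pass    = c[i].stride;   /* conventional starting pass */
        c[i].runs    = 0;
    }
    return true;
}

/* Pick the client with the minimum pass; ties go to the lowest index. */
static int stride_pick(const struct client *c, int n)
{
    int best = 0;
    for (int i = 1; i < n; i++)
        if (c[i].pass < c[best].pass) best = i;
    return best;
}

/* The scheduler's handler for one kernel time slice of `quantum` ticks.
 * It has already spent `used` ticks deciding; if nothing is left there
 * is nothing to donate and no client is charged. Otherwise the chosen
 * client is charged one stride and receives the remainder via yield. */
static struct slice los_on_timeslice(struct client *c, int n,
                                     unsigned quantum, unsigned used)
{
    if (used >= quantum) return (struct slice){ -1, 0 };
    int i = stride_pick(c, n);
    c[i].pass += c[i].stride;
    c[i].runs++;
    return (struct slice){ i, quantum - used };   /* yield(remainder) to client i */
}

int main(void)
{
    static const char *const names[] = { "A", "B", "C" };
    static const unsigned tickets[]  = { 4, 2, 1 };   /* 4:2:1 share */
    struct client c[3];
    if (!stride_init(c, 3, names, tickets)) return 1;
    for (int round = 0; round < 70; round++) {
        struct slice s = los_on_timeslice(c, 3, 10, 1);
        if (round < 7)
            printf("slice %d: %s gets %u ticks\n", round, c[s.client].name, s.ticks);
    }
    for (int i = 0; i < 3; i++)
        printf("%s ran %u times\n", c[i].name, c[i].runs);   /* 40, 20, 10 */
    return 0;
}
```

With tickets 4:2:1 the pick sequence repeats every seven slices (A, A, B, A, A, B, C), so over 70 slices the clients run exactly 40, 20 and 10 times. The kernel never sees the policy: all it provides is a fixed slice and a yield that hands the unused part of it to whichever client the library scheduler chose.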

Conclusion

- The exokernel securely multiplexes hardware resources among applications
- The LOS implements higher-level abstractions and defines special-purpose implementations for the best performance and functionality
- Simplicity and a limited set of primitives allow an efficient implementation
- Exokernel primitives are fast; low-level secure multiplexing is efficient
- Traditional OS abstractions can be implemented at application level
- Applications can create special-purpose implementations of abstractions by modifying the library