SLIC: An Extensibility System for Commodity Operating Systems

Modern commodity operating systems are large and complex systems developed over many years by large teams of programmers, containing hundreds of thousands of lines of code. Consequently, it is extremely difficult to add significant new functionality to these systems. In response to this problem, a number of recent research projects have explored novel operating system architectures to support untrusted extensions, including SPIN, VINO, Exokernel, and Fluke. Unfortunately, these architectures require substantial implementation effort and are not generally available in commodity systems. In contrast, by leveraging the technique of interposition, we have designed and implemented a prototype extension system called SLIC which requires only trivial operating system changes. SLIC efficiently inserts trusted extension code into commodity operating systems, enabling a large class of trusted extensions for existing commodity operating systems such as Solaris and Linux, while retaining full compatibility with existing application binaries. By interposing trusted extensions on existing kernel interfaces, our solution enables extensions which are protected from malicious applications, are enforced upon uncooperative applications, are composable with extensions from other third-party sources, and can be developed at the user-level using state-of-the-art development tools. We have used SLIC to implement and demonstrate a number of useful operating system extensions, including a patch to fix a security hole described in a CERT advisory, a simple encryption file system, and a restricted execution environment for arbitrary untrusted binaries. Performance measurements of the SLIC prototype demonstrate a one-time installation cost of 2-8 µsec and a per-extension invocation overhead commensurate with a procedure call.
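The interposition the abstract describes, as an added toy model (not SLIC's code): extensions are chained in front of an existing kernel entry point, every application trap enters at the head of the chain so an uncooperative process cannot bypass a layer, and each extension either forwards the call or answers it. The names, the `/sandbox/` confinement rule and the stub kernel handler are assumptions.

```c
#include <string.h>
#include <errno.h>

/* Constructed stand-in for the kernel side of SLIC-style interposition.
 * Nothing here is the paper's implementation. */

#define SYS_OPEN 1
#define MAX_EXT  4

struct call { int nr; const char *path; int flags; };

/* An extension gets the call and its depth in the chain; it forwards the
 * call by invoking dispatch_from(c, depth), which reaches the next layer. */
typedef long (*ext_fn)(struct call *c, int depth);

static ext_fn chain[MAX_EXT];
static int    nchain;

/* The unmodified kernel handler (stub): the last link in every chain. */
static long kernel_entry(struct call *c) { (void)c; return 0; }

/* Walk the chain; once the extensions are exhausted, enter the kernel. */
long dispatch_from(struct call *c, int depth) {
    return depth < nchain ? chain[depth](c, depth + 1) : kernel_entry(c);
}

/* Where an application trap lands: always depth 0, so installed
 * extensions are enforced on every caller, cooperative or not. */
long sys_dispatch(struct call *c) { return dispatch_from(c, 0); }

/* Install an extension; earlier installs sit closer to the application. */
int slic_install(ext_fn e) {
    if (nchain >= MAX_EXT) return -1;
    chain[nchain++] = e;
    return 0;
}

/* Extension A: restricted execution, confine open() to one directory tree.
 * A denied call is answered here and never reaches kernel_entry. */
long ext_restrict(struct call *c, int depth) {
    if (c->nr == SYS_OPEN && strncmp(c->path, "/sandbox/", 9) != 0)
        return -EACCES;
    return dispatch_from(c, depth);
}

/* Extension B: audit, counts every call passing through this layer.
 * Composes with A without either knowing about the other. */
static long audited;
long audited_calls(void) { return audited; }
long ext_audit(struct call *c, int depth) { audited++; return dispatch_from(c, depth); }
```

Installing `ext_audit` before `ext_restrict` puts the audit layer nearer the application, so it also counts calls that the restriction layer later denies; reversing the order changes what is audited, which is the composition question an extension author has to decide.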
