Sealing OS processes to improve dependability and safety

In most modern operating systems, a process is a hardware-protected abstraction for isolating code and data. This protection, however, is selective. Many common mechanisms---dynamic code loading, run-time code generation, shared memory, and intrusive system APIs---make the barrier between processes very permeable. This paper argues that this traditional open process architecture exacerbates the dependability and security weaknesses of modern systems. As a remedy, this paper proposes a sealed process architecture, which prohibits dynamic code loading, self-modifying code, shared memory, and limits the scope of the process API. This paper describes the implementation of the sealed process architecture in the Singularity operating system, discusses its merits and drawbacks, and evaluates its effectiveness. Some benefits of this sealed process architecture are: improved program analysis by tools, stronger security and safety guarantees, elimination of redundant overlaps between the OS and language runtimes, and improved software engineering. Conventional wisdom says open processes are required for performance; our experience suggests otherwise. We present the first macrobenchmarks for a sealed-process operating system and applications. The benchmarks show that an experimental sealed-process system can achieve performance competitive with highly-tuned, commercial, open-process systems.

[1]  V. A. Vyssotsky,et al.  Structure of the multics supervisor , 1965, AFIPS '65 (Fall, part I).

[2]  Jerome H. Saltzer,et al.  A hardware architecture for implementing protection rings , 1972, CACM.

[3]  A. Retrospective,et al.  The UNIX Time-sharing System , 1977 .

[4]  Butler W. Lampson,et al.  An open operating system for a single-user machine , 1979, SOSP '79.

[5]  Yogen K. Dalal,et al.  Pilot: an operating system for a personal computer , 1980, CACM.

[6]  David A. Moon,et al.  The Lisp Machine manual , 1981, SGAR.

[7]  David Robson,et al.  Smalltalk-80: The Language and Its Implementation , 1983 .

[8]  Richard J. Beach,et al.  A structural view of the Cedar programming environment , 1986, TOPL.

[9]  William J. Bolosky,et al.  Mach: A New Kernel Foundation for UNIX Development , 1986, USENIX Summer.

[10]  Lawrence C. Stewart,et al.  Firefly: a multiprocessor workstation , 1987, IEEE Trans. Computers.

[11]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[12]  Brian N. Bershad,et al.  Extensibility safety and performance in the SPIN operating system , 1995, SOSP.

[13]  Dawson R. Engler,et al.  Exokernel: an operating system architecture for application-level resource management , 1995, SOSP.

[14]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[15]  Margo I. Seltzer,et al.  Dealing with disaster: surviving misbehaved kernel extensions , 1996, OSDI '96.

[16]  Philip Winterbottom,et al.  The Inferno™ operating system , 1997, Bell Labs Technical Journal.

[17]  Paul R. McJones,et al.  Evolving the UNIX System Interface to Support Multithreaded Programs , 1997 .

[18]  Jochen Liedtke,et al.  The performance of μ-kernel-based systems , 1997, SOSP.

[19]  Deyu Hu,et al.  Implementing Multiple Protection Domains in Java , 1998, USENIX Annual Technical Conference.

[20]  Juan-Mariano de Goyeneche,et al.  Loadable Kernel Modules , 1999, IEEE Softw..

[21]  Linda Mui,et al.  Writing Apache Modules with PERL and C , 1999 .

[22]  MorrisettGreg,et al.  From system F to typed assembly language , 1999 .

[23]  Tom Saulpaugh,et al.  Inside the JavaOS operating system , 1999 .

[24]  Jong-Deok Choi,et al.  A framework for interprocedural optimization in the presence of dynamic class loading , 2000, PLDI '00.

[25]  Erik Ruf,et al.  Marmot: an optimizing compiler for Java , 2000, Softw. Pract. Exp..

[26]  Wilson C. Hsieh,et al.  Processes in KaffeOS: isolation, resource management, and sharing in java , 2000, OSDI.

[27]  Robert P. Fitzgerald,et al.  The case for profile-directed selection of garbage collectors , 2000, ISMM '00.

[28]  Brendan Murphy,et al.  Windows 2000 Dependability , 2000 .

[29]  Erik Ruf,et al.  Marmot: an optimizing compiler for Java , 2000 .

[30]  Joseph Gil,et al.  Sealing, Encapsulation, and Mutability , 2001, ECOOP.

[31]  Junfeng Yang,et al.  An empirical study of operating systems errors , 2001, SOSP.

[32]  Dawson R. Engler,et al.  Fast and flexible application-level networking on exokernel systems , 2002, TOCS.

[33]  Michael Golm,et al.  The JX Operating System , 2002, USENIX Annual Technical Conference, General Track.

[34]  C. Hawblitzel,et al.  Luna: a flexible Java protection system , 2002, OSDI '02.

[35]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[36]  Brian Vinter,et al.  RMoX: A Raw-Metal occam Experiment , 2003 .

[37]  George C. Necula,et al.  Capriccio: scalable threads for internet services , 2003, SOSP '03.

[38]  Robert Bruce Findler,et al.  Kill-safe synchronization abstractions , 2004, PLDI '04.

[39]  Paul England,et al.  NGSCB: A Trusted Open System , 2004, ACISP.

[40]  Nathanael Paul,et al.  .NET security: lessons learned and missed from Java , 2004, 20th Annual Computer Security Applications Conference.

[41]  George Candea,et al.  Microreboot - A Technique for Cheap Recovery , 2004, OSDI.

[42]  James R. Larus,et al.  Broad New OS Research: Challenges and Opportunities , 2005, HotOS.

[43]  Martín Abadi,et al.  An Overview of the Singularity Project , 2005 .

[44]  Martín Abadi,et al.  Access Control in a World of Software Diversity , 2005, HotOS.

[45]  Brian N. Bershad,et al.  Improving the reliability of commodity operating systems , 2005, TOCS.

[46]  Herbert Bos,et al.  MINIX 3: a highly reliable, self-repairing operating system , 2006, OPSR.

[47]  James R. Larus,et al.  Reflective program generation with patterns , 2006, GPCE '06.

[48]  河野 健二 20世紀の名著名論:M. Accetta R. Baron W. Bolosky D. Golub R. Rashid A. Tevanian and M. Young:Mach : A New Kernel Foundation For UNIX Development , 2006 .

[49]  Galen C. Hunt,et al.  Solving the starting problem: device drivers as self-describing artifacts , 2006, EuroSys '06.

[50]  Brian N. Bershad,et al.  Recovering device drivers , 2004, TOCS.

[51]  James R. Larus,et al.  Deconstructing process isolation , 2006, MSPC '06.

[52]  James R. Larus,et al.  Transactional Memory , 2006, Transactional Memory.

[53]  Úlfar Erlingsson,et al.  Ad hoc extensibility and access control , 2006, OPSR.

[54]  Sriram K. Rajamani,et al.  Thorough static analysis of device drivers , 2006, EuroSys.

[55]  James R. Larus,et al.  Language support for fast and reliable message-based communication in singularity OS , 2006, EuroSys.

[56]  Martín Abadi,et al.  Authorizing applications in singularity , 2007, EuroSys '07.