Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Innovative Operating System Elements (Seminar Course, WiSe 2016) 1
Innovative Operating System Elements
Seminar Course, WiSe 2016
Description
This seminar deals with the design, implementation, and application of innovative and state-of-
the-art operating systems elements. We dive into the inner workings of modern operating sys-
tems and explore different system designs, from micro-kernel systems like seL4 over classic
monolithic systems like Linux to systems somewhere in-between such as NetBSD. We also
look into OSs for different requirements and application areas, from highly specialized OSs for
safety critical embedded systems to commodity OSs running on server or desktop machines.
We explore recent scientific papers published in established software and systems conferences
and other useful sources. Our focus is on the critical discussion of OS related issues and pro-
posed approaches/solutions and the comparison of different approaches that tackle the same or
a similar problem.
Note
The provided references lists, if any, for the individual topics are not exhaustive and should
only be considered as a starting point for the literature research. The goal of the seminar, in
general, is that students familiarize themselves with recent advances in engineering, validating,
and hacking (in the broadest sense!) of operating systems. The suggested topics and accompa-
nying references should be well understandable with background knowledge from the OS1
and/or OS2 lectures.
Course Website
https://www.deeds.informatik.tu-darmstadt.de/teaching/courses/ws20162017/
innovative-operating-system-elements
Contact
Nicolas Coppik
Tel: +49 6151 16-25226
Room: S2|02 E221
Oliver Schwahn
Tel: +49 6151 16-25234
Room: S2|02 E221
Innovative Operating System Elements (Seminar Course, WiSe 2016) 2
Topic Overview
Kernel Concurrency Bugs .......................................................................................................... 3
Beyond Second Level Address Translation ............................................................................... 4
Operating System Updates ......................................................................................................... 5
Intra-Kernel Privilege Separation ............................................................................................... 6
Kernel Control-Flow Integrity ................................................................................................... 7
POSIX Abstractions in Modern OSs .......................................................................................... 8
Is the Linux Scheduler Broken? ................................................................................................. 9
WSL – The Windows Subsystem for Linux ............................................................................ 10
Hardware Supported Trusted Execution Environments ........................................................... 11
Time in Virtual Machines ........................................................................................................ 12
Verified OS Kernels ................................................................................................................. 13
Innovative Operating System Elements (Seminar Course, WiSe 2016) 3
Kernel Concurrency Bugs
Concurrency bugs are notoriously difficult to test for as they may only be triggered under a
small subset of all possible interleavings. Systematic approaches to finding concurrency bugs
typically rely on the ability to control the scheduler to maximize coverage of the interleaving
space. Such approaches cannot be directly applied to an OS kernel without extensive modifica-
tions, possibly rendering the results unrepresentative of the unmodified kernel. The problem is
further complicated by the fact that kernel code frequently uses various finely tuned, architec-
ture-specific mechanisms in order to minimize the performance impact of synchronization.
SKI is a recent approach for detecting kernel concurrency bugs that relies on virtual machine
introspection and works on unmodified kernels.
The objective of this seminar report is to critically discuss the SKI approach and compare it to
earlier approaches that attempt to address kernel concurrency bugs.
References
Fonseca, Rodrigues, Brandenburg (2014):
SKI: Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration.
In: Proc. OSDI ‘14.
https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-fonseca.pdf.
Innovative Operating System Elements (Seminar Course, WiSe 2016) 4
Beyond Second Level Address Translation
Virtualization has become commonplace and significant effort has been expanded on reducing
the overhead it entails, leading to improvements in both hardware and software. Nonetheless,
memory or page table virtualization retain notable overhead even when hardware-assisted Sec-
ond Level Address Translation (SLAT) is used due to the additional memory accesses that are
required during page walks. Recently, researchers have proposed combining SLAT with the
older shadow page table approach in order to tackle this overhead.
The objective of this seminar report is to give an overview of the performance implications of
SLAT and the mechanisms that have been proposed to tackle them.
References
Gandhi, Hill, Swift (2016):
Agile Paging : Exceeding the Best of Nested and Shadow Paging.
In: Proc ISCA ‘16
https://doi.org/10.1109/ISCA.2016.67
Wang, Zang, Wang, Luo, Li (2011):
Selective hardware/software memory virtualization.
In: Proc. VEE ‘11
https://doi.org/10.1145/1952682.1952710
Innovative Operating System Elements (Seminar Course, WiSe 2016) 5
Operating System Updates
Modern operating system kernels are highly complex and new bugs or vulnerabilities are found
frequently. Consequently, it is important that the updates to fix these flaws induce as little
downtime as possible. For Linux, several tools such as Ksplice, kpatch and KGraft have been
developed to allow applying certain updates to the kernel without rebooting the system. Other
recent approaches leverage virtualization or checkpointing mechanisms to allow arbitrary ker-
nel updates.
The objective of this seminar report is to discuss recent live patching techniques for the Linux
kernel, their advantages and their drawbacks.
References
Kashyap, Min, Lee, Kim, Emelyanov (2016):
Instant OS Updates via Userspace Checkpoint-and-Restart
In: Proc. USENIX ATC '16
https://www.usenix.org/system/files/conference/atc16/atc16_paper-kashyap.pdf
Yamada., Kono (2013):
Traveling forward in time to newer operating systems using ShadowReboot.
In: Proc. VEE '13
https://doi.org/10.1145/2103799.2103814
Innovative Operating System Elements (Seminar Course, WiSe 2016) 6
Intra-Kernel Privilege Separation
The monolithic design of most contemporary commodity operating systems is a threat to the
secure and reliable operation of computer systems. Monolithic kernels consist of a large body
of code that is impossible to prove correct or test exhaustively. Bugs in the kernel or kernel
extensions such as device drivers can easily crash the system, being a reliability issue. Success-
ful attacks on the kernel, e.g., using malicious device drivers, compromise security properties
of the whole system. Privilege separation within the kernel, i.e., the ability to assign different
parts of the kernel different privileges, can greatly improve the situation. For instance, the ac-
cess to certain memory regions can be restricted within the kernel or subsystems within the
kernel can be isolated from each other. A recent advancement in this area is the nested kernel
architecture that aims to reduce a system’s trusted computing base by nesting a small isolated
kernel within a commodity kernel.
The objective of this seminar report is to critically discuss the nested kernel approach and com-
pare it to other approaches for privilege separation inside the kernel with a focus not only on
security but also reliability and fault tolerance aspects.
References
Dautenhahn, N., Kasampalis, T., Dietz, W., Criswell, J., & Adve, V.
Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation.
In Proc. of ASPLOS 2015
Available online at http://doi.acm.org/10.1145/2694344.2694386
Innovative Operating System Elements (Seminar Course, WiSe 2016) 7
Kernel Control-Flow Integrity
Memory safety attacks, such as buffer overflows, are a well-known class of attacks against
software. Especially software written in unmanaged and/or low-level languages like C/C++ are
susceptible to these attacks. Usually, the goal of such attacks is to gain the control over the code
that is executed within a piece of software, i.e., to hijack the control flow and force the system
to execute code chosen by the attacker. OS kernels, which are often written in C/C++, are pop-
ular targets for these kind of attacks as control over the OS gives full control over a complete
system. Control-flow integrity (CFI) security policies prevent such attacks. Although many ap-
proaches exist for enforcing CFI on user-level software, only few approaches exist for kernel-
level code. KCoFI is a recent CFI approach for commodity kernels that promises low overhead
and is based on a formal model.
The goal of this seminar report is to critically discuss the KCoFI approach and compare it to
similar approaches that aim to protect OS kernels from control flow manipulations.
References
J. Criswell, N. Dautenhahn, and V. Adve
KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels.
In Proceedings of the 2014 IEEE Symposium on Security and Privacy,.
Available online at http://dx.doi.org/10.1109/SP.2014.26
Innovative Operating System Elements (Seminar Course, WiSe 2016) 8
POSIX Abstractions in Modern OSs
The Portable Operating Systems Interface (POSIX) standard(s) has been around for more than
25 years. It is intended to help developers in achieving application portability across different
UNIX-based (but also other) OSs. A central part of POSIX is the application programming
interface (API) specification that defines a set of abstractions (functions, data types, etc.) which
application developers can rely on for a different OSs (e.g., Linux, Android, macOS, BSD,
Windows). Applications, including their use cases and requirements, have changed over the
years, but the POSIX APIs have remained unchanged. But does POSIX still provide the “right”
abstractions for modern systems? How do applications use the POSIX APIs nowadays? Are
other abstractions needed? A recent study explores contemporary POSIX API usage on modern
systems across different OSs (see references).
The goal of this seminar report is to critically discuss whether POSIX is still suitable for modern
applications and OSs and compare the findings of the referenced study with other related works
(consistency check).
References
Atlidakis, V., Andrus, J., Geambasu, R., Mitropoulos, D., & Nieh, J. (2016):
POSIX Abstractions in Modern Operating Systems: The Old, the New, and the Missing.
In: Proc. EuroSys 2016.
Available online at http://doi.org/10.1145/2901318.2901350
Innovative Operating System Elements (Seminar Course, WiSe 2016) 9
Is the Linux Scheduler Broken?
In the past, CPU scheduling has been considered a solved problem. However, with the advent
of multicore systems and the increasing importance of energy efficiency, CPU scheduling be-
came complicated again, resulting in broken implementations. As the referenced study shows,
even Linux’s widely used scheduler (CFS) implementation still contains bugs that lead to long
idle times for CPU cores, which can severely hurt performance.
The objective of this seminar report is to give an overview of Linux’s scheduler and discuss the
findings of the referenced study.
References
Lozi, J.-P., Lepers, B., Funston, J., Gaud, F., Quéma, V., & Fedorova, A. (2016):
The Linux Scheduler: A Decade of Wasted Cores.
In: Proc. EuroSys 2016.
Available online at http://doi.org/10.1145/2901318.2901326
Innovative Operating System Elements (Seminar Course, WiSe 2016) 10
WSL – The Windows Subsystem for Linux
With the latest Windows version (Windows 10, 1607), Microsoft released the Windows Sub-
system for Linux (WSL), which allows to run unmodified Linux executables under Windows.
WSL provides a semi-isolated environment in which a complete (user-mode) Ubuntu system
with a Linux 3.4 kernel is executed. WSL must translate Linux system calls to Windows equiv-
alents, mediate file system access, and manage resources. Although many (most?) applications
contained in Ubuntu are supported, WSL still lacks certain capabilities to allow the execution
of arbitrary Linux software.
The objective of this seminar report is to give an overview of WSL and discuss how it integrates
with other Windows processes and subsystems with a focus on isolation and security. The report
should also include an assessment of current limitations of WSL.
References
Microsoft Blog on WSL
Online at https://blogs.msdn.microsoft.com/wsl/
MSDN post on “Bash on Ubuntu on Windows”
Online at https://msdn.microsoft.com/commandline/wsl
Innovative Operating System Elements (Seminar Course, WiSe 2016) 11
Hardware Supported Trusted Execution Environments
Over the past decades, hardware manufacturers have increasingly added “trusted computing”
features to their platforms. One of latest efforts in this respect is the provision of hardware
mechanisms to isolate particularly critical code and data and make it inaccessible to unauthor-
ized parts of the system, even if these unauthorized parts execute at highest system privileges.
Intel’s latest SGX instruction set extension offers this functionality for commodity applications
on x86 based platforms.
The goal of this seminar report is to provide a detailed overview of the new instructions pro-
vided by SGX, how they can be used to enforce data and code isolation, and add a brief com-
parison with the older trusted computing extensions offered by AMD (PSP) and ARM
(TrustZone).
References
Sinha, Costa, Lal, Lopes, Rajamani, Seshia, Vaswani (2016):
A design and verification methodology for secure isolated regions.
In: Proc. PLDI ‘16.
Available online at http://dx.doi.org/10.1145/2908080.2908113
Innovative Operating System Elements (Seminar Course, WiSe 2016) 12
Time in Virtual Machines
Virtualization has become ubiquitous. It forms the core of cloud computing, enables OS devel-
opers to easily test and debug their code, and postdoctoral researchers can use them to create
documents with inferior office software demanded by the university administration.
An interesting problem of virtualization is the relation between the time bases of the host and
guest machines. If the host time is directly exposed to guests, a side channel is created via which
an adversary can infer properties of the host machine and, possibly, collocated guests. If the
time base of the guest is purely virtual, no realistic performance measures can be obtained for
workloads executing inside guest machines. In particular, hardware runtime monitoring mech-
anisms, such as watchdog timers, require full emulation, which comes at a significant runtime
overhead.
The goal of this report is to present an overview of hardware timers and watchdogs commonly
found in x86 and ARM systems and how these timers are exposed to virtual guests in
QEMU/KVM.
Innovative Operating System Elements (Seminar Course, WiSe 2016) 13
Verified OS Kernels
The code of commodity OS kernels is known to have high defect densities for several reasons.
First, kernel code is a difficult mix of C and assembly code, neither of which is particularly
suitable for static analyses. Second, the amount of code that a modern OS kernel comprises is
often huge and executing in concurrent threads, which leads to an immense complexity of the
state space where bugs can hide during testing. Third, the large variety of hardware platforms
with different combinations of devices lead to large numbers of kernel configurations, each of
which would need to be tested individually.
Over the last couple of years, a number of attempts have been made to verify the correctness of
OS kernels, the most prominent ones being seL4 and mCertiKOS. The goal of this report is to
summarize and compare a) which properties of the two kernels have been verified nad b) how
these kernel properties have been articulated and how the kernel has been proven to possess
these properties.
References
Chen, Wu, Shao, Lockerman, Gu (2016):
Toward compositional verification of interruptible OS kernels and device drivers.
In: Proc. PLDI ‘16.
Available online at http://dx.doi.org/10.1145/2908080.2908101.
Klein, Elphinstone, Heiser, Andronick, Cock, Derrin, Elkaduwe, Engelhardt, Kolanski, Norrish, Sewell, Tuch, Winwood
(2009):
seL4: formal verification of an OS kernel.
In: Proc. SOSP ‘09.
Available online at http://dx.doi.org/10.1145/1629575.1629596.