
Mondrix: memory isolation for linux using mondriaan memory protection

Published: 20 October 2005

Abstract

This paper presents the design and an evaluation of Mondrix, a version of the Linux kernel with Mondriaan Memory Protection (MMP). MMP is a combination of hardware and software that provides efficient fine-grained memory protection between multiple protection domains sharing a linear address space. Mondrix uses MMP to enforce isolation between kernel modules, which helps detect bugs, limits their damage, and improves kernel robustness and maintainability. During development, MMP exposed two kernel bugs in common, heavily-tested code, and during fault injection experiments it prevented three of five file system corruptions.

The Mondrix implementation demonstrates how MMP can bring memory isolation to modules that already exist in a large software application. It shows the benefit of isolation for robustness and error detection and prevention, while validating previous claims that the protection abstractions MMP offers are a good fit for software. This paper describes the design of the memory supervisor, the kernel module which implements permissions policy.

We present an evaluation of Mondrix using full-system simulation of large kernel-intensive workloads. Experiments with several benchmarks in which MMP was used extensively indicate that the additional space taken by the MMP data structures reduces the kernel's free memory by less than 10%, and that the kernel's runtime increases by less than 15% relative to an unmodified kernel.
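As an added illustration, not code from the paper or from Mondrix, the following is a simplified software model of the two pieces the abstract names: a permissions table recording what each protection domain may do with a range of the shared address space, and a supervisor call that sets that policy. Real MMP keeps the table in hardware at word granularity; the byte ranges, domain count and permission bits below are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Permission bits a protection domain may hold on a region (model assumption). */
enum { PERM_NONE = 0, PERM_READ = 1, PERM_WRITE = 2 };

#define MAX_DOMAINS 4   /* assumed: e.g. 0 = core kernel, 1.. = isolated modules */
#define MAX_REGIONS 8
/* One entry of the simplified permissions table: a byte range [start, end)
 * and the permissions each domain holds on it. MMP keeps this in a hardware
 * table at word granularity; here it is a plain array for illustration. */
struct region {
    uintptr_t start, end;
    uint8_t perm[MAX_DOMAINS];
};

static struct region table[MAX_REGIONS];   /* zero-initialised: all PERM_NONE */
static int nregions;

/* Supervisor policy call: set domain d's permissions on an exact range.
 * Returns 0 on success, -1 on a bad argument or a full table. Ranges are
 * matched exactly; splitting overlapping ranges is out of scope here. */
int supervisor_grant(int d, uintptr_t start, uintptr_t end, uint8_t perm) {
    if (d < 0 || d >= MAX_DOMAINS || start >= end) return -1;
    for (int i = 0; i < nregions; i++) {
        if (table[i].start == start && table[i].end == end) {
            table[i].perm[d] = perm;
            return 0;
        }
    }
    if (nregions == MAX_REGIONS) return -1;
    table[nregions].start = start;
    table[nregions].end = end;
    table[nregions].perm[d] = perm;     /* other domains keep PERM_NONE */
    nregions++;
    return 0;
}

/* The check the hardware performs on every access: true only if domain d
 * holds every bit in 'want' on all of [addr, addr + len). A range that no
 * entry covers, or that crosses an entry's end, is denied by default. */
bool mmp_check(int d, uintptr_t addr, size_t len, uint8_t want) {
    if (d < 0 || d >= MAX_DOMAINS || len == 0 || want == PERM_NONE) return false;
    for (int i = 0; i < nregions; i++) {
        if (addr >= table[i].start && addr < table[i].end)
            return len <= table[i].end - addr && (table[i].perm[d] & want) == want;
    }
    return false;
}
```

A module that has been granted read-only access to a core-kernel region is refused the moment it tries to write there, which is the kind of cross-module corruption the abstract reports MMP catching during fault injection.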



      • Published in

        ACM SIGOPS Operating Systems Review, Volume 39, Issue 5 (SOSP '05), December 2005, 290 pages. ISSN: 0163-5980. DOI: 10.1145/1095809

        • SOSP '05: Proceedings of the twentieth ACM symposium on Operating systems principles, October 2005, 259 pages. ISBN: 1595930795. DOI: 10.1145/1095810

        Copyright © 2005 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        Publisher

        Association for Computing Machinery

        New York, NY, United States

