Abstract
This paper presents the design and an evaluation of Mondrix, a version of the Linux kernel with Mondriaan Memory Protection (MMP). MMP is a combination of hardware and software that provides efficient fine-grained memory protection between multiple protection domains sharing a linear address space. Mondrix uses MMP to enforce isolation between kernel modules, which helps detect bugs, limits their damage, and improves kernel robustness and maintainability. During development, MMP exposed two kernel bugs in common, heavily tested code, and during fault injection experiments it prevented three of five file system corruptions.

The Mondrix implementation demonstrates how MMP can bring memory isolation to modules that already exist in a large software application. It shows the benefit of isolation for robustness and error detection and prevention, while validating previous claims that the protection abstractions MMP offers are a good fit for software. This paper describes the design of the memory supervisor, the kernel module which implements permissions policy.

We present an evaluation of Mondrix using full-system simulation of large kernel-intensive workloads. Experiments with several benchmarks in which MMP was used extensively indicate that the additional space taken by the MMP data structures reduces the kernel's free memory by less than 10%, and that the kernel's runtime increases by less than 15% relative to an unmodified kernel.
Mondrix: Memory Isolation for Linux Using Mondriaan Memory Protection
SOSP '05: Proceedings of the twentieth ACM symposium on Operating systems principles