Results 1 - 10
of
47
Operating System Transactions
, 2008
"... Operating systems should provide system transactions to user applications, in which user-level processes execute a series of system calls atomically and in isolation from other processes on the system. System transactions provide a simple tool for programmers to express safety conditions during conc ..."
Abstract
-
Cited by 47 (9 self)
- Add to MetaCart
Operating systems should provide system transactions to user applications, in which user-level processes execute a series of system calls atomically and in isolation from other processes on the system. System transactions provide a simple tool for programmers to express safety conditions during concurrent execution. This paper describes TxOS, a variant of Linux 2.6.22, which is the first operating system to implement system transactions on commodity hardware with strong isolation and fairness between transactional and non-transactional system calls. System transactions provide a simple and expressive interface for user programs to avoid race conditions on system resources. For instance, system transactions eliminate time-of-check-to-time-of-use (TOCTTOU) race conditions in the file system which are a class of security vulnerability that are difficult to eliminate with other techniques. System transactions also provide transactional semantics for user-level transactions that require system resources, allowing applications using hardware or software transactional memory system to safely make system calls. While system transactions may reduce single-thread performance, they can yield more scalable performance. For example, enclosing link and unlink within a system transaction outperforms rename on Linux by 14 % at 8 CPUs.
Towards Scalable Multiprocessor Virtual Machines
, 2004
"... A multiprocessor virtual machine benefits its guest operating system in supporting scalable job throughput and request latency-useful properties in server consolidation where servers require several of the system processors for steady state or to handle load bursts. Typical operating systems, optimi ..."
Abstract
-
Cited by 42 (2 self)
- Add to MetaCart
A multiprocessor virtual machine benefits its guest operating system in supporting scalable job throughput and request latency-useful properties in server consolidation where servers require several of the system processors for steady state or to handle load bursts. Typical operating systems, optimized for multiprocessor systems in their use of spin-locks for critical sections, can defeat flexible virtual machine scheduling due to lock-holder preemption and misbalanced load. The virtual machine must assist the guest operating system to avoid lock-holder preemption and to schedule jobs with knowledge of asymmetric processor allocation. We want to support a virtual machine environment with flexible scheduling policies, while maximizing guest performance. This paper presents solutions to avoid lock-holder preemption for both fully virtualized and paravirtualized environments. Experiments show that we can nearly eliminate the effects of lock-holder preemption. Furthermore, the paper presents a scheduler feedback mechanism that despite the presence of asymmetric processor allocation achieves optimal and fair load balancing in the guest operating system.
The Nizza Secure-System Architecture
- In IEEE CollaborateCom 2005
, 2005
"... The trusted computing bases (TCBs) of applications running on today’s commodity operating systems have become extremely large. This paper presents an architecture that allows to build applications with a much smaller TCB. It is based on a kernelized architecture and on the reuse of legacy software u ..."
Abstract
-
Cited by 38 (7 self)
- Add to MetaCart
(Show Context)
The trusted computing bases (TCBs) of applications running on today’s commodity operating systems have become extremely large. This paper presents an architecture that allows to build applications with a much smaller TCB. It is based on a kernelized architecture and on the reuse of legacy software using trusted wrappers. We discuss the design principles, the architecture and some components, and a number of usage examples. 1
Design of the EROS trusted window system
- In USENIX Security Symposium
, 2004
"... Permission is granted for noncommercial reproduction of the work for educational or research purposes. ..."
Abstract
-
Cited by 35 (0 self)
- Add to MetaCart
(Show Context)
Permission is granted for noncommercial reproduction of the work for educational or research purposes.
Applying source-code verification to a microkernel -- The VFiasco project
, 2002
"... Source-code verification works by reasoning about the semantics of the full source code of a program. Traditionally it is limited to small programs written in an academic programming language. In this paper we present the VFiasco (Verified Fiasco) project, in which we apply source-code verification ..."
Abstract
-
Cited by 30 (4 self)
- Add to MetaCart
(Show Context)
Source-code verification works by reasoning about the semantics of the full source code of a program. Traditionally it is limited to small programs written in an academic programming language. In this paper we present the VFiasco (Verified Fiasco) project, in which we apply source-code verification to a complete operating-system kernel written in C++. The aim of the VFiasco project is to establish security relevant properties of the Fiasco microkernel using source code verification. The project's main challenges are to develop a clean semantics for the subset of C++ used by the kernel and to enable high-level reasoning about typed data starting from only low-level knowledge about the hardware. In this paper we present our ideas for tackling these challenges. We sketch a semantics of C++ and develop a type-safe object store for reasoning about C++ programs. This object store is based on a hardware model that closely resembles the IA32 virtual-memory architecture, and on guarantees provided by the kernel itself.
Cost and Benefit of Separate Address Spaces in Real-Time Operating Systems
- IN PROCEEDINGS OF THE 23RD IEEE REAL-TIME SYSTEMS SYMPOSIUM (RTSS
, 2002
"... The combination of a real-time executive and an off-theshelf time-sharing operating system has the potential of providing both predictability and the comfort of a large application base. To isolate the real-time section from a significant class of faults in the (ever-growing) time-sharing operating ..."
Abstract
-
Cited by 21 (3 self)
- Add to MetaCart
The combination of a real-time executive and an off-theshelf time-sharing operating system has the potential of providing both predictability and the comfort of a large application base. To isolate the real-time section from a significant class of faults in the (ever-growing) time-sharing operating system, address spaces can be used to encapsulate the time-sharing subsystem. However, in practice designers seldomly use address spaces for this purpose, fearing that extra cost induced thereby limits the system's predictability. To analyze this cost, we compared in detail two systems with almost identical interfaces---both are a combination of the Linux operating system and a small real-time executive. Our analysis revealed that for interrupt-response times, the delay and jitter caused by address spaces are similar to or even smaller than those caused by caches and blocked interrupts. As a side effect of our analysis, we observed that published figures on predictability must be carefully checked whether or not such hardware features are included in the analysis. This
Hardware support for spin management in overcommitted virtual machines
- In Proc. of 15th PACT
, 2006
"... Multiprocessor operating systems (OSs) pose several unique and conflicting challenges to System Virtual Machines (System VMs). For example, most existing system VMs resort to gang scheduling a guest OS’s virtual processors (VCPUs) to avoid OS synchronization overhead. However, gang scheduling is inf ..."
Abstract
-
Cited by 19 (9 self)
- Add to MetaCart
Multiprocessor operating systems (OSs) pose several unique and conflicting challenges to System Virtual Machines (System VMs). For example, most existing system VMs resort to gang scheduling a guest OS’s virtual processors (VCPUs) to avoid OS synchronization overhead. However, gang scheduling is infeasible for some application domains, and is inflexible in other domains. In an overcommitted environment, an individual guest OS has more VCPUs than available physical processors (PCPUs), precluding the use of gang scheduling. In such an environment, we demonstrate a more than two-fold increase in runtime when transparently virtualizing a chipmultiprocessor’s cores. To combat this problem, we propose a hardware technique to detect several cases when a VCPU is not performing useful work, and suggest preempting that VCPU to run a different, more productive VCPU. Our technique can dramatically reduce cycles wasted on OS synchronization, without requiring any semantic information from the software. We then present a case study, typical of server consolidation, to demonstrate the potential of more flexible scheduling policies enabled by our technique. We propose one such policy that logically partitions the CMP cores between guest VMs. This policy increases throughput by 10–25 % for consolidated server workloads due to improved cache locality and core utilization, and substantially improves performance isolation in private caches.
The Semantics of C++ Data Types: Towards Verifying Low-Level System Components
, 2003
"... Data[Semantics int] dt int exists : Axiom Exists (x: (pod data type?[Semantics int])): True dt int : (pod data type?[Semantics int]) End Cxx Int The identifiers with sshort refer to the corresponding items from the semantics of signed short. First we declare the size of the value representation, ..."
Abstract
-
Cited by 17 (8 self)
- Add to MetaCart
(Show Context)
Data[Semantics int] dt int exists : Axiom Exists (x: (pod data type?[Semantics int])): True dt int : (pod data type?[Semantics int]) End Cxx Int The identifiers with sshort refer to the corresponding items from the semantics of signed short. First we declare the size of the value representation, this becomes important for the unsigned integer types, see below. We define the value type Semantics int as a predicate subtype of the PVS integer type int. The axioms int longer and int contains sshort formalise the requirement that "[short int] provides at least as much storage as [int]" (3.9.1 (2)).
From L3 to seL4 What Have We Learnt in 20 Years of L4 Microkernels?
"... The L4 microkernel has undergone 20 years of use and evolution. It has an active user and developer community, and there are commercial versions which are deployed on a large scale and in safety-critical systems. In this paper we examine the lessons learnt in those 20 years about microkernel design ..."
Abstract
-
Cited by 12 (3 self)
- Add to MetaCart
(Show Context)
The L4 microkernel has undergone 20 years of use and evolution. It has an active user and developer community, and there are commercial versions which are deployed on a large scale and in safety-critical systems. In this paper we examine the lessons learnt in those 20 years about microkernel design and implementation. We revisit the L4 design papers, and examine the evolution of design and implementation from the original L4 to the latest generation of L4 kernels, especially seL4, which has pushed the L4 model furthest and was the first OS kernel to undergo a complete formal verification of its implementation as well as a sound analysis of worst-case execution times. We demonstrate that while much has changed, the fundamental principles of minimality and high IPC performance remain the main drivers of design and implementation decisions. 1
