These are some notes I took while I was taking the Advanced Operating Systems (COMP9242 19T2) at UNSW. Since the lectures cover a variety of somewhat obscure topics, I’m posting them here so I don’t forget about them later on in my career!
Disclaimer: These notes are my own, and they may not fully appreciate the intention of the lecturers or the contents of the course.
The lecture slides are Creative Commons, and they are available here: https://www.cse.unsw.edu.au/~cs9242/19/lectures.shtml
Lecture Week 1 Monday
“Introduction”
Capabilities
- Invoke a method on a capability (like an object)
CSpace and CNodes
- A CSpace represents Mapping[OID, AccessRight]
- Each CNode is an array of capability “slots”
- Capabilities: Read, Write, Execute, Grant
- Operations on Capabilities: Invoke, Copy/Mint/Grant (Duplicate super/lesser), Move/Mutate (Transfer), Delete, Revoke
IPC (Endpoints)
- More like “Cross-Address-Space Invocation”
- Endpoints: Strictly synchronous
- Receiver must be ready
- This means data is only copied once
- There is no buffering
- No asynchronous kernel buffering
- Do not use IPC for shipping data (don’t use for copy, obviously, copy-cost exists)
- It is:
- Protected procedure call
- User-initiated context switch (because it’s synchronous in lock-step)
- Endpoint, if the recipient is not highest priority and free, will queue FIFO
- Think of Endpoints as a Producer-Consumer Pipe, One-Way
- Need two endpoints for a sane two-way communication
- How to reply:
- Call automatically generates a Reply capability for the Server
- Once-use
- Reply to a separate Endpoint specially created for this Call
- Hence, two Endpoints for one Call
- Call is atomic and cannot be reproduced by Send/Receive
- No automatic creation of Reply Endpoint
- Send / Server Preemption (Higher Priority) / Receive was Preempted?!, etc.
Badges
- Maintaining session state for Endpoints without having every Server implement their own session mechanism
- A Badged Capability is Minted from the original Capability, and then gives it to a Client
- This Badged Capability identifies a consumer of the Server
Virtual Registers
- “Argument” storage for Endpoints
- Included in thread state
Notifications
- Equivalent to Binary Semaphores made using bit fields
- Can be polled (multiple, like select)
- Maps nicely to interrupts
- To alleviate receiving from Endpoint and Notification simultaneously, Notification can be received as an Endpoint through TCB_BindNotification()
Lecture Week 1 Tuesday
- Recap of similar lecture content from yesterday
Lecture Week 2 Tuesday
“Operating System Execution Models”
Note: Week 2 Monday was a public holiday
Interrupt Handling
- IRQHandler and IRQControl
- IRQControl can create IRQHandler
- Application given IRQHandler to make them device drivers
Execution Models, Threads, Coroutines
- Events
- Event loops and event handler
- Waits for events
- Only requires a single stack (no yields)
- How to handle user level code?
- A kernel timer can be one of the events (this is the scheduler)
- No blocking in kernel code
- Only works on a uniprocessor
- Coroutines
- A stack per routine
- Requires explicit yields
- Threads
- Preemptive multithreading
- Continuations
- Used in functional languages
- Much more high level than the above
- Basically an explicit context switch, but in functional languages
- Done by getting given a “switch context back to caller” function, and invoking it
- Basically just multiple return in functional languages
- Basically just Python generators
- Can be used to build (yield) where it doesn’t exist
Per-Thread Kernel Stack
- The UNIX model
- The state (e.g. per syscall) is explicitly stored by the stack
- Can postpone execution by yielding (regardless of execution model)
- Preemption is easy – just nest on the stack
Single Kernel Stack
- How is blocking handled?
- Either continuations
- Or stateless kernels
- “All it does is it makes it hard to write code” – Kevin
Lecture Week 3 Monday
“Events and Threads”
Two competing papers to guide us to choose which model to use for our own OS project.
Why Threads Are A Bad Idea
(for most purposes)
- 1995
- Threads hard to program in
- For most purposes events are better
- Only use threads when true CPU concurrency needed
- Requires
- Synchronisation
- Deadlock
- Hard to debug (data dependencies, timing dependencies)
Why Events Are A Bad Idea
(for high-concurrency servers)
- 2003
- Proposes Thread-Event duality
- No inherent problem with threads
- Benchmark user-level threads package; still fast
Lecture Week 3 Tuesday
“Caches”
Cache Indexing
- Cache lines
- Set associative lookup
- Tag | Set | Byte
- 2-way associative
- Fully associative
- No indexing, just compare tag
- Obviously very expensive to compare in parallel
- Cache associativity vs Paging
- Traditionally, the 2-bit index bit used for the cache indexing overlaps both page number bit and offset bit, so it comes from both
- Implications:
- Odd/Even of page number determines top / lower half of 2-way associative cache
- Pages fall into equivalence classes as caching is concerned
- Gives rise to an implicit notion of page colouring – any pages that have different colours cannot compete for cache
Cache Misses
- “The Four Cs”
- Compulsory miss
- First access
- Capacity miss
- Would not miss on infinite-size cache
- Conflict miss
- Would not miss on fully-associative cache
- Coherence miss
- Hardware coherence protocol
- Compulsory miss
- Cache replacement policy
- Upon replacement, dirty cache lines must be flushed
- Algorithm must be simple for speed
- Cache write policy
- Write-back / write-through
- A store that misses cache
- Write-allocate / no allocate
- (Bypass cache on write cache-miss?)
Cache Addressing Schemes
- Four possible schemes:
- Virtually-indexed, virtually-tagged (VV)
- Virtually-indexed, physically-tagged (VP)
- Physically-indexed, virtually-tagged (PV) <= Usually nonsensical
- Physically-indexed, physically-tagged (PP)
- Virtually-indexed, virtually-tagged
- Virtually-addressed cache
- Various incorrect names
- Virtual cache
- Virtual address cache
- Can operate concurrently with MMU
- Pitfalls
- Must be flushed on context switch because virtual address
- Permissions must be processed via the MMU anyway, fast translation but still need to wait for MMU
- Rarely used these days
- Virtually-indexed, physically-tagged
- Indexing concurrent with MMU
- Used for on-core L1
- Physically-indexed, physically-tagged
- Intel claims physically indexed L1 cache
- Cache size is picked so that it behaves like one
- If index bits are all within offset bits, they are invariant under translation
Cache Issues
- Structure software for cache performance
- If virtual addresses are used for indexing, then these:
- Homonyms
- Same address, different data
- May access incorrect data!
- Prevention: tag VA with ASID
- Synonyms (aliases)
- Different address, same data
- May access stale data!
- Not a problem for R/O data or I-caches
- Late write-back “Cache bomb”
- Also DMA inconsistency issues kind of like synonym issues
- Fixes
- Flush cache – doesn’t fix aliasing within address space
- Detect synonyms in either hardware or software
- In other words, hardware restrict VM mapping so synonyms map to the same cache set
- Rely on hardware 😛
Write Buffer
- Stores take time to complete
- Avoid stalling the CPU by buffering writes FIFO before it hits the cache
- Gives rise to weak memory ordering
- Local CPU can grab things out of local write-buffer, remote CPUs may not see this write-buffer
Translation Lookaside Buffer
- TLB sizes have remained relatively similar historically
Lecture Week 4 Monday
“Virtualisation”
Virtual Machine
- “Efficient, isolated duplicate of a real machine”
- Duplicate
- Should behave almost identically, except for resources or timing differences
- Isolated
- Multi homed without interference
- Efficient
- Run on bare metal
- Hypervisor / Virtual Machine Monitor
- Interchangeable terms
- Software layer implementing the virtual machine
Types of Virtualisation
- Platform (Type 1) VM
- System (Type 2) VM
- OS-level VM
- Programming Language VM
- We’ll mostly look at Type 1, and some of Type 2
Why VMs?
- First designed to multiplex the hardware before true time-sharing OS
- Then reborn to solve the same problem, poor resource isolation by mainstream OS
- Use case: Cloud computing
- Many benefits
- Type 2 has very high exception handling cost (e.g. signal handling)
Virtualisation Mechanics
- Instruction Emulation
- Trap-and-Emulate approach
- Expensive (i.e. trap frame)
- But few instructions trap, so cost is amortised
- Hypercalls
- Hypervisor-specific ISA?
- Trap-and-Emulate requires specific host ISA support
- Privileged and Sensitive Instructions
- T&E virtualisable = All sensitive instructions are privileged
- “Impure” virtualisation if T&E not supported
- Binary translation of privileged instructions
- Replace with trap “hypercall”
- Insert in-line emulation for some others
- Binary translation of privileged instructions
- Trap-and-Emulate approach
Virtualisation Address Translation
- Two levels of address translation
- Introduce a notion of “Guest Physical Memory”
- But, must be implemented with single MMU translation
- 1. Shadow Page Table
- Hypervisor shadows (keeps a copy of) real guest page table
- VMM resolves two page table layers at once
- Only works on hardware-loaded page tables so the VMM can find out where the guest’s page table base pointer is
- (Of course, this instruction is privileged so it’s trapped)
- We write-protect the guest page table, so we trap every write to it
- Shadow PT has TLB semantics (weak consistency)
- Only gets synced at synchronisation points like a TLB
- Page fault
- TLB flush
- Only gets synced at synchronisation points like a TLB
- 2. Real Page Table
- Directly translate on every read/write to Guest PT so that it contains the actual physical mapping, but abstract so that it sees only guest-level mappings
- Instead of trapping on every read/write, do inline binary translation so we don’t trap
- Or para-virtualise, use a hypercall
Guest Self-Virtualisation
- Minimise traps by holding some virtual state inside guest
- For example, interrupt handling virtual interrupt flag
- Only if guest and VMM agree on using virtual interrupt flag
- No need to trap interrupt flag edits
Device Models
- Emulated, Split (Para-Virtualised), Passthrough
- Emulated
- Emulate device register accesses
- Very slow, because requires trapping on every device access
- If too slow, real device has time constraints, breaks abstraction
- For example, Linux does boot time speed checks
- Split Driver
- Must port drivers to hypervisor
- Low overhead
- Basically a driver RPC
- Example: Xen Dom0
- Trusted Computing Base runs “Driver OS”
- Pass Through
- Can have hardware support for I/O MMU for hardware guest separation
- Can also share hardware itself if hardware itself supports it
ARM Virtualisation Extensions
- Hyp Mode
- Configurable Traps
- Can configure the hardware to trap directly into the guest OS, instead of the hypervisor having to forward the trap to the guest OS
- Similar for x86
- Emulation support
- Because of separation of I-Cache and D-Cache, we get a compulsory cache miss upon any instruction trap
- HW decodes instruction so we don’t have to access cache
- 2-stage Translation
- Hardware walks both guest and VMM page tables
- Eliminates “Virtual TLB”
- A bit slower, even though VMM PT is shallow
- Worst case is massively slower, i.e. page fault on every single level
- But generally a good idea
- Virtual Interrupts
- System MMU (I/O MMU)
- Like an MMU for DMA
World Switch
- Intel
- VM state is <=4KiB
- VMentry / VMexit
- Hardware saves and restores
- ARM
- VM state is 488B
- Save and restore done by hypervisor
KVM
- KVM is not Type-2!
- A “Hybrid Hypervisor”
- Fundamentally a Type-1
- Works by using the fact that virtualisation privilege is orthogonal to normal ring privilege
- “Really bloody HUGE” Trusted Computing Base
- Reuse Linux drivers
Fun Things with VMs
- See Slide
Lecture Week 4 Tuesday
“Measuring and Analysing Performance”
Benchmarking in R&D
- Conservative: No regression
- Progressive: Actual improvement in important cases
- Must analyse and explain results
- Discuss model
- Hypothesis for behaviour
- Test and confirm hypothesis
- Microbenchmarks (component) and Macrobenchmarks (full system)
- Obtaining an overall score
- Absolute score rarely matters
- Compare systems relative to each other
- BUT: Arithmetic mean is meaningless for relative measures
- Use: Geometric mean – invariant under normalisation
- Benchmarking crime: Throughput degradation = overhead
- Use proper unit of figure: processing cost per unit data
Profiling
- Tool: gprof, but can’t be used inside OS
- Performance Monitoring Unit (PMU)
- Hardware-based profiling unit
- Collects certain events
- A counter that counts events
- Linux: oprof
- Mainly CPU based events
Performance Analysis
- Benchmarking crime: No indication of significance of data
- Include standard deviation
- Vary inputs, check outputs
- Writing zeros may be optimised out
- Vary data AND addresses
- Hidden parameters and mental models! Large deviation is giveaway.
- https://www.cse.unsw.edu.au/~gernot/benchmarking-crimes.html
Understanding Performance
- Some benchmarking tables and how to interpret them
Lecture Week 5 Monday
“Real-Time Systems”
Real-Time Tasks
- Event, Jitter, Release, Processing Time, Completion, Deadline
- Deadlines are frequently implicit – process things without missing an event
- Safety-critical: Failure; Death, serious injury
- Mission-critical: Failure; Massive financial damage
Weakly-Hard Real
- Where occasional deadline misses can be occasionally compensated
- A cost of a miss doesn’t go to infinity (i.e. recoverable or probabilistically ok)
- But; What does it mean to have a probability? Is it safe to base it on observed times?
- To Gernot, probabilistic real time is bogus because you usually can’t assign real probabilities
Firm Real-Time Systems
- Typically represented by a gain function (lower latency is advantageous), not a cost function (upon failure)
- For example, trading systems
Soft Real-Time
- Tail latencies
- For example, cloud providers, web services, video streaming
- Characterised by Quality of Service
- “Bounded tardiness” – just some term
Best-Effort
- In practice, duration is rarely totally irrelevant
What does it mean for OS?
- Designed to support real-time
- Fast and predictable interrupt handling
- Main duty is scheduling tasks to meet their deadline
- RT vs OS terminology
- Task vs Thread
- Job vs Event
- Problem is harder than bin-packing; because time is not fungible
- Feasible – there is a known algorithm that will schedule them
- Optimal – can schedule any task that is feasible
On-Line RT Scheduling
- Execution order is not predetermined
- Fixed priority scheduling – L4
- Scheduler always runs highest-priority thread
- Will preempt to run a higher-priority thread
- Rate Monotonic Priority Assignment (RMPA)
- Period, Rate, Priority, Utilisation
- Schedulability test guarantee
- For infinity, if utilisation is <= 69.3
- Sufficient but not necessary (can get “lucky”)
- RMPA is optimal for FPS
- Dynamic priorities: Earliest Deadline First
- Also schedulability test guarantee of U <=100
- Assumption: All the tasks are completely independent of each other
- Not recommended by Gernot
Resource Sharing
- Locking vs Delegation
- RT Terminology: Resource Server
- How to implement delegation for seL4
- seL4 IPC for single-core (Hoare-style monitor), notifications for multi-core (semaphores)
- Problem: Priority Inversion
- May have multiple layers of dependencies, if high-priority thread depends on low-priority
- How do you minimise it?
- Solution 1: Priority inheritance (“Helping”)
- Do what’s most beneficial for highest-priority task
- Bump priority of subtasks to the priority of the waiting thread
- Transitive inheritance => Possibility for long blocking chains
- Potential deadlocks
- Messy, easy to get wrong for safety-critical systems
- Solution 2: (Immediate) Priority Ceiling Protocol (IPCP)
- Predefined priority associated with a shared resource (lock)
- Make thread exit critical section as soon as possible (use “ceiling” priority)
- Each task must declare resources at admission time
- In a real time system, this is okay to require
- Easy to enforce with capabilities
- FPS: bump priority, EDF: floor of deadlines
Scheduling Overloaded RT Systems
- Cannot trust everything to obey declared worst-case execution time
- Which job will miss the deadline?
- Fixed Priority Scheduling: Loser is well-defined
- Priority and Criticality, in FPS the two are the same
- In FPS, priority is implicit so there’s no notion of criticality, so loser is not well-defined
Mixed-Criticality Systems
- High priority but low criticality tasks (device drivers)
- Low priority but high criticality tasks (control loops)
Lecture Week 5 Tuesday
“Microkernel Design & Implementation”
“If you find yourself hand waving a lot this is a sure sign you’re missing a diagram” – Gernot
“Security is no excuse for bad performance” – Gernot
Traditional L4 and seL4 Improvements
- Recursive address spaces
- If you have a mapping, you can just give it to any other process through IPC
- Some issues exist with this model apparently
- Thread IDs as IPC addressing
- seL4: Mailbox model with badges; communication partners are anonymous
- Also more useful to have badges, which has more flexible semantics
- Traditional: Forces you to have a load balancer thread, which complicates programming
- seL4: Transfer endpoint capability upfront for load balancing, get them back later, like a kernel-managed queue for workers
- Traditional: No interposing; lest violate truth of Thread ID authentication
- Long IPC
- Kernel-managed zero-copy IPC
- Page faults? Which takes ages for a microkernel…
- Very complicated
- Don’t need a kernel to have a trusted third-party with access to both processes mapping
- Timeouts
- IPC calls with timeouts
- How does a user determine the timeout values? Only really reasonable in networking
- seL4: New semantics for call/reply reduces this problem for server/client cases
- IPC Fastpath
- 1. Prologue
- 2. Identify destination
- Check caps
- 3. Get receiver TCB
- Check priority
- 4. Mark sender blocked and enqueue
- Create reply cap
- 5. Switch to receiver
- Leave Message Registers untouched
- 6. Epilogue
- Notice:
- No scheduler invocation, just direct lookup
- No time-slice donation
- Kernel runs with interrupts disabled
- No concurrency control means simpler kernel
- Easier reasoning about correctness
- Better average case
- Long-running system calls? Bad.
- Interrupt latency? Bad.
- Most protected-mode RTOS are fully preemptible
- Just save registers (trapframe) and re-enable interrupts
- According to Gernot, preemption during IPC makes the code very hard to guarantee correctness, not a good idea for high assurance environments
- It’s also very slow
- How to ensure liveliness if we don’t enable interrupts in the kernel?
- Incremental Consistency Paradigm
- To ensure liveliness, break operations down into a bunch of O(1) operations, and ensure kernel consistency afterwards, and poll for interrupts in between
- Consistency, restartable progress
- Worst-Case Execution Time Analysis
- 1. Program Binary
- 2. Control-flow graph, Micro-architecture model, Loop bounds
- 3. Analysis tool
- 4. Integer linear equations, Infeasible path (mutually exclusive paths) info
- 5. ILP solver
- 6. WCET
- ARM stopped providing WCET information…
- RISC-V implementations may supply them!
- No concurrency control means simpler kernel
- Scheduler optimisation – Lazy scheduling
- Frequent blocking and unblocking in microkernel model
- Don’t want to modify scheduler queue at every IPC
- Leave blocked threads in ready queue, leave for scheduler to clean up
- Worst case unbounded scheduler operation! O(n) for threads in system
- Not the way to do real time
- Now uses Benno Scheduling
- Scheduler optimisation – Direct Process Switch
- Idea: Don’t invoke scheduler if you know who’ll be chosen i.e. if receiver priority has higher priority
- Implication: Because scheduler doesn’t run, implies time slice donation – receiver runs on sender’s time slice
- Solution: Time represented by capabilities
- Scheduling context capability
- Represents a right to use time
- T: Period
- C: Budget <= T
- Represents basic unit for mixed criticality
- Problem has been bothering Gernot for 20 years
- Notion of a passive server
- No scheduling context
- Runs on donated scheduling context (uses up client’s scheduling context)
- So-called Migrating Thread Model
- Problem: Timeslice runs out while server is running, what is the next behaviour?
- Passive server may be blocked due to a low criticality consumer’s timeslice which will then block the high criticality consumer
- Policy free method for solving this in seL4: raise an exception and let the user handle it
- Timeout exceptions – policy-free mechanism for dealing with budget depletion
- Possible policies
- Emergency budget to leave critical section
- Rollback, it’s client’s problem
- SOSP ‘93 and SOSP ‘95, two papers that describe tricks and design decisions in the original L4 kernel
- Some kept, some remain
Reflecting on Changes
- Original L4 shortcomings
- Insufficient and impractical resource control
- Over-optimised and needlessly complex IPC abstraction
- Completes a 30 year dream for a verification of OS
Lecture Week 6 Monday
“Security Fundamentals”
Security Design
- Saltzer & Schroeder [SOSP ‘73, CACM ‘74]
- Economy of mechanism
- Fail-safe defaults
- Complete mediation – check everything
- Open design – not security by obscurity
- Separation of privilege
- Least privilege – principle of least authority
- Least common mechanism
- Psychological acceptability – if it’s hard to use it won’t be
Mechanisms & Policies
- Access control is the central domain of operating systems
- Confidentiality – prevent read of Hi
- Integrity – prevent tampering of Hi
- Availability
Risk Management
- Mitigate (security mechanisms) or Transfer (insurance)
Covert Channels
- Intentional leakage
- Storage channel
- Use attribute of shared resource i.e. filename contains secrets
- Timing channel
- Temporal order of use of shared resource
- Other physical channels
- Power draw etc.
- Covert channels vs side channels
- Covert channels are intentional
- Side channels are unintentional
Access-Control Principles
- Representing protection state
- Think of a matrix
- (Vertical) Access control list – list for everyone, gets big
- Compacted – UNIX only stores for user,group,everyone
- (Horizontal) Capabilities
- Capability
- (Reference + Access Token) Combined
- Implies a naming system to reference it
- Capabilities must be unforge-able
- Either protected by hardware (tagged memory protection)
- Or protected by sparseness (high number of bits)
- Or privileged kernel data (e.g kernel can verify through a tree)
- ACLs & Capabilities – Duals of the access control matrix
Differences of ACLs and Capabilities
- Naming and name spaces
- ACLs: Objects referenced by name; access is orthogonal to reference
- Capabilities: Caps imply name;
- Problem: Confused deputy
- Imagine the gcc log file problem
- Problem arises due to ambient authority
- Fundamentally unsolvable with ACLs
- Problem: Confused deputy with caps
- No ambient authority
- Alice can’t even pass the logfile
- Meta-permissions
- ACLs require meta-permissions to modify ACLs
- Caps use delegation and revoking, built-in fine-grained meta-access
- Caps: Right to delegate vs right to use
- Process creation
- ACLs: Child inherits all rights – opposite of least privilege
- Caps: Child has no caps by default – defaults to least privilege
- Auditing of protection state
- “Who has rights to this thing?”
- Easy with ACLs
- Hard to solve with sparse caps
- seL4: CSpace makes this possible
- “What rights does this thing have?”
- Caps: Just look at caps
- ACLs: Close to impossible, need full scan
- “Who has rights to this thing?”
- Interposing access
- Caps are opaque, can masquerade
- Transparent virtualisation of access (e.g. containers)
- “Security Monitor”
- Example: Lazy object creation
- Objects can be lazy references
- Server can create the corresponding state on first use
Mandatory vs Discretionary Access Control
- Discretionary: As owner of file, I can change access
- Mandatory: System administrator defines policy, owner cannot change
- Bell & LaPadula (BLP) Model [1966]
- Modelled on national security classification
- Classification – clearances
- Orthogonal compartments (need-to-know)
- Rules:
- No read up (obviously)
- No write down (because equivalent to down reading up)
- Example: Military, WTF, can’t give orders down?!
- In practice, need exceptions for de-classification
- Attestation for permissions to send down
- Trend to over-classify, not good
- Biba model – similar, but enforces integrity
- Now, don’t think of secrets but think of data corruption
- No read down
- No write up
- Don’t want data flowing up, this time
- Put them together and…..
- Now no information can flow in any direction
- Strong *-Property (Star)
- Allow read down, by trusting high integrity to be responsible to not corrupt itself
- Now no information can flow in any direction
- Boebert’s Attack
- Famous argument against capabilities
- “On the inability of an unmodified capability machine to enforce the Star-property”
- Doesn’t work on seL4 because caps are orthogonal to data
- Need both grant right of the cap and on the IPC (and Hi-integrity will deny this)
- Need mechanism to limit cap propagation: take-grant model on seL4
- Decidability
- Given initial state, can it ever reach an unsafe state?
Lecture Week 6 Tuesday
“Security: Information Leakage”
Causes of Timing Channels
- Algorithmic (e.g. hashing)
- Resource contention (e.g. caches)
- Stateless: e.g. interconnect bus speed
- Limitations:
- Only during concurrent access
- Generally reveals no data
- Requires intentional actor to be used as a covert channel
- Not really possible to use as side channel
- Stateful:
- CPU Caches
- Branch predictor
- These are all capacity-limited resources
- Stateless: e.g. interconnect bus speed
Timing Channels
- Prime and Probe
- Challenge: Access times
- L1 is very high bandwidth
- Longer to traverse cache for upper level caches
- Approach:
- Probe a few cache lines at a time, find “interesting sets”
- E.g. look for `square` code from GnuPG
- Can read out bits of exponent! [Liu S&P’15]
- Prevention:
- Spatial & temporal partitioning
- Spatial: Cache colouring!
- Temporal: Flush cache!
- However: Cannot spatially partition on-core cache (L1 cache)
- L1 usually has 1 colour
- (if virtually-indexed)
- Cache flushing for L1 has little effect cross-domain because the cache would be trashed anyway (for the other domain)
- However: Flushing useless for multicore / SMT
Evaluating Intra-Core Channels
- Methodology: Channel Matrix
- Difference when moving horizontally (changing set size) means channel
- Reference: https://ts.data61.csiro.au/publications/csiro_full_text//Ge_YCH_19.pdf
- I-Cache Channel (even with flush) demonstration with channel matrix
- Branch-History-Buffer (BHB)
- 1-bit channel
- Means: Unclosable channel / impossible for temporal protection even with flushing
Intel Spectre Defences
- “Indirect Branch Control”
- Tries to close BHB channel by flushing
Speculating Disaster
- Instruction Pipelining
- Problem: Dependencies
- Out-of-Order Execution
- Includes speculative branching
- Problem: Speculation pollutes cache
Meltdown
- Fix: Trapping will now switch page tables to a kernel page table, expensive
- Secrets leak because kernel address space contains physical memory, leaks every single userspace program
Spectre: Branch Prediction (Variant 1)
- Speculatively ignore array reference protection via if statements, this pollutes the cache
- Invalid array index can leak any address in program
- ISA has no contract on microarchitectural behaviour
- We need a new hardware-software contract!
Lecture Week 7 Monday
“Linux, Locking, Many Processors”
(No lecture Week 7 Tuesday)
Some History
- John Lions, taught UNIX at UNSW
- A lot of people got their introduction to UNIX with John Lions annotated source code
- BSD, Paged Virtual Memory 1979, etc.
- UUCP, Unix-to-Unix Copy, MHSnet using phone calls (lol)
- Process model, fork exec, memory sharing
- Dup, Open file descriptor, inode, CLOSE_ON_EXEC
- Inode model for directories
- Namei
- Linux extra keywords, __init, __exit, __percpu, __user, __rcu, __kernel, __iomem, __acquires, __releases, __bitwise
- Other Linux C dialect / abstractions
- Linux memory consistency model
- Linux has its own memory model that abstracts the hardware memory model (i.e. loads, fences)
Scheduling
- Dispatch O(1)
- Pretty fair
- Good interactive response
- Topology-aware (NUMA)
- O(log n) scheduling
- Currently CFS – Completely Fair Scheduler
- Dual Entitlement Scheduler
- Each thread given entitlement (CPU time)
- Deserving and Undeserving queue
Memory Management
- Struct page
- Other various structs
- How Linux handles page faults
Driver interface
- Enumerable and non-enumerable
- Who are you? Or can’t find out
- Device tree for userspace
Containers
- Namespace isolation
- Lecturer did research on this in the 70s, thanks to a fair share scheduler developed here, sold to Cray, then to Sun
- Hierarchical scheduling competition
- (Sounds like carving out a scheduling capability…?)
Scalability
- Performance cliff at high loads due to coherence delay
- Amdahl’s law and Gunther’s law
- Doing without locks
- Sequence locks, lots of readers, few writers
- Read Copy Update
Lecture Week 8 Monday
“Multicore and Memory Ordering”
Types of Multiprocessors
- Uniform Memory Access
- Processors with local caches
- Cache coherency!
- Unit of consistency is the cache line
- Sequential Consistency
- Result should be as if all the processors were executed in some sequential order
- In other words, all reads see the latest write
- Early solution: Write-through caches
- CPU snoops bus activity to invalidate stale lines
- Downside:
- All writes go to bus
- Non-Uniform Memory Access
- Provides high local bandwidth and reduces bus contention
- Other options like MESI (Modified Exclusive Share and Invalidate)
- Directory-based coherence
- For really big multiprocessing where broadcast bandwidth for MESI is not adequate
Memory Ordering
- Example: tail of a critical section
- Memory can’t be re-ordered or else it’d be outside the critical section!
- Strong Ordering
- Note: https://preshing.com/20120930/weak-vs-strong-memory-models/
- Each CPU keeps itself consistent, but how is it viewed by others?
- Example: Write buffers
- x86: Total Store Ordering, stores are FIFO
- Problem: CPU 0 writes to write buffer, CPU 1 reads from cache, inconsistency! Apparent reordering of instructions!
- Memory fences, effectively drains write buffer
- ARM: Partial Store Order
- Existing primitives will have appropriate fences in place
- In practice, correctly synchronised code can ignore memory model
- But if you write racey code (e.g. lock free algorithms) must use fences and barriers
- x86 is nice: just stores reordered after loads
- ARM is not so nice
Kernel Locking
- Trylock; prone to livelock
- Different types of locks
- Spinlocks
Lecture Week 8 Tuesday
Continued…
- Common spin lock
- Beware of bus arbitration!
- Bad because requires disabling interrupts for critical paths
- Test and test and set is not a panacea
- Kinda falls off after 7th processor
- Implementation of MCS Locks
- Buuut… MCS locks on ARM MPCore?
- TT&S low overhead on low contention
- MCS grows less on high contention
- Dynamically switch between TT&S and MCS depending on contention level
- Case study: Linux performance collapse
- Collapse for short sections
- Non-scalable lock
- Cache coherence protocol
- MCS locks are the best! 🙂
Lecture Week 9 Monday
“Formal Verification and seL4”
Assurance and Verification
- Common Criteria
- Semi-Formal = use some form of formal language, not just English, not necessarily mathematical
- Formal = mathematical
- Protection Profiles
- Which OS’s have been evaluated?
- Mac OS X – EAL 3
- Windows and RHEL – EAL 4
- Just about anything EAL 4 a.k.a. Not a lot
- 2008 Green Hills INTEGRITY – EAL 6
- “While the system does not certify common criteria at any evaluation level” says the certification paper, WTF?!
- 2019 Prove & Run PROVENCORE – EAL 7
- Green Hills tried One Box One Wire project for commodity hardware VM isolation, NSA, March 2019 said: SKPP validation for commodity hardware platforms infeasible due to complexity. NSA subsequently discontinued certifying >=EAL5
- Common Criteria – a very expensive way to prove nothing – $1000 per line of code
- Too much focus on development process
- Common Criteria – Effectively dead in 5-Eyes defence
Formal Verification
- Started a long time ago, over-promised and under-delivered
- Two approaches
- Abstract Interpretation / Model Checking
- Check a model for certain properties
- Unsoundness – has false positives and false negatives
- Suffers state-space explosion
- Scales to large code bases
- Doesn’t actually prove anything
- Theorem Proving
- Can deal with large state spaces
- Requires refinement property (can be modelled in mathematics)
- Can prove functional correctness against a formal specification
- Very labour intensive
- Note, recent work automatically proved functional correctness of simple systems using SMT solvers (model checking) [Hyperkernel, SOSP’17]
Model Checking and Linux: A Sad Story
- [Chou & al, 2001] Applied static analysis to Linux
- Device drivers are very buggy
- Linux did nothing lol, purely open source static checkers still fault
Story of seL4
- August 2009, birth of seL4
- Abstract Model < (Proof) > C Implementation
- “Under the semantics of the C language, this program has behaviour that is allowed under the functional specification”
- Means we can reason about the abstract model to verify properties
- C Implementation < (Proof) > Binary Code
- “Translation correctness”
- Isolation Properties < (Proof) > Abstract Model
- “Isolation Properties”
- Also, “Worst-case Execution Time”, never been done for protected O
- Initially, had Haskell between AM and C
- Kernel never fails, behaviour is always well-defined:
- Assertions never fail
- Will never de-ref null pointer
- Will never access array out of bounds
- Cannot be subverted by mis-formed input
- All syscall terminate, objects don’t overlap, access control is decidable
- CompCert – done in France, we can’t use because they use a different mathematical framework and we can’t easily show that us and them are equivalent (axioms, lemmas)
- Being able to use gcc is also a real asset, different ISAs etc
Security Properties of seL4
- To prove confidentiality:
- Non-interference proof
- Evolution of Low does not depend on High state
- Infoflow is very strong property. To accomplish, remove non-determinism where it affects confidentiality, e.g. scheduler strictly round-robin.
- May get really hard to work with.
Verification Assumptions
- Hardware behaves as expected
- Spec matches expectations
- Proof checker is correct
Lecture Week 9 Tuesday
“Local OS Research”
“Use of a monolithic OS in security- or safety-critical scenarios is professional malpractice!” – Gernot
Quantifying OS Design Security Impact
- Analyse Linux CVEs
- If it were a microkernel, is it in the TCB?
- Not in TCB, attack defeated
- Else, try verification, attack defeated
- DoS, strongly mitigated
- Integrity or confidentiality violation, weakly mitigated (i.e. not full system compromise)
- Full system compromise, i.e. firmware reflush, I2C bus hijack
Cogent
- Code and proof co-generation to C
- Not turing complete
Time Protection
- Equivalent of memory protection but for time
- i.e. timing channels
- Channel through kernel code (i.e. shared kernel code I-cache)
- Performance impact of cache flushing and colouring
Hardware Redundancy / Lockstep
- Hardware lockstep vs Software lockstep
- YanYan student – RCoE Redundant Co-Execution
- Instead of just software, the kernel itself is now replicated (similar to how it’s necessary for Resource Manager for time protection), they vote between each other
- Two variants:
- Loosely-coupled
- Don’t synchronise too hard, only when kernel entry-exit
- Low overhead, but can’t deal with racy code, threads
- Closely-coupled
- Sync on instruction
- Precise preemptions
- How closely-coupled works:
- Leading replica? Wait for barrier
- Trailing replica? Set breakpoint where leading replica is waiting, wait for barrier
- Synced
- Loosely-coupled
Real World Use
- DARPA HACMS
- CAmkES
- Component middleware
- Higher level abstractions of low-level seL4 constructs
- Cross Domain Desktop Compositor
Lecture Week 10 Monday
“Multiprocessor OS”
Scalability
- Serialisation
- By the OS
- Locking introduces serialisation
- Also atomic operations and cache coherency
- Memory access can stall
- Cache-related serialisation
- False sharing – unrelated data share the same cache line accessed from different processors – cache coherence traffic and delay
- Cache line bouncing
Multiprocessor Hardware
- Contemporary
- ARM, big.LITTLE, Nehalem
- Interconnects
- Cluster on Die
- Tile architecture
- Rings
Optimisation for Scalability
- Reduce critical sections
- Fine grained locking or lock free data structures
- (Lock data not code)
- Reduce false sharing (pad to cache lines)
- Reduce cache line bouncing
- Reduce cache misses; affinity scheduling
OS Design Guidelines for MP
- Avoid shared data
- Explicit communication (regain control over communication costs)
- Reduce synchronisation
- Allocate and schedule for locality
- Uniprocessor performance vs scalability
Approaches for MP
- Divide and conquer
- Just use them as independent bits
- Virtualisation
- Exokernel
- Reduced sharing
- Brute force and heroic effort (fixing them one by one)
- By design
- No sharing
- Distributed system, do extra work to share
Space-Time Partitioning
- Tessellation OS
- Gang Scheduling
- Schedule all threads of a process in one scheduling interval
K42: Clustered Objects
- Globally valid object reference, resolves to processor local representative
- Controlled introduction of locality
- Controlled trade-off between synchronise at write or synchronise at read
Corey / Linux Brute Force
- Profiling Linux and achieved speedup
- Applied lessons from previous research
- Sloppy counters
- Per-core data structs
- Fine grained lock, lock free
- Cache lines
- How do we know if a system is scalable? Is there some fundamental blocker?
- How do you really know without infinite benchmarks?
- Is the OS API a potential bottleneck?
- Scalable Commutativity Rule
- Can’t tell which order the operations were run
- Counterexample: lowest available file descriptor
FlexSC
- Async syscall, batch syscalls
Barrelfish
- No sharing
- Message passing
Michael Yoo 