RedLeaf: Isolation and Communication in a Safe Operating System (presentation slides)

RedLeaf: Isolation and Communication in a Safe Operating System
By Narayanan et al.
Presented by Alex Appel
Note: Slides adapted from the OSDI '20 presentation

Agenda
- Introduction/Background
- RedLeaf Implementation
- RedLeaf Evaluation
- Conclusion
- Questions

Isolation in Operating Systems
- Isolation of kernel subsystems is a critical mechanism
- Systems remained monolithic: isolation was expensive
- Hardware isolation
- Language-based isolation

Traditional Safe Languages vs. Rust

Language-based Isolation: Rust
- Other projects mostly use Rust as a drop-in replacement for C
- Numerous possibilities:
  - Fault isolation
  - Transparent device-driver recovery
  - Safe kernel extensions
  - Fine-grained capability-based access control

Fault Isolation in Language-Based Systems
- Unfortunately, built-in language mechanisms alone are not sufficient
  - A crash of a single component could leave the entire system in a corrupted state
- Need a mechanism that isolates faults
- Provide a way to terminate a faulting or misbehaving computation, leaving the system in a clean state:
  1) Deallocate all resources that were in use by the subsystem
  2) Preserve the objects that were allocated by the subsystem but then passed to another subsystem
  3) Ensure that all future invocations do not violate safety or block the caller

RedLeaf Fault Isolation
- A crash occurs when one of the threads that enters the domain panics
- The fault is isolated if:
  1) We can unwind all threads running inside the crashing domain to the domain entry point and return an error to the caller
  2) Subsequent attempts to invoke the domain return errors but do not violate safety guarantees or result in panics
  3) All resources of the crashed domain can be safely deallocated, and we can reclaim all resources owned by the domain without leaks
  4) Threads in other domains continue execution, and can continue accessing objects that were allocated by the crashed domain but were moved to other domains before the crash

RedLeaf Key Principles
- Heap Isolation: since no other domains hold pointers into the private heap of a crashing domain, it's safe to deallocate the entire heap
- Exchangeable Types: objects allocated on the shared heap cannot have pointers into private domain heaps, but can have references to other objects on the shared heap
- Ownership Tracking: keep track of ownership for all objects on the shared heap
- Interface Validation: allow domain authors to define custom interfaces while retaining isolation
- Cross-Domain Call Proxying: all cross-domain invocations are mediated with invocation proxies
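The following Rust program is an added example (it is not RedLeaf's code and does not use RedLeaf's RRef types, per-domain allocators or generated proxies) that models the four fault-isolation conditions and the heap-isolation, ownership-tracking and call-proxying principles from the two slides above in a single-threaded toy. The names `SharedHeap`, `Domain`, `proxy_call` and `scenario` are assumed for the illustration, and `std::panic::catch_unwind` stands in for RedLeaf's own unwinding to the domain entry point. The scenario is constructed: a driver domain serves one call, hands one shared object to its caller, then panics on the next call.

```rust
use std::collections::HashMap;
use std::panic::{self, AssertUnwindSafe};

/// Isolation-domain id and shared-heap object id (simplified, constructed model).
pub type DomainId = u32;
pub type ObjId = u64;

/// Crashed: the callee panicked during this call and is now marked crashed.
/// Unavailable: the callee had already crashed; the call was refused without running.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum CallError { Crashed, Unavailable }

/// Shared heap with ownership tracking: each object records its current owner,
/// so a crash can reclaim exactly what the dead domain still held.
#[derive(Default)]
pub struct SharedHeap {
    next_id: ObjId,
    objects: HashMap<ObjId, (DomainId, Vec<u8>)>,
}

impl SharedHeap {
    pub fn alloc(&mut self, owner: DomainId, data: Vec<u8>) -> ObjId {
        let id = self.next_id;
        self.next_id += 1;
        self.objects.insert(id, (owner, data));
        id
    }
    /// Move ownership to another domain (models passing an object across a call).
    pub fn transfer(&mut self, id: ObjId, new_owner: DomainId) {
        if let Some(e) = self.objects.get_mut(&id) { e.0 = new_owner; }
    }
    pub fn owner(&self, id: ObjId) -> Option<DomainId> { self.objects.get(&id).map(|e| e.0) }
    /// Drop every object still owned by `crashed`; objects moved elsewhere before
    /// the crash are untouched. Returns how many objects were freed.
    pub fn reclaim(&mut self, crashed: DomainId) -> usize {
        let before = self.objects.len();
        self.objects.retain(|_, v| v.0 != crashed);
        before - self.objects.len()
    }
    pub fn len(&self) -> usize { self.objects.len() }
}

/// A domain: a private heap (modelled as owned buffers) plus a crashed flag.
pub struct Domain {
    pub id: DomainId,
    private_heap: Vec<Vec<u8>>,
    crashed: bool,
}

impl Domain {
    pub fn new(id: DomainId) -> Self { Domain { id, private_heap: Vec::new(), crashed: false } }
    pub fn private_bytes(&self) -> usize { self.private_heap.iter().map(|b| b.len()).sum() }
}

/// Invocation proxy: the only path into `dom`. It refuses calls into a crashed
/// domain, unwinds a panic back to this entry point, and on a fresh crash frees
/// the private heap (heap isolation) and reclaims the domain's shared objects
/// (ownership tracking) before returning an error to the caller.
pub fn proxy_call<R>(
    dom: &mut Domain,
    heap: &mut SharedHeap,
    body: impl FnOnce(&mut Domain, &mut SharedHeap) -> R,
) -> Result<R, CallError> {
    if dom.crashed {
        return Err(CallError::Unavailable);
    }
    match panic::catch_unwind(AssertUnwindSafe(|| body(dom, heap))) {
        Ok(r) => Ok(r),
        Err(_) => {
            dom.crashed = true;
            dom.private_heap.clear(); // safe: no other domain holds pointers in here
            heap.reclaim(dom.id);
            Err(CallError::Crashed)
        }
    }
}

/// Constructed scenario. Returns (call 1, call 2, call 3, surviving shared
/// objects, owner of the handed-out object, bytes left on the driver's private heap).
pub fn scenario() -> (Result<ObjId, CallError>, Result<(), CallError>, Result<(), CallError>,
                      usize, Option<DomainId>, usize) {
    const CALLER: DomainId = 1;
    let mut heap = SharedHeap::default();
    let mut driver = Domain::new(2);
    // Call 1: allocate private and shared state, move one shared object to the caller.
    let call1 = proxy_call(&mut driver, &mut heap, |d, h| {
        d.private_heap.push(vec![0u8; 64]);
        let _kept = h.alloc(d.id, vec![1, 2, 3]);
        let handed_out = h.alloc(d.id, vec![4, 5, 6]);
        h.transfer(handed_out, CALLER);
        handed_out
    });
    // Call 2: the driver hits a constructed bug and panics inside the domain.
    let call2: Result<(), CallError> = proxy_call(&mut driver, &mut heap, |d, _| {
        d.private_heap.push(vec![0u8; 16]);
        panic!("constructed driver bug");
    });
    // Call 3: the crashed domain refuses further invocations without panicking.
    let call3: Result<(), CallError> = proxy_call(&mut driver, &mut heap, |_, _| ());
    let moved_owner = call1.ok().and_then(|id| heap.owner(id));
    (call1, call2, call3, heap.len(), moved_owner, driver.private_bytes())
}

fn main() {
    panic::set_hook(Box::new(|_| {})); // silence the constructed panic's message
    println!("{:?}", scenario());
}
```

After the crash, the driver's private heap is empty, the shared object it still owned is gone, the object it had moved to the caller survives with the caller as owner, and the third call returns an error instead of re-entering the dead domain; that is conditions 1 through 4 of the slide in miniature, with the proxy as the single enforcement point.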

Evaluation: System Setup
- 2 x Intel E5-2660 v3 10-core CPUs at 2.60 GHz (Haswell EP)
- Disabled: Hyper-Threading, Turbo Boost, CPU idle states
- Linux and DPDK benchmarks run on version 4.8.4
- RedLeaf benchmarks run on bare metal

Evaluation: Language-Based Isolation vs. Hardware Mechanisms

Evaluation: Language Overheads (C vs Rust)

Evaluation: Ixgbe Driver Comparison

Evaluation: Application Benchmark (Maglev Load Balancer)

Conclusion
- Heap Isolation, Exchangeable Types, Ownership Tracking, Interface Validation, Cross-Domain Call Proxying
- Provides a collection of mechanisms for enabling isolation
- A step forward in enabling future system architectures: secure kernel extensions, fine-grained access control, transparent recovery, etc.

Resources
- Paper: RedLeaf: Isolation and Communication in a Safe Operating System
- RedLeaf site: https://mars-research.github.io/redleaf
- RedLeaf source code: https://github.com/mars-research/redleaf

