Cross-Checking Semantic Correctness: the Case of Finding File System Bugs


Paper #171

Abstract

Today, systems software is too complex to be bug-free. To find bugs in systems software, developers often rely on code checkers, like Sparse in Linux. However, the capability of existing tools used in commodity, large-scale systems is limited to finding only shallow bugs that tend to be introduced by the simple mistakes of programmers and require no deep understanding of code. Unfortunately, the majority of bugs, and the most difficult-to-find ones, are semantic bugs, which violate high-level rules or invariants (e.g., missing a permission check). Thus, it is difficult for code-checking tools that lack an understanding of the programmer's true intention to reason about semantic correctness.

To solve this problem, we present JUXTA, a tool that automatically infers high-level semantics directly from source code. The key idea of JUXTA is to compare and contrast multiple existing implementations that obey latent yet implicit high-level semantics. For example, the implementation of open() at the file system layer is expected to handle an out-of-space error of the disk, regardless of implementation. We have applied JUXTA to 54 file systems in the stock Linux kernel (680K LoC), found 139 previously unknown semantic bugs (one bug per 4.9K LoC), and provided corresponding patches to 41 different file systems that include mature, popular file systems like ext4, btrfs, xfs and nfs. These semantic bugs are not easy to locate, as all that JUXTA found have existed for over 6.4 years on average. Not only do our empirical results look promising, but the design of JUXTA is generic (not specific to file systems) enough to be easily extended to any software that has multiple implementations, like browsers or network stacks.

1. Introduction

System software is buggy. It is often implemented in unsafe languages (e.g., C) to achieve better performance or to directly access the hardware, thereby facilitating the introduction of tedious bugs. At the same time, it is also complex. For example, Linux consists of 17 million lines of pure code and accepts around 190 commits every day.

To help this situation, researchers often use memory-safe languages in the first place. For example, Singularity [32] uses C# and Unikernel [40] uses OCaml for their OS development. However, in practice, developers usually rely on code checkers. For example, Linux has integrated static code analysis tools (e.g., Sparse) in its build process to detect common coding errors (e.g., whether system calls validate arguments that come from userspace). Other tools such as Coverity [7] and KINT [56] are able to find memory corruption and integer overflow bugs, respectively. Besides this, a large number of dynamic checkers are also available, such as kmemleak for detecting memory leaks, and AddressSanitizer [47] for finding use-after-free bugs in Linux.

Unfortunately, these tools tend to follow certain kinds of high-level rules that not only lack a deep understanding of a programmer's intentions or execution context, but also result in discovering only shallow bugs. The majority of undiscovered bugs are semantic ones that violate high-level rules or invariants. According to recent surveys of software bugs and patches, over 50% of bugs in Linux file systems are semantic bugs [39] (e.g., incorrectly updating a file's timestamps), and many tools used in practice are ineffective in detecting semantic vulnerabilities [14] (e.g., missing a permission check). Without any domain-specific knowledge, it is highly unlikely that a tool can reason about the correctness or incorrectness of code and discover such bugs.

In this regard, a large body of research has been proposed to check and enforce semantic or system rules, which we broadly classify into three categories: model checking, formal proof, and automatic testing. A common requirement for these techniques is that developers must manually provide the correct semantics of the code for checking: models in model checking and proofs in formal proofs. Unfortunately, creating such semantics is difficult, error-prone, and virtually infeasible for commodity systems like Linux.

To solve this problem, we present JUXTA, a tool that automatically infers high-level semantics from source code. The key intuition of our approach is that different implementations of the same functionality should obey the same system rules or semantics. Therefore, we can derive latent semantics by comparing and contrasting these implementations. In particular, we have applied JUXTA to 54 file system implementations in stock Linux, which consist of 680K LoC in total. We found 139 previously unknown semantic bugs (one bug per 4.9K LoC), and provided corresponding patches to 41 different file systems, including mature and widely adopted file systems like ext4, btrfs, xfs and nfs. We would like to emphasize that the semantic bugs JUXTA found are difficult to find, as they have existed for over 6.4 years on average; over 30 bugs were introduced more than 10 years ago.

Challenges. The main challenge in comparing multiple file system implementations at once stems from the fact that all of the file systems implement their own logic (e.g., features and disk layout), which differs dramatically from one to another, yet implicitly follow certain high-level semantics (e.g., they are expected to check file system permissions when opening a file). More importantly, these high-level semantics are deeply convoluted in their code in one way or another, without any explicit, common specification. Instead of directly comparing all of the file system implementations, we devised two statistical models that properly capture common semantics and remain tolerant of the specific implementation of each file system; in other words, JUXTA identifies deviant behavior by deriving common semantics shared among multiple different software implementations.

Contributions. We have made the following contributions:

• We have found 139 previously unknown semantic bugs in 41 different file systems in the stock Linux kernel. We have made and submitted corresponding patches to fix the bugs that we found. Patches for 58 bugs are already applied either in a testing branch or in mainline Linux.

• Our idea and design of inferring latent semantics by comparing and contrasting multiple implementations. In particular, we devise two statistical comparison schemes that can compare multiple seemingly different implementations at the code level.

• An open source tool, JUXTA, and its pre-processed database, which will facilitate other developers' ability to easily build their own checkers on top of it. We have made eight checkers as an example: a semantic comparator, a specification/interface generator, an external APIs checker, and a lock pattern checker.

The rest of this paper is organized as follows. §2 motivates JUXTA's approach with a case study. §3 overviews its workflow. §4 describes JUXTA's design. §5 shows various checkers built on top of JUXTA. §6 shows its implementation. §7 explains the bugs we found. §8 discusses our potential applications. §9

2. Case Study

Linux provides an abstraction layer, called the virtual file system (VFS). The Linux VFS defines an interface between a file system and Linux, which can be viewed as an implicit specification that all file systems should obey to support Linux. To derive this latent specification from the existing file systems, JUXTA compares the source code of file systems starting from these VFS interfaces. The VFS is rather complex; it consists of 15 common operation tables (e.g., super_operations, inode_operations) that comprise over 170 functions. In this section, we describe three interesting cases (and bugs) that JUXTA found: rename(), write_begin/end() and fsync().

2.1 Bugs in inode.rename()

One might think that rename() is a simple system call that just changes the name of a file to another, but it has very subtle, complicated semantics. Let us consider a simple example that renames a file, "old_dir/a", to another, "new_dir/b":

    rename("old_dir/a", "new_dir/b");

Upon its successful completion, "old_dir/a" is renamed to "new_dir/b" as expected, but what about the timestamps of the involved directories and files? To precisely implement rename(), developers should specify the semantics of 12 different scenarios: three timestamps (ctime for status change, mtime for modification and atime for access) of four inodes (old_dir, new_dir, a and b). In fact, POSIX partially defines its semantics: updating ctime and mtime of the two directories, old_dir and new_dir:

    "Upon successful completion, rename() shall mark for update the last data modification and last file status change timestamps of the parent directory of each file." [51]

In the UNIX philosophy, this specification makes sense since rename() never changes the inodes of either file, a or b. But in practice, it causes serious problems, as developers believe the status (ctime) of both files is changed after rename(). For example, a popular archiving utility, tar, used to have a critical problem when performing an incremental backup (--listed-incremental). After a user renames a file a to b, tar assumes file b is already backed up and file a is deleted, as the ctime of b is not updated after the rename. Then, upon restoration, tar deletes file a, which it thinks was deleted, and never restores b, which it skipped, thereby losing the original file that the user wanted to back up [1].

However, it is hard to say this is a fault of tar, because the majority of file systems update the ctime of the new and old files after rename(), although POSIX leaves this behavior undefined. In fact, assuming that rename() updates the ctime of both files is the more reasonable belief for developers, because traditionally rename() has updated ctime when implemented with link() and unlink() [1, 51].
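To make the 12-scenario timestamp matrix concrete, here is an added Python example (written for this edit; it is not code from the paper or from the JUXTA tool) that performs the rename("old_dir/a", "new_dir/b") above on a scratch directory of the running kernel's file system and reports which of the 12 (inode, timestamp) pairs actually changed, flagging any deviation from the POSIX-required set and whether the de-facto ctime update on the renamed file occurred. The function names, the file contents and the delay parameter are my own assumptions.

```python
import os
import tempfile
import time

# The 4 inodes and 3 timestamps that rename("old_dir/a", "new_dir/b") touches:
# 4 x 3 = 12 (inode, timestamp) decisions every file system must make.
INODES = ("old_dir", "new_dir", "a", "b")
TIMESTAMPS = ("atime", "mtime", "ctime")

# POSIX only mandates ctime and mtime of the two parent directories.
POSIX_REQUIRED = frozenset({
    ("old_dir", "mtime"), ("old_dir", "ctime"),
    ("new_dir", "mtime"), ("new_dir", "ctime"),
})
# De-facto expectation (most Linux file systems, and tools such as tar):
# the renamed inode "a" also gets a fresh ctime.
DEFACTO_CTIME = ("a", "ctime")


def _stamps(st):
    """Pick the three timestamps (nanosecond resolution) out of a stat result."""
    return {"atime": st.st_atime_ns, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}


def rename_timestamp_matrix(root, delay=0.05):
    """Create old_dir/a and new_dir/b under root, rename a over b, and return a
    dict mapping each of the 12 (inode, timestamp) pairs to True if it changed."""
    old_dir = os.path.join(root, "old_dir")
    new_dir = os.path.join(root, "new_dir")
    os.mkdir(old_dir)
    os.mkdir(new_dir)
    src = os.path.join(old_dir, "a")
    dst = os.path.join(new_dir, "b")
    with open(src, "w") as f:
        f.write("payload\n")     # constructed sample content
    with open(dst, "w") as f:
        f.write("replaced\n")    # existing target; rename() replaces it

    # Keep the target's inode reachable through an open fd: after the rename it
    # is unlinked from the namespace, but fstat() still reports its timestamps.
    fd_b = os.open(dst, os.O_RDONLY)
    before = {
        "old_dir": _stamps(os.stat(old_dir)),
        "new_dir": _stamps(os.stat(new_dir)),
        "a": _stamps(os.stat(src)),
        "b": _stamps(os.fstat(fd_b)),
    }
    # Wait longer than the file system's timestamp granularity so an update is visible.
    time.sleep(delay)
    os.rename(src, dst)
    after = {
        "old_dir": _stamps(os.stat(old_dir)),
        "new_dir": _stamps(os.stat(new_dir)),
        "a": _stamps(os.stat(dst)),      # inode "a" now lives at new_dir/b
        "b": _stamps(os.fstat(fd_b)),    # the replaced inode, now unlinked
    }
    os.close(fd_b)
    return {(ino, ts): before[ino][ts] != after[ino][ts]
            for ino in INODES for ts in TIMESTAMPS}


def classify(changed):
    """Compare observed updates with the POSIX-required set and the de-facto expectation."""
    return {
        "posix_violations": sorted(p for p in POSIX_REQUIRED if not changed[p]),
        "beyond_posix": sorted(p for p, c in changed.items() if c and p not in POSIX_REQUIRED),
        "defacto_ctime_updated": changed[DEFACTO_CTIME],
    }


def run_demo(delay=0.05):
    """Run the experiment in a scratch directory and return (changed, report)."""
    with tempfile.TemporaryDirectory() as root:
        changed = rename_timestamp_matrix(root, delay)
    return changed, classify(changed)


if __name__ == "__main__":
    changed, report = run_demo()
    for (ino, ts), c in sorted(changed.items()):
        print(f"{ino:8s} {ts}: {'updated' if c else 'unchanged'}")
    print(report)
```

Run it on different mounts (ext4, btrfs, tmpfs, a network file system) to see how the "beyond_posix" set varies; a non-empty "posix_violations" list is the kind of deviation from the shared VFS semantics that the paper's comparison is designed to surface.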