11/17/2018

Slide 1: OS Guest Lecture
Xiaowan Dong, 11/15/2018

Slide 2: Protection
Goal: Ensure confidentiality + data integrity + systems availability
Protection domain = the set of accessible objects + access rights
(Figure: three protection domains, Domain 1 to Domain 3, each holding objects with rights; the objects shown are File A [RW], File B [RWX], File C [R], File D [RW], Printer 1 [W], File E [RX] and File F [R]; which domain holds which object is not recoverable from the extraction.)

Slide 3: Private Virtual Address Space
Most common memory protection mechanism in current OSs
Each process has a private virtual address space
◦ Set of accessible objects: the virtual pages that are mapped
◦ Access rights: access permissions to each virtual page
Recorded in the per-process page table
◦ Virtual-to-physical translation + access permissions
(Figure: Process A's and Process B's virtual address spaces, each with its own private page table (physical frame no. + access rights, e.g. P1 RW, P2 RW, P3 RW, P4 RW), mapping Segments 1 to 3 onto one physical address space.)

Slide 4: Challenges of Sharing Memory
Difficult to share pointer-based data structures
◦ Data may map to different virtual addresses in different address spaces


Slide 5: Challenges of Sharing Memory
Potential duplicate virtual-to-physical translation information for shared memory
◦ Page table is per-process at page granularity
◦ Single copy of the physical memory, multiple copies of the mapping info (even if identical)
(Figure: Process A's and Process B's page tables both mapping the same shared region of the physical address space.)

Slide 6: Challenges for Memory Sharing
Potential duplicate virtual-to-physical translation information for shared memory
◦ Single copy of the physical memory, multiple copies of the mapping info (even if identical)
◦ Duplication in the Translation Lookaside Buffer (TLB) and the memory hierarchy (caches, main memory)
(Figure: memory hierarchy: Processor, TLB, L1 cache, L2 cache, last-level cache, memory, page table.)

Slide 7: Challenges for Changing Access Permissions of Memory Regions
Changing access permissions of an entire memory region is expensive
◦ E.g., disabling writes to a memory region across processes
Page table is at page granularity on a per-process basis
Required to traverse each page table entry of each virtual address space
(Figure: Seg 1 shared by Process A (page table: P1 R, P2 R, P3 R, ...) and Process B (page table: P1 RWX, P2 RWX, P3 RWX, ...); changing the segment's permissions means updating every entry in both tables.)

Slide 8
Are there any other memory protection mechanisms besides private virtual address space?


Slides 9 and 10: Outline
Single address space
◦ Domain-page model
◦ Page-group model
State-of-art memory protection mechanisms
◦ ARM protection domains
◦ Intel Memory Protection Keys

Slide 11: Single Address Space
One single virtual address space shared across processes
One virtual address is mapped to a unique physical address
Simplifies memory sharing compared to private virtual address space
Proposed in the 90s
◦ Emerging 64-bit address space
(Figure: Process A's view and Process B's view of the single virtual address space, with Seg 1 and Seg 2 each mapped once onto the physical address space.)

Slide 12: Single Address Space
Can we use the page table like in private virtual address space?
◦ Recorded at page granularity per process
◦ Virtual-to-physical translation information
◦ Access permissions
Duplicate translation information
◦ Translation of a virtual page is unique across processes
Other protection domain models
◦ Domain-page model
◦ Page-group model
(Figure: Process A's page table (P1 R, P2 R, P3 R, ...) and Process B's page table (P1 RWX, P2 RWX, P3 RWX, ...) both recording the same frames for Seg 1: identical translations, different rights (RX vs. RWX).)


Slide 14: Single Address Space: Domain-Page Model
Protection domain = set of accessible pages + access permissions
Capability list
Each (domain, page) pair is unique
◦ Access rights associated with (domain, page)
(Table: rights per (domain, page) over Page 1 to Page 6; Domain A holds R, RW and RWX on three pages, Domain B holds R-X, R, R and R on four pages, Domain C holds RWX, R-X and RW on three pages; the column positions are not recoverable from the extraction.)

Slide 15: Protection Lookaside Buffer (PLB)
One implementation of the domain-page model
Translation lookaside buffer (TLB)
◦ On-chip cache of the page table
◦ Virtual-to-physical translation information + access permissions
Protection lookaside buffer (PLB)
◦ Only records access permissions
◦ Translation information is saved separately

Slide 16: Protection Lookaside Buffer
(Figure: TLB entry format (virtual page, physical page, access rights) alongside the memory hierarchy: Processor, TLB, L1 cache, L2 cache, last-level cache, memory, page table.)
Image source: ASPLOS 1992, "Architecture support for single address space operating systems".


Slide 17: PLB Advantages
No duplicate translation information
◦ Each page has a single translation entry in the TLB and memory hierarchy
Changing the access permission of a memory region is cheaper
◦ Use a single PLB entry for the entire memory region (stack, code segment, etc.)
◦ Only required to modify one PLB entry
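The cost argument on this slide is easy to see in a small model. The following C program is an added example, not code from the talk or from the ASPLOS paper: it models a PLB whose entries are (domain, page range, rights) tuples, as the slide's "single PLB entry for the entire memory region" suggests, and contrasts it with per-process page tables in which every mapping of a shared region carries its own rights. The entry layout, sizes and the sample region (pages 8 to 15 as a shared code segment for domain 1) are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Access-right bits, matching the slides' R/W/X notation. */
#define R_BIT 1u
#define W_BIT 2u
#define X_BIT 4u

#define PLB_SIZE 16   /* hypothetical PLB capacity */
#define NPROC 3       /* processes sharing the region in the page-table model */
#define NPAGES 64     /* pages per (toy) address space */

/* One PLB entry: a domain, the page range it covers, and the rights.
 * The translation itself lives elsewhere (TLB), as slide 15 states. */
struct plb_entry {
    int      valid;
    unsigned domain;
    unsigned base_page;   /* first virtual page of the region */
    unsigned npages;      /* region length in pages */
    unsigned rights;
};

static struct plb_entry plb[PLB_SIZE];

/* Install a region-wide entry; returns the slot index or -1 when full. */
int plb_insert(unsigned domain, unsigned base_page, unsigned npages, unsigned rights) {
    for (int i = 0; i < PLB_SIZE; i++) {
        if (!plb[i].valid) {
            plb[i] = (struct plb_entry){1, domain, base_page, npages, rights};
            return i;
        }
    }
    return -1;
}

/* Domain-page check: does `domain` hold all of `wanted` on `page`? */
int plb_check(unsigned domain, unsigned page, unsigned wanted) {
    for (int i = 0; i < PLB_SIZE; i++) {
        const struct plb_entry *e = &plb[i];
        if (e->valid && e->domain == domain &&
            page >= e->base_page && page < e->base_page + e->npages)
            return (e->rights & wanted) == wanted;
    }
    return 0;  /* no (domain, page) capability: no access */
}

/* Change the rights of one region for one domain: a single PLB entry.
 * Returns the number of entries modified. */
unsigned plb_set_region_rights(unsigned domain, unsigned base_page, unsigned rights) {
    unsigned modified = 0;
    for (int i = 0; i < PLB_SIZE; i++) {
        if (plb[i].valid && plb[i].domain == domain && plb[i].base_page == base_page) {
            plb[i].rights = rights;
            modified++;
        }
    }
    return modified;
}

/* Contrast (slide 7): with private virtual address spaces every process that
 * maps the region has its own page table entry for every page of it. */
static unsigned page_table[NPROC][NPAGES];

unsigned pt_set_region_rights(unsigned base_page, unsigned npages, unsigned rights) {
    unsigned modified = 0;
    for (int p = 0; p < NPROC; p++)
        for (unsigned v = base_page; v < base_page + npages; v++) {
            page_table[p][v] = rights;
            modified++;
        }
    return modified;
}

int main(void) {
    memset(plb, 0, sizeof plb);
    /* Constructed scenario: pages 8..15 are a shared code segment, R+X for domain 1. */
    plb_insert(1, 8, 8, R_BIT | X_BIT);
    printf("domain 1 read page 10:  %d\n", plb_check(1, 10, R_BIT));
    printf("domain 1 write page 10: %d\n", plb_check(1, 10, W_BIT));
    printf("domain 2 read page 10:  %d\n", plb_check(2, 10, R_BIT));
    printf("PLB entries touched to make the region read-only: %u\n",
           plb_set_region_rights(1, 8, R_BIT));
    printf("page table entries touched across %d processes:  %u\n",
           NPROC, pt_set_region_rights(8, 8, R_BIT));
    return 0;
}
```

The two counters at the end are the point of slide 17: one PLB entry versus NPROC times the region length in page table entries, and the gap widens with both the number of sharing processes and the size of the region.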

Slide 19: Single Address Space: Page-Group Model
Page group is a set of pages
◦ Each page belongs to a single page group
Access permissions associated with each page
◦ As opposed to the (domain, page) pair in the domain-page model
Protection domain = set of accessible page groups + access permissions
(Figure: Page Group A = Page 1, 2, 3; Page Group B = Page 4, 5; Page Group C = Page 6, 7, 8; Process I and Process II each have access to two of the groups, Process III to one.)

Slide 20: PA-RISC
An architecture of the page-group model designed by HP
Each process has 4 page-group registers (PID) for accessible page group IDs
◦ One additional write-disable bit that disables writes to the entire page group
Each process runs in one of the 4 privilege levels
◦ 0 (the highest) to 3

Process      Privilege level   PID1   PID2   PID3   PID4
Process I    0                 3      11     6      9
Process II   3                 11     12     13     14
Process III  2                 3      6      9      5


Slide 21: PA-RISC
Each page has unique translation information and access permissions
◦ Recorded in the page table/TLB
◦ Access permission = read, write, execute and the corresponding privilege levels
◦ E.g., writable from privilege level 0, readable from levels 0, 1 and 2, and inaccessible from level 3
◦ No duplicate translation information

Slide 22: PA-RISC
Whether accessible
◦ Determined by the PID registers
Access permission = rights in the TLB based on privilege level + write-disable bit
Image source: ASPLOS 1992, "Architecture support for single address space operating systems".
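The two-step PA-RISC check on slides 20 to 22 (group membership via the PID registers, then privilege-level rights plus the write-disable bit) can be written out as a small model. The C below is an added example, not from the talk or the paper it cites. It takes the PID values and privilege levels from the slide 20 table and the example page from slide 21 (writable from level 0, readable from levels 0 to 2, inaccessible from 3). The encoding of per-page rights as "highest privilege-level number still allowed" and the placement of the write-disable bit alongside each PID register are assumptions of this model.

```c
#include <stdio.h>

#define NPID 4   /* four page-group (PID) registers per process, as on slide 20 */

enum acc_type { ACC_READ, ACC_WRITE, ACC_EXEC };

/* Per-process state: privilege level 0 (highest) to 3, the four PID registers,
 * and (assumed placement) a write-disable flag next to each PID register. */
struct process {
    unsigned priv;
    unsigned pid[NPID];
    unsigned wd[NPID];
};

/* Per-page state from the page table/TLB: its group id and, per access type,
 * the largest privilege-level number that may still perform it. 4 means no
 * level may (assumed encoding). */
struct page {
    unsigned group;
    unsigned read_max_priv;    /* 2: readable from levels 0, 1, 2 */
    unsigned write_max_priv;   /* 0: writable from level 0 only */
    unsigned exec_max_priv;
};

/* Step 1 (slide 22): is the page's group named by any PID register? */
int pid_slot(const struct process *p, unsigned group) {
    for (int i = 0; i < NPID; i++)
        if (p->pid[i] == group) return i;
    return -1;
}

/* Step 2: rights in the TLB entry by privilege level, then the write-disable bit. */
int pa_risc_check(const struct process *p, const struct page *pg, enum acc_type a) {
    int slot = pid_slot(p, pg->group);
    if (slot < 0) return 0;                       /* group not accessible at all */
    unsigned max_priv;
    switch (a) {
    case ACC_READ:  max_priv = pg->read_max_priv;  break;
    case ACC_WRITE: max_priv = pg->write_max_priv; break;
    default:        max_priv = pg->exec_max_priv;  break;
    }
    if (p->priv > max_priv) return 0;             /* privilege level too low */
    if (a == ACC_WRITE && p->wd[slot]) return 0;  /* writes disabled for the whole group */
    return 1;
}

int main(void) {
    /* From the slide 20 table: Process I at level 0 with PIDs 3, 11, 6, 9;
     * Process II at level 3 with PIDs 11, 12, 13, 14. */
    struct process proc1 = {0, {3, 11, 6, 9},     {0, 0, 0, 0}};
    struct process proc2 = {3, {11, 12, 13, 14},  {0, 0, 0, 0}};
    /* Constructed page in group 11 with the rights from slide 21's example. */
    struct page pg = {11, 2, 0, 2};

    printf("Process I  read: %d  write: %d\n",
           pa_risc_check(&proc1, &pg, ACC_READ), pa_risc_check(&proc1, &pg, ACC_WRITE));
    printf("Process II read: %d (level 3 is inaccessible)\n",
           pa_risc_check(&proc2, &pg, ACC_READ));
    proc1.wd[1] = 1;   /* set the write-disable bit on Process I's register for group 11 */
    printf("Process I  write after write-disable: %d\n",
           pa_risc_check(&proc1, &pg, ACC_WRITE));
    return 0;
}
```

Note what the model does not have: there is no per-process copy of the page's translation or rights. Both live once, with the page, and the per-process part is only the four group ids, which is the "no duplicate translation information" property on slide 21.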

Slide 24: State-of-Art Memory Protection
Modern architectures use private virtual address spaces
◦ As supported in modern OSs such as Linux and FreeBSD
However, they also provide other memory protection models
◦ Like ARM and Intel


Slide 26: ARM Protection Domain
Domain = set of accessible pages
32-bit ARM supports 16 domains
Domain access control register (DACR)
◦ Defines the access permissions of the current process to the 16 domains (2 bits per domain)
◦ Saved in the process control block when the current process is context switched off
Each page belongs to a domain
◦ Identified by the domain field in the page table entry
DACR encoding per domain:
00: No access permission
01: Based on permission bits listed in the page table
10: RWX permissions
(Figure: kernel space and user space pages assigned to Domain 1 and Domain 2; DACR = 00 01 01 … 10 over the 16 domains.)

Slide 27: ARM Protection Model
TLB lookup (by VPN and ASID)
TLB hit
Access permission check based on TLB permission bits and domain
Domain permission check fails: abort exception
(Figure: TLB entry = VPN, ASID (Address Space Identifier) 0, Domain ID 0010, permission bits; DACR = 00 01 01 … 10 over the 16 domains; 00: no access permission, 01: based on permission bits listed in the page table, 10: RWX permissions.)

Slide 28: ARM Protection Domain
A legacy feature that is not in use in reality
◦ Only domain 1 (user space) and 2 (kernel space) are in use
◦ Removed from the 64-bit ARM architecture
Any other use cases?
◦ Alleviate duplicate translation information on Android


Slide 29: ARM Protection Domain: A Use Case on Android

Slide 30: Duplicate Translation Info on Android
Android uses the Linux kernel and thus uses private virtual address spaces
All Android applications share the same virtual and physical addresses for the preloaded shared libraries
◦ Due to the Android process creation model
58% duplicate page table pages for shared libraries on Android

Slide 31: Android Application Instruction Footprint
Most of the instructions accessed are from preloaded shared libraries
Number of shared libraries per application:
◦ Loaded: 88 to 107 (zygote-preloaded: 88)
◦ Invoked: 24 to 68 (zygote-preloaded: 21 to 46)
(Chart: % of instructions fetched from zygote-preloaded shared libraries vs. other shared libraries, per application: MX Player, Adobe Reader, WPS, Email, Chrome, Angrybirds, Google Calendar, Android Browser, Chrome Privilege, Chrome Sandbox, Laya Music Player, and the average; bar labels visible in the extraction include 98%, 91%, 85% and 72%.)

Slide 32: Android Application Instruction Footprint
Considerable overlap in the shared library code accessed across different applications
◦ 46% of total instruction pages accessed are in common for each pair of applications
◦ Zygote-preloaded: 38%
(Figure: matrix of the % of instruction footprint overlapped between each pair of the applications above.)


Slide 33: Sharing TLB for Shared Libraries
To alleviate duplication, we share the page table and TLB for preloaded shared libraries across all Android processes [Eurosys'16, IISWC'15]
◦ In this talk we only focus on sharing the TLB
We use the global bit and the ARM protection domain
Global bit
◦ Traditionally used for kernel-space translation
◦ Kernel space mappings are identical and therefore shared across processes
◦ Overrides the Address Space Identifier (ASID) in the TLB

Slide 34: Sharing TLB for Shared Libraries
Global bit
◦ Set the global bit in the page table entries of the preloaded shared libraries
◦ To share TLB entries
ARM protection domain
◦ There are other processes (system services and daemons) not forked from the template
◦ Prevents them from accessing the shared global TLB entries
◦ To unshare TLB entries

Slide 35
(Figure: page table entry with global bit and domain field; TLB entry = VPN, ASID 1, Domain ID 0011, permission bits. Domain 1 = user space, Domain 2 = kernel space, Domain 3 = zygote-preloaded shared libraries. The DACR of Android processes has 01 for Domain 3 (based on the permission bits in the TLB entry); the DACR of other processes has 00 for Domain 3 (no access). On a domain check fault the processor traps into the kernel's memory abort handler, which reads the fault status register and flushes all TLB entries with the faulting address.)
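The lookup flow of slide 27 and the Android scheme of slides 33 to 35 use the same pieces (a TLB keyed by VPN and ASID, a global bit that overrides the ASID, a domain field, and the DACR), so one model covers both. The C below is an added example written for this page, not code from the talk, from the cited papers or from any kernel. The DACR encoding follows slide 26 (00 no access, 01 check the permission bits, 10 full RWX); DACR values other than those three are treated as no access here, which is an assumption of the model. The TLB size, the page number 0x400 standing in for a zygote-preloaded library page, and the ASIDs are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define TLB_SIZE 8      /* hypothetical TLB capacity */
#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u

enum result { ACCESS_OK, TLB_MISS, PERM_FAULT, DOMAIN_FAULT };

struct tlb_entry {
    int      valid;
    uint32_t vpn;
    uint8_t  asid;
    int      global;    /* global bit: the entry matches regardless of ASID */
    uint8_t  domain;    /* 0..15, copied from the page table entry's domain field */
    uint8_t  perm;      /* permission bits of the mapping */
};

static struct tlb_entry tlb[TLB_SIZE];

/* DACR: 2 bits per domain, domain d occupies bits [2d+1:2d]. */
uint32_t dacr_set(uint32_t dacr, unsigned domain, unsigned mode) {
    dacr &= ~(3u << (2 * domain));
    return dacr | ((mode & 3u) << (2 * domain));
}
unsigned dacr_get(uint32_t dacr, unsigned domain) {
    return (dacr >> (2 * domain)) & 3u;
}

/* Fill an entry from a (modelled) page table entry; returns slot or -1. */
int tlb_fill(uint32_t vpn, uint8_t asid, int global, uint8_t domain, uint8_t perm) {
    for (int i = 0; i < TLB_SIZE; i++)
        if (!tlb[i].valid) {
            tlb[i] = (struct tlb_entry){1, vpn, asid, global, domain, perm};
            return i;
        }
    return -1;
}

/* Slide 27's flow: match by VPN and ASID (global entries ignore the ASID),
 * then the domain check through the DACR, then the permission bits. */
enum result tlb_access(uint32_t dacr, uint8_t cur_asid, uint32_t vpn, unsigned wanted) {
    for (int i = 0; i < TLB_SIZE; i++) {
        const struct tlb_entry *e = &tlb[i];
        if (!e->valid || e->vpn != vpn) continue;
        if (!e->global && e->asid != cur_asid) continue;
        switch (dacr_get(dacr, e->domain)) {
        case 1:  return (e->perm & wanted) == wanted ? ACCESS_OK : PERM_FAULT;
        case 2:  return ACCESS_OK;       /* slide 26: RWX regardless of the bits */
        default: return DOMAIN_FAULT;    /* 00: no access (other values treated alike) */
        }
    }
    return TLB_MISS;
}

/* Slide 35's abort-handler step: drop every entry for the faulting address,
 * so the non-Android process later refills from its own page table. */
unsigned tlb_flush_vpn(uint32_t vpn) {
    unsigned n = 0;
    for (int i = 0; i < TLB_SIZE; i++)
        if (tlb[i].valid && tlb[i].vpn == vpn) { tlb[i].valid = 0; n++; }
    return n;
}

int main(void) {
    memset(tlb, 0, sizeof tlb);
    /* Constructed: a preloaded-library page shared via the global bit, tagged domain 3. */
    tlb_fill(0x400, 1, 1, 3, PERM_R | PERM_X);
    uint32_t app    = dacr_set(dacr_set(0, 1, 1), 3, 1);  /* Android app: domain 3 = 01 */
    uint32_t daemon = dacr_set(0, 1, 1);                  /* system daemon: domain 3 = 00 */

    printf("app (ASID 7) exec:  %d (0 = ACCESS_OK)\n", tlb_access(app, 7, 0x400, PERM_X));
    printf("app write:          %d (2 = PERM_FAULT)\n", tlb_access(app, 7, 0x400, PERM_W));
    enum result r = tlb_access(daemon, 9, 0x400, PERM_X);
    printf("daemon (ASID 9) exec: %d (3 = DOMAIN_FAULT)\n", r);
    if (r == DOMAIN_FAULT)
        printf("abort handler flushed %u entries for VPN 0x400\n", tlb_flush_vpn(0x400));
    return 0;
}
```

The daemon's access hits the global entry (the ASID is ignored), but its DACR says 00 for domain 3, so the hardware raises the domain fault instead of using the shared translation; the handler's flush is what "unshares" the entry for that process.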


Slide 37: Intel Memory Protection Keys
Similar to the 32-bit ARM protection domain model
◦ While 64-bit ARM removes it, Intel brings it back
Goal: Applications can efficiently modify access permissions at memory region granularity
Only applied to user-space pages
Each page is associated with a protection key
◦ Recorded in the page table entry
Domain = set of accessible pages with the same protection key

Slide 38: Intel Memory Protection Keys
Intel supports 16 domains
Protection key rights for user pages (PKU) register:
◦ Specifies the access permissions of the current process to the 16 domains
◦ 2 bits per domain (access disable bit + write disable bit)
◦ Configurable in user space
Access permission check: page table entry permissions + protection key permissions (access disable? write disable?)
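As an added example (not code from the talk), the C below shows the two halves of slide 38: the 2-bits-per-key register layout with the combined "PTE permissions + key permissions" check, and the Linux user-space sequence that uses it (pkey_alloc, pkey_mprotect to tag a region, then pkey_set to flip the key's rights without touching the page table). Intel's documentation calls the register PKRU; its AD (access disable) bit for key k sits at bit 2k and WD (write disable) at bit 2k+1, which is the layout used here. The glibc wrappers used in mpk_demo() exist from glibc 2.27; on a CPU or kernel without PKU, pkey_alloc() fails and the function returns -1 instead of crashing. The buffer size and key number 3 in main() are constructed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <sys/mman.h>

/* Per-key rights bits in PKRU: AD at bit 2k, WD at bit 2k+1. */
#define KEY_AD 1u   /* access disable: neither reads nor writes through this key */
#define KEY_WD 2u   /* write disable */

/* Return PKRU with key `key`'s 2-bit field replaced by `rights`. */
uint32_t pkru_set(uint32_t pkru, unsigned key, unsigned rights) {
    pkru &= ~(3u << (2 * key));
    return pkru | ((rights & 3u) << (2 * key));
}

unsigned pkru_rights(uint32_t pkru, unsigned key) {
    return (pkru >> (2 * key)) & 3u;
}

/* Slide 38's check for a user page whose key has `rights`: the page table
 * entry must permit the access AND the key must not disable it.
 * pte_w: the mapping is writable; is_write: the access is a write. */
int mpk_check(unsigned rights, int pte_w, int is_write) {
    if (rights & KEY_AD) return 0;
    if (is_write && ((rights & KEY_WD) || !pte_w)) return 0;
    return 1;
}

/* Linux walk-through with the glibc wrappers. Returns 0 when PKU is available
 * and the sequence ran, -1 otherwise (pkey_alloc sets errno to ENOSYS/EINVAL). */
#if defined(__linux__) && defined(PKEY_DISABLE_WRITE)
int mpk_demo(void) {
    int key = pkey_alloc(0, 0);                 /* new key; initial rights 0 = full access */
    if (key < 0) return -1;
    size_t len = 4096;
    char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { pkey_free(key); return -1; }
    strcpy(buf, "tagged");                      /* still writable: key rights are 0 */
    /* Tag the region with the key: a page-table update, done once per page. */
    if (pkey_mprotect(buf, len, PROT_READ | PROT_WRITE, key) != 0) {
        munmap(buf, len); pkey_free(key); return -1;
    }
    /* From here on, changing the region's rights is a register write (slide 37's
     * goal), not a walk over page table entries. Disable writes through the key. */
    pkey_set(key, PKEY_DISABLE_WRITE);
    int rights = pkey_get(key);                 /* same AD/WD flag values as above */
    printf("key %d rights=%d  read allowed: %d  write allowed: %d\n", key, rights,
           mpk_check((unsigned)rights, 1, 0), mpk_check((unsigned)rights, 1, 1));
    /* A store to buf here would be delivered as SIGSEGV with si_code SEGV_PKUERR. */
    pkey_set(key, 0);                           /* restore full access before cleanup */
    munmap(buf, len);
    pkey_free(key);
    return 0;
}
#else
int mpk_demo(void) { errno = ENOSYS; return -1; }
#endif

int main(void) {
    uint32_t pkru = pkru_set(0, 3, KEY_WD);     /* constructed: key 3 write-disabled */
    printf("PKRU=0x%08x  key 3 read: %d  write: %d\n", pkru,
           mpk_check(pkru_rights(pkru, 3), 1, 0), mpk_check(pkru_rights(pkru, 3), 1, 1));
    if (mpk_demo() != 0) printf("pkey support unavailable on this system\n");
    return 0;
}
```

Two practical points follow from the model: the key can only take rights away (an AD or WD bit never grants more than the page table entry allows, which is why mpk_check consults pte_w), and because PKRU is written from user space the protection is against accidental or unintended accesses within a process rather than against code that can execute WRPKRU itself.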

Slide 39: Conclusions
Per-process private virtual address space interferes with memory sharing
Duplication of address translation information results from private virtual address space
Changing access permissions at memory region granularity is expensive with the page table
Other memory protection models can be leveraged:
◦ Single address space
◦ State-of-art mechanisms (ARM protection domain and Intel MPK)