DOCSLIB.ORG

Arxiv:1904.12226V1 [Cs.NI] 27 Apr 2019

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Arxiv:1904.12226V1 [Cs.NI] 27 Apr 2019 The Ideal Versus the Real: Revisiting the History of Virtual Machines and Containers Allison Randal, University of Cambridge Abstract also have greater access to the host’s privileged software (kernel, operating system) than a physically distinct ma- The common perception in both academic literature and chine would have. the industry today is that virtual machines offer better se- curity, while containers offer better performance. How- Ideally, multitenant environments would offer strong ever, a detailed review of the history of these technolo- isolation of the guest from the host, and between guests gies and the current threats they face reveals a different on the same host, but reality falls short of the ideal. The story. This survey covers key developments in the evo- approaches that various implementations have taken to lution of virtual machines and containers from the 1950s isolating guests have different strengths and weaknesses. to today, with an emphasis on countering modern misper- For example, containers share a kernel with the host, ceptions with accurate historical details and providing a while virtual machines may run as a process in the host solid foundation for ongoing research into the future of operating system or a module in the host kernel, so they secure isolation for multitenant infrastructures, such as expose different attack surfaces through different code cloud and container deployments. paths in the host operating system. Fundamentally, how- ever, all existing implementations of virtual machines and containers are leaky abstractions, exposing more of 1 Introduction the underlying software and hardware than is necessary, useful, or desirable. New security research in 2018 deliv- Many modern computing workloads run in multitenant ered a further blow to the ideal of isolation in multitenant environments, such as cloud or containers, where each environments, demonstrating that certain hardware vul- physical machine is split into hundreds or thousands of nerabilities related to speculative execution—including smaller units of computing, called virtual machines, con- Spectre, Meltdown, Foreshadow, L1TF, and variants— tainers, cloud instances, or more generically guests. Typ- can easily bypass the software isolation of guests. ically, a single tenant (a user or group of users) is granted Because multitenancy has proven to be useful and access to deploy guests in an orchestrated fashion across profitable for a large sector of the computing industry, a cloud or cluster made up of hundreds or thousands it is likely that a significant percentage of computing arXiv:1904.12226v1 [cs.NI] 27 Apr 2019 of physical machines located in the same data center or workloads will continue to run in multitenant environ- across multiple data centers, to facilitate operational flex- ments for the foreseeable future. This is not a matter ibility in areas such as capacity planning, resiliency, and of na¨ıvete,´ but of pragmatism: these days, the compa- reliable performance under variable load. Each guest nies who provide and make use of multitenant environ- runs its own (often minimal) operating system and ap- ments are generally fully aware of the security risks, but plication workloads, and maintains the illusion of being they do so anyway because the benefits—such as flexi- a physical machine, both to the end users who interact bility, resiliency, reliability, performance, cost, or any of with the services running in the guests, and to develop- a dozen other factors—outweigh the risks for their par- ers who are able to build those services using familiar ticular use cases and business needs. That being the case, abstractions, such as programming languages, libraries, it is worthwhile to take a step back and examine how the and operating system features. The illusion, however, is past sixty years of evolution led to the current tension be- not perfect, because ultimately the guests do share the tween secure ideals and flawed reality, and what lessons hardware resources (CPU, memory, cache, devices) of from the past might help us build more secure software the underlying physical host machine, and consequently and hardware for the next sixty years. 1 Capsicum Influence BSD jails direct chroot indirect SunOS Solaris Zones Multics UNIX Borg Kubernetes POSIX POSIX.1e Chicago Magic Number Machine MINIX Linux LXC Docker OCI VServer CTSS CAL-TSS OpenVZ Plessey System 250 UML Kata capabilities B5000 QEMU NEMU CAP crosvm Firecracker KVM iAPX 432 Denali ukvm hvt System/38 AS/400 AWS multiprogramming CP-40/CMS CP-67/CMS VM/370 Disco VMware Xen LightVM M44/44X 1950 1960 1970 1980 1990 2000 2010 today Figure 1: The evolution of virtual machines and containers. This survey is divided into sections following the evo- use are Banga et al. [25] in 1999, Lottiaux and lutionary paths of the technologies behind virtual ma- Morin [125] in 2001, Morin et al. [143] in 2002, chines and containers, generally in chronological order, and Price and Tucker [162] in 2004. Early litera- as illustrated in Figure 1. Section 3 explores the com- ture on containers confusingly referred to them as a mon origins of virtual machines and containers in the kind of virtualization [162; 180; 140; 102; 45; 48], late 1950s and early 1960s, driven by the architectural or even called them virtual machines [180]. As con- shift toward multitasking and multiprocessing, and moti- tainers grew more popular, the confusion shifted to vated by a desire to securely isolate processes, efficiently virtual machines being called containers [37; 217]. utilize shared resources, improve portability, and mini- This survey uses the term “container” for mul- mize complexity. Section 4 examines the first virtual ma- titenant deployment techniques involving process chines in the mid-1960s to 1970s, which primarily aimed isolation on a shared kernel (in contrast with virtual to improve resource utilization in time-sharing systems. machine, as defined below). However, in practice Section 5 delves into the capability systems of the early the distinction between containers and virtual ma- 1960s to 1970s—the precursors of modern containers— chines is more of a spectrum than a binary divide. which evolved along a parallel track to virtual machines, Techniques common to one can be effectively ap- with similar motivations but different implementations. plied to the other, such as using system call filter- Section 6 outlines the resurgence of virtual machines in ing with containers, or using seccomp sandboxing the late 1990s and 2000s. Section 7 traces the emergence or user namespaces with virtual machines. of containers in the 2000s and 2010s. Section 8 investi- gates the impact of recent security research on both vir- • complexity: There are many dimensions to com- tual machines and containers. Section 9 briefly looks at plexity in computing, but in the context of mul- the relationship between virtual machines and containers titenant infrastructures some uniquely relevant di- and the related terms “cloud”, “serverless”, and “uniker- mensions are keeping each guest, the interactions nels”. between guests, and the host’s management of the guests as small and simple as possible. The im- 2 Terminology plementation technique of isolation supports mini- mizing complexity by restricting access to internal For the sake of clarity, this survey consistently uses cer- knowledge of the guests and host, and providing tain modern or common terms, even when discussing lit- well-defined interfaces to reduce the complexity of erature that used various other terms for the same con- interactions between them. cepts. • guest: The term “guest” had some early usage in • container: The term “container” does not have a the 1980s for the operating system image running single origin, but some early relevant examples of inside a virtual machine [145], but was not com- 2 mon until the early 2000s [194; 26]. This survey • process: The early literature tended to use the terms uses “guest” as a general term for operating sys- “job” [169] or “program” [52; 151; 20], and “pro- tem images hosted on multitenant infrastructures, cess” only appeared around the mid-1960s [64; 14]. but occasionally distinguishes between virtual ma- This survey uses the modern term “process”. The chine guests and container guests. early use of “multiprogramming” meaning “multi- processing” was derived from the early use of “pro- • kernel: A variety of different terms appear in the gram” meaning “process”. early literature, including “supervisory program” [52], “supervisor program” [20], “control program” • security: There are many dimensions to security [147; 151; 15], “coordinating program” [151], “nu- in computing, but in the context of multitenant in- cleus” [43; 1], “monitor” [206], and ultimately “ker- frastructures some uniquely relevant dimensions are nel” around the mid-1970s [121; 159]. This survey limiting access between guests, from guests to the uses the modern term “kernel”. host, and from the host to the guests. The imple- mentation technique of isolation supports security, • performance: There are many dimensions to per- at both the software level and the hardware level, by formance in computing, but in the context of mul- reducing the likelihood of a breach and limiting the titenant infrastructures some uniquely relevant di- scope of damage when a breach occurs. mensions are the performance impact of added lay- ers of abstraction separating the guest application workload from the host, balanced against the perfor- • virtual machine: This survey uses the term “virtual mance benefits of sharing resources between guests machine” for multitenant deployment techniques and reducing wasted resources from unused capac- involving the replication/emulation of real hard- ity. At the level of a single machine, this involves ware architectures in software (in contrast with con- running multiple guests on the same machine at tainer, as defined above). The code responsible for the same time, with potential for intelligent, dy- managing virtual machine guests on a physical host namic scheduling to extract more work from the machine is often called a “hypervisor” or “virtual same resource pool.
Load more

Recommended publications
  • Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)
    OPERATING SYSTEMS AND VIRTUALISATION SECURITY KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Herbert Bos – Vrije Universiteit Amsterdam EDITOR: Andrew Martin – Oxford University REVIEWERS: Chris Dalton – Hewlett Packard David Lie – University of Toronto Gernot Heiser – University of New South Wales Mathias Payer – École Polytechnique Fédérale de Lausanne © Crown Copyright, The National Cyber Security Centre 2019. Following wide community consultation with both academia and industry, 19 Knowledge Areas (KAs) have been identified to form the scope of the CyBOK (see diagram below). The Scope document provides an overview of these top-level KAs and the sub-topics that should be covered under each and can be found on the project website: https://www.cybok.org/. We are seeking comments within the scope of the individual KA; readers should note that important related subjects such as risk or human factors have their own knowledge areas. It should be noted that a fully-collated CyBOK document which includes issue 1.0 of all 19 Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas. Operating Systems and Virtualisation Security Herbert Bos Vrije Universiteit Amsterdam April 2019 INTRODUCTION In this knowledge area, we introduce the principles, primitives and practices for ensuring security at the operating system and hypervisor levels. We shall see that the challenges related to operating system security have evolved over the past few decades, even if the principles have stayed mostly the same. For instance, when few people had their own computers and most computing was done on multiuser (often mainframe-based) computer systems with limited connectivity, security was mostly focused on isolating users or classes of users from each other1.
    [Show full text]
  • Benchmarking, Analysis, and Optimization of Serverless Function Snapshots
    Benchmarking, Analysis, and Optimization of Serverless Function Snapshots Dmitrii Ustiugov∗ Plamen Petrov Marios Kogias† University of Edinburgh University of Edinburgh Microsoft Research United Kingdom United Kingdom United Kingdom Edouard Bugnion Boris Grot EPFL University of Edinburgh Switzerland United Kingdom ABSTRACT CCS CONCEPTS Serverless computing has seen rapid adoption due to its high scala- • Computer systems organization ! Cloud computing; • In- bility and flexible, pay-as-you-go billing model. In serverless, de- formation systems ! Computing platforms; Data centers; • velopers structure their services as a collection of functions, spo- Software and its engineering ! n-tier architectures. radically invoked by various events like clicks. High inter-arrival time variability of function invocations motivates the providers KEYWORDS to start new function instances upon each invocation, leading to cloud computing, datacenters, serverless, virtualization, snapshots significant cold-start delays that degrade user experience. To reduce ACM Reference Format: cold-start latency, the industry has turned to snapshotting, whereby Dmitrii Ustiugov, Plamen Petrov, Marios Kogias, Edouard Bugnion, and Boris an image of a fully-booted function is stored on disk, enabling a Grot. 2021. Benchmarking, Analysis, and Optimization of Serverless Func- faster invocation compared to booting a function from scratch. tion Snapshots . In Proceedings of the 26th ACM International Conference on This work introduces vHive, an open-source framework for Architectural Support for Programming Languages and Operating Systems serverless experimentation with the goal of enabling researchers (ASPLOS ’21), April 19–23, 2021, Virtual, USA. ACM, New York, NY, USA, to study and innovate across the entire serverless stack. Using 14 pages. https://doi.org/10.1145/3445814.3446714 vHive, we characterize a state-of-the-art snapshot-based serverless infrastructure, based on industry-leading Containerd orchestra- 1 INTRODUCTION tion framework and Firecracker hypervisor technologies.
    [Show full text]
  • Open Source Ethos Guiding Beliefs Or Ideals That Characterize a Community
    Open Source Ethos guiding beliefs or ideals that characterize a community Patrick Masson Open Source Initiative [email protected] What is the mission of the conference? …bring smart and creative people together; …inspire and motivate them to create new and amazing things; …with an intimate group of like minded individuals. What is the mission of the conference? …bring smart and creative people together; …inspire and motivate them to create new and amazing things; …with an intimate group of like minded individuals. This is the open source ethos – guiding beliefs, ideals of a community It's a great time to be working with open source 1.5 Million Projects 78% of companies run on open source 64% of companies participate It's a great time to be working with open source 88% expect contributions to grow 66% consider before proprietary <3% Don't use OSS 2015 Future of Open Source Survey Black Duck, Northbridge It's a great time to be working with open source It's a great time to be working with open source It's a great time to be working with open source It's a great time to be working with open source Open-course/Open-source Marc Wathieu CC-BY-NC-SA https://www.flickr.com/photos/marcwathieu/2412755417/ _____ College first Massive Open source Online Course (MOOC) Are you seeing other examples of this Mini-MOOC trend (free, I began but did not finish my first The Gates grantees aren’t the only ones open source courses by a MOOC (Massive Open-Source, startup or organization)? Online Course).
    [Show full text]
  • Katalog Elektronskih Knjiga
    KATALOG ELEKTRONSKIH KNJIGA Br Autor Naziv Godina ISBN Str. Porijeklo izdavanja 1 Peter Kent Pay Per Click Search 2006 0-471-74594-3 130 Kupovina Engine Marketing for Dummies 2 Terry Large Access 1 2007 Internet Freeware 3 Kevin Smith Excel Lassons & Tutorials 2004 Internet Freeware 4 Terry Michael Photografy Tutorials 2006 Internet Freeware Janine Peterson Phil Pivnick 5 Jake Ludington Converting Vinyl LPs 2003 Internet Freeware to CD 6 Allen Wyatt Cleaning Windows XP 2004 0-7645-7311-X Poklon for Dummies 7 Peter Kent Sarch Engine Optimization 2006 0-4717-5441-2 Kupovina for Dummies 8 Terry Large Access 2 2007 Internet Freeware 9 Dirk Dupon How to write, create, 2005 Internet Freeware promote and sell E-books on the Internet 10 Chayden Bates eBook Marketing 2000 Internet Freeware Explained 11 Kevin Sinclair How To Choose A 1999 Internet Freeware Homebased Bussines 12 Bob McElwain 101 Newbie-Frendly Tips 2001 Internet Freeware 13 Windows Basics 2004 Poklon 14 Michael Abrash Zen of Graphic 2005 Poklon Programming, 2. izdanje 15 13 Hot Internet 2000 Internet Freeware Moneymaking Methods 16 K. Williams The Complete HTML 1998 Poklon Teacher 17 C. Darwin On the Origin of Species Internet Freeware 2/175 Br Autor Naziv Godina ISBN Str. Porijeklo izdavanja 18 C. Darwin The Variation of Animals Internet Freeware 19 Bruce Eckel Thinking in C++, Vol 1 2000 Internet Freeware 20 Bruce Eckel Thinking in C++, Vol 2 2000 Internet Freeware 21 James Parton Captains of Industry 1890 399 Internet Freeware 22 Bruno R. Preiss Data Structures and 1998 Internet
    [Show full text]
  • CHERI Instruction-Set Architecture
    UCAM-CL-TR-876 Technical Report ISSN 1476-2986 Number 876 Computer Laboratory Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Michael Roe, Jonathan Anderson, David Chisnall, Brooks Davis, Alexandre Joannou, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Robert Norton, Stacey Son September 2015 15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500 http://www.cl.cam.ac.uk/ c 2015 Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Michael Roe, Jonathan Anderson, David Chisnall, Brooks Davis, Alexandre Joannou, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Robert Norton, Stacey Son, SRI International Approved for public release; distribution is unlimited. Sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (“CTSRD”) and FA8750-11-C-0249 (“MRC2”) as part of the DARPA CRASH and DARPA MRC research programs. The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. Additional support was received from St John’s College Cambridge, the SOAAP Google Focused Research Award, the RCUK’s Horizon Digital Economy Research Hub Grant (EP/G065802/1), the EPSRC REMS Programme Grant (EP/K008528/1), the Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF), and Thales E-Security. Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/techreports/ ISSN 1476-2986 Abstract This technical report describes CHERI ISAv4, the fourth version of the Capability Hardware Enhanced RISC Instructions (CHERI) Instruction-Set Architecture (ISA)1 being developed by SRI International and the University of Cambridge.
    [Show full text]
  • Producing Open Source Software How to Run a Successful Free Software Project
    Producing Open Source Software How to Run a Successful Free Software Project Karl Fogel Producing Open Source Software: How to Run a Successful Free Software Project by Karl Fogel Copyright © 2005-2018 Karl Fogel, under the CreativeCommons Attribution-ShareAlike (4.0) license. Version: 2.3098 Home site: http://producingoss.com/ Dedication This book is dedicated to two dear friends without whom it would not have been possible: Karen Under- hill and Jim Blandy. i Table of Contents Preface ............................................................................................................................. vi Why Write This Book? ............................................................................................... vi Who Should Read This Book? .................................................................................... vii Sources ................................................................................................................... vii Acknowledgements ................................................................................................... viii For the first edition (2005) ................................................................................ viii For the second edition (2017) ............................................................................... x Disclaimer .............................................................................................................. xiii 1. Introduction ...................................................................................................................
    [Show full text]
  • In Search of the Ideal Storage Configuration for Docker Containers
    In Search of the Ideal Storage Configuration for Docker Containers Vasily Tarasov1, Lukas Rupprecht1, Dimitris Skourtis1, Amit Warke1, Dean Hildebrand1 Mohamed Mohamed1, Nagapramod Mandagere1, Wenji Li2, Raju Rangaswami3, Ming Zhao2 1IBM Research—Almaden 2Arizona State University 3Florida International University Abstract—Containers are a widely successful technology today every running container. This would cause a great burden on popularized by Docker. Containers improve system utilization by the I/O subsystem and make container start time unacceptably increasing workload density. Docker containers enable seamless high for many workloads. As a result, copy-on-write (CoW) deployment of workloads across development, test, and produc- tion environments. Docker’s unique approach to data manage- storage and storage snapshots are popularly used and images ment, which involves frequent snapshot creation and removal, are structured in layers. A layer consists of a set of files and presents a new set of exciting challenges for storage systems. At layers with the same content can be shared across images, the same time, storage management for Docker containers has reducing the amount of storage required to run containers. remained largely unexplored with a dizzying array of solution With Docker, one can choose Aufs [6], Overlay2 [7], choices and configuration options. In this paper we unravel the multi-faceted nature of Docker storage and demonstrate its Btrfs [8], or device-mapper (dm) [9] as storage drivers which impact on system and workload performance. As we uncover provide the required snapshotting and CoW capabilities for new properties of the popular Docker storage drivers, this is a images. None of these solutions, however, were designed with sobering reminder that widespread use of new technologies can Docker in mind and their effectiveness for Docker has not been often precede their careful evaluation.
    [Show full text]
  • CA Top Secret for Z/OS Control Options Guide
    CA Top Secret® for z/OS Control Options Guide r15 Ninth Edition This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the “Documentation”), is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
    [Show full text]
  • Qualifikationsprofil #10309
    QUALIFIKATIONSPROFIL #10309 ALLGEMEINE DATEN Geburtsjahr: 1972 Ausbildung: Abitur Diplom, Informatik, (TU, Kaiserslautern) Fremdsprachen: Englisch, Französisch Spezialgebiete: Kubernetes KENNTNISSE Tools Active Directory Apache Application Case CATIA CVS Eclipse Exchange Framework GUI Innovator ITIL J2EE JMS LDAP Lotus Notes make MS Exchange MS Outlook MS-Exchange MS-Office MS-Visual Studio NetBeans OSGI RACF SAS sendmail Together Turbine UML VMWare .NET ADS ANT ASP ASP.NET Flash GEnie IDES Image Intellij IDEA IPC Jackson JBOSS Lex MS-Visio ODBC Oracle Application Server OWL PGP SPSS SQS TesserAct Tivoli Toolbook Total Transform Visio Weblogic WebSphere YACC Tätigkeiten Administration Analyse Beratung Design Dokumentation KI Konzeption Optimierung Support Vertrieb Sprachen Ajax Basic C C# C++ Cobol Delphi ETL Fortran Java JavaScript Natural Perl PHP PL/I PL-SQL Python SAL Smalltalk SQL ABAP Atlas Clips Delta FOCUS HTML Nomad Pascal SPL Spring TAL XML Detaillierte Komponenten AM BI FS-BA MDM PDM PM BW CO FI LO PP Datenbanken Approach IBM Microsoft Object Store Oracle Progress Sybase DMS ISAM JDBC mySQL DC/Netzwerke ATM DDS Gateway HBCI Hub Internet Intranet OpenSSL SSL VPN Asynchronous CISCO Router DNS DSL Firewall Gateways HTTP RFC Router Samba Sockets Switches Finance Business Intelligence Excel Konsolidierung Management Projektleiter Reporting Testing Wertpapiere Einkauf CAD Systeme CATIA V5 sonstige Hardware Digital HP PC Scanner Siemens Spark Teradata Bus FileNet NeXT SUN Switching Tools, Methoden Docker Go Kubernetes Rational RUP
    [Show full text]
  • Resource Management: Linux Kernel Namespaces and Cgroups
    Resource management: Linux kernel Namespaces and cgroups Rami Rosen [email protected] Haifux, May 2013 www.haifux.org 1/121 http://ramirose.wix.com/ramirosen TOC Network Namespace PID namespaces UTS namespace Mount namespace user namespaces cgroups Mounting cgroups links Note: All code examples are from for_3_10 branch of cgroup git tree (3.9.0-rc1, April 2013) 2/121 http://ramirose.wix.com/ramirosen General The presentation deals with two Linux process resource management solutions: namespaces and cgroups. We will look at: ● Kernel Implementation details. ●what was added/changed in brief. ● User space interface. ● Some working examples. ● Usage of namespaces and cgroups in other projects. ● Is process virtualization indeed lightweight comparing to Os virtualization ? ●Comparing to VMWare/qemu/scaleMP or even to Xen/KVM. 3/121 http://ramirose.wix.com/ramirosen Namespaces ● Namespaces - lightweight process virtualization. – Isolation: Enable a process (or several processes) to have different views of the system than other processes. – 1992: “The Use of Name Spaces in Plan 9” – http://www.cs.bell-labs.com/sys/doc/names.html ● Rob Pike et al, ACM SIGOPS European Workshop 1992. – Much like Zones in Solaris. – No hypervisor layer (as in OS virtualization like KVM, Xen) – Only one system call was added (setns()) – Used in Checkpoint/Restart ● Developers: Eric W. biederman, Pavel Emelyanov, Al Viro, Cyrill Gorcunov, more. – 4/121 http://ramirose.wix.com/ramirosen Namespaces - contd There are currently 6 namespaces: ● mnt (mount points, filesystems) ● pid (processes) ● net (network stack) ● ipc (System V IPC) ● uts (hostname) ● user (UIDs) 5/121 http://ramirose.wix.com/ramirosen Namespaces - contd It was intended that there will be 10 namespaces: the following 4 namespaces are not implemented (yet): ● security namespace ● security keys namespace ● device namespace ● time namespace.
    [Show full text]
  • Capabilities
    CS 261, Fall 2015 Scribe notes September 8: Capabilities Scribe: Riyaz Faizullabhoy 1 Motivation for Capabilities In The Confused Deputy, the compiler had two sets of rights: one from the user to access user files such as source code to compile, and another set granted to the compiler intended to access a special statistics file that would collect information about language feature usage. The compiler was installed in the SYSX directory, where it was granted access to write to any file in this directory. Naturally, the statistics file SYSX/STAT was also located in this directory such that the compiler (SYSX/FORT) could add language feature information. To achieve this, the compiler's privileges were set with a home files license that was allowed by the operating system to write to any file in the SYSX directory. A billing information file SYSX/BILL was also stored in SYSX { due to its sensitive nature, this billing file was not directly accessible to users. However, since the compiler was granted access to the entire SYSX directory, users could subvert their access restrictions on the billing information file by using the compiler like so: SYSX/FORT foo.f -o SYSX/BILL The above user-invoked command to the compiler would allow the compiler to first read the user's source code in foo.f, but then the compiler's privilege to SYSX would cause the SYSX/BILL file to be overwritten with the user's binary. In effect, the compiler is the confused deputy having to reconcile both its own and the user's set of privileges, but unfortunately allows for unintended behavior.
    [Show full text]
  • OS Structures and System Calls
    COS 318: Operating Systems OS Structures and System Calls Kai Li Computer Science Department Princeton University (http://www.cs.princeton.edu/courses/cos318/) Outline Protection mechanisms OS structures System and library calls 2 Protection Issues CPU Kernel has the ability to take CPU away from users to prevent a user from using the CPU forever Users should not have such an ability Memory Prevent a user from accessing others’ data Prevent users from modifying kernel code and data structures I/O Prevent users from performing “illegal” I/Os Question What’s the difference between protection and security? 3 Architecture Support: Privileged Mode An interrupt or exception (INT) User mode Kernel (privileged) mode • Regular instructions • Regular instructions • Access user memory • Privileged instructions • Access user memory • Access kernel memory A special instruction (IRET) 4 Privileged Instruction Examples Memory address mapping Flush or invalidate data cache Invalidate TLB entries Load and read system registers Change processor modes from kernel to user Change the voltage and frequency of processor Halt a processor Reset a processor Perform I/O operations 5 x86 Protection Rings Privileged instructions Can be executed only When current privileged Level (CPR) is 0 Operating system kernel Level 0 Operating system services Level 1 Level 2 Applications Level 3 6 Layered Structure Hiding information at each layer Layered dependency Examples Level N THE (6 layers) . MS-DOS (4 layers) . Pros Level 2 Layered abstraction
    [Show full text]