Singularity: Designing Be er So ware
James Larus Microso Research
CAV July 10, 2008 MSR’s Decade of Tools Progress (and Frustra on)
• MSR has researched, developed, and deployed programming tools for 10+ years • Struggle to bring tools to prac ce – incomplete, informal specifica on – unsafe languages (C) – tenuous assump ons (e.g., code completely known and immutable) • Verifica on and tes ng at a low level – language features and library APIs – persistent ques on: “are these the right bugs?” • So ware development is inherently broken – “first we bug the so ware, then we debug it” • People and organiza on may be more important than bugs and tes ng – (another talk)
Singularity Singularity
• Microso Research project with goal of more robust and reliable so ware Safe • Rethink the so ware stack Languages (C#) • Ar culated architectural principles – so ware will fail, system should not – system should be self-describing Verification Tools – verify as many aspects as possible • No single magic bullet Improved OS Architecture – mutually reinforcing improvements to languages and compilers, systems, and tools
Singularity Singularity in the News
Judging from recent rumours, Unfortunately,that's this what willingness it is preparing to begin with to do.an entirely newEven foundation though isit notwon't located be withinin the WindowsWindows group but 7,in Microsoft’sMicrosoft research is happy arm, where scientiststo talk andabout their “ hereticalMinWin thoughts”—a are safely isolated.slimmed Last down April, Microsoftversion ofpublicly the unveiledWindows the five-year-old core. research It’s even project, willing called “Singularity.”to discus It is nothing its “Singularity” more than a neat project academic—a exercise, microkernel-based not a glimpse of Windows operating 7. system written strictly for “Singularityresearch is not the purposes. next Windows,” But ask said Rich Rashid, theabout company’s a project senior code-named vice president overseeing“Midori” research. and “Think everyone of it like clams a concept up. car.”
Singularity Why Rethink So ware Architecture?
VMS Windows (NT) Unix Linux Multics
1970 1980 1990 • Design parameters – scarce resources – assembly code – benign environment – knowledgeable users
Singularity The World Changed
• Hardware and so ware industries were wildly successful – machines are fast, memory is cheap – computers are ubiquitous – safe, high-level languages • Malicious environment – ubiquitous worms, viruses, scams, a acks, …
• Few users understand computers or so ware
Singularity Key Singularity Tenets
1. Use safe (managed) programming languages everywhere – safe ⇒ type safe and memory safe (C# or Java) – everywhere ⇒ applica ons, extensions, OS services, device drivers, kernel, … 2. Improve system resilience in the face of so ware errors – failure containment boundaries – explicit failure no fica on model 3. Modular verifica on – design assuming automated analysis – seal environments so verifica on can be sound – make system “self-describing,” so pieces can be examined in isola on – specify and check behavior at many levels of abstrac on
Singularity
Deemphasize Performance
• Easy to measure, but less important than dependability
• “Good enough” performance was goal – Singularity has very good performance
Singularity Singularity OS Architecture channels • Safe micro-kernel content web TCP/IP network – 95% wri en in C# extension server stack driver – all services and drivers in processes
ext. server tcp driver • So ware isolated processes (SIPs) class class class class – all user code is verifiably safe library library library library processes – some unsafe code in trusted run me run me run me run me run me – processes and kernel sealed at execu on • Communica on via channels kernel API – channel behavior is specified and checked kernel – fast and efficient communica on kernel page mgr scheduler class • Working research prototype chan mgr library – not Windows replacement proc mgr i/o mgr run me – shared source download HAL
Singularity SIP Process Model
• Process contains only safe code – except language run me (GC) • No shared memory – communicate via messages Software • Messages flow over bi-direc onal Isolated channels Process – well-defined & verifiable “SIP” • Small, versioned interface to kernel – threads, memory, & channels ABI • Seal process on execu on – no dynamic code loading Kernel – no in-process plug-ins
Singularity Challenge 1: Pervasive Safe Languages
• Modern, safe programming languages – preclude en re categories of serious defects, e.g. buffer overruns – easier to analyze • Singularity is wri en in Spec# – C# + pre/post-condi ons and invariants • Language research to support Singularity abstrac ons – channel communica ons – factor libraries into composable pieces – compile- me reflec on • Na ve compiler and run me system – no bytecodes or MSIL (not JVM or CLR)
Singularity Run me System
• JVM & CLR not appropriate for building systems • Rich run me (“one size fits all”) – monolithic, general-purpose environment – large memory footprint (~4 MB/process for CLR) – many OS dependencies (CLR PAL requires >300 Win32 APIs) • JIT compiler – increases run me size and complexity – unpredictable performance • Replicate OS func onality – security, threading, configura on, etc.
Singularity Singularity Run me
Singularity Applica on • Minimal run- me system Run me Libraries (GC, etc.) • Ahead-of- me, global op mizing compiler (Bartok) – specializes run me and libraries – eliminate unused language features and Bartok applica on or library code Compiler • Factorable run me and libraries • Language run me, garbage collector, and libraries selectable on per-process basis – reduce memory and computa on overhead Singularity Process – enforce design discipline and system policies per process x86 Executable
Singularity Challenge 2: Improve Resilience
• Cannot build so ware without defects – verifica on is a chimera (but we could do a lot be er) • So ware defects should not cause system failure • A resilient system architecture should – isolate system components to prevent data corrup on – provide clear failure no fica on – implement policy for restar ng failed component • Exis ng system architectures lack isola on and resilience
Singularity Open Process Architecture
• Ubiquitous (Windows, Unix, Java, browsers, etc.) Process – DLLs, classes, plug-ins, device drivers, etc. • Processes are not sealed – dynamic code loading and run me code genera on – shared memory – system API allow process to alter another’s state • Low dependability – 85% of Windows crashes caused by third party code in kernel – interface between host and extension o en poorly documented and understood – maintenance nightmare
Singularity Single Process Architecture
• Tradi onal safe language architecture App – Xerox PARC (Cedar, Smalltalk, etc.) App and Lisp Machine model – Java and .NET as well OS • Tangled code and data – language safety provides some isola on – garbage collec on must reclaim resources – dynamic code loading and run me code genera on – run me is single point of failure Runtime
Singularity Singularity Sealed Processes
• Singularity processes are sealed – no dynamic code loading or run- me Extension code genera on Process • all code present when process starts execu on – extensions execute in dis nct Extension processes • separate closed environments with well-defined interfaces – no shared memory
Kernel • Fundamental unit of failure isola on • Enhance op miza on, verifica on, security – “closed world” assump on is true!
Singularity Program Op miza on
Code Code w/ Program Whole Tree Shake % Reduction Kernel 2,371 KB 1,291 KB 46%
Web Server 2,731 KB 765 KB 72%
SPECweb99 Plug-in 2,144 KB 502 KB 77%
IDE Disk Driver 1,846 KB 455 KB 75%
• Closed world allows global op miza on to eliminate unused code • Reduces process code size by up to 75% • Fewer code paths ⇒ be er op miza on & error analysis
Singularity Complexity of Extensions
• Move register allocator Bartok Compiler from Bartok compiler to bartok.exe separate process Register Allocator – one of 50 phases regalloc.dll – updates IR to assign registers and insert spill opera ons – 156 shared classes (IR + ISA) – invoked per func on Register Allocator regalloc.exe • 6,441 calls in kernel compile • 50KB to 1.5MB of data
EuroSys 2007 Sealing OS Processes to Improve Dependability and 19 Security Code Complexity
Code Lines % of Orig. Bartok Compiler 210,000 95.45% Register Allocator 10,000 4.55% Altered in Host 3 +0.00%
Limited Marshal Tags 107 +0.05% Channel and Child 400 +0.18% Total 220,510 100.25%
• Child process adds < .25% (508 lines) to code base • Time to compile Singularity kernel increases by 11%
EuroSys 2007 Sealing OS Processes to Improve Dependability and 20 Security Isola on Requires Lightweight Processes
• Tradi onal processes rely on virtual memory and hardware domains – legacy of assembly language era – VM prevents reference into other address spaces – protec on prevents unprivileged code from access system resources • Processes are expensive to create and schedule – high cost to cross protec on domains (rings), handle TLB misses, and manipulate address spaces • Costs encourages monolithic architecture – expensive process crea on and inter-process communica on – large, undifferen ated applica ons – dynamically loaded extensions
Singularity So ware Isolated Processes (SIPs)
• Protec on and isola on enforced by language safety and kernel API design – process has exclusive access to a set of pages – all of process’s objects reside on its pages (object space, not address space) – language safety ensures process can’t create or mutate reference to other pages – everything can run in ring 0 in kernel memory (without the MMU)! • Global invariants: – no process contains a pointer to another process’s object space – no pointers from exchange heap into process
P1 P2 P3
Singularity Interprocess Communica ons
• Channels are strongly typed (value & behavior), bidirec onal communica ons ports – messages passing with language support • Messages live outside processes (“exchange heap”) – only a single reference to a message • “Mailbox” seman cs enforced by linear types – copying and pointer passing are seman cally indis nguishable • Channel buffers pre-allocated according to contract
P1 P2 P3
exchange heap
Singularity Performance Micro Benchmarks
Athlon64 3000+ Cost (CPU Cycles) (1.8GHz) Linux 2.6.11 Windows XP Singularity FreeBSD 5.3 nForce4 SLI (Red Hat FC4) (SP2) Minimum kernel API 80 878 437 627 call Message 13,300 5,800 6,340 request/reply 1,041 Process 388,000 1,030,000 719,000 5,380,000 create & start
• Why? – sta c verifica on replaces hardware protec on – all SIPs run in ring 0 – good op mizing compiler (not JIT) Singularity OS Controls Resources and Security
• OS owns, allocates, and reclaims system resources – conven onal model • On process termina on, OS reclaims memory pages and channels – not dependent on finaliza on or garbage collec on • Clean failure no fica on – messages in channel s ll available to other process • Security policy on per-process – crux is control of channels (capabili es)
Singularity Would You Trust Your System to a Type System?
• Process integrity depends on type and memory safety – currently trust compiler and run me • TAL can remove compiler from trusted compu ng base • Need to verify GC and run me as well (research challenge)
Sing# csc TALSingularity TCB Singularity TCB C# SingularitySingularity MSIL+ bartok x86 source sgc system system
compiler byte code applica on verifica on verifica on verifica on
Singularity S ll Not Convinced?
• Hardware Protec on Domains – virtual address space – contains one or more SIPs – runs at ring 0 (“kernel domain”) or ring 3
27 Domains: Monolithic Kernel
App App App 1 2 3
SIP
Protection Domain File Net System Stack Ring 3
Ring 0 Kernel
28 Domains: Novel Models
Unsigned App2 SIP Protection Domain
Unsigned Ring 3 Signed Extension App1 Extension Ring 0
Signed Unsigned Kernel Driver Driver
29 Hardware is Costly
Webfiles Macrobenchmark Unsafe Code Tax
+37.7% +33.0% 1.40 Safe Code Tax +18.9% 1.20 +6.3% -4.7% 1.00
0.80
0.60
0.40
0.20
0.00 No runtime Physical Add VM Add Separate Add Ring 3 Full Microkernel checks Memory Address Space Challenge 3: Verify More channels • Process internals (code): content web TCP/IP network – type safety extension server stack driver
– object invariants ext. server tcp driver – method pre- & post- condi ons class class class class library library library library – component interfaces processes run me run me run me run me • Process externals: – channel contracts Kernel API – resource access & dependencies kernel • System: kernel page mgr – communica on safety scheduler class chan mgr library – hardware resource conflict free proc mgr i/o mgr run me – namespace conflict free HAL
Singularity Boogie and Singularity
Network device driver Scheduler (kernel) • Hardware interac ons • Global proper es – Registers, DMA, etc. – Interrupts, lock levels, etc. • Layered objects • Strongly coupled objects – Main object owns others – Many object references • Driven by WDF interface • Concurrent – Order of invoca ons – Interrupts, mul threading Use Boogie to verify interesting properties in both contexts (Kevin Bierhoff 2007) 32 Example: Channel Contracts
public contract IoStream { Open? -> Error! ... Start state Start : { Open? -> { OK! -> Opened; Error! -> End; Open? -> OK! } End } state Opened : { Read? -> Data! -> Opened; Write? -> OK! -> Opened; Opened Close? -> OK! Close? -> OK! -> End; } state End; ... Read? -> Data! } Write? -> OK! ? = receive ! = send Singularity Example: Contract Conformance
Contract Web Server (User) public contract TcpSocketContract { ...... conn.SendRead(); state Connected : { switch receive { Read? -> ReadResultPending; case conn.Data(readData) : Write? -> WriteResultPending;
dataBuffer.AddToTail(readData); GetLocalAddress? -> IPAddress! return true; -> Connected; GetLocalPort? -> Port! -> Connected; case conn.RemoteClose() : return false; DoneSending? -> ReceiveOnly; } DoneReceiving? -> SendOnly; ... Close? -> Closed; Abort? -> Closed; } Missing Case state ReadResultPending : { case conn.NoMoreData() : Data! -> Connected; NoMoreData! -> SendOnly; RemoteClose! -> Zombie; }
Singularity Example: Configura on Specifica ons requires PCI Device [DriverCategory] [Signature("/pci/03/00/5333/8811")] class S3Trio64Config : DriverCategoryDeclaration requires 4MB frame buffer { (from in PCI config) [IoMemoryRange(0, Length = 0x400000)] IoMemoryRange frameBuffer; requires system console buffer [IoFixedMemoryRange(Base = 0xb8000, Length = 0x8000)] IoMemoryRange textBuffer; requires VGA I/O ports ...
[IoFixedPortRange(Base = 0x3c0, Length = 0x20)] requires control by IoPortRange control; plug-and-play system [ExtensionEndpoint(typeof(ExtensionContract.Exp))] TRef
[ServiceEndpoint(typeof(VideoDeviceContract.Exp))] TRef
Singularity Specifica on Usable in Many Ways
Driver (Source + Spec) File Disk Driver System driver class Driver Manifest library run me 1. Load driver
Conflict 2. Allocate I/O objects kernel kernel page mgr 3. Create channels scheduler class chan mgr library proc mgr System i/o mgr run me Manifest HAL
Singularity Architecture & Verifica on
• So ware architecture can enhance verifica on – modern programming language with appropriate abstrac ons – sealed processes – explicit communica ons across typed channels – specifica ons throughout system • Verifica on community should be involved in system design – your insights and contribu ons can make so ware be er (e.g. TM) – improved reliability and robustness are achievable – “verify what they build” approach complicates verifica on and produces poor so ware • Challenge: make reliability and robustness more important than performance
Singularity Conclusion
• Can we fundamentally improve the dependability of so ware? (yes) • Reexamine and rethink language, OS, and system architecture assump ons – OS should control applica on’s execu on environment – new mechanisms to enhance system integrity, verifiability, and dependability • Programming languages and run me systems are central to new architecture • Singularity is a complete (but simple) system – safe languages all the way down to the hardware – OS architecture improves system integrity and verifica on – many more aspects of system behavior are verifiable • Singularity project is done – using Singularity in small computer (cPhone) – working with incuba on team that is expanding Singularity
Singularity Obtaining Singularity
• Info: – h p://research.microso .com/os/singularity
• Code: – h p://www.codeplex.com/singularity
Singularity Singularity Research Team
• Lead by Galen Hunt and Jim Larus • MSR Cambridge – Paul Barham, Richard Black, Tim Harris, Rebecca Isaacs, Dushyanth Narayanan • MSR Redmond – Advanced Compiler Technology Group: • Juan Chen, Qunyan Mangus, Mark Plesko, Bjarne Steensgaard, David Tardi – Founda ons of So ware Engineering Group: • Wolfgang Grieskamp – Opera ng Systems Group: • Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen Hunt, Steven Levi – Security and Distributed Systems: • Dan Simon, Brian Zill – So ware Design and Implementa on Group: • John DeTreville, Ben Zorn – So ware Improvement Group: • Manuel Fahndrich, James Larus, Sriram Rajamani, Jakob Rehof • MSR Silicon Valley – Mar n Abadi, Andrew Birrell, Ulfar Erlingsson, Roy Levin, Nick Murphy, Ted Wobber
Singularity