Design of the SPEEDOS Operating System Kernel
Total Page:16
File Type:pdf, Size:1020Kb
Universität Ulm Fakultät für Informatik Abteilung Rechnerstrukturen Design of the SPEEDOS Operating System Kernel Dissertation zur Erlangung des Doktorgrades Dr. rer. nat. der Fakultät für Informatik der Universität Ulm vorgelegt von Klaus Espenlaub aus Biberach a.d. Riß 2005 Official Copy, serial number df13c6b7-d6ed-e3f4-58b6-8662375a2688 Amtierender Dekan: Prof. Dr. Helmuth Partsch Gutachter: Prof. Dr. J. Leslie Keedy (Universität Ulm) Gutachter: Prof. Dr. Jörg Kaiser (Otto-von-Guericke-Universität, Magdeburg) Gutachter: Prof. John Rosenberg (Deakin University, Geelong, Victoria, Australia) Prüfungstermin: 11.07.2005 iii Abstract (Eine inhaltsgleiche, deutsche Fassung dieser Übersicht ist ab Seite 243 zu finden.) The design of current operating systems and their kernels shows deficiencies in re- spect to the structuring approach and the flexibility of their protection systems. The operating systems and applications suffer under this lack of extensibility and flexib- ility. The protection model implemented in many operating systems is not powerful enough to represent arbitrary protection conditions on a more fine-grained granu- larity than giving read and/or write access to an entire object. Additionally current operating systems are not capable of controlling the flow of information between software units effectively. Confinement conditions cannot be expressed explicitly and thus confinement problems can only be solved indirectly. Further complications with the protection system and especially the software structure in modern operating systems based on the microkernel approach are caused by the use of the out-of-process model. It is extremely difficult to spe- cify access rights appropriately, because the client/server paradigm does not easily allow a relationship to be established between the role of the client and the per- missions of the server. Focusing on client/server structures favours a single, central server implementation. Specifying a software design and communication model for applications at the operating system level impairs their structure. In reaction to this observation, SPEEDOS follows the in-process model. Processes are the abstraction of activity and are orthogonal to the information-hiding objects. This model is part of the design of many object-oriented programming languages and a few operating systems. The method call does not switch processes, it trans- fers execution to another object in a controlled fashion. This model is almost equi- valent to the out-of-process model, but the in-process model provides advantages, because the process identifier correlates to a subject. However this only helps with protection, but does not magically improve the protection system. The two major deficiencies identified and addressed in this thesis are the ver- satility of access right specification and the structuring of the operating system in conjunction with the applications. The SPEEDOS design places the emphasis on balancing the duties and powers of the kernel and the applications, in order to obtain a flexible and extensible overall system. SPEEDOS supports freely programmable protection checks for individual method invocations. These checks are implemented with bracket methods, which intercept other method invocations. The concept was invented in the context of component- oriented programming languages, which are meant to improve the software struc- ture beyond the state of the art in object-oriented programming languages. In the iv operating system context this is a new concept which allows the implementation of protection checks and similar code in user-level code. Bracket methods may e.g. deny access to the target method based on arbitrary rules or may implement access monitoring. In other operating systems it is not possible to implement these cases completely with user-level code. Brackets may also serve as a basis for implementing confinement, by checking the client and target module identity and the information that is passed between the modules. In SPEEDOS there is a further mechanism which allows confinement rules to be enforced. This additional mechanism, which can be expressed through bits in the module capability used to invoke the target module, complements the bracket- based confinement. Both mechanisms have different strengths and weaknesses. Another important aspect of the SPEEDOS design is the delegation of many oper- ating system duties to individual application software modules. The design of the kernel explicitly restricts the duties of the kernel to security-related basic mechan- isms. All policy decisions are made in user-level modules. The delegation of oper- ating system duties to the individual application modules is only sensible for duties which can exploit application knowledge and do not need global knowledge. Cer- tain resource management duties need to be implemented in centralised modules, otherwise the allocation efficiency would suffer. Making decisions as decentralised as possible avoids many structural problems of microkernels, which also attempt to delegate functionality to user-level servers, but results in a completely different and less flexible and extensible operating system and application structure. The kernel implements only policy-neutral mechanisms and delegates all policy decisions to user-level code, in order to minimise the size of the kernel. As an in- tentional side-effect this maximises the flexibility and extensibility of the user-level modules. Effectively the complete operating system characteristics are determined by user-level code. The result is an operating system kernel that implements only a few mechanisms in the form of kernel instructions that enhance the base processor instruction set. Most such kernel instructions deal with aspects related to protec- tion. The SPEEDOS kernel implements the in-process model, which avoids many protection problems, because processes represent users, not services. The ortho- gonal design of modules and processes is the key to a flexible, freely programmable protection system, based on capabilities and bracket methods. In the prototype implementation it is shown that the virtual memory model used to describe the module structure can be mapped efficiently to the current page- based memory architecture implemented by the standard processor architectures available today. It is not necessary to design a custom processor architecture, al- though certain improvements in the virtual memory implementation provided by the processor hardware would be desirable. This observation confirms the experi- ences made by the designers of other single-address-space operating systems. The design description in this thesis reflects the experiences made during the implementation of the prototype. The prototype helped identifying small errors and inconsistencies in the design, however the changes could not be incorporated in the prototype due to time constraints. v Contents 1 Introduction 1 1.1 Motivation . 1 1.2 Aims of SPEEDOS ............................. 3 1.3 Overview of the Thesis . 3 2 Operating System Concepts and Application Issues 5 2.1 What Is an Operating System? . 5 2.1.1 The Operating System as a Resource Manager . 6 2.1.2 The Operating System as a Virtual Machine . 6 2.2 Memory Model . 7 2.2.1 Memory Hierarchy . 8 2.2.2 Non-Virtual Memory Organisation . 9 2.2.3 General Virtual Memory Organisation . 10 2.2.4 Virtual Memory as Extended Computational Memory . 11 2.2.5 Direct Addressability . 12 2.2.6 Segmentation . 13 2.2.7 Paging . 15 2.2.8 Combined Segmentation and Paging . 17 2.3 Process Model . 18 2.3.1 Out-of-Process Model . 19 2.3.2 In-Process Model . 20 2.3.3 Evaluation of the Process Models . 20 2.3.4 Persistent Processes . 21 2.3.5 Address Spaces . 21 2.3.6 Multithreading . 22 2.3.7 Interrupts . 23 2.4 Device Drivers and File Systems . 24 2.4.1 Device Driver Functionality . 24 2.4.2 Device Driver Interface . 25 2.4.3 File System Functionality . 26 2.4.4 File System Interface . 26 2.5 Resource Management . 27 2.5.1 CPU Scheduling . 28 2.5.2 I/O Scheduling . 29 vi Contents 2.5.3 Physical Memory Scheduling . 29 2.5.4 Virtual Memory Scheduling . 30 2.5.5 Energy Management . 30 2.6 Communication . 30 2.6.1 Addressing . 31 2.6.2 Synchronisation . 32 2.6.3 Buffering . 33 2.6.4 Explicitness . 34 2.7 Security Model . 35 2.7.1 Protection . 35 2.7.2 Lampson’s Access Matrix Model . 36 2.7.2.1 Access Control Lists . 37 2.7.2.2 Capability Lists . 38 2.7.3 Access Rule Model . 39 2.7.4 Access Control . 39 2.7.4.1 Discretionary Access Control . 40 2.7.4.2 Mandatory Access Control . 40 2.7.5 Access Rights . 41 2.7.5.1 Direct Access Rights . 41 2.7.5.2 Semantic Access Rights . 41 2.7.5.3 Generic Access Rights . 43 2.7.5.4 Metarights . 43 2.7.6 Implementing a Security Model . 43 2.7.7 Confinement . 44 2.7.8 Covert Channels . 44 2.7.9 Trust . 45 2.7.10 Authentication . 46 2.8 Structuring . 46 2.8.1 Layered Systems . 47 2.8.2 Abstraction . 49 2.8.3 Client-Server System Structure . 49 2.8.4 Module-Based System Structure . 50 2.8.5 Operating System – Kernel Boundary . 50 2.8.6 Graphical User Interfaces . 52 2.8.7 Code Libraries . 53 2.9 Summary . 54 3 Survey of Mechanisms in Existing Operating System Designs 55 3.1 UNIX . 55 3.1.1 History and Structure . 56 3.1.2 Memory and Process Management . 57 3.1.3 Resource Management . 57 3.1.4 File System and Device Drivers . 58 3.1.5 Protection Mechanisms . 58 Contents vii 3.1.6 Authentication . 59 3.1.7 Communication and Synchronisation . 59 3.1.8 Critical Discussion and Summary . 60 3.2 KeyKOS . 62 3.2.1 Structure . 62 3.2.2 Memory and Process Management . 63 3.2.3 Protection Mechanism . 64 3.2.4 Communication . 65 3.2.5 Critical Discussion and Summary .