WIND RIVER WHITE PAPER Implementing Basic Memory Protection in VxWorks: A Best Practices Guide Paul Chen Product Manager, Wind River Contents Implementing Basic Memory Protection in VxWorks: A Best Practices Guide 1. Introduction . .1 2. Embedded Device Development Issues . .1 Increasing software complexity . .1 Compressed development times . .1 Expanding device functionality . .1 Demanding service-based economy . .1 Increasingly connected devices . .1 3. VxWorks and Memory Protection . .1 4. VxWorks Basic Memory Protection . .2 Protecting private data . .2 Protecting shared data . .3 Detecting buffer overruns / underruns . .3 5. VxWorks Memory Protection using VxVMI . .3 Protecting program code . .4 Protecting the interrupt vector table . .4 6. VxWorks Memory Protection using VxVMI: Advanced Best Practices .4 Protecting private data . .4 Protecting shared data . .5 Detecting buffer overruns / underruns . .5 Examining virtual memory contexts . .5 7. Getting VxVMI . .5 VxVMI availability . .5 8. Summary . .6 1. Introduction bundled with VxWorks, as well as efficiency of both development and Wind River’s VxWorks® is the most VxVMI™, an unbundled Operating debugging phases of projects, widely deployed real-time operating System (OS) Extension for VxWorks thereby improving the device’s time system (RTOS) in the embedded that provides additional memory to market. device market. With over 46 percent protection features and program- share of the embedded RTOS matic access to the MMU. The basic Expanding device functionality market1, VxWorks has enabled thou- memory protection features in Embedded devices are becoming sands of customers worldwide to VxWorks utilize the MMU that is open, multifunction, managed appli- deliver millions of reliable, high- present in many of today's proces- ances. Embedded applications will performance products to market — sors to enhance productivity during become increasingly more dynamic rapidly, efficiently and cost-effective- the development and debugging as vendors allow customization ly. To achieve the guaranteed cycles. Use of memory protection (personalization), extensions, and responsiveness and determinism can also improve the reliability and software updates on such devices. that are crucial characteristics of quality of an embedded system by Again, memory protection becomes mission- or life-critical applications, reducing security risks in its applica- critical to device reliability. VxWorks supports application devel- tions, and can improve the device’s opment exclusively in kernel (or time to market by making develop- Demanding service-based economy “supervisor”) mode. Executing in a ment and debugging cycles both As the economy becomes progres- flat, non-protected memory space more efficient and effective. To sively more service-based, it grows enables applications to obtain the enable developers to take advantage more dependent on the timeliness utmost performance, determinism, of these benefits, this paper and availability of those services. and application flexibility. Kernel describes some “best practice” Downtime for the provider means a mode execution, however, precludes examples for implementing memory loss of service revenue and customer the ability to take advantage of some protection in VxWorks when design- loyalty. Downtime for the consumer types of memory protection enforced ing reliable embedded applications. means a denial of service access and by a Memory Management Unit user frustration. These consumers, (MMU). Use of an MMU can protect 2. Embedded Device Development unlike desktop users, are extremely application code, kernel code, and Issues intolerant of failures. Systems critical data. This memory protection Over the past few years, Wind River providing these services require pro- is usually accompanied by a cost in has been tracking key trends in the tection from common memory faults reduced system performance, due to embedded device market. The trends to improve their overall robustness. the implementation of a process relevant to this paper involve issues model-based or a message-passing facing the developers of embedded Increasingly connected devices architecture. devices. These issues have a direct When embedded devices are opened As the sophistication of embedded impact on system design require- up to the outside world, they must applications has increased, however, ments, as described below. preserve system reliability and issues of system reliability and robustness through protective protection have become ever more Increasing software complexity measures against inadequately important. If an embedded system Embedded applications comprising debugged or poorly designed third- can withstand some performance several megabytes of code are party applications. degradation, its applications can becoming commonplace. Larger Due to these and other concerns, benefit from memory protection development teams, from different memory protection has assumed mechanisms to improve reliability. divisions or business units or even paramount importance for develop- Errant or poorly designed applica- from different companies, collabo- ers of embedded devices. Using tions can be prevented from having rate on designs and face an VxVMI, developers can meet this harmful or disastrous effects on the increasing challenge to create robust requirement while obtaining the embedded system. Memory protec- applications. System reliability must small footprint, high performance, tion between applications supports a be ensured inherently by a system's reliability, and determinism that “fault containment” concept, and can software design, including OS- VxWorks is known throughout the limit the extent of the effect of cer- provided memory protection, rather industry for providing. tain types of software faults. Memory than by relying on extensive system- protection also assists development, level integration testing. 3. VxWorks and Memory Protection catching memory trashing bugs dur- VxWorks is a task-based RTOS in ing integration or debug cycles that Compressed development times which applications run in kernel (or are often difficult to detect and To remain competitive, developers of “supervisor”) mode. In this mode of diagnose. embedded devices face increasing operation, all of physical memory While VxWorks does not provide pressure to shorten project develop- can be accessible to developers in full memory protection and applica- ment cycles and to bring devices to real-addressing mode. Applications tion isolation, Wind River does offer market more quickly. Use of memory that execute in kernel mode can both basic MMU support that is protection can greatly enhance the achieve the highest performance and 1 “2002 Embedded Market Study,” CMP Media LLC, November 2002. 1 determinism, and have the utmost in address 0x0, the protection of this 4. VxWorks Basic Memory flexibility. One risk, however, of table by VxVMI also enables detec- Protection executing in kernel mode is that any tion of writes to a null address. The basic level of MMU support bun- area of memory — e.g., the applica- dled with VxWorks primarily provides tion code, data, or even the kernel By utilizing VxWorks memory pro- cache-safe buffers (see Chapter 12, itself — can potentially be overwrit- tection, developers of software for “Virtual Memory Interface,” in the ten by software bugs or misbehaving embedded systems can realize the VxWorks Programmer’s Guide). applications. following benefits: Importantly, too, it provides pro- Many processors today provide an grammatic modification of page on-chip or onboard Memory Manage- • Improved efficiency of development status, which enables developers to ment Unit (MMU) that can be used to and debugging implement a basic level of memory protect memory against unintention- Memory protection enables faster protection. al or undesired access. To enable diagnosis of incorrect memory To enable the bundled, basic MMU developers to take advantage of accesses. support in VxWorks, define the con- memory protection in their VxWorks- • Improved system reliability and figuration macro powered embedded devices, Wind robustness INCLUDE_MMU_BASIC. See figure 1. River provides bundled, basic MMU Memory protection helps prevent support and an unbundled OS Exten- bugs from crashing devices. The ability to modify page status sion called VxVMI. Some examples of • Reduced development risk dynamically enables developers to: how memory protection can assist Memory protection helps reduce • Protect private memory the development of VxWorks appli- the possibility that latent bugs in • Protect shared memory cations include: the shipping code, or new bugs • Detect buffer overruns and under- from add-on applications, will runs • Detection of buffer overruns or adversely affect the functionality or underruns performance of devices. Each of these benefits will be dis- Using either the bundled MMU • Improved time to market cussed below. For a summary of support or the APIs provided by More efficient development using basic MMU routines, see vmBaseLib VxVMI, pages allocated around memory protection leads to faster in the VxWorks OS Libraries API local buffers can be write-protect- development cycles. Reference. ed so that attempts to write beyond • Improved device quality buffers can be detected both dur- Memory protection enables safer Protecting private data ing debugging and in commercially code, and more graceful degrada- There are many instances when deployed products and systems. tion of device behavior in the face