OpenVMS – 30 Yea rs of Relia ble a nd S ecure Computing Andy Golds tein OpenVMS Eng ineering © 2007 Hewlett-Packard Development Company, L.P. The informa tion contained herein is s ubject to cha nge without notice 30 Years of Evolution VMS in 1977 ● Dig ital’s 32 bit s upermini ● Terminals & times haring ● Fortran: eng ineering , s imulation ● 1.5M lines of code in bas e s ys tem 10/03/07 30 Years of Evolution VMS Now ● $3K works tations to $25M multi-s ite clus ters ● VAX, Alpha and, Itanium cpu ● Factory floor, interbank EFT, bus ines s trans actions , traffic control, databas e, internet s erver ● > 25M lines of code ● More reliable than ever ● Mos t V1 apps s till work 10/03/07 Major Evolutions in VMS ● DECwindows ● Clus ters ● S ymmetric Multiproces s ing ● Alpha Port ● Memory Manag ement Redes ig n ● Itanium Port 10/03/07 Overview of VMS Org anization ● Proces s : addres s s pace + thread(s ) of execution ● Demand pag ed, virtual memory ● Partitioned addres s s pace: ● P0: application code & data ● P1: s tacks and proces s -s pecific OS context ● P2: 64 bit extended proces s s pace ● S 0: OS code & g lobal data ● S 2: 64 bit extended s ys tem s pace 10/03/07 Overview of VMS Org anization ● Proces s acces s modes ● Us er ● S upervis or - DCL ● Exec - hig her OS layers ● Kernel ● S tack per acces s mode 10/03/07 Overview of VMS Org anization ● Interrupt (fork) context ● Kernel mode, hardware IPL ● S ys tem s pace only ● Limited s tack ● “Lig htweig ht thread” model ● AS T: as ynchronous procedure call ● Proces s equivalent of interrupt context 10/03/07 I/O S ubs ys tem ● $QIO s ervice in proces s context ● Loadable device drivers ● Driver pre-proces s ing in us er context ● Driver fork level ● I/O interrupt driver fork ● Proces s context completion AS T ● ACP - ancillary control proces s 10/03/07 DECwindows VMS becomes a works tation ● Graphics device drivers ● Port of X-11 and OS F Motif ● S es s ion manag er menu items : ● DCL s hell s cript ● Exis ting character cell apps : ● Partition into character cell UI and callable application log ic ● Add new windows UI 10/03/07 Clus ters VMS Becomes a Dis tributed Operating S ys tem VMS VMS VMS Node Node Node Storage Storage Ctrl Ctrl 10/03/07 Clus ters : The Lock Manag er ● Abs tract named res ources ● Lock modes to repres ent typical data acces s : ● EX ● PW ● PR ● CW ● CR ● NL 10/03/07 RMS and the Lock Manag er RMS Features ● Record-oriented I/O packag e ● S equential, direct, indexed ● Coherent s hared write acces s with record locking ● Proces s local buffers with coherent cache manag ement Private locking implementation replaced with clus ter lock manag er 10/03/07 Before Clus ters : File ACP S erver proces s intercepts complex file operations ● Open file context in s ys tem pool ● File metadata cache in proces s context ● S ing le thread operation provided implicit s ynchronization 10/03/07 Clus ters : the File XQP ● Clus ter implementation choices ● S ing le s erver with failover ● Multiple coordinated ACPs ● S erver proces s converted to run in client proces s context ● Cache moved to s ys tem pool ● S imple threading packag e layered on AS T mechanis m ● Explicit s ynchronization with lock manag er 10/03/07 S ymmetric Multiproces s ing Orig inal kernel s ynchronization des ig ned for uniproces s or: ● IPL 24-31: clock, cpu errors ● IPL 16-23: I/O interrupts ● IPL 8-11: device driver threads ● IPL 8: scheduling, memory management, kernel-level messages, etc. ● IPL 4: I/O completion processing ● IPL 3: process rescheduling ● IPL 2: AST delivery ● IPL 0: process execution 10/03/07 S ymmetric Multiproces s ing Implicit IPL s ynchronization replaced with explicit s pinlocks ● Each IPL becomes a s pinlock ● IPL 8 broken into functional areas ● Memory Manag ement ● S cheduling ● Clus ter communications ● File s ys tem ● etc. ● Continuing to refine locking 10/03/07 S MP Convers ion Brute force effort ● Entire kernel ins pected for s ynchronization ● Aided by exis ting macros (DS BINT, ENBINT, S ETIPL) ● Counters converted to interlocked ins tructions ● S pinlock rank des ig n detects des ig n deadlocks ● Debug and production locking macros 10/03/07 Port to Alpha VMS and VAX were made for each other ● Privileg ed architecture (memory manag ement, acces s modes , IPLs , etc.) ● Variable leng th CIS C ins tructions , 32 bit architecture ● Mos t of VMS kernel in macro 10/03/07 Port to Alpha Alpha is ● 64 bit architecture ● Fixed leng th RIS C ins truction But… ● VAX-like privileg ed architecture ● Compatible datatypes 10/03/07 Port to Alpha Rewrite: ● CPU s upport ● Boot code ● S ome drivers ● Low level memory manag ement ● Exception handling ● Math RTL 10/03/07 Port to Alpha Compile everything els e: ● Blis s & C ● Macro! ● 32 bit vs 64 bit ● Compilable macro ● Atomicity is s ues ● Executable imag es !! Res ult: “It’s really VMS . It even has the s ame bug s .” - early Alpha us er 10/03/07 64 Bit Virtual Memory • Orig inal pag e table des ig n Page OFF S 0 S pace Data Pag e Page OFF Da ta 10/03/07 64 Bit Virtual Memory • Extended virtual addres s ing L1 L2 L3 OFF L1PT L2PT L1 L3PT L2 Data Pag e L3 OFF Data 10/03/07 64 Bit Virtual Memory • Pag e table reference K L1 L2 L3 L1PT L2PT K L 1 L3PT L2 L3 10/03/07 Port to Itanium • Another 64-bit architecture, but... • Different reg is ter conventions • Intel calling s tandard • Different privileg ed architecture −No PALcode −Different console / boot procedure −Different interrupt architecture −Different synchronization primitives 10/03/07 Port to Itanium • Fortunately... • 4 acces s modes • Compatible memory protection features • Memory atomicity no wors e than Alpha 10/03/07 Port to Itanium • Rewrite −CPU support −Boot code • New −Interrupt & exception delivery in software −Emulation of interlocked instructions (queues, etc.) −EFI partition on system disk • Redes ig n −Calling standard and condition handling −Object and executable file format 10/03/07 Port to Itanium • Recompile • 95% of bas e OS code recompiled without chang e • Binary trans lator als o available 10/03/07 Part 2 Building a S ecure Operating S ys tem – the VMS Approach 10/03/07 What is S ecurity? Us ers ' data handled according to a s ecurity policy • Policy mus t meet us ers ' needs • Policy mus t always be correctly handled s o... • Conceptually, s ecurity is very s imple • In practice, s ecurity is fractal (Butler Lamps on) 10/03/07 General Concepts • Reference monitor −Textbook model −Two examples • S ys tem layering – the textbook and reality −Textbook model −The reality of VMS • Typical privileg ed s ubs ys tem 10/03/07 Copyright © 2007 HP corporate pres entation. All rights res erved. 31 Reference Monitor The textbook model Reference Us er Monitor Data Authorization Audit Databas e Trail 10/03/07 Copyright © 2007 HP corporate pres entation. All rights res erved. 32 Reference Monitor • All object acces s es are controlled by the reference monitor • The authorization databas e determines the acces s control policy • Object acces s es may be recorded in the audit log • The reference monitor, authorization databas e, and audit log are tamperproof therefore... • The reference monitor implementation mus t be correct 10/03/07 Copyright © 2007 HP corporate pres entation. All rights res erved. 33 Reference Monitor Two Examples • An acces s to a file −The file represents the data object −The rights database and the file's ACL contain the authorization information −The access may be audited • The $S ETSWM s ervice −A single bit of process state represents the data object −The authorization database is the PSWAPM privilege −Audit capability exists 10/03/07 Copyright © 2007 HP corporate pres entation. All rights res erved. 34 S ys tem Layering The Textbook Model Kernel (trusted) User Mode (untrusted) 10/03/07 Copyright © 2007 HP corporate pres entation. All rights res erved. 35 S ys tem Layering Development Tools Command Language Interpreter •Text editors •Macro •Compilers Privileged Images •Linker •Images installed with privilege RMS and System Services •Protected shareable images •Protected subsystems $OPEN •Privileged server processes $GET •Informational utilities System Services $IMGACT $PUT $CRETVA $ASSIGN $CLOSE $ADJWSL Run Time Library $CRMPSC Memory I/O $QIO Management Subsystem (General) •Math library $CANCEL •Device •String handling Drivers •Screen management •Pagefault System-wide •I/O Support •Misc LIB functions •Swapper Protected Routines Data Structures •Page Tables •I/O Database •Scheduler Data Process and Time Management •Scheduler Run Time Library •Process Control (Language-specific) $WAKE •CRTL $CREPRC •FORTRAN Assorted Utilities •PASCAL $SETIMR •COPY •BASIC •HELP •DIRECTORY •SORT 10/03/07 Copyright © 2007 HP corporate pres entation. All rights res erved. 36 Typical Privileg ed S ubs ys tem Privileg ed VMS Us er S ubs ys tem S ervices Us er Private Data Data 10/03/07 Copyright © 2007 HP corporate pres entation. All rights res erved. 37 Principles • Who is performing the operation? −A privileged subsystem performs some operations on its own behalf, with its rights and privileges −It performs other operations on behalf of the user. The subsystem must take care not to take any actions the user could not have done by themselves.