RTCSA 2006 Work in Progress Section


RTCSA 2006 Work in Progress Session
Editors: Timothy Bourke and Stefan M. Petters
Work-in-Progress Chair: Liu Xiang, Peking University, China
National ICT Australia, 223 Anzac Parade, Kensington NSW 2052, Australia
{firstname.lastname}@nicta.com.au
Technical Report, August 2006

Copyright 2006 National ICT Australia. All rights reserved. The copyright of this collection is with National ICT Australia. The copyright of the individual articles remains with their authors. National ICT Australia is funded by the Australian Government's Department of Communications, Information Technology, and the Arts and the Australian Research Council through Backing Australia's Ability and the ICT Research Centre of Excellence programs.

Contents

A Fast System Call Implementation for Embedded Systems (Shi-Wu Lo) ... 1
An Efficient Model-Mapping-Schema-Based Approach for Real-Time Access to XML Database Systems (Chih-Chiang Lee, Jun Wu, Chih-Wen Hsueh and Tei-Wei Kuo) ... 7
Genetic-based Approach for Scheduling, Allocation, and Mapping for HW/SW Co-Design with Dynamic Allocation Threshold (Chun-Nan Chou, Yi-An Chen and Chi-Sheng Shih) ... 13
Reducing System Entropy Using Fine-Grained Reboot (Hiroo Ishikawa, Harry Sun, Tatsuo Nakajima) ... 19
Static Analysis Support for Measurement based WCET Analysis (Stefan Schaefer, Bernhard Scholz, Stefan M. Petters and Gernot Heiser) ... 25
Using a Processor Emulator on a Microkernel-based Operating System (Hidenari Koshimae, Yuki Kinebuchi, Shuichi Oikawa and Tatsuo Nakajima) ... 31
Virtualization Techniques for Embedded Systems (Yuki Kinebuchi, Hidenari Koshimae, Shuichi Oikawa and Tatsuo Nakajima) ... 37

A Fast System Call Implementation for Embedded Systems
Shi-Wu Lo
Department of Computer Science and Information Engineering, National Cheng-Chung University
[email protected]

Abstract

User mode programs usually require assistance from hardware in order to execute a mode change before using a system service. This also allows the user mode program to gain complete control of hardware. In this paper, new instructions are proposed; the OS may then take advantage of these instructions to use the system service more effectively, while reducing the kernel size and adding to the flexibility in design.

Introduction

A system call acts as a communication interface between the Operating System (OS) and User Mode Program (UMP). To guarantee that all hardware resources are under the control of the OS, the processor must have 2 or more execution modes (i.e. kernel mode and user mode). In addition, mode changes (e.g. user mode => kernel mode) must be executed such that system security is not harmed in any way. Currently, most OSs and CPUs use software interrupts to complete mode changes. Since all system calls have the same entry point, kernels must use certain types of dispatch mechanisms (e.g. table lookup) to map between system calls and Kernel Service Routines (KSRs). Such mechanisms make the pre-processing of system calls fairly complex. Thus, in this paper we propose a new method called Fast System Call (FSC) to increase the efficiency of system calls.

Take as an example Linux's system calls operating on a Pentium processor. Figure 1 shows that 5 steps are required to complete a system call: 1. the UMP generates a software interrupt (i.e. int 0x80); 2. the processor loads the content at location 0x80 in the Interrupt Descriptor Table (IDT) into the Program Counter (PC); 3. when the new PC is loaded, the OS calls out to different KSRs based on the value of the AX register; 4. return from the called KSR; 5. return from the kernel.

[Fig. 1 Linux's system call on a Pentium processor. User space: _write: prepare registers; software interrupt (Step 1). Interrupt descriptor table (IDT): jump sys_call_handler (Step 2). Kernel space: sys_call_handler: jump sys_call_tbl[_write] (Step 3); KSR executes and returns (Step 4); return from interrupt (Step 5).]

Since interrupt-based system calls must call out to the correct KSRs using software dispatch mechanisms (Step 3), the execution of those applications with more stringent time requirements must be done inside the kernel (e.g. as a Linux kernel module). Doing so raises efficiency, but lowers system stability. In this paper, we hope to increase system call efficiency by performing minor CPU modifications.

The Fast System Call Implementation

The FSC utilizes a cipher register to limit the entry points of the kernel. This way the UMP can directly call out to the particular KSRs. The proposed method is shown in the figure below:

[Fig. 2 The new method. Columns: Address, Content (code / hexadecimal). User space, 0x00FE0000: jmp 0xC00FF004 (Step 1). Kernel space, 0xC00FF004: 0xFF0788FF; 0xC00FF008: int do_write(...) { ... }. Step 2: 0xC00FF004 xor 0xFF0788FF =? reg_cipher. Y: continue in kernel mode (Step 3.b), return (Step 4), return to user space (Step 5). N: Exception handler routine (Step 3.a).]

As shown in Figure 2, we have omitted some details for simplicity. For example, because immediate addressing cannot address all address spaces, the destination addresses may first need to be copied to registers before a jmp instruction can be performed.

When the UMP is executing the instruction (i.e. jmp 0xC00FF004) stored in memory location 0x00FE0000, the CPU will detect that the next instruction to be executed (at 0xC00FF004 in Figure 2) is located in kernel space. Thus the CPU will handle the instruction/word at 0xC00FF004 in a special way. First, the instruction/word from 0xC00FF004 (i.e. the instruction/word represented by 0xFF0788FF) will be exclusive-ORed with the memory address of the instruction/word (i.e. 0xC00FF004). (This is shown in Step 2 in Figure 2.) The result of this exclusive-OR operation is then compared to the cipher register (reg_cipher in Figure 2). If the comparison shows that the two are equal, then the CPU can immediately switch over to kernel mode and continue the execution (Step 3.b in Figure 2). On the other hand, if the comparison shows that the two are not equal, then the system generates an exception, and an Exception Handler Routine (EHR) is executed instead (Step 3.a in Figure 2).

This approach primarily serves 2 purposes:

1. Simplify the process flows followed by the OS when processing system calls.
2. Given the premise that the system security is not to be harmed, FSC allows the kernel to simultaneously store code and data on the same page. As such, the kernel becomes smaller and more efficient.

As described earlier, most kernels have a single entry point. When this is the case, the processing steps for system calls become fairly complex. (Please refer to the explanations in the Introduction section.) In contrast, the new method directly executes the corresponding KSR, resulting in less overhead.

The Purposes of Encryption

To make the kernel even smaller and more efficient, we must encrypt the KSR's first instruction. If encryption is not applied to protect the KSR's entry point, the kernel must then divide up all pages strictly into data pages and code pages. Then, the XD bit (execute disable bit) of data pages can be set to prevent these pages from executing. The method (FSC) proposed by this paper allows the placement of code segment and data segment on the same page, which helps lower internal fragmentation and thereby enhances the utilization rate of kernel memory. On the other hand, since code segment and data segment are placed side by side, the compiler may use as much PC-relative addressing as possible to improve the particular module's efficiency and size (as shown in Figure 3).

[Fig. 3 The kernel modules can be inserted into the kernel more easily and efficiently. newModule: page1 (data seg.), page2, page3 (code seg.), linked by PC-relative addressing; install: newPage holding _newWrite is placed in the kernel alongside page4, page5, page6.]

For example, without FSC and without dividing up all pages into data pages and code pages, a malicious program may use the system call "write" to disguise itself as data and write itself into a data buffer within the kernel. If this malicious program learns the location of this data buffer from studying the code of Linux (assuming the location is 0xCF00044), it may use the instruction jmp 0xCF00044 to execute the illegal code. However, because the UMP has no way of learning the value inside reg_cipher, the malicious program will be unable to fill in the correct value at 0xCF00044. As such, the program that begins at 0xCF00044 cannot be certified, and the CPU would automatically begin the execution of the corresponding EHR. Within the EHR, the OS will terminate the malicious program and report an error (Step 3.a in Figure 2).

Related Work

Most CPUs and OSs (such as SI from the ARM [1] series, and the int 0x80 from the Intel x86 series [2] running on Linux) adopt a system call design that is

should have special permission. By having the call gate call out to the KSR, the CPU can automatically switch over from user mode to kernel mode. Since the call gates are located on independent pages/segments, it consumes more memory in contrast to FSC. Also, in contrast to the 2 existing methods (call gates and interrupt-based system calls), when the system adds in a new module which provides a system call, the FSC requires no special processing to export the provided system call. (As shown in Figure 3, the new system call within newModule is called _newWrite. When a super user adds this module into the kernel, the kernel just adds ciphertext in front of _newWrite, enabling the UMP to use the new system call.)

The method used by language-based OSs represents an extreme case, which totally relies on software's dynamic checks to limit the usage of pointers and hardware.
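The entry check from the Fast System Call Implementation section, the malicious-program scenario under The Purposes of Encryption, and the module-installation step for _newWrite, modelled in C as an added example (this is not code from the paper or its author). The addresses 0xC00FF004 and 0xC00FF008 are taken from Figure 2; the value of reg_cipher, the 1 MiB kernel-memory window starting at 0xC0000000, the data-buffer address 0xC00FF040, the stored byte pattern and all function names are constructed assumptions. The CPU-side check is the paper's rule: the word at the target address, exclusive-ORed with that address, must equal reg_cipher, or the Exception Handler Routine runs instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: addresses at or above FSC_KERNEL_BASE are "kernel space";
 * one 1 MiB window is modelled, enough to hold the paper's 0xC00FF004. */
#define FSC_KERNEL_BASE 0xC0000000u
#define FSC_KMEM_WORDS  0x40000u   /* 262144 32-bit words = 1 MiB */

struct fsc_kmem {
    uint32_t word[FSC_KMEM_WORDS]; /* word[i] models address FSC_KERNEL_BASE + 4*i */
};

enum fsc_result {
    FSC_NOT_KERNEL = 0,   /* target in user space: ordinary jump, no mode change */
    FSC_BAD_ADDRESS = 1,  /* target unaligned or outside the modelled window */
    FSC_ENTER_KERNEL = 2, /* word ^ address == reg_cipher: kernel mode (Step 3.b) */
    FSC_EXCEPTION = 3     /* mismatch: Exception Handler Routine runs (Step 3.a) */
};

/* Map a kernel address onto the model's word index; returns 0 if unmodellable. */
static int fsc_kmem_index(uint32_t addr, size_t *idx)
{
    uint32_t off;
    if (addr < FSC_KERNEL_BASE || (addr & 3u) != 0)
        return 0;
    off = (addr - FSC_KERNEL_BASE) / 4u;
    if (off >= FSC_KMEM_WORDS)
        return 0;
    *idx = off;
    return 1;
}

void fsc_kmem_init(struct fsc_kmem *m)
{
    memset(m, 0, sizeof *m);
}

/* The ciphertext word the kernel places at an entry point: the unique w with
 * w ^ addr == reg_cipher. Without reg_cipher it cannot be computed. */
uint32_t fsc_cipher_word(uint32_t reg_cipher, uint32_t addr)
{
    return reg_cipher ^ addr;
}

/* Kernel side: certify addr as a KSR entry. The KSR's real code follows at
 * addr + 4, as do_write follows 0xC00FF004 in Figure 2. Installing a module's
 * _newWrite needs nothing more than this one store. */
int fsc_install_entry(struct fsc_kmem *m, uint32_t reg_cipher, uint32_t addr)
{
    size_t i;
    if (!fsc_kmem_index(addr, &i))
        return 0;
    m->word[i] = fsc_cipher_word(reg_cipher, addr);
    return 1;
}

/* Kernel side: an ordinary data store, e.g. a word that write() copied into a
 * kernel buffer. The caller chooses the value but never sees reg_cipher. */
int fsc_store_word(struct fsc_kmem *m, uint32_t addr, uint32_t value)
{
    size_t i;
    if (!fsc_kmem_index(addr, &i))
        return 0;
    m->word[i] = value;
    return 1;
}

/* CPU side: the check made when a user-mode jmp targets kernel space
 * (Step 2 in Figure 2). The comparison alone decides; no dispatch table. */
enum fsc_result fsc_user_jump(const struct fsc_kmem *m, uint32_t reg_cipher, uint32_t target)
{
    size_t i;
    if (target < FSC_KERNEL_BASE)
        return FSC_NOT_KERNEL;
    if (!fsc_kmem_index(target, &i))
        return FSC_BAD_ADDRESS;
    return ((m->word[i] ^ target) == reg_cipher) ? FSC_ENTER_KERNEL : FSC_EXCEPTION;
}

int main(void)
{
    static struct fsc_kmem mem;              /* static: 1 MiB, keep it off the stack */
    const uint32_t reg_cipher = 0x5A3C9E71u; /* constructed secret in the cipher register */
    fsc_kmem_init(&mem);

    /* Kernel certifies the write KSR's entry at the paper's address 0xC00FF004. */
    fsc_install_entry(&mem, reg_cipher, 0xC00FF004u);
    printf("jmp 0xC00FF004 (certified entry) -> %d (2 = enter kernel)\n",
           fsc_user_jump(&mem, reg_cipher, 0xC00FF004u));

    /* The paper's scenario: bytes placed in a kernel data buffer through write(),
     * then a jump to that buffer. Buffer address and contents are constructed. */
    fsc_store_word(&mem, 0xC00FF040u, 0x90909090u);
    printf("jmp 0xC00FF040 (data buffer)     -> %d (3 = exception)\n",
           fsc_user_jump(&mem, reg_cipher, 0xC00FF040u));

    /* Entering past the ciphertext into the KSR body (modelled as a zero word) is
     * refused as well: only the certified word passes the comparison. */
    printf("jmp 0xC00FF008 (KSR body)        -> %d (3 = exception)\n",
           fsc_user_jump(&mem, reg_cipher, 0xC00FF008u));
    return 0;
}
```

The model makes the paper's two claims concrete: the kernel never needs a dispatch table because each certified entry carries its own proof of certification, and a word written into kernel memory through a legitimate data path cannot pass the check unless the writer knows reg_cipher, which user mode cannot read.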
