
The following paper was originally published in the Proceedings of the USENIX Annual Technical Conference (NO 98), New Orleans, Louisiana, June 1998.

SLIC: An Extensibility System for Commodity Operating Systems

Douglas P. Ghormley, University of California, Berkeley
David Petrou, Carnegie Mellon University
Steven H. Rodrigues, Network Appliance, Inc.
Thomas E. Anderson, University of Washington

For more information about USENIX Association contact:
1. Phone: 510 528-8649
2. FAX: 510 548-5738
3. Email: [email protected]
4. WWW URL: http://www.usenix.org/

Abstract

Modern commodity operating systems are large and complex systems developed over many years by large teams of programmers, containing hundreds of thousands of lines of code. Consequently, it is extremely difficult to add significant new functionality to these systems. In response to this problem, a number of recent research projects have explored novel operating system architectures to support untrusted extensions, including SPIN, VINO, Exokernel, and Fluke. Unfortunately, these architectures require substantial implementation effort and are not generally available in commodity systems.

In contrast, by leveraging the technique of interposition, we have designed and implemented a prototype extension system called SLIC which requires only trivial operating system changes. SLIC efficiently inserts trusted extension code into commodity operating systems, enabling a large class of trusted extensions for existing commodity operating systems such as Solaris and Linux, while retaining full compatibility with existing application binaries. By interposing trusted extensions on existing kernel interfaces, our solution enables extensions which are protected from malicious applications, are enforced upon uncooperative applications, are composable with extensions from other third-party sources, and can be developed at the user-level using state-of-the-art development tools. We have used SLIC to implement and demonstrate a number of useful operating system extensions, including a patch to fix a security hole described in a CERT advisory, a simple encryption file system, and a restricted execution environment for arbitrary untrusted binaries. Performance measurements of the SLIC prototype demonstrate a one-time installation cost of 2-8 µsec and a per-extension invocation overhead commensurate with a procedure call.

This work was supported in part by the Defense Advanced Research Projects Agency (N00600-93-C-2481, F30602-95-C-0014), the National Science Foundation (CDA 9401156), Sun Microsystems, California MICRO, Hewlett Packard, Intel, Microsoft, and Mitsubishi. Anderson was also supported by a National Science Foundation Presidential Faculty Fellowship.

1 Introduction

Modifying modern commodity operating systems is extremely difficult and costly. They are large, complex systems developed over many years by large teams of programmers and contain millions of lines of code. It is not unusual for major releases of commodity operating systems to be riddled with flaws introduced during development, typically requiring additional "bug fix" releases which may in turn introduce their own flaws. Compounding these problems, the development and debugging environments for operating system kernels are considerably behind the state of the art. Consequently, it is extremely difficult in practice to add significant new functionality to modern commodity operating systems [12, 1, 34].

Although modifying commodity operating systems is complex and difficult, the need to do so remains. There is a large catalog of operating system functionality which has not been widely deployed, in part because of the difficulty of modifying existing systems: load sharing [51], process migration [43, 12], fast communication primitives [6, 44], upcalls [9], distributed shared memory [25], user-level pagers [49], and novel schedulers [46, 13, 27]. In addition, security flaws are routinely discovered and reported by organizations such as Carnegie-Mellon's Computer Emergency Response Team (CERT) and the Department of Energy's Computer Incident Advisory Capability (CIAC). Despite the need for immediate repair to prevent wide exploitation of these flaws, the required patches can take weeks to become available [42].

This work aims to significantly simplify the process of evolving existing commodity operating systems by enabling new extensions which can manage global resources and/or enforce security guarantees. The ideal system which achieves this goal would possess a number of characteristics: it would require few or no modifications to existing operating systems or applications; it would introduce little overhead; multiple extensions from independent, third-party sources could be active simultaneously; extensions would be protected from malicious applications and enforced upon uncooperative applications; and kernel extension developers would be able to make use of state-of-the-art user-level development and debugging tools.

Accomplishing this goal would enable independent software vendors (ISV's) to develop and deploy innovative operating system features. In particular, new operating system features developed by research projects could be transferred directly to end users without the need to convince or wait for operating system vendors to adopt the modifications. Furthermore, many CERT and CIAC security advisories normally require the system administrator to wait for a patch from the operating system vendor; instead, the advisory could directly include a small extension to correct the flaw, reducing the window of vulnerability dramatically.

Prior approaches to extending operating systems can be roughly divided into three categories: (i) re-engineering the operating system from the ground up, in the process making it easier to extend, (ii) incrementally re-engineering selected portions of the kernel, and (iii) adding extensions to existing systems without significant modification to either the operating system or its applications.

Over the years, a number of systems have attempted to reduce the cost of adding new operating system functionality by re-engineering the operating system to be extensible. Systems built using this approach include Hydra [48], SPIN [5], VINO [36], Exokernel [14], and Fluke [15]. While many of these systems have successfully demonstrated greatly reduced costs for adding new functionality, the initial cost of replacing existing commodity operating systems is prohibitive; for example, Microsoft spent over $300 M developing Windows NT [50]. Consequently, extensibility architectures developed using this approach will remain unavailable to the average user for the foreseeable future.

A small number of projects have taken the second approach of re-engineering certain kernel interfaces to reduce the complexity of adding new functionality at those interfaces. The vnode interface [23] is a prime example of this approach. However,

binaries. Our work differs from earlier efforts in that our solution, kernel-level interposition of trusted extensions on kernel interfaces, is simple to implement, is efficient, requires no specialized hardware support, protects extensions from malicious or faulty applications, enforces extensions on uncooperative applications, and supports extension stacking. We believe that no other system provides this powerful combination of features for extending existing commodity operating systems.

Prior attempts to extend the operating system without significant modification suffered from significant limitations. Interposition Agents [20] leverages the Mach [1] system call redirection facility to transparently insert user-level extensions at the system call interface. However, because extensions run unprotected in the application's address space and require application cooperation, extensions cannot enforce security guarantees or manage shared resources for competing applications. Software Fault Isolation (SFI) [45] can be used to protect extensions from applications even when loaded in the same address space. Unfortunately, SFI requires a number of compiler optimizations to achieve low overhead and therefore cannot be applied efficiently to existing application binaries. Protected Shared Libraries [4] has the same capability as SFI without the need for compiler optimizations, but does not enforce extensions on applications.

To overcome the limitations of these systems, we have developed SLIC, a prototype system for efficiently inserting trusted extension code into existing operating systems with minor or no modifications to operating system source code. Conceptually, SLIC dynamically "hijacks" various kernel interfaces (such as the system call, signal, or virtual memory paging interfaces) and transparently reroutes events which cross that interface to extensions located either in the kernel (for performance) or at the user-level (for ease of development). Extensions both use and implement the intercepted kernel interface, enabling new functionality to be added to the system while the underlying kernel and existing application binaries remain oblivious to those extensions. SLIC dynamically interposes ex-
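The interposition model just described, as an added illustration that is not SLIC's own code: a constructed user-space model of a kernel system-call dispatch table on which extensions are stacked. Each extension both implements the interface (it is called with the event) and uses it (it invokes the handler below it), so a restricted-execution extension can deny an event before it ever reaches the kernel, while the kernel handlers and the caller stay unchanged. All names (slic_interpose, sys_entry, the two extensions) are invented for this example.

```c
#include <stdio.h>
#include <string.h>

#define SYS_OPEN  0
#define SYS_WRITE 1
#define NSYS      2
#define MAX_EXT   4

typedef long (*handler_t)(int nr, const char *arg);
typedef long (*ext_fn)(int nr, const char *arg, int level);

/* Constructed stand-ins for the underlying kernel handlers; they know
 * nothing about extensions. Return values are arbitrary "results". */
static long kern_open(int nr, const char *path) { (void)nr; return (long)strlen(path); }
static long kern_write(int nr, const char *buf) { (void)nr; return (long)strlen(buf); }
static handler_t dispatch[NSYS] = { kern_open, kern_write };

static ext_fn ext_stack[MAX_EXT];   /* index 0 is closest to the kernel */
static int    n_ext;
long audit_count;                   /* events observed by ext_audit */

/* Route an event to the extension at `level`; level -1 is the kernel. */
static long slic_call(int nr, const char *arg, int level) {
    if (level < 0) return dispatch[nr](nr, arg);
    return ext_stack[level](nr, arg, level);
}

/* Restricted execution environment: only opens under /tmp/ are allowed.
 * A denied event is answered here and never reaches the layers below. */
long ext_restrict(int nr, const char *arg, int level) {
    if (nr == SYS_OPEN && strncmp(arg, "/tmp/", 5) != 0) return -1;
    return slic_call(nr, arg, level - 1);     /* use the interface below */
}

/* Audit extension: counts what it sees, then passes the event through. */
long ext_audit(int nr, const char *arg, int level) {
    audit_count++;
    return slic_call(nr, arg, level - 1);
}

/* Install an extension on top of the stack (the "hijack" step). */
int slic_interpose(ext_fn f) {
    if (n_ext >= MAX_EXT) return -1;
    ext_stack[n_ext++] = f;
    return 0;
}

/* The entry point an unmodified application's trap lands on. */
long sys_entry(int nr, const char *arg) {
    if (nr < 0 || nr >= NSYS) return -1;
    return slic_call(nr, arg, n_ext - 1);      /* start at the top extension */
}
```

With ext_audit installed first and ext_restrict on top, an open of /etc/passwd is refused by the top extension and is never counted by the audit layer, whereas an open under /tmp/ and a write pass through both.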