Administrivia
•
Last project due today
- Must hand in something by midnight even if you get extension
•
Final Exam
- Wednesday March 18, 12:15-3:15pm in
Gates B-01
- Open book, open notes, just like midterm- Covers material from all 19 lectures
•
SCPD students please take in person if possible
- Otherwise, email cs140-staff your exam monitor’s email address (using subject exam monitor)
•
I have special office hours next Monday, 3:00-4:00pm
- I also plan to be around most of the afternoon that day, so stop by if you have questions before exam
Themes in OS research
•
Performance
•
Functionality
•
System management
•
Extensibility
•
Power consumption
•
Security
Performance
•
Performance improvements always welcome
- 10% is nice, but often not super interesting - 10x can actually enable new functionality
•
Through early 90s, a major focus of OS research
- Makes benefits nicely quantifiable - Let to lots of incremental work
•
But some performance work very interesting:
- Synthesis [Massalin]
- OS made extensive use of dynamic code generation for speed
•
Making logically synchronous disk accesses
asynchronous [Nightingale]
Functionality
•
Lots of work to make distributed systems transparent
- Network operating systems (Sprite, Amoeba) - Distributed shared memory (tons of papers) - Much of this work had little impact
•
Plan9 [Pike] – make all functionality available
through file namespace
- Developed by the inventors of Unix, who gave up on Unix - Invented now popular abstractions such as /proc
- Mount table is no longer global, but per process group - Lots of really cool benefits to unifying abstractions in FS:
System management
⊲
•
Already talked about virtual machines
•
Plan9’s features greatly simplified management
- E.g., backups available through file system under /dump
•
Storage management a huge deal
- Large, virtual disks (e.g., Petal [Lee]) - Serverless network file systems [Dahlin]
- Using desktop machines for storage (Farsite [Bolosky]) - Peer-to-peer network file systems (e.g., Ivy [Morris]) - Peer-to-peer backup (e.g., Pastiche [Cox])
•
Application abstraction (Singularity [Hunt])
- Avoid problems associated with installing software - Packages must describe themselves declaratively
Extensibility: Microkernels
•
Very popular in 1980s
•
Idea: Provide traditional OS abstractions in servers
- E.g., Virtual memory server, file system server - Could Make for better fault isolation
- Also makes it easier to develop new OS functionality
(debugging servers potentially easier than debugging kernel)
•
Kernel interface is very small
- E.g., just provide simple IPC abstractions
- Note: “micro” means small interface, not small code
•
Most well-known example: Mach 3
Extensibility: Other architectures
•
Big focus in mid-90s:
- Inspired by applications that fight with the OS
- E.g., database that has to bypass the OS buffer cache - Also CPUs still slow enough that hard to saturate net
•
One approach: Spin [Bershad]
- Download extensions into kernel using safe language - Safely run user code in kernel, saving context switch
•
Another approach: Exokernel [Engler/Kaashoek]
- “Exterminate all operating system abstractions”
- Idea: Kernel should provide protection, not abstraction - Implement abstractions in user-level library
Power management
•
Recent hot topic for sensor networks
- Battery-powered devices
- Deployed in environments where hard to change battery
- OS techniques can extend battery lifetime from days to months
•
Also becoming an issue for server farms
- Cost of power + cooling comparable to cost of hardware
•
Some techniques
- CPU voltage scaling (requires cutting frequency—when to do?) - Careful use of wireless networks
HiStar
•
Developed by Nickolai Zeldovich here at Stanford
•
Most software cannot be trusted
- Massive, complex systems no one fully understands - Not written by security-conscious programmers
- Even good programmers make mistakes
•
Yet this is what people develop and want to run
•
Address problem through better OS interface
- HiStar: a new OS that reduces trust in software while providing Unix-like environment
Examples
•
Symantec AntiVirus 10 contained remote exploit
- Software deployed on 200,000,000 systems
•
PayMaxx web site divulges social security numbers
- Test record had SSN 000–00–0000 and no password
- After login, could access records by consecutive serial number
•
The list goes on. . .
- CardSystems loses 40,000,000 credit card numbers
- Jacobsen compromises T-mobile, steals secret service mail - Recommendation letters for 10,000 Stanford applicants stolen
Anti-virus software details
AVHelper
/tmp User Data Virus DB Network
TTY
User Update
Daemon AV
Scanner
•
Scanner – checks files for virus signatures
•
Update daemon – downloads new virus signatures
•
How to enforce security w/o trusting AV software?
- Must not leak contents of your files to network - Must not tamper with contents of your files
What can go wrong?
AV Helper /tmp Virus DB Network TTY User User Data Update Daemon AV ScannerWhat can go wrong?
AV Helper /tmp Virus DB Network TTY User User Data Update Daemon AV Scanner•
Scanner sends private data to update daemon
•
Update daemon sends data over network
What can go wrong?
AV Helper /tmp Virus DB Network TTY User User Data Update Daemon AV Scanner•
Scanner writes data to world-readable file in /tmp
What can go wrong?
AV Helper /tmp Virus DB Network TTY User User Data Update Daemon AV Scanner•
Scanner acquires read locks on virus database
- Encodes user data by locking various ranges of file
•
Update daemon decodes data by detecting locks
The list goes on
•
Scanner can call setproctitle with user data
- Update daemon extracts data by running ps
•
Scanner can bind particular TCP or UDP port
numbers
•
Scanner can relay data through another process
- Call ptrace to take over process, then write to network - Use sendmail, httpd, or portmap to reveal data
•
Disclose data by modulating free disk space
Information flow control
•
Reasoning about operations is hard
- Can you enumerate all permissible actions by scanner?
- What about helper programs spawned (gzip, ar, mime, . . . )? - What about any process that can observe scanner?
•
Reasoning about information flow is easier
- Policy: Don’t write my files to network unless I say so
•
Restructure OS to make all information flow explicit
- Has been done in a very heavy-weight fashion for military - Give individual users control over information flow
HiStar architecture
Linux
Hardware UNIX Security checks A V H el p er U p d at e A V H el p er S ca n n er U p d at e U N IX U N IX U N IX Security checks S ca n n erHiStar
HardwareHiStar kernel objects
Unix processes
Example: File descriptors in Unix
•
Suppose
A
can’t flow to
B
, but they share a file desc.
•
Typical mistake: Consider read-only fd to be okay
- But even a read-only fd has mutable state, such as offset pointer - Hard to catch all such shared state
Example: File descriptors in HiStar
What’s in a label?
•
Labels represents 2 types of information flow concern
- secrecy – preventing people from observing information - integrity – preventing people from modifying information
•
Each concern is represented by a
category
of taint
•
Secrecy categories shown as
- Different colors represent different secrecy categories
- Secrecy category in label
⇒
object tainted in that category•
Integrity categories shown as
- Integrity category in label
⇒
object less tainted in that category•
L
A⊑
L
B(“
L
Acan flow to
L
B”) when:
Recall: Bell-LaPadula labels
X
X
X
L
1L
1means
L
1⊑
L
2h
top-secret,
{
Crypto
}i
hsecret,
∅
i
hsecret,
{Crypto}i
h
top-secret,
∅
i
hsecret,
{Nuclear}i
h
top-secret,
{
Nuclear
}i
h
top-secret,
{
Nuclear, Crypto
}i
HiStar labels
Downgrading privileges
•
Downgrading privileges are
decentralized
- Represented by per-category stars in threads’ labels - Means thread can ignore taint in that category
•
Any thread can create a new category
- You get the stars for the categories you create
•
Can implement Unix UIDs using categories
- Each UID u corresponds to two categories:
An integrity category, ui and, a secrecy category, us
- u’s shell gets those stars whenever s/he logs in
Example: virus scanner
•
Scanner tainted, so cannot write to network
Example: ssh-agent
Runaway processes
•
What if ssh-agent goes nuts?
Containers
•
Separate resource allocation from access control
Other HiStar applications
•
Untrusted login
•
Red-green VPNs
•
Web server for untrusted CGI scripts (next slide)
•
Distributed HiStar
•
Ongoing/future work:
- Scheduler resource control for reducing timing channels - New applications written by “untrusted programmers” - Allowing policies to apply to power management
Final thoughts
•
You are all now operating systems experts
•
Use this knowledge to build better applications
- Sometimes need to coax right behavior out of kernel
- Should be much easier now that you know what’s going on
•
Syscall interface can be an
innovation
barrier
- Much harder to change kernel than user code
- Other examples include standardized net. protocols, servers - Get these wrong and many people will suffer
•
Some of you will go on to design interfaces that
many people are later subjected to
How to learn more about OSes
•
Take CS240 – Advanced Topics in Operating Systems
- Class will bring you up to speed on OS research - Read & discuss 18–25 research papers
- By the end, should be ready to do OS research
•
Get involved in research!
•
Lot’s of interesting OS work at Stanford
- Rosenblum – launched the virtual machine resurgence - Lam – collective system, software for mobile devices
- Levis – seminal work on sensor nets & power management - Engler – tools to find OS bugs automatically