the benefits and costs of writing a unix kernel in a high
play

The benefits and costs of writing a UNIX kernel in a high-level - PowerPoint PPT Presentation

Sep 27, 2023 •129 likes •803 views

The benefits and costs of writing a UNIX kernel in a high-level language Cody Cutler, M. Frans Kaashoek, Robert T. Morris MIT CSAIL 1 / 62 What language to use for developing a kernel? A hotly-debated question but often with few facts

  1. The benefits and costs of writing a UNIX kernel in a high-level language Cody Cutler, M. Frans Kaashoek, Robert T. Morris MIT CSAIL 1 / 62

  2. What language to use for developing a kernel? A hotly-debated question but often with few facts 6.828/6.S081 students: why are we using C? why not a type-safe language? To shed some light, we wrote a new kernel with • A language with automatic memory management (i.e., with a garbage collector) • A traditional, monolithic Unix organization 2 / 62

  3. C is popular for kernels Windows Linux *BSD 3 / 62

  4. Why C is good: complete control Control of memory allocation and freeing Almost no implicit, hidden code Direct access to memory Few dependencies 4 / 62

  5. Why C is bad Writing secure C code is difficult • buffer overruns • use-after-free bugs • threads sharing dynamic memory 40 Linux kernel execute-code CVEs in 2017 due to memory-safety errors (execute-code CVE is a bug that enables attacker to run malicious code in kernel) 5 / 62

  6. High-level languages (HLLs) provide memory-safety All 40 CVEs would not execute malicious code in an HLL 6 / 62

  7. HLL benefits Type safety Automatic memory management with garbage collector Concurrency Abstraction 7 / 62

  8. HLL potential downsides Poor performance: • Bounds, cast, nil-pointer checks • Garbage collection Incompatibility with kernel programming: • No direct memory access • No hand-written assembly • Limited concurrency or parallelism 8 / 62

  9. Goal: measure HLL trade-offs Explore total effect of using HLL instead of C: • Impact on safety • Impact on programmability • Performance cost ...for production-grade kernel 9 / 62

  10. Prior work: HLL trade-offs Many studies of HLL trade-offs for user programs ( Hertz’05, Yang’04 ) But kernels different from user programs (ex: more careful memory management) Need to measure HLL trade-offs in kernel 10 / 62

  11. Prior work: HLL kernels Singularity (SOSP’07) , J-kernel (ATC’98) , Taos (ASPLOS’87) , Spin (SOSP’95) , Tock (SOSP’17) , KaffeOS (ATC’00) , House (ICFP’05) ,... Explore new ideas and architectures None measure HLL trade-offs vs C kernel 11 / 62

  12. Measuring trade-offs is tricky Must compare with production-grade C kernel (e.g., Linux) Problem: can’t build production-grade HLL kernel 12 / 62

  13. The most we can do Build HLL kernel Keep important parts the same as Linux Optimize until performance is roughly similar to Linux Measure HLL trade-offs Risk: measurements of production-grade kernels differ 13 / 62

  14. Methodology Built HLL kernel Same apps, POSIX interface, and monolithic organization Optimized, measured HLL trade-offs 14 / 62

  15. Which HLL? Go is a good choice: • Easy to call assembly • Compiled to machine code w/good compiler • Easy concurrency • Easy static analysis • GC (Concurrent mark and sweep) Rust might be a fine choice too 15 / 62

  16. B ISCUIT overview 58 system calls, LOC: 28k Go, 16 / 62

  17. B ISCUIT Features • Multicore • Threads • Journaled FS (7k LOC) • Virtual memory (2k LOC) • TCP/IP stack (5k LOC) • Drivers: AHCI and Intel 10Gb NIC (3k LOC) 17 / 62

  18. User programs Process has own address space User/kernel memory isolated by hardware Each user thread has companion kernel thread Kernel threads are “goroutines” 18 / 62

  19. System calls User thread put args in registers User thread executes SYSENTER Control passes to kernel thread Kernel thread executes system call, returns via SYSEXIT 19 / 62

  20. B ISCUIT design puzzles Runtime on bare-metal Goroutines run different applications Device interrupts in runtime critical sections Hardest puzzle: heap exhaustion 20 / 62

  21. Puzzle: Heap exhaustion 21 / 62

  22. Puzzle: Heap exhaustion 21 / 62

  23. Puzzle: Heap exhaustion 21 / 62

  24. Puzzle: Heap exhaustion 21 / 62

  25. Puzzle: Heap exhaustion Can’t allocate heap memory = ⇒ nothing works All kernels face this problem 21 / 62

  26. How to recover? Strawman 0: panic (xv6) Strawman 1: Wait for memory in allocator? • May deadlock! Strawman 2: Check/handle allocation failure, like C kernels? • Difficult to get right • Can’t – Go implicitly allocates • Doesn’t expose failed allocations Both cause problems for Linux; see “too small to fail” rule 22 / 62

  27. B ISCUIT solution: reserve memory To execute system call... No checks, no error handling code, no deadlock 23 / 62

  28. Heap reservation bounds How to compute max memory for each system call? Smaller heap bounds = ⇒ more concurrent system calls 24 / 62

  29. Heap bounds via static analysis HLL easy to analyze Tool computes reservation via escape analysis Using Go’s static analysis packages Annotations for difficult cases ≈ three days of expert effort to apply tool 25 / 62

  30. B ISCUIT implementation Building B ISCUIT was similar to other kernels 26 / 62

  31. B ISCUIT implementation Building B ISCUIT was similar to other kernels B ISCUIT adopted many Linux optimizations: • large pages for kernel text • per-CPU NIC transmit queues • RCU-like directory cache • execute FS ops concurrently with commit • pad structs to remove false sharing Good OS performance more about optimizations, less about HLL 26 / 62

  32. Evaluation Part 1: HLL benefits Part 2: HLL performance costs 27 / 62

  33. Evaluation: HLL benefits Should we use high-level languages to build OS kernels? 1 Does B ISCUIT use HLL features? 2 Does HLL simplify B ISCUIT code? 3 Would HLL prevent kernel exploits? 28 / 62

  34. 1: Does B ISCUIT use HLL features? Counted HLL feature use in B ISCUIT and two huge Go projects (Moby and Golang, >1M LOC) 29 / 62

  35. 1: B ISCUIT uses HLL features 18 Biscuit 16 Golang 14 Count/1K lines Moby 12 10 8 6 4 2 0 A M S C S M C F D G I T I n m i y l t l h l n e o l a i u t r o p o c a f e p p i l a s s e c e n t e n r o s u l i t a s g - i r f n z r m a a r r t t e e e e c s s i t o r s l t e u n e s r r n t s 30 / 62

  36. 2: Does HLL simplify B ISCUIT code? Qualitatively, my favorite features: • GC’ed allocation • slices • defer • multi-valued return • strings • closures • maps Net effect: simpler code 31 / 62

  37. 2: Simpler concurrency Simpler data sharing between threads In HLL, GC frees memory In C, programmer must free memory 32 / 62

  38. 2: Simpler concurrency example buf := new(object_t) // Initialize buf... go func () { process1(buf) }() process2(buf) // When should C code free(buf)? 33 / 62

  39. 2: Simpler read-lock-free concurrency Locks and reference counts expensive in hot paths Good for performance to avoid them Challenge in C: when is object free? 34 / 62

  40. 2: Read-lock-free example var Head *Node func get() *Node { return atomic_load(&Head) } func pop() { Lock() v := Head if v != nil { atomic_store(&Head, v.next) } Unlock() 35 / 62

  41. 2: Simpler read-lock-free concurrency Linux safely frees via RCU ( McKenney’98 ) Defers free until all CPUs context switch Programmer must follow RCU rules: • Prologue and epilogue surrounding accesses • No sleeping or scheduling Error prone in more complex situations GC makes these challenges disappear HLL significantly simplifies read-lock-free code 36 / 62

  42. 3: Would HLL prevent kernel exploits? Inspected fixes for all publicly-available execute code CVEs in Linux kernel for 2017 Classify based on outcome of bug in B ISCUIT 37 / 62

  43. 3: HLL prevents kernel exploits Category # Outcome in Go — 11 unknown logic 14 same use-after-free/double-free 8 disappear due to GC out-of-bounds 32 panic or disappear panic likely better than malicious code execution HLL would prevent kernel exploits 38 / 62

  44. Evaluation: HLL performance Should we use high-level languages to build OS kernels? 1 Is B ISCUIT ’s performance roughly similar to Linux? 2 What is the breakdown of HLL tax? 3 How much might GC cost? 4 What are the GC pauses? 5 What is the performance cost of Go compared to C? 6 Does B ISCUIT ’s performance scale with cores? 39 / 62

  45. Experimental setup Hardware: • 4 core 2.8Ghz Xeon-X3460 • 16 GB RAM • Hyperthreads disabled Eval applications: • NGINX (1.11.5) – webserver • Redis (3.0.5) – key/value store • CMailbench – mail-server benchmark 40 / 62

  46. Applications are kernel intensive No idle time; 79%-92% kernel time In-memory FS Ran for a minute 512MB heap RAM for B ISCUIT 41 / 62

  47. 1: Is B ISCUIT ’s perf roughly similar to Linux? i.e. is B ISCUIT ’s performace similar to production-grade kernel? Compare app throughput on B ISCUIT and Linux 42 / 62

  48. Linux setup Debian 9.4, Linux 4.9.82 Disabled features that slowed Linux down on our apps: • page-table isolation • retpoline • kernel address space layout randomization • transparent huge-pages • ... 43 / 62

  49. 1: Is B ISCUIT ’s perf roughly similar to Linux? B ISCUIT ops/s Linux ops/s Ratio CMailbench (mem) 15,862 17,034 1.?? NGINX 88,592 94,492 1.?? Redis 711,792 775,317 1.?? Linux has more features: NUMA, scales to many cores, ... Not apples-to-apples, but B ISCUIT perf roughly similar 44 / 62

Recommend

The benefits and costs of writing a POSIX kernel in a high-level language Cody Cutler, M. Frans

The benefits and costs of writing a POSIX kernel in a high-level language Cody Cutler, M. Frans

The benefits and costs of writing a POSIX kernel in a high-level language Cody Cutler, M. Frans Kaashoek, Robert T. Morris MIT CSAIL 1 / 38 Should we use high-level languages to build OS kernels? 2 / 38 HLL Benefits Easier to program

788 views • 58 slides
UNIX History UNIX Kernel The kernel is the central part of the operating system and is 1965-1969

UNIX History UNIX Kernel The kernel is the central part of the operating system and is 1965-1969

UNIX History UNIX Kernel The kernel is the central part of the operating system and is 1965-1969 Bell Labs participates in the Multics project. always resident in the primary memory. 1969 Ken Thomson develops the first UNIX version in The kernel

440 views • 8 slides
What is Unix? Unix: explained markus schnalke <meillo@marmaro.de> Unix Operating

What is Unix? Unix: explained markus schnalke <meillo@marmaro.de> Unix Operating

What is Unix? Unix: explained markus schnalke <meillo@marmaro.de> Unix Operating system Kernel (Systemcalls) Userland Filesystem Background and History Philosophy Historical background Timeline The late 60s and early 70s

579 views • 9 slides
High Hopes for CER Better information about the costs and benefits of different treatment

High Hopes for CER Better information about the costs and benefits of different treatment

E VIDENTIARY S TANDARDS FOR D ETERMINING THE C LINICAL U TILITY OF G ENOMICS -B ASED D IAGNOSTIC T ESTS G ENOMICS -B ASED D IAGNOSTIC T ESTS Sean Tunis MD, MSc May 23, 2012 High Hopes for CER Better information about the costs and benefits

744 views • 50 slides
Crash Course in Unix For more info check out the Unix man pages -or-

Crash Course in Unix For more info check out the Unix man pages -or-

Crash Course in Unix For more info check out the Unix man pages -or- http://www.cs.rpi.edu/~hollingd/unix -or- Unix in a Nutshell (an OReilly book). 1 Unix Accounts To access a Unix system you need to have an account . Unix

1.05k views • 84 slides
Network Programming UNIX Internet Socket API Everything in Unix is a File When Unix programs

Network Programming UNIX Internet Socket API Everything in Unix is a File When Unix programs

Network Programming UNIX Internet Socket API Everything in Unix is a File When Unix programs do any sort of I/O, they do it by reading or writing to a file descriptor. A file descriptor is simply an integer associated with an open file.

612 views • 47 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
Operating System API Case study: UNIX shell Unix shell Provides interactive command execution

Operating System API Case study: UNIX shell Unix shell Provides interactive command execution

Operating System API Case study: UNIX shell Unix shell Provides interactive command execution Was part of OS kernel initially, now a normal program The shell interface looks like this: $ _ Prompt Keyboard cursor Unix shell $ cat

474 views • 22 slides
Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix:

Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix:

1/19/2010 Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix: tak, the Whitehead Scientific Linux server t k th Whit h d S i tifi Li most important/useful commands & Apply

259 views • 8 slides
Unix Philosophy, Text Editors, IDEs Assignment In-Class Writing code Building / Running

Unix Philosophy, Text Editors, IDEs Assignment In-Class Writing code Building / Running

Unix Development Data Structures Lab: Comp Sci 1585 Unix Philosophy, Text Editors, IDEs Assignment In-Class Writing code Building / Running Code::Blocks Environments Integrated philosophy Kate Notepad++ Atom Emacs Vim nano Text

579 views • 38 slides
RENEWABLE ENERGY BENEFITS AND COSTS David Littell Commissioner, Maine Public Utilities

RENEWABLE ENERGY BENEFITS AND COSTS David Littell Commissioner, Maine Public Utilities

RENEWABLE ENERGY BENEFITS AND COSTS David Littell Commissioner, Maine Public Utilities Commission Renewables Economic benefits for ratepayers & state Higher upfront (capital) costs Environmental benefits & impacts

225 views • 22 slides
SYSTEM CALL IN MINIX Zhen Mo What is the MINIX System? Mini Unix (Minix) basically, a UNIX

SYSTEM CALL IN MINIX Zhen Mo What is the MINIX System? Mini Unix (Minix) basically, a UNIX

SYSTEM CALL IN MINIX Zhen Mo What is the MINIX System? Mini Unix (Minix) basically, a UNIX compatible operating system. Open source : intend to be studied in universities Very small (kernel is under 4000 lines) Simple Design

299 views • 17 slides
Todays topics Unix history Unix philosophy Unix standards Unix future Future

Todays topics Unix history Unix philosophy Unix standards Unix future Future

Todays topics Unix history Unix philosophy Unix standards Unix future Future classes Unix history The Unix family of operating systems have been in existence since around 1969. Most folks agree the system that Ken

1.13k views • 57 slides
Natural Gas Pipeline Regulation: Natural Gas Pipeline Regulation: Costs and Benefits of the

Natural Gas Pipeline Regulation: Natural Gas Pipeline Regulation: Costs and Benefits of the

Natural Gas Pipeline Regulation: Natural Gas Pipeline Regulation: Costs and Benefits of the Costs and Benefits of the Canadian Approach Canadian Approach Glenn Booth Chief Economist National Energy Board Gold Coast, July 2004 1(title)

580 views • 36 slides
Chapter 4: Relevant Costs and Benefits for Decision- Making Agenda Sunk/Opportunity Costs

Chapter 4: Relevant Costs and Benefits for Decision- Making Agenda Sunk/Opportunity Costs

Chapter 4: Relevant Costs and Benefits for Decision- Making Agenda Sunk/Opportunity Costs Decision Relevance Differential Analysis 2 1 Its all relevant Sunk Costs outlays of resources or effort from past periods.

398 views • 15 slides
OS Structure and Performance OS Structure and Performance Reconsidering the Kernel Interface

OS Structure and Performance OS Structure and Performance Reconsidering the Kernel Interface

OS Structure and Performance OS Structure and Performance Reconsidering the Kernel Interface Reconsidering the Kernel Interface Mach and NT are representative of systems that seek to provide richer, more general kernel interfaces than Unix.

523 views • 23 slides
1. Why . ? 2. What + How . ? 3. Who + How long + Costs . ? 4. Benefits +

1. Why . ? 2. What + How . ? 3. Who + How long + Costs . ? 4. Benefits +

Environmental Management Systems at University of Paderborn > Implementation at the Chair (Environmental) Process Engineering 1. Why . ? 2. What + How . ? 3. Who + How long + Costs . ? 4. Benefits + Perspectives . ? Josef

221 views • 21 slides
Escaping chroot jails Why? Chroot jails come up in writing exploits, CtF competitions, etc.

Escaping chroot jails Why? Chroot jails come up in writing exploits, CtF competitions, etc.

Escaping chroot jails Why? Chroot jails come up in writing exploits, CtF competitions, etc. In the context of this class, a good intro to basic UNIX concepts UNIX 101 man man man 2 chroot Users (UID 0 is root)

370 views • 11 slides
1 Mach Overview Mach Overview Mach Mach Mach is more general than NT in that objects named by

1 Mach Overview Mach Overview Mach Mach Mach is more general than NT in that objects named by

Reconsidering the Kernel Interface Reconsidering the Kernel Interface Mach and NT are representative of systems that seek to provide richer, more general kernel interfaces than Unix. decouple elements of process abstraction OS Structure and

256 views • 4 slides
USEPA Methods for Quantifying the Benefits and Costs of Reducing Air Pollution Amy Lamson U.S.

USEPA Methods for Quantifying the Benefits and Costs of Reducing Air Pollution Amy Lamson U.S.

USEPA Methods for Quantifying the Benefits and Costs of Reducing Air Pollution Amy Lamson U.S. Environmental Protection Agency Office of Air and Radiation Risk and Benefits Group Presentation for Multi-stakeholder Workshop South Africas

717 views • 50 slides
Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory Implementation The starting (root) directory of each filesystem is created by formatting . A UNIX directory is a file : it has an owner, group

502 views • 12 slides
Introduction to C in Linux/Unix COMP 1002/1402 Writing a Novel Process Determine ideas Story

Introduction to C in Linux/Unix COMP 1002/1402 Writing a Novel Process Determine ideas Story

Introduction to C in Linux/Unix COMP 1002/1402 Writing a Novel Process Determine ideas Story features Write book (Mystery, Contact publisher metaphors) Editing Book (Novel) Book language (English, French) 1 Creating a program

736 views • 24 slides
BENEFITS PROGRAM Plan Year 2020 Rates March 28, 2019 Executive Summary PEBP continues to see

BENEFITS PROGRAM Plan Year 2020 Rates March 28, 2019 Executive Summary PEBP continues to see

PUBLIC EMPLOYEES BENEFITS PROGRAM Plan Year 2020 Rates March 28, 2019 Executive Summary PEBP continues to see low inflation on medical and dental costs but recently experienced very high pharmacy costs on the CDHP. This has led to an

283 views • 14 slides
What is a File? A file is a collection of data elements, grouped together for purpose of

What is a File? A file is a collection of data elements, grouped together for purpose of

CPSC-313: Introduction to Computer Systems UNIX I/O UNIX I/O Files and File Representation Basic operations: Reading / Writing Caching: File Open / Close Multiplexing: Select / Poll File Descriptors Reading: R&R,

391 views • 10 slides

More recommend