Kernel Address Space


The Experts below are selected from a list of 4113 Experts worldwide ranked by ideXlab platform

Henry M Levy - One of the best experts on this subject based on the ideXlab platform.

  • Improving the Reliability of Commodity Operating Systems
    ACM Transactions on Computer Systems, 2005
    Co-Authors: Michael M Swift, Brian N. Bershad, Henry M Levy
    Abstract:

    Despite decades of research in extensible operating system technology, extensions such as device drivers remain a significant cause of system failures. In Windows XP, for example, drivers account for 85% of recently reported failures. This article describes Nooks, a reliability subsystem that seeks to greatly enhance operating system (OS) reliability by isolating the OS from driver failures. The Nooks approach is practical: rather than guaranteeing complete fault tolerance through a new (and incompatible) OS or driver architecture, our goal is to prevent the vast majority of driver-caused crashes with little or no change to the existing driver and system code. Nooks isolates drivers within lightweight protection domains inside the kernel address space, where hardware and software prevent them from corrupting the kernel. Nooks also tracks a driver's use of kernel resources to facilitate automatic cleanup during recovery. To prove the viability of our approach, we implemented Nooks in the Linux operating system and used it to fault-isolate several device drivers. Our results show that Nooks offers a substantial increase in the reliability of operating systems, catching and quickly recovering from many faults that would otherwise crash the system. Under a wide range and number of fault conditions, we show that Nooks recovers automatically from 99% of the faults that otherwise cause Linux to crash. While Nooks was designed for drivers, our techniques generalize to other kernel extensions. We demonstrate this by isolating a kernel-mode file system and an in-kernel Internet service. Overall, because Nooks supports existing C-language extensions, runs on a commodity operating system and hardware, and enables automated recovery, it represents a substantial step beyond the specialized architectures and type-safe languages required by previous efforts directed at safe extensibility.

  • Improving the Reliability of Commodity Operating Systems
    Symposium on Operating Systems Principles, 2003
    Co-Authors: Michael M Swift, Brian N. Bershad, Henry M Levy
    Abstract:

    Despite decades of research in extensible operating system technology, extensions such as device drivers remain a significant cause of system failures. In Windows XP, for example, drivers account for 85% of recently reported failures. This paper describes Nooks, a reliability subsystem that seeks to greatly enhance OS reliability by isolating the OS from driver failures. The Nooks approach is practical: rather than guaranteeing complete fault tolerance through a new (and incompatible) OS or driver architecture, our goal is to prevent the vast majority of driver-caused crashes with little or no change to existing driver and system code. To achieve this, Nooks isolates drivers within lightweight protection domains inside the kernel address space, where hardware and software prevent them from corrupting the kernel. Nooks also tracks a driver's use of kernel resources to hasten automatic clean-up during recovery. To prove the viability of our approach, we implemented Nooks in the Linux operating system and used it to fault-isolate several device drivers. Our results show that Nooks offers a substantial increase in the reliability of operating systems, catching and quickly recovering from many faults that would otherwise crash the system. In a series of 2000 fault-injection tests, Nooks recovered automatically from 99% of the faults that caused Linux to crash. While Nooks was designed for drivers, our techniques generalize to other kernel extensions, as well. We demonstrate this by isolating a kernel-mode file system and an in-kernel Internet service. Overall, because Nooks supports existing C-language extensions, runs on a commodity operating system and hardware, and enables automated recovery, it represents a substantial step beyond the specialized architectures and type-safe languages required by previous efforts directed at safe extensibility.

Brian N. Bershad - One of the best experts on this subject based on the ideXlab platform.

  • Improving the Reliability of Commodity Operating Systems
    ACM Transactions on Computer Systems, 2005
    Co-Authors: Michael M Swift, Brian N. Bershad, Henry M Levy
    Abstract:

    Despite decades of research in extensible operating system technology, extensions such as device drivers remain a significant cause of system failures. In Windows XP, for example, drivers account for 85% of recently reported failures. This article describes Nooks, a reliability subsystem that seeks to greatly enhance operating system (OS) reliability by isolating the OS from driver failures. The Nooks approach is practical: rather than guaranteeing complete fault tolerance through a new (and incompatible) OS or driver architecture, our goal is to prevent the vast majority of driver-caused crashes with little or no change to the existing driver and system code. Nooks isolates drivers within lightweight protection domains inside the kernel address space, where hardware and software prevent them from corrupting the kernel. Nooks also tracks a driver's use of kernel resources to facilitate automatic cleanup during recovery. To prove the viability of our approach, we implemented Nooks in the Linux operating system and used it to fault-isolate several device drivers. Our results show that Nooks offers a substantial increase in the reliability of operating systems, catching and quickly recovering from many faults that would otherwise crash the system. Under a wide range and number of fault conditions, we show that Nooks recovers automatically from 99% of the faults that otherwise cause Linux to crash. While Nooks was designed for drivers, our techniques generalize to other kernel extensions. We demonstrate this by isolating a kernel-mode file system and an in-kernel Internet service. Overall, because Nooks supports existing C-language extensions, runs on a commodity operating system and hardware, and enables automated recovery, it represents a substantial step beyond the specialized architectures and type-safe languages required by previous efforts directed at safe extensibility.

  • Improving the Reliability of Commodity Operating Systems
    Symposium on Operating Systems Principles, 2003
    Co-Authors: Michael M Swift, Brian N. Bershad, Henry M Levy
    Abstract:

    Despite decades of research in extensible operating system technology, extensions such as device drivers remain a significant cause of system failures. In Windows XP, for example, drivers account for 85% of recently reported failures. This paper describes Nooks, a reliability subsystem that seeks to greatly enhance OS reliability by isolating the OS from driver failures. The Nooks approach is practical: rather than guaranteeing complete fault tolerance through a new (and incompatible) OS or driver architecture, our goal is to prevent the vast majority of driver-caused crashes with little or no change to existing driver and system code. To achieve this, Nooks isolates drivers within lightweight protection domains inside the kernel address space, where hardware and software prevent them from corrupting the kernel. Nooks also tracks a driver's use of kernel resources to hasten automatic clean-up during recovery. To prove the viability of our approach, we implemented Nooks in the Linux operating system and used it to fault-isolate several device drivers. Our results show that Nooks offers a substantial increase in the reliability of operating systems, catching and quickly recovering from many faults that would otherwise crash the system. In a series of 2000 fault-injection tests, Nooks recovered automatically from 99% of the faults that caused Linux to crash. While Nooks was designed for drivers, our techniques generalize to other kernel extensions, as well. We demonstrate this by isolating a kernel-mode file system and an in-kernel Internet service. Overall, because Nooks supports existing C-language extensions, runs on a commodity operating system and hardware, and enables automated recovery, it represents a substantial step beyond the specialized architectures and type-safe languages required by previous efforts directed at safe extensibility.

  • Extensibility, Safety and Performance in the SPIN Operating System
    Symposium on Operating Systems Principles, 1995
    Co-Authors: Brian N. Bershad, Przemyslaw Pardyak, Marc E Fiuczynski, David Becker, Craig Chambers, Stefan Savage, Susan J Eggers
    Abstract:

    This paper describes the motivation, architecture and performance of SPIN, an extensible operating system. SPIN provides an extension infrastructure, together with a core set of extensible services, that allow applications to safely change the operating system's interface and implementation. Extensions allow an application to specialize the underlying operating system in order to achieve a particular level of performance and functionality. SPIN uses language and link-time mechanisms to inexpensively export fine-grained interfaces to operating system services. Extensions are written in a type-safe language, and are dynamically linked into the operating system kernel. This approach offers extensions rapid access to system services, while protecting the operating system code executing within the kernel address space. SPIN and its extensions are written in Modula-3 and run on DEC Alpha workstations.

Michael M Swift - One of the best experts on this subject based on the ideXlab platform.

  • Improving the Reliability of Commodity Operating Systems
    ACM Transactions on Computer Systems, 2005
    Co-Authors: Michael M Swift, Brian N. Bershad, Henry M Levy
    Abstract:

    Despite decades of research in extensible operating system technology, extensions such as device drivers remain a significant cause of system failures. In Windows XP, for example, drivers account for 85% of recently reported failures. This article describes Nooks, a reliability subsystem that seeks to greatly enhance operating system (OS) reliability by isolating the OS from driver failures. The Nooks approach is practical: rather than guaranteeing complete fault tolerance through a new (and incompatible) OS or driver architecture, our goal is to prevent the vast majority of driver-caused crashes with little or no change to the existing driver and system code. Nooks isolates drivers within lightweight protection domains inside the kernel address space, where hardware and software prevent them from corrupting the kernel. Nooks also tracks a driver's use of kernel resources to facilitate automatic cleanup during recovery. To prove the viability of our approach, we implemented Nooks in the Linux operating system and used it to fault-isolate several device drivers. Our results show that Nooks offers a substantial increase in the reliability of operating systems, catching and quickly recovering from many faults that would otherwise crash the system. Under a wide range and number of fault conditions, we show that Nooks recovers automatically from 99% of the faults that otherwise cause Linux to crash. While Nooks was designed for drivers, our techniques generalize to other kernel extensions. We demonstrate this by isolating a kernel-mode file system and an in-kernel Internet service. Overall, because Nooks supports existing C-language extensions, runs on a commodity operating system and hardware, and enables automated recovery, it represents a substantial step beyond the specialized architectures and type-safe languages required by previous efforts directed at safe extensibility.

  • Improving the Reliability of Commodity Operating Systems
    Symposium on Operating Systems Principles, 2003
    Co-Authors: Michael M Swift, Brian N. Bershad, Henry M Levy
    Abstract:

    Despite decades of research in extensible operating system technology, extensions such as device drivers remain a significant cause of system failures. In Windows XP, for example, drivers account for 85% of recently reported failures. This paper describes Nooks, a reliability subsystem that seeks to greatly enhance OS reliability by isolating the OS from driver failures. The Nooks approach is practical: rather than guaranteeing complete fault tolerance through a new (and incompatible) OS or driver architecture, our goal is to prevent the vast majority of driver-caused crashes with little or no change to existing driver and system code. To achieve this, Nooks isolates drivers within lightweight protection domains inside the kernel address space, where hardware and software prevent them from corrupting the kernel. Nooks also tracks a driver's use of kernel resources to hasten automatic clean-up during recovery. To prove the viability of our approach, we implemented Nooks in the Linux operating system and used it to fault-isolate several device drivers. Our results show that Nooks offers a substantial increase in the reliability of operating systems, catching and quickly recovering from many faults that would otherwise crash the system. In a series of 2000 fault-injection tests, Nooks recovered automatically from 99% of the faults that caused Linux to crash. While Nooks was designed for drivers, our techniques generalize to other kernel extensions, as well. We demonstrate this by isolating a kernel-mode file system and an in-kernel Internet service. Overall, because Nooks supports existing C-language extensions, runs on a commodity operating system and hardware, and enables automated recovery, it represents a substantial step beyond the specialized architectures and type-safe languages required by previous efforts directed at safe extensibility.

Andrew S Tanenbaum - One of the best experts on this subject based on the ideXlab platform.

  • – Antoine de Saint-Exupéry [9]
    2008
    Co-Authors: Jorrit N. Herder, Herbert Bos, Andrew S Tanenbaum
    Abstract:

    It has been well established that most operating system crashes are due to bugs in device drivers. Because drivers are normally linked into the kernel address space, a buggy driver can wipe out kernel tables and bring the system crashing to a halt. We have greatly mitigated this problem by reducing the kernel to an absolute minimum and running each driver as a separate, unprivileged process in user space. In addition, we implemented a POSIX-conformant operating system as multiple user-mode processes. In this design, all that is left in kernel mode is a tiny kernel of under 3800 lines of executable code for catching interrupts, starting and stopping processes, and doing IPC. By moving nearly the entire operating system to multiple, protected user-mode processes we reduce the consequences of faults, since a driver failure no longer is fatal and does not require rebooting the computer. In fact, our system incorporates a reincarnation server that is designed to deal with such errors and often allows for full recovery, transparent to the application and without loss of data. To achieve maximum reliability, our design was guided by simplicity, modularity, least authorization, and fault tolerance. This paper discusses our lightweight approach and reports on its performance and reliability. It also compares our design to other proposals for protecting drivers using kernel wrapping and virtual machines.

  • Construction of a Highly Dependable Operating System
    European Dependable Computing Conference, 2006
    Co-Authors: Jorrit N. Herder, Ben Gras, Philip Homburg, Herbert Bos, Andrew S Tanenbaum
    Abstract:

    It has been well established that most operating system crashes are due to bugs in device drivers. Because drivers are normally linked into the kernel address space, a buggy driver can wipe out kernel tables and bring the system crashing to a grinding halt. We have greatly mitigated this problem by reducing the kernel to an absolute minimum and running each driver as a separate, unprivileged user-mode process. In addition, we implemented a POSIX-conformant operating system, MINIX 3, as multiple user-mode servers. In this design, a server or driver failure no longer is fatal and does not require rebooting the computer. This paper discusses how we designed and implemented the system, which problems we encountered, and how we solved these problems. We also discuss the performance effects of our changes and evaluate how our multiserver design improves operating system dependability over monolithic designs.

  • Construction of a Highly Dependable Operating System
    2006
    Co-Authors: Jorrit N. Herder, Ben Gras, Philip Homburg, Herbert Bos, Andrew S Tanenbaum
    Abstract:

    It has been well established that most operating system crashes are due to bugs in device drivers. Because drivers are normally linked into the kernel address space, a buggy driver can wipe out kernel tables and bring the system crashing to a grinding halt. We have greatly mitigated this problem by reducing the kernel to an absolute minimum and running each driver as a separate, unprivileged user-mode process. In addition, we implemented a POSIX-conformant operating system, MINIX 3, as multiple user-mode servers. In this design, a server or driver failure no longer is fatal and does not require rebooting the computer. This paper discusses how we designed and implemented the system, which problems we encountered, and how we solved these problems. We also discuss the performance effects of our changes and evaluate how our multiserver design improves operating system dependability over monolithic designs.

Herbert Bos - One of the best experts on this subject based on the ideXlab platform.

  • TagBleed: Breaking KASLR on the Isolated Kernel Address Space Using Tagged TLBs
    IEEE European Symposium on Security and Privacy, 2020
    Co-Authors: Jakob Koschel, Herbert Bos, Cristiano Giuffrida, Kaveh Razavi
    Abstract:

    Kernel Address Space Layout Randomization (KASLR) has been repeatedly targeted by side-channel attacks that exploit a typical unified user/kernel address space organization to disclose randomized kernel addresses. The community has responded with kernel address space isolation techniques that separate user and kernel address spaces (and associated resources) to eradicate all existing side-channel attacks. In this paper, we show that kernel address space isolation is insufficient to harden KASLR against practical side-channel attacks on modern tagged TLB architectures. While tagged TLBs have been praised for optimizing the performance of kernel address space isolation, we show that they also silently break its original security guarantees and open up opportunities for new derandomization attacks. As a concrete demonstration, we present TagBleed, a new side-channel attack that abuses tagged TLBs and residual translation information to break KASLR even in the face of state-of-the-art mitigations. TagBleed is practical and shows that implementing secure address space isolation requires deep partitioning of microarchitectural resources and a more generous performance budget than previously assumed.

  • – Antoine de Saint-Exupéry [9]
    2008
    Co-Authors: Jorrit N. Herder, Herbert Bos, Andrew S Tanenbaum
    Abstract:

    It has been well established that most operating system crashes are due to bugs in device drivers. Because drivers are normally linked into the kernel address space, a buggy driver can wipe out kernel tables and bring the system crashing to a halt. We have greatly mitigated this problem by reducing the kernel to an absolute minimum and running each driver as a separate, unprivileged process in user space. In addition, we implemented a POSIX-conformant operating system as multiple user-mode processes. In this design, all that is left in kernel mode is a tiny kernel of under 3800 lines of executable code for catching interrupts, starting and stopping processes, and doing IPC. By moving nearly the entire operating system to multiple, protected user-mode processes we reduce the consequences of faults, since a driver failure no longer is fatal and does not require rebooting the computer. In fact, our system incorporates a reincarnation server that is designed to deal with such errors and often allows for full recovery, transparent to the application and without loss of data. To achieve maximum reliability, our design was guided by simplicity, modularity, least authorization, and fault tolerance. This paper discusses our lightweight approach and reports on its performance and reliability. It also compares our design to other proposals for protecting drivers using kernel wrapping and virtual machines.

  • Construction of a Highly Dependable Operating System
    European Dependable Computing Conference, 2006
    Co-Authors: Jorrit N. Herder, Ben Gras, Philip Homburg, Herbert Bos, Andrew S Tanenbaum
    Abstract:

    It has been well established that most operating system crashes are due to bugs in device drivers. Because drivers are normally linked into the kernel address space, a buggy driver can wipe out kernel tables and bring the system crashing to a grinding halt. We have greatly mitigated this problem by reducing the kernel to an absolute minimum and running each driver as a separate, unprivileged user-mode process. In addition, we implemented a POSIX-conformant operating system, MINIX 3, as multiple user-mode servers. In this design, a server or driver failure no longer is fatal and does not require rebooting the computer. This paper discusses how we designed and implemented the system, which problems we encountered, and how we solved these problems. We also discuss the performance effects of our changes and evaluate how our multiserver design improves operating system dependability over monolithic designs.

  • Construction of a Highly Dependable Operating System
    2006
    Co-Authors: Jorrit N. Herder, Ben Gras, Philip Homburg, Herbert Bos, Andrew S Tanenbaum
    Abstract:

    It has been well established that most operating system crashes are due to bugs in device drivers. Because drivers are normally linked into the kernel address space, a buggy driver can wipe out kernel tables and bring the system crashing to a grinding halt. We have greatly mitigated this problem by reducing the kernel to an absolute minimum and running each driver as a separate, unprivileged user-mode process. In addition, we implemented a POSIX-conformant operating system, MINIX 3, as multiple user-mode servers. In this design, a server or driver failure no longer is fatal and does not require rebooting the computer. This paper discusses how we designed and implemented the system, which problems we encountered, and how we solved these problems. We also discuss the performance effects of our changes and evaluate how our multiserver design improves operating system dependability over monolithic designs.