MINIX3: A Reliable and Secure Operating System - Haxpohaxpo.nl/materials/haxpo2015ams/HAXPO HIGHLIGHT - Andrew Tanenbaum... · 1 MINIX3: A Reliable and Secure Operating System Andrew

1

MINIX3: A Reliable and SecureOperating System

Andrew S. Tanenbaum

and a team of students and programmers who actually did all the work

Vrije UniversiteitAmsterdam, The Netherlands

2

GOAL OF OUR WORK: BUILD A RELIABLE OS

Tanenbaum’s definition of a reliable OS:

“An operating system is said to be reliable when a typical user has never experienced even a single failure in his or her lifetime and does not know anybody who has ever experienced a failure.”

In engineering terms, this is probably mean time to failure > 50 years

I don’t think we are there yet

3

THE TELEVISION MODEL

1. You buy the television2. You plug it in3. It works perfectly for the next 10 years

4

THE COMPUTER MODEL (WINDOWS EDITION)

1. You buy the computer 2. You plug it in 3. You install service packs 1 through 9f 4. You install 18 new emergency security patches 5. You find and install 7 new device drivers 6. You install antivirus software 7. You install antispyware software 8. You install antihacker software (firewall) 9. You install antispam software10. You reboot the computer

5

THE COMPUTER MODEL (2)

11. It doesn’t work12. You call the helpdesk13. You wait on hold for 30 minutes14. They tell you to reinstall Windows

6

TYPICAL USER REACTION

The New York Times recently reported that 25% of computer users have gotten so angry at their computerthat they physically hit it.

IS RELIABILITY SO IMPORTANT?

•  Annoying•  Lost work•  But also think about

–  Industrial control systems in factories–  Power grids–  Hospital operating rooms–  Banking and e-commerce servers–  Emergency phone centers–  Control software in cars, airplanes, etc.

7

IS THIS FEASIBLE?

•  We won’t find out if we don’t try•  Dutch Royal Academy gave me €2 million to try•  European Union gave me €2.5 million to give it a shot•  So, we’re trying

8

9

IS RELIABILITY ACHIEVABLE AT ALL?

•  Systems can survive hardware failures!–  RAIDs can survive failed disks–  ECC memory can survive parity errors in memory–  TCP/IP can survive lost packets–  CD-ROM drives can correct many simultaneous errors

•  We need to be able to survive software failures, too

10

A NEED TO RETHINK OPERATING SYSTEMS

•  Operating systems research need to be refocused–  We have nearly infinite hardware on PC-class machines–  Plenty of CPU cycles, RAM, bandwidth–  Current software has tons of (useless) features–  Consequently, the software is slow, bloated, and buggy

•  To achieve the TV model, future OSes, must be–  Small–  Simple–  Modular–  Reliable–  Secure–  Self-healing

BRIEF HISTORY OF OUR WORK

•  (1976) John Lions wrote a book on UNIX V6•  (1979) AT&T released V7 and forbade books on it L•  (1985) I started to write a UNIX-like OS from scratch•  (1987) MINIX 1 + book for teaching OS classes released•  (1997) MINIX 2 (POSIX) & 2nd edition of book released•  (2000) MINIX 2 license changed to BSD•  (2004) MINIX 3: start of work making a reliable OS•  (2006) 3rd edition of book•  (2008) European grant•  (2010) Focus moved towards embedded systems•  (2013) MINIX 3.3.0 moves to NetBSD “compatibility”

11

THREE EDITIONS OF THE BOOK

12

1 2 3

13

INTELLIGENT DESIGN

•  Microkernel (15,000 LoC vs. > 15 million for Linux)–  Bugs per 1000 LoC: Most S/W (1-10)–  MINIX 3 at least 15 kernel bugs; Linux has > 15,000–  Drivers have 3-7x more bugs than rest of kernel–  About 70% of the code is drivers

•  Highly modular•  OS runs as multiple user-mode server processes

AS APPLIED TO OPERATING SYSTEMS

14

STEP 1: ISOLATE COMPONENTS

•  Move all loadable modules out of the kernel–  includes all device drivers and file systems

•  Run each module as a separate process with POLA (Principle Of Least Authority)

15

STEP 2: ISOLATE I/O

•  Isolate I/O devices•  Limit access to I/O ports•  Constrain DMA (needs hardware assistance)

16

STEP 3: ISOLATE COMMUNICATION

•  Limit interprocess communication•  Restrict kernel calls on a per component basis•  Restrict IPC on a ‘need-to-communicate’ basis•  Make sure faulty receiver cannot hang sender

17

ARCHITECTURE OF MINIX 3

Shell Make User...

FS 1 FS 2 Proc. Other... ServersUsermode

Disk TTY Net Print Other... Drivers

Process

Microkernel handles interrupts, processes, scheduling, IPC

Kernelmode

18

USER-MODE DEVICE DRIVERS

•  Each driver runs as a user-mode process•  No superuser privileges•  Protected by the MMU•  Do not have access to I/O ports, privileged instrs

19

USER-MODE SERVERS

•  Each server runs as a separate process•  Some key servers

–  Virtual file server–  Actual file servers–  Process manager–  Memory manager–  Network server–  Reincarnation server

20

Usermode Servers

Drivers

Users

Kernel

A SIMPLIFIED EXAMPLE: DOING A READ

File access when the block is in the FS cache

1

2 3

4

User

Disk

FSFS

21

ServersUsermode

Drivers

Users

Kernel

FILE SERVER (2)

1

2

3

9

4

67,8

File access when the block is NOT in the FS cache

5

Notification

FS

User

Disk

22

REINCARNATION SERVER

•  Parent of all the drivers and servers•  When a driver or server dies, RS collects it•  RS checks a table for action to take e.g., restart it•  RS also pings drivers and servers frequently

23

DISK DRIVER RECOVERY

ServersUsermode

Drivers

Users

Kernel

User1

FS2

DiskdriverX 3. Crash!New

driver

4

RSRS

5

System is self healing—this is how we hope to make it reliable

24

KERNEL RELIABILITY/SECURITY

•  Fewer LoC means fewer kernel bugs•  Small kernel (15,000 LoC) means reduced TCB •  NO foreign code (e.g., drivers) in the kernel•  Static data structures (no malloc in kernel)•  Moving bugs to user space reduces their power

25

IPC RELIABILITY/SECURITY

•  Fixed-length messages (no buffer overruns)•  Rendezvous system was simple

–  No lost messages–  No buffer management–  We had to add asynchronous messages

•  Interrupts and messages are unified

26

DRIVER RELIABILITY/SECURITY

•  Untrusted code: heavily isolated•  Bugs, viruses cannot spread to other modules•  Cannot touch kernel data structures•  Bad pointers crash only one driver; recoverable•  Infinite loops detected and driver restarted•  Restricted power to do damage (not superuser)

27

OTHER ADVANTAGES OF USER DRIVERS

•  Short development cycle•  Normal programming model•  No down time for crash and reboot•  Easy debugging•  Good flexibility

28

FAULT INJECTION EXPERIMENT

•  We injected 800,000 faults into each of 3 drivers•  Done on the binary drivers•  Examples, change src addr, dest addr, loop condition•  100 faults were injected on each experiment•  Waited 1 sec to see if the driver crashed•  If no crash, inject another 100 faults and repeat•  The driver crashed in 18,038 trials•  The operating system NEVER crashed

29

PORT OF MINIX 3 TO ARM

•  Restructured source tree for multiple architectures•  Changed booting to support uboot for ARM•  Rewrote the low-level code dealing with hardware•  Changed code for context switching, paging, etc.•  Removed x86 segmentation code•  Imported NetBSD ARM headers and libraries•  Ported build.sh for cross-toolchain support•  Wrote drivers for SD card and other Beagle devices

30

EMBEDDED SYSTEMS

9 cm

5 cm

BeagleBone Black

31

CHARACTERISTICSItem Beaglebone Black

32


CPU ARM v7

33


CPU ARM v7Clock 1 GHz

34


CPU ARM v7Clock 1 GHzRAM 512 MB

35


CPU ARM v7Clock 1 GHzRAM 512 MBFlash 4 GB

36


CPU ARM v7Clock 1 GHzRAM 512 MBFlash 4 GBVideo HDMI/1080p

37


CPU ARM v7Clock 1 GHzRAM 512 MBFlash 4 GBVideo HDMI/1080pGPIO pins 92

38


CPU ARM v7Clock 1 GHzRAM 512 MBFlash 4 GBVideo HDMI/1080pGPIO pins 92Ethernet 10/100 Mbps

39


CPU ARM v7Clock 1 GHzRAM 512 MBFlash 4 GBVideo HDMI/1080pGPIO pins 92Ethernet 10/100 MbpsUSB 1

40


CPU ARM v7Clock 1 GHzRAM 512 MBFlash 4 GBVideo HDMI/1080pGPIO pins 92Ethernet 10/100 MbpsUSB 1Open source Yes

41


CPU ARM v7Clock 1 GHzRAM 512 MBFlash 4 GBVideo HDMI/1080pGPIO pins 92Ethernet 10/100 MbpsUSB 1Open source YesPrice (quantity 1) $45

42

CHARACTERISTICSItem Beaglebone Black Raspberry Pi B+

CPU ARM v7Clock 1 GHzRAM 512 MBFlash 4 GBVideo HDMI/1080pGPIO pins 92Ethernet 10/100 MbpsUSB 1Open source YesPrice (quantity 1) $45

43


CPU ARM v7 ARM v6Clock 1 GHzRAM 512 MBFlash 4 GBVideo HDMI/1080pGPIO pins 92Ethernet 10/100 MbpsUSB 1Open source YesPrice (quantity 1) $45

44


CPU ARM v7 ARM v6Clock 1 GHz 700 MHzRAM 512 MBFlash 4 GBVideo HDMI/1080pGPIO pins 92Ethernet 10/100 MbpsUSB 1Open source YesPrice (quantity 1) $45

45


CPU ARM v7 ARM v6Clock 1 GHz 700 MHzRAM 512 MB 512 MBFlash 4 GBVideo HDMI/1080pGPIO pins 92Ethernet 10/100 MbpsUSB 1Open source YesPrice (quantity 1) $45

46


CPU ARM v7 ARM v6Clock 1 GHz 700 MHzRAM 512 MB 512 MBFlash 4 GB NoneVideo HDMI/1080pGPIO pins 92Ethernet 10/100 MbpsUSB 1Open source YesPrice (quantity 1) $45

47


CPU ARM v7 ARM v6Clock 1 GHz 700 MHzRAM 512 MB 512 MBFlash 4 GB NoneVideo HDMI/1080p HDMI/1080pGPIO pins 92Ethernet 10/100 MbpsUSB 1Open source YesPrice (quantity 1) $45

48


CPU ARM v7 ARM v6Clock 1 GHz 700 MHzRAM 512 MB 512 MBFlash 4 GB NoneVideo HDMI/1080p HDMI/1080pGPIO pins 92 40Ethernet 10/100 MbpsUSB 1Open source YesPrice (quantity 1) $45

49


CPU ARM v7 ARM v6Clock 1 GHz 700 MHzRAM 512 MB 512 MBFlash 4 GB NoneVideo HDMI/1080p HDMI/1080pGPIO pins 92 40Ethernet 10/100 Mbps 10/100 MbpsUSB 1 Open source YesPrice (quantity 1) $45

50


CPU ARM v7 ARM v6Clock 1 GHz 700 MHzRAM 512 MB 512 MBFlash 4 GB NoneVideo HDMI/1080p HDMI/1080pGPIO pins 92 40Ethernet 10/100 Mbps 10/100 MbpsUSB 1 4Open source YesPrice (quantity 1) $45

51


CPU ARM v7 ARM v6Clock 1 GHz 700 MHzRAM 512 MB 512 MBFlash 4 GB NoneVideo HDMI/1080p HDMI/1080pGPIO pins 92 40Ethernet 10/100 Mbps 10/100 MbpsUSB 1 4Open source Yes NoPrice (quantity 1) $45

52


CPU ARM v7 ARM v6Clock 1 GHz 700 MHzRAM 512 MB 512 MBFlash 4 GB NoneVideo HDMI/1080p HDMI/1080pGPIO pins 92 40Ethernet 10/100 Mbps 10/100 MbpsUSB 1 4Open source Yes NoPrice (quantity 1) $45 $35

I ADMIT I WAS WRONG

•  On 29 Jan 1992 I posted to comp.os.minix this:

•  “Don`t get me wrong, I am not unhappy with LINUX. It will get all the people who want to turn MINIX in BSD UNIX off my back.”

•  I Apologize. Now I do want to turn MINIX into BSD. It just took me 20 years to realize this.

53

MINIX 3 MEETS BSD

54

+ =

BSD Daemon is copyright 1988 by Marshall Kirk McKusick and is used with permission.

OR MAYBE

55

WHY BSD?

•  MINIX 3 didn’t have enough application software•  BSD is a proven, portable, quality product•  BSD has better code quality than Linux•  Pkgsrc handles packages better than what we had•  Thousands of excellent packages available•  Active community•  License compatibility•  Why NetBSD?•  Mostly due to its emphasis on portability

56

NETBSD FEATURES IN MINIX 3.3.0

•  Clang/LLVM compiler•  NetBSD build system•  ELF file format•  Source code tree modeled on NetBSD•  Headers and libraries are from NetBSD•  X11•  Pkgsrc works and builds 5040 NetBSD packages•  Nevertheless, it is built on MINIX 3 kernel & servers

57

NETBSD FEATURES MISSING IN MINIX 3.3.0

•  Kernel threads (we do have userland pthreads)•  Some system calls:

–  All _LWP*, MSG*, SEM* calls–  CLONE–  Some GET, IOCTL calls–  KQUEUE, KTRACE–  VFORK–  Job control–  Some other minor calls

•  Nevertheless, we can build over 5000 packages

58

KYUA TESTS

59

Conclusion: 2139 out of 2651 passed (81%)

60

SYSTEM ARCHITECTURE

…

Servers

Drivers

Microkernel (this is the only part running in kernel mode)

Net

VFS

TTYDisk USB …

FS MM Reincarnat

Clang Pkgsrc (libc)

…

…Pkg 1 Pkg nUsers

OS(MINIX)

User- Land(NetBSD)

MINIX 3 ON THE THREE BEAGLE BOARDS

61

YOUR ROLE

•  MINIX 3 is an open-source project•  I hope some of you will join and help us•  Things to do

–  Add crucial missing system calls–  Port more packages (Java, a browser, etc.)–  Write the missing drivers for Beagle series–  Get it running on Raspberry Pi & other platforms–  Port Rump–  Port required libraries and then port a GUI

62

63

MINIX 3 IN A NUTSHELL

•  Microkernel reimplementation of NetBSD•  Fully open source with BSD license•  Highly compatible with NetBSD•  Supports both LLVM and gcc•  Uses NetBSD pkgsrc•  Over 5000 packages build•  Go get it at www.minix3.org and try it

64

POSITIONING OF MINIX

•  Show that multiserver systems are reliable•  Demonstrate that drivers belong in user mode•  High-reliability and fault-tolerant applications•  $50 single-chip, small-RAM laptops for 3rd world•  Embedded systems

FUTURE FEATURE: LIVE UPDATE

•  Software is updated to:–  Fix bugs–  Improve performance–  Add new features

•  Goal is to update OS to a new version w/o reboot•  Running processes must NOT be restarted•  New version of OS may have new data structures•  Lots of state in there: open files, timers,etc.

65

EXAMPLE OF HOW WOULD THIS WORK

66

A Apache still running

FreeBSD 10.2

•  Replace the OS while user processes are running•  Very difficult to do with BSD, Linux, Windows, etc.

Apache running

FreeBSD 10.1

A

Kernel

User

LIVE UPDATE IN MINIX

67

Apache runningA

FS 6.0

MM Dri-ver

Kernel

User

User

Microkernel

A

FS 7.0

MM Dri-ver

Apache still running

Microkernel

HOW DO WE DO THE UPDATE?

•  Manager tells some process (e.g. Old-FS) to get ready•  Old-FS finishes its work and queues new work•  Manager creates New-FS process with new code•  LLVM puts tables inside New-FS listing its data objects•  New-FS contacts Old-FS and asks for state it needs•  The state is transferred one object at a time•  When all state is transferred, Third-FS is created•  It talks to New-FS and tries to recreate Old-FS•  If they agree New-FS becomes FS, else revert to Old-FS•  Like translating English to Dutch, then Dutch to English

68

HOW THE UPDATE WORKS

69

A

FS 6.0

Apache running

Microkernel

Old FS


70

A

FS 6.0

Apache running

Microkernel

Getready


71

A

FS 6.0

Apache running

Microkernel

FS 7.0


72

A

GFS 6.0

Apache running

Microkernel

FS 7.0

I need variable x


73

A

FS 6.0

Apache running

Microkernel

FS 7.0

Here is variable x


74

A

FS 6.0

Apache running

Microkernel

FS 7.0

FS ?


75

A

FS 6.0

Apache running

Microkernel

FS 7.0

FS ?

I need variable x


76

A

FS 6.0

Apache running

Microkernel

FS 7.0

FS ?

Here is variable x


77

Are these the same?

A

FS 6.0

Apache running

Microkernel

FS 7.0

FS ?


78

A Apache running

Microkernel

FS 7.0

79

MUCH BETTER THAN KSPLICE

•  KSPLICE can handle only small security patches•  KSPLICE patches the running process•  Over time, crud accumulates in the process•  If the update fails, there is no recovery

OTHER USES OF LIVE UPDATE

•  Enhanced security: –  Update the OS at a high rate to foil return-to-libc attacks–  Stop any attack that uses knowledge of memory layout–  Reduce exposure to information leakage attacks

•  Garbage collection in C (!)–  Only live data is copied over to the new version–  This can “fix” memory leaks (malloc but no free)

80

81

RESEARCH: FAULT INJECTION

Inject fault?

Originalunmodifiedbasic block

Basic blockwith faultinjected

This structure is created automatically by the LLVM compiler

82

NEW PROGRAM STRUCTURE

This can be optimizedby patching the originalbinary to get any test without recompilation Overhead is 8%

83

MINIX 3 LOGO

•  Why a raccoon?–  Small–  Cute–  Clever–  Agile–  Eats bugs–  More likely to visit your house than a penguin

84

WEBSITE: www.minix3.org

DOCUMENTATION IS IN A WIKI

•  Wiki.minix3.org•  You can help document the system

85

86

TRAFFIC TO WWW.MINIX3.ORG

Total visits to the main page since 2004: 3.1 million

Actual downloads since 2007: 650,000 (from the log)

87

MINIX 3 GOOGLE NEWSGROUP

88

CONCLUSION

•  Current OSes are bloated and unreliable•  MINIX 3 is an attempt at a reliable, secure OS•  Kernel is very small (15,000 LoC)•  OS runs as a collection of user processes•  Each driver is a separate process•  Each OS component has restricted privileges•  Faulty drivers can be replaced automatically•  Live update is possible (not in current release)

89

SURVEY

•  Please download MINIX 3 from www.minix3.org•  Give it a try•  Fill out the survey on the main page•  We have had 650,000 downloads but we don’t

know who they are or what they are doing•  We are trying to build a community

90

THE END

91

WEBSITE: www.minix3.org

92

93

MASTERS DEGREE AT THE VU

•  If you are interested in computer systems•  Look at our masters in parallel & distributed syst.•  Google me•  Look at my home page•  See video linked there or check out

pdcs.vu.nl

94

DISK PERFORMANCE

95

THE COST OF DRIVER RECOVERY•  We killed the Ethernet driver every Δt sec to

simulate repeated driver crashes

Driver recovery takes about 360 msec

96

RESEARCH: MULTICORE CHIPS

•  Network stack has components•  Chips may be heterogeneous•  Where to put each component?•  Experiments scaling frequencies•  Sometimes slower is faster!•  Sleep/wakeup is expensive

TCP IP

Ether Kernel

Multicore chip

Core

97

RESEARCH: NEW FILE SYSTEM--LORIS

•  Better reliabilty•  Better flexibility•  Handles heterogeneity better•  File rather than block oriented•  Uses checksums to detect corruption

VFS

Naming

Cache

Logical

Physical

Driver

Introduces concept of a logical file (1 or more phys files spread or striped over possiblyheterogeneous devices)

Documents

MINIX3: A Reliable and Secure Operating System - Haxpohaxpo.nl/materials/haxpo2015ams/HAXPO HIGHLIGHT - Andrew Tanenbaum... · 1 MINIX3: A Reliable and Secure Operating System Andrew