Singularity Overview Galen Hunt and James Larus Microsoft Research July 17, 2006 MSR Faculty Summit


Page 1: Singularity Overview
Galen Hunt and James Larus, Microsoft Research
July 17, 2006, MSR Faculty Summit

Page 2: Large, Diverse Research Team
Led by Galen Hunt and Jim Larus
MSR Cambridge: Paul Barham, Richard Black, Tim Harris, Rebecca Isaacs, Dushyanth Narayanan
MSR Redmond
  Advanced Compiler Technology Group: Juan Chen, Qunyan Mangus, Mark Plesko, Bjarne Steensgaard, David Tarditi
  Foundations of Software Engineering Group: Wolfgang Grieskamp
  Operating Systems Group: Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen Hunt, Steven Levi
  Security and Distributed Systems: Dan Simon, Brian Zill
  Software Design and Implementation Group: John DeTreville, Ben Zorn
  Software Improvement Group: Manuel Fahndrich, James Larus, Sriram Rajamani, Jakob Rehof
MSR Silicon Valley: Martin Abadi, Andrew Birrell, Ulfar Erlingsson, Roy Levin, Nick Murphy, Ted Wobber

Page 3: “Modern” OS And Applications
Design parameters: scarce resources; benign environment; knowledgeable and trained users
[Figure: timeline from 1970 to 1990 placing Multics, Unix, VMS, Windows (NT) and Linux]

Page 4: World Changed
Hardware and software industries were wildly successful: machines are fast, memory is cheap, computers are ubiquitous
Malicious environment: ubiquitous worms, viruses, scams, attacks, …
Few users understand computers or software

Page 5: Singularity
Goal: technology and techniques to build more dependable systems
  Dependable: predictable behavior and easily understood usage model
  Consumer satisfaction: new car vs. new PC; a car has .99 to .999 availability (9-90 hours down time/yr)
Research on new OS, languages, and tools
  attack problem from multiple directions
  working research prototype (not Windows replacement)
No magic bullet: mutually reinforcing improvements to languages and compilers, systems, and tools

Page 6: Key Approaches
1. Pervasive use of safe (& analyzable) programming languages
  type safety and memory safety, including device drivers, OS components, applications
2. Improve system resilience despite software errors
  failure boundaries between components
  improve extension model
  explicit error notification
3. Increased verification
  specification at multiple levels of abstraction
  closed environments with explicit cross-domain interfaces
  design for verifiability

Page 7: Singularity OS
Closed kernel: 95% written in C#
  17% of files contain unsafe C#; 5% of files contain x86 or C++
  OS services & drivers in processes; kernel closed at boot time
Software isolated processes (SIPs)
  all user code is verified safe; some unsafe code in trusted runtime
  processes closed at start time
Safe and efficient communication via strong interfaces
  channels between processes
  channel behavior is specified & checked; checked behavior enables efficient communication
Type safety is crux of verification and protection
[Figure: architecture diagram. Kernel: HAL, kernel ABI, page mgr, scheduler, chan mgr, proc mgr, i/o mgr, kernel class library. Processes: webserver (app. class libs.), TCP/IP stack (serv. class libs.), content extension (ext. class libs.), network driver (driver class libs.), each with its own runtime, connected to each other by channels.]

Page 8: Challenge 1: Pervasive Safe Languages
Singularity is written in extended C#, actually Spec# (C# + pre/post-conditions and invariants)
Added features for systems programming: increase programmer control over allocation, initialization, and memory layout
Language design to support programming and verification
  message passing
  factoring libraries into composable pieces
  compile-time reflection

Page 9: What About The Runtime?
JVM & CLR’s design not always appropriate: rich runtime (“one size fits all”)
  monolithic, general-purpose environment
  large memory footprints (~4 MB process for CLR)
  many dependencies (CLR PAL requires >300 Win32 APIs)
JIT compilation increases runtime size and complexity; unpredictable performance
Replicate OS functionality: security, threading, configuration, etc. More is less.

Page 10: Singularity Runtime
[Figure: a Singularity process assembled from libraries and the Singularity runtime (GC, etc.) by whole program optimization]

Page 11: Small, Customizable Runtime
Small execution environment
  ahead-of-time, global optimizing compiler (MSR Bartok) specializes runtime and libraries
  eliminate code for unused/disabled language features and unused application/library code
  factorable runtime and libraries
Runtime, garbage collector, and libraries selectable on per-process basis
  reduce memory and computation overhead
  enforce design discipline and system policies per process
Eliminate OS functionality from runtime: security, resource allocation, etc.
Provide OS mechanism for enforcing system policy: runtime can constrain behavior (e.g. driver environment)

Page 12: Runtime Overhead
C# process w/ GC has similar memory footprint to C++; minimal process (no GC or exceptions) is ~16K

Memory footprint, “Hello World” process:

                      Singularity   FreeBSD 5.3   Linux 2.6.11 (Red Hat FC4)   Windows XP (SP2)
  C - static lib                    232K          664K                         544K
  C++ - static lib                  704K          1,216K                       572K
  C# - w/ GC          408K*                                                    3,750K

Page 13: Challenge 2: Run-Time Resilience
Software errors should not cause system failure
Resilient system architecture
  isolate system components to prevent data corruption
  provide clear failure notification
  implement policy for restarting failed component

Page 14: Process Architectures
[Figure: OS kernel with application (App) and OS components]

Page 15: Open Process Architecture
Open processes
  dynamic code loading and runtime code generation: DLLs, Java class loading, browser plug-ins, device drivers in kernel, etc.
  cross-process memory sharing: system API allows one process to alter state of another
Near ubiquitous (Windows, Unix, etc.); originated in Multics
Shared state reduces dependability
  85% of Windows crashes are caused by third party code in kernel
  interfaces between extension and host are often poorly documented and understood
  no isolation boundary between code and extension
  extension can access non-public interfaces (reflection)

Page 16: Single Process Architecture
All code and data in single address space; rely on language and memory safety to isolate components
  dynamic code loading and runtime code generation
  easy data sharing
Xerox PARC (Cedar, Smalltalk, etc.) and Lisp Machine model; Java and .NET model as well
Runtime is single point of failure; shared runtime must also meet all applications’ requirements
Rely on garbage collection to reclaim resources (finalizers)
Difficult to constrain interactions

Page 17: Isolates And AppDomains Are Still Interdependent
[Figure: three App boxes inside one shared environment]

Page 18: Singularity Sealed Processes
Singularity processes are sealed
  no dynamic code loading or run-time code generation
  all code present when process starts execution
Extensions execute in separate processes
  separate closed environments with well-defined interfaces
  no shared memory
Process is fundamental unit of failure isolation
Better: security, verification, failure handling, optimization
[Figure: OS kernel with sealed processes]

Page 19: Static Benefit Of Sealed Processes
Reduces process code size by up to 75%. Fewer code paths => better optimization & error analysis

  Program             Whole Code   Reachable Code   % Reduction
  Kernel              2.37 MB      1.29 MB          46%
  IDE Disk Driver     1.85 MB      455 KB           75%
  Web Server          2.73 MB      765 KB           72%
  Content Extension   2.14 MB      502 KB           77%

Page 20: Need For Lightweight Processes
Existing processes rely on expensive hardware virtual memory and protection mechanisms
  VM prevents reference to other processes’ pages
  protection prevents unprivileged code from accessing system resources (e.g. VM page tables)
Processes are expensive to create and schedule; encourages monolithic program development
  large, undifferentiated applications
  dynamic code loading
  threading to allow independent control flow

Page 21: Software Isolated Processes (SIPs)
Protection and isolation enforced by language safety and kernel API design, not hardware
  process owns a set of pages
  all of a process’s objects reside on its pages (object space, not address space)
  language safety ensures process can’t create or mutate references to other pages
Global invariants:
  no process contains a pointer to another process’s object space
  no pointers from exchange heap into process
[Figure: processes P1, P2, P3, each with its own object space]

Page 22: Interprocess Communications
Channels are strongly typed (value and behavior), bidirectional communications ports
  message passing with extensive language support
Messages live outside processes, in exchange heap; only a single reference to a message
“Mailbox” semantics enforced by linear types
[Figure: processes P1, P2, P3 exchanging messages through the exchange heap]

Page 23: Failure Isolation
SIPs are failure containers
  no shared implementation or state across SIPs
  process runtimes are distinct
On SIP failure:
  clean failure notification on peer channel endpoints
  resources reclaimed by OS
Recovery feasible, not automatic or transparent; peers can recover and continue
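The ownership rules of pages 21 through 23 (one reference per message, no pointers from the exchange heap into a process, clean failure notification and reclamation when a SIP dies), as an added Python model that is not Singularity code; the Kernel, Handle and PeerFailed classes, the `rejected` helper and the SIP and channel names are this example's own, and the checks it performs at run time are the ones Sing#'s linear types make at compile time.

```python
from dataclasses import dataclass, field

class OwnershipError(Exception):
    """Rejection that Sing#'s linear types would make at compile time."""

@dataclass(frozen=True)
class Handle:
    id: int          # the single reference to an exchange-heap block

@dataclass(frozen=True)
class PeerFailed:
    peer: str        # clean failure notification delivered on the surviving endpoint

@dataclass
class Block:
    owner: str       # a SIP name, or "channel:<name>" while the message is in flight
    payload: object

@dataclass
class Channel:
    ends: tuple      # the two SIPs holding the endpoints
    queue: list = field(default_factory=list)
    closed_by: str = ""   # name of the failed endpoint holder, once there is one

@dataclass
class Kernel:
    heap: dict = field(default_factory=dict)       # block id -> Block (the exchange heap)
    channels: dict = field(default_factory=dict)   # channel name -> Channel
    next_id: int = 1

    def exchangeable(self, value) -> bool:
        # Invariant: no pointers from the exchange heap into a process. A message may hold
        # scalars and handles of other exchange-heap blocks, never a process's own objects.
        if isinstance(value, (bool, int, float, str, bytes, type(None))):
            return True
        return isinstance(value, Handle) and value.id in self.heap

    def allocate(self, sip: str, payload) -> Handle:
        if not self.exchangeable(payload):
            raise OwnershipError("message would point into a process's object space")
        h, self.next_id = Handle(self.next_id), self.next_id + 1
        self.heap[h.id] = Block(sip, payload)
        return h

    def _owned(self, who: str, h: Handle) -> Block:
        b = self.heap.get(h.id)
        if b is None or b.owner != who:
            raise OwnershipError(f"{who} does not own block {h.id}")
        return b

    def read(self, sip: str, h: Handle):
        return self._owned(sip, h).payload

    def open_channel(self, name: str, a: str, b: str) -> None:
        self.channels[name] = Channel((a, b))

    def _endpoint(self, sip: str, name: str) -> Channel:
        c = self.channels[name]
        if sip not in c.ends:
            raise OwnershipError(f"{sip} holds no endpoint of {name}")
        return c

    def send(self, sip: str, name: str, h: Handle) -> None:
        c = self._endpoint(sip, name)
        if c.closed_by:
            raise OwnershipError(f"{name} is closed: {c.closed_by} failed")
        self._owned(sip, h).owner = f"channel:{name}"   # the sender's reference is consumed
        c.queue.append(h)

    def receive(self, sip: str, name: str):
        c = self._endpoint(sip, name)
        if c.queue:
            h = c.queue.pop(0)
            self.heap[h.id].owner = sip                  # ownership moves to the receiver
            return h
        if c.closed_by:
            return PeerFailed(c.closed_by)
        return None                                      # nothing pending

    def fail(self, sip: str) -> None:
        """SIP failure: the OS reclaims every block the SIP owns and closes its channels."""
        for bid in [i for i, b in self.heap.items() if b.owner == sip]:
            del self.heap[bid]
        for c in self.channels.values():
            if sip in c.ends and not c.closed_by:
                c.closed_by = sip

def rejected(action) -> bool:
    """True when the kernel refuses the action (where Sing# would fail to compile)."""
    try:
        action()
    except OwnershipError:
        return True
    return False
```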

Page 24: Would You Trust Your System To A Type System?
Process integrity depends on type and memory safety
  currently trust compiler and runtime
  TAL can eliminate compiler from trusted computing base
Working on verifying the GC as well
[Figure: two toolchain pipelines. Sing#/C# source is compiled by csc/sgc to MSIL+ (byte code verification), then by bartok to x86 for the Singularity system. In the first pipeline the Singularity TCB includes bartok (compiler verification); in the second a safety proof on the x86 output supports application verification instead, so bartok leaves the TCB.]

Page 25: Hardware Protection Is Orthogonal
[Figure: six configurations (1 to 6) of application SIPs and system processes across the kernel domain and a non-kernel domain: SIP-Phys, SIP-Page, HIP-R0, HIP-R0-S, HIP-R3, HIP-R3-S]

Page 26: Cost Of Hardware And Software Isolation
[Figure: two bar charts of relative performance, one for the Bartok metric and one for the WebFiles metric, across SIP-Phys, SIP-Page, HIP-R0, HIP-R0-S, HIP-R3 and HIP-R3-S; the WebFiles chart carries an off-scale annotation of 5.5 – 6.8]

Page 27: Micro Benchmarks
Athlon64 3000+ (1.8GHz), nForce4 SLI

  Cost (CPU Cycles)          Singularity   FreeBSD 5.3   Linux 2.6.11 (Red Hat FC4)   Windows XP (SP2)
  Minimum kernel API call    80            878           437                          627
  Message request/reply      1,041         13,300        5,800                        (LPC) 4,650 / (NP) 6,340
  Process create & start     388,000       1,030,000     719,000                      5,380,000

Why?
  all SIPs run in ring 0
  static verification replaces hardware protection
  good optimizing compiler (not JIT)

Page 28: Challenge 3: More Verification
Integrate specifications throughout system: language, interprocess communication, system configuration
Detect errors early, verify code late; language safety essential to system integrity
[Figure: toolchain diagram. Sing#/C# source, csc/sgc, MSIL+ with byte code verification, bartok with compiler verification, x86, Singularity system and Singularity TCB; a safety proof on the x86 output is checked by typed assembly language verification.]

Page 29: Example: Channel Contracts

  public contract TcpSocketContract {
      ...
      state Connected : one {
          Read? -> ReadResult;
          Write? -> WriteResult;
          GetLocalAddress? -> IPAddress! -> Connected;
          GetLocalPort? -> Port! -> Connected;
          DoneSending? -> ReceiveOnly;
          DoneReceiving? -> SendOnly;
          Close? -> Closed;
          Abort? -> Closed;
      }
      state Reading : one {
          Data! -> Connected;
          NoMoreData! -> SendOnly;
          RemoteClose! -> Zombie;
      }
      ...
  }

? = receive, ! = send
[Figure: state diagram. Connected goes to Reading on Read?; Reading returns to Connected on Data!, goes to SendOnly on NoMoreData!, and goes to Zombie on RemoteClose!]

Page 30: Example: Channel Contracts

  public contract TcpConnectionContract {
      ...
      state Connected : one {
          Read? -> ReadResult;
          Write? -> WriteResult;
          GetLocalAddress? -> IPAddress! -> Connected;
          GetLocalPort? -> Port! -> Connected;
          DoneSending? -> ReceiveOnly;
          DoneReceiving? -> SendOnly;
          Close? -> Closed;
          Abort? -> Closed;
      }
      state Reading : one {
          Data! -> Connected;
          NoMoreData! -> SendOnly;
          RemoteClose! -> Zombie;
      }
      ...
  }

Contract client:

  ...
  conn.SendRead();
  switch receive {
      case conn.Data(readData) :
          dataBuffer.AddToTail(readData);
          return true;
      case conn.RemoteClose() :
          return false;
  }
  ...

Page 31: Example: Channel Contracts

Contract client (against the TcpConnectionContract of page 30):

  ...
  conn.SendRead();
  switch receive {
      case conn.Data(readData) :
          dataBuffer.AddToTail(readData);
          return true;
      case conn.RemoteClose() :
          return false;
  }
  ...

Contract conformance statically detects subtle errors such as deadlock.

Missing case:

      case conn.NoMoreData() :
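A conformance check of the kind the slides describe, written as an added Python example rather than the Sing# compiler's own check. The contract is transcribed from the slides; the intermediate states AwaitLocalAddress and AwaitLocalPort, the equating of ReadResult with Reading, and the `check_client` step format are this example's assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transition:
    message: str
    direction: str   # "?" the client sends this message; "!" the exporter sends it
    target: str      # contract state after the message

# Transcription of the TcpConnectionContract states shown on the slides. The slide's
# "Read? -> ReadResult" and "state Reading" are taken to name the same state, and the
# GetLocalAddress/GetLocalPort request-reply pairs get intermediate states (both assumptions).
TCP_CONTRACT = {
    "Connected": [
        Transition("Read", "?", "Reading"),
        Transition("Write", "?", "WriteResult"),
        Transition("GetLocalAddress", "?", "AwaitLocalAddress"),
        Transition("GetLocalPort", "?", "AwaitLocalPort"),
        Transition("DoneSending", "?", "ReceiveOnly"),
        Transition("DoneReceiving", "?", "SendOnly"),
        Transition("Close", "?", "Closed"),
        Transition("Abort", "?", "Closed"),
    ],
    "AwaitLocalAddress": [Transition("IPAddress", "!", "Connected")],
    "AwaitLocalPort": [Transition("Port", "!", "Connected")],
    "Reading": [
        Transition("Data", "!", "Connected"),
        Transition("NoMoreData", "!", "SendOnly"),
        Transition("RemoteClose", "!", "Zombie"),
    ],
}

def check_client(contract, state, steps):
    """Check a client's channel operations against the contract from a given state.

    steps is a list of ("send", message) or ("receive", {handled messages}), modelling
    conn.SendX() calls and a "switch receive" block; every branch of a receive continues
    with the remaining steps.  Returns a list of conformance errors.  An exporter message
    the client does not handle is the slide's case: the client would block forever on
    it, which is the deadlock the slide mentions.
    """
    errors = []
    for i, (op, arg) in enumerate(steps):
        allowed = contract.get(state, [])
        if op == "send":
            hits = [t for t in allowed if t.direction == "?" and t.message == arg]
            if not hits:
                errors.append(f"step {i}: cannot send {arg} in state {state}")
                return errors
            state = hits[0].target
        elif op == "receive":
            expected = {t.message: t.target for t in allowed if t.direction == "!"}
            handled = set(arg)
            for missing in sorted(expected.keys() - handled):
                errors.append(f"step {i}: receive in state {state} does not handle {missing}")
            for dead in sorted(handled - expected.keys()):
                errors.append(f"step {i}: case {dead} can never arrive in state {state}")
            rest = steps[i + 1:]
            for message in sorted(handled & expected.keys()):
                errors.extend(check_client(contract, expected[message], rest))
            return errors
        else:
            raise ValueError(f"unknown operation {op!r}")
    return errors

# The client fragment from the slide, and the same fragment with the missing case added.
SLIDE_CLIENT = [("send", "Read"), ("receive", {"Data", "RemoteClose"})]
FIXED_CLIENT = [("send", "Read"), ("receive", {"Data", "NoMoreData", "RemoteClose"})]

if __name__ == "__main__":
    print(check_client(TCP_CONTRACT, "Connected", SLIDE_CLIENT))   # one missing-case error
    print(check_client(TCP_CONTRACT, "Connected", FIXED_CLIENT))   # []
```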

Page 32: Example: Application Specifications
Application is first-class abstraction with identity: code + resources + manifest
Manifest specifies
  software components
  dependencies
  exported channels
  hardware or software resource requirements

Page 33: Device Driver Specification

  [DriverCategory]
  [Signature("/pci/03/00/5333/8811")]
  class S3Trio64Config : DriverCategoryDeclaration
  {
      [IoMemoryRange(0, Length = 0x400000)]
      IoMemoryRange frameBuffer;

      [IoFixedMemoryRange(Base = 0xb8000, Length = 0x8000)]
      IoMemoryRange textBuffer;
      ...
      [IoFixedPortRange(Base = 0x3c0, Length = 0x20)]
      IoPortRange control;

      [ExtensionEndpoint(typeof(ExtensionContract.Exp))]
      TRef<ExtensionContract.Exp:Start> pnp;

      [ServiceEndpoint(typeof(VideoDeviceContract.Exp))]
      TRef<ServiceProviderContract.Exp:Start> video;
      ...
  }

Annotations on the declaration:
  requires PCI device
  requires 4MB frame buffer (declared in PCI config)
  requires system console buffer
  requires channel to parent process for control
  provides channel for clients to access video device
  requires VGA I/O ports

Page 34: Specification Used In Many Ways
[Figure: the driver specification checked against the kernel (page mgr, scheduler, chan mgr, proc mgr, i/o mgr, kernel class library) and the driver class library in three steps: 1. Load driver, 2. Allocate I/O objects, 3. Create channels; a conflict is flagged. Panel title: Abolish Runtime Systems]

Page 35: Verification Of System Configuration
Verification ensures
  never install a program that will break another program
  never start a program without appropriate resources
  never grant a program access to undeclared resources
All of these checks performed statically
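The three guarantees above, applied to the S3Trio64Config declaration from page 33, as an added Python example that is not Singularity's verifier. The IoRange and DriverManifest classes, the PCI BAR base address, the service table and the second driver OtherVga are constructed here; only the S3Trio64 claims come from the slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IoRange:
    kind: str      # "mem" for IoMemoryRange, "port" for IoPortRange
    base: int
    length: int

    @property
    def end(self) -> int:
        return self.base + self.length

    def overlaps(self, other: "IoRange") -> bool:
        return self.kind == other.kind and self.base < other.end and other.base < self.end

    def contains(self, other: "IoRange") -> bool:
        return self.kind == other.kind and self.base <= other.base and other.end <= self.end

@dataclass
class DriverManifest:
    name: str
    signature: str     # device the driver binds to, e.g. "/pci/03/00/5333/8811"
    fixed: tuple       # IoFixed*Range claims, known at install time
    bars: dict         # PCI BAR index -> length required, resolved at start from PCI config
    requires: tuple    # contracts the driver needs from its parent
    provides: tuple    # contracts it exports to clients

# Transcribed from the S3Trio64Config declaration on the slide.
S3TRIO64 = DriverManifest(
    name="S3Trio64", signature="/pci/03/00/5333/8811",
    fixed=(IoRange("mem", 0xb8000, 0x8000), IoRange("port", 0x3c0, 0x20)),
    bars={0: 0x400000},
    requires=("ExtensionContract",), provides=("VideoDeviceContract",),
)

# Constructed driver whose fixed port claim lands inside the VGA window above.
CONFLICTING = DriverManifest(
    name="OtherVga", signature="/pci/03/00/ffff/0001",
    fixed=(IoRange("port", 0x3d0, 0x10),), bars={}, requires=(), provides=(),
)

def install_check(installed, candidate):
    """Never install a program that will break another: fixed claims may not overlap."""
    errors = []
    for other in installed:
        for mine in candidate.fixed:
            for theirs in other.fixed:
                if mine.overlaps(theirs):
                    errors.append(f"{candidate.name}: {mine.kind} {mine.base:#x}+{mine.length:#x} "
                                  f"conflicts with {other.name}")
    return errors

def start_check(manifest, devices, services):
    """Never start a program without its resources.

    devices maps a signature to {BAR index: (base, length)} as read from PCI config
    (constructed in the test); services is the set of contracts some running process
    provides.  Returns (errors, granted ranges); nothing is granted unless every
    check passes.
    """
    errors, granted = [], list(manifest.fixed)
    cfg = devices.get(manifest.signature)
    if cfg is None:
        return [f"{manifest.name}: no device matching {manifest.signature}"], []
    for idx, need in manifest.bars.items():
        if idx not in cfg or cfg[idx][1] < need:
            errors.append(f"{manifest.name}: BAR{idx} missing or smaller than {need:#x}")
        else:
            granted.append(IoRange("mem", cfg[idx][0], need))
    for contract in manifest.requires:
        if contract not in services:
            errors.append(f"{manifest.name}: no provider for {contract}")
    return errors, ([] if errors else granted)

def access_allowed(granted, request):
    """Never grant access to undeclared resources: I/O objects are handed out only
    inside ranges the manifest declared and the kernel granted at start."""
    return any(g.contains(request) for g in granted)
```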

Page 36: Summary
Singularity is basis for more dependable systems
  pervasive use of safe programming languages
  lightweight, closed, customizable run-time environment
  verifiable specification of system behavior
Working research prototype driving research in large number of areas
More information: http://research.microsoft.com/os/singularity (growing number of TRs & papers)

Page 37: © 2006 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
