Singularity Overview
Galen Hunt and James Larus, Microsoft Research
July 17, 2006, MSR Faculty Summit
Large, Diverse Research Team
Led by Galen Hunt and Jim Larus
MSR Cambridge: Paul Barham, Richard Black, Tim Harris, Rebecca Isaacs, Dushyanth Narayanan
MSR Redmond
- Advanced Compiler Technology Group: Juan Chen, Qunyan Mangus, Mark Plesko, Bjarne Steensgaard, David Tarditi
- Foundations of Software Engineering Group: Wolfgang Grieskamp
- Operating Systems Group: Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen Hunt, Steven Levi
- Security and Distributed Systems: Dan Simon, Brian Zill
- Software Design and Implementation Group: John DeTreville, Ben Zorn
- Software Improvement Group: Manuel Fahndrich, James Larus, Sriram Rajamani, Jakob Rehof
MSR Silicon Valley: Martin Abadi, Andrew Birrell, Ulfar Erlingsson, Roy Levin, Nick Murphy, Ted Wobber
“Modern” OS And Applications
Design parameters:
- scarce resources
- benign environment
- knowledgeable and trained users
Timeline (1970, 1980, 1990): Multics, Unix, VMS, Windows (NT), Linux
World Changed
Hardware and software industries were wildly successful:
- machines are fast
- memory is cheap
- computers are ubiquitous
Malicious environment: ubiquitous worms, viruses, scams, attacks, …
Few users understand computers or software
Singularity
Goal: technology and techniques to build more dependable systems
- Dependable: predictable behavior and easily understood usage model
- consumer satisfaction: new car vs. new PC; a car has .99 to .999 availability (9-90 hours down time/yr)
Research on new OS, languages, and tools
- attack the problem from multiple directions
- working research prototype (not a Windows replacement)
No magic bullet: mutually reinforcing improvements to languages and compilers, systems, and tools
Key Approaches
1. Pervasive use of safe (& analyzable) programming languages
   - type safety and memory safety
   - including device drivers, OS components, applications
2. Improve system resilience despite software errors
   - failure boundaries between components
   - improve extension model
   - explicit error notification
3. Increased verification
   - specification at multiple levels of abstraction
   - closed environments with explicit cross-domain interfaces
   - design for verifiability
Singularity OS
Closed kernel
- 95% written in C#
- 17% of files contain unsafe C#
- 5% of files contain x86 or C++
OS services & drivers in processes
- kernel closed at boot time
Software isolated processes (SIPs)
- all user code is verified safe
- some unsafe code in trusted runtime
- processes closed at start time
Safe and efficient communication via strong interfaces
- channels between processes
- channel behavior is specified & checked
- checked behavior enables efficient communication
Type safety is the crux of verification and protection
[Figure: Singularity OS architecture. Kernel: HAL, scheduler, channel manager, process manager, I/O manager, page manager, kernel class library, kernel ABI. Processes, each with its own runtime and class libraries: web server, TCP/IP stack, content extension, network driver, connected to each other by channels.]
Challenge 1: Pervasive Safe Languages
Singularity is written in extended C#, actually Spec# (C# + pre/post-conditions and invariants)
Added features for systems programming: increase programmer control over allocation, initialization, and memory layout
Language design to support programming and verification
- message passing
- factoring libraries into composable pieces
- compile-time reflection
What About The Runtime?
JVM & CLR’s design not always appropriate
- rich runtime (“one size fits all”)
  - monolithic, general-purpose environment
  - large memory footprints (~4 MB process for CLR)
  - many dependencies (CLR PAL requires >300 Win32 APIs)
- JIT compilation increases runtime size and complexity; unpredictable performance
- replicates OS functionality: security, threading, configuration, etc.; more is less
Singularity Runtime
[Figure: a Singularity process consists of libraries plus the Singularity runtime (GC, etc.), compiled together by whole program optimization.]
Small, Customizable Runtime
Small execution environment
- ahead-of-time, global optimizing compiler (MSR Bartok) specializes runtime and libraries
- eliminate code for unused/disabled language features and unused application/library code
- factorable runtime and libraries
Runtime, garbage collector, and libraries selectable on a per-process basis
- reduce memory and computation overhead
- enforce design discipline and system policies per process
Eliminate OS functionality from runtime: security, resource allocation, etc.
Provide OS mechanism for enforcing system policy: runtime can constrain behavior (e.g. driver environment)
Runtime Overhead
C# process w/ GC has similar memory footprint to C++; minimal process (no GC or exceptions) is ~16K

Memory footprint of a “Hello World” process:

                    Singularity   FreeBSD 5.3   Linux 2.6.11 (Red Hat FC4)   Windows XP (SP2)
C - static lib      -             232K          664K                         544K
C++ - static lib    -             704K          1,216K                       572K
C# - w/ GC          408K*         -             -                            3,750K
Challenge 2: Run-Time Resilience
Software errors should not cause system failure
Resilient system architecture
- isolate system components to prevent data corruption
- provide clear failure notification
- implement policy for restarting a failed component
Process Architectures
[Figure: OS kernel, applications (App) and OS components as processes.]
Open Process Architecture
Open processes
- dynamic code loading and runtime code generation: DLLs, Java class loading, browser plug-ins, device drivers in kernel, etc.
- cross-process memory sharing: system API allows one process to alter the state of another
Near ubiquitous (Windows, Unix, etc.); originated in Multics
Shared state reduces dependability
- 85% of Windows crashes are caused by third party code in the kernel
- interfaces between extension and host are often poorly documented and understood
- no isolation boundary between code and extension
- extension can access non-public interfaces (reflection)
Single Process Architecture
All code and data in a single address space
- rely on language and memory safety to isolate components
- dynamic code loading and runtime code generation
- easy data sharing
Xerox PARC (Cedar, Smalltalk, etc.) and Lisp Machine model; Java and .NET model as well
Runtime is a single point of failure: shared runtime must also meet all applications’ requirements
Rely on garbage collection to reclaim resources: finalizers
Difficult to constrain interactions
Isolates And AppDomains Are Still Interdependent
[Figure: multiple App boxes side by side.]
Singularity Sealed Processes
Singularity processes are sealed
- no dynamic code loading or run-time code generation
- all code present when the process starts execution
- extensions execute in separate processes
- separate closed environments with well-defined interfaces
- no shared memory
Process is the fundamental unit of failure isolation
Better: security, verification, failure handling, optimization
[Figure: OS kernel with sealed processes above it.]
Static Benefit Of Sealed Processes
Reduces process code size by up to 75%. Fewer code paths => better optimization & error analysis

Program             Whole Code   Reachable Code   % Reduction
Kernel              2.37 MB      1.29 MB          46%
IDE Disk Driver     1.85 MB      455 KB           75%
Web Server          2.73 MB      765 KB           72%
Content Extension   2.14 MB      502 KB           77%
Need For Lightweight Processes
Existing processes rely on expensive hardware virtual memory and protection mechanisms
- VM prevents reference to other processes’ pages
- protection prevents unprivileged code from accessing system resources (e.g. VM page tables)
Processes are expensive to create and schedule, which encourages monolithic program development
- large, undifferentiated applications
- dynamic code loading
- threading to allow independent control flow
Software Isolated Processes (SIPs)
Protection and isolation enforced by language safety and kernel API design, not hardware
- process owns a set of pages
- all of a process’s objects reside on its pages (object space, not address space)
- language safety ensures a process can’t create or mutate references to other pages
Global invariants:
- no process contains a pointer to another process’s object space
- no pointers from the exchange heap into a process
[Figure: processes P1, P2, P3 with disjoint object spaces.]
Interprocess Communications
Channels are strongly typed (value and behavior), bidirectional communications ports
- message passing with extensive language support
Messages live outside processes, in the exchange heap
- only a single reference to a message
- “Mailbox” semantics enforced by linear types
[Figure: process P1 and the exchange heap.]
Failure Isolation
SIPs are failure containers
- no shared implementation or state across SIPs
- process runtimes are distinct
On SIP failure:
- clean failure notification on peer channel endpoints
- resources reclaimed by OS
Recovery feasible, not automatic or transparent
- peers can recover and continue
Would You Trust Your System To A Type System?
Process integrity depends on type and memory safety
- currently trust compiler and runtime
- TAL can eliminate the compiler from the trusted computing base
- working on verifying the GC as well
[Figure: Singularity TCB. Sing#/C# source -> csc -> MSIL+ -> bartok -> x86 -> Singularity system (with sgc); verification points: byte code verification, compiler verification, safety proof, application verification.]
Hardware Protection Is Orthogonal
[Figure: six configurations combining software and hardware isolation (1-6): SIP-Phys, SIP-Page, HIP-R0, HIP-R0-S, HIP-R3, HIP-R3-S; kernel domain vs. non-kernel domain; system process, SIP, application.]
Cost Of Hardware And Software Isolation
[Chart: relative performance by metric for Bartok and WebFiles under SIP-Phys, SIP-Page, HIP-R0, HIP-R0-S, HIP-R3 and HIP-R3-S; Bartok axis 0.9-1.1, WebFiles axis 0.0-2.0 with one off-scale bar labelled 5.5 – 6.8.]
Micro Benchmarks
Athlon64 3000+ (1.8GHz), nForce4 SLI

Cost (CPU cycles):

                          Singularity   FreeBSD 5.3   Linux 2.6.11 (Red Hat FC4)   Windows XP (SP2)
Minimum kernel API call   80            878           437                          627
Message request/reply     1,041         13,300        5,800                        4,650 (LPC)
                                                                                   6,340 (NP)
Process create & start    388,000       1,030,000     719,000                      5,380,000

Why?
- all SIPs run in ring 0
- static verification replaces hardware protection
- good optimizing compiler (not JIT)
Challenge 3: More Verification
Integrate specifications throughout the system: language, interprocess communication, system configuration
Detect errors early, verify code late; language safety essential to system integrity
[Figure: Singularity TCB pipeline (Sing#/C# source, csc, MSIL+, bartok, x86, sgc, Singularity system) with byte code verification, compiler verification, safety proof and typed assembly language verification.]
Example: Channel Contracts

public contract TcpSocketContract {
    ...
    state Connected : one {
        Read? -> ReadResult;
        Write? -> WriteResult;
        GetLocalAddress? -> IPAddress! -> Connected;
        GetLocalPort? -> Port! -> Connected;
        DoneSending? -> ReceiveOnly;
        DoneReceiving? -> SendOnly;
        Close? -> Closed;
        Abort? -> Closed;
    }
    state Reading : one {
        Data! -> Connected;
        NoMoreData! -> SendOnly;
        RemoteClose! -> Zombie;
    }
    ...
}

? = receive, ! = send
[State diagram: Connected --Read?--> Reading; Reading --Data!--> Connected; Reading --NoMoreData!--> SendOnly; Reading --RemoteClose!--> Zombie]
Example: Channel Contracts

public contract TcpConnectionContract {
    ...
    state Connected : one {
        Read? -> ReadResult;
        Write? -> WriteResult;
        GetLocalAddress? -> IPAddress! -> Connected;
        GetLocalPort? -> Port! -> Connected;
        DoneSending? -> ReceiveOnly;
        DoneReceiving? -> SendOnly;
        Close? -> Closed;
        Abort? -> Closed;
    }
    state Reading : one {
        Data! -> Connected;
        NoMoreData! -> SendOnly;
        RemoteClose! -> Zombie;
    }
    ...
}

Contract client:

...
conn.SendRead();
switch receive {
    case conn.Data(readData) :
        dataBuffer.AddToTail(readData);
        return true;
    case conn.RemoteClose() :
        return false;
}
...

Contract conformance statically detects subtle errors such as deadlock.
Missing case: case conn.NoMoreData() :
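The conformance check the slides describe, as an added example that is not Singularity code: the contract fragment and the client's switch-receive arms are transcribed from the slides, while the Python names (Transition, messages, check_client) and the AwaitLocal* states used to model the two-step Get* exchanges are assumptions of this example. It goes slightly beyond the slide by also flagging sends the current state does not accept and receives in a state where the peer can send nothing.

```python
"""Client-vs-contract conformance check for the TcpSocketContract slide.

Added example, not Singularity project code. The contract and the client's
switch-receive arms are transcribed from the slides; Transition, messages,
check_client and the AwaitLocal* states for the two-step Get* exchanges are
this example's own. Directions are the server's, as in Sing#: '?' = server
receives from the client, '!' = server sends to the client.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transition:
    message: str
    direction: str    # '?' or '!'
    next_state: str


# The slide diagram calls the state reached by Read? "Reading" (ReadResult
# in the contract text); the diagram's name is used here.
TCP_SOCKET = {
    "Connected": [
        Transition("Read", "?", "Reading"),
        Transition("Write", "?", "WriteResult"),
        Transition("GetLocalAddress", "?", "AwaitLocalAddress"),  # then IPAddress!
        Transition("GetLocalPort", "?", "AwaitLocalPort"),        # then Port!
        Transition("DoneSending", "?", "ReceiveOnly"),
        Transition("DoneReceiving", "?", "SendOnly"),
        Transition("Close", "?", "Closed"),
        Transition("Abort", "?", "Closed"),
    ],
    "AwaitLocalAddress": [Transition("IPAddress", "!", "Connected")],
    "AwaitLocalPort": [Transition("Port", "!", "Connected")],
    "Reading": [
        Transition("Data", "!", "Connected"),
        Transition("NoMoreData", "!", "SendOnly"),
        Transition("RemoteClose", "!", "Zombie"),
    ],
}


def messages(contract, state, direction):
    """Messages the contract allows in `state` in one direction."""
    return {t.message for t in contract.get(state, []) if t.direction == direction}


def check_client(contract, start, script):
    """Walk a client script against the contract and collect violations.

    Steps are ("send", message) or ("receive", {handled messages}), i.e.
    conn.SendRead() and the arms of a `switch receive`. A receive ends the
    walk because the next state depends on which message actually arrives.
    """
    problems, state = [], start
    for kind, arg in script:
        if kind == "send":
            allowed = messages(contract, state, "?")
            if arg not in allowed:
                problems.append(f"{state}: client sends {arg}, allowed {sorted(allowed)}")
                break
            state = next(t.next_state for t in contract[state] if t.message == arg)
        else:
            expected = messages(contract, state, "!")
            if not expected:
                problems.append(f"{state}: client waits but peer can send nothing (deadlock)")
            missing = sorted(expected - set(arg))
            if missing:
                problems.append(f"{state}: missing case(s) {missing}")
            unknown = sorted(set(arg) - expected)
            if unknown:
                problems.append(f"{state}: case(s) {unknown} can never arrive")
            break
    return problems, state


# The slide's client handles Data and RemoteClose only; the fix adds NoMoreData.
SLIDE_CLIENT = [("send", "Read"), ("receive", {"Data", "RemoteClose"})]
FIXED_CLIENT = [("send", "Read"), ("receive", {"Data", "NoMoreData", "RemoteClose"})]
```

Running check_client on SLIDE_CLIENT reports the slide's missing NoMoreData case; FIXED_CLIENT passes cleanly.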
Example: Application Specifications
Application is a first-class abstraction with identity: code + resources + manifest
Manifest specifies
- software components
- dependencies
- exported channels
- hardware or software resource requirements
Device Driver Specification

[DriverCategory]
[Signature("/pci/03/00/5333/8811")]
class S3Trio64Config : DriverCategoryDeclaration
{
    [IoMemoryRange(0, Length = 0x400000)]
    IoMemoryRange frameBuffer;

    [IoFixedMemoryRange(Base = 0xb8000, Length = 0x8000)]
    IoMemoryRange textBuffer;
    ...
    [IoFixedPortRange(Base = 0x3c0, Length = 0x20)]
    IoPortRange control;

    [ExtensionEndpoint(typeof(ExtensionContract.Exp))]
    TRef<ExtensionContract.Exp:Start> pnp;

    [ServiceEndpoint(typeof(VideoDeviceContract.Exp))]
    TRef<ServiceProviderContract.Exp:Start> video;
    ...
}

Slide callouts:
- Signature: requires PCI device
- frameBuffer: requires 4MB frame buffer (declared in PCI config)
- textBuffer: requires system console buffer
- control: requires VGA I/O ports
- pnp: requires channel to parent process for control
- video: provides channel for clients to access video device
Specification Used In Many Ways
1. Load driver
2. Allocate I/O objects
3. Create channels
[Figure: driver with its driver class library talking to the kernel (kernel class library, page manager, scheduler, channel manager, process manager, I/O manager); callouts “Conflict” and “Abolish Runtime Systems”.]
Verification Of System Configuration
Verification ensures
- never install a program that will break another program
- never start a program without appropriate resources
- never grant a program access to undeclared resources
All of these checks are performed statically
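The three configuration checks above, applied to the driver specification from the S3Trio64Config slide, as an added example that is not Singularity code: the two fixed ranges and the BAR0 frame-buffer requirement are the ones the slide declares; the other two manifests, the PCI BAR table, the "/placeholder/..." signatures and all helper names are constructed for this example.

```python
"""Static checks over driver manifests, in the spirit of the slides'
S3Trio64Config declaration and the configuration verifier.

Added example, not Singularity code. The fixed resource ranges and the
BAR0 requirement are those the slide declares for S3Trio64Config; the
other manifests, the PCI BAR table and all helper names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IoRange:
    kind: str        # "port" or "memory"
    base: int
    length: int

    @property
    def end(self):   # exclusive upper bound
        return self.base + self.length

    def overlaps(self, other):
        return (self.kind == other.kind
                and self.base < other.end and other.base < self.end)

    def contains(self, other):
        return (self.kind == other.kind
                and self.base <= other.base and other.end <= self.end)


@dataclass(frozen=True)
class Manifest:
    name: str
    signature: str
    fixed: tuple      # IoFixedPortRange / IoFixedMemoryRange declarations
    pci_bars: dict    # BAR index -> minimum length, from IoMemoryRange(idx, ...)


S3TRIO64 = Manifest("S3Trio64Config", "/pci/03/00/5333/8811",
                    fixed=(IoRange("memory", 0xb8000, 0x8000),   # textBuffer
                           IoRange("port", 0x3c0, 0x20)),         # control
                    pci_bars={0: 0x400000})                       # frameBuffer

# Constructed manifests (not from the slides): one that also claims the
# text buffer, one whose resources are disjoint from S3Trio64Config's.
VGA_TEXT = Manifest("VgaTextConsoleConfig", "/placeholder/vgatext",
                    fixed=(IoRange("memory", 0xb8000, 0x8000),), pci_bars={})
IDE_DISK = Manifest("IdeDiskConfig", "/placeholder/ide",
                    fixed=(IoRange("port", 0x1f0, 0x8), IoRange("port", 0x3f6, 0x1)),
                    pci_bars={})


def install_conflicts(installed, candidate):
    """Every (installed driver name, its range, candidate range) that overlap."""
    return [(d.name, a, b) for d in installed for a in d.fixed
            for b in candidate.fixed if a.overlaps(b)]


def can_install(installed, candidate):
    """Install-time check: never install a program that will break another."""
    return not install_conflicts(installed, candidate)


def can_start(manifest, bars):
    """Start-time check: every PCI BAR the manifest needs is present and large enough."""
    return all(i in bars and bars[i][1] >= need for i, need in manifest.pci_bars.items())


def access_allowed(manifest, bars, request):
    """I/O object allocation: grant only resources the manifest declared."""
    declared = list(manifest.fixed) + [IoRange("memory", *bars[i])
                                       for i in manifest.pci_bars if i in bars]
    return any(r.contains(request) for r in declared)


# Constructed PCI config for the device: BAR0 is a 4 MB memory window.
DEVICE_BARS = {0: (0xe0000000, 0x400000)}
```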
Summary
Singularity is a basis for more dependable systems
- pervasive use of safe programming languages
- lightweight, closed, customizable run-time environment
- verifiable specification of system behavior
Working research prototype driving research in a large number of areas
More information: http://research.microsoft.com/os/singularity (growing number of TRs & papers)
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.