DOI: 10.1145/1272996.1273032
Article

Sealing OS processes to improve dependability and safety

Published: 21 March 2007

Abstract

In most modern operating systems, a process is a hardware-protected abstraction for isolating code and data. This protection, however, is selective. Many common mechanisms---dynamic code loading, run-time code generation, shared memory, and intrusive system APIs---make the barrier between processes very permeable. This paper argues that this traditional open process architecture exacerbates the dependability and security weaknesses of modern systems.
As a remedy, this paper proposes a sealed process architecture, which prohibits dynamic code loading, self-modifying code, shared memory, and limits the scope of the process API. This paper describes the implementation of the sealed process architecture in the Singularity operating system, discusses its merits and drawbacks, and evaluates its effectiveness. Some benefits of this sealed process architecture are: improved program analysis by tools, stronger security and safety guarantees, elimination of redundant overlaps between the OS and language runtimes, and improved software engineering.
Conventional wisdom says open processes are required for performance; our experience suggests otherwise. We present the first macrobenchmarks for a sealed-process operating system and applications. The benchmarks show that an experimental sealed-process system can achieve performance competitive with highly tuned, commercial, open-process systems.



Published In

ACM Conferences
EuroSys '07: Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007
March 2007
431 pages
ISBN:9781595936363
DOI:10.1145/1272996
  • ACM SIGOPS Operating Systems Review, Volume 41, Issue 3
    EuroSys'07 Conference Proceedings
    June 2007
    386 pages
    ISSN:0163-5980
    DOI:10.1145/1272998
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. open process architecture
  2. sealed kernel
  3. sealed process architecture
  4. software isolated process (SIP)

Qualifiers

  • Article

Conference

EuroSys07: Eurosys 2007 Conference
March 21 - 23, 2007
Lisbon, Portugal

Acceptance Rates

Overall Acceptance Rate 241 of 1,308 submissions, 18%
