Slide 1
OPERATING SYSTEMS SHOULD PROVIDE TRANSACTIONS
Donald E. Porter and Emmett Witchel
The University of Texas at Austin
Slide 2
Example: browser plug-in upgrade
Installer: write new plug-in binary, then exec post-install script (updates browser config)
Browser started in between: old config, new plug-in binary; old plug-in arguments corrupt data files
The API can't ensure consistent updates to OS resources
Concurrency and crashes cause subtle inconsistencies
Slide 3
System Transactions
Express consistency requirements to the OS
Transaction wraps a group of system calls
Results isolated until commit
Interfering operations automatically serialized
Long-overdue OS feature
Natural abstraction
Solves important problems
Practical implementation
Slide 4
Transactional Software Install
sys_xbegin();
apt-get upgrade
sys_xend();
A failed install is automatically rolled back
Concurrent operations are not
System crash: reboot to entire upgrade or none
Concurrent apps see consistent state
Slide 5
System Transactions
Operating systems should provide them
Operating systems can provide them
Slide 6
The POSIX API is broken
System resources have long-standing race conditions: time-of-check-to-time-of-use (TOCTTOU), temporary file creation, signal handling
Correct, concurrent apps need system-level isolation
Multi-core chips raise importance of concurrency
Slide 7
System-level races
(running as root)
if (access("foo", R_OK) == 0) {   /* check: may the real user read foo? */
    fd = open("foo", O_RDONLY);   /* use: a different name lookup */
    ...
}
foo == secret (the attacker re-points "foo" at a secret file between the check and the open)
Slide 8
Complex work-arounds
TOCTTOU: users write their own directory traversal with openat(), fstatat(), etc.; the user re-implements filename translation
Race between open() and fcntl(FD_CLOEXEC) against a concurrent fork/exec: add close-on-exec flags to 15 system calls
Temporary file creation libraries: mkstemp, tmpfile, etc.
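Added example, not code from the slides or from TxOS: the access()/open() race of slide 7 reproduced deterministically in C, beside the kind of work-around slide 8 describes. The "attacker" is a hook called inside the check-to-use window that swaps the checked name for a symlink with a single rename(); the scratch directory under /tmp, the file names and the "secret" contents are constructed for the demo. The hardened opener opens first with O_NOFOLLOW|O_CLOEXEC and then validates the inode it actually got with fstat(); its st_uid check stands in for the authorization a setuid program would perform, since the demo runs as one ordinary user.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Runs inside the check-to-use window; in this demo it plays the concurrent
 * attacker from slide 7.  NULL means nobody interferes. */
typedef void (*window_fn)(const char *path);
typedef int (*opener_fn)(const char *path, window_fn attacker);

/* Slide 7's pattern: decide on the *name* with access(), then open the name.
 * Two syscalls, two lookups: the name can change between them. */
int naive_open(const char *path, window_fn attacker)
{
    if (access(path, R_OK) != 0)
        return -1;
    if (attacker)
        attacker(path);                  /* the race window */
    return open(path, O_RDONLY);
}

/* Slide 8's kind of work-around: open first, refusing symlinks, then check
 * the inode actually opened with fstat() instead of re-checking the name. */
int careful_open(const char *path, window_fn attacker)
{
    struct stat st;
    if (attacker)
        attacker(path);                  /* same window, but nothing decided yet */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* ELOOP if a symlink was swapped in */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 ||              /* hard link to something else */
        st.st_uid != getuid()) {         /* assumption: stands in for setuid authz */
        close(fd);
        return -1;
    }
    return fd;
}

static char g_secret[PATH_MAX];          /* constructed fixture: file to protect */

/* Constructed attacker: atomically replace the checked name with a symlink
 * to the secret, as the concurrent process on slide 7 would. */
static void attacker_swap(const char *path)
{
    char lnk[PATH_MAX];
    snprintf(lnk, sizeof lnk, "%s.lnk", path);
    if (symlink(g_secret, lnk) == 0)
        rename(lnk, path);
}

static void write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return;
    ssize_t w = write(fd, text, strlen(text));
    (void)w;
    close(fd);
}

/* Build a fresh scratch directory, run one opener, and report what the victim
 * ended up reading: "harmless", "secret" (exploited) or "refused". */
const char *run_demo(opener_fn opener, int attacked)
{
    char dir[] = "/tmp/toctou.XXXXXX", foo[PATH_MAX], buf[64];
    const char *result = "refused";

    if (!mkdtemp(dir))
        return "setup-failed";
    snprintf(foo, sizeof foo, "%s/foo", dir);
    snprintf(g_secret, sizeof g_secret, "%s/secret", dir);
    write_file(foo, "harmless");
    write_file(g_secret, "secret");

    int fd = opener(foo, attacked ? attacker_swap : NULL);
    if (fd >= 0) {
        ssize_t n = read(fd, buf, sizeof buf - 1);
        buf[n > 0 ? n : 0] = '\0';
        close(fd);
        result = strcmp(buf, "secret") == 0 ? "secret" : "harmless";
    }
    unlink(foo);
    unlink(g_secret);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("naive,   no attacker: %s\n", run_demo(naive_open, 0));
    printf("naive,   attacker:    %s\n", run_demo(naive_open, 1));
    printf("careful, no attacker: %s\n", run_demo(careful_open, 0));
    printf("careful, attacker:    %s\n", run_demo(careful_open, 1));
    return 0;
}
```

Build with `cc -std=c11 toctou_demo.c` and run: the naive opener hands out the secret when the swap lands in the window, the careful one refuses because open() fails with ELOOP on the symlink. Note what the fix cost: two extra flags, an fstat() and three inode checks to replace one access() call, which is the complexity slide 9 complains about; the transactional version on slide 10 keeps the original check-then-open shape.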
Slide 9
Work-arounds don’t work
Complex APIs do not yield secure programs
Experts can't even agree:
mkstemp man page: "Don't use this function, use tmpfile(3) instead."
www.securecoding.cert.org - VOID FI039-C: "It is thus recommended that…mkstemp() be used [instead of tmpfile()]"
Transactions can fix the problem
Slide 10
TOCTTOU redux
(running as root)
sys_xbegin();
if (access("foo", R_OK) == 0) {
    fd = open("foo", O_RDONLY);
    read(fd, ...);
    ...
}
sys_xend();
The check and the open are now one transaction: an attacker's rename of "foo" in between is serialized before or after it, never inside it.
Slide 11
Transactions solve important problems
Applications:
Replace databases for simple synchronization
Support system calls in transactional memory apps
Tolerate faults in untrusted software modules
Atomically update file contents and access control list
Easier to write OS extensions
System Tx + Journal = Tx Filesystem
Slide 12
Hasn't this already been done?
donporter@wesley:~$ man transaction
No manual entry for transaction
Slide 13
Related Systems
Similar interface, different implementation: QuickSilver [SOSP '91], TABS [SOSP '85]
Weaker guarantees, only file system transactions: TxF, Valor [FAST '09]
Different interface, similar implementation: Speculator [SOSP '05, OSDI '06]
Terms "transaction" and "OS" appear in paper title: TxLinux [SOSP '07, ASPLOS '09]
Slide 14
Can OSes provide transactions?
TxOS: extends Linux 2.6.22 to support transactions
Runs on commodity hardware
Rest of talk: approach, validation
Slide 15
Version Management
How to keep old and new data? Need old data to roll back
TxOS approach: transactions operate on private copies of data; replace old data structures at commit
Example: kernel data structures
Slide 16
TxOS Version Management
Transaction
sys_xbegin();
if (access("foo", W_OK) == 0) {
    fd = open("foo", O_WRONLY);
    write(fd, "Hi", 2);
}
sys_xend();
File "foo" after commit: Hi
(Until sys_xend(), the write goes to the transaction's private copy of "foo"; the committed file is replaced at commit.)
Slide 17
Object versioning in TxOS
Deadlock-free: transactions do not hold kernel locks across syscalls; follows the existing locking discipline
Previous work used 2-phase locking and an undo log: prone to deadlock
Efficient: a pointer swap per committed object; copy-on-write optimizations
Slide 18
Serializing Tx with No-Tx
Important property for intuitive semantics
Supports incremental adoption
Serialize the TOCTTOU attacker: the attacker will not use transactions
Hard to support in software systems: not provided by historical OSes, many STMs
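Added example, not TxOS code: a userspace C sketch of the versioning scheme in slides 15 through 18 for a single object. A transaction copies the object at begin, writes only its private copy, and at commit either publishes that copy with one pointer swap or rolls back. A writer that does not use transactions bumps the published version, so a transaction that raced with it cannot commit and its copy is discarded, which is the serialization of Tx with no-Tx that slide 18 asks for. Two simplifications, labelled in the comments: conflicts are detected at commit time by comparing version numbers rather than eagerly as the slides describe, and the model is single-threaded, so there are no atomics or locks at all. All names here (`struct shared`, `tx_begin`, `tx_commit`, ...) are the example's own.

```c
#include <stdlib.h>
#include <string.h>

struct obj {
    unsigned version;               /* advanced by every published write */
    char data[32];
};

/* The object as the rest of the system sees it: a pointer to the stable copy. */
struct shared {
    struct obj *stable;
};

struct tx {
    struct shared *target;
    struct obj *shadow;             /* private copy, invisible until commit */
    unsigned base_version;          /* version the copy was taken from */
};

int shared_init(struct shared *s, const char *text)
{
    s->stable = calloc(1, sizeof *s->stable);
    if (!s->stable)
        return -1;
    strncpy(s->stable->data, text, sizeof s->stable->data - 1);
    return 0;
}

void shared_destroy(struct shared *s) { free(s->stable); s->stable = NULL; }

const char *shared_read(const struct shared *s) { return s->stable->data; }

/* Writer that does not use transactions (slide 18's attacker). */
void shared_write_notx(struct shared *s, const char *text)
{
    strncpy(s->stable->data, text, sizeof s->stable->data - 1);
    s->stable->version++;
}

/* Begin: take a private copy (copy-on-write in TxOS); no lock is held afterwards. */
int tx_begin(struct tx *t, struct shared *s)
{
    t->target = s;
    t->shadow = malloc(sizeof *t->shadow);
    if (!t->shadow)
        return -1;
    *t->shadow = *s->stable;
    t->base_version = s->stable->version;
    return 0;
}

void tx_write(struct tx *t, const char *text)
{
    strncpy(t->shadow->data, text, sizeof t->shadow->data - 1);   /* shadow only */
}

const char *tx_read(const struct tx *t) { return t->shadow->data; }

void tx_abort(struct tx *t)
{
    free(t->shadow);                /* the stable copy was never modified */
    t->shadow = NULL;
}

/* Commit: simplification, validate at commit by version compare (TxOS detects
 * conflicts eagerly).  Success is a single pointer swap per object. */
int tx_commit(struct tx *t)
{
    struct shared *s = t->target;
    if (s->stable->version != t->base_version) {
        tx_abort(t);                /* someone else was serialized first */
        return 0;
    }
    t->shadow->version = t->base_version + 1;
    struct obj *old = s->stable;
    s->stable = t->shadow;          /* the swap */
    t->shadow = NULL;
    free(old);
    return 1;
}

/* Isolation: outside readers see old data until commit and new data after. */
int demo_isolation(void)
{
    struct shared s; struct tx t;
    if (shared_init(&s, "old") || tx_begin(&t, &s)) return 0;
    tx_write(&t, "new");
    int isolated = strcmp(shared_read(&s), "old") == 0 && strcmp(tx_read(&t), "new") == 0;
    int published = tx_commit(&t) == 1 && strcmp(shared_read(&s), "new") == 0 && s.stable->version == 1;
    shared_destroy(&s);
    return isolated && published;
}

/* Tx vs no-Tx: a plain write in the window forces roll-back and survives intact. */
int demo_conflict(void)
{
    struct shared s; struct tx t;
    if (shared_init(&s, "old") || tx_begin(&t, &s)) return 0;
    tx_write(&t, "new");
    shared_write_notx(&s, "plain");
    int rolled_back = tx_commit(&t) == 0;
    int intact = strcmp(shared_read(&s), "plain") == 0 && s.stable->version == 1;
    shared_destroy(&s);
    return rolled_back && intact;
}
```

The point to notice against slide 17: between tx_begin and tx_commit nothing is locked, so there is nothing for a second transaction or a plain writer to deadlock on; the price is that a transaction can lose and have to retry, which is why the contention policy matters in the real system.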
Slide 19
Validation
Is the implementation tractable?
Is the performance acceptable?
Slide 20
Tractable, challenging implementation
Transactions: add 8,600 LOC to Linux; minor modifications to 14,000 LOC
Simple API, not a simple implementation
Hard to write concurrent programs; developers need good abstractions
Transactions are worth the effort
Slide 21
Acceptable Performance
Figure: percent speedup of TxOS over unmodified Linux on the LFS large-file phase (Seq Write, Seq Read, Rand Write, Rand Read); y-axis runs from -300% (slowdown) to 500% (speedup)
40% overhead for dpkg install
Slide 22
OSes can support transactions: tractable implementation, acceptable performance
Slide 23
OSes should provide transactions
Solve long-standing problems; replace ad hoc solutions
Broad range of applications; acceptable cost
http://www.cs.utexas.edu/~porterde/
[email protected]