Innovative Operating System Elements (Seminar Course, WiSe 2016) 1

Innovative Operating System Elements

Seminar Course, WiSe 2016

Description

This seminar deals with the design, implementation, and application of innovative and state-of-

the-art operating systems elements. We dive into the inner workings of modern operating sys-

tems and explore different system designs, from micro-kernel systems like seL4 over classic

monolithic systems like Linux to systems somewhere in-between such as NetBSD. We also

look into OSs for different requirements and application areas, from highly specialized OSs for

safety critical embedded systems to commodity OSs running on server or desktop machines.

We explore recent scientific papers published in established software and systems conferences

and other useful sources. Our focus is on the critical discussion of OS related issues and pro-

posed approaches/solutions and the comparison of different approaches that tackle the same or

a similar problem.

Note

The provided references lists, if any, for the individual topics are not exhaustive and should

only be considered as a starting point for the literature research. The goal of the seminar, in

general, is that students familiarize themselves with recent advances in engineering, validating,

and hacking (in the broadest sense!) of operating systems. The suggested topics and accompa-

nying references should be well understandable with background knowledge from the OS1

and/or OS2 lectures.

Course Website

https://www.deeds.informatik.tu-darmstadt.de/teaching/courses/ws20162017/

innovative-operating-system-elements

Contact

Nicolas Coppik

nc@cs.tu-darmstadt.de

Tel: +49 6151 16-25226

Room: S2|02 E221

Oliver Schwahn

os@cs.tu-darmstadt.de

Tel: +49 6151 16-25234

Room: S2|02 E221

Innovative Operating System Elements (Seminar Course, WiSe 2016) 2

Topic Overview

Kernel Concurrency Bugs .......................................................................................................... 3

Beyond Second Level Address Translation ............................................................................... 4

Operating System Updates ......................................................................................................... 5

Intra-Kernel Privilege Separation ............................................................................................... 6

Kernel Control-Flow Integrity ................................................................................................... 7

POSIX Abstractions in Modern OSs .......................................................................................... 8

Is the Linux Scheduler Broken? ................................................................................................. 9

WSL – The Windows Subsystem for Linux ............................................................................ 10

Hardware Supported Trusted Execution Environments ........................................................... 11

Time in Virtual Machines ........................................................................................................ 12

Verified OS Kernels ................................................................................................................. 13

Innovative Operating System Elements (Seminar Course, WiSe 2016) 3

Kernel Concurrency Bugs

Concurrency bugs are notoriously difficult to test for as they may only be triggered under a

small subset of all possible interleavings. Systematic approaches to finding concurrency bugs

typically rely on the ability to control the scheduler to maximize coverage of the interleaving

space. Such approaches cannot be directly applied to an OS kernel without extensive modifica-

tions, possibly rendering the results unrepresentative of the unmodified kernel. The problem is

further complicated by the fact that kernel code frequently uses various finely tuned, architec-

ture-specific mechanisms in order to minimize the performance impact of synchronization.

SKI is a recent approach for detecting kernel concurrency bugs that relies on virtual machine

introspection and works on unmodified kernels.

The objective of this seminar report is to critically discuss the SKI approach and compare it to

earlier approaches that attempt to address kernel concurrency bugs.

References

Fonseca, Rodrigues, Brandenburg (2014):

SKI: Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration.

In: Proc. OSDI ‘14.

https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-fonseca.pdf.

Innovative Operating System Elements (Seminar Course, WiSe 2016) 4

Beyond Second Level Address Translation

Virtualization has become commonplace and significant effort has been expanded on reducing

the overhead it entails, leading to improvements in both hardware and software. Nonetheless,

memory or page table virtualization retain notable overhead even when hardware-assisted Sec-

ond Level Address Translation (SLAT) is used due to the additional memory accesses that are

required during page walks. Recently, researchers have proposed combining SLAT with the

older shadow page table approach in order to tackle this overhead.

The objective of this seminar report is to give an overview of the performance implications of

SLAT and the mechanisms that have been proposed to tackle them.

References

Gandhi, Hill, Swift (2016):

Agile Paging : Exceeding the Best of Nested and Shadow Paging.

In: Proc ISCA ‘16

https://doi.org/10.1109/ISCA.2016.67

Wang, Zang, Wang, Luo, Li (2011):

Selective hardware/software memory virtualization.

In: Proc. VEE ‘11

https://doi.org/10.1145/1952682.1952710

Innovative Operating System Elements (Seminar Course, WiSe 2016) 5

Operating System Updates

Modern operating system kernels are highly complex and new bugs or vulnerabilities are found

frequently. Consequently, it is important that the updates to fix these flaws induce as little

downtime as possible. For Linux, several tools such as Ksplice, kpatch and KGraft have been

developed to allow applying certain updates to the kernel without rebooting the system. Other

recent approaches leverage virtualization or checkpointing mechanisms to allow arbitrary ker-

nel updates.

The objective of this seminar report is to discuss recent live patching techniques for the Linux

kernel, their advantages and their drawbacks.

References

Kashyap, Min, Lee, Kim, Emelyanov (2016):

Instant OS Updates via Userspace Checkpoint-and-Restart

In: Proc. USENIX ATC '16

https://www.usenix.org/system/files/conference/atc16/atc16_paper-kashyap.pdf

Yamada., Kono (2013):

Traveling forward in time to newer operating systems using ShadowReboot.

In: Proc. VEE '13

https://doi.org/10.1145/2103799.2103814

Innovative Operating System Elements (Seminar Course, WiSe 2016) 6

Intra-Kernel Privilege Separation

The monolithic design of most contemporary commodity operating systems is a threat to the

secure and reliable operation of computer systems. Monolithic kernels consist of a large body

of code that is impossible to prove correct or test exhaustively. Bugs in the kernel or kernel

extensions such as device drivers can easily crash the system, being a reliability issue. Success-

ful attacks on the kernel, e.g., using malicious device drivers, compromise security properties

of the whole system. Privilege separation within the kernel, i.e., the ability to assign different

parts of the kernel different privileges, can greatly improve the situation. For instance, the ac-

cess to certain memory regions can be restricted within the kernel or subsystems within the

kernel can be isolated from each other. A recent advancement in this area is the nested kernel

architecture that aims to reduce a system’s trusted computing base by nesting a small isolated

kernel within a commodity kernel.

The objective of this seminar report is to critically discuss the nested kernel approach and com-

pare it to other approaches for privilege separation inside the kernel with a focus not only on

security but also reliability and fault tolerance aspects.

References

Dautenhahn, N., Kasampalis, T., Dietz, W., Criswell, J., & Adve, V.

Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation.

In Proc. of ASPLOS 2015

Available online at http://doi.acm.org/10.1145/2694344.2694386

Innovative Operating System Elements (Seminar Course, WiSe 2016) 7

Kernel Control-Flow Integrity

Memory safety attacks, such as buffer overflows, are a well-known class of attacks against

software. Especially software written in unmanaged and/or low-level languages like C/C++ are

susceptible to these attacks. Usually, the goal of such attacks is to gain the control over the code

that is executed within a piece of software, i.e., to hijack the control flow and force the system

to execute code chosen by the attacker. OS kernels, which are often written in C/C++, are pop-

ular targets for these kind of attacks as control over the OS gives full control over a complete

system. Control-flow integrity (CFI) security policies prevent such attacks. Although many ap-

proaches exist for enforcing CFI on user-level software, only few approaches exist for kernel-

level code. KCoFI is a recent CFI approach for commodity kernels that promises low overhead

and is based on a formal model.

The goal of this seminar report is to critically discuss the KCoFI approach and compare it to

similar approaches that aim to protect OS kernels from control flow manipulations.

References

J. Criswell, N. Dautenhahn, and V. Adve

KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels.

In Proceedings of the 2014 IEEE Symposium on Security and Privacy,.

Available online at http://dx.doi.org/10.1109/SP.2014.26

Innovative Operating System Elements (Seminar Course, WiSe 2016) 8

POSIX Abstractions in Modern OSs

The Portable Operating Systems Interface (POSIX) standard(s) has been around for more than

25 years. It is intended to help developers in achieving application portability across different

UNIX-based (but also other) OSs. A central part of POSIX is the application programming

interface (API) specification that defines a set of abstractions (functions, data types, etc.) which

application developers can rely on for a different OSs (e.g., Linux, Android, macOS, BSD,

Windows). Applications, including their use cases and requirements, have changed over the

years, but the POSIX APIs have remained unchanged. But does POSIX still provide the “right”

abstractions for modern systems? How do applications use the POSIX APIs nowadays? Are

other abstractions needed? A recent study explores contemporary POSIX API usage on modern

systems across different OSs (see references).

The goal of this seminar report is to critically discuss whether POSIX is still suitable for modern

applications and OSs and compare the findings of the referenced study with other related works

(consistency check).

References

Atlidakis, V., Andrus, J., Geambasu, R., Mitropoulos, D., & Nieh, J. (2016):

POSIX Abstractions in Modern Operating Systems: The Old, the New, and the Missing.

In: Proc. EuroSys 2016.

Available online at http://doi.org/10.1145/2901318.2901350

Innovative Operating System Elements (Seminar Course, WiSe 2016) 9

Is the Linux Scheduler Broken?

In the past, CPU scheduling has been considered a solved problem. However, with the advent

of multicore systems and the increasing importance of energy efficiency, CPU scheduling be-

came complicated again, resulting in broken implementations. As the referenced study shows,

even Linux’s widely used scheduler (CFS) implementation still contains bugs that lead to long

idle times for CPU cores, which can severely hurt performance.

The objective of this seminar report is to give an overview of Linux’s scheduler and discuss the

findings of the referenced study.

References

Lozi, J.-P., Lepers, B., Funston, J., Gaud, F., Quéma, V., & Fedorova, A. (2016):

The Linux Scheduler: A Decade of Wasted Cores.

In: Proc. EuroSys 2016.

Available online at http://doi.org/10.1145/2901318.2901326

Innovative Operating System Elements (Seminar Course, WiSe 2016) 10

WSL – The Windows Subsystem for Linux

With the latest Windows version (Windows 10, 1607), Microsoft released the Windows Sub-

system for Linux (WSL), which allows to run unmodified Linux executables under Windows.

WSL provides a semi-isolated environment in which a complete (user-mode) Ubuntu system

with a Linux 3.4 kernel is executed. WSL must translate Linux system calls to Windows equiv-

alents, mediate file system access, and manage resources. Although many (most?) applications

contained in Ubuntu are supported, WSL still lacks certain capabilities to allow the execution

of arbitrary Linux software.

The objective of this seminar report is to give an overview of WSL and discuss how it integrates

with other Windows processes and subsystems with a focus on isolation and security. The report

should also include an assessment of current limitations of WSL.

References

Microsoft Blog on WSL

Online at https://blogs.msdn.microsoft.com/wsl/

MSDN post on “Bash on Ubuntu on Windows”

Online at https://msdn.microsoft.com/commandline/wsl

Innovative Operating System Elements (Seminar Course, WiSe 2016) 11

Hardware Supported Trusted Execution Environments

Over the past decades, hardware manufacturers have increasingly added “trusted computing”

features to their platforms. One of latest efforts in this respect is the provision of hardware

mechanisms to isolate particularly critical code and data and make it inaccessible to unauthor-

ized parts of the system, even if these unauthorized parts execute at highest system privileges.

Intel’s latest SGX instruction set extension offers this functionality for commodity applications

on x86 based platforms.

The goal of this seminar report is to provide a detailed overview of the new instructions pro-

vided by SGX, how they can be used to enforce data and code isolation, and add a brief com-

parison with the older trusted computing extensions offered by AMD (PSP) and ARM

(TrustZone).

References

Sinha, Costa, Lal, Lopes, Rajamani, Seshia, Vaswani (2016):

A design and verification methodology for secure isolated regions.

In: Proc. PLDI ‘16.

Available online at http://dx.doi.org/10.1145/2908080.2908113

Innovative Operating System Elements (Seminar Course, WiSe 2016) 12

Time in Virtual Machines

Virtualization has become ubiquitous. It forms the core of cloud computing, enables OS devel-

opers to easily test and debug their code, and postdoctoral researchers can use them to create

documents with inferior office software demanded by the university administration.

An interesting problem of virtualization is the relation between the time bases of the host and

guest machines. If the host time is directly exposed to guests, a side channel is created via which

an adversary can infer properties of the host machine and, possibly, collocated guests. If the

time base of the guest is purely virtual, no realistic performance measures can be obtained for

workloads executing inside guest machines. In particular, hardware runtime monitoring mech-

anisms, such as watchdog timers, require full emulation, which comes at a significant runtime

overhead.

The goal of this report is to present an overview of hardware timers and watchdogs commonly

found in x86 and ARM systems and how these timers are exposed to virtual guests in

QEMU/KVM.

Innovative Operating System Elements (Seminar Course, WiSe 2016) 13

Verified OS Kernels

The code of commodity OS kernels is known to have high defect densities for several reasons.

First, kernel code is a difficult mix of C and assembly code, neither of which is particularly

suitable for static analyses. Second, the amount of code that a modern OS kernel comprises is

often huge and executing in concurrent threads, which leads to an immense complexity of the

state space where bugs can hide during testing. Third, the large variety of hardware platforms

with different combinations of devices lead to large numbers of kernel configurations, each of

which would need to be tested individually.

Over the last couple of years, a number of attempts have been made to verify the correctness of

OS kernels, the most prominent ones being seL4 and mCertiKOS. The goal of this report is to

summarize and compare a) which properties of the two kernels have been verified nad b) how

these kernel properties have been articulated and how the kernel has been proven to possess

these properties.

References

Chen, Wu, Shao, Lockerman, Gu (2016):

Toward compositional verification of interruptible OS kernels and device drivers.

In: Proc. PLDI ‘16.

Available online at http://dx.doi.org/10.1145/2908080.2908101.

Klein, Elphinstone, Heiser, Andronick, Cock, Derrin, Elkaduwe, Engelhardt, Kolanski, Norrish, Sewell, Tuch, Winwood

(2009):

seL4: formal verification of an OS kernel.

In: Proc. SOSP ‘09.

Available online at http://dx.doi.org/10.1145/1629575.1629596.