31-10-2016, 03:30 PM
Abstract
Security and reliability of operating systems matter more than features. This paper explains the approaches researchers have proposed to improve both.
Introduction
Computers have become essential to everyday life. During the 1970s and 1980s they were used only by a small group of technically literate people, but today they are used by individuals who have no wish to know how a computer works. Computers therefore need to become as secure, reliable and free of software errors as a television set. Computer crashes are caused mainly by bugs in the operating system.
Researchers estimate that the Linux kernel contains about 2.5 million lines of code and Windows about 5 million, and that such code contains 6 to 16 bugs per 1000 lines. About 70 percent of an operating system consists of device drivers, and drivers have error rates 3 to 7 times higher than ordinary code.
iOS date bug: if the device date is changed to a date before January 1st 1970, the device crashes.
Techniques to improve the reliability and security of operating systems:
• ARMORED OPERATING SYSTEMS
• PARAVIRTUAL MACHINES
• MULTISERVER OPERATING SYSTEMS
• LANGUAGE BASED PROTECTION
ARMORED OPERATING SYSTEMS
The armored operating system approach comes from the Nooks project (Swift and colleagues at the University of Washington). It is the most conservative of the four approaches: the existing kernel is kept, and the work focuses on making device drivers less dangerous.
Approach: Each driver is wrapped in a layer of protective software that monitors all interactions between the driver and the kernel. The virtual memory page map is the tool used to keep faulty drivers from trashing kernel data structures. When a driver runs, all pages outside it are changed to read-only, which implements a separate lightweight protection domain for each driver. In this way the driver can read the kernel data structures it needs, but any attempt to directly modify a kernel data structure results in a CPU exception that the Nooks isolation manager catches. Access to the driver's private memory, where it stores its stacks, a heap, private data structures and copies of kernel objects, is read-write. When the kernel calls a driver function or the driver calls a kernel function, the call actually goes to a wrapper (provided by Nooks) that checks the parameters for validity and manages the call.
When a driver needs to modify a kernel object, its wrapper copies the object into the driver's protection domain, that is, onto its private read-write pages. The driver then modifies the copy. Upon successful completion of the request, the isolation manager copies the modified kernel objects back to the kernel. In this way a driver crash or failure during a call always leaves kernel objects in a valid state.
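The protection-domain and copy-in/copy-out mechanism described above, as an added user-space sketch in C (this is not Nooks code): the "kernel object" lives on its own mmap'd page, the "driver" is a function pointer, and the role of the isolation manager is played by a SIGSEGV handler that jumps out of the faulting driver call. The type and function names (kobj_t, wrapper_call, good_driver, bad_driver) and the object contents are assumptions made for the example.

```c
/* nooks_demo.c: user-space model of a Nooks-style lightweight protection
 * domain. Added example, not Nooks code. Assumed: the kernel object is a
 * struct on an mmap'd page, the driver is a function pointer, and the
 * isolation manager is a SIGSEGV handler that siglongjmps out of the call. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct { uint32_t irq; uint32_t flags; } kobj_t;  /* stand-in kernel object */

static kobj_t *kernel_obj;               /* lives alone on one page */
static size_t page_size;
static sigjmp_buf fault_env;
static volatile sig_atomic_t in_driver;  /* set while the driver domain is active */

/* The "isolation manager": a fault while the driver runs aborts the call.
 * A fault anywhere else is a real bug, so fall back to the default action. */
static void on_fault(int sig)
{
    (void)sig;
    if (in_driver)
        siglongjmp(fault_env, 1);
    signal(SIGSEGV, SIG_DFL);   /* returning re-executes the faulting instruction */
}

int domain_init(void)
{
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    kernel_obj = p;
    kernel_obj->irq = 5;        /* constructed sample contents */
    kernel_obj->flags = 0;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Wrapper: hand the driver a private read-write copy of the kernel object,
 * make the real kernel page read-only while it runs, and copy back only if
 * the driver returns normally. Returns the driver's result, or -1 if the
 * driver faulted (the kernel object is then left untouched). */
int wrapper_call(int (*driver)(kobj_t *priv, const kobj_t *real))
{
    kobj_t priv = *kernel_obj;                            /* copy-in */
    volatile int rc = -1;
    if (mprotect(kernel_obj, page_size, PROT_READ) != 0)  /* enter driver domain */
        return -1;
    in_driver = 1;
    if (sigsetjmp(fault_env, 1) == 0)
        rc = driver(&priv, kernel_obj);
    /* else: the isolation manager caught a fault, rc stays -1 */
    in_driver = 0;
    mprotect(kernel_obj, page_size, PROT_READ | PROT_WRITE);  /* leave domain */
    if (rc == 0)
        *kernel_obj = priv;                               /* copy-out on success only */
    return rc;
}

/* Well-behaved driver: reads the real object, writes only its private copy. */
int good_driver(kobj_t *priv, const kobj_t *real)
{
    priv->flags = (real->irq == 5) ? 1 : 2;
    return 0;
}

/* Buggy driver: writes straight into the kernel object, as an unwrapped
 * driver would. The page is read-only inside the domain, so this faults. */
int bad_driver(kobj_t *priv, const kobj_t *real)
{
    (void)priv;
    ((kobj_t *)real)->flags = 0xdead;
    return 0;
}

uint32_t kernel_flags(void) { return kernel_obj->flags; }

int main(void)
{
    if (domain_init() != 0)
        return 1;
    printf("bad driver:  rc=%d flags=0x%x\n", wrapper_call(bad_driver), kernel_flags());
    printf("good driver: rc=%d flags=0x%x\n", wrapper_call(good_driver), kernel_flags());
    return 0;
}
```

The point to notice is that the buggy driver's write never reaches the kernel object: the fault is taken inside the domain, the wrapper reports failure, and the object still holds its pre-call contents. Real Nooks does the same with kernel page tables and an in-kernel isolation manager, and its wrappers also validate call parameters, which this sketch omits.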
Recovery: To recover the system, a user-mode agent consults a configuration database and, most commonly, releases any resources the failed driver held and restarts it. To keep running applications working across the restart, a shadow driver replays to the restarted driver the log of all communication between that driver and the kernel recorded before the failure. Once the replay is done the driver begins processing new requests.
Limitations: Nooks corrects most fatal driver errors, but only about 55% of the nonfatal ones. The Nooks team also had to write a large number of wrappers by hand, and the wrappers themselves can contain faults.
Expected improvement: The technique can be extended to other kernel extensions besides drivers, such as loadable file systems. Since these can also cause failures, wrapping a file system in the same way would further reduce the chance of a system failure.
Language-Based Protection
Language-based protection is the approach taken by a Microsoft Research operating system written in a type-safe language, which has no raw pointers and none of the other problems associated with C and C++.
Singularity is the operating system developed by Microsoft Research; it is written in Sing#. Sing# is a superset of Spec#, and Spec# is an extension of C# with non-nullable types, preconditions and postconditions on code, and checked exceptions. Sing# adds support for communication channels and low-level programming constructs.
Singularity uses a closed microkernel architecture. Because the language design tightly constrains the system and its processes, all processes can run in a single address space. This design is both safe and efficient: safe because the compiler does not allow a process to touch another process's data, and efficient because it eliminates kernel traps and context switches.
The key abstraction in Singularity is the Software Isolated Process (SIP). SIPs encapsulate pieces of applications or programs and provide information hiding, failure isolation and strong interfaces. All code outside the kernel runs in SIPs. SIPs are closed object spaces: no two SIPs can access an object simultaneously, and communication between processes transfers exclusive ownership of the data. Multiple SIPs can reside in a single virtual address space. SIPs are inexpensive to create, and communication between them has low overhead. Because SIPs are created and destroyed by the operating system, their resources can be reclaimed efficiently on termination.
Most of the code is written in the type-safe language Sing#. Some parts, such as the garbage collector and the hardware abstraction layer, are written in C#, C++ and assembly. The hardware abstraction layer hides low-level hardware concepts such as I/O ports, interrupt request lines, direct memory access channels and timers, presenting machine-independent abstractions to the rest of the operating system.
User processes obtain system services by sending strongly typed messages to the microkernel over point-to-point bidirectional channels; the messages allowed on a channel, and the order in which they may be sent, are defined by a channel contract. Channel contracts are central to software isolation in Singularity.
Channel contract example (the states named in the explanation below are spelled out):
    contract C1 {
        in message Request(int x) requires x>0;
        out message Reply(int y);
        out message Error();
        state Start: Request? -> Pending;
        state Pending: one {
            Reply! -> Start;
            Error! -> Stopped;
        }
    }
In the Start state the client sends the Request message, putting the channel into the Pending state. The server can then respond with either a Reply message or an Error message. The Reply message transitions the channel back to the Start state, where communication can continue. The Error message transitions the channel to the Stopped state, ending communication on the channel.
Application abstraction is another key feature of Singularity, and it avoids conflicting software installs. An application consists of a manifest and a collection of resources. The manifest describes the application in terms of its resources and their dependencies, and it must give the Singularity installer enough information to deduce the appropriate installation steps, detect conflicts with existing applications, and decide whether the installation succeeded. Singularity can therefore refuse installations that would impair the system.
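As an added example (not Singularity or Sing# code), the following C program replays the C1 contract above as a runtime state machine, so that the direction of each message, the state it is allowed in, and the requires x>0 precondition can be exercised on a constructed exchange. Singularity checks all of this statically at compile time; the enum and function names here are assumptions.

```c
/* contract_demo.c: runtime model of the C1 channel contract. Added example;
 * Singularity enforces the contract statically, this only mirrors its rules. */
#include <stdio.h>

typedef enum { ST_START, ST_PENDING, ST_STOPPED } cstate;
typedef enum { MSG_REQUEST, MSG_REPLY, MSG_ERROR } cmsg;
typedef enum { CLIENT, SERVER } endpoint;   /* "in" = from client, "out" = from server */

typedef struct {
    cstate state;
    int violations;     /* messages the contract refused */
} channel;

/* Try to send message m from endpoint who with an int payload. Returns 0 if
 * the contract allows it (and advances the state), -1 if it does not. */
int channel_send(channel *ch, endpoint who, cmsg m, int payload)
{
    switch (ch->state) {
    case ST_START:      /* only the client may speak, and only Request(x) with x>0 */
        if (who == CLIENT && m == MSG_REQUEST && payload > 0) {
            ch->state = ST_PENDING;
            return 0;
        }
        break;
    case ST_PENDING:    /* only the server may speak: Reply or Error */
        if (who == SERVER && m == MSG_REPLY) { ch->state = ST_START;   return 0; }
        if (who == SERVER && m == MSG_ERROR) { ch->state = ST_STOPPED; return 0; }
        break;
    case ST_STOPPED:    /* nothing is allowed after Error */
        break;
    }
    ch->violations++;
    return -1;
}

/* Constructed exchange: two good round trips, then the mistakes the contract
 * is meant to catch. Returns the number of refused messages. */
int run_exchange(channel *ch)
{
    ch->state = ST_START;
    ch->violations = 0;
    channel_send(ch, CLIENT, MSG_REQUEST, 3);  /* ok: Start -> Pending */
    channel_send(ch, SERVER, MSG_REPLY,   9);  /* ok: Pending -> Start */
    channel_send(ch, CLIENT, MSG_REQUEST, 0);  /* refused: requires x>0 */
    channel_send(ch, SERVER, MSG_REPLY,   1);  /* refused: server may not speak in Start */
    channel_send(ch, CLIENT, MSG_REQUEST, 4);  /* ok: Start -> Pending */
    channel_send(ch, CLIENT, MSG_REQUEST, 5);  /* refused: client may not speak in Pending */
    channel_send(ch, SERVER, MSG_ERROR,   0);  /* ok: Pending -> Stopped */
    channel_send(ch, CLIENT, MSG_REQUEST, 6);  /* refused: channel is closed */
    return ch->violations;
}

int main(void)
{
    channel ch;
    int bad = run_exchange(&ch);
    printf("refused messages: %d, final state: %s\n", bad,
           ch.state == ST_STOPPED ? "Stopped" : "other");
    return 0;
}
```

Four of the eight messages are refused, and the channel ends in Stopped. In Singularity a program that tried to send any of those four would not compile, which is what makes the contract an isolation mechanism rather than a runtime check.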
PARAVIRTUAL MACHINES
Paravirtualization is known for its fault isolation. A virtual machine monitor placed on the bare hardware creates instances of the real machine; the original purpose was to run two operating systems simultaneously. Each operating system is given the illusion that it has the entire machine to itself and is unaware of the other. The advantage is that a problem in one operating system cannot spread to the other. Paravirtualization builds on this virtual machine concept, and the idea here is to apply the same protection within a single operating system instead of between multiple operating systems.
The Pentium was not fully virtualizable. Instead of running an unmodified operating system in the virtual machine, the operating system was modified so that it never does anything that cannot be virtualized. This technique is called paravirtualization, a name chosen to distinguish it from the full virtualization described above.
Many research groups have explored this; one at the University of Karlsruhe built the L4 microkernel in the 1990s. L4 can act as a kind of virtual machine, and a modified Linux was made to run on it. In the course of this work the group found that multiple copies of Linux could run on L4 at the same time. This insight led to the idea of having one copy of Linux run the application programs and another copy run the device drivers. Separating the main virtual machine, which runs the rest of the operating system and the applications, from the virtual machine that runs the device drivers is what gives fault isolation.
In this arrangement the system does not crash when a device driver crashes, because the driver runs in a different virtual machine. The drivers themselves need no modification; what has to be modified, to achieve paravirtualization, is the Linux kernel. Although this is expensive, it is a one-time modification of the kernel, whereas in a normal Linux the drivers are modified again and again. Since the device drivers run in the hardware's user mode, a major issue is how they perform I/O and handle interrupts. Physical I/O is handled by adding about 3,000 lines of code to the Linux kernel on which the drivers run, so that they use L4 services for I/O instead of doing it themselves. A further 5,000 lines handle communication between the three isolated drivers (disk, network and PCI bus) and the virtual machine running the application programs.
In principle this provides better reliability than a single operating system: when a driver crashes it is simply rebooted, and because of the isolation the reboot does not crash the system. In Nooks the shadow driver keeps a log of the crashed driver's interactions and uses it to bring the restarted driver back to the state it was in before the crash. Here no log is kept, so a recovered driver comes back with its default settings rather than the settings it had when it crashed. Reliability is bought with a small loss of performance; nothing comes for free. The good news is that the loss is small, and the system runs almost on par with a normal machine.
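The difference between the two recovery strategies compared above (restart into default settings, as in the L4 design, versus restart plus replay of a shadow-driver log, as in Nooks) can be seen in the following added C example. It is not code from either project: the "driver virtual machine" is modelled as a child process that talks to the "kernel" over a pair of pipes, the driver's only state is a constructed MTU setting with a default of 1500, and the command protocol and all names (drv_t, drv_spawn, drv_call, CMD_SET_MTU and so on) are assumptions made for the example.

```c
/* driver_restart_demo.c: a driver in its own address space (a child process
 * standing in for the driver VM). When it crashes, the kernel side reaps and
 * restarts it. With shadow=1 a log of state-changing requests is replayed into
 * the new instance (Nooks style); with shadow=0 the driver comes back with
 * default settings (L4 style). Added example; protocol and names are assumed. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { CMD_SET_MTU = 1, CMD_GET_MTU = 2, CMD_CRASH = 3 };
struct req { int cmd; int arg; };

#define MAX_LOG 16
typedef struct {
    pid_t pid;
    int to_drv, from_drv;       /* pipe ends held by the kernel side */
    int shadow;                 /* replay the log after a restart? */
    struct req log[MAX_LOG];    /* state-changing requests seen so far */
    int nlog;
    int restarts;
} drv_t;

/* Driver body, runs in the child. Its whole state is one MTU value. */
static void driver_main(int rfd, int wfd)
{
    int mtu = 1500;             /* default setting (constructed) */
    struct req r;
    while (read(rfd, &r, sizeof r) == (ssize_t)sizeof r) {
        int reply = 0;
        switch (r.cmd) {
        case CMD_SET_MTU: mtu = r.arg; break;
        case CMD_GET_MTU: reply = mtu; break;
        case CMD_CRASH:   raise(SIGSEGV); break;   /* stands in for a wild-pointer bug */
        }
        if (write(wfd, &reply, sizeof reply) != (ssize_t)sizeof reply)
            break;
    }
    _exit(0);
}

int drv_spawn(drv_t *d)
{
    int in[2], out[2];
    signal(SIGPIPE, SIG_IGN);   /* a dead driver must not kill the kernel side */
    if (pipe(in) != 0 || pipe(out) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(in[1]); close(out[0]);
        driver_main(in[0], out[1]);      /* never returns */
    }
    close(in[0]); close(out[1]);
    d->pid = pid; d->to_drv = in[1]; d->from_drv = out[0];
    return 0;
}

/* One round trip; -1 means the driver died (EOF on its reply pipe). */
static int roundtrip(drv_t *d, struct req r, int *reply)
{
    if (write(d->to_drv, &r, sizeof r) != (ssize_t)sizeof r) return -1;
    if (read(d->from_drv, reply, sizeof *reply) != (ssize_t)sizeof *reply) return -1;
    return 0;
}

/* Kernel-side entry point. Returns the driver's reply, or -1 if the driver
 * crashed, in which case it has already been restarted. */
int drv_call(drv_t *d, int cmd, int arg)
{
    struct req r = { cmd, arg };
    int reply;
    if (roundtrip(d, r, &reply) == 0) {
        if (cmd == CMD_SET_MTU && d->nlog < MAX_LOG)
            d->log[d->nlog++] = r;       /* shadow driver records config changes */
        return reply;
    }
    /* The fault stayed inside the driver's address space: reap and restart. */
    waitpid(d->pid, NULL, 0);
    close(d->to_drv); close(d->from_drv);
    if (drv_spawn(d) != 0) return -1;
    d->restarts++;
    if (d->shadow)                       /* replay the log into the new instance */
        for (int i = 0; i < d->nlog; i++) {
            int x;
            if (roundtrip(d, d->log[i], &x) != 0) return -1;
        }
    return -1;
}

void drv_stop(drv_t *d)
{
    close(d->to_drv); close(d->from_drv);   /* EOF makes the child exit */
    waitpid(d->pid, NULL, 0);
}

int main(void)
{
    for (int shadow = 0; shadow < 2; shadow++) {
        drv_t d; memset(&d, 0, sizeof d); d.shadow = shadow;
        if (drv_spawn(&d) != 0) return 1;
        drv_call(&d, CMD_SET_MTU, 9000);
        drv_call(&d, CMD_CRASH, 0);
        printf("shadow=%d restarts=%d mtu after restart=%d\n",
               shadow, d.restarts, drv_call(&d, CMD_GET_MTU, 0));
        drv_stop(&d);
    }
    return 0;
}
```

Without the shadow log the restarted driver reports the default MTU of 1500; with it the replay restores the 9000 that was set before the crash. Either way the crash never leaves the child process, which is the fault isolation the separate driver virtual machine provides.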