Your SlideShare is downloading. ×

Genode Components


Published on

The lecture by Norman Feske for Summer Systems School'12. …

The lecture by Norman Feske for Summer Systems School'12.
Genode Components

SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.

Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.


Published in: Education

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Genode OS Framework - Components Norman Feske <>
  • 2. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 2
  • 3. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 3
  • 4. ClassificationKernel enables base platformDevice driver translates device interface to APIProtocol stack translates API to APIApplication is leaf node in process treeRuntime environment has one or more childrenResource multiplexer has multiple clientscombinations are possible Genode OS Framework - Components 4
  • 5. Kernel Genode OS Framework - Components 5
  • 6. Device driverTranslates device interface to session interface Uses core’s IO MEM, IO PORT, IRQ services Single client Contains no policy Enforces policy (device-access arbitration) Genode OS Framework - Components 6
  • 7. Device driver (2)Critical because of DMA MMU protects physical memory from driver code Driver code accesses device via MMIO Device has access to whole physical memory (DMA)→ Device driver can access whole physical memory IOMMUs can help ...but are no golden bullet Genode OS Framework - Components 7
  • 8. Device driver (3)Even with no IOMMU, isolating drivers has benefits Taming classes of non-DMA-related bugs Memory leaks Synchronization problems, dead-locks Flawed driver logic, wrong state machines Device initialization Minimizing attack surface from the outside Genode OS Framework - Components 8
  • 9. Protocol stackTranslates API to another (or the same) API Does not enforce policy Single client May be co-located with device driver Genode OS Framework - Components 9
  • 10. Protocol stack (2)Libraries Library Translation Qt4 Qt4 API → various Genode sessions lwIP socket API → NIC sessionComponents translating sessions Component Translation TCP terminal Terminal session → NIC session iso9660 ROM session → Block session ffat fs File-system session → Block session Genode OS Framework - Components 10
  • 11. Protocol stack (3)Components that filter sessions Genode OS Framework - Components 11
  • 12. Protocol stack (4)Operate on session interfaces, not physical resources→ May be instantiated any number of times→ Critical for availablility→ Not neccessarily critical for integrity and confidentiality→ Information leakage constrained to used interfacescomplex code should go in here Genode OS Framework - Components 12
  • 13. ApplicationLeaf node in process tree Uses services Implements application logic Provides no service Genode OS Framework - Components 13
  • 14. Runtime environmentHosts other processes as childrenDefines and imposes policy! Examples Init Virtual machine monitor Debugger Python interpreter Genode OS Framework - Components 14
  • 15. Resource multiplexerMultiplexes session interface Multiple clients → Potential multi-level component Free from policy Enforce policy dictated by parent Prone to cross-client information leakage Prone to resource-exhaustion-based DoS Genode OS Framework - Components 15
  • 16. Resource multiplexer (2)→ Often as critical as the kernel→ Must be as low complex as possible→ Must work on client-provided resources→ Must employ heap partitioningonly a few resource multiplexers needed Genode OS Framework - Components 16
  • 17. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 17
  • 18. Kernelizing the GUI serverPersistent security problems of GUIs Impersonation (Trojan horses, phishing, man in the middle) Spyware (input loggers, arcane observers) Robustness/availability risks (resource-exhaustion-based denial of serviceGUI belongs to TCB → low complexity is important! Genode OS Framework - Components 18
  • 19. Starting point: DOpE as secure GUI Genode OS Framework - Components 19
  • 20. DOpE as secure GUI - DrawbacksProne to resource exhaustion by malicious clientsProvides custom look and feel* Stands in the way when using legacy software May be enhanced by theme supportComplexity of 12,000 LOC Genode OS Framework - Components 20
  • 21. Straight-forward attempt: Shrinking DOpERevisiting the implementation Keeping only essential functionality → 7,000 LOCWe loose: Majority of widgets (grid, scale, scrollbar, etc.) Flexible command interface Coolness, fancyness, convenience Real-time support7,000 LOC are too much for such a crippled GUI! Genode OS Framework - Components 21
  • 22. Bottom-up approachWhat do we really need in the GUI server? Widgets? → No Font support? → No Window decoration? → No Textual command interface? → No Look and feel, gradients, translucency? → No Hardware abstractions (e. g., color-space conversion)? → No Windows displaying pixel buffers? → YES Distribution of input events? → YES Secure labeling? → YES Genode OS Framework - Components 22
  • 23. Buffers and views Genode OS Framework - Components 23
  • 24. User interactionInput-event handling Only one receiver of each input event Focused view defines input routing Routing controlled by the user only Genode OS Framework - Components 24
  • 25. Client-side window handlingReport motion events to focused view while a button is pressed→ Client-side window policies (move, resize, stacking)→ Key for achieving low server-side complexityEmergency break→ Special key regains control over misbehaving applications Genode OS Framework - Components 25
  • 26. Trusted pathIt is not sufficient to label windows! A Trojan Horse could present an image of a secure window Not the secure window must be marked, but all others!Revoke some degree of freedom from the clients Dedicated screen area, reserved for the trusted GUI Revoking the ability to use the whole color space→ X-Ray mode, activated by special key (x-ray key) Genode OS Framework - Components 26
  • 27. Trusted path (2) Genode OS Framework - Components 27
  • 28. Nitpicker resultsSource-code complexity GUI server Lines of code > 80,000 Trusted X 30,000 DOpE 12,000 EWS 4,500 Nitpicker < 2,000 Low performance overhead, no additional copy Low-complexity clients are possible (Scout: 4,000 LOC) Genode OS Framework - Components 28
  • 29. Nitpicker results (2) Support for legacy software Protection against spyware Helps to uncover Trojan horses Low source-code complexity→ Poster child of a resource multiplexer Genode OS Framework - Components 29
  • 30. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 30
  • 31. Traditional approaches to system configurationBoot-loader configuration vbeset command in GRUB menu.lstCommand line arguments specified to boot modulesKernel command lineCustom configuration files Needs file providers, file name space Varying syntax → parsing problems Genode OS Framework - Components 31
  • 32. Unified configuration concept Genode OS Framework - Components 32
  • 33. Unified configuration concept (II) Genode OS Framework - Components 33
  • 34. Unified configuration concept (III)→ Uniform syntax→ Extensible through custom tags at each level→ XML parser adds less than 300 LOC to TCB Genode OS Framework - Components 34
  • 35. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 35
  • 36. Session routing example<config> <parent-provides> <service name="CAP"/> <service name="LOG"/> </parent-provides> <start name="timer"> <resource name="RAM" quantum="1M"/> <provides> <service name="Timer"/> </provides> <route> <service name="CAP"> <parent/> </service> </route> </start> <start name="test-timer"> <resource name="RAM" quantum="1M"/> <route> <service name="Timer"> <child name="timer"/> </service> <service name="LOG"> <parent/> </service> </route> </start></config> Genode OS Framework - Components 36
  • 37. Using wildcards <route> <service name="ROM"> <parent/> </service> <service name="RAM"> <parent/> </service> <service name="RM"> <parent/> </service> <service name="PD"> <parent/> </service> <service name="CPU"> <parent/> </service> </route>generalized: <route> <any-service> <parent/> </any-service> </route> Genode OS Framework - Components 37
  • 38. Combining wildcards with explicit routes<route> <service name="LOG"> <child name="nitlog"/> </service> <any-service> <parent/> </any-service></route> Genode OS Framework - Components 38
  • 39. Useful routing template <route> <any-service> <parent/> </any-service> <any-service> <any-child/> </any-service> </route>abbreviated: <route> <any-service> <parent/> <any-child/> </any-service> </route> Genode OS Framework - Components 39
  • 40. Poly-instantiating the same binary <start name="nit_fb"> ... <start name="nit_fb"> <!-- XXX ambiguous name! --> ...ambiguity resolved: <start name="nit_fb_1"> <binary name="nit_fb"/> <!-- binary name != process name --> ... <start name="nit_fb_2"> <!-- unique name --> <binary name="nit_fb"/> ... Genode OS Framework - Components 40
  • 41. Routing through hierarchies Genode OS Framework - Components 41
  • 42. Routing through hierarchies (2)<config> <parent-provides> ... </parent-provides> <start name="timer"> <resource name="RAM" quantum="1M"/> <provides> <service name="Timer"/> </provides> <route> <service name="CAP"> <parent/> </service> </route> </start> <start name="init"> <resource name="RAM" quantum="1M"/> <config> <parent-provides> <service name="Timer"/> <service name="LOG"/> </parent-provides> <start name="test-timer"> <resource name="RAM" quantum="1M"/> <route> <service name="Timer"> <parent/> </service> <service name="LOG"> <parent/> </service> </route> </start> </config> <route> <service name="Timer"> <child name="timer"/> </service> <any-service> <parent/> </any-service> </route> </start></config> Genode OS Framework - Components 42
  • 43. Real-time prioritiesKernels provide static prioritiesHow to make the feature available?Priorities have side effects on otherwise unrelated subsystemsPriority inversionPriority inversion + time-slice donation = hard-to-find bug Genode OS Framework - Components 43
  • 44. Real-time priorities (2) Genode OS Framework - Components 44
  • 45. Real-time priorities (3)<config prio_levels="2"> ... <start name="init.1" priority="0"> ... <config prio_levels="4"> ... <!-- priority -1 results in platform priority 112 --> <start name="init.11" priority="-1"> ... </start> <!-- priority -2 results in platform priority 96 --> <start name="init.12" priority="-2"> <config> <start name="init.121"> ... </start> </config> </start> </config> </start> <!-- priority -1 results in platform priority 64 --> <start name="init.2" priority="-1"> ... </start></config> Genode OS Framework - Components 45
  • 46. Configuration concept in practiceDevelopment Wildcards are handy Concise configurations, easy to maintainDeployment Use explicit routes only → Default deny → Whitelist only permitted session types → Mandatory access control Absence of wildcards is easy to validate Genode OS Framework - Components 46
  • 47. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 47
  • 48. Interfaces LOG Unidirectional debug output Terminal Bi-directional input and output synchronous bulk Timer Facility to block the client Input Obtain user input synchronous bulkFramebuffer Display pixel buffer synchronous bulk PCI Represents PCI bus, find and obtain PCI devices Genode OS Framework - Components 48
  • 49. Interfaces (2) ROM Obtain read-only data modules shared memory Block Block-device access packet streamFile system File-system access packet stream NIC Bi-directional transfer of network packets 2 x packet stream Audio out Audio output packet stream Genode OS Framework - Components 49
  • 50. Device drivers Session type Location Timer os/src/drivers/timer Block os/src/drivers/atapi os/src/drivers/ahci os/src/drivers/sd card dde linux/src/drivers/usb drv Input os/src/drivers/input/ps2 dde linux/src/drivers/usb drv Framebuffer os/src/drivers/framebuffer/vesa os/src/drivers/framebuffer/sdl os/src/drivers/framebuffer/pl11x os/src/drivers/framebuffer/omap4 Audio out linux drivers/src/drivers/audio out Terminal os/src/drivers/uart NIC dde ipxe/src/drivers/nic dde linux/src/drivers/usb drv PCI os/src/drivers/pci Genode OS Framework - Components 50
  • 51. Resource multiplexers and protocol stacks Session type Location LOG os/src/server/terminal log demo/src/server/nitlog Framebuffer, demo/src/server/liquid framebuffer Input os/src/server/nit fb Nitpicker os/src/server/nitpicker Terminal os/src/server/terminal crosslink gems/src/server/terminal gems/src/server/tcp terminal Genode OS Framework - Components 51
  • 52. Resource multiplexers and protocol stacks (2) Session type Location Audio out os/src/server/mixer NIC os/src/server/nic bridge ROM os/src/server/rom prefetcher os/src/server/tar rom os/src/server/iso9660 Block os/src/server/rom loopdev os/src/server/part blk gems/src/server/http block File system os/src/server/ram fs libports/src/server/ffat fs Genode OS Framework - Components 52
  • 53. Protocol-stack libraries API Location POSIX libports/lib/mk/ libports/lib/mk/libc libports/lib/mk/libc libports/lib/mk/libc libports/lib/mk/libc libports/lib/mk/libc libports/lib/mk/libc lock libports/lib/mk/libc Qt4 qt4/lib/mk/qt * OpenGL libports/lib/mk/ Genode OS Framework - Components 53
  • 54. Runtime environments Runtime Location Init os/src/init Loader os/src/server/loader L4Linux ports-foc/src/l4linux L4Android ports-foc/src/l4android OKLinux ports-okl4/src/oklinux Vancouver ports/src/vancouver Noux ports/src/noux GDB Monitor ports/src/app/gdb monitor Python libports/lib/mk/x86 32/ Lua libports/lib/mk/ Genode OS Framework - Components 54
  • 55. Thank youWhat we covered today Coming up next...Components Compositions 1. Classification of components 1. Virtualization techniques 2. Kernelization of the GUI 2. Enslaving services server 3. Dynamic workloads 3. Unified configuration concept 4. Session routing 5. Components overview More information and resources: Genode OS Framework - Components 55