Successfully reported this slideshow.
Genode OS Framework - Components            Norman Feske   <norman.feske@genode-labs.com>
Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components...
Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components...
ClassificationKernel enables base platformDevice driver translates device interface to APIProtocol stack translates API to ...
Kernel         Genode OS Framework - Components   5
Device driverTranslates device interface to session interface    Uses core’s IO MEM, IO PORT, IRQ services    Single clien...
Device driver (2)Critical because of DMA    MMU protects physical memory from driver code    Driver code accesses device v...
Device driver (3)Even with no IOMMU, isolating drivers has benefits    Taming classes of non-DMA-related bugs         Memor...
Protocol stackTranslates API to another (or the same) API    Does not enforce policy    Single client    May be co-located...
Protocol stack (2)Libraries            Library   Translation            Qt4       Qt4 API → various Genode sessions       ...
Protocol stack (3)Components that filter sessions                     Genode OS Framework - Components   11
Protocol stack (4)Operate on session interfaces, not physical resources→ May be instantiated any number of times→ Critical...
ApplicationLeaf node in process tree    Uses services    Implements application logic    Provides no service              ...
Runtime environmentHosts other processes as childrenDefines and imposes policy!  Examples                 Init             ...
Resource multiplexerMultiplexes session interface    Multiple clients → Potential multi-level component    Free from polic...
Resource multiplexer (2)→ Often as critical as the kernel→ Must be as low complex as possible→ Must work on client-provide...
Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components...
Kernelizing the GUI serverPersistent security problems of GUIs    Impersonation    (Trojan horses, phishing, man in the mi...
Starting point: DOpE as secure GUI           Genode OS Framework - Components   19
DOpE as secure GUI - DrawbacksProne to resource exhaustion by malicious clientsProvides custom look and feel*    Stands in...
Straight-forward attempt: Shrinking DOpERevisiting the implementation    Keeping only essential functionality    → 7,000 L...
Bottom-up approachWhat do we really need in the GUI server?    Widgets? → No    Font support? → No    Window decoration? →...
Buffers and views          Genode OS Framework - Components   23
User interactionInput-event handling    Only one receiver of each input event    Focused view defines input routing    Rout...
Client-side window handlingReport motion events to focused view while a button is pressed→ Client-side window policies (mo...
Trusted pathIt is not sufficient to label windows!    A Trojan Horse could present an image of a secure window    Not the se...
Trusted path (2)           Genode OS Framework - Components   27
Nitpicker resultsSource-code complexity                   GUI server       Lines of code                   X.org          ...
Nitpicker results (2)    Support for legacy software    Protection against spyware    Helps to uncover Trojan horses    Lo...
Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components...
Traditional approaches to system configurationBoot-loader configuration    vbeset command in GRUB menu.lstCommand line argum...
Unified configuration concept          Genode OS Framework - Components   32
Unified configuration concept (II)           Genode OS Framework - Components   33
Unified configuration concept (III)→ Uniform syntax→ Extensible through custom tags at each level→ XML parser adds less than...
Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components...
Session routing example<config>  <parent-provides>    <service name="CAP"/>    <service name="LOG"/>  </parent-provides>  ...
Using wildcards <route>   <service    name="ROM">   <parent/>    </service>   <service    name="RAM">   <parent/>    </ser...
Combining wildcards with explicit routes<route>  <service name="LOG"> <child name="nitlog"/> </service>  <any-service>    ...
Useful routing template <route>   <any-service> <parent/>    </any-service>   <any-service> <any-child/> </any-service> </...
Poly-instantiating the same binary <start name="nit_fb">   ... <start name="nit_fb">    <!-- XXX ambiguous name! -->   ......
Routing through hierarchies           Genode OS Framework - Components   41
Routing through hierarchies (2)<config>  <parent-provides> ... </parent-provides>  <start name="timer"> <resource name="RA...
Real-time prioritiesKernels provide static prioritiesHow to make the feature available?Priorities have side effects on othe...
Real-time priorities (2)            Genode OS Framework - Components   44
Real-time priorities (3)<config prio_levels="2">  ...  <start name="init.1" priority="0">    ...    <config prio_levels="4...
Configuration concept in practiceDevelopment              Wildcards are handy              Concise configurations, easy to m...
Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components...
Interfaces      LOG Unidirectional debug output   Terminal Bi-directional input and output            synchronous bulk    ...
Interfaces (2)     ROM Obtain read-only data modules         shared memory     Block Block-device access           packet ...
Device drivers Session type   Location       Timer    os/src/drivers/timer        Block   os/src/drivers/atapi            ...
Resource multiplexers and protocol stacks Session type   Location        LOG     os/src/server/terminal log               ...
Resource multiplexers and protocol stacks (2)    Session type   Location      Audio out    os/src/server/mixer            ...
Protocol-stack libraries   API      Location   POSIX    libports/lib/mk/libc.mk            libports/lib/mk/libc log.mk    ...
Runtime environments  Runtime         Location  Init            os/src/init  Loader          os/src/server/loader  L4Linux...
Thank youWhat we covered today                      Coming up next...Components                                 Compositio...
Upcoming SlideShare
Loading in …5
×

Genode Components

744 views

Published on

The lecture by Norman Feske for Summer Systems School'12.
Genode Components

SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.

Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.

1. http://ksyslabs.org/
2. http://genode.org

Published in: Education
  • Be the first to comment

  • Be the first to like this

Genode Components

  1. 1. Genode OS Framework - Components Norman Feske <norman.feske@genode-labs.com>
  2. 2. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 2
  3. 3. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 3
  4. 4. ClassificationKernel enables base platformDevice driver translates device interface to APIProtocol stack translates API to APIApplication is leaf node in process treeRuntime environment has one or more childrenResource multiplexer has multiple clientscombinations are possible Genode OS Framework - Components 4
  5. 5. Kernel Genode OS Framework - Components 5
  6. 6. Device driverTranslates device interface to session interface Uses core’s IO MEM, IO PORT, IRQ services Single client Contains no policy Enforces policy (device-access arbitration) Genode OS Framework - Components 6
  7. 7. Device driver (2)Critical because of DMA MMU protects physical memory from driver code Driver code accesses device via MMIO Device has access to whole physical memory (DMA)→ Device driver can access whole physical memory IOMMUs can help ...but are no golden bullet Genode OS Framework - Components 7
  8. 8. Device driver (3)Even with no IOMMU, isolating drivers has benefits Taming classes of non-DMA-related bugs Memory leaks Synchronization problems, dead-locks Flawed driver logic, wrong state machines Device initialization Minimizing attack surface from the outside Genode OS Framework - Components 8
  9. 9. Protocol stackTranslates API to another (or the same) API Does not enforce policy Single client May be co-located with device driver Genode OS Framework - Components 9
  10. 10. Protocol stack (2)Libraries Library Translation Qt4 Qt4 API → various Genode sessions lwIP socket API → NIC sessionComponents translating sessions Component Translation TCP terminal Terminal session → NIC session iso9660 ROM session → Block session ffat fs File-system session → Block session Genode OS Framework - Components 10
  11. 11. Protocol stack (3)Components that filter sessions Genode OS Framework - Components 11
  12. 12. Protocol stack (4)Operate on session interfaces, not physical resources→ May be instantiated any number of times→ Critical for availablility→ Not neccessarily critical for integrity and confidentiality→ Information leakage constrained to used interfacescomplex code should go in here Genode OS Framework - Components 12
  13. 13. ApplicationLeaf node in process tree Uses services Implements application logic Provides no service Genode OS Framework - Components 13
  14. 14. Runtime environmentHosts other processes as childrenDefines and imposes policy! Examples Init Virtual machine monitor Debugger Python interpreter Genode OS Framework - Components 14
  15. 15. Resource multiplexerMultiplexes session interface Multiple clients → Potential multi-level component Free from policy Enforce policy dictated by parent Prone to cross-client information leakage Prone to resource-exhaustion-based DoS Genode OS Framework - Components 15
  16. 16. Resource multiplexer (2)→ Often as critical as the kernel→ Must be as low complex as possible→ Must work on client-provided resources→ Must employ heap partitioningonly a few resource multiplexers needed Genode OS Framework - Components 16
  17. 17. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 17
  18. 18. Kernelizing the GUI serverPersistent security problems of GUIs Impersonation (Trojan horses, phishing, man in the middle) Spyware (input loggers, arcane observers) Robustness/availability risks (resource-exhaustion-based denial of serviceGUI belongs to TCB → low complexity is important! Genode OS Framework - Components 18
  19. 19. Starting point: DOpE as secure GUI Genode OS Framework - Components 19
  20. 20. DOpE as secure GUI - DrawbacksProne to resource exhaustion by malicious clientsProvides custom look and feel* Stands in the way when using legacy software May be enhanced by theme supportComplexity of 12,000 LOC Genode OS Framework - Components 20
  21. 21. Straight-forward attempt: Shrinking DOpERevisiting the implementation Keeping only essential functionality → 7,000 LOCWe loose: Majority of widgets (grid, scale, scrollbar, etc.) Flexible command interface Coolness, fancyness, convenience Real-time support7,000 LOC are too much for such a crippled GUI! Genode OS Framework - Components 21
  22. 22. Bottom-up approachWhat do we really need in the GUI server? Widgets? → No Font support? → No Window decoration? → No Textual command interface? → No Look and feel, gradients, translucency? → No Hardware abstractions (e. g., color-space conversion)? → No Windows displaying pixel buffers? → YES Distribution of input events? → YES Secure labeling? → YES Genode OS Framework - Components 22
  23. 23. Buffers and views Genode OS Framework - Components 23
  24. 24. User interactionInput-event handling Only one receiver of each input event Focused view defines input routing Routing controlled by the user only Genode OS Framework - Components 24
  25. 25. Client-side window handlingReport motion events to focused view while a button is pressed→ Client-side window policies (move, resize, stacking)→ Key for achieving low server-side complexityEmergency break→ Special key regains control over misbehaving applications Genode OS Framework - Components 25
  26. 26. Trusted pathIt is not sufficient to label windows! A Trojan Horse could present an image of a secure window Not the secure window must be marked, but all others!Revoke some degree of freedom from the clients Dedicated screen area, reserved for the trusted GUI Revoking the ability to use the whole color space→ X-Ray mode, activated by special key (x-ray key) Genode OS Framework - Components 26
  27. 27. Trusted path (2) Genode OS Framework - Components 27
  28. 28. Nitpicker resultsSource-code complexity GUI server Lines of code X.org > 80,000 Trusted X 30,000 DOpE 12,000 EWS 4,500 Nitpicker < 2,000 Low performance overhead, no additional copy Low-complexity clients are possible (Scout: 4,000 LOC) Genode OS Framework - Components 28
  29. 29. Nitpicker results (2) Support for legacy software Protection against spyware Helps to uncover Trojan horses Low source-code complexity→ Poster child of a resource multiplexer Genode OS Framework - Components 29
  30. 30. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 30
  31. 31. Traditional approaches to system configurationBoot-loader configuration vbeset command in GRUB menu.lstCommand line arguments specified to boot modulesKernel command lineCustom configuration files Needs file providers, file name space Varying syntax → parsing problems Genode OS Framework - Components 31
  32. 32. Unified configuration concept Genode OS Framework - Components 32
  33. 33. Unified configuration concept (II) Genode OS Framework - Components 33
  34. 34. Unified configuration concept (III)→ Uniform syntax→ Extensible through custom tags at each level→ XML parser adds less than 300 LOC to TCB Genode OS Framework - Components 34
  35. 35. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 35
  36. 36. Session routing example<config> <parent-provides> <service name="CAP"/> <service name="LOG"/> </parent-provides> <start name="timer"> <resource name="RAM" quantum="1M"/> <provides> <service name="Timer"/> </provides> <route> <service name="CAP"> <parent/> </service> </route> </start> <start name="test-timer"> <resource name="RAM" quantum="1M"/> <route> <service name="Timer"> <child name="timer"/> </service> <service name="LOG"> <parent/> </service> </route> </start></config> Genode OS Framework - Components 36
  37. 37. Using wildcards <route> <service name="ROM"> <parent/> </service> <service name="RAM"> <parent/> </service> <service name="RM"> <parent/> </service> <service name="PD"> <parent/> </service> <service name="CPU"> <parent/> </service> </route>generalized: <route> <any-service> <parent/> </any-service> </route> Genode OS Framework - Components 37
  38. 38. Combining wildcards with explicit routes<route> <service name="LOG"> <child name="nitlog"/> </service> <any-service> <parent/> </any-service></route> Genode OS Framework - Components 38
  39. 39. Useful routing template <route> <any-service> <parent/> </any-service> <any-service> <any-child/> </any-service> </route>abbreviated: <route> <any-service> <parent/> <any-child/> </any-service> </route> Genode OS Framework - Components 39
  40. 40. Poly-instantiating the same binary <start name="nit_fb"> ... <start name="nit_fb"> <!-- XXX ambiguous name! --> ...ambiguity resolved: <start name="nit_fb_1"> <binary name="nit_fb"/> <!-- binary name != process name --> ... <start name="nit_fb_2"> <!-- unique name --> <binary name="nit_fb"/> ... Genode OS Framework - Components 40
  41. 41. Routing through hierarchies Genode OS Framework - Components 41
  42. 42. Routing through hierarchies (2)<config> <parent-provides> ... </parent-provides> <start name="timer"> <resource name="RAM" quantum="1M"/> <provides> <service name="Timer"/> </provides> <route> <service name="CAP"> <parent/> </service> </route> </start> <start name="init"> <resource name="RAM" quantum="1M"/> <config> <parent-provides> <service name="Timer"/> <service name="LOG"/> </parent-provides> <start name="test-timer"> <resource name="RAM" quantum="1M"/> <route> <service name="Timer"> <parent/> </service> <service name="LOG"> <parent/> </service> </route> </start> </config> <route> <service name="Timer"> <child name="timer"/> </service> <any-service> <parent/> </any-service> </route> </start></config> Genode OS Framework - Components 42
  43. 43. Real-time prioritiesKernels provide static prioritiesHow to make the feature available?Priorities have side effects on otherwise unrelated subsystemsPriority inversionPriority inversion + time-slice donation = hard-to-find bug Genode OS Framework - Components 43
  44. 44. Real-time priorities (2) Genode OS Framework - Components 44
  45. 45. Real-time priorities (3)<config prio_levels="2"> ... <start name="init.1" priority="0"> ... <config prio_levels="4"> ... <!-- priority -1 results in platform priority 112 --> <start name="init.11" priority="-1"> ... </start> <!-- priority -2 results in platform priority 96 --> <start name="init.12" priority="-2"> <config> <start name="init.121"> ... </start> </config> </start> </config> </start> <!-- priority -1 results in platform priority 64 --> <start name="init.2" priority="-1"> ... </start></config> Genode OS Framework - Components 45
  46. 46. Configuration concept in practiceDevelopment Wildcards are handy Concise configurations, easy to maintainDeployment Use explicit routes only → Default deny → Whitelist only permitted session types → Mandatory access control Absence of wildcards is easy to validate Genode OS Framework - Components 46
  47. 47. Outline1. Classification of components2. Kernelization example3. Unified configuration concept4. Session routing5. Components overview Genode OS Framework - Components 47
  48. 48. Interfaces LOG Unidirectional debug output Terminal Bi-directional input and output synchronous bulk Timer Facility to block the client Input Obtain user input synchronous bulkFramebuffer Display pixel buffer synchronous bulk PCI Represents PCI bus, find and obtain PCI devices Genode OS Framework - Components 48
  49. 49. Interfaces (2) ROM Obtain read-only data modules shared memory Block Block-device access packet streamFile system File-system access packet stream NIC Bi-directional transfer of network packets 2 x packet stream Audio out Audio output packet stream Genode OS Framework - Components 49
  50. 50. Device drivers Session type Location Timer os/src/drivers/timer Block os/src/drivers/atapi os/src/drivers/ahci os/src/drivers/sd card dde linux/src/drivers/usb drv Input os/src/drivers/input/ps2 dde linux/src/drivers/usb drv Framebuffer os/src/drivers/framebuffer/vesa os/src/drivers/framebuffer/sdl os/src/drivers/framebuffer/pl11x os/src/drivers/framebuffer/omap4 Audio out linux drivers/src/drivers/audio out Terminal os/src/drivers/uart NIC dde ipxe/src/drivers/nic dde linux/src/drivers/usb drv PCI os/src/drivers/pci Genode OS Framework - Components 50
  51. 51. Resource multiplexers and protocol stacks Session type Location LOG os/src/server/terminal log demo/src/server/nitlog Framebuffer, demo/src/server/liquid framebuffer Input os/src/server/nit fb Nitpicker os/src/server/nitpicker Terminal os/src/server/terminal crosslink gems/src/server/terminal gems/src/server/tcp terminal Genode OS Framework - Components 51
  52. 52. Resource multiplexers and protocol stacks (2) Session type Location Audio out os/src/server/mixer NIC os/src/server/nic bridge ROM os/src/server/rom prefetcher os/src/server/tar rom os/src/server/iso9660 Block os/src/server/rom loopdev os/src/server/part blk gems/src/server/http block File system os/src/server/ram fs libports/src/server/ffat fs Genode OS Framework - Components 52
  53. 53. Protocol-stack libraries API Location POSIX libports/lib/mk/libc.mk libports/lib/mk/libc log.mk libports/lib/mk/libc fs.mk libports/lib/mk/libc rom.mk libports/lib/mk/libc lwip.mk libports/lib/mk/libc ffat.mk libports/lib/mk/libc lock pipe.mk libports/lib/mk/libc terminal.mk Qt4 qt4/lib/mk/qt * OpenGL libports/lib/mk/gallium.mk Genode OS Framework - Components 53
  54. 54. Runtime environments Runtime Location Init os/src/init Loader os/src/server/loader L4Linux ports-foc/src/l4linux L4Android ports-foc/src/l4android OKLinux ports-okl4/src/oklinux Vancouver ports/src/vancouver Noux ports/src/noux GDB Monitor ports/src/app/gdb monitor Python libports/lib/mk/x86 32/python.mk Lua libports/lib/mk/moon.mk Genode OS Framework - Components 54
  55. 55. Thank youWhat we covered today Coming up next...Components Compositions 1. Classification of components 1. Virtualization techniques 2. Kernelization of the GUI 2. Enslaving services server 3. Dynamic workloads 3. Unified configuration concept 4. Session routing 5. Components overview More information and resources: http://genode.org Genode OS Framework - Components 55

×