Mutable Protection Domains: Towards a Component-Based System for Dependable and Predictable Computing

The increasing complexity of software poses signicant challenges for real-time and embedded systems beyond those based purely on timeliness. With embedded sys-tems and applications running on everything from mobile phones, PDAs, to automobiles, aircraft and beyond, an emerging challenge is to ensure both the functional and tim-ing correctness of complex software. We argue that static analysis of software is insufcient to verify the safety of all possible control ow interactions. Likewise, a static sys-tem structure upon which software can be isolated in sepa-rate protection domains, thereby dening immutable bound-aries between system and application-level code, is too in-exible to the challenges faced by real-time applications with explicit timing requirements. This paper, therefore, in-vestigates a concept called mutable protection domains that supports the notion of hardware-adaptable isolation boundaries between software components. In this way, a system can be dynamically recongured to maximize soft-ware fault isolation, increasing dependability, while guar-anteeing various tasks are executed according to specic time constraints. Using a series of simulations on multi-dimensional, multiple-choice knapsack problems, we show how various heuristics compare in their ability to rapidly reorganize the fault isolation boundaries of a component-based system, to ensure resource constraints while simulta-neously maximizing isolation benet. Our ssh oneshot algorithm offers a promising approach to address system dynamics, including changing component invocation pat-terns, changing execution times, and mispredictions in iso-lation costs due to factors such as caching. This material is based upon work supported by the National Science Foundation under Grant Numbers 0615153 and 0720464. Any opinions, ndings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reect the views of the National Science Foundation.

System noise, OS clock ticks, and fine-grained parallel applications

As parallel jobs get bigger in size and finer in granularity, “system noise ” is increasingly becoming a problem. In fact, fine-grained jobs on clusters with thousands of SMP nodes run faster if a processor is intentionally left idle (per node), thus enabling a separation of “system noise ” from the com-putation. Paying a cost in average processing speed at a node for the sake of eliminating occasional processes delays is (unfortunately) beneficial, as such delays are enormously magnified when one late process holds up thousands of peers with which it synchronizes. We provide a probabilistic argument showing that, under certain conditions, the effect of such noise is linearly pro-portional to the size of the cluster (as is often empirically observed). We then identify a major source of noise to be indirect overhead of periodic OS clock interrupts (“ticks”), that are used by all general-purpose OSs as a means of main-taining control. This is shown for various grain sizes, plat-forms, tick frequencies, and OSs. To eliminate such noise, we suggest replacing ticks with an alternative mechanism we call “smart timers”. This turns out to also be in line with needs of desktop and mobile computing, increasing the chances of the suggested change to be accepted. 1

Shards: a system for systems

Operating system construction is often focused on the internal operation and architecture of a general purpose system. This thesis instead focuses on systems built in response to a specific purpose, design intent, application load and platform. These are referred to as custom systems in the thesis. These focused systems have known demands, constraints and requirements that provide a target for system design and optimisation. These systems can perform valuable and demanding tasks which may encourage optimisation effort. The first challenge is discovering and capturing these attributes in an encoding that can be machine manipulated. The second challenge was to use this information in a way which makes custom system construction economical, thereby widening the range of systems for which such efforts are appropriate. A bespoke and manual system construction is too expensive for the more narrowly deployed systems being considered. The operating systems field generally assumes a long lived and widely deployed general system which can afford significant design effort up-front which is not applicable in this case. The proposed solution was to balance the advantages of modular functionality with automated configuration, construction and tailoring based on the captured demands of the proposed system. Effectively the operating system is compiled as an integrated part of the system. In such an approach new inputs not relevant to general systems, such as application code and design intent, are known in advance and can inform the system generation process. This leads to an operating system structure that is determined by and optimised to the needs of the proposed system. A clean architecture is often a design goal for system construction. In this case the ideal is an operating system so integrated into the overall system there is no clearly identifiable run time structure. The Operating System could become part of the hardware, system operation or applications of the system. The final goal was to build a foundation in which construction work or advances can be captured and reused. Building a complete "system of systems" in a single project would be an impractical undertaking. The effort was to build an approach and framework which could grow as a side effect of its use and application. This allowed the lessons learnt and work done in one project to potentially enrich both this approach and the domain of operating systems

A New Protection Model for Component-Based

Protected operating systems multiplex programs onto resources such that they are isolated from one another — that is, concurrently executing programs cannot interfere with each other. A layer of software known as the kernel provides this protection to the software layers above it. Untrusted, ‘user’ programs are prevented from controlling the protection hardware because they are executed when the processor is in user mode — a mode of reduced privilege. In user mode, instructions that can be used to circumvent protection are unavailable; the processor’s instruction-set is reduced. This thesis introduces a new operating system protection mechanism termed SISR — Software-based Instruction Set Reduction (pronounced scissor). Here, all software (including the kernel) executes in the same processor mode, while both language independence and protection are maintained. Untrusted (that is, ‘user level’) code is prevented from issuing privileged instructions not by reducing the processor’s instruction set, but by scanning code prior to its loading; any code found to contain privileged instructions is not loaded. Memory protection is provided through segmentation. SISR leads to improved architectures (that is, simpler and more modular), and improves performance significantly. Its low overheads make fine-grained protection practical, making it especially well-suited to component-based operating systems. A prototype system has been built for x86-based PCs as a ‘proof-of-concept’. Significant improvements in architectures have been delivered. Tasks that have previously been inextricably linked (such as interrupt handling and CPU scheduling) have been separated into distinct components. Experiments have demonstrated significant improvements in performance, compared even to the leanest research operating systems