30 Years of Reliable and Secure Computing
Transcrição
30 Years of Reliable and Secure Computing
Ope nVMS – 30 Ye a rs of Re lia ble a nd S e cure Computing Andy Golds te in Ope nVMS Eng inee ring © 2007 Hewlett-Pa cka rd De velopment Compa ny, L.P. The informa tion conta ined herein is s ubject to cha ng e without notice 30 Yea rs of Evolution VMS in 1977 ● Dig ita l’s 32 bit s upermini ● Te rmina ls & time s ha ring ● Fortra n: e ng ineering , s imula tion ● 1.5M line s of code in ba s e s ys tem 10/03/07 30 Yea rs of Evolution VMS Now ● $3K w orks ta tions to $25M multi-s ite clus ters ● VAX, Alpha a nd, Ita nium cpu ● Fa ctory floor, inte rba nk EFT, bus ines s tra ns a ctions , tra ffic control, da ta ba s e , inte rnet s erver ● > 25M line s of code ● More re lia ble tha n e ver ● Mos t V1 a pps s till w ork 10/03/07 Ma jor Evolutions in VMS ● DECw indow s ● Clus te rs ● S ymmetric Multiproces s ing ● Alpha Port ● Memory Ma na g eme nt Redes ig n ● Ita nium Port 10/03/07 Overview of VMS Org a niza tion ● Proces s : a ddres s s pa ce + threa d(s ) of execution ● Dema nd pa g e d, virtua l memory ● Pa rtitioned a ddres s s pa ce: 10/03/07 ● P0: a pplica tion code & da ta ● P1: s ta cks a nd proces s -s pecific OS context ● P2: 64 bit extende d proces s s pa ce ● S 0: OS code & g loba l da ta ● S 2: 64 bit extended s ys tem s pa ce Overview of VMS Org a niza tion ● 10/03/07 Proces s a cce s s modes ● Us er ● S upervis or - DCL ● Exec - hig he r OS la yers ● Kernel ● S ta ck per a cce s s mode Overview of VMS Org a niza tion ● ● Interrupt (fork) context ● Kernel mode, ha rdw a re IPL ● S ys te m s pa ce only ● Limite d s ta ck ● “Lig htw eig ht thre a d” model AS T: a s ynchronous procedure ca ll ● 10/03/07 Proces s e quiva lent of interrupt context I/O S ubs ys tem ● $QIO s ervice in proces s context ● Loa da ble device drivers ● Drive r pre-proce s s ing in us er context ● Drive r fork le vel ● I/O inte rrupt ● Proces s conte xt completion AS T ● ACP - a ncilla ry control proces s 10/03/07 driver fork DECwindows VMS becomes a w orks ta tion ● Gra phics device drivers ● Port of X-11 a nd OS F Motif ● S es s ion ma na g e r menu items : ● ● 10/03/07 DCL s hell s cript Exis ting cha ra cter cell a pps : ● Pa rtition into cha ra cter cell UI a nd ca lla ble a pplica tion log ic ● Add ne w w indow s UI Clus ters VMS Becomes a Dis tributed Opera ting S ys tem VMS Node S torag e Ctrl 10/03/07 VMS Node VMS Node S torag e Ctrl Clus ters : The Lock Ma na g er ● Abs tra ct na med re s ources ● Lock modes to re pres ent typica l da ta a cces s : 10/03/07 ● EX ● PW ● PR ● CW ● CR ● NL RMS a nd the Lock Ma na g er RMS Fea ture s ● Record-orie nted I/O pa cka g e ● S eque ntia l, direct, indexed ● Cohere nt s ha red w rite a cces s w ith record locking ● Proces s loca l buffers w ith coherent ca che ma na g ement Priva te locking implementa tion repla ced w ith clus ter lock ma na g er 10/03/07 Before Clus ters : File ACP S erver proce s s inte rcepts complex file opera tions ● Open file context in s ys tem pool ● File me ta da ta ca che in proces s context ● S ing le threa d ope ra tion provided implicit s ynchroniza tion 10/03/07 Clus ters : the File XQP ● ● 10/03/07 Clus te r implementa tion choices ● S ing le s erver w ith fa ilover ● Multiple coordina ted ACPs S erve r proces s converted to run in client proces s context ● Ca che move d to s ys tem pool ● S imple thre a ding pa cka g e la yered on AS T mecha nis m ● Explicit s ynchroniza tion w ith lock ma na g er S ymmetric Multiproces s ing Orig ina l kernel s ynchroniza tion des ig ned for uniproces s or: ● ● ● ● ● ● ● ● 10/03/07 IPL 24-31: clock, cpu errors IPL 16-23: I/O interrupts IPL 8-11: device driver threa ds IPL 8: s cheduling , memory ma na g ement, kernel-level mes s a g es , etc. IPL 4: I/O completion proces s ing IPL 3: proces s res cheduling IPL 2: AS T delivery IPL 0: proces s execution S ymmetric Multiproces s ing Implicit IPL s ynchroniza tion repla ced w ith explicit s pinlocks ● Ea ch IPL becomes a s pinlock ● IPL 8 broken into functiona l a rea s ● 10/03/07 ● Memory Ma na g ement ● S che duling ● Clus te r communica tions ● File s ys tem ● etc. Continuing to refine locking S MP Convers ion Brute force e ffort ● Entire kernel ins pected for s ynchroniza tion ● Aided by exis ting ma cros (DS BINT, ENBINT, S ETIPL) ● Counte rs converte d to interlocked ins tructions ● S pinlock ra nk de s ig n detects des ig n dea dlocks ● Debug a nd production locking ma cros 10/03/07 Port to Alpha VMS a nd VAX w ere ma de for ea ch other ● Privileg e d a rchite cture (memory ma na g ement, a cces s modes , IPLs , etc.) ● Va ria ble leng th CIS C ins tructions , 32 bit a rchitecture ● Mos t of VMS kerne l in ma cro 10/03/07 Port to Alpha Alpha is ● 64 bit a rchite cture ● Fixed leng th RIS C ins truction But… ● VAX-like privileg e d a rchitecture ● Compa tible da ta types 10/03/07 Port to Alpha Rew rite : ● CPU s upport ● Boot code ● S ome drivers ● Low leve l memory ma na g ement ● Exception ha ndling ● Ma th RTL 10/03/07 Port to Alpha Compile eve rything e ls e: ● Blis s & C ● Ma cro! ● ● 32 bit vs 64 bit ● Compila ble ma cro ● Atomicity is s ues Exe cuta ble ima g es !! Res ult: “It’s rea lly VMS . It eve n ha s the s a me bug s .” - e a rly Alpha us er 10/03/07 64 Bit Virtua l Memory • Orig ina l pa g e ta ble des ig n Pa g e S 0 S pa ce Da ta Pa g e Pa g e OFF Da ta 10/03/07 OFF 64 Bit Virtua l Memory • Extended virtua l a ddres s ing L1 L2 L3 OFF L1PT L2PT L1 L2 L3PT Da ta Pa g e L3 OFF Da ta 10/03/07 64 Bit Virtua l Memory • Pa g e ta ble reference K L1 L2 L3 L1PT L2PT K L 1 L2 L3PT L3 10/03/07 Port to Ita nium • Another 64-bit a rchitecture, but... • Different reg is ter conventions • Intel ca lling s ta nda rd • Different privileg ed a rchitecture −No PALcode −Different cons ole / boot procedure −Different interrupt a rchitecture −Different s ynchroniza tion primitives 10/03/07 Port to Ita nium • Fortuna tely... •4 a cces s modes • Compa tible memory protection fea tures • Memory a tomicity no wors e tha n Alpha 10/03/07 Port to Ita nium • Rewrite −CPU s upport −Boot code • New −Interrupt & exception delivery in s oftware −Emulation of interlocked ins tructions (queues , etc.) −EFI pa rtition on s ys tem dis k • Redes ig n −Ca lling s ta nda rd a nd condition handling −Object a nd executa ble file forma t 10/03/07 Port to Ita nium • Recompile • 95% of ba s e OS code recompiled without cha ng e • Bina ry tra ns la tor a ls o a va ila ble 10/03/07 Pa rt 2 Building a S ecure Opera ting S ys tem – the VMS Approa ch 10/03/07 Wha t is S ecurity? Us ers ' da ta ha ndled a ccording to a s ecurity policy • Policy mus t meet us ers ' needs • Policy mus t a lwa ys be correctly ha ndled s o... • Conceptua lly, s ecurity is very s imple • In pra ctice, s ecurity is fra cta l (Butler La mps on) 10/03/07 Genera l Concepts • Reference monitor −Textbook model −Two exa mples • S ys tem la yering – the textbook a nd rea lity −Textbook model −The rea lity of VMS • Typica l 10/03/07 privileg ed s ubs ys tem Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 31 Reference Monitor The textbook model Us er Reference Monitor Authoriza tion Da ta ba s e 10/03/07 Da ta Audit Tra il Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 32 Reference Monitor • All object a cces s es a re controlled by the reference monitor • The a uthoriza tion da ta ba s e determines the a cces s control policy • Object a cces s es ma y be recorded in the a udit log • The reference monitor, a uthoriza tion da ta ba s e, a nd a udit log a re ta mperproof therefore... • The reference monitor implementa tion mus t be correct 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 33 Reference Monitor Two Exa mples • An a cces s to a file −The file repres ents the data object −The rig hts da ta ba s e a nd the file's ACL conta in the a uthoriza tion informa tion −The a cces s ma y be a udited • The $S ETS WM s ervice −A s ing le bit of proces s s ta te repres ents the da ta object −The a uthoriza tion da ta ba s e is the PS WAPM privileg e −Audit ca pability exis ts 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 34 S ys tem La yering The Textbook Model Kernel (trus ted) Us er Mode (untrus ted) 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 35 S ys tem La yering Development Tools Command Language Interpreter Privileged Images •Images installed with privilege •Protected shareable images •Protected subsystems •Privileged server processes •Informational utilities •Text editors •Macro •Compilers •Linker RMS and System Services $OPEN $GET System Services $IMGACT $PUT $CRETVA $ASSIGN $ADJWSL $CRMPSC Memory Management •Pagefault •Swapper I/O Subsystem System-wide Protected Data Structures $CLOSE $QIO $CANCEL •Device Drivers •I/O Support Routines Run Time Library (General) •Math library •String handling •Screen management •Misc LIB functions •Page Tables •I/O Database •Scheduler Data Process and Time Management Run Time Library (Language-specific) •CRTL •FORTRAN •PASCAL •BASIC 10/03/07 •Scheduler •Process Control $WAKE $CREPRC $SETIMR Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. Assorted Utilities •COPY •HELP •DIRECTORY •SORT 36 Typica l Privileg ed S ubs ys tem Us er Privileg ed S ubs ys tem Priva te Da ta Us er Da ta 10/03/07 VMS S ervices Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 37 Principles • Who is performing the opera tion? −A privileg ed s ubs ys tem performs s ome opera tions on its own behalf, with its rig hts a nd privileg es −It performs other opera tions on behalf of the us er. The s ubs ys tem mus t ta ke ca re not to ta ke a ny a ctions the us er could not ha ve done by thems elves . 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 38 Principles • Keep tra ck of the environment −How ca n the us er affect your environment? (Log ica l na mes a re a clas s ic exa mple.) −How have you a ltered the environment? Any a ltera tions mus t be undone before the us er ca n reg a in control in a ny way. 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 39 Principles • Whos e da ta is this a nywa y? −Priva te da ta mus t be protected from modification a nd/or reading by the us er. −Us er data mus t be acces s ed with the a cces s rig hts of the us er. −Da ta under the us er's control mus t be viewed a s untrus tworthy. Its contents and acces s ibility ma y cha ng e over time a nd mus t be fully va lida ted on every reference. 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 40 Confidentia lity a nd Integ rity • Untrus ted code mus t not be a llowed to s ee da ta tha t is cons idered priva te −Da ta belong ing to other us ers −Da ta whos e s ecrecy is critica l to enforcing s ecurity policy (e.g ., pa s s words ) • However... there is no need to hide da ta tha t is not confidentia l −Entire VMS kernel code is us er rea dable −Mos t P1 context is us er reada ble 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 41 Confidentia lity a nd Integ rity • Untrus ted code mus t not be a llowed to modify da ta belong ing to other us ers • Untrus ted code mus t not be a llowed to modify da ta critica l to the opera tion of the opera ting s ys tem • However... there is no need to protect da ta tha t only a ffects the us er. −AS T a ctive/ena ble, FP reg is ter us e fla g s 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 42 Acces s Modes • Hiera rchy of a cces s modes : us er, s upervis or, exec, kernel • Inwa rd tra ns itions : −S ys tem s ervice calls −Exceptions −Interrupts −AS Ts • Outwa re tra ns itions : −REI 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 43 Us er Mode Us er mode is the one mode a cces s ible to unprivileg ed us er s oftwa re. Therefore, a nything coming from us er mode mus t be reg a rded with extreme s us picion. • Log ica l na mes (including s upervis or mode log ica ls ) • Addres s s pace. When us er mode ca n execute, the pres ence, ma pping , a nd protection of us er-owned a ddres s s pa ce ca n cha ng e. The contents of us er-owned a ddres s s pa ce ca n cha ng e at any time. • AS Ts . Us er mode execution may be initia ted by timers , I/O completion, etc., a nytime no inner mode execution is in prog res s . With a few exceptions , all us er mode s ta te is elimina ted by ima g e rundown. 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 44 S upervis or Mode • Belong s to the comma nd la ng ua g e interpretor, which is not a ccus tomed to coexis ting with other s ubs ys tems • Is privileg ed beca us e it ha s control over the integ rity a nd execution of privileg ed ima g es . 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 45 Exec Mode • Outer la yer of the “s ys tem kernel” • Us ed for RMS , ima g e a ctiva tor, s ecurity s ervices , etc. • Rea d-only a cces s to a ll s ys tem interna l da ta s tructures • S evera l implicit privileg es −S YS LCK −Exec mode log ica l names −CMKRNL −S ETPRV 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 46 Kernel Mode • Acces s to a ll s ys tem interna l da ta s tructures , I/O s pa ce, privileg ed ins tructions , etc. • Execution a t eleva ted IPL • Acces s to interna l s ynchroniza tion 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 47 Why Ha ve Four Modes ? S upervis or a nd exec modes a re trus ted but firewa lled • S upervis or −Protects in-proces s CLI from ima g e −Only trus ted to not a ctively interfere with privileg ed ima g es • Exec −Rea d a cces s to a ll kernel data −Va rious implied privileg es −But ca nnot directly cras h the s ys tem 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 48 Privileg es • 64 bits of proces s s ta te a llowing a cces s to s ecurity s ens itive opera tions • 4 privileg e ma s ks per proces s −Proces s authorized: ma ximum privileg es permitted for the life of the proces s −Proces s current: proces s privileg es as reduced by the us er or a pplica tion code −Ima g e enha nced: additiona l privileg es ma de ava ila ble to the currently executing ima g e by INS TALL −Ima g e current: ava ila ble privileg es as reduced by the a pplica tion 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 49 Privileg es • Why s o ma ny privileg es ? • Ma ny privileg es a llow complete control of the s ys tem • S epa ra te privileg es protect a g a ins t a ccidents • Alwa ys a pply “principle of lea s t privileg e” 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 50 Privileg ed S ubs ys tems Privileg ed Proces s es • Own proces s context • Own a ddres s s pa ce • Typica lly ma ny or a ll privileg es s et • Typica lly well ins ula ted from us er atta ck - but - • Mus t va lida te a ll us er inputs • Operations “on behalf of the us er” a re problema tica l −Us e impers ona tion s ervices • Exa mples : job controller, s ymbionts , s ecurity s erver 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 51 Privileg ed S ubs ys tems Ima g es Ins ta lled With Privileg e • “Ma in prog ra ms ” only • Opera te in us er's proces s context • Privileg es ena bled by ima g e a ctiva tor • Privileg es extend to a ll code ca lled by ima g e • Exa mples : S ET & S HOW 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 52 Privileg ed S ubs ys tems P rote ction of Privileg e d Ima g e s • Privile g e s re moved on ima g e rundown • DCL EXAMINE, DEPOS IT, DEBUG, e tc., dis a ble d; S PAWN drops privile g e s • S ha rea ble ima g e s mus t be ins ta lled a nd a re a ctiva te d with e xe c mode log ica ls only • Debug a nd tra ce ba ck hooks a re dis a llowed - but - • Us er mode log ica ls a pply to file ope ra tions unle s s dis a ble d with RMS 's FAB$V_LNM_MODE 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 53 Privileg ed S ubs ys tems Protected S ubs ys tems (executa ble ima g es with a S ubs ys tem ACE) • Ana log ous to ima g es ins ta lled with privileg es • Rig hts lis t a ug mented by identifiers from s ubs ys tem ACE • Identifiers ma y be ena bled/dis a bled with $S UBS YS TEM s ervice ca ll • Ca pa bilities (a nd ris k) determined by a cces s conferred by s ubs ys tem identifiers • Genera lly s a fer tha n privileg ed ima g es 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 54 Privileg ed S ubs ys tems S ys tem S pa ce S ys tem S ervice Code • Executes in proces s context • Protected by inner mode • Ha ve rig hts a nd privileg es of the inner mode • Ca lla ble from us er mode via s ys tem s ervice entry • Exa mples : mos t VMS s ys tem s ervices 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 55 Privileg ed S ubs ys tems Proces s S pa ce S ys tem S ervice Code • Known a s −Us er-written s ys tem s ervices −Protected s ha rea ble imag es −Privileg ed s harea ble ima g es • Loa ded by ima g e a ctiva tor during ima g e a ctiva tion • S ha re a ll other cha ra cteris tics of s ys tem s ervice code • Exa mples : $MOUNT, $GETUAI, etc. 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 56 Privileg ed S ubs ys tems • Protection of Protected S ha rea ble Ima g es • Addres s s pa ce −Owned by exec mode −Writa ble pag es s et to us er rea d / exec write • Ca nnot be overma pped • Mus t not ca ll other s ha rea ble ima g es Conclus ions 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 57 S pecific Techniques • Privileg es • Pa ra meter Va lida tion • Pa ra meter Acces s ibility • Proces s Deletion • Environment • As ynchronous Opera tion • Opera ting on Beha lf of the Us er • Crea ting Protected S ha rea ble Ima g es 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 58 Privileg es • Keep them off • Turn them on only when neces s a ry • Ma ke s ure privileg es a re off on all exit pa ths • If us er inputs ca n a ffect a n opera tion executed with privileg e, they mus t be ca refully va lida ted • NEVER pa s s us er pa ra meters directly to a n opera tion executed with privileg e • Remember the privileg es implicit in inner modes 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 59 Pa ra meter Va lida tion Nothing pa s s ed by a us er prog ra m to a privileg ed procedure s hould be trus ted • As s ume a rbitra ry va lues −Us ing a ddres s es as “handles ” is us ua lly a ba d idea • As s ume a rbitra ry combina tions of pa ra meters • Va lida te pa ra meter combina tions for cons is tency • Contents of us er a ddres s s pa ce ca n cha ng e. If you need to us e the va lue of a pa ra meter multiple times , ma ke a n interna l copy. 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 60 Pa ra meter Acces s ibility Inner mode s ervices mus t check pa g e protection of a ll pa ra meters to ens ure • Tha t the a rg ument is a cces s ible to the s ervice • Tha t the a rg ument wa s a cces s ible to the us er PROBER/PROBEW opera tions check a g a ins t previous mode in the PS . Note tha t in a n interrupt or AS T previous mode is your mode, not the us er's ! 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 61 Probing Arg uments • All a rg uments mus t be probed • Arg ument lis t (except res ident VMS s ervices ) −Alpha/IA64: memory res ident a rg uments only • Arg uments pa s s ed by des criptor −Probe the des criptor −Copy des criptor into local s tora g e −Probe the buffer −Us er the loca l copy from here on! 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 62 Proces s Deletion A proces s ca n be deleted a nytime it is executing below IPL 2 of kernel mode • Run a t IPL 2 to prevent deletion while holding unrecorded s ys tem-wide s ta te • S ubs ys tem s ta te in s ys tem s tora g e (i.e., nonpa g ed or pa g ed pool) mus t be clea ned up • Us e the rundown ha ndler fa cility to g ua ra ntee execution a t proces s rundown • Exit ha ndler execution is not g ua ra nteed! 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 63 Environment Inner mode s ubs ys tems do not have the entire VMS prog ra mming environment a t their dis pos a l • S ubroutine libra ries : OTS $, S YS $, EXE$, IOC$, etc., a re freely ca lla ble in inner mode • S ta teles s RTL routines ma y be ca lled −LIB$S IGNAL is OK −LIB$GET_VM, ma lloc(), etc. a re not (work pla nned pos t V8.3) −CRTL components in res ident exec a re OK • Do not ca ll s ha rea ble ima g es – link /NOS YS S HR −Link with S YS $BAS E_IMAGE.EXE to us e res ident exec OTS routines • RMS ma y be ca lled from exec mode but not kernel 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 64 Log ica l Na mes • Log ica l na mes a re a n implicit us er input to ma ny s ys tem s ervices • $OPEN/$CREATE, firs t a nd foremos t • Only exec a nd kernel mode log ica ls a re “trus ted” • Ima g e a ctiva tor us es trus ted log ica ls when a ctiva ting a privileg ed ima g e • All other opera tions mus t us e FAB$V_LNM_MODE 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 65 Memory Gua ra ntees • During inner mode execution the s ha pe a nd a cces s ibility of the a ddres s s pa ce do not cha ng e −Unles s you ca ll a s ervice tha t cha ng es the a ddres s s pace! • The contents of memory ca n cha ng e from cycle to cycle −Direct I/O −Modifica tion by other threa ds or proces s es • Do not re-fetch a rg uments ! • Cros s -cpu memory upda tes mus t be s ynchronized • Only s ys tem s pa ce ma y be referenced from interrupt context 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 66 As ynchronous Opera tion Kernel Threa ds • Allow true concurrent execution in a s ing le proces s • Inner mode execution is protected by the inner mode s ema phore −Thread-s a fe s ervice coexis ts with all s ervices −Thread-tolerant s ervice coexis ts with other tolera nt s ervices −Thread-intolera nt s ervice coexis ts only with threa d-s a fe s ervices • Almos t a ll s ervices a re currently threa d-intolera nt • Future opportunities for threa d-tolera nt s ervices 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 67 As ynchronous Opera tion An Inne r mode s ubs ys te m ma y wa it for a n e xte rna l e vent in the mode of the ca lle r: • Is s ue ope ra tion ca us ing the e ve nt with a comple tion AS T • Cle a n up a nd re turn to us e r • AS T re s umes exe cution (AS TPRM ma y pa s s context) - but • Your e nvironme nt ma y ha ve cha ng e d • All us e r inputs mus t be re va lida te d • Reme mbe r pre vious mode = curre nt mode 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 68 Opera ting on Beha lf of the Us er • In the s a me proces s : −Drop enha nced privileg es −Dis able s ubs ys tem identifiers −Bewa re of privileg es implicit in inner mode • In a s erver proces s : us e impers ona tion s ervices −$PERS ONA_CREATE −$PERS ONA_AS S UME −$PERS ONA_RES ERVE −$PERS ONA_DELEGATE 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 69 Threa ds a nd Pers ona s •A proces s threa d s ha res the pers ona of its pa rent • $S ETPRV a nd s imila r s ervices modify the current pers ona • Modifying a s ha red pers ona a ffects a ll threa ds ! • To modify the pers ona for jus t the current threa d −$PERS ONA_CLONE −$PERS ONA_AS S UME −$S ETPRV (or wha tever) • S ys tem ma na g es pers ona s for both kernel threa ds a nd pthrea ds 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 70 Pa rt 3 Conclus ions 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 71 How to Build a S ecure a nd Evolva ble S ys tem It beg ins a t the beg inning • S ta rt with a tea m of g rownups • Des ig n with ca re • Keep the tea m s ma ll −Initia l VMS a rchitecture came from 3 people −Entire VMS V1 tea m wa s 24 people • Keep the pres s ure up −The firs t known “fa ct” a bout VMS wa s the s chedule −Bewa re of creeping eleg ance 10/03/07 Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved. 72 How to Build a S ecure a nd Evolva ble S ys tem Modula rity ● Modula rity ● Modula rity ● 10/03/07 Modula rity in VMS • Dyna mica lly loa ded modules for a ll config ura tion dependent components • Hug e number of s ys tem models a nd devices s upported over the life of the s ys tem • Any VMS s ys tem dis k will boot on a ny config ura tion of a pa rticula r a rchitecture • New ha rdwa re is s upported with minima l effect on the res t of the s ys tem 10/03/07 Modula rity - Cons truction VMS kernel is org a nized a round g loba lly a cces s ible da ta s tructures ● Centra lized definition ● S ynchroniza tion rules ● Conventions for s ha red vs priva te da ta ● Object-oriented is better but more expens ive ● 10/03/07 Modula rity - Cons truction ● ● 10/03/07 VMS us es pa rtia l object des ig n ● S elf-identifying da ta s tructures ● Complex interpreta tion & ma nipula tion a re enca ps ula ted ● Direct a cces s for s imple reference ● Pa rtia l la yering of s ubs ys tems Modula rity cos ts ● Lig htweig ht s ubroutine ca lls ● Mode tra ns itions (s ervice ca lls ) a re more expens ive ● Context s witch to s erver proces s is mos t expens ive Modula rity - Interfa ces Well-defined interfa ces a re the core of a n extens ible a nd relia ble s ys tem ● S pecify beha vior fully ● S pecify wha t is uns pecified ● Reject inva lid inputs ● How to detect dependence on uns pecified beha vior? 10/03/07 Interfa ce Compa tibility • Do not cha ng e documented beha vior −New beha vior ma y res ult from new inputs • Des ig n interfa ces to be extens ible −Va ria ble leng th a rg ument lis ts −Item lis ts (TLV encoding ) −Option fla g s • If a ll els e fa ils , crea te a new interfa ce for new beha vior 10/03/07 Modula rity - Interfa ces Do not permit us e of uns pecified interfa ces ● To be s ucces s ful, s pecified interfa ces mus t be functiona lly complete ● VMS ’s nemes is is $CMKRNL Given the opportunity, us ers will brea k the rules 10/03/07 S ecurity is Built In • S ecurity is mos tly a bout correctnes s a nd relia bility • Us e a modula r a pproa ch to minimize the impa ct of errors −Firewa ll functions a nd s ubs ys tems to confine fa ilures −Apply principle of lea s t privileg e to ma ke firewa lls effective 10/03/07 Ma inta in Competence Ca us es of “s oftwa re rot” ● La ck of des ig n unders ta nding ● Quick a nd dirty cha ng es ● Cha ng es tha t compromis e the orig ina l des ig n ● Functiona l extens ion without extending the orig ina l des ig n ● Duplica tion of function ● Runa wa y complexity 10/03/07 Ma inta in Competence • Write des ig n s pecifica tions ! • Reta in eng ineering expertis e (written des ig ns a re never g ood enoug h) −Ma jor evolutions in VMS required wides prea d cha ng es reg a rdles s of modularity • ”Why” is even more importa nt tha n “how” • Clea n hous e occa s iona lly −Ma ny VMS components ha ve been rewritten over time • Org a niza tiona l 10/03/07 commitment to qua lity is critica l The End a nd Tha nk You