30 Years of Reliable and Secure Computing

Transcrição

Ope nVMS – 30 Ye a rs
of Re lia ble a nd
S e cure Computing
Andy Golds te in
Ope nVMS Eng inee ring
© 2007 Hewlett-Pa cka rd De velopment Compa ny, L.P.
The informa tion conta ined herein is s ubject to cha ng e without notice
30 Yea rs of Evolution
VMS in 1977
●
Dig ita l’s 32 bit s upermini
●
Te rmina ls & time s ha ring
●
Fortra n: e ng ineering , s imula tion
●
1.5M line s of code in ba s e s ys tem
10/03/07
30 Yea rs of Evolution
VMS Now
●
$3K w orks ta tions to $25M multi-s ite clus ters
●
VAX, Alpha a nd, Ita nium cpu
●
Fa ctory floor, inte rba nk EFT, bus ines s tra ns a ctions , tra ffic control,
da ta ba s e , inte rnet s erver
●
> 25M line s of code
●
More re lia ble tha n e ver
●
Mos t V1 a pps s till w ork
10/03/07
Ma jor Evolutions in VMS
●
DECw indow s
●
Clus te rs
●
S ymmetric Multiproces s ing
●
Alpha Port
●
Memory Ma na g eme nt Redes ig n
●
Ita nium Port
10/03/07
Overview of VMS Org a niza tion
●
Proces s : a ddres s s pa ce + threa d(s ) of execution
●
Dema nd pa g e d, virtua l memory
●
Pa rtitioned a ddres s s pa ce:
10/03/07
●
P0: a pplica tion code & da ta
●
P1: s ta cks a nd proces s -s pecific OS context
●
P2: 64 bit extende d proces s s pa ce
●
S 0: OS code & g loba l da ta
●
S 2: 64 bit extended s ys tem s pa ce
●
10/03/07
Proces s a cce s s modes
●
Us er
●
S upervis or - DCL
●
Exec - hig he r OS la yers
●
Kernel
●
S ta ck per a cce s s mode
●
●
Interrupt (fork) context
●
Kernel mode, ha rdw a re IPL
●
S ys te m s pa ce only
●
Limite d s ta ck
●
“Lig htw eig ht thre a d” model
AS T: a s ynchronous procedure ca ll
●
10/03/07
Proces s e quiva lent of interrupt context
I/O S ubs ys tem
●
$QIO s ervice in proces s context
●
Loa da ble device drivers
●
Drive r pre-proce s s ing in us er context
●
Drive r fork le vel
●
I/O inte rrupt
●
Proces s conte xt completion AS T
●
ACP - a ncilla ry control proces s
10/03/07
driver fork
DECwindows
VMS becomes a w orks ta tion
●
Gra phics device drivers
●
Port of X-11 a nd OS F Motif
●
S es s ion ma na g e r menu items :
●
●
10/03/07
DCL s hell s cript
Exis ting cha ra cter cell a pps :
●
Pa rtition into cha ra cter cell UI a nd ca lla ble a pplica tion log ic
●
Add ne w w indow s UI
Clus ters
VMS Becomes a Dis tributed Opera ting S ys tem
VMS
Node
S torag e
Ctrl
10/03/07
VMS
Node
VMS
Node
S torag e
Ctrl
Clus ters : The Lock Ma na g er
●
Abs tra ct na med re s ources
●
Lock modes to re pres ent typica l da ta a cces s :
10/03/07
●
EX
●
PW
●
PR
●
CW
●
CR
●
NL
RMS a nd the Lock Ma na g er
RMS Fea ture s
●
Record-orie nted I/O pa cka g e
●
S eque ntia l, direct, indexed
●
Cohere nt s ha red w rite a cces s w ith record locking
●
Proces s loca l buffers w ith coherent ca che ma na g ement
Priva te locking implementa tion repla ced w ith clus ter lock ma na g er
10/03/07
Before Clus ters : File ACP
S erver proce s s inte rcepts complex file opera tions
●
Open file context in s ys tem pool
●
File me ta da ta ca che in proces s context
●
S ing le threa d ope ra tion provided implicit s ynchroniza tion
10/03/07
Clus ters : the File XQP
●
●
10/03/07
Clus te r implementa tion choices
●
S ing le s erver w ith fa ilover
●
Multiple coordina ted ACPs
S erve r proces s converted to run in client proces s context
●
Ca che move d to s ys tem pool
●
S imple thre a ding pa cka g e la yered on AS T mecha nis m
●
Explicit s ynchroniza tion w ith lock ma na g er
Orig ina l kernel s ynchroniza tion des ig ned for uniproces s or:
●
●
●
●
●
●
●
●
10/03/07
IPL 24-31: clock, cpu errors
IPL 16-23: I/O interrupts
IPL 8-11: device driver threa ds
IPL 8: s cheduling , memory ma na g ement, kernel-level
mes s a g es , etc.
IPL 4: I/O completion proces s ing
IPL 3: proces s res cheduling
IPL 2: AS T delivery
IPL 0: proces s execution
Implicit IPL s ynchroniza tion repla ced w ith explicit s pinlocks
●
Ea ch IPL becomes a s pinlock
●
IPL 8 broken into functiona l a rea s
●
10/03/07
●
Memory Ma na g ement
●
S che duling
●
Clus te r communica tions
●
File s ys tem
●
etc.
Continuing to refine locking
S MP Convers ion
Brute force e ffort
●
Entire kernel ins pected for s ynchroniza tion
●
Aided by exis ting ma cros (DS BINT, ENBINT, S ETIPL)
●
Counte rs converte d to interlocked ins tructions
●
S pinlock ra nk de s ig n detects des ig n dea dlocks
●
Debug a nd production locking ma cros
10/03/07
Port to Alpha
VMS a nd VAX w ere ma de for ea ch other
●
Privileg e d a rchite cture (memory ma na g ement, a cces s modes , IPLs ,
etc.)
●
Va ria ble leng th CIS C ins tructions , 32 bit a rchitecture
●
Mos t of VMS kerne l in ma cro
10/03/07
Port to Alpha
Alpha is
●
64 bit a rchite cture
●
Fixed leng th RIS C ins truction
But…
●
VAX-like privileg e d a rchitecture
●
Compa tible da ta types
10/03/07
Port to Alpha
Rew rite :
●
CPU s upport
●
Boot code
●
S ome drivers
●
Low leve l memory ma na g ement
●
Exception ha ndling
●
Ma th RTL
10/03/07
Port to Alpha
Compile eve rything e ls e:
●
Blis s & C
●
Ma cro!
●
●
32 bit vs 64 bit
●
Compila ble ma cro
●
Atomicity is s ues
Exe cuta ble ima g es !!
Res ult:
“It’s rea lly VMS . It eve n ha s the s a me bug s .”
- e a rly Alpha us er
10/03/07
64 Bit Virtua l Memory
• Orig ina l
pa g e ta ble des ig n
Pa g e
S 0 S pa ce
Da ta Pa g e
Pa g e
OFF
Da ta
10/03/07
OFF
• Extended
virtua l a ddres s ing
L1
L2
L3
OFF
L1PT
L2PT
L1
L2
L3PT
Da ta Pa g e
L3
OFF
Da ta
10/03/07
• Pa g e
ta ble reference
K
L1
L2
L3
L1PT
L2PT
K
L
1
L2
L3PT
L3
10/03/07
Port to Ita nium
• Another
64-bit a rchitecture, but...
• Different reg is ter conventions
• Intel ca lling s ta nda rd
• Different privileg ed a rchitecture
−No PALcode
−Different cons ole / boot procedure
−Different interrupt a rchitecture
−Different s ynchroniza tion primitives
10/03/07
Port to Ita nium
• Fortuna tely...
•4
a cces s modes
• Compa tible memory protection fea tures
• Memory a tomicity no wors e tha n Alpha
10/03/07
Port to Ita nium
• Rewrite
−CPU s upport
−Boot code
• New
−Interrupt & exception delivery in s oftware
−Emulation of interlocked ins tructions (queues , etc.)
−EFI pa rtition on s ys tem dis k
• Redes ig n
−Ca lling s ta nda rd a nd condition handling
−Object a nd executa ble file forma t
10/03/07
Port to Ita nium
• Recompile
• 95%
of ba s e OS code recompiled without cha ng e
• Bina ry tra ns la tor a ls o a va ila ble
10/03/07
Pa rt 2
Building a S ecure Opera ting S ys tem –
the VMS Approa ch
10/03/07
Wha t is S ecurity?
Us ers ' da ta ha ndled a ccording to a s ecurity policy
• Policy mus t meet us ers ' needs
• Policy mus t a lwa ys be correctly ha ndled
s o...
• Conceptua lly, s ecurity is very s imple
• In pra ctice, s ecurity is fra cta l (Butler La mps on)
10/03/07
Genera l Concepts
• Reference
monitor
−Textbook model
−Two exa mples
• S ys tem
la yering – the textbook a nd rea lity
−Textbook model
−The rea lity of VMS
• Typica l
10/03/07
privileg ed s ubs ys tem
Copyrig ht © 2007 HP corpora te pres enta tion. All rig hts res erved.
31
Reference Monitor
The textbook model
Us er
Reference
Monitor
Authoriza tion
Da ta ba s e
10/03/07
Da ta
Audit
Tra il
32
Reference Monitor
• All
object a cces s es a re controlled by the reference
monitor
• The a uthoriza tion da ta ba s e determines the a cces s
control policy
• Object a cces s es ma y be recorded in the a udit log
• The reference monitor, a uthoriza tion da ta ba s e,
a nd a udit log a re ta mperproof
therefore...
• The reference monitor implementa tion mus t be
correct
10/03/07
33
Reference Monitor
Two Exa mples
• An a cces s to a file
−The file repres ents the data object
−The rig hts da ta ba s e a nd the file's ACL conta in the
a uthoriza tion informa tion
−The a cces s ma y be a udited
• The
$S ETS WM s ervice
−A s ing le bit of proces s s ta te repres ents the da ta object
−The a uthoriza tion da ta ba s e is the PS WAPM privileg e
−Audit ca pability exis ts
10/03/07
34
S ys tem La yering
The Textbook Model
Kernel
(trus ted)
Us er Mode
(untrus ted)
10/03/07
35
S ys tem La yering
Development Tools
Command Language Interpreter
Privileged Images
•Images installed with privilege
•Protected shareable images
•Protected subsystems
•Privileged server processes
•Informational utilities
•Text editors
•Macro
•Compilers
•Linker
RMS and System Services
$OPEN
$GET
System Services
$IMGACT
$PUT
$CRETVA
$ASSIGN
$ADJWSL
$CRMPSC
Memory
Management
•Pagefault
•Swapper
I/O
Subsystem
System-wide
Protected
Data Structures
$CLOSE
$QIO
$CANCEL
•Device
Drivers
•I/O Support
Routines
Run Time Library
(General)
•Math library
•String handling
•Screen management
•Misc LIB functions
•Page Tables
•I/O Database
•Scheduler Data
Process and Time Management
Run Time Library
(Language-specific)
•CRTL
•FORTRAN
•PASCAL
•BASIC
10/03/07
•Scheduler
•Process Control
$WAKE
$CREPRC
$SETIMR
Assorted Utilities
•COPY
•HELP
•DIRECTORY
•SORT
36
Typica l Privileg ed S ubs ys tem
Us er
Privileg ed
S ubs ys tem
Priva te
Da ta
Us er
Da ta
10/03/07
VMS
S ervices
37
Principles
• Who
is performing the opera tion?
−A privileg ed s ubs ys tem performs s ome opera tions on its
own behalf, with its rig hts a nd privileg es
−It performs other opera tions on behalf of the us er. The
s ubs ys tem mus t ta ke ca re not to ta ke a ny a ctions the us er
could not ha ve done by thems elves .
10/03/07
38
Principles
• Keep
tra ck of the environment
−How ca n the us er affect your environment?
(Log ica l na mes a re a clas s ic exa mple.)
−How have you a ltered the environment?
Any a ltera tions mus t be undone before the us er ca n
reg a in control in a ny way.
10/03/07
39
Principles
• Whos e
da ta is this a nywa y?
−Priva te da ta mus t be protected from modification a nd/or
reading by the us er.
−Us er data mus t be acces s ed with the a cces s rig hts of the
us er.
−Da ta under the us er's control mus t be viewed a s
untrus tworthy. Its contents and acces s ibility ma y cha ng e
over time a nd mus t be fully va lida ted on every reference.
10/03/07
40
Confidentia lity a nd Integ rity
• Untrus ted
code mus t not be a llowed to s ee da ta
tha t is cons idered priva te
−Da ta belong ing to other us ers
−Da ta whos e s ecrecy is critica l to enforcing s ecurity policy
(e.g ., pa s s words )
• However...
there is no need to hide da ta tha t is not
confidentia l
−Entire VMS kernel code is us er rea dable
−Mos t P1 context is us er reada ble
10/03/07
41
Confidentia lity a nd Integ rity
• Untrus ted
code mus t not be a llowed to modify da ta
belong ing to other us ers
• Untrus ted code mus t not be a llowed to modify da ta
critica l to the opera tion of the opera ting s ys tem
• However... there is no need to protect da ta tha t
only a ffects the us er.
−AS T a ctive/ena ble, FP reg is ter us e fla g s
10/03/07
42
Acces s Modes
• Hiera rchy
of a cces s modes : us er, s upervis or,
exec, kernel
• Inwa rd tra ns itions :
−S ys tem s ervice calls
−Exceptions
−Interrupts
−AS Ts
• Outwa re
tra ns itions :
−REI
10/03/07
43
Us er Mode
Us er mode is the one mode a cces s ible to unprivileg ed us er
s oftwa re. Therefore, a nything coming from us er mode mus t be
reg a rded with extreme s us picion.
•
Log ica l na mes (including s upervis or mode log ica ls )
•
Addres s s pace. When us er mode ca n execute, the
pres ence, ma pping , a nd protection of us er-owned a ddres s
s pa ce ca n cha ng e. The contents of us er-owned a ddres s
s pa ce ca n cha ng e at any time.
•
AS Ts . Us er mode execution may be initia ted by timers , I/O
completion, etc., a nytime no inner mode execution is in
prog res s .
With a few exceptions , all us er mode s ta te is elimina ted by
ima g e rundown.
10/03/07
44
S upervis or Mode
• Belong s
to the comma nd la ng ua g e interpretor,
which is not a ccus tomed to coexis ting with other
s ubs ys tems
• Is privileg ed beca us e it ha s control over the
integ rity a nd execution of privileg ed ima g es .
10/03/07
45
Exec Mode
• Outer
la yer of the “s ys tem kernel”
• Us ed for RMS , ima g e a ctiva tor, s ecurity s ervices ,
etc.
• Rea d-only a cces s to a ll s ys tem interna l da ta
s tructures
• S evera l implicit privileg es
−S YS LCK
−Exec mode log ica l names
−CMKRNL
−S ETPRV
10/03/07
46
Kernel Mode
• Acces s
to a ll s ys tem interna l da ta s tructures , I/O
s pa ce, privileg ed ins tructions , etc.
• Execution a t eleva ted IPL
• Acces s to interna l s ynchroniza tion
10/03/07
47
Why Ha ve Four Modes ?
S upervis or a nd exec modes a re trus ted but
firewa lled
• S upervis or
−Protects in-proces s CLI from ima g e
−Only trus ted to not a ctively interfere with privileg ed
ima g es
• Exec
−Rea d a cces s to a ll kernel data
−Va rious implied privileg es
−But ca nnot directly cras h the s ys tem
10/03/07
48
Privileg es
• 64
bits of proces s s ta te a llowing a cces s to s ecurity
s ens itive opera tions
• 4 privileg e ma s ks per proces s
−Proces s authorized: ma ximum privileg es permitted for the
life of the proces s
−Proces s current: proces s privileg es as reduced by the
us er or a pplica tion code
−Ima g e enha nced: additiona l privileg es ma de ava ila ble to
the currently executing ima g e by INS TALL
−Ima g e current: ava ila ble privileg es as reduced by the
a pplica tion
10/03/07
49
Privileg es
• Why
s o ma ny privileg es ?
• Ma ny privileg es a llow complete control of the
s ys tem
• S epa ra te privileg es protect a g a ins t a ccidents
• Alwa ys a pply “principle of lea s t privileg e”
10/03/07
50
Privileg ed S ubs ys tems
Privileg ed Proces s es
•
Own proces s context
•
Own a ddres s s pa ce
•
Typica lly ma ny or a ll privileg es s et
•
Typica lly well ins ula ted from us er atta ck
- but -
•
Mus t va lida te a ll us er inputs
•
Operations “on behalf of the us er” a re problema tica l
−Us e impers ona tion s ervices
•
Exa mples : job controller, s ymbionts , s ecurity s erver
10/03/07
51
Ima g es Ins ta lled With Privileg e
• “Ma in prog ra ms ” only
• Opera te in us er's proces s context
• Privileg es ena bled by ima g e a ctiva tor
• Privileg es extend to a ll code ca lled by ima g e
• Exa mples : S ET & S HOW
10/03/07
52
P rote ction of Privileg e d Ima g e s
• Privile g e s
re moved on ima g e rundown
• DCL EXAMINE,
DEPOS IT, DEBUG, e tc., dis a ble d;
S PAWN drops privile g e s
• S ha rea ble
ima g e s mus t be ins ta lled a nd a re a ctiva te d
with e xe c mode log ica ls only
• Debug
a nd tra ce ba ck hooks a re dis a llowed
- but -
• Us er
mode log ica ls a pply to file ope ra tions unle s s
dis a ble d with RMS 's FAB$V_LNM_MODE
10/03/07
53
Protected S ubs ys tems (executa ble ima g es with a
S ubs ys tem ACE)
• Ana log ous to ima g es ins ta lled with privileg es
• Rig hts lis t a ug mented by identifiers from
s ubs ys tem ACE
• Identifiers ma y be ena bled/dis a bled with
$S UBS YS TEM s ervice ca ll
• Ca pa bilities (a nd ris k) determined by a cces s
conferred by s ubs ys tem identifiers
• Genera lly s a fer tha n privileg ed ima g es
10/03/07
54
S ys tem S pa ce S ys tem S ervice Code
• Executes in proces s context
• Protected by inner mode
• Ha ve rig hts a nd privileg es of the inner mode
• Ca lla ble from us er mode via s ys tem s ervice entry
• Exa mples : mos t VMS s ys tem s ervices
10/03/07
55
Proces s S pa ce S ys tem S ervice Code
• Known a s
−Us er-written s ys tem s ervices
−Protected s ha rea ble imag es
−Privileg ed s harea ble ima g es
• Loa ded
by ima g e a ctiva tor during ima g e a ctiva tion
• S ha re a ll other cha ra cteris tics of s ys tem s ervice
code
• Exa mples : $MOUNT, $GETUAI, etc.
10/03/07
56
• Protection
of Protected S ha rea ble Ima g es
• Addres s s pa ce
−Owned by exec mode
−Writa ble pag es s et to us er rea d / exec write
• Ca nnot
be overma pped
• Mus t not ca ll other s ha rea ble ima g es
Conclus ions
10/03/07
57
S pecific Techniques
• Privileg es
• Pa ra meter
Va lida tion
• Pa ra meter Acces s ibility
• Proces s Deletion
• Environment
• As ynchronous Opera tion
• Opera ting on Beha lf of the Us er
• Crea ting Protected S ha rea ble Ima g es
10/03/07
58
Privileg es
• Keep
them off
• Turn them on only when neces s a ry
• Ma ke s ure privileg es a re off on all exit pa ths
• If us er inputs ca n a ffect a n opera tion executed with
privileg e, they mus t be ca refully va lida ted
• NEVER pa s s us er pa ra meters directly to a n
opera tion executed with privileg e
• Remember the privileg es implicit in inner modes
10/03/07
59
Pa ra meter Va lida tion
Nothing pa s s ed by a us er prog ra m to a privileg ed
procedure s hould be trus ted
• As s ume a rbitra ry va lues
−Us ing a ddres s es as “handles ” is us ua lly a ba d idea
• As s ume
a rbitra ry combina tions of pa ra meters
• Va lida te pa ra meter combina tions for cons is tency
• Contents of us er a ddres s s pa ce ca n cha ng e. If you
need to us e the va lue of a pa ra meter multiple
times , ma ke a n interna l copy.
10/03/07
60
Pa ra meter Acces s ibility
Inner mode s ervices mus t check pa g e protection of
a ll pa ra meters to ens ure
• Tha t the a rg ument is a cces s ible to the s ervice
• Tha t the a rg ument wa s a cces s ible to the us er
PROBER/PROBEW opera tions check a g a ins t
previous mode in the PS . Note tha t in a n interrupt or
AS T previous mode is your mode, not the us er's !
10/03/07
61
Probing Arg uments
• All
a rg uments mus t be probed
• Arg ument lis t (except res ident VMS s ervices )
−Alpha/IA64: memory res ident a rg uments only
• Arg uments
pa s s ed by des criptor
−Probe the des criptor
−Copy des criptor into local s tora g e
−Probe the buffer
−Us er the loca l copy from here on!
10/03/07
62
Proces s Deletion
A proces s ca n be deleted a nytime it is executing
below IPL 2 of kernel mode
• Run a t IPL 2 to prevent deletion while holding
unrecorded s ys tem-wide s ta te
• S ubs ys tem s ta te in s ys tem s tora g e (i.e., nonpa g ed
or pa g ed pool) mus t be clea ned up
• Us e the rundown ha ndler fa cility to g ua ra ntee
execution a t proces s rundown
• Exit ha ndler execution is not g ua ra nteed!
10/03/07
63
Environment
Inner mode s ubs ys tems do not have the entire VMS
prog ra mming environment a t their dis pos a l
•
S ubroutine libra ries : OTS $, S YS $, EXE$, IOC$, etc., a re freely
ca lla ble in inner mode
•
S ta teles s RTL routines ma y be ca lled
−LIB$S IGNAL is OK
−LIB$GET_VM, ma lloc(), etc. a re not (work pla nned pos t V8.3)
−CRTL components in res ident exec a re OK
•
Do not ca ll s ha rea ble ima g es – link /NOS YS S HR
−Link with S YS $BAS E_IMAGE.EXE to us e res ident exec OTS
routines
•
RMS ma y be ca lled from exec mode but not kernel
10/03/07
64
Log ica l Na mes
• Log ica l
na mes a re a n implicit us er input to ma ny
s ys tem s ervices
• $OPEN/$CREATE, firs t a nd foremos t
• Only exec a nd kernel mode log ica ls a re “trus ted”
• Ima g e a ctiva tor us es trus ted log ica ls when
a ctiva ting a privileg ed ima g e
• All other opera tions mus t us e FAB$V_LNM_MODE
10/03/07
65
Memory Gua ra ntees
• During
inner mode execution the s ha pe a nd
a cces s ibility of the a ddres s s pa ce do not cha ng e
−Unles s you ca ll a s ervice tha t cha ng es the a ddres s s pace!
• The
contents of memory ca n cha ng e from cycle to
cycle
−Direct I/O
−Modifica tion by other threa ds or proces s es
• Do
not re-fetch a rg uments !
• Cros s -cpu memory upda tes mus t be s ynchronized
• Only s ys tem s pa ce ma y be referenced from
interrupt context
10/03/07
66
As ynchronous Opera tion
Kernel Threa ds
• Allow true concurrent execution in a s ing le proces s
• Inner mode execution is protected by the inner
mode s ema phore
−Thread-s a fe s ervice coexis ts with all s ervices
−Thread-tolerant s ervice coexis ts with other tolera nt
s ervices
−Thread-intolera nt s ervice coexis ts only with threa d-s a fe
s ervices
• Almos t
a ll s ervices a re currently threa d-intolera nt
• Future opportunities for threa d-tolera nt s ervices
10/03/07
67
As ynchronous Opera tion
An Inne r mode s ubs ys te m ma y wa it for a n e xte rna l e vent
in the mode of the ca lle r:
• Is s ue ope ra tion ca us ing the e ve nt with a comple tion
AS T
• Cle a n up a nd re turn to us e r
• AS T re s umes exe cution (AS TPRM ma y pa s s context)
- but • Your e nvironme nt ma y ha ve cha ng e d
• All us e r inputs mus t be re va lida te d
• Reme mbe r pre vious mode = curre nt mode
10/03/07
68
Opera ting on Beha lf of the Us er
• In
the s a me proces s :
−Drop enha nced privileg es
−Dis able s ubs ys tem identifiers
−Bewa re of privileg es implicit in inner mode
• In
a s erver proces s : us e impers ona tion s ervices
−$PERS ONA_CREATE
−$PERS ONA_AS S UME
−$PERS ONA_RES ERVE
−$PERS ONA_DELEGATE
10/03/07
69
Threa ds a nd Pers ona s
•A
proces s threa d s ha res the pers ona of its pa rent
• $S ETPRV a nd s imila r s ervices modify the current
pers ona
• Modifying a s ha red pers ona a ffects a ll threa ds !
• To modify the pers ona for jus t the current threa d
−$PERS ONA_CLONE
−$PERS ONA_AS S UME
−$S ETPRV (or wha tever)
• S ys tem
ma na g es pers ona s for both kernel threa ds
a nd pthrea ds
10/03/07
70
Pa rt 3
Conclus ions
10/03/07
71
How to Build a S ecure a nd
Evolva ble S ys tem
It beg ins a t the beg inning
• S ta rt with a tea m of g rownups
• Des ig n with ca re
• Keep the tea m s ma ll
−Initia l VMS a rchitecture came from 3 people
−Entire VMS V1 tea m wa s 24 people
• Keep
the pres s ure up
−The firs t known “fa ct” a bout VMS wa s the s chedule
−Bewa re of creeping eleg ance
10/03/07
72
How to Build a S ecure a nd
Evolva ble S ys tem
Modula rity
● Modula rity
● Modula rity
●
10/03/07
Modula rity in VMS
• Dyna mica lly
loa ded modules for a ll config ura tion
dependent components
• Hug e number of s ys tem models a nd devices
s upported over the life of the s ys tem
• Any VMS s ys tem dis k will boot on a ny
config ura tion of a pa rticula r a rchitecture
• New ha rdwa re is s upported with minima l effect on
the res t of the s ys tem
10/03/07
Modula rity - Cons truction
VMS kernel is org a nized a round g loba lly
a cces s ible da ta s tructures
● Centra lized definition
● S ynchroniza tion rules
● Conventions for s ha red vs priva te da ta
● Object-oriented is better but more expens ive
●
10/03/07
Modula rity - Cons truction
●
●
10/03/07
VMS us es pa rtia l object des ig n
● S elf-identifying da ta s tructures
● Complex interpreta tion & ma nipula tion a re enca ps ula ted
● Direct a cces s for s imple reference
● Pa rtia l la yering of s ubs ys tems
Modula rity cos ts
● Lig htweig ht s ubroutine ca lls
● Mode tra ns itions (s ervice ca lls ) a re more expens ive
● Context s witch to s erver proces s is mos t expens ive
Modula rity - Interfa ces
Well-defined interfa ces a re the core of a n
extens ible a nd relia ble s ys tem
● S pecify beha vior fully
● S pecify wha t is uns pecified
● Reject inva lid inputs
● How to detect dependence on uns pecified
beha vior?
10/03/07
Interfa ce Compa tibility
• Do
not cha ng e documented beha vior
−New beha vior ma y res ult from new inputs
• Des ig n
interfa ces to be extens ible
−Va ria ble leng th a rg ument lis ts
−Item lis ts (TLV encoding )
−Option fla g s
• If
a ll els e fa ils , crea te a new interfa ce for new
beha vior
10/03/07
Modula rity - Interfa ces
Do not permit us e of uns pecified interfa ces
● To be s ucces s ful, s pecified interfa ces mus t
be functiona lly complete
● VMS ’s nemes is is $CMKRNL
Given the opportunity, us ers will brea k the rules
10/03/07
S ecurity is Built In
• S ecurity
is mos tly a bout correctnes s a nd relia bility
• Us e a modula r a pproa ch to minimize the impa ct of
errors
−Firewa ll functions a nd s ubs ys tems to confine fa ilures
−Apply principle of lea s t privileg e to ma ke firewa lls effective
10/03/07
Ma inta in Competence
Ca us es of “s oftwa re rot”
● La ck of des ig n unders ta nding
● Quick a nd dirty cha ng es
● Cha ng es tha t compromis e the orig ina l des ig n
● Functiona l extens ion without extending the
orig ina l des ig n
● Duplica tion of function
● Runa wa y complexity
10/03/07
Ma inta in Competence
• Write
des ig n s pecifica tions !
• Reta in eng ineering expertis e (written des ig ns a re
never g ood enoug h)
−Ma jor evolutions in VMS required wides prea d cha ng es
reg a rdles s of modularity
• ”Why” is
even more importa nt tha n “how”
• Clea n hous e occa s iona lly
−Ma ny VMS components ha ve been rewritten over time
• Org a niza tiona l
10/03/07
commitment to qua lity is critica l
The End
a nd
Tha nk You

30 Years of Reliable and Secure Computing

Transcrição

Documentos relacionados

feminil argentina - Universports.info

RESUMO SOUSA, Carlos Carny de Oliveira Perote de

Tem@ ferari windows xp

FBFlyer $$$ Shoot - Fallon Bowmens Club

FORM FOR A GENERAL MEDICAL APPOINTMENT

Boat: Moody 44 Laurent Giles

Nome da Criana

ver pdf

TENSARGEOPIER FOUNDATIONS

Newsletter - St. Nicholas School