Singularity Overview.ppt


Singularity Overview
Galen Hunt and James Larus, Microsoft Research
July 17, 2006, MSR Faculty Summit

Large, Diverse Research Team
Led by Galen Hunt and Jim Larus
- MSR Cambridge: Paul Barham, Richard Black, Tim Harris, Rebecca Isaacs, Dushyanth Narayanan
- MSR Redmond
  - Advanced Compiler Technology Group: Juan Chen, Qunyan Mangus, Mark Plesko, Bjarne Steensgaard, David Tarditi
  - Foundations of Software Engineering Group: Wolfgang Grieskamp
  - Operating Systems Group: Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen Hunt, Steven Levi
  - Security and Distributed Systems: Dan Simon, Brian Zill
  - Software Design and Implementation Group: John DeTreville, Ben Zorn
  - Software Improvement Group: Manuel Fahndrich, James Larus, Sriram Rajamani, Jakob Rehof
- MSR Silicon Valley: Martin Abadi, Andrew Birrell, Ulfar Erlingsson, Roy Levin, Nick Murphy, Ted Wobber

"Modern" OS And Applications
Design parameters:
- scarce resources
- benign environment
- knowledgeable and trained users

World Changed
- Hardware and software industries were wildly successful: machines are fast, memory is cheap, computers are ubiquitous
- Malicious environment: ubiquitous worms, viruses, scams, attacks, ...
- Few users understand computers or software

Singularity
- Goal: technology and techniques to build more dependable systems
- Dependable: predictable behavior and easily understood usage model
  - consumer satisfaction: new car vs. new PC
  - car has .99 to .999 availability (9-90 hours down time/yr)
- Research on new OS, languages, and tools
  - attack problem from multiple directions
  - working research prototype (not Windows replacement)
- No magic bullet: mutually reinforcing improvements to languages and compilers, systems, and tools

Key Approaches
- Pervasive use of safe (& analyzable) programming languages
  - type safety and memory safety
  - including device drivers, OS components, applications
- Improve system resilience despite software errors
  - failure boundaries between components
  - improve extension model
  - explicit error notification
- Increased verification
  - specification at multiple levels of abstraction
  - closed environments with explicit cross-domain interfaces
  - design for verifiability

Singularity OS
(diagram: kernel with kernel class library, kernel ABI and HAL; processes such as web server, TCP/IP stack, content extension and network driver, each with its own runtime, connected by channels)
- Closed kernel
  - 95% written in C#
  - 17% of files contain unsafe C#
  - 5% of files contain x86 or C++
  - OS services & drivers in processes
  - kernel closed at boot time
- Software isolated processes (SIPs)
  - all user code is verified safe
  - some unsafe code in trusted runtime
  - processes closed at start time
- Safe and efficient communication via strong interfaces
  - channels between processes
  - channel behavior is specified & checked
  - checked behavior enables efficient communication
- Type safety is crux of verification and protection

Challenge 1: Pervasive Safe Languages
- Singularity is written in extended C#
  - actually Spec# (C# + pre/post-conditions and invariants)
  - Added features for systems programming: increase programmer control over allocation, initialization, and memory layout
- Language design to support programming and verification
  - message passing
  - factoring libraries into composable pieces
  - compile-time reflection

What About The Runtime?
- JVM & CLR's design not always appropriate
  - rich runtime ("one size fits all")
  - monolithic, general-purpose environment
  - large memory footprints (4 MB process for CLR)
  - many dependencies (CLR PAL requires 300 Win32 APIs)
  - JIT compilation increases runtime size and complexity
  - unpredictable performance
  - replicate OS functionality: security, threading, configuration, etc.
- more is less

Singularity Runtime
(diagram: a Singularity process containing libraries and the Singularity runtime (GC, etc.), with whole program optimization applied across both)

Small, Customizable Runtime
- Small execution environment
  - ahead-of-time, global optimizing compiler (MSR Bartok) specializes runtime and libraries
  - eliminate code for unused/disabled language features and unused application/library code
  - factorable runtime and libraries
- Runtime, garbage collector, and libraries selectable on per-process basis
  - reduce memory and computation overhead
  - enforce design discipline and system policies per process
- Eliminate OS functionality from runtime: security, resource allocation, etc.
- Provide OS mechanism for enforcing system policy: runtime can constrain behavior (e.g. driver environment)

Runtime Overhead
- C# process w/ GC has similar memory footprint to C++
- minimal process (no GC or exceptions) is 16K

Challenge 2: Run-Time Resilience
- Software errors should not cause system failure
- Resilient system architecture
  - isolate system components to prevent data corruption
  - provide clear failure notification
  - implement policy for restarting failed component

Process Architectures
(diagram: OS kernel, app, OS)

Open Process Architecture
- Open processes
  - dynamic code loading and runtime code generation: DLLs, Java class loading, browser plug-ins, device drivers in kernel, etc.
  - cross-process memory sharing
  - system API allows one process to alter state of another
- Near ubiquitous (Windows, Unix, etc.); originated in Multics
- Shared state reduces dependability
  - 85% of Windows crashes are caused by third party code in kernel
  - interfaces between extension and host are often poorly documented and understood
  - no isolation boundary between code and extension
  - extension can access non-public interfaces (reflection)

Single Process Architecture
- All code and data in single address space
  - rely on language and memory safety to isolate components
  - dynamic code loading and runtime code generation
  - easy data sharing
- Xerox PARC (Cedar, Smalltalk, etc.) and Lisp Machine model; Java and .NET model as well
- Runtime is single point of failure
  - shared runtime must also meet all applications' requirements
  - rely on garbage collection to reclaim resources: finalizers
- Difficult to constrain interactions

Isolates And AppDomains Are Still Interdependent
(diagram: several apps sharing one runtime)

Singularity Sealed Processes
(diagram: OS kernel with separate sealed processes above it)
- Singularity processes are sealed
  - no dynamic code loading or run-time code generation
  - all code present when process starts execution
  - extensions execute in separate processes
  - separate closed environments with well-defined interfaces
  - no shared memory
- Process is fundamental unit of failure isolation
- Better: security, verification, failure handling, optimization

Static Benefit Of Sealed Processes
- Reduces process code size by up to 75%.
- Fewer code paths = better optimization & error analysis

Need For Lightweight Processes
- Existing processes rely on expensive hardware virtual memory and protection mechanisms
  - VM prevents reference to other processes' pages
  - protection prevents unprivileged code from accessing system resources (e.g. VM page tables)
- Processes are expensive to create and schedule
  - encourages monolithic program development
  - large, undifferentiated applications
  - dynamic code loading
  - threading to allow independent control flow

Software Isolated Processes (SIPs)
- Protection and isolation enforced by language safety and kernel API design, not hardware
  - process owns a set of pages
  - all of a process's objects reside on its pages (object space, not address space)
  - language safety ensures process can't create or mutate references to other pages
- Global invariants:
  - no process contains a pointer to another process's object space
  - no pointers from exchange heap into process

Interprocess Communications
- Channels are strongly typed (value and behavior), bidirectional communications ports
  - message passing with extensive language support
- Messages live outside processes, in exchange heap
  - only a single reference to a message
  - "Mailbox" semantics enforced by linear types
(diagram: exchange heap between processes)

Failure Isolation
- SIPs are failure containers
  - no shared implementation or state across SIPs
  - process runtimes are distinct
- On SIP failure:
  - clean failure notification on peer channel endpoints
  - resources reclaimed by OS
- Recovery feasible, not automatic or transparent: peers can recover and continue

Would You Trust Your System To A Type System?
- Process integrity depends on type and memory safety
- currently trust compiler and runtime
- TAL can eliminate compiler from trusted computing base
- Working on verifying the GC as well

Hardware Protection Is Orthogonal
(diagram: six configurations numbered 1 to 6; their labels are not recoverable from the text)

Cost Of Hardware And Software Isolation
(chart: micro benchmarks; only the values 5.5 and 6.8 survive from the chart)
- Why?
  - all SIPs run in ring 0
  - static verification replaces hardware protection
  - good optimizing compiler (not JIT)

Challenge 3: More Verification
- Integrate specifications throughout system
  - language
  - interprocess communication
  - system configuration
- Detect errors early, verify code late
- language safety essential to system integrity

Example: Channel Contracts
(? = receive, ! = send)

    public contract TcpSocketContract {
        ...
        state Connected : one {
            Read? -> ReadResult;
            Write? -> WriteResult;
            GetLocalAddress? -> IPAddress! -> Connected;
            GetLocalPort? -> Port! -> Connected;
            DoneSending? -> ReceiveOnly;
            DoneReceiving? -> SendOnly;
            Close? -> Closed;
            Abort? -> Closed;
        }
        state Reading : one {
            Data! -> Connected;
            NoMoreData! -> SendOnly;
            RemoteClose! -> Zombie;
        }
        ...
    }

Example: Channel Contracts
Contract: TcpConnectionContract (the two following slides repeat the contract body shown above under this name)
Client:

    ...
    conn.SendRead();
    switch receive {
        case conn.Data(readData):
            dataBuffer.AddToTail(readData);
            return true;
        case conn.RemoteClose():
            return false;
    }
    ...

Example: Channel Contracts
- Contract conformance statically detects subtle errors such as deadlock
- Missing case in the client above:

    case conn.NoMoreData():
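The conformance check described on the contract slides, as an added example in Python; it is not Singularity's own Sing# tooling, which performs this check at compile time. The contract excerpt is transcribed into a small state machine, and the client's switch receive block is checked against the messages the exporter may send in the state reached after SendRead(). The state and message names are those on the slide; the intermediate states for the GetLocalAddress and GetLocalPort replies, and calling the read-reply state "ReadResult" rather than "Reading", are assumptions.

```python
"""Channel-contract conformance check, modelled on the Singularity slides.

Added example: a state-machine transcription of the TcpConnectionContract
excerpt and a check that a client's 'switch receive' handles every message
the exporter may send in the current state. Not Singularity's own code.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Transition:
    message: str
    direction: str    # slide notation: '?' = exporter receives, '!' = exporter sends
    next_state: str


Contract = Dict[str, List[Transition]]

# Transcription of the contract excerpt on the slide. Compound transitions
# such as "GetLocalAddress? -> IPAddress! -> Connected" are split by an
# intermediate state named after the reply (assumed names). The state the
# slide body labels "Reading" is named "ReadResult" here, matching the
# "Read? -> ReadResult" transition.
TCP_CONNECTION_CONTRACT: Contract = {
    "Connected": [
        Transition("Read", "?", "ReadResult"),
        Transition("Write", "?", "WriteResult"),
        Transition("GetLocalAddress", "?", "IPAddressReply"),
        Transition("GetLocalPort", "?", "PortReply"),
        Transition("DoneSending", "?", "ReceiveOnly"),
        Transition("DoneReceiving", "?", "SendOnly"),
        Transition("Close", "?", "Closed"),
        Transition("Abort", "?", "Closed"),
    ],
    "IPAddressReply": [Transition("IPAddress", "!", "Connected")],
    "PortReply": [Transition("Port", "!", "Connected")],
    "ReadResult": [
        Transition("Data", "!", "Connected"),
        Transition("NoMoreData", "!", "SendOnly"),
        Transition("RemoteClose", "!", "Zombie"),
    ],
}


def is_allowed(contract: Contract, state: str, message: str) -> bool:
    """True if the contract permits `message` to be exchanged in `state`."""
    return any(t.message == message for t in contract.get(state, []))


def step(contract: Contract, state: str, message: str) -> str:
    """State reached after exchanging `message` in `state`; raises if forbidden."""
    for t in contract.get(state, []):
        if t.message == message:
            return t.next_state
    raise ValueError(f"message {message!r} is not allowed in state {state!r}")


def expected_receives(contract: Contract, state: str) -> Set[str]:
    """Messages the exporter may send in `state`, i.e. what the importing
    side (the client) must be prepared to receive."""
    return {t.message for t in contract.get(state, []) if t.direction == "!"}


def check_receive_block(contract: Contract, state: str,
                        handled_cases: Iterable[str]) -> Tuple[List[str], List[str]]:
    """The conformance check: every message the exporter can send in `state`
    needs a case in the client's switch receive, otherwise the client may wait
    forever for a message that never arrives (the deadlock the slide mentions)
    or drop one it never handles. Returns (missing, spurious) case names."""
    expected = expected_receives(contract, state)
    handled = set(handled_cases)
    return sorted(expected - handled), sorted(handled - expected)


def check_slide_client() -> Tuple[List[str], List[str]]:
    """The client on the slide: conn.SendRead(), then cases for Data and
    RemoteClose only."""
    state = step(TCP_CONNECTION_CONTRACT, "Connected", "Read")
    return check_receive_block(TCP_CONNECTION_CONTRACT, state, ["Data", "RemoteClose"])


def check_fixed_client() -> Tuple[List[str], List[str]]:
    """The same client with the missing NoMoreData case added."""
    state = step(TCP_CONNECTION_CONTRACT, "Connected", "Read")
    return check_receive_block(TCP_CONNECTION_CONTRACT, state,
                               ["Data", "NoMoreData", "RemoteClose"])


if __name__ == "__main__":
    print("slide client (missing, spurious):", check_slide_client())
    print("fixed client (missing, spurious):", check_fixed_client())
```

Running the block reports `NoMoreData` as the missing case for the slide's client and nothing for the corrected one; a case for a message the contract never allows in that state is reported as spurious, which is the other kind of error a behavioural type can catch.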

Example: Applications Specifications
- Application is first-class abstraction with identity: code + resources + manifest
- Manifest specifies
  - software components
  - dependencies
  - exported channels
  - hardware or software resource requirements

Device Driver Specification

    [DriverCategory]
    [Signature("/pci/03/00/5333/8811")]                        // requires PCI device
    class S3Trio64Config : DriverCategoryDeclaration
    {
        [IoMemoryRange(0, Length = 0x400000)]                  // requires 4MB frame buffer (declared in PCI config)
        IoMemoryRange frameBuffer;

        [IoFixedMemoryRange(Base = 0xb8000, Length = 0x8000)]  // requires system console buffer
        IoMemoryRange textBuffer;
        ...
        [IoFixedPortRange(Base = 0x3c0, Length = 0x20)]        // requires VGA I/O ports
        IoPortRange control;

        [ExtensionEndpoint(typeof(ExtensionContract.Exp))]     // requires channel to parent process for control
        TRef<ExtensionContract.Exp> pnp;

        [ServiceEndpoint(typeof(VideoDeviceContract.Exp))]     // provides channel for clients to access video device
        TRef<VideoDeviceContract.Exp> video;
        ...
    }

Specification Used In Many Ways
(diagram: the driver specification feeds conflict detection, loading the driver, allocating I/O objects, and creating channels; other labels: driver class library, Abolish Runtime Systems)

Verification Of System Configuration
- Verification ensures
  - never install a program that will break another program
  - never start a program without appropriate resources
  - never grant a program access to undeclared resources
- All of these checks performed statically
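What the first two guarantees on the configuration slide look like as a static check over manifests, as an added Python example (not Singularity's own manifest format or installer): each manifest is reduced to its fixed I/O ranges and the channel contracts it exports or requires, and a candidate is rejected before it ever runs if one of its fixed ranges overlaps a range already granted to an installed component, or if it requires a contract that nothing installed exports. The S3Trio64 ranges are the fixed claims on the driver slide; the Manifest layout and the other components are constructed.

```python
"""Static configuration check over driver manifests, modelled on the
Singularity slides. Added example, not Singularity's own installer or
manifest format: a manifest here is just its fixed I/O ranges and the
channel contracts it exports or requires.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class FixedRange:
    kind: str      # "memory" or "port"
    base: int
    length: int

    @property
    def end(self) -> int:          # exclusive upper bound
        return self.base + self.length

    def overlaps(self, other: "FixedRange") -> bool:
        return (self.kind == other.kind
                and self.base < other.end and other.base < self.end)


@dataclass(frozen=True)
class Manifest:
    name: str
    signature: str                 # device signature the driver binds to
    fixed: Tuple[FixedRange, ...]  # IoFixedMemoryRange / IoFixedPortRange claims
    exports: Tuple[str, ...]       # contracts offered on ServiceEndpoints
    requires: Tuple[str, ...]      # contracts needed on ExtensionEndpoints


# The S3Trio64 claims are the fixed ranges on the slide (text buffer at
# 0xb8000, VGA ports at 0x3c0); the PCI-relative frame buffer is not a fixed
# range and is left out of this check.
S3_TRIO64 = Manifest(
    "S3Trio64", "/pci/03/00/5333/8811",
    (FixedRange("memory", 0xb8000, 0x8000), FixedRange("port", 0x3c0, 0x20)),
    exports=("VideoDeviceContract",), requires=("ExtensionContract",))

# Constructed manifests (hypothetical components, not from the slides).
KERNEL = Manifest("Kernel", "/kernel", (), exports=("ExtensionContract",), requires=())
TEXT_CONSOLE = Manifest(          # claims part of the same text buffer
    "TextConsole", "/hypothetical/console",
    (FixedRange("memory", 0xb8000, 0x1000),), exports=(), requires=("ExtensionContract",))
NIC = Manifest(                   # ports just above the VGA range: no overlap
    "Nic", "/hypothetical/nic",
    (FixedRange("port", 0x3e0, 0x10),), exports=("NetworkDeviceContract",),
    requires=("ExtensionContract",))


def find_conflicts(installed: List[Manifest],
                   candidate: Manifest) -> List[Tuple[str, FixedRange, FixedRange]]:
    """Fixed ranges of `candidate` that overlap a range already granted."""
    return [(m.name, a, b)
            for m in installed for a in m.fixed for b in candidate.fixed
            if a.overlaps(b)]


def unmet_requirements(installed: List[Manifest], candidate: Manifest) -> List[str]:
    """Contracts `candidate` requires that no installed component exports."""
    provided = {c for m in installed for c in m.exports}
    return [r for r in candidate.requires if r not in provided]


def can_install(installed: List[Manifest], candidate: Manifest) -> Tuple[bool, List[str]]:
    """Decide from the manifests alone, before the candidate runs; returns (ok, reasons)."""
    reasons = [
        f"{candidate.name}: {b.kind} range 0x{b.base:x}+0x{b.length:x} overlaps "
        f"{owner}'s 0x{a.base:x}+0x{a.length:x}"
        for owner, a, b in find_conflicts(installed, candidate)]
    reasons += [f"{candidate.name}: requires {r} but nothing installed exports it"
                for r in unmet_requirements(installed, candidate)]
    return (not reasons, reasons)


if __name__ == "__main__":
    system = [KERNEL]
    for cand in (S3_TRIO64, NIC, TEXT_CONSOLE):
        ok, why = can_install(system, cand)
        print(cand.name, "->", "install" if ok else "reject", why)
        if ok:
            system.append(cand)
```

Run stand-alone, the block installs the S3Trio64 driver and the hypothetical NIC and rejects the hypothetical text console because its memory claim overlaps the driver's text buffer; a component whose required contract has no exporter is likewise rejected before it is started, which is the "never start a program without appropriate resources" case.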

Summary
- Singularity is basis for more dependable systems
  - pervasive use of safe programming languages
  - lightweight, closed, customizable run-time environment
  - verifiable specification of system behavior
- Working research prototype driving research in large number of areas
- More information: http:/
  - Growing number of TRs & papers

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
