Intra-Address-Space Protection
Intra-Address Space Protection Using Segmentation Hardware
Group Members:
Two major software application trends call for operating-system support
for establishing protection boundaries among modules that execute
in the same address space. First, the notion of dynamic extensibility
has prevailed in almost every major software systems area,
ranging from extensible database systems to which third-party
data blades can be added to perform type-specific data processing,
extensible operating systems that support application-specific
resource management policies, to programmable active network devices
that allow protocol computation tailored to individual applications.
A key feature of extensible systems is their support for live addition and
removal of software modules in a running address space. Therefore,
an effective and efficient mechanism to protect the running core system
from dynamically inserted modules is crucial to the long-term viability
of extensible systems. Second, component-based software development (CBSD)
is emerging as the dominant development methodology because it significantly
improves software productivity by encouraging modularity and re-usability.
As complicated components manufactured by multiple vendors
are used to construct complete software applications,
a reasonable degree of protection among components is essential
to alleviate the most challenging problem of CBSD: interference among
separately developed components and the resulting system instability.
Although a number of approaches have been proposed to provide intra-address
space protection, such as software fault isolation, extensions
written in type-safe or interpreted languages,
and proof-carrying code, there is no clear winner that addresses
all of the following issues: flexibility in specifying extensions,
run-time performance overhead, and practical usability.
One commonality among all the above approaches is the use of software-only
techniques to create protection domains within an address space, based on the
assumption that hardware-based protection mechanisms are only applicable
to inter-address space protection. In contrast, this work proposes an
intra-address space protection mechanism using the segmentation check
hardware in the Intel x86 architecture that is efficient in terms of
its run-time overhead, allows maximum flexibility in programming extensions,
and does not add any extra complexity to the deployment of extensions.
Although the proposed mechanism is geared towards a particular processor
architecture, the fact that the architecture in question dominates
more than 90% of the world's desktop computer market ensures
that it has wide applicability and thus large impact.
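As an added illustration (not code from this project page or from the Palladium prototype), the following C model packs an x86 code/data segment descriptor in the layout the Intel manuals define and reproduces the two checks the processor applies on every access through that segment: the privilege-level check when the segment is loaded, and the limit check on each memory reference. The flat 4 GiB kernel segment and the 1 MiB extension window at base 0x40000000 are constructed sample values; how the real prototype lays out its segments is not described on this page, and the read/write/execute type check is left out of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of an x86 code/data segment descriptor that matter for the
 * limit check. Layout follows the Intel SDM; this is a software model,
 * not the project's own code. */
typedef struct {
    uint32_t base;        /* 32-bit linear base address */
    uint32_t limit;       /* raw 20-bit limit field */
    bool     granularity; /* G bit: 0 = limit in bytes, 1 = limit in 4 KiB pages */
    uint8_t  dpl;         /* descriptor privilege level, 0 (kernel) .. 3 (user) */
} segdesc_t;

/* Pack the descriptor into the 8-byte GDT/LDT entry format.
 * type is the 4-bit type field (e.g. 0xA = exec/read code, 0x2 = read/write data). */
uint64_t encode_descriptor(segdesc_t d, uint8_t type)
{
    uint64_t raw = 0;
    raw |= (uint64_t)(d.limit & 0xFFFF);             /* bits 0-15:  limit[15:0]     */
    raw |= (uint64_t)(d.base & 0xFFFFFF) << 16;      /* bits 16-39: base[23:0]      */
    raw |= (uint64_t)(type & 0xF) << 40;             /* bits 40-43: type            */
    raw |= (uint64_t)1 << 44;                        /* bit 44:     S=1 (code/data) */
    raw |= (uint64_t)(d.dpl & 3) << 45;              /* bits 45-46: DPL             */
    raw |= (uint64_t)1 << 47;                        /* bit 47:     P=1 (present)   */
    raw |= (uint64_t)((d.limit >> 16) & 0xF) << 48;  /* bits 48-51: limit[19:16]    */
    raw |= (uint64_t)1 << 54;                        /* bit 54:     D/B=1 (32-bit)  */
    raw |= (uint64_t)(d.granularity ? 1 : 0) << 55;  /* bit 55:     G               */
    raw |= (uint64_t)((d.base >> 24) & 0xFF) << 56;  /* bits 56-63: base[31:24]     */
    return raw;
}

/* Inverse of encode_descriptor: recover base, limit, G and DPL. */
segdesc_t decode_descriptor(uint64_t raw)
{
    segdesc_t d;
    d.limit = (uint32_t)(raw & 0xFFFF) | ((uint32_t)((raw >> 48) & 0xF) << 16);
    d.base  = (uint32_t)((raw >> 16) & 0xFFFFFF) | ((uint32_t)((raw >> 56) & 0xFF) << 24);
    d.granularity = ((raw >> 55) & 1) != 0;
    d.dpl = (uint8_t)((raw >> 45) & 3);
    return d;
}

/* Largest valid offset within the segment, after granularity scaling. */
uint32_t effective_limit(segdesc_t d)
{
    return d.granularity ? ((d.limit << 12) | 0xFFF) : d.limit;
}

/* Linear address of an offset (base + offset, wrapping modulo 2^32). */
uint32_t linear_address(segdesc_t d, uint32_t offset)
{
    return d.base + offset;
}

/* Models the hardware check for an expand-up segment: the caller's
 * privilege level must be numerically <= DPL to load the segment at all,
 * and every byte of the access must lie at or below the effective limit
 * (an access crossing the limit, or wrapping past 2^32, raises #GP). */
bool segment_access_ok(segdesc_t d, uint32_t offset, uint32_t size, uint8_t cpl)
{
    if (size == 0 || cpl > d.dpl)
        return false;
    uint64_t last_byte = (uint64_t)offset + size - 1;
    return last_byte <= effective_limit(d);
}

/* Constructed sample: flat 4 GiB kernel segment (limit 0xFFFFF, G=1, DPL 0). */
segdesc_t flat_segment(void)
{
    segdesc_t d = { .base = 0, .limit = 0xFFFFF, .granularity = true, .dpl = 0 };
    return d;
}

/* Constructed sample: a 1 MiB window at 0x40000000 an extension may use,
 * loadable from user privilege (DPL 3). Base and size are assumptions. */
segdesc_t extension_segment(void)
{
    segdesc_t d = { .base = 0x40000000, .limit = 0xFF, .granularity = true, .dpl = 3 };
    return d;
}

int main(void)
{
    segdesc_t ext = extension_segment();
    printf("extension descriptor: %016llx\n",
           (unsigned long long)encode_descriptor(ext, 0x2));
    printf("effective limit: 0x%x\n", effective_limit(ext));
    /* In-bounds access by the extension. */
    printf("access 0xFFFFC size 4 ok: %d\n", segment_access_ok(ext, 0xFFFFC, 4, 3));
    /* An access that straddles the limit is refused by the hardware check. */
    printf("access 0xFFFFD size 4 ok: %d\n", segment_access_ok(ext, 0xFFFFD, 4, 3));
    /* The extension cannot load the kernel's DPL-0 flat segment at all. */
    printf("user use of kernel segment ok: %d\n",
           segment_access_ok(flat_segment(), 0, 4, 3));
    return 0;
}
```

The point the model makes is that the confinement costs nothing per access: once the extension's code and data segments are loaded, the base and limit are applied by the address-translation hardware on every reference, so an extension compiled as ordinary machine code is stopped at the segment boundary without instrumentation, interpretation or proof checking.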
Current Work:
- Refining the first prototype of segmentation hardware-based
intra-address-space protection, including support for pre-emptive
extension scheduling
- Building a safe and efficient CGI execution engine by treating
CGI scripts as library calls
- Deploying a kernel-level extension mechanism for active networking
support in Suez
Publications:
- Prashant Pradhan, Tzi-cker Chiueh. A Computational Framework for an Extensible Network Router. Submitted for publication, April 2000.
- Tzi-cker Chiueh, Ganesh Venkitachalam, Prashant Pradhan. Integrating Segmentation and Paging Protection for Safe, Efficient and Transparent Software Extensions. In Proc. ACM SOSP-1999.
- Tzi-cker Chiueh, Ganesh Venkitachalam, Prashant Pradhan. Intra-address Space Protection using Segmentation Hardware. In Proceedings of HotOS'99.
- Ganesh Venkitachalam. Palladium: A System for Supporting Safe User Extensions Using Segmentation Hardware. Master's Thesis, Computer Science Department, SUNY at Stony Brook, May 1999.
- Ganesh Venkitachalam, Tzi-cker Chiueh. High-Performance Common Gateway Interface Invocation. In Proceedings of IEEE Workshop on Internet Applications, July 1999.
Code:
Acknowledgement
This project is sponsored by a Student Research grant from
USENIX.