Mutable Protection Domains: Towards a Component-based...
Transcript of Mutable Protection Domains: Towards a Component-based...
![Page 1: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/1.jpg)
Mutable Protection Domains: Towards a
Component-based System for Dependable
and Predictable Computing
Gabriel Parmer and Richard West
Computer Science DeparmentBoston UniversityBoston, MA 02215
{gabep1, richwest}@cs.bu.edu
December 6, 2007
![Page 2: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/2.jpg)
Complexity of Embedded Systems
Traditionally simpler software stack
limited functionality and complexity
focused application domain
Soon cellphones will have
10s of millions of lines of code
downloadable content (with real-time constraints)
Trend towards increasing complexity of embedded systems
Parmer, West, BU CS Mutable Protection Domains 2/27
![Page 3: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/3.jpg)
Consequences of Complexity
Run-time interactions are difficult to predict and can causefaults
accessing/modifying memory regions unintentionally
corruption data-structures
deadlocks/livelocks
race-conditions
. . .
Faults can cause violations in correctness and predictability
Parmer, West, BU CS Mutable Protection Domains 3/27
![Page 4: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/4.jpg)
Designing for Dependability and Predictability
Given increasing complexity, system design must anticipatefaults
Memory fault isolation: limit scope of adverse side-effects oferrant software
identify and restart smallest possible section of the system
recover from faults with minimal impact on system goals
employ software/hardware techniques
Preserve system reliability and predictability in spite ofmisbehaving and/or faulty software
Parmer, West, BU CS Mutable Protection Domains 4/27
![Page 5: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/5.jpg)
Trade-offs in Isolation Granularity
Increased Isolation Reduced Communication Cost
Protection Domains Components
Threads
Stacks
Process Isolation User-Kernel Isolation Library Isolation
Parmer, West, BU CS Mutable Protection Domains 5/27
![Page 6: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/6.jpg)
Static HW Fault Isolation Approaches
(II)
What is the “best” isolation granularity?
P1 P2
user−levelkernel−level
Net FS
Monolithic OSs
provide minimal isolation to allow process independence
large kernel not self-isolated, possibly extend-able
→ Coarse-grained isolation, but low service invocation cost
Both characterized by a static system structure
Parmer, West, BU CS Mutable Protection Domains 6/27
![Page 7: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/7.jpg)
Static HW Fault Isolation Approaches (II)
What is the “best” isolation granularity?
P1 P2
user−levelkernel−level
IPC
Net FS
µ-kernels
segregate system services out of the kernel, interact w/Inter-Process Communication (IPC)finer-grained isolation
IPC overhead limits isolation granularity
→ Finer-grained fault isolation, but increased serviceinvocation cost
Both characterized by a static system structure
Parmer, West, BU CS Mutable Protection Domains 6/27
![Page 8: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/8.jpg)
Static HW Fault Isolation Approaches (II)
What is the “best” isolation granularity?
P1 P2
user−levelkernel−level
IPC
Net FS
µ-kernels
segregate system services out of the kernel, interact w/Inter-Process Communication (IPC)finer-grained isolation
IPC overhead limits isolation granularity
→ Finer-grained fault isolation, but increased serviceinvocation cost
Both characterized by a static system structure
Parmer, West, BU CS Mutable Protection Domains 6/27
![Page 9: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/9.jpg)
Mutable Protection Domains (MPD)
Goal: configure system to have finest grained faultisolation while still meeting application deadlines
Mutable Protection Domains (MPDs)
dynamically place protection domains betweencomponents in response to
communication overheads due to isolationapplication deadlines being satisfied
application close to missing deadlines→ lessen isolation between components
laxity in application deadlines→ increase isolation between components
Parmer, West, BU CS Mutable Protection Domains 7/27
![Page 10: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/10.jpg)
Mutable Protection Domains (MPD) (II)
Mutable Protection Domains appropriate for soft real-timesystems
Protection domains can be made immutable where appropriate
Parmer, West, BU CS Mutable Protection Domains 8/27
![Page 11: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/11.jpg)
Setup and Assumptions
TCP UDP
P. Filter
IP
Socket
System is a collection of components
Arranged into a directed acyclic graph (DAG)
nodes = components themselves
edges = communication between them,indicative of control flow
Isolation over an edge can be configured tobe one of the three isolation levels
Protection Domains Components
Threads
Stacks
Parmer, West, BU CS Mutable Protection Domains 9/27
![Page 12: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/12.jpg)
Isolation cost and benefit
Isolation between components causes a performance penaltydue to:
1 processing cost of a single invocation between thosecomponents
2 the frequency of invocations between those components
→ cost of each isolation level/edge
Different isolation levels yield higher dependability
stronger isolation → higher dependability
Isolation between specific components more important
debugging, testing, unreliable components, . . .
→ benefit of each isolation levels/edge
This paper studies the policies concerning whenand where isolation should be present
Parmer, West, BU CS Mutable Protection Domains 10/27
![Page 13: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/13.jpg)
Isolation cost and benefit
Isolation between components causes a performance penaltydue to:
1 processing cost of a single invocation between thosecomponents
2 the frequency of invocations between those components
→ cost of each isolation level/edge
Different isolation levels yield higher dependability
stronger isolation → higher dependability
Isolation between specific components more important
debugging, testing, unreliable components, . . .
→ benefit of each isolation levels/edge
This paper studies the policies concerning whenand where isolation should be present
Parmer, West, BU CS Mutable Protection Domains 10/27
![Page 14: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/14.jpg)
Problem Definition
For a solution set swhere si ∈{1, . . . , # isolation levels}
Maximize the dependability ofthe system . . .
maximize∑∀i∈edges benefitisi
While meeting task deadlines. . .
while∑∀i∈edges costisi
k
≤surplus resources
k
For each task in the system ∀k ∈ tasks
Parmer, West, BU CS Mutable Protection Domains 11/27
![Page 15: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/15.jpg)
Problem Definition
For a solution set swhere si ∈{1, . . . , # isolation levels}
Maximize the dependability ofthe system . . .
maximize∑∀i∈edges benefitisi
While meeting task deadlines. . .
while∑∀i∈edges costisi
k
≤surplus resources
k
For each task in the system ∀k ∈ tasks
Parmer, West, BU CS Mutable Protection Domains 11/27
![Page 16: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/16.jpg)
Problem Definition
For a solution set swhere si ∈{1, . . . , # isolation levels}
Maximize the dependability ofthe system . . .
maximize∑∀i∈edges benefitisi
While meeting task deadlines. . .
while∑∀i∈edges costisi
k
≤surplus resources
k
For each task in the system ∀k ∈ tasks
Parmer, West, BU CS Mutable Protection Domains 11/27
![Page 17: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/17.jpg)
Problem Definition
For a solution set swhere si ∈{1, . . . , # isolation levels}
Maximize the dependability ofthe system . . .
maximize∑∀i∈edges benefitisi
While meeting task deadlines. . .
while∑∀i∈edges costisik ≤
surplus resourcesk
For each task in the system ∀k ∈ tasks
Parmer, West, BU CS Mutable Protection Domains 11/27
![Page 18: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/18.jpg)
Multi-Dimensional, Multiple-Choice Knapsack
maximize∑
∀i∈edges
benefitisi
subject to∑
∀i∈edges
costisik ≤ surplus resourcesk , ∀k ∈ tasks
si ∈ {1, . . . , max isolation level}, ∀i ∈ edges
This problem is a multi-dimensional, multiple-choice knapsackproblem (MMKP)
multi-dimensional - multiple resource constraints
multiple-choice - configure each edge in one of theisolation levels
NP-Hard problem
heuristics, pseudo-poly dynamic prog., branch-boundParmer, West, BU CS Mutable Protection Domains 12/27
![Page 19: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/19.jpg)
One-Dimensional Knapsack Problem
Effective and inexpensive greedy solutions to one-dimensionalknapsack problem exist
sort isolation levels/edges based on benefit density, ratioof benefit to cost
increase isolation by including isolation levels/edges fromhead until resources are expended
. . . but we have multiple dimensions of cost
Parmer, West, BU CS Mutable Protection Domains 13/27
![Page 20: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/20.jpg)
Solutions - Reducing Resource Dimensions
Compute an aggregate cost for each edge
single value representing a combination of the costs for alltasks for an edge: ∀k , costisik → agg costisi
some tasks very resource constrained, some aren’t
intelligently weight costs for task k to compute aggregatecost
Parmer, West, BU CS Mutable Protection Domains 14/27
![Page 21: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/21.jpg)
Solutions - HEU
1 compute aggregate cost for each isolation level/edge
2 include isolation level/edge with best benefit density insolution configuration
3 goto 1 until resources expended
Fine-grained refinement of aggregate cost
recompute once every time an isolation level/edge isadded to the current solution configuration
Parmer, West, BU CS Mutable Protection Domains 15/27
![Page 22: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/22.jpg)
Solutions - coarse and oneshot Refinement
1 compute aggregate cost for each isolation level/edge
2 sort by benefit density
3 include isolation level/edge from head
4 goto 3, until resources expended
5 recompute aggregate costs based on resource surpluseswith solution configuration
6 goto 2 N times and return highest benefit configuration
N > 1: coarse-grained refinement
recompute once per total configuration found
execution time linearly increases with N
N = 1: oneshot
very quick
no aggregate cost refinementParmer, West, BU CS Mutable Protection Domains 16/27
![Page 23: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/23.jpg)
Solution Runtimes
1
10
100
1000
10000
100000
1000000
100 500 1500 3000
Number of Isolation Instances
Runt
ime
(micr
osec
onds
)
oneshot coarse fine
Parmer, West, BU CS Mutable Protection Domains 17/27
![Page 24: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/24.jpg)
System Dynamics
System is dynamic
changing communication costs over edges as threads alterexecution paths between components
changing resource availabilities as threads varyintra-component execution time
per-invocation cost overheads vary
different cache working sets, invocation argument size,. . .
System must refine the system isolation configuration as thesevariables change
Parmer, West, BU CS Mutable Protection Domains 18/27
![Page 25: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/25.jpg)
Solutions over time
System dynamics require re-computation of systemconfiguration
1 disregard current system state, recompute entirely newsystem configuration
traditional knapsack (MMKP) approach: ks
2 solve for the next system configuration starting from thecurrent system configuration
Successive State Heuristic (ssh)
modifies coarse and oneshot to start from the currentsystem configurationaim to reduce isolation changes to existing configuration
Parmer, West, BU CS Mutable Protection Domains 19/27
![Page 26: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/26.jpg)
Experimental Simulations
Simulate a system with
widely varying resource surplus for 3 tasks
changing communication costs
200 edges, 3 isolation levels
Parmer, West, BU CS Mutable Protection Domains 20/27
![Page 27: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/27.jpg)
Resource Usage for Task 1
0
2000
4000
6000
8000
10000
0 5 10 15 20 25 30 35 40 45 50 55
Reso
urce
s Us
ed F
or Is
olat
ion
(Tas
k 1)
Reconfiguration Number
ks oneshotks coarse
ssh oneshotssh coarse
ks fineResource Avail.
Parmer, West, BU CS Mutable Protection Domains 21/27
![Page 28: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/28.jpg)
System Isolation-Derived Benefit
10000
12000
14000
16000
18000
20000
22000
24000
0 5 10 15 20 25 30 35 40 45 50 55
Bene
fit
Reconfiguration Number
ks oneshotks coarse
ssh oneshotssh coarse
ks fine
Parmer, West, BU CS Mutable Protection Domains 22/27
![Page 29: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/29.jpg)
OS Support for MPD
Composite: component-based OS designed to support MPD
KCap
UCap clientstub
user−levelkernel
client_fn server_fn
stubserver
Parmer, West, BU CS Mutable Protection Domains 23/27
![Page 30: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/30.jpg)
OS Support for MPD (II)
Composite: component-based OS designed to support MPD
KCap
UCap serverstub
clientstub
user−levelkernel
server_fnclient_fn
Parmer, West, BU CS Mutable Protection Domains 24/27
![Page 31: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/31.jpg)
OS Support for MPD (III)
Switching between the two isolation levels requires changingUCap, KCap, and protection domains
Prototype running on x86 Pentium IV @ 2.4 Ghz
Invocation via kernel - 1510 cycles (0.63 µsecs)
Direct invocation - 55 cycles (0.023 µsecs)
Parmer, West, BU CS Mutable Protection Domains 25/27
![Page 32: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/32.jpg)
Conclusions
Solution to MMKP based on lightweight successive refinementgiven dynamic changes in system behavior
possibly useful in e.g. QRAM
Mutable Protection Domains
dynamically reconfigure protection domains to maximizefault isolation while meeting application deadlines
makes the performance/predictability ↔ fault isolationtradeoff explicit
Parmer, West, BU CS Mutable Protection Domains 26/27
![Page 33: Mutable Protection Domains: Towards a Component-based ...cs-pub.bu.edu/fac/richwest/slides/mpd_rtss2007.pdf · Run-time interactions are difficult to predict and can cause faults](https://reader034.fdocuments.in/reader034/viewer/2022042406/5f2052df2dbd8a002416c62b/html5/thumbnails/33.jpg)