conf-isca-2006

  • 8/6/2019 conf-isca-2006

    An Integrated Framework for Dependable and Revivable Architecture Using Multicore Processors

    Weidong Shi, Motorola Labs
    Hsien-Hsin Sean Lee, Georgia Tech
    Laura Falk, University of Michigan
    Mrinmoy Ghosh, Georgia Tech

    Problem Statement

    Highly available, reliable, and revivable networked services.

    Explore new programming and usage models for multi-core processors.

    Provide architectural support for network services to be:
      Autonomic
      Remote-exploit revivable
      Self-recoverable

    Achieve high performance.

    Toward Self-recovery Network Services

    Causes of Network Service Loss
      Accidental: Transient Heisenbugs Damage Aging
      Intentional: DoS Buffer Overflow

    Solutions
      Replication
      Rejuvenation
      Checkpoint

    Remote Exploit  Self-recovery

    Multicore: An ideal platform

    Exploit insulation: each core of a multicore can be programmed to run at different privilege levels with different OS.

    [Figure: Dual Core (Merome) with Server Core, Monitor Core, and Shared L2]

    Tight coupling of cores compared with SMP
    Fine-grained processor state monitoring
    Concurrent monitoring, efficient state backup and recovery
    Massive multi-core will have many idle cores

    INDRA: A Dependable and Revivable Architecture

    [Figure: block diagram. Labels: Monitor Core (IL1 Cache, DL1 Cache; Monitor, Insulation, Issue Recovery Control); Server Core (Network Apps) (IL1 Cache, DL1 Cache); L2 Cache; Trace Filter; Trace FIFO; Code origin check; CFG check; Control signals; Watch Dog; Memory Interface; Physical Memory Space (used by service OS and applications); Protected Memory Space (monitor BIOS, OS, and SW)]

    Monitor Core: Insulated Parallel Inspection [Kiriansky et al., USENIX 2002]

    [Figure labels: Code Page, Data Page, Code Origin Check, Control Flow Graph Check, Exception Handling]

    Vuln_func()
    {
        // Attack!!
        // Return address changed
    }

    FunctionA()
    {
        Vuln_func();
        A = 3;
    }

    Malicious_func()
    {
    }

    Server Core: Request Based Recovery

    [Flowchart]
    Issue state backup request
    Read network request (request for page arch.ece.gatech.edu)
    Process network request
    Monitor signalled error? (No / Yes)
    Restore checkpointed state

    Comparison of Backup and Recovery

    Approach                 Backup                             Recovery
    Software checkpointing   Slow                               Fast, modify page translation
    Memory Update Log        Fast                               Log based undo, slow
    Virtual Checkpointing    Copy dirty page on demand, slow    Fast, modify TLB entry
    INDRA                    Fast, no page copy                 Fast, no page copy

    INDRA Backup Page Record

    [Figure: TLB Extension for Backup and Rollback. Labels: Processor, Memory, Modified TLB, Backup Page Record, Active Page, Backup Page, Global Timestamp Register (GT) shown with GT=4. Fields shown: Tag, Active Page (Physical Address), Local Timestamp, Rollback Valid, Rollback Bitvector, Backup Page (Physical Address), Dirty Block Bitvector]

    INDRA Recovery Example

    [Figure sequence: the TLB Extension for Backup and Rollback diagram (Modified TLB, Backup Record, Active Page, Backup Page, Global Timestamp Register (GT); fields Tag, Active Page (Physical Address), Local Timestamp, Rollback Valid, Rollback Bitvector, Backup Page (Physical Address), Dirty Block Bitvector), stepped through the operations below]

    REQUEST n, GT=5: Wr memory line 7
    REQUEST n, GT=5: Wr memory line 2
    REQUEST n, GT=5: Failure Signal; Restore system resource allocation; Restore process context
    REQUEST n+1, GT=5: Rd memory line 7
    REQUEST n+1, GT=5: Wr memory line 1
    REQUEST n+1: Handle Next Request, GT=6; Record system resource allocation; Record process context
    REQUEST n+2, GT=6: Wr memory line 4

    Test Bed (Bochs + TAXI [Vlaovic & Davidson, ICCD02])

    [Figure labels: Monitor (Stripped Down OS, Security SW, 10MB); Linux Network Server; Bochs + TAXI; Host OS; Network Requests; Server Response]

    Run production OS with real service applications: httpd, ftpd, bind, sendmail, etc.

    Recoverability evaluated by applying real x86 remote exploits from security websites.

    Experiment with documented exploits

    Inter-Request Interval (# of Instructions)

    [Figure: bar chart of Average Network Request Interval (instructions per request); y-axis 0 to 2500000; x-axis: ftp, http, bind, sendmail, imap, nfs, average]

    I-Cache Miss Rate

    [Figure: bar chart of L1 Miss Rate; y-axis 0.0% to 4.0%; x-axis: ftp, http, bind, sendmail, imap, nfs, average]

    Code Origin Check reads traces of code read from L2 Cache

    Number of Instructions in the Trace is Proportional to L1 I Cache Miss Rate

    Overhead of monitoring code origin depends on L1 I Cache Miss Rate

    Monitoring Overhead

    [Figure: bar chart of Request Response Time Slowdown; y-axis 0 to 1.2; x-axis: ftpd, httpd, bind, sendmail, imap, nfs, average]

    Sensitivity of Monitoring Queue Size

    [Figure: Queue Size vs. Performance; x-axis Queue Size (8, 16, 32, 64, 128); y-axis Slowdown, 1 to 1.6]

    Backup Overhead of Modified Lines

    [Figure: bar chart of Percentage of Modified Lines Requiring Backup; y-axis 0% to 14%; x-axis: ftpd, httpd, bind, sendmail, imap, nfs, average]

    Performance of Recovery + Monitoring

    [Figure: bar chart of Slowdown of Service Response Time; y-axis 1 to 2.8; x-axis: ftpd, httpd, bind, sendmail, imap, nfs, average; series: Monitor+Backup, Monitor+Backup+Rollback]

    Conclusions

    Real time exploit monitoring with autonomic recovery increases revivability and availability.

    Multicore architectures are an ideal candidate for new type of revivable system.

    INDRA-based Multicore system can provide improved reliability and availability.

    More research is required to explore the trade-off between availability, performance, architecture design, and cost.

    Questions and Answers

    http://arch.ece.gatech.edu

    Thank you!