Genode Components
-
Upload
vasily-sartakov -
Category
Education
-
view
372 -
download
1
description
Transcript of Genode Components
Genode OS Framework - Components
Norman Feske<[email protected]>
Outline
1. Classification of components
2. Kernelization example
3. Unified configuration concept
4. Session routing
5. Components overview
Genode OS Framework - Components 2
Outline
1. Classification of components
2. Kernelization example
3. Unified configuration concept
4. Session routing
5. Components overview
Genode OS Framework - Components 3
Classification
Kernel enables base platform
Device driver translates device interface to API
Protocol stack translates API to API
Application is leaf node in process tree
Runtime environment has one or more children
Resource multiplexer has multiple clients
combinations are possible
Genode OS Framework - Components 4
Kernel
Genode OS Framework - Components 5
Device driver
Translates device interface to session interface
Uses core’s IO MEM, IO PORT, IRQ services
Single client
Contains no policy
Enforces policy (device-access arbitration)
Genode OS Framework - Components 6
Device driver (2)
Critical because of DMA
MMU protects physical memory from driver codeDriver code accesses device via MMIODevice has access to whole physical memory (DMA)
→ Device driver can access whole physical memory
IOMMUs can help ...but are no golden bullet
Genode OS Framework - Components 7
Device driver (3)
Even with no IOMMU, isolating drivers has benefits
Taming classes of non-DMA-related bugs
I Memory leaksI Synchronization problems, dead-locksI Flawed driver logic, wrong state machinesI Device initialization
Minimizing attack surface from the outside
Genode OS Framework - Components 8
Protocol stack
Translates API to another (or the same) API
Does not enforce policy
Single client
May be co-located with device driver
Genode OS Framework - Components 9
Protocol stack (2)
Libraries
Library Translation
Qt4 Qt4 API → various Genode sessionslwIP socket API → NIC session
Components translating sessions
Component Translation
TCP terminal Terminal session → NIC sessioniso9660 ROM session → Block sessionffat fs File-system session → Block session
Genode OS Framework - Components 10
Protocol stack (3)
Components that filter sessions
Genode OS Framework - Components 11
Protocol stack (4)
Operate on session interfaces, not physical resources
→ May be instantiated any number of times
→ Critical for availablility
→ Not neccessarily critical for integrity and confidentiality
→ Information leakage constrained to used interfaces
complex code should go in here
Genode OS Framework - Components 12
Application
Leaf node in process tree
Uses services
Implements application logic
Provides no service
Genode OS Framework - Components 13
Runtime environment
Hosts other processes as children
Defines and imposes policy!
Examples
InitVirtual machine monitorDebuggerPython interpreter
Genode OS Framework - Components 14
Resource multiplexer
Multiplexes session interface
Multiple clients → Potential multi-level component
Free from policy
Enforce policy dictated by parent
Prone to cross-client information leakage
Prone to resource-exhaustion-based DoS
Genode OS Framework - Components 15
Resource multiplexer (2)
→ Often as critical as the kernel
→ Must be as low complex as possible
→ Must work on client-provided resources
→ Must employ heap partitioning
only a few resource multiplexers needed
Genode OS Framework - Components 16
Outline
1. Classification of components
2. Kernelization example
3. Unified configuration concept
4. Session routing
5. Components overview
Genode OS Framework - Components 17
Kernelizing the GUI server
Persistent security problems of GUIs
Impersonation(Trojan horses, phishing, man in the middle)Spyware(input loggers, arcane observers)Robustness/availability risks(resource-exhaustion-based denial of service
GUI belongs to TCB → low complexity is important!
Genode OS Framework - Components 18
Starting point: DOpE as secure GUI
Genode OS Framework - Components 19
DOpE as secure GUI - Drawbacks
Prone to resource exhaustion by malicious clientsProvides custom look and feel*
I Stands in the way when using legacy softwareI May be enhanced by theme support
Complexity of 12,000 LOC
Genode OS Framework - Components 20
Straight-forward attempt: Shrinking DOpE
Revisiting the implementation
Keeping only essential functionality→ 7,000 LOC
We loose:
Majority of widgets (grid, scale, scrollbar, etc.)Flexible command interfaceCoolness, fancyness, convenienceReal-time support
7,000 LOC are too much for such a crippled GUI!
Genode OS Framework - Components 21
Bottom-up approach
What do we really need in the GUI server?
Widgets? → NoFont support? → NoWindow decoration? → NoTextual command interface? → NoLook and feel, gradients, translucency? → NoHardware abstractions (e. g., color-space conversion)? → NoWindows displaying pixel buffers? → YESDistribution of input events? → YESSecure labeling? → YES
Genode OS Framework - Components 22
Buffers and views
Genode OS Framework - Components 23
User interaction
Input-event handling
Only one receiver of each input eventFocused view defines input routingRouting controlled by the user only
Genode OS Framework - Components 24
Client-side window handling
Report motion events to focused view while a button is pressed→ Client-side window policies (move, resize, stacking)→ Key for achieving low server-side complexity
Emergency break→ Special key regains control over misbehaving applications
Genode OS Framework - Components 25
Trusted path
It is not sufficient to label windows!
A Trojan Horse could present an image of a secure windowNot the secure window must be marked, but all others!
Revoke some degree of freedom from the clients
Dedicated screen area, reserved for the trusted GUIRevoking the ability to use the whole color space
→ X-Ray mode, activated by special key (x-ray key)
Genode OS Framework - Components 26
Trusted path (2)
Genode OS Framework - Components 27
Nitpicker results
Source-code complexity
GUI server Lines of code
X.org > 80,000Trusted X 30,000DOpE 12,000EWS 4,500Nitpicker < 2,000
Low performance overhead, no additional copyLow-complexity clients are possible (Scout: 4,000 LOC)
Genode OS Framework - Components 28
Nitpicker results (2)
Support for legacy softwareProtection against spywareHelps to uncover Trojan horsesLow source-code complexity
→ Poster child of a resource multiplexer
Genode OS Framework - Components 29
Outline
1. Classification of components
2. Kernelization example
3. Unified configuration concept
4. Session routing
5. Components overview
Genode OS Framework - Components 30
Traditional approaches to system configuration
Boot-loader configurationI vbeset command in GRUB menu.lst
Command line arguments specified to boot modules
Kernel command line
Custom configuration filesI Needs file providers, file name spaceI Varying syntax → parsing problems
Genode OS Framework - Components 31
Unified configuration concept
Genode OS Framework - Components 32
Unified configuration concept (II)
Genode OS Framework - Components 33
Unified configuration concept (III)
→ Uniform syntax
→ Extensible through custom tags at each level
→ XML parser adds less than 300 LOC to TCB
Genode OS Framework - Components 34
Outline
1. Classification of components
2. Kernelization example
3. Unified configuration concept
4. Session routing
5. Components overview
Genode OS Framework - Components 35
Session routing example
<config>
<parent-provides>
<service name="CAP"/>
<service name="LOG"/>
</parent-provides>
<start name="timer">
<resource name="RAM" quantum="1M"/>
<provides> <service name="Timer"/> </provides>
<route>
<service name="CAP"> <parent/> </service>
</route>
</start>
<start name="test-timer">
<resource name="RAM" quantum="1M"/>
<route>
<service name="Timer"> <child name="timer"/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
</config>
Genode OS Framework - Components 36
Using wildcards
<route>
<service name="ROM"> <parent/> </service>
<service name="RAM"> <parent/> </service>
<service name="RM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
</route>
generalized:
<route>
<any-service> <parent/> </any-service>
</route>
Genode OS Framework - Components 37
Combining wildcards with explicit routes
<route>
<service name="LOG"> <child name="nitlog"/> </service>
<any-service> <parent/> </any-service>
</route>
Genode OS Framework - Components 38
Useful routing template
<route>
<any-service> <parent/> </any-service>
<any-service> <any-child/> </any-service>
</route>
abbreviated:
<route>
<any-service> <parent/> <any-child/> </any-service>
</route>
Genode OS Framework - Components 39
Poly-instantiating the same binary
<start name="nit_fb">
...
<start name="nit_fb"> <!-- XXX ambiguous name! -->
...
ambiguity resolved:
<start name="nit_fb_1">
<binary name="nit_fb"/> <!-- binary name != process name -->
...
<start name="nit_fb_2"> <!-- unique name -->
<binary name="nit_fb"/>
...
Genode OS Framework - Components 40
Routing through hierarchies
Genode OS Framework - Components 41
Routing through hierarchies (2)
<config>
<parent-provides> ... </parent-provides>
<start name="timer"> <resource name="RAM" quantum="1M"/>
<provides> <service name="Timer"/> </provides>
<route> <service name="CAP"> <parent/> </service> </route>
</start>
<start name="init"> <resource name="RAM" quantum="1M"/>
<config>
<parent-provides>
<service name="Timer"/> <service name="LOG"/>
</parent-provides>
<start name="test-timer"> <resource name="RAM" quantum="1M"/>
<route> <service name="Timer"> <parent/> </service>
<service name="LOG"> <parent/> </service> </route>
</start>
</config>
<route> <service name="Timer"> <child name="timer"/> </service>
<any-service> <parent/> </any-service> </route>
</start>
</config>
Genode OS Framework - Components 42
Real-time priorities
Kernels provide static priorities
How to make the feature available?
Priorities have side effects on otherwise unrelated subsystemsPriority inversionPriority inversion + time-slice donation = hard-to-find bug
Genode OS Framework - Components 43
Real-time priorities (2)
Genode OS Framework - Components 44
Real-time priorities (3)
<config prio_levels="2">
...
<start name="init.1" priority="0">
...
<config prio_levels="4">
...
<!-- priority -1 results in platform priority 112 -->
<start name="init.11" priority="-1"> ... </start>
<!-- priority -2 results in platform priority 96 -->
<start name="init.12" priority="-2">
<config>
<start name="init.121"> ... </start>
</config>
</start>
</config>
</start>
<!-- priority -1 results in platform priority 64 -->
<start name="init.2" priority="-1"> ... </start>
</config>
Genode OS Framework - Components 45
Configuration concept in practice
DevelopmentWildcards are handyConcise configurations, easy to maintain
DeploymentUse explicit routes only→ Default deny→ Whitelist only permitted session types→ Mandatory access control
Absence of wildcards is easy to validate
Genode OS Framework - Components 46
Outline
1. Classification of components
2. Kernelization example
3. Unified configuration concept
4. Session routing
5. Components overview
Genode OS Framework - Components 47
Interfaces
LOG Unidirectional debug output
Terminal Bi-directional input and outputsynchronous bulk
Timer Facility to block the client
Input Obtain user inputsynchronous bulk
Framebuffer Display pixel buffersynchronous bulk
PCI Represents PCI bus, find and obtain PCI devices
Genode OS Framework - Components 48
Interfaces (2)
ROM Obtain read-only data modulesshared memory
Block Block-device accesspacket stream
File system File-system accesspacket stream
NIC Bi-directional transfer of network packets2 x packet stream
Audio out Audio outputpacket stream
Genode OS Framework - Components 49
Device drivers
Session type Location
Timer os/src/drivers/timer
Block os/src/drivers/atapi
os/src/drivers/ahci
os/src/drivers/sd card
dde linux/src/drivers/usb drv
Input os/src/drivers/input/ps2
dde linux/src/drivers/usb drv
Framebuffer os/src/drivers/framebuffer/vesa
os/src/drivers/framebuffer/sdl
os/src/drivers/framebuffer/pl11x
os/src/drivers/framebuffer/omap4
Audio out linux drivers/src/drivers/audio out
Terminal os/src/drivers/uart
NIC dde ipxe/src/drivers/nic
dde linux/src/drivers/usb drv
PCI os/src/drivers/pci
Genode OS Framework - Components 50
Resource multiplexers and protocol stacks
Session type Location
LOG os/src/server/terminal log
demo/src/server/nitlog
Framebuffer, demo/src/server/liquid framebuffer
Input os/src/server/nit fb
Nitpicker os/src/server/nitpicker
Terminal os/src/server/terminal crosslink
gems/src/server/terminal
gems/src/server/tcp terminal
Genode OS Framework - Components 51
Resource multiplexers and protocol stacks (2)
Session type Location
Audio out os/src/server/mixer
NIC os/src/server/nic bridge
ROM os/src/server/rom prefetcher
os/src/server/tar rom
os/src/server/iso9660
Block os/src/server/rom loopdev
os/src/server/part blk
gems/src/server/http block
File system os/src/server/ram fs
libports/src/server/ffat fs
Genode OS Framework - Components 52
Protocol-stack libraries
API Location
POSIX libports/lib/mk/libc.mk
libports/lib/mk/libc log.mk
libports/lib/mk/libc fs.mk
libports/lib/mk/libc rom.mk
libports/lib/mk/libc lwip.mk
libports/lib/mk/libc ffat.mk
libports/lib/mk/libc lock pipe.mk
libports/lib/mk/libc terminal.mk
Qt4 qt4/lib/mk/qt *
OpenGL libports/lib/mk/gallium.mk
Genode OS Framework - Components 53
Runtime environments
Runtime Location
Init os/src/init
Loader os/src/server/loader
L4Linux ports-foc/src/l4linux
L4Android ports-foc/src/l4android
OKLinux ports-okl4/src/oklinux
Vancouver ports/src/vancouver
Noux ports/src/noux
GDB Monitor ports/src/app/gdb monitor
Python libports/lib/mk/x86 32/python.mk
Lua libports/lib/mk/moon.mk
Genode OS Framework - Components 54
Thank you
What we covered todayComponents
1. Classification of components2. Kernelization of the GUI
server3. Unified configuration
concept4. Session routing5. Components overview
Coming up next...Compositions
1. Virtualization techniques2. Enslaving services3. Dynamic workloads
More information and resources:http://genode.org
Genode OS Framework - Components 55