DOI: 10.1145/1095810.1095814

Mondrix: Memory Isolation for Linux Using Mondriaan Memory Protection

Published: 20 October 2005

Abstract

This paper presents the design and an evaluation of Mondrix, a version of the Linux kernel with Mondriaan Memory Protection (MMP). MMP is a combination of hardware and software that provides efficient fine-grained memory protection between multiple protection domains sharing a linear address space. Mondrix uses MMP to enforce isolation between kernel modules, which helps detect bugs, limits their damage, and improves kernel robustness and maintainability. During development, MMP exposed two kernel bugs in common, heavily tested code, and during fault-injection experiments it prevented three of five file system corruptions.

The Mondrix implementation demonstrates how MMP can bring memory isolation to modules that already exist in a large software application. It shows the benefit of isolation for robustness and for error detection and prevention, while validating previous claims that the protection abstractions MMP offers are a good fit for software. This paper describes the design of the memory supervisor, the kernel module that implements permissions policy.

We present an evaluation of Mondrix using full-system simulation of large kernel-intensive workloads. Experiments with several benchmarks in which MMP was used extensively indicate that the additional space taken by the MMP data structures reduces the kernel's free memory by less than 10%, and that the kernel's runtime increases by less than 15% relative to an unmodified kernel.
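What "fine-grained protection between protection domains sharing a linear address space" buys over ordinary page-table protection, as an added example in C (this is not the paper's hardware, nor code from Mondrix): each protection domain carries its own word-granularity permission table, every load and store is checked against the current domain's table rather than the page table, and a supervisor grants regions by policy. Two hypothetical kernel modules share a single 4 KiB page, which a page-based MMU could not split between them; a stray write from one module into the other's private data, and a write to a buffer the writer may only read, are both caught before reaching memory. Domain ids, region sizes, module names and the 2-bit permission encoding are assumptions of this example, not facts from the paper.

```c
/*
 * Software model of MMP-style word-granularity protection domains.
 * Added example only: this is not the paper's hardware, nor Mondrix code.
 * Domain ids, region sizes, module names and the 2-bit permission
 * encoding below are this example's own assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-word permission, 2 bits per word (encoding assumed for the example). */
enum perm { PERM_NONE = 0, PERM_RO = 1, PERM_RW = 2, PERM_EX = 3 };

#define MEM_WORDS   1024   /* 1024 x 32-bit words = 4 KiB: one page on a 4 KiB-page MMU */
#define MAX_DOMAINS 4

/* One permission table per protection domain, packed 4 words per byte. */
struct domain { uint8_t perms[MEM_WORDS / 4]; };

struct mmp {
    uint32_t      mem[MEM_WORDS];       /* the shared linear address space */
    struct domain dom[MAX_DOMAINS];     /* permission tables, one per domain */
    int           faults;               /* protection faults raised so far */
};

static enum perm get_perm(const struct domain *d, size_t w) {
    return (enum perm)((d->perms[w / 4] >> ((w % 4) * 2)) & 3u);
}

static void set_perm(struct domain *d, size_t w, enum perm p) {
    unsigned shift = (unsigned)(w % 4) * 2;
    d->perms[w / 4] = (uint8_t)((d->perms[w / 4] & ~(3u << shift)) | ((unsigned)p << shift));
}

/* Memory-supervisor policy call: give domain `id` permission `p` on words [start, start+len). */
int mmp_grant(struct mmp *m, int id, size_t start, size_t len, enum perm p) {
    if (id < 0 || id >= MAX_DOMAINS || len > MEM_WORDS || start > MEM_WORDS - len)
        return -1;
    for (size_t w = start; w < start + len; w++)
        set_perm(&m->dom[id], w, p);
    return 0;
}

/* Every load and store is checked against the *current domain's* table,
 * so two modules sharing one page still get different views of it. */
int mmp_load(struct mmp *m, int id, size_t w, uint32_t *out) {
    if (w >= MEM_WORDS || get_perm(&m->dom[id], w) == PERM_NONE) {
        m->faults++;
        return -1;
    }
    *out = m->mem[w];
    return 0;
}

int mmp_store(struct mmp *m, int id, size_t w, uint32_t v) {
    if (w >= MEM_WORDS || get_perm(&m->dom[id], w) != PERM_RW) {
        m->faults++;
        return -1;          /* the write never reaches memory */
    }
    m->mem[w] = v;
    return 0;
}

static struct mmp g;        /* one simulated machine for the scenario below */

/* Scenario (constructed): two kernel modules, "fs" (domain 1) and "net"
 * (domain 2), live in the same 4 KiB page. Returns the fault count. */
int demo_cross_module_write(void) {
    const int FS = 1, NET = 2;
    uint32_t v = 0;
    memset(&g, 0, sizeof g);

    mmp_grant(&g, FS,    0, 256, PERM_RW);   /* fs private data: words 0..255    */
    mmp_grant(&g, NET, 256, 256, PERM_RW);   /* net private data: words 256..511 */
    mmp_grant(&g, FS,  512,  16, PERM_RW);   /* fs exports a 16-word buffer...   */
    mmp_grant(&g, NET, 512,  16, PERM_RO);   /* ...that net may only read        */

    mmp_store(&g, FS,  512, 0xC0FFEE);       /* fs fills the shared buffer   (ok)    */
    mmp_load (&g, NET, 512, &v);             /* net reads it                 (ok)    */
    mmp_store(&g, NET, 300, v);              /* net writes its own data      (ok)    */
    mmp_store(&g, NET,  10, 0xBAD);          /* stray write into fs private  (fault) */
    mmp_store(&g, NET, 512, 0xBAD);          /* write to read-only buffer    (fault) */
    return g.faults;
}

uint32_t demo_mem(size_t w) { return w < MEM_WORDS ? g.mem[w] : 0; }

int main(void) {
    int faults = demo_cross_module_write();
    printf("faults=%d word[10]=%#x word[300]=%#x word[512]=%#x\n", faults,
           (unsigned)demo_mem(10), (unsigned)demo_mem(300), (unsigned)demo_mem(512));
    return faults == 2 ? 0 : 1;
}
```

The point of the model is the check in mmp_store: the fault is raised and the store is dropped before memory changes, which is the behaviour that let MMP catch the file-system corruptions described in the abstract. A real implementation also has to decide what happens on a fault (the abstract's memory supervisor owns that policy) and must keep the permission tables themselves writable only by the supervisor, neither of which this model shows.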

Published In

SOSP '05: Proceedings of the Twentieth ACM Symposium on Operating Systems Principles
October 2005, 259 pages
ISBN: 1595930795
DOI: 10.1145/1095810

Also in: ACM SIGOPS Operating Systems Review, Volume 39, Issue 5 (SOSP '05), December 2005, 290 pages
ISSN: 0163-5980
DOI: 10.1145/1095809
Publisher

Association for Computing Machinery, New York, NY, United States



Author Tag

  1. fine-grained memory protection

Conference

SOSP '05

Acceptance Rates

Overall acceptance rate: 174 of 961 submissions, 18%


Cited By

  • (2024) SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions. Proceedings of the 2024 on Cloud Computing Security Workshop, pp. 80-94. DOI: 10.1145/3689938.3694781. Online publication date: 19 Nov 2024.
  • (2024) Toast: A Heterogeneous Memory Management System. Proceedings of the 2024 International Conference on Parallel Architectures and Compilation Techniques, pp. 53-65. DOI: 10.1145/3656019.3676944. Online publication date: 14 Oct 2024.
  • (2023) DOPE: DOmain Protection Enforcement with PKS. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 662-676. DOI: 10.1145/3627106.3627113. Online publication date: 4 Dec 2023.
  • (2023) Accelerating Extra Dimensional Page Walks for Confidential Computing. Proceedings of the 56th Annual IEEE/ACM International Symposium on Microarchitecture, pp. 654-669. DOI: 10.1145/3613424.3614293. Online publication date: 28 Oct 2023.
  • (2023) ISA-Grid: Architecture of Fine-grained Privilege Control for Instructions and Registers. Proceedings of the 50th Annual International Symposium on Computer Architecture, pp. 1-15. DOI: 10.1145/3579371.3589050. Online publication date: 17 Jun 2023.
  • (2023) EC: Embedded Systems Compartmentalization via Intra-Kernel Isolation. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2990-3007. DOI: 10.1109/SP46215.2023.10179285. Online publication date: May 2023.
  • (2021) μSCOPE: A Methodology for Analyzing Least-Privilege Compartmentalization in Large Software Artifacts. Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 296-311. DOI: 10.1145/3471621.3471839. Online publication date: 6 Oct 2021.
  • (2021) SCALPEL: Exploring the Limits of Tag-enforced Compartmentalization. ACM Journal on Emerging Technologies in Computing Systems 18(1), pp. 1-28. DOI: 10.1145/3461673. Online publication date: 29 Sep 2021.
  • (2020) Harmonizing performance and isolation in microkernels with efficient intra-kernel isolation and communication. Proceedings of the 2020 USENIX Conference on Usenix Annual Technical Conference, pp. 401-417. DOI: 10.5555/3489146.3489173. Online publication date: 15 Jul 2020.
  • (2020) Efficiently mitigating transient execution attacks using the unmapped speculation contract. Proceedings of the 14th USENIX Conference on Operating Systems Design and Implementation, pp. 1139-1154. DOI: 10.5555/3488766.3488830. Online publication date: 4 Nov 2020.
