Weiwei Jia,Cheng Wang,Xusheng Chen,Jianchen Shan,Xiaowei Shang,Heming Cui,Xiaoning Ding,Luwei Cheng,Francis C. M. Lau,Yuexuan Wang,Yuangang Wang

2018-01-01

Abstract:In clouds where CPU cores are time-shared by virtual CPUs (vCPU), vCPUs are scheduled and descheduled by the virtual machine monitor (VMM) periodically. In each virtual machine (VM), when its vCPUs running I/O bound tasks are descheduled, no I/O requests can be made until the vCPUs are rescheduled. These inactivity periods of I/O tasks cause severe performance issues, one of them being the utilization of I/O resources in the guest OS tends to be low during I/O inactivity periods. Worse, the I/O scheduler in the host OS could suffer from low performance because the I/O scheduler assumes that I/O tasks make I/O requests constantly. Fairness among the VMs within a host can also be at stake. Existing works typically would adjust the time slices of vCPUs running I/O tasks, but vCPUs are still descheduled frequently and cause I/O inactivity.Our idea is that since each VM often has active vCPUs, we can migrate I/O tasks to active vCPUs, thus mitigating the I/O inactivity periods and maintaining the fairness. We present VMIGRATER, which runs in the user level of each VM. It incorporates new mechanisms to efficiently monitor active vCPUs and to accurately detect I/O bound tasks. Evaluation on diverse real-world applications shows that VMIGRATER can improve I/O performance by up to 4.42X compared with default Linux KVM. VMIGRATER can also improve I/O performance by 1.84X to 3.64X compared with two related systems.

Gang Chen,Hai Jin,Deqing Zou,Bing,Weizhong Qiang,Gang Hu

DOI: https://doi.org/10.1109/cluster.2010.18

2010-01-01

Abstract:When multiple instances of an application running on multiple virtual machines, an interesting problem is how to utilize the fault handling result from one application instance to heal the same fault occurred on other sibling instances, and hence to ensure high service availability in a cloud computing environment. This paper presents SHelp, a lightweight runtime system that can survive software failures in the framework of virtual machines. It applies weighted rescue points and error virtualization techniques to effectively make applications by-pass the faulty path. A two-level storage hierarchy is adopted in the rescue point database for applications running on different virtual machines to share error handling information to reduce the redundancy and to more effectively and quickly recover from future faults caused by the same bugs. A Linux prototype is implemented and evaluated using four web server applications that contain various types of bugs. Our experimental results show that SHelp can make server applications to recover from these bugs in just a few seconds with modest performance overhead.

Kevin Elphinstone,Amirreza Zarrabi,Kent Mcleod,Gernot Heiser

DOI: https://doi.org/10.1145/3124680.3124727

2017-09-02

Abstract:In the paper, we argue that it is worthwhile to revisit building microkernel-based multiserver operating systems, and introduce a multiserver OS architecture. We argue that recent formal verification of microkernels provides a compelling platform for constructing general purpose systems, and that existing systems are not appropriate to take advantage of a formally verified microkernel. Our vision is of mostly-POSIX multiserver systems based on rump kernels, with a small set of fundamental services and frameworks. We expect the approach to provide a balance between componentisation, development effort, and legacy system compatibility. We present our initial efforts with a promising performance evaluation of a rump kernel running on seL4.

Kejiang Ye,Xiaohong Jiang,Deshi Ye,Dawei Huang

DOI: https://doi.org/10.1109/hpcc.2010.95

2010-01-01

Abstract:Virtualization brings many benefits such as improving system utilization and reducing cost through server consolidation. However, it also introduces isolation problem when running multiple virtual machine workloads in one physical platform. Additionally, with the advent of multi-core technology, more and more cores are built into one die in today's data center that will share and compete for the resource like cache. It's worthy to study the isolation of server consolidation in modern multi-core platform. However, to our knowledge there are few work done on the isolation property especially the fault isolation property when one of the virtual machine workloads is attacked in server consolidation. In this paper, we study the isolation property from performance perspective and provide two optimization methods to improve the isolation property. We first define the isolation property and quantify the performance isolation in consolidation and propose a VM-level optimization method. Then we study the fault isolation by introducing a misbehavior virtual machine in server consolidation scenario and propose a core-level cache-aware optimization method to improve the fault isolation. Experimental results show that our two optimization methods can effectively improve the performance isolation and fault isolation with 29.39% and 19.52% respectively. What's more, Oprofile/Xenoprof toolkits are used to find out the factors affecting isolation property from the hardware events level.

Hao Fu,Ming Cai,Wenmin Zhu,Zhongdong Huang,Jinxiang Dong

DOI: https://doi.org/10.1109/CSCWD.2007.4281405

2007-01-01

Abstract:Hybrid P2P technique recently has become more and more popular for collaborative systems. However, reliability is issue of major importance in the server end of these systems. TMR technique for Collaborative System (CS-TMR) is presented in this paper to improve the server reliability. This software schema incorporates three homogeneous microcomputers and provides the fault-tolerant function through package interfaces to server applications. As it is COS-based, the method is more general-purpose, and programmers need not pay too much attention to the fault tolerance technology in detail. This method helps the collaborative server work in normal and degraded (duple or even single modular) modes, and can tolerate transient or permanent faults. Meanwhile, due to the importance of the server in hybrid P2P server, server application upgrade is impossible without server stop. A novel seamless software upgrade method is brought forward through the intelligent state-transition-control in CS-TMR package to reduce the cost of software upgrade.

Dong Du,Zhichao Hua,Yubin Xia,Binyu Zang,Haibo Chen

DOI: https://doi.org/10.1145/3307650.3322218

2019-01-01

Abstract:Microkernel has many intriguing features like security, fault-tolerance, modularity and customizability, which recently stimulate a resurgent interest in both academia and industry (including seL4, QNX and Google's Fuchsia OS). However, IPC (inter-process communication), which is known as the Achilles' Heel of microkernels, is still the major factor for the overall (poor) OS performance. Besides, IPC also plays a vital role in monolithic kernels like Android Linux, as mobile applications frequently communicate with plenty of user-level services through IPC. Previous software optimizations of IPC usually cannot bypass the kernel which is responsible for domain switching and message copying/remapping; hardware solutions like tagged memory or capability replace page tables for isolation, but usually require non-trivial modification to existing software stack to adapt the new hardware primitives. In this paper, we propose a hardware-assisted OS primitive, XPC (Cross Process Call), for fast and secure synchronous IPC. XPC enables direct switch between IPC caller and callee without trapping into the kernel, and supports message passing across multiple processes through the invocation chain without copying. The primitive is compatible with the traditional address space based isolation mechanism and can be easily integrated into existing microkernels and monolithic kernels. We have implemented a prototype of XPC based on a Rocket RISC-V core with FPGA boards and ported two microkernel implementations, seL4 and Zircon, and one monolithic kernel implementation, Android Binder, for evaluation. We also implement XPC on GEM5 simulator to validate the generality. The result shows that XPC can reduce IPC call latency from 664 to 21 cycles, up to 54.2x improvement on Android Binder, and improve the performance of real-world applications on microkernels by 1.6x on Sqlite3 and 10x on an HTTP server with minimal hardware resource cost.

A.S. Tanenbaum,J.N. Herder,H. Bos

DOI: https://doi.org/10.1109/mc.2006.156

2006-05-01

Computer

Abstract:Microkernels long discarded as unacceptable because of their lower performance compared with monolithic kernels might be making a comeback in operating systems due to their potentially higher reliability, which many researchers now regard as more important than performance. Each of the four different attempts to improve operating system reliability focuses on preventing buggy device drivers from crashing the system. In the Nooks approach, each driver is individually hand wrapped in a software jacket to carefully control its interactions with the rest of the operating system, but it leaves all the drivers in the kernel. The paravirtual machine approach takes this one step further and moves the drivers to one or more machines distinct from the main one, taking away even more power from the drivers. Both of these approaches are intended to improve the reliability of existing (legacy) operating systems. In contrast, two other approaches replace legacy operating systems with more reliable and secure ones. The multiserver approach runs each driver and operating system component in a separate user process and allows them to communicate using the microkernel's IPC mechanism. Finally, Singularity, the most radical approach, uses a type-safe language, a single address space, and formal contracts to carefully limit what each module can do.

computer science, software engineering, hardware & architecture

Yanyan Shen,Kevin Elphinstone

DOI: https://doi.org/10.1109/EDCC.2015.16

2015-01-01

Abstract:Trustworthy isolation is required to consolidate safety and security critical software systems on a single hardware platform. Recent advances in formally verifying correctness and isolation properties of a microkernel should enable mutually distrusting software to co-exist on the same platform with a high level of assurance of correct operation. However, commodity hardware is susceptible to transient faults triggered by cosmic rays, and alpha particle strikes, and thus may invalidate the isolation guarantees, or trigger failure in isolated applications. To increase trustworthiness of commodity hardware, we apply redundant execution techniques from the dependability community to a modern microkernel. We leverage the hardware redundancy provided by multicore processors to perform transient fault detection for applications and for the microkernel itself. This paper presents the mechanisms and framework for microkernel based systems to implement redundant execution for improved trustworthiness. It evaluates the performance of the resulting system on x86-64 and ARM platforms.

Jinyu Gu,Xinyue Wu,Wentai Li,Nian Liu,Zeyu Mi,Yubin Xia,Haibo Chen

2020-01-01

Abstract:This paper presents UnderBridge, a redesign of traditional microkernel OSes to harmonize the tension between messaging performance and isolation. UnderBridge moves the OS components of a microkernel between user space and kernel space at runtime while enforcing consistent isolation. It retrofits Intel Memory Protection Key for Userspace (PKU) in kernel space to achieve such isolation efficiently and design a fast IPC mechanism across those OS components. Thanks to PKU's extremely low overhead, the inter-process communication (IPC) roundtrip cost in UnderBridge can be as low as 109 cycles. We have designed and implemented a new microkernel called ChCore based on UnderBridge and have also ported UnderBridge to three mainstream microkernels, i.e., seL4, Google Zircon, and Fiasco.OC. Evaluations show that UnderBridge speeds up the IPC by 3.0× compared with the state-of-the-art (e.g., SkyBridge) and improves the performance of IPC-intensive applications by up to 13.1× for the above three microkernels.

Yubin Xia,Dong Du,Zhichao Hua,Binyu Zang,Haibo Chen,Haibing Guan

DOI: https://doi.org/10.1145/3532861

2021-01-01

ACM Transactions on Computer Systems

Abstract:IPC (inter-process communication) is a critical mechanism for modern OSes, including not only microkernels such as seL4, QNX, and Fuchsia where system functionalities are deployed in user-level processes, but also monolithic kernels like Android where apps frequently communicate with plenty of user-level services. However, existing IPC mechanisms still suffer from long latency. Previous software optimizations of IPC usually cannot bypass the kernel that is responsible for domain switching and message copying/remapping across different address spaces; hardware solutions such as tagged memory or capability replace page tables for isolation, but usually require non-trivial modification to existing software stack to adapt to the new hardware primitives. In this article, we propose a hardware-assisted OS primitive, XPC (Cross Process Call), for efficient and secure synchronous IPC. XPC enables direct switch between IPC caller and callee without trapping into the kernel and supports secure message passing across multiple processes without copying. We have implemented a prototype of XPC based on the ARM AArch64 with Gem5 simulator and RISC-V architecture with FPGA boards. The evaluation shows that XPC can reduce IPC call latency from 664 to 21 cycles, 14×–123× improvement on Android Binder (ARM), and improve the performance of real-world applications on microkernels by 1.6× on Sqlite3.

于淑英,黄皓,刘国斌

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.01.064

2009-01-01

Computer Science

Abstract:To avoid the security mechanism applied in operating systems being bypassed or tampered,this paper proposed the use of micro-kernel,multiserver architecture to assure the integrity of security kernel.Process isolation and message passing provided by the micro-kernel make the processes above isolated and protect the integrity of them effectively.Simplicity and modularity,the most obvious advantages of micro-kernel,laid an excellent base for the future formal verification.The prototype operating system,Nutos,was presented as an example on how to use these mechanisms to enforce security.It combined the multiserver architecture and the Flask security infrastructure to provide for flexibi-lity in security policies and integrity assurance for security sever and reference monitor.

Zhiyong Shan,Yang Yu,Tzi-cker Chiueh

DOI: https://doi.org/10.48550/arXiv.1609.04781

2016-09-15

Operating Systems

Abstract:As OS-level virtualization technology usually imposes little overhead on virtual machine start-up and running, it provides an excellent choice for building intrusion/fault tolerant applications that require redundancy and frequent invocation. When developing Windows OS-level virtual machine, however, people will inevitably face the challenge of confining Windows Inter-Process Communications (IPC). As IPC on Windows platform is more complex than UNIX style OS and most of the programs on Windows are not open-source, it is difficult to discover all of the performed IPCs and confine them. In this paper, we propose three general principles to confine IPC on Windows OS and a novel IPC confinement mechanism based on the principles. With the mechanism, for the first time from the literature, we successfully virtualized RPC System Service (RPCSS) and Internet Information Server (IIS) on Feather-weight Virtual Machine (FVM). Experimental results demonstrate that multiple IIS web server instances can simultaneously run on single Windows OS with much less performance overhead than other popular VM technology, offering a good basis for constructing dependable system.

Zeyu Mi,Haoqi Zhuang,Binyu Zang,Haibo Chen

DOI: https://doi.org/10.1109/tc.2021.3130751

IF: 3.183

2022-01-01

IEEE Transactions on Computers

Abstract:IPC (Inter-Process Communication) is a widely used operating system (OS) technique that allows one process to invoke the services of other processes. The IPC participants may share the same OS (internal IPC) or use a separate OS (external IPC). Even though a long line of researches has optimized the performance of IPC, it is still a major factor of the run-time overhead of IPC-intensive applications. Furthermore, there is no one-size-fits-all solution for both internal and external IPC. This paper presents SkyBridge, a general communication technique designed and optimized for both types of IPC. SkyBridge requires no involvement of the privileged software (the kernel or the hypervisor) and enables a process to directly switch to the virtual address space of the target process, regardless of whether they are running on the same OS or not. We have implemented SkyBridge on two microkernels (seL4 and Google Zircon) as well as an open-source serverless hypervisor (Firecracker). The evaluation results show that SkyBridge improves the latency of internal IPC and external IPC by up to 19.6x and 1265.7x, respectively.

Cheng Zhonghan,Xu Xin,Huang Hao,Zhu Runsheng

DOI: https://doi.org/10.1049/cje.2015.04.007

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:The trends of exponential growing core counts incur new requirements on operating systems. The contemporary monolithic OSs protect shared kernel data by locking in multicore environment. However, the lock contention of OS functions may lead to overall performance degradation. This paper adopts microkernel architecture for scalability concerns, since it has flexibilities for the management of computing resources and explicit data layout to avoid locking. We present a scalable Memory management service（MMS） based on microkernel OS. The physical memory is distributed into servers to remove the lock contention over page pools. Then we discuss the new problems, including load balance and "distributed memory fragmentation". MMS is divided into one master and multiple slaves. The master is a coordinator for adjusting loads and routing requests with a global memory view,while the slaves are responsible for the management of distributed page zones and virtual memory areas. The experimental results show that MMS achieves better scalability than Linux on a 32-core machine.

Peng Zhou,De-Cheng Zuo,Kun-Mean Hou,Zhan Zhang,Hong-Ling Shi

DOI: https://doi.org/10.2991/icwcsn-16.2017.92

2017-01-01

Abstract:Cyber Physical Systems (CPS) is regarded as a new technological revolution, which tightly integrates computing, communication, and control technologies, to build a kind of smart networked distributed embedded control system. CPS is designed to interact autonomously with the volatile external environment, which implies that the requirements is constantly changing during run-time. So guaranteeing the reliability of system becomes extremely difficult. Flexible self-healing mechanisms are needed urgently to improve the reliability and availability of CPS. This paper presents a light-weight container-based virtualization for event-driven CPS. By providing a unique run-time stack for each application, the container isolates faults and limits the effect of failures. Furthermore, a multilevel fault detection and recovery method is integrated to protect applications and to limit the fault propagation. And the analysis shows the container has very low memory footprint (939 bytes) and constant performance overhead. Also the testing manifests that the multilevel recovery is high reliable on WCET violation failure recovery even if the application is not well designed or malicious.

Jianbao Ren,Yong Qi,Yue-hua Dai,Xuan Yu

DOI: https://doi.org/10.1109/paap.2011.41

2011-01-01

Abstract:Running multi-OS on a physical machine is the major method to improve the utilization of computer. With the widely use of virtualization technology in cloud computing, the efficiency of inter-domain communication becomes the key factor for performance of distributed applications especially for some network-intensive applications. The communication synchronous mechanism used by traditional VMM is based on asynchronous signal provided by VMM and often leads to high latency, low performance. In this paper, we design and implement a communication mechanism named OSVSocket which uses inter-processor interruption(IPI) to synchronize and eliminate some useless packet check. We use shared-memory to reduce the time for data copying. Our prototype is implemented on a X86 VMM which is developed by ourselves. The experiment shows that OSVSocket has lower latency and higher performance compared with UNIX IPC.

Hong Mei,Gang Huang,Tiancheng Liu,Junguo Li

2007-01-01

International Journal of Software and Informatics

Abstract:Being the most popular runtime infrastructure for distributed systems, middleware can be viewed as a collection of common services. Since the development, deployment and maintenance of distributed systems rely largely on middleware services, the failure of middleware services puts a significant impact on the reliability and availability of the whole system. Though recovery-based fault tolerance is an effective way to improve the reliability of middleware services, it is far away from practice mainly because of the high complexity and cost of the recovery of correlated failures between interdependent services. In this paper, a framework for detecting and recovering the correlated failures of middleware services in an automated way is presented. First, the problem is investigated from two perspectives, i.e., analyzing the role and impact of middleware services and illustrating a set of correlated failures in J2EE standard services as motivating examples. Then, a general coordinated recovery model is constructed with the elements necessary and sufficient for detecting and recovering correlated failures in middleware services. The supporting framework is demonstrated on three J2EE application servers, i.e., PKUAS, JBoss and JOnAS, one by one without fundamental modifications. Finally, based on the three enhanced application servers, many cases on J2EE common services, including the transaction service, database service, naming and directory service, security service and messaging service, are studied. The experiment results show the effectiveness and applicability of the framework presented in this paper.

Hao Zheng,Xiaoshe Dong,Endong Wang,Baoke Chen,Nan Wu,Xingjun Zhang

DOI: https://doi.org/10.1109/snpd.2013.64

2013-01-01

Abstract:With the development of virtualization technologies, the server resources are maximized by integrating multiple operating systems into a high-performance server. So the server is possible to provide services to more users simultaneously. However, the driver fault still impacts the reliability of the operating system in the virtual machine, and impacts the continuity and stability of services. This paper proposes a architecture to improve the reliability of the virtual machine environments. By monitoring the driver's memory usage, the architecture creates the authorization table. Through setting the corresponding shadow page table in the virtual machine manager of the whole kernel space of the virtual machine, the architecture captures the write operation of the virtual machine. Combing with the authorization table, the correctness of the writing operations can be determined. Our architecture needn't to modify the drivers and is easy to develop. Experimental results show that the architecture can effectively isolate the driver faults, and improve the reliability of the virtual machine environments.

Xianjun Sun,Chuang Lin,Yixin Jiang,Weidong Liu,Xiaowen Chu

DOI: https://doi.org/10.1109/ICC.2010.5501978

2010-01-01

Abstract:Intricate malware can result in the failure of on-line Comprehensive Protection (CP) in distributed systems, and place the system in an unsafe state which is difficult to recover from. There lacks an effective scheme to defend against this extreme attack. In this paper, based on the Two-layer Protection and Co-operative Recovery (TPCRS) mechanism, we propose an efficient survivable scheme against malware attacks in distributed systems. The basic strategy is to deploy an Emergency Response/Recovery (ER) agent at each node to recognize the state of the system whenever the CP fails, and to carry out cooperative security among multiple nodes so that the infected nodes can be rapidly recovered. Furthermore, a Preventive Maintenance (PM) model is adopted to enhance the reliability of the distributed system. Si-mulation results demonstrate the practicality and efficiency of the proposed schemes.

Jin-Biao YANG,Xiang-Lan CHEN

2016-01-01

Abstract:Computer systems require high reliability in space environment. Contrary to limited storage space for embedded real-time systems, considering the memory reliability and Fault-tolerant task, we propose a two level of fault-tolerant solution. The program consists of a periodic memory detecting and an error correcting mechanism of system-level and an improved master/slave version scheduling mechanisms of task-level. The experimental verification of the program is carried out in an embedded operating system named MiniCore which based on a service body/execution flow model (SEFM). The introduction of fault-tolerant mechanism increases the code size of MiniCore kernel by 33% and ensures the accuracy of the memory data, with the system's time performance declining slightly and the success rate and scheduling performance of task execution improving significantly.