Scribd Logo
Importer

Bienvenue sur Scribd !

  • Safety in Systemtap: Discussion Notes

    Transféré par

    savio77
    11 vues11 pages
    apr

    Titre original

    Safety April2005

    Copyright

    © © All Rights Reserved

    Formats disponibles

    PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    apr

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    11 vues11 pages

    Safety in Systemtap: Discussion Notes

    Transféré par

    savio77
    apr

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 11

    Safety in Systemtap Intel Corporation

    1
    Safety in Systemtap
    Discussion Notes
    Brad Chen
    Intel Corporation
    20 April 2005
    Safety in Systemtap Intel Corporation
    2
    Outline
    Goals
    Feature List
    Design Overview
    Possible Enhancements
    Open Questions
    Safety in Systemtap Intel Corporation
    3
    Goals
    Systemtap should be:
    crash-proof
    easy to program/debug
    easy to trust
    at least as safe as comparable systems on
    other platforms
    These are goals, not requirements.
    Systemtap should have escape to disable
    certain safety features as required for kernel
    debugging.
    Safety in Systemtap Intel Corporation
    4
    Feature Review
    Instruction restrictions
    division by zero
    illegal instructions
    privileged instructions
    Control flow restrictions
    infinite loops
    recursion
    kernel subroutines
    Memory bug protection
    array bounds errors
    invalid pointer errors
    heap memory bugs
    Memory restrictions
    memory read/write
    restrictions
    Version alignment
    End-to-end safety
    Separate safety policy
    from mechanism
    Note: Checks applied to compiled script only. Runtime assumed safe.
    Safety in Systemtap Intel Corporation
    5
    Design Overview
    Language Design
    | Language Implementation
    | | insmod checks
    | | | Runtime Checks
    | | | | Memory Portal
    | | | | | Static Validator
    | | | | | |
    infinite loops x x o
    recursion x x o
    division by zero x x o
    array bounds errors x x o
    invalid pointer errors x o
    heap memory bugs x o
    illegal instructions x x
    privileged instructions x x
    memory read/write restrictions x x o o
    memory execute restrictions x x o o
    version alignment x
    end-to-end safety x x
    separate policy from mechanism x
    Safety in Systemtap Intel Corporation
    6
    Possible Enhancements
    Safety in Systemtap Intel Corporation
    7
    Static Validator
    Disassemble .ko before loading
    Check unrecognized code for conformance to
    safety rules
    instruction restrictions
    control flow restrictions
    memory reference restrictions
    Recognize runtime and accept as safe
    Caveat: may need to restrict binaries to make
    them checkable
    optimization flags
    Safety in Systemtap Intel Corporation
    8
    Static Validator Demonstration
    Safety in Systemtap Intel Corporation
    9
    Memory Portal
    A special-purpose interpreter
    Policy is provided independently of script
    Portal validates memory references with
    respect to policy, accept or reject
    Checks applied to compiled script only.
    Runtime assumed safe
    Check data and code memory references
    Optionally, static checker could verify that
    portal is being used
    Safety in Systemtap Intel Corporation
    10
    Memory Portal Policy Examples
    Systemtap default
    all reads okay
    no external writes
    no external calls
    Guru mode
    all reads okay
    all writes okay
    external calls okay
    UID protection
    restrict reads by UID
    no external writes
    no external calls
    Script-specific policy
    permit writes to a list of
    data structures or
    address range
    permit calls to a list of
    kernel subroutines
    Note: Checks applied to compiled script only. Runtime assumed safe.
    Safety in Systemtap Intel Corporation
    11
    Open Questions
    How to position the script validator
    Separation of safety policy from mechanism
    Do we want to use a memory portal?
    If not, do we want to make a different plan?
    Do tapset authors need the same safety
    features as script authors?
    use of C and asm
    external calls
    native libraries

    Vous aimerez peut-être aussi