seL4 microkernel operating system: an early summary (2018.10)

Thank you for reading; I hope you find this analysis helpful. If you find errors in this article, or a newer seL4 version changes or adds features, please send me an email ([email protected]) so that I can update it. Given the amount of material, some terms are inevitably hard to follow on first reading; every non-public term that appears is clarified later, so please read patiently.

seL4 review: arguably a microkernel built around privilege control

---------- seL4 related concepts ----------

1. Since the official seL4 documentation does not distinguish between Thread and Process, the term thread is used throughout the following.

2. Regarding rights, seL4 expresses a capability's rights with three basic elements: Read, Write and Grant (the right to grant, i.e. transfer, the capability).

// seL4_CapRights_new(grant, read, write): each argument is one right bit
#define seL4_ReadWrite seL4_CapRights_new(0, 1, 1)
#define seL4_AllRights seL4_CapRights_new(1, 1, 1)
#define seL4_CanRead   seL4_CapRights_new(0, 1, 0)
#define seL4_CanWrite  seL4_CapRights_new(0, 0, 1)
#define seL4_CanGrant  seL4_CapRights_new(1, 0, 0)
#define seL4_NoWrite   seL4_CapRights_new(1, 1, 0)
#define seL4_NoRead    seL4_CapRights_new(1, 0, 1)
#define seL4_NoRights  seL4_CapRights_new(0, 0, 0)

 

3. Explicit access control

seL4's authority control is explicit: every seL4 operation (hereinafter, the basic services seL4 provides) can only be performed when the relevant capability is present in the thread's CSpace.

 

4. Rights: Grant

In seL4, capabilities held in CNode slots can be copied and moved. Because copying a capability produces a derived child capability, the capabilities form a tree. Accordingly CSpace, i.e. the organization of CNodes, forms a graph.

 

5. Threads, VSpace and CSpace

Creating a thread also creates its VSpace and CSpace. VSpace is the virtual address space; CSpace is the Capability Space, which provides the basis for seL4's comprehensive, capability-based control in the kernel.

6. Thread IPC Buffer

Thread-to-thread communication, and communication with the kernel, relies on the IPC Buffer, which is attached when the thread is created; IPC is built on it. A thread with no IPC Buffer set cannot communicate externally.

 

7. Memory management

seL4 can only allocate memory in sizes that are powers of two (2^n) and no smaller than 16 bytes.

 

8. Sizes of general, platform-independent memory objects

n-bit Untyped object: 2^n bytes (n >= 4)
n-bit CNode object: 16 * 2^n bytes (n >= 2)
Endpoint object: 16 bytes
Notification object: 16 bytes
IRQ Control: --
IRQ Handler: --

 

9. Other, platform-dependent objects

TCB object: usually 1KB / 512 bytes
Page-table related objects
ASID related objects

---------- seL4 glossary ----------

 

1. Capability: a complex, information-rich permission (probably the essential concept of seL4, since everything in seL4 is built out from it). Each thread has not only an address space (VSpace) but also a Capability Space.

When a thread wants to invoke a system function, it does so by invoking the capability in its capability space that refers to that function (for example, IPC invokes an endpoint capability).

 

2. CNode (capability node)

The basic container of Capabilities. The number of slots it owns (a power of two) is fixed when it is created; slots hold Capabilities. A Capability may itself refer to a deeper CNode, so a graph forms. Consequently, when a Capability in a parent CNode is revoked, the Capabilities derived from it in its children are recursively revoked as well.

 

3. TCB: Thread Control Block, in the usual sense.

 

4. Endpoint

Provides support for inter-thread communication (see IPC for details).

 

5. Notification: a general signalling mechanism, which can also be polled.

 

6. Untyped Memory

Untyped memory can be retyped (Untyped Retype) into any of the memory object types seL4 defines.

 

7. CDT (capability derivation tree)

Tracks, for each copied capability, the capability it was derived from.

Although the CDT is an independent concept, in the actual implementation it is part of the CNode object (it may be implemented inside the CNode data structure).

seL4_Untyped_Retype();  // roughly: obtain memory by retyping untyped memory
seL4_CNode_Mint();      // copy a capability between CNode slots (may reduce rights)
seL4_CNode_Copy();      // copy a capability between CNode slots
seL4_CNode_Mutate();    // move a capability between CNode slots (may reduce rights)

All of the functions above produce child capabilities, which the CDT tracks.
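As an added illustration (not seL4's own code), the following C model captures what the rights macros in section 2 and the CDT described here imply: a Mint can only mask rights, never add them, and revoking a capability recursively removes every capability derived from it. The slot table, the object id and the scenario in cap_demo_setup are constructed for the example.

```c
/* Added model (not seL4's own code): a derived capability can only lose rights, and
 * revoking a capability recursively removes everything derived from it (the CDT).
 * Rights follow the page's seL4_CapRights_new(grant, read, write) field order. */
#include <stdbool.h>
#define MAX_SLOTS 16
typedef struct { bool grant, read, write; } rights_t;
/* One CNode slot in the model: object id, rights, CDT parent slot (-1 = original). */
typedef struct { int obj; rights_t rights; int parent; bool live; } slot_t;
static slot_t slots[MAX_SLOTS];   /* constructed slot table, all empty at start */
rights_t rights_new(bool g, bool r, bool w) { rights_t x = { g, r, w }; return x; }
/* Derivation can only mask rights: child = parent AND requested. */
rights_t rights_mask(rights_t p, rights_t q) {
    return rights_new(p.grant && q.grant, p.read && q.read, p.write && q.write);
}
static int first_free(void) {
    for (int i = 0; i < MAX_SLOTS; i++) if (!slots[i].live) return i;
    return -1;
}
int cap_create(int obj, rights_t r) {   /* original cap, as Untyped_Retype yields */
    int s = first_free();
    if (s >= 0) slots[s] = (slot_t){ obj, r, -1, true };
    return s;
}
/* seL4_CNode_Mint-style derivation: copy with masked rights, parent kept in the CDT. */
int cap_mint(int src, rights_t req) {
    if (src < 0 || src >= MAX_SLOTS || !slots[src].live) return -1;
    int s = first_free();
    if (s >= 0) slots[s] = (slot_t){ slots[src].obj, rights_mask(slots[src].rights, req), src, true };
    return s;
}
/* Revoke: delete a capability and, recursively, every CDT child; returns count removed. */
int cap_revoke(int s) {
    if (s < 0 || s >= MAX_SLOTS || !slots[s].live) return 0;
    int n = 1;
    for (int i = 0; i < MAX_SLOTS; i++)
        if (slots[i].live && slots[i].parent == s) n += cap_revoke(i);
    slots[s].live = false;
    return n;
}
bool cap_live(int s) { return s >= 0 && s < MAX_SLOTS && slots[s].live; }
rights_t cap_rights(int s) { return slots[s].rights; }
/* Constructed scenario: slot 0 = AllRights original; slot 1 = ReadWrite mint of 0;
 * slot 2 = AllRights requested from 1 (stays ReadWrite: Grant cannot be regained);
 * slot 3 = CanRead mint of 1. Returns slot 1 so the caller can revoke it. */
int cap_demo_setup(void) {
    int rw = cap_mint(cap_create(7, rights_new(true, true, true)), rights_new(false, true, true));
    cap_mint(rw, rights_new(true, true, true));
    cap_mint(rw, rights_new(false, true, false));
    return rw;
}
```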

8. Slot: a concrete piece of physical memory space that holds one capability.

 

---------- seL4 basic services ----------

1. Threads

The basic unit of context switching and of processor time-slice allocation.

1.1 Each thread has a corresponding CSpace (Capability Space) and VSpace (Virtual Space); at the same time, each thread has an IPC buffer for inter-thread communication (see IPC below).

1.2 Each thread belongs to a scheduling domain (scheduling domains differ considerably from Linux here). The number of scheduling domains in a kernel is fixed once the kernel is compiled, and the kernel cycles through the scheduling domains on a timer. A scheduling domain may contain any number of threads (no upper limit); a thread can be scheduled and executed if and only if the domain it belongs to is the one currently being scheduled.

1.3 Within a scheduling domain, seL4 uses a 256-level preemptive priority scheduler.

 

2. Address space

The virtual address space, with address translation performed by page tables. Because ASIDs are a constrained resource, seL4 designed the ASID Pool: through the ASID Control capability, an ASID Pool is linked to a thread's VSpace, and the thread uses an ASID from that ASID Pool.

 

3. Inter-thread communication (IPC)

In seL4, threads communicate through endpoints (I think it is an endpoint in some sense of the word). The first word of a message is the message tag, which contains four parts: the label, the message length, the number of capabilities, and the caps-unwrapped field. For IPC, seL4 uses as many CPU registers as it can, so many short messages are transferred directly in CPU registers. seL4's IPC support does not concern itself with message content; the user layer must interpret the message according to the IPC message tag and the capabilities that arrived. (It feels similar to a socket? An optimized socket.) There are many other details; only a brief sketch is given here.
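To make the tag format concrete, here is an added example (not libsel4's code) that packs the four tag fields into one register-sized word and unpacks it again. The bit positions are my assumption from libsel4's 64-bit seL4_MessageInfo bitfield definition, and MSG_MAX_LENGTH / MSG_MAX_EXTRA_CAPS mirror seL4_MsgMaxLength and seL4_MsgMaxExtraCaps.

```c
/* Added helper (not libsel4's own code) that packs and unpacks the single-word IPC
 * message tag: label, message length, number of extra capabilities and the
 * caps-unwrapped field. Bit layout assumed from libsel4's 64-bit bitfield:
 * length bits 0-6, extraCaps bits 7-8, capsUnwrapped bits 9-11, label bits 12-63. */
#include <stdint.h>
#include <stdbool.h>

#define MSG_MAX_LENGTH     120  /* seL4_MsgMaxLength: message registers per IPC */
#define MSG_MAX_EXTRA_CAPS 3    /* seL4_MsgMaxExtraCaps */

typedef struct { uint64_t label; unsigned caps_unwrapped, extra_caps, length; } msg_info_t;
typedef struct { uint64_t word; bool ok; } packed_t;

/* Build the tag word; ok is false if any field exceeds its width or seL4's limits. */
packed_t msginfo_pack(uint64_t label, unsigned caps_unwrapped, unsigned extra_caps,
                      unsigned length) {
    packed_t p = { 0, false };
    if (length > MSG_MAX_LENGTH || extra_caps > MSG_MAX_EXTRA_CAPS) return p;
    if (caps_unwrapped > 7 || (label >> 52) != 0) return p;
    p.word = (label << 12) | ((uint64_t)caps_unwrapped << 9) |
             ((uint64_t)extra_caps << 7) | length;
    p.ok = true;
    return p;
}

/* Split a tag word received in a register back into its four fields; the receiver
 * uses length and extra_caps to know how many registers and caps to read. */
msg_info_t msginfo_unpack(uint64_t w) {
    msg_info_t m;
    m.length = (unsigned)(w & 0x7f);
    m.extra_caps = (unsigned)((w >> 7) & 0x3);
    m.caps_unwrapped = (unsigned)((w >> 9) & 0x7);
    m.label = w >> 12;
    return m;
}
```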

 

4. Notification

A non-blocking signalling mechanism (similar to Linux signals), used for things such as multiplexed I/O.

 

5. Device primitives

seL4 drivers run as unprivileged programs outside the kernel; the kernel delivers hardware interrupts to them by IPC.

 

6. Capability Spaces (CSpace)

A CSpace is the graph formed by the set of CNodes belonging to a thread; that is, the collection of Capabilities the thread owns.

Every thread in seL4 has a CSpace. The first CSpace the kernel creates at startup is that of the initial user thread; this CSpace contains every CNode it creates and, of course, the CSpaces of all its child threads.

A CSpace contains CNodes; a CNode address resolves to a slot, and a slot holds (or does not hold) a Capability. When the Capability in a slot refers to another CNode, a directed graph forms. Each thread has a root CNode for its CSpace from which every node is reachable.

Also: when a thread makes a system call, the kernel looks up the thread's CSpace, finds the Capability address belonging to this system call, reads the corresponding slot, and the slot's content decides whether the system call may execute.

The kernel manages a thread's kernel objects through the CNodes of its CSpace (put simply, all CNodes are linked together and share a common root, and the CSpace is built by following the CNodes level by level according to their parent-child relations).

 

---------- seL4: creating a thread ----------

 

1. seL4_Untyped_Retype()

Retype untyped memory to create the thread's TCB object.

2. seL4_TCB_SetSpace() / seL4_TCB_Configure()

Set the TCB's CSpace, VSpace, fault endpoint, etc.

3. seL4_TCB_WriteRegisters()

Set the instruction pointer and stack pointer (and other registers).

4. seL4_TCB_Resume()

Activate the thread; it joins the CPU scheduling where its parent resides.

5. At this point, the thread executes.

6. seL4_TCB_SetAffinity()

On multi-core platforms, sets the CPU on which this thread executes.

 

 

---------- Some features of seL4 ----------

 

1. Immunity to buffer overflows (based on the strict capability design)

Buffer overflows are a classic security attack against operating systems, trying to make the software crash or even to inject malicious code into the cycle. We have proved that no such attack can be successful on seL4.

 

2. Immunity to null-pointer dereferences (principle unknown)

Null pointer dereferences are another common issue in the C programming language. In applications they tend to lead to strange error messages and lost data. In operating systems they will usually crash the whole system. They do not occur in seL4.

 

3. Immunity to C data-pointer type errors (principle unknown)

In C it is possible to accidentally use a pointer to the wrong type of data. This is a common programming error. It does not happen in the seL4 kernel.

 

4. Immunity to memory leaks (based on the strict capability design)

Memory leaks occur when memory is requested, but never given back. The other direction is even worse: memory could be given back, even though it is still in use. Neither of these can happen in seL4.

 

5. Immunity to arithmetic overflow / exceptions (principle unknown)

Humans and mathematics usually have a concept of numbers that can be arbitrarily big. Machines do not, they need to fit them into memory, usually into 32 or 64 bits worth of storage. Machines also generate exceptions when you attempt to do things that are undefined like dividing by zero. In the OS, such exceptions would typically crash the machine. This does not occur in seL4.

 

6. Immunity to undefined behaviour (principle unknown)

There are many static analysis and verification tools that check for the absence of undefined behaviour in C. Our proof explicitly checks that no such undefined behaviour occurs.

 

 

---------- seL4 summary ----------

1. seL4's explicit kernel-level access control can provide high security; for example, DDoS is no longer effective.

 

2. seL4 provides a buddy-like memory management system that can effectively reduce memory fragmentation; conversely, such an inflexible memory management scheme should make it difficult to use memory fully.

 

3. seL4's IPC is based on endpoints and capabilities; short messages are transferred in CPU registers, so efficiency does not drop significantly, but for longer messages the mechanism depends on the efficiency of copying through the IPC Buffer.

 

4. seL4's scheduling is fundamentally domain-isolated. I do not think this brings security, but placing a thread within a scheduling domain should delay its response to the user, causing user operations to stutter.

 

Thus, based on the above analysis: seL4's formal verification is a highlight, and its explicit rights management can also bring security. But seL4 is still young and its community is not very active. Application development for seL4 is based on a C-language framework, and the interface must follow an interface - entity development model; it does not support variable-length argument functions, function pointers, etc., so migrating code may be difficult. The infrastructure is inadequate, and there are few industrial applications based on its design ideas. To really put it into use requires a detailed analysis of its kernel internals and of the defects that may exist, and only then a decision on whether applying it would be difficult.

 

 

seL4 follow-up

1. seL4 delivers interrupts through Notifications

After an interrupt fires, the kernel signals a specific Notification; a thread seL4_Wait()s or seL4_Poll()s on that notification.

In user mode, seL4_IRQHandler_SetNotification() binds the handler to the Notification; after the thread starts, it calls seL4_Wait() / seL4_Poll() on that notification.

When the interrupt arrives and the thread has handled it, seL4_IRQHandler_Ack() tells the kernel that the interrupt was processed, so the kernel can deliver further data or subsequent interrupts.

seL4_IRQHandler_Clear() removes the registration with the Notification.

 

seL4 does not support DMA in mainline, but for x86 seL4 supports the IOMMU, which is also exposed as a kind of capability.

 

seL4 uses musl libc.

seL4 may have a file system (Tongji, Pei Xilong).

seL4 is built with gcc -O1; there was once a formally verified compiler, CompCert.

 

Norman Feske comes from Genode. Genode is an OS framework on top of microkernels, similar in role to the Linux rootfs; Norman Feske ported Genode to seL4.

 

Written 2018.10


Origin blog.csdn.net/ytfy339784578/article/details/103946461