01 / 16
A Design for Comprehensive Kernel Instrumentation
Peter Feiner, Angela Demke Brown, Ashvin Goel
University of Toronto

Motivation
Transparent fault isolation for device drivers
‣ Want to isolate existing driver binaries
Inspired by Byte Granularity Isolation
‣ Requires source code
Use Dynamic Binary Instrumentation (DBI)
‣ Does not require source code
‣ Inspect & modify instructions before they execute
[Figure: x86 Driver Code → DBI → Instrumented Driver, all inside the Kernel]

Motivation
DBI applied for debugging and security at the user level
‣ Memcheck - checks memory errors
‣ Program Shepherding - control flow integrity
Various user-level DBI frameworks are available
‣ APIs for inspecting and modifying instructions
‣ e.g., Valgrind, DynamoRIO, Pin
These frameworks don’t work in the kernel
‣ What would it take?

The Key Difference
User frameworks sit between applications and the OS
‣ Interpose on system calls
‣ Take advantage of OS services, e.g. I/O
Kernel frameworks need to sit between the OS & CPU
‣ Isn’t that what hypervisors do?
[Figure: layered stack Apps → DBI → OS → CPU, the user-level framework sitting between the applications and the OS]

Our Approach
We need to combine a DBI framework with a hypervisor
‣ Choice 1: Port DBI to an existing hypervisor
• Pros: both exist
• Cons: both very complex
‣ Choice 2: Create a minimal hypervisor, similar to SecVisor’s approach
• Pros: easier to do
• Pros: possibly higher performance
We designed a minimal hypervisor around a DBI framework
‣ Let’s see how DBI works & what it needs
[Figure: layered stack Apps → OS → Kernel DBI → CPU, the kernel framework sitting between the OS and the CPU]

DBI Technique
Copy basic blocks of x86 code into code cache before execution
‣ Code executed from cache
‣ Instrumentation added to copy
‣ Manipulate copies to return control to the dispatcher
[Figure: Start → x86 Code → Dispatch → Cached? No: Copy Block; Yes: Execute from Code Cache, which returns to Dispatch]

DBI Requirements
Never execute machine’s original code
‣ Necessary for security applications
Hide framework from instrumented code
‣ Instrumented code should observe un-instrumented machine state
Dispatcher should use instrumented code with care
‣ Implementation cannot use non-reentrant instrumented code
Detect changes to the original code
‣ Invalidate stale code in the cache
Preserve multicore concurrency
‣ Essential for performance and accuracy

Meeting DBI Requirements
We’ll look at the first three in more detail

| Requirement | User | Kernel |
|---|---|---|
| Never Execute Original Code | New Threads, Signals | Kernel Entry Points |
| Transparency | Signals | Interrupts, Exceptions |
| Reentrance | Use OS Code | Implement Everything From Scratch |
| Detect Code Changes | System Calls (mmap, mprotect, etc.) | Shadow Page Tables |
| Concurrency | Locking, Thread Private | CPU Private |

Never Execute Original Code
‣ Load kernel module that redirects entry points to the dispatcher
[Figure: User Code in User Mode enters the OS Binaries (kernel, drivers) in Supervisor Mode through Exceptions and Interrupts; with the module loaded, those entry points lead to the Dispatcher and Code Cache instead]

Redirecting Entry Points
‣ Can’t write to table register, otherwise lose control
‣ Can’t drop the write, otherwise you lose transparency
[Figure (animated): the Table Register points to a Descriptor Table whose Entry 1 and Entry 2 lead into the OS Binaries; after redirection the entries lead to the Dispatcher and Code Cache, a Shadow Table holds the OS’s entries and a Shadow Register holds the OS’s view of the table register]
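The entry-point redirection from the last two slides, as an added C model (not code from the slides or from the authors’ framework): the module attach, the shadowed write and read of the table register, and hardware delivery landing in the dispatcher. The table layout, handler addresses and the dispatcher stub address are constructed for the example, and the names fw_table and shadow_register are mine.

```c
#include <stdint.h>
#include <stdio.h>

enum { NVEC = 4 };
typedef uintptr_t handler_t;             /* address of an OS entry point (original code) */
struct desc_table { handler_t entry[NVEC]; };

/* Constructed OS descriptor tables: the one present when the module loads and a
 * second one the OS installs later by writing the table register. */
static struct desc_table os_table_boot  = {{ 0x1000, 0x1010, 0x1020, 0x1030 }};
static struct desc_table os_table_later = {{ 0x2000, 0x2010, 0x2020, 0x2030 }};

#define DISPATCHER_ENTRY ((handler_t)0xF000)     /* constructed address of the dispatcher stub */
static const struct desc_table *table_register;   /* hardware: the real table register */
static struct desc_table fw_table;                /* framework: every entry -> dispatcher */
static const struct desc_table *shadow_register;  /* framework: the OS's view of the register */
static int dispatched_vectors;

/* Kernel module attach: point the hardware at our table, remember the OS's table. */
void fw_attach(const struct desc_table *os_table) {
    for (int v = 0; v < NVEC; v++) fw_table.entry[v] = DISPATCHER_ENTRY;
    shadow_register = os_table;
    table_register = &fw_table;
}

/* Instrumented copy of the OS's "write table register" instruction.  Writing the
 * real register would hand control back to original code, dropping the write would
 * break transparency, so the write lands in the shadow register instead. */
void os_write_table_register(const struct desc_table *t) { shadow_register = t; }

/* Instrumented copy of the OS's "read table register" instruction: the OS sees the
 * value it last wrote, not the framework's table. */
const struct desc_table *os_read_table_register(void) { return shadow_register; }

/* Dispatcher entry for vector v: resolve the OS's current handler through the
 * shadow register and return its original address (to be run from the code cache). */
handler_t dispatcher_entry(int v) {
    dispatched_vectors++;
    return shadow_register->entry[v];
}

/* What the CPU does when vector v fires: follow the real register.  Returns the
 * original handler the dispatcher resolved, or 0 if the CPU would have jumped
 * straight into uninstrumented OS code, i.e. the framework lost control. */
handler_t hw_deliver(int v) {
    if (table_register == NULL || table_register->entry[v] != DISPATCHER_ENTRY) return 0;
    return dispatcher_entry(v);
}

int main(void) {
    fw_attach(&os_table_boot);
    os_write_table_register(&os_table_later);  /* OS swaps tables while instrumented */
    printf("vector 2 -> original handler %#lx; OS reads back its own table: %s\n",
           (unsigned long)hw_deliver(2),
           os_read_table_register() == &os_table_later ? "yes" : "no");
    return 0;
}
```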

Transparency
Need to hide DBI framework from instrumented code
‣ Sometimes essential for correctness
Many transparency issues, including
‣ Code cache return addresses
‣ Shadowed registers
‣ Exception stack frame
‣ Interrupt stack frame

Exception Transparency
Dispatching kernel’s exception handlers is tricky because they inspect machine state
‣ Registers stolen by instrumentation
‣ Address of instruction that triggers the exception
• Handlers need to see original instruction addresses
• Linux panics on page faults from non-white-listed instructions
• Problem is that code cache isn’t on the white list
• Solution is to translate from code cache to original address
Solution for interrupt handlers is similar
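The copy-and-dispatch loop from the DBI Technique slide and the code-cache-to-original address translation from the Exception Transparency slide, as one added C model (not code from the slides or from DynamoRIO). The toy instruction set, the three-block program, the load-counting instrumentation and the faulting load are all constructed for the example; a real framework copies x86 bytes and rewrites the control transfers, here the executor does the same job for the toy ISA.

```c
#include <stdio.h>
/* Toy ISA standing in for x86: ADD adds imm to acc, LOAD adds mem[imm] to acc,
 * JNZ jumps to original pc imm if acc != 0, JMP jumps to imm, HALT stops.  COUNT
 * (inserted instrumentation) and EXIT (return to the dispatcher) exist only in the cache. */
enum op { ADD, LOAD, JNZ, JMP, HALT, COUNT, EXIT };
struct insn { enum op op; int arg; };
enum { MEM_LEN = 4, ORIG_LEN = 8, CACHE_LEN = 64 };
static const int mem[MEM_LEN] = { 3, 0, 0, 0 };
/* Constructed original program: three basic blocks; the LOAD at pc 6 faults. */
static const struct insn orig[ORIG_LEN] = {
    { LOAD, 0 }, { JMP, 2 },                /* pc 0,1: acc = 3 */
    { ADD, -1 }, { LOAD, 1 }, { JNZ, 2 },   /* pc 2,3,4: loop, acc = 2, 1, 0 */
    { ADD, 1 },  { LOAD, 9 }, { HALT, 0 },  /* pc 5,6,7: mem[9] is out of bounds */
};
static struct insn cache[CACHE_LEN];  /* code cache: instrumented copies */
static int cache_to_orig[CACHE_LEN];  /* translation: cache pc -> original pc */
static int orig_to_cache[ORIG_LEN];   /* lookup: original block start -> cache pc */
static int cache_used, blocks_copied, loads_counted;

static void emit(enum op op, int arg, int orig_pc) {
    cache_to_orig[cache_used] = orig_pc;
    cache[cache_used++] = (struct insn){ op, arg };
}
/* Copy one basic block into the cache, instrumenting LOADs and making every exit return to the dispatcher. */
static int copy_block(int pc) {
    int start = cache_used;
    for (;; pc++) {
        struct insn in = orig[pc];
        if (in.op == LOAD) emit(COUNT, 0, pc);                   /* instrumentation */
        emit(in.op == JMP ? EXIT : in.op, in.arg, pc);           /* jmp -> exit to dispatcher */
        if (in.op == JMP || in.op == HALT) break;
        if (in.op == JNZ) { emit(EXIT, pc + 1, pc + 1); break; } /* not-taken path exits too */
    }
    blocks_copied++;
    return start;
}

/* Execute from the code cache.  Returns the next original pc, -1 on HALT, -2 on a
 * fault; the fault leaves the *cache* pc in *fault_cpc, as a real exception frame would. */
static int run_cached(int cpc, int *acc, int *fault_cpc) {
    for (;; cpc++) {
        struct insn in = cache[cpc];
        switch (in.op) {
        case ADD:   *acc += in.arg; break;
        case COUNT: loads_counted++; break;
        case LOAD:  if (in.arg < 0 || in.arg >= MEM_LEN) { *fault_cpc = cpc; return -2; }
                    *acc += mem[in.arg]; break;
        case JNZ:   if (*acc != 0) return in.arg; break;
        case EXIT:  return in.arg;
        default:    return -1;  /* HALT */
        }
    }
}

/* Dispatcher: look the block up, copy on a miss, run the copy, repeat.  On a fault,
 * translate the cache address to the original one before the kernel handler sees it. */
static int dispatch(int *acc, int *fault_orig_pc) {
    int pc = 0, fault_cpc = -1;
    for (int i = 0; i < ORIG_LEN; i++) orig_to_cache[i] = -1;
    cache_used = blocks_copied = loads_counted = 0;
    *acc = 0; *fault_orig_pc = -1;
    while (pc >= 0) {
        if (orig_to_cache[pc] < 0) orig_to_cache[pc] = copy_block(pc);
        pc = run_cached(orig_to_cache[pc], acc, &fault_cpc);
    }
    if (pc == -2) *fault_orig_pc = cache_to_orig[fault_cpc];
    return pc;
}

int main(void) {
    int acc, fault_pc, rc = dispatch(&acc, &fault_pc);
    printf("rc=%d acc=%d blocks copied=%d loads counted=%d fault at original pc %d\n",
           rc, acc, blocks_copied, loads_counted, fault_pc);
    return 0;
}
```

The loop body is copied once and executed three times from the cache, and the fault raised at cache slot 10 is reported as original pc 6, the address a white-list check would recognise.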

Interrupt Transparency
Delay interrupts until next code-cache exit
[Figure (animated): legend H = Interrupt Handler, I = Instrumentation, lightning = Interrupt. Original Code: block A, an interrupt, the handler H, block B. Code Cache: Copy A with instrumentation I, Copy IH, Copy B. The Dispatcher holds the interrupt until Copy A exits the cache, maps the state back to Original Addresses (A), runs Copy IH and then continues with Copy B]

Reentrance
Code is not reentrant if it is unsafe to execute before other executions of the same code finish
‣ Dispatcher cannot use any non-reentrant OS code, e.g. print, because the non-reentrant code might be currently executing
Say, print consists of basic blocks P1, P2
‣ P1 has executed from code cache
‣ Dispatcher copies P2
‣ Dispatcher uses print for debugging and invokes P1
‣ print fails because it is non-reentrant
[Figure: Code Cache holds P1 and Copy P2; the Dispatcher invoking P1 is marked ✗]

Reentrance Solution
Typical solution is to reimplement non-reentrant code using lower-level uninstrumented code
‣ e.g., user-level DBI has custom print that makes system calls
OS-level framework has no lower-level code
‣ Dispatcher must be entirely self-sufficient
‣ Implement our own heap
Some code too difficult to implement from scratch
‣ Detach and reattach framework to use existing OS code
‣ Have custom user program make system calls on our behalf
• Framework cannot depend on user program’s correctness

Our Proposal
We chose to port DynamoRIO to a minimal hypervisor because it is
‣ Open source
‣ Performance oriented
‣ Mature
Applications
‣ Transparent fault isolation
‣ Dynamic optimization
We will open source our port!
‣ What would you do with in-kernel DBI?

Backup Slides

Existing Hypervisors
VMware
‣ Uses a code cache to translate sensitive instructions
‣ Does not have an instrumentation API
PinOS
‣ Pin DBI + Xen Hypervisor
‣ Does whole-system instrumentation (user + kernel)
‣ Dispatching is much slower for whole-system (50x slowdown)
‣ Delegates I/O to a separate uninstrumented VM
Neither is open source

Minimal Hypervisor
Simpler than a full-fledged hypervisor
‣ No multiplexing
‣ Shadow page tables have same address mappings, just more restrictive permissions
‣ Don’t need to be completely transparent
• We can piggy-back on existing OS code, like segment selectors for CPU-private data

Design Assumptions
Once booted, OS runs exclusively in 64-bit long mode
‣ Emulating obsolete x86 modes would be a pain
‣ Confirmed validity on Linux by inspection
‣ We believe it is valid on Windows
Can store dispatcher and code cache in pages that are in all page tables at the same virtual addresses
‣ Otherwise, we need to steal RAM from the OS at bootup
‣ Provided by Linux
‣ We believe this is provided by Windows
Design should work with OS that meets assumptions
‣ We are currently targeting Linux

Hardware Virtualization Extensions
Do not make implementation simpler
‣ Removes the need to inspect sensitive instructions
‣ However, we already can inspect sensitive instructions
Could make implementation more complex
‣ Need to emulate instructions that cause exits
‣ Easier for us to emit fix-up code in the code cache
Could improve performance
‣ Extended page tables might perform better than shadow
‣ We want to experiment with this