Dune: Safe User-level Access to Privileged CPU Features
نویسندگان
چکیده
Dune is a system that provides applications with direct but safe access to hardware features such as ring protection, page tables, and tagged TLBs, while preserving the existing OS interfaces for processes. Dune uses the virtualization hardware in modern processors to provide a process, rather than a machine abstraction. It consists of a small kernel module that initializes virtualization hardware and mediates interactions with the kernel, and a user-level library that helps applications manage privileged hardware features. We present the implementation of Dune for 64bit x86 Linux. We use Dune to implement three userlevel applications that can benefit from access to privileged hardware: a sandbox for untrusted code, a privilege separation facility, and a garbage collector. The use of Dune greatly simplifies the implementation of these applications and provides significant performance advantages.
منابع مشابه
Integrating Multi-threading and Accelerators into DUNE-ISTL
A major challenge in PDE software is the balance between user-level flexibility and performance on heterogeneous hardware. We discuss our ideas on how this challenge can be tackled, exemplarily for the DUNE framework and in particular its linear algebra and solver components. We demonstrate how the former MPI-only implementation is modified to support MPI+[CPU/GPU] threading and vectorisation. ...
متن کاملCS262A Midterm Solutions
[Yahel Ben-David:] I’ll presume the hardware used is the easier case of MIPS. The x86 architecture complicates things as some instructions may silently fail if not run under a real “ring-0” privileges. Before delving into the flow of control for handling a system-call (syscall) on a virtualized system, let’s briefly discuss what happens in a traditional setting (without virtualization): When th...
متن کاملA Smart HPC Interconnect for Clusters of Virtual Machines
In this paper, we present the design of a VM-aware, highperformance cluster interconnect architecture over 10Gbps Ethernet. Our framework provides a direct data path to the NIC for applications that run on VMs, leaving non-critical paths (such as control) to be handled by intermediate virtualization layers. As a result, we are able to multiplex and prioritize network access per VM. We evaluate ...
متن کاملSpyglass: Demand-Provisioned Linux Containers for Private Network Access
System administrators are required to access the privileged, or “super-user,” interfaces of computing, networking, and storage resources they support. This low-level infrastructure underpins most of the security tools and features common today and is assumed to be secure. A malicious system administrator or malware on the system administrator’s client system can silently subvert this computing ...
متن کاملDemand-Provisioned Linux Containers for Private Network Access
System administrators are required to access the privileged, or “super-user,” interfaces of computing, networking, and storage resources they support. This low-level infrastructure underpins most of the security tools and features common today and is assumed to be secure. A malicious system administrator or malware on the system administrator’s client system can silently subvert this computing ...
متن کامل