Case Study of Distributed Operating System (Week: 13)

Post on 29-Dec-2015

Case Study of Distributed Operating System (Week: 13)

Introduction
- A distributed operating system is the logical aggregation of operating system software over a collection of independent, networked, communicating, and physically separate computational nodes.
- Each node holds a specific software subset of the global aggregate operating system. Each subset is a composite of two distinct service providers:
  - a ubiquitous minimal kernel, or microkernel, that directly controls that node's hardware;
  - a higher-level collection of system management components that coordinate the node's individual and collaborative activities. These components abstract microkernel functions and support user applications.

Amoeba: Introduction
- Originated at a university in Holland, 1981
- Currently used in various EU countries
- Built from the ground up; UNIX emulation added later
- Goal was to build a transparent distributed operating system: resources, regardless of their location, are managed by the system, and the user is unaware of where processes actually run

The Amoeba System Architecture
- Assumes that a large number of CPUs are available and that each CPU has tens of MB of memory
- CPUs are organized into processor pools
- CPUs do not need to be of the same architecture (SPARC, Motorola PowerPC, 680x0, Intel, Pentium, etc. can be mixed)
- When a user types a command, the system determines which CPU(s) to execute it on; CPUs can be timeshared
- Terminals are X-terminals or PCs running X emulators
- The processor pool does not have to be composed of CPU boards enclosed in a cabinet; the processors can be PCs, etc., in different rooms, countries, ...
- Some servers (e.g., file servers) run on dedicated processors, because they need to be available all the time

The Amoeba System Architecture

The Amoeba Microkernel
- The Amoeba microkernel is used on all terminals (with an on-board processor), pool processors, and servers
- The microkernel:
  - manages processes and threads
  - provides low-level memory management
  - supports inter-process communication (point-to-point and group)
  - handles low-level I/O for the devices attached to the machine

Process Management
- All processes are objects protected by capabilities
- Processes are managed at 3 levels:
  - by process servers, part of the microkernel
  - by library procedures, which act as interfaces
  - by the run server, which decides where to run the processes
- Process management uses process descriptors, which contain: the platform description, the capability of the process's owner, etc.

Memory Management
- Designed with performance, simplicity and economics in mind
- A process occupies contiguous segments in memory
- All of a process is constantly in memory; a process is never swapped out or paged

Communication
- Point-to-point (RPC) and group

Conclusion
- A distributed system can potentially be more reliable and lower in cost than a time-sharing system.
- By placing the other services outside the kernel and keeping the kernel as small as possible, the system is more flexible and reliable.
- The client-server model with remote procedure call has shown that, using basic communication primitives, the overhead of communication can be reduced.
- Amoeba is the only distributed operating system which implements wide-area networking.

Managing Multiple Processing Systems (Week: 14)

Multi-processor Scheduling
- If multiple CPUs are available, load sharing becomes possible, but the scheduling problem becomes correspondingly more complex. Many possibilities have been tried, but no optimal solution is available.
- If the processors are identical (homogeneous) in terms of their functionality, any available processor can be used to run any process in the queue.
- Loosely coupled multiprocessor or cluster: consists of a collection of relatively autonomous systems; each processor has its own memory and I/O channels.
- Tightly coupled multiprocessing: consists of a set of processors that share a common main memory and are under the integrated control of an operating system. The discussion on the following slides is based on tightly coupled multiprocessing.
- When a computer system contains more than a single processor, several new issues are introduced into the design of the scheduling function.

Design Issues
- The assignment of processes to processors
- The use of multiprogramming on individual processors
- The actual dispatching of a process

Assignment of Processes to Processors
- Symmetric multiprocessing: all processors are autonomous (act independently) and are treated equally. There is one copy of the supervisor or kernel, which can be executed by all processors concurrently. However, concurrent access to the shared data structures needs to be controlled, i.e. only one processor executes the operating system at a time. This method is called floating master. The symmetric configuration is the most flexible and versatile of all the configurations.

- Master/slave assignment: kernel functions always run on a particular processor; the other processors execute user processes. Advantage: resource conflict resolution is simplified, since a single processor has control. Problems: what happens on failure of the master processor? The master processor does all the scheduling, so it becomes a bottleneck.
- Peer assignment: the OS can execute on any processor. Each processor does its own scheduling from the pool of available processes. This is similar to Solaris or NT symmetric multiprocessing (SMP).

The Use of Multiprogramming on Individual Processors
- We are concerned with providing the best performance, on average, for the applications.
- An application that consists of a number of threads may run poorly unless all of its threads are available to run concurrently.

Process Dispatching
- The actual selection of the process to run.
- Single-processor multiprogramming strategies may be counter-productive here.
- A simpler approach may be more effective, with less overhead.

Thread Scheduling
- An application can be implemented as a set of threads that cooperate and execute concurrently in the same address space. Criterion: when related threads run in parallel, performance improves.
- Load sharing (self scheduling): processes are not assigned to a particular processor. A global queue of ready threads is maintained, and each processor, when idle, selects a thread from the queue. Disadvantage: the central queue must be accessed in a manner that enforces mutual exclusion, because many processors look for work at the same time. However, it is the most commonly used scheme.
- Gang scheduling: a set of related threads is scheduled to run on a set of processors at the same time, on a one-to-one basis. Scheduling overhead, but good performance.

- Dedicated processor assignment: the extreme form of gang scheduling. Each program is allocated a number of processors equal to the number of threads in the program, for the duration of the program's execution.
- Dynamic scheduling: more like demand scheduling.
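To make the difference between load sharing and gang scheduling concrete, here is a small discrete-time simulation. It is an added example, not material from the lecture; the thread set, durations, CPU count and function names are constructed, the model runs one time unit per tick with no preemption, and the global ready queue is a plain deque (a real kernel would guard it with a lock, which is exactly the mutual-exclusion cost the slide mentions).

```python
"""Load sharing (one global ready queue) vs. gang scheduling on a tightly coupled
multiprocessor. Constructed example data and a simplified, non-preemptive model."""
from collections import deque

# Constructed workload: (thread name, gang it belongs to, duration in ticks).
# Threads of the same gang are "related threads" that benefit from running in parallel.
SAMPLE_THREADS = [("C1", "C", 2), ("A1", "A", 3), ("A2", "A", 3),
                  ("B1", "B", 2), ("B2", "B", 2)]


def load_sharing(threads, n_cpus):
    """Self scheduling: every idle CPU takes the next thread from one global queue.
    Returns {thread: (start_tick, end_tick)}."""
    ready = deque(threads)           # the central queue all CPUs contend for
    busy_until = [0] * n_cpus        # tick at which each CPU becomes idle again
    schedule = {}
    tick = 0
    while ready:
        for cpu in range(n_cpus):
            if busy_until[cpu] <= tick and ready:
                name, _gang, duration = ready.popleft()
                busy_until[cpu] = tick + duration
                schedule[name] = (tick, tick + duration)
        tick += 1
    return schedule


def gang_scheduling(threads, n_cpus):
    """A gang is dispatched only when enough CPUs are free at the same tick, so all
    of its threads start together (one thread per processor)."""
    gangs = {}
    for name, gang, duration in threads:
        gangs.setdefault(gang, []).append((name, duration))
    pending = deque(gangs.values())  # gangs are served in arrival order
    busy_until = [0] * n_cpus
    schedule = {}
    tick = 0
    while pending:
        gang = pending[0]
        if len(gang) > n_cpus:
            raise ValueError("gang larger than the processor set can never run")
        free = [cpu for cpu in range(n_cpus) if busy_until[cpu] <= tick]
        if len(free) >= len(gang):
            pending.popleft()
            for cpu, (name, duration) in zip(free, gang):
                busy_until[cpu] = tick + duration
                schedule[name] = (tick, tick + duration)
        else:
            tick += 1                # CPUs may sit idle: the scheduling overhead
    return schedule


def runs_together(schedule, threads):
    """Per gang: did all of its threads start at the same tick?"""
    starts = {}
    for name, gang, _duration in threads:
        starts.setdefault(gang, set()).add(schedule[name][0])
    return {gang: len(s) == 1 for gang, s in starts.items()}


def makespan(schedule):
    return max(end for _start, end in schedule.values())


if __name__ == "__main__":
    for policy in (load_sharing, gang_scheduling):
        sched = policy(SAMPLE_THREADS, 2)
        print(policy.__name__, sched, runs_together(sched, SAMPLE_THREADS),
              "makespan", makespan(sched))
```

With two CPUs, load sharing splits both gangs A and B across time (their threads start at different ticks), while gang scheduling starts each gang's threads together at the price of leaving one CPU idle while gang C runs alone.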

Real-Time Operating System (Week: 15)

Introduction
- A real-time operating system (RTOS) is specially designed to run applications with very precise timing and a high degree of reliability. This can be especially important in measurement and automation systems, where downtime is costly or a program delay could cause a safety hazard.
- An RTOS has an advanced algorithm for scheduling (fast response). Scheduler flexibility enables a wider, computer-system orchestration (arrangement) of process priorities, but a real-time OS is more frequently dedicated to a narrow set of applications.
- Key factors in a real-time OS are minimal interrupt latency and minimal thread switching latency; a real-time OS is valued more for how quickly or how predictably it can respond than for the amount of work it can perform in a given period of time.

Necessity of RTOS
- A key characteristic of an RTOS is the level of its consistency concerning the amount of time it takes to accept and complete an application's task.
- A hard real-time OS must have a known maximum time for each of the critical operations that it performs. Examples are the airbag system for a new car, missile firing, etc. A hard real-time operating system has less jitter.
- A soft real-time OS only guarantees a maximum most of the time. A soft real-time operating system has more jitter (e.g. a mobile phone receiving shaky video).
- The chief design goal is not high throughput, but rather a guarantee of a soft or hard performance category. An RTOS that can usually or generally meet a deadline is a soft real-time OS, but if it can meet a deadline deterministically it is a hard real-time OS.

Systems Classification
- Non real-time systems: a non real-time system is a system where there are no deadlines involved. Non-RT systems could be described as follows: a non real-time system is a system where the programmed reaction to a stimulus will certainly happen sometime in the future.
- Soft real-time (SRT) systems: a soft real-time system is a system where not meeting a deadline can have undesirable but not catastrophic effects, a performance degradation for example. SRTs could be described as follows: a soft real-time system is a system where the programmed reaction to a stimulus is almost always completed within a known finite time.

- Hard real-time (HRT) systems: a hard real-time system is a system where not meeting a deadline can have catastrophic effects. HRT systems require a much stricter definition and could be described as follows: a hard real-time system is a system where the programmed reaction to a stimulus is guaranteed to be completed within a known finite time.

Embedded Systems
- An embedded system is a computer system designed for specific control functions within a larger system, often with real-time computing constraints. It is embedded as part of a complete device, often including hardware and mechanical parts (e.g. a heavy-duty printer, or an intelligent workstation connected to a mini or mainframe computer).
- By contrast, a general-purpose computer, such as a personal computer, is designed to be flexible and to meet a wide range of end-user needs.
- Embedded systems control many devices in common use today.

- Embedded systems contain processing cores that are either microcontrollers or digital signal processors. The key characteristic, however, is being dedicated to handling a particular task.
- Since the embedded system is dedicated to specific tasks, design engineers can optimize it to reduce the size and cost of the product and to increase reliability and performance.
- Some embedded systems are mass-produced, benefiting from economies of scale.

- Physically, embedded systems range from portable devices such as digital watches and MP3 players, to large stationary installations like traffic lights and factory controllers (PLCs: programmable logic controllers).
- Complexity varies from low, with a single microcontroller chip, to very high, with multiple units, peripherals and networks mounted inside a large chassis or enclosure.
- Generally, embedded systems consist of a microcontroller, RAM and ROM (which contains the RTOS).

Examples & Applications
- Telecom, missiles and satellites, computer networking, digital consumer electronics, and automotive
- Mobile phone
- Digital camera
- Robots
- Point-of-sale terminals
- Automatic chocolate vending machine
- Stepper motor controllers for a robotics system
- Washing or cooking system
- Multitasking toys
- Microcontroller-based single or multi-display digital panel meter for voltage, current, resistance and frequency
- Keyboard controller

Operating System Security (Week: 16)

Resource Security & Protection: Introduction
- Deals with the control of unauthorized use of software and hardware.
- Business applications such as banking require high security and protection during any transaction.
- Security techniques should not only prevent the misuse of secret information but also its destruction.

Basic Terminology: Potential Security Violations
- Unauthorized information release: an unauthorized person is able to read information, or makes unauthorized use of a computer program.
- Unauthorized information modification: an unauthorized person is able to modify information, e.g. changing the grade of a university student, or changing account balances in bank databases.
- Unauthorized denial of service: an unauthorized person should not succeed in preventing an authorized person from accessing the information.

External vs. Internal Security
- External security (also called physical security): deals with regulating access to the premises of computer systems (e.g. hardware, disks, tapes). Can be enforced by placing a guard at the door, or by giving a secret key to authorized persons. The issues to be dealt with are administrative.
- Internal security: deals with the use of computer hardware and software and of the information stored in computer systems. Requires authentication.

Policies and Mechanisms
- Policy: what should be done? A policy gives the assignment of access rights to users for various resources. Policies decide which user has access to what resources. Policies can change with time and application.
- Mechanism: how should it be done? A protection mechanism provides a set of tools that can be used to design or specify a wide array of protection policies. The protection mechanism in the OS controls user access to system resources. A protection scheme must be amenable to a wide variety of policies.
- Protection is a mechanism and security is a policy.

Protection Domain of a Process
- Specifies the resources that a process can access and the type of operations that the process can perform on those resources.
- Required for enforcing security: it allows the process to use only those resources that it requires.
- Every process executes in its protection domain, and the protection domain is switched appropriately whenever control jumps from process to process.
- Advantage: eliminates the possibility of a process breaching security maliciously or unintentionally, and increases accountability.

Design Principles for a Secure System
- Economy: the protection mechanism should be economical to develop and use. Should it add high extra costs to the system?
- Complete mediation: requires that every request to access an object be checked for the authority to do so.
- Open design: a protection mechanism should work even if its underlying principles are known to the attacker.
- Separation of privileges: the protection mechanism requires two keys to unlock a lock, i.e. two independent conditions should be satisfied before an access is allowed.
- Least privilege: a subject should be given the bare minimum access rights that are sufficient for completion of its task.
- Least common mechanism: the portion of the mechanism common to more than one user should be minimized. Coupling among users represents a potential information path between users and hence a potential threat to their security.
- Acceptability: the protection mechanism must be simple to use.
- Fail-safe defaults: the default case should mean lack of access (for whatever reason: few ways to access). If a design or implementation mistake is responsible for denial of an access, it will eventually be discovered and fixed.

Access Matrix Model
- Model proposed by Lampson; enhanced and refined further by Graham, Denning and Harrison.
- A protection system consists of mechanisms to control user access to various resources or to control information flow.
- Current objects: a finite set (O) of entities to which access is to be controlled [files].
- Current subjects: a finite set (S) of entities that access current objects, e.g. a subject may be a process. Subjects themselves can be treated as objects and can be accessed like an object by other subjects [users].
- Generic rights: a finite set of generic rights R = {r1, r2, r3, ..., rm} gives the various access rights that subjects can have to objects, e.g. read, write, execute, own, delete, etc.

Protection State of a System
- The protection state of a system is represented by a triplet (S, O, P):
  - S: set of current subjects
  - O: set of current objects
  - P: access matrix
- The access matrix has a row for every current subject s and a column for every current object o. The entry P[s,o] is a subset of R, the generic rights, and denotes the access rights which subject s has to object o.

Access Matrix Representing Protection State (example from the slide)

         O1            O2            O3         O4             O5
  S1     read,write    own,delete    own        sendmail       recmail
  S2     execute       copy          recmail    own            block,wakeup
  S3     own           read,write    sendmail   block,wakeup   own

Enforcing a Security Policy
- A security policy is enforced by validating every user access for the appropriate access rights.
- Every object has a monitor that validates all accesses to that object in the following manner:
  (i) A subject s requests an access to object o.
  (ii) The protection system presents the triplet (s, requested access right, o) to the monitor of o.
  (iii) The monitor looks into the access rights of s to o. If the requested right belongs to P[s,o], the access is permitted; else it is denied.
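The enforcement rule above, as an added example that is not part of the slides: the matrix cells are the ones from the slide's table, while the sparse dictionary layout, the `Monitor` class, the audit trail and the `request` function are my own. Every access to an object goes through that object's monitor (complete mediation), and a cell that is absent is treated as the empty set, so an unknown subject or object is denied (fail-safe default).

```python
"""Access matrix model: protection state (S, O, P) and the per-object monitor."""

# Generic rights R. Every entry P[s,o] is a subset of this set.
R = frozenset({"read", "write", "execute", "own", "delete", "copy",
               "sendmail", "recmail", "block", "wakeup"})

# The access matrix P from the slide, stored sparsely: a missing cell is the empty set.
P = {
    ("S1", "O1"): {"read", "write"}, ("S1", "O2"): {"own", "delete"},
    ("S1", "O3"): {"own"},           ("S1", "O4"): {"sendmail"},
    ("S1", "O5"): {"recmail"},
    ("S2", "O1"): {"execute"},       ("S2", "O2"): {"copy"},
    ("S2", "O3"): {"recmail"},       ("S2", "O4"): {"own"},
    ("S2", "O5"): {"block", "wakeup"},
    ("S3", "O1"): {"own"},           ("S3", "O2"): {"read", "write"},
    ("S3", "O3"): {"sendmail"},      ("S3", "O4"): {"block", "wakeup"},
    ("S3", "O5"): {"own"},
}
S = {s for s, _o in P}   # current subjects
O = {o for _s, o in P}   # current objects


class Monitor:
    """The monitor of one object o: validates every (s, right, o) presented to it."""

    def __init__(self, o, matrix):
        self.o = o
        self.matrix = matrix
        self.audit = []  # every decision is recorded, which is what gives accountability

    def validate(self, s, right):
        if right not in R:
            raise ValueError(f"{right!r} is not one of the generic rights")
        # Fail-safe default: no cell for (s, o) means the empty set, hence denial.
        permitted = right in self.matrix.get((s, self.o), set())
        self.audit.append((s, right, self.o, "permit" if permitted else "deny"))
        return permitted


MONITORS = {o: Monitor(o, P) for o in O}


def request(s, right, o):
    """The protection system routes the triplet (s, right, o) to the monitor of o.
    Returns True if the access is permitted, False otherwise."""
    if o not in MONITORS:
        return False  # unknown object: nothing can mediate it, so deny
    return MONITORS[o].validate(s, right)


if __name__ == "__main__":
    for triplet in (("S1", "read", "O1"), ("S2", "read", "O1"),
                    ("S3", "wakeup", "O4"), ("S1", "read", "O9")):
        print(triplet, "->", "permit" if request(*triplet) else "deny")
```

The audit list on each monitor is the part a defender cares about: because every decision passes through one place per object, a denied request is visible in the same trail as a permitted one.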

Implementation of the Access Matrix Model
- Three implementations of the access matrix model:
  - Capability based
  - Access control list
  - Lock-key method

Capabilities
- The capability-based method corresponds to the row-wise decomposition of the access matrix.
- Each subject s is assigned a list of tuples (o, P[s,o]) for all objects o that it is allowed to access. These tuples are known as capabilities.
- Typical view of a capability (figure): [ Object Descriptor | Access Rights: read, write, execute, etc. ]
- A capability has two fields. The object descriptor (e.g. the address of the corresponding object, or the address of a word within an object) is the identifier of the object; the second field holds the allowed access rights (read, write, etc.) for the object.
- Possession of a capability is treated as evidence that the user has authority to access the object in the ways specified in the capability.
- At any point in time, a subject is authorized to access only those objects for which it has capabilities.

Capability Based Addressing
- Capabilities can be used by the system as an addressing mechanism, using the object descriptor.
- The main advantage of using a capability as an addressing mechanism is that it provides an address that is context independent (an absolute address).
- However, the system must allow embedding of capabilities in user programs and data structures.
- Figure: an address in a program is (capability id, offset); the capability list of the user maps the capability id to (access rights, object descriptor); the object table maps the object descriptor to (base, length).
- A user program issues a request to access a word within an object:
  1. The address contains the capability id of the object and an offset within the object.
  2. The system uses the capability id to search the capability list of the user and locate the capability that contains the allowed access rights and the object descriptor.
  3. The system checks the access rights.
  4. The object descriptor is used to search the object table and locate the entry for the object.
  5. The object entry contains the base address of the object in main memory.
- Two salient features:
  - Relocatability: an object can be relocated anywhere within main memory without changing the capability.
  - Sharing: several programs can share the same object, with different names for the same object.
- Implementation considerations: to maintain a forgery-free capability, a user should not be able to access (read, modify or construct) a capability. Two ways of implementation: the tagged approach and the partitioned approach.
- Tagged approach: one or more bits are attached to each memory location and to every processor register; the tag indicates whether the memory word or register contains a capability. If tag = ON, the information is a capability; otherwise it is ordinary data. When tag = ON the user cannot manipulate the word. Example: Burroughs B6700.
- Partitioned approach: capabilities and ordinary data are partitioned (stored separately). Every object has two segments: one for data, the other for capabilities. The processor has two sets of registers: one for data, the other for capabilities. Examples: Chicago Magic Number Machine, Plessey System.

Advantages and Drawbacks of Capabilities
- Advantages:
  - Efficient: validity can be easily tested.
  - Simple: due to the natural correspondence between the structural properties of capabilities and the semantic properties of addressing variables.
  - Flexible: the user can decide which of his addresses contain capabilities.
- Disadvantages:
  - Control of propagation
  - Review
  - Revocation of access rights
  - Garbage collection

Access Control List Method
- Column-wise decomposition of the access matrix.
- Each object o is assigned a list of pairs (s, P[s,o]) for all subjects s that are allowed to access the object. P[s,o] denotes the access rights that subject s has to o.
- When a subject s requests an access to object o, the request is executed in the following manner:
  1. The system searches the access control list of o to find out whether an entry (s, rights) exists for subject s.
  2. If it exists, the system checks whether the requested access is permitted (i.e. it belongs to the rights in that entry).
  3. If yes, access is granted; otherwise an exception is raised.
- Schematic of an access control list:

  Subject   Access Rights
  Smith     read, write, execute
  Jones     read
  Lee       write
  Grant     execute

- The execution efficiency of the access control list method is poor, because an access control list must be searched for every access to a protected object.
- Main features:
  - Easy revocation: revocation of access rights is simple, fast and efficient. It can be achieved simply by removing the subject's entry from the object's access control list.
  - Easy review of access: it can easily be determined which subjects have access rights to an object.
- Implementation considerations:
  - Efficiency of execution: since the access control list needs to be searched for every access to a protected object, it can be very slow. [Can be avoided using shadow registers]
  - Efficiency of storage: the list may require a huge amount of storage. [Can be avoided using protection groups]

Lock-Key Method
- A hybrid of the capability-based method and the access control list method.
- Every subject has a capability list that contains tuples of the form (O, k), indicating that the subject can access object O using key k.
- Every object has an access control list that contains tuples of the form (l, y), called lock entries. A lock entry indicates that any subject holding a key that matches lock l can access this object in the modes contained in y.
- When a subject requests access to object o in some mode, the request is executed in the following manner:
  1. The system locates the tuple (o, k) in the capability list of the subject. If no such tuple is found, access is not permitted.
  2. Otherwise, access is permitted only if there exists a lock entry (l, y) in the access control list of object o such that k = l and the requested mode belongs to y.
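The three implementations and capability-based addressing, worked in one added example that is not from the slides: the access matrix cells, the key and lock values, the object table and all function names are constructed for illustration. The row-wise and column-wise decompositions are derived from the same matrix, so the two checks agree on every cell; the ACL version also shows the easy revocation the slide describes, the lock-key version applies the k = l rule, and `access_word` follows the five addressing steps (capability id, capability list, rights check, object table, base + offset) with a bounds check against the object's length.

```python
"""Capability lists, access control lists and lock-key entries derived from one
access matrix, plus capability-based addressing through an object table."""

# Constructed access matrix P[s, o]; absent cells are the empty set (fail-safe).
P = {
    ("S1", "O1"): {"read", "write"}, ("S1", "O2"): {"own", "delete"},
    ("S2", "O1"): {"execute"},       ("S2", "O2"): {"copy"},
    ("S3", "O1"): {"own"},           ("S3", "O2"): {"read", "write"},
}


def capability_lists(matrix):
    """Row-wise decomposition: subject -> [(o, P[s,o]), ...], its capabilities."""
    rows = {}
    for (s, o), rights in matrix.items():
        if rights:
            rows.setdefault(s, []).append((o, frozenset(rights)))
    return rows


def access_control_lists(matrix):
    """Column-wise decomposition: object -> [(s, P[s,o]), ...], its ACL."""
    cols = {}
    for (s, o), rights in matrix.items():
        if rights:
            cols.setdefault(o, []).append((s, frozenset(rights)))
    return cols


def cap_check(caps, s, right, o):
    """Possession of a capability for o carrying the right is the evidence of authority."""
    return any(obj == o and right in rights for obj, rights in caps.get(s, []))


def acl_check(acls, s, right, o):
    """The ACL of o is searched on every access; no entry for s means denial."""
    return any(subj == s and right in rights for subj, rights in acls.get(o, []))


def revoke_acl(acls, s, o):
    """Easy revocation: remove the subject's entry from the object's ACL."""
    acls[o] = [(subj, rights) for subj, rights in acls.get(o, []) if subj != s]


# Lock-key method. Subject side: (object, key). Object side: lock entries (lock, modes).
KEYS = {"S1": [("O1", 0xA1), ("O2", 0xB2)], "S2": [("O1", 0xC3)]}
LOCKS = {"O1": [(0xA1, {"read", "write"}), (0xC3, {"execute"})],
         "O2": [(0xB2, {"own", "delete"})]}


def lock_key_check(s, right, o):
    """Permit only if s holds a key k for o and o has a lock entry with l == k
    whose mode set contains the requested right."""
    key = next((k for obj, k in KEYS.get(s, []) if obj == o), None)
    if key is None:
        return False                      # no (o, k) tuple: access not permitted
    return any(lock == key and right in modes for lock, modes in LOCKS.get(o, []))


# Capability-based addressing. A program address is (capability id, offset); the
# subject's capability list maps the id to (rights, object descriptor); the object
# table maps the descriptor to the object's base address and length.
OBJECT_TABLE = {"desc-O1": {"base": 0x1000, "length": 64}}
CAP_LIST = {"S1": {7: ({"read", "write"}, "desc-O1")}}


def access_word(s, cap_id, offset, right):
    """Return (True, physical address) or (False, reason) for one word access."""
    cap = CAP_LIST.get(s, {}).get(cap_id)
    if cap is None:
        return False, "no such capability in the subject's list"
    rights, descriptor = cap
    if right not in rights:
        return False, "right not present in the capability"
    entry = OBJECT_TABLE[descriptor]
    if not 0 <= offset < entry["length"]:
        return False, "offset outside the object"
    return True, entry["base"] + offset


def relocate(descriptor, new_base):
    """Relocatability: only the object table changes, never the capability."""
    OBJECT_TABLE[descriptor]["base"] = new_base
```

Note how revoking S1's entry from O1's ACL takes one list rewrite, whereas the capability list built earlier still carries the (O1, rights) tuple for S1, which is the revocation problem the slide lists among the drawbacks of capabilities.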

Data Security
- An unauthorized user can gain access to confidential information; a user may bypass the protection mechanism of the system.
- To add extra protection, techniques are needed to ensure that an intruder is unable to understand or make use of any information obtained by wrongful access.
- Cryptography can be used for extra protection: converting a piece of text into cryptic form before storing it on the computer.

Model of Cryptography
- Plaintext (or cleartext): the original message that is to be converted into encrypted form.
- Ciphertext: a message in encrypted form.
- Encryption: the process of converting plaintext to ciphertext.
- Decryption: the process of converting ciphertext back to plaintext.
- Cryptosystem: the system for encryption and decryption of information.
- Symmetric cryptography: the key is the same for both encryption and decryption.
- Asymmetric cryptography: the key is not the same for encryption and decryption.

General Structure of a Cryptographic System
- Figure: M → E (using Ke) → C → D (using Kd) → M; the cryptanalyst CA observes C together with side information SI.
- M = plaintext, Ke = encryption key, C = ciphertext = E_Ke(M), E_Ke = encryption operation using Ke, CA = cryptanalyst (intruder), SI = side information (frequency of letters and words), Kd = decryption key.

Design Principles
- Shannon's principles:
  - Principle of diffusion: spreading the correlation and dependencies among key-string variables over substrings, to maximize the length of the plaintext needed to break the system.
  - Principle of confusion: change the piece of information so that the output has no obvious relation to the input.
- Exhaustive search principle: determination of the key needed to break the system requires an exhaustive search of a space.

Classification of Cryptographic Systems
- Conventional systems
- Modern systems:
  - Private key systems
  - Public key systems (open design)

Conventional Cryptography: Caesar Cipher
- A letter is transformed into the third letter following it in the alphabetical sequence.
- E : M → (M + 3) mod 26, where 0
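The Caesar cipher from the last slide, carried through as an added example that is not from the lecture: letters A..Z are mapped to 0..25, encryption is (M + 3) mod 26 and decryption subtracts the shift. The block also shows why the exhaustive search principle and the side information SI from the figure matter for this cipher: the key space has only 26 members, so a cryptanalyst can try every key, and letter frequencies alone point to the key. The sample plaintext, the known-word check and the function names are constructed.

```python
"""Caesar cipher: E(M) = (M + key) mod 26 with key 3, decryption, and the two
cryptanalytic ideas from the slides (exhaustive key search, letter-frequency side
information). Constructed sample data."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase   # A..Z -> 0..25


def encrypt(plaintext, key=3):
    """Shift every letter by `key` positions; non-letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            m = ALPHABET.index(ch)
            out.append(ALPHABET[(m + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext, key=3):
    """Decryption is encryption with the inverse shift (-key mod 26)."""
    return encrypt(ciphertext, -key % 26)


def exhaustive_search(ciphertext, known_word):
    """Exhaustive search principle: the key space is only 26 shifts, so try them all.
    Returns the keys whose decryption contains the known word (side information)."""
    return [k for k in range(26) if known_word.upper() in decrypt(ciphertext, k)]


def frequency_guess(ciphertext):
    """Side information SI: in English text E is the most common letter, so the most
    common ciphertext letter is most likely E shifted by the key."""
    letters = [ch for ch in ciphertext.upper() if ch in ALPHABET]
    most_common, _count = Counter(letters).most_common(1)[0]
    return (ALPHABET.index(most_common) - ALPHABET.index("E")) % 26


# Constructed sample plaintext; E is clearly its most frequent letter.
SAMPLE = "MEET ME AT THE SECRET ENTRANCE"

if __name__ == "__main__":
    c = encrypt(SAMPLE)
    print("ciphertext:", c)
    print("decrypted :", decrypt(c))
    print("keys that yield 'SECRET':", exhaustive_search(c, "SECRET"))
    print("frequency-based key guess:", frequency_guess(c))
```

Both attacks succeed against the Caesar cipher precisely because it violates Shannon's principles: each ciphertext letter depends on one plaintext letter and one key value (no diffusion), and the mapping is a fixed shift (no confusion), so the letter statistics of the plaintext survive in the ciphertext.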