Dynamic Privilege

Abstract
This dissertation introduces Dynamic Privilege, an operating system (OS) model. With Dynamic Privilege, threads may transition independently between hardware modes of execution, adding a temporal dimension to hardware privilege beyond the conventional separation in systems software. Dynamic Privilege enables multiple derivative privilege policies and system organizations. Dynamic Privilege differs from existing privilege transfers, such as system calls, interrupts, and their associated returns, because it decouples hardware mode transitions from transitions in control flow. In OS design, developers operate under an implicit assumption: access to hardware privilege is a static property. A consistent separation is upheld throughout the entire software lifetime, from the initial development of source code to the creation of binaries and, eventually, the deployment of running systems. This separation distinguishes between code designed to operate with hardware privileges, like the kernel and its modules, and application code that does not possess these privileges. The ubiquitous use of address spaces and virtual address translation further reinforces this divide, leading to system designs that fundamentally rely on isolating kernels from applications. This separation is explored and manipulated differently in traditional kernel architectures such as monolithic kernels, microkernels, exokernels, and unikernels. These models navigate the design space by statically positioning system components in privileged or unprivileged binaries and their attendant address spaces, reaching different trade-offs among performance, fault tolerance, verification, and related concerns. Kernels are powerful but austere; applications are full-featured but sandboxed. This exploration of Dynamic Privilege focuses on extending user processes with access to hardware privilege, targeting the simultaneous benefits of these two worlds and blurring the conventional distinction between kernel and application.
While we imagine a future where hardware implements Dynamic Privilege directly, this dissertation develops and explores Dynamic Privilege within the Linux OS with a new system call: kElevate. kElevate toggles a thread's execution mode, providing full hardware access. With support from the kernel module subsystem, privileged applications build up to OS-level access. They can reuse and re-implement all the kernel symbols, types, macros, inline functions, and standalone subroutines. We pioneer dynamically linking the Linux kernel into privileged processes using standard shared library formats. In this fashion, elevated processes may cooperate with the existing kernel or arbitrarily diverge from its design. We use kElevate to optimize energy and performance across the application-kernel divide while preserving compatibility with existing software. This includes transparent optimization, compatibility with the application binary interface (ABI), dynamic linking, scripting, containerization, and high-level (even interpreted) languages. We demonstrate this on microbenchmarks as well as the Redis and Memcached key-value stores. The kElevate mechanism is prototyped as a system call for x86_64 and Arm64 processors.
2024