[note] nooks reliability system (SOSP '03)

Nooks

Nooks is a reliability subsystem that aims to greatly improve OS reliability by isolating the kernel from failures in device drivers and other kernel extensions.

Nooks Design

Nooks Isolation Manager (NIM) is a transparent OS layer inserted between the kernel and kernel extensions. NIM provides four major architectural functions: Isolation, Interposition, Object Tracking and Recovery.

Isolation

Memory management: each extension runs in a lightweight kernel protection domain that can access only a limited portion of the kernel's address space.

Extension procedure call (XPC): transfers control safely between extensions and the kernel.

Interposition

Wrapper stubs: provide transparent control and data transfer across the protection-domain boundary. Wrappers live in the kernel's domain.

Kernel wrappers: interpose on kernel-supplied functions that extensions call.

Extension wrappers: interpose on extension-supplied functions that the kernel calls.

Object-tracking

Maintains a record of the kernel objects each extension uses, controls how the extension modifies them, and provides the information needed for cleanup during recovery.

Recovery

Detect and recover from a variety of extension faults.

A fault is detected when the processor raises an exception (for example an illegal memory access) while an extension is running; the exception handlers recognize it as a domain fault rather than a kernel crash.

All extension access to kernel objects outside its own domain is managed and tracked through the wrappers, so Nooks knows what must be released or reset during recovery.
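The three mechanisms above (wrappers, the object tracker and recovery) fit together as follows. The code below is an added user-space model, not Nooks source: a kmalloc wrapper records what an extension allocates, an XPC routine installs a fault handler that stands in for the modified exception handler, and nooks_recover releases whatever the faulting extension left behind. The extension's read-only view of kernel memory is a real mprotect'ed page, so a stray write triggers a genuine processor fault. The names nooks_kmalloc, xpc_call, nooks_recover, the buggy_driver routine and the 4096-byte page size are assumptions.

```c
/* Added example (not Nooks source): kernel wrappers that track the objects an
 * extension obtains, a fault detector modelled on the modified exception
 * handler, and a recovery routine.  The "kernel page" is a real read-only
 * mapping, so a stray write raises a signal the way a domain fault raises a
 * page fault.  All names (nooks_kmalloc, xpc_call, the driver) are assumed. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define MAX_OBJ 16
#define PAGE_SZ 4096                         /* mmap is page-aligned; mprotect rounds up */

struct nooks_domain {                        /* object tracker, one per extension */
    void *objs[MAX_OBJ];
    int nobjs;
};

static struct nooks_domain *current_domain;  /* non-NULL while an extension runs */
static sigjmp_buf xpc_env;                   /* kernel context saved at XPC entry */

/* Kernel wrapper for kmalloc: allocate, then record the object for cleanup. */
void *nooks_kmalloc(size_t n)
{
    void *p = malloc(n);
    if (p && current_domain && current_domain->nobjs < MAX_OBJ)
        current_domain->objs[current_domain->nobjs++] = p;
    return p;
}

/* The modified exception handler: a fault while an extension is current is a
 * domain exception, so return to the saved kernel context instead of dying. */
static void domain_fault_handler(int sig)
{
    (void)sig;
    if (current_domain) siglongjmp(xpc_env, 1);
    abort();                                 /* fault in the kernel itself */
}

/* XPC into an extension with fault detection: fn's result, or -1 on a fault. */
int xpc_call(int (*fn)(void *), void *arg, struct nooks_domain *d)
{
    static const int sigs[2] = { SIGSEGV, SIGBUS };  /* faults arrive as either */
    struct sigaction sa, old[2];
    volatile int rc = -1;                    /* volatile: survives siglongjmp */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = domain_fault_handler;
    for (int i = 0; i < 2; i++) sigaction(sigs[i], &sa, &old[i]);
    if (sigsetjmp(xpc_env, 1) == 0) {        /* returns again, nonzero, after a fault */
        current_domain = d;
        rc = fn(arg);
    }
    current_domain = NULL;
    for (int i = 0; i < 2; i++) sigaction(sigs[i], &old[i], NULL);
    return rc;
}

/* Recovery: release every object the extension still holds; returns how many. */
int nooks_recover(struct nooks_domain *d)
{
    int n = d->nobjs;
    for (int i = 0; i < n; i++) free(d->objs[i]);
    d->nobjs = 0;
    return n;
}

/* A buggy driver: allocates two buffers, then writes to read-only kernel
 * memory before it ever frees them. */
struct drv_ctx { volatile unsigned char *kernel_page; };
static int buggy_driver(void *arg)
{
    struct drv_ctx *c = arg;
    nooks_kmalloc(64);
    nooks_kmalloc(64);
    c->kernel_page[0] = 0xff;                /* domain fault */
    return 0;
}

/* 0 when the fault was caught, the leaked buffers reclaimed and the kernel
 * page untouched; otherwise the number of the first failing check. */
int nooks_recovery_demo(void)
{
    static struct nooks_domain drv;
    unsigned char *page = mmap(NULL, PAGE_SZ, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return 1;
    page[0] = 0x11;
    mprotect(page, PAGE_SZ, PROT_READ);      /* kernel memory: RO for the extension */
    struct drv_ctx ctx = { page };
    if (xpc_call(buggy_driver, &ctx, &drv) != -1) return 2;   /* exception detected */
    if (drv.nobjs != 2) return 3;                             /* two buffers leaked */
    if (nooks_recover(&drv) != 2 || drv.nobjs != 0) return 4;
    if (page[0] != 0x11) return 5;                            /* kernel data untouched */
    munmap(page, PAGE_SZ);
    return 0;
}
```

Calling nooks_recovery_demo() on Linux returns 0: the write faults, the handler unwinds to the XPC entry point, the two buffers the driver never released are reclaimed, and the protected page still holds its original byte. Real Nooks does this with the hardware page tables instead of signals, and its exception handler restores the kernel's stack pointer and page table rather than a sigjmp_buf.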

Nooks Implementation

This part covers the implementation of Nooks.

Isolation

Memory Management

Each lightweight kernel protection domain contains a single extension. All extensions live in the kernel's address space but with different access rights: the kernel has full access to the entire address space, while each extension has read-only access to kernel memory and full access to its own domain.

Nooks maintains a synchronized copy of the kernel page table for each domain. Each lightweight kernel protection domain has private structures, including heaps, stacks, memory-mapped I/O regions and kernel memory buffers.

Extension Procedure Call (XPC)

XPC transfers control safely between extensions and the kernel. The XPC functions take a function pointer, an argument list, and a protection domain. The transfer routines save the caller's context on the stack, find a stack for the calling domain, change page tables to the target domain, and then call the function. The reverse operations are performed when the call returns.

Modifications to the Kernel

  1. Maintain the extension page tables and insert code wherever the kernel modifies the kernel page table, so that each domain's copy stays synchronized.
  2. Modify the exception handlers to detect domain exceptions. On return from the exception, the code restores the stack pointer and page table.
  3. Keep the current task pointer in a global variable, because the original kernel stores the task structure at the base of the kernel stack and locates it from the stack pointer; that lookup breaks once XPC switches stacks.
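As an added illustration of the isolation implementation (not Nooks code), the following C model keeps one page-table copy per domain as a permission byte per page, performs the MMU check explicitly, and implements XPC as the save/switch/call/restore sequence described above, including a hook that keeps the extension copies synchronized when the kernel changes a mapping. The names (nooks_domain, nooks_create_domain, nooks_kernel_map, nooks_access, xpc_call, ext_write) and the eight-page address space are assumptions.

```c
/* Added example (not Nooks source): a user-space model of Nooks lightweight
 * kernel protection domains and XPC.  A page table is one permission byte
 * per page and the MMU check is an explicit call.  All names are assumed. */
#include <stdint.h>
#include <string.h>

#define NPAGES 8
#define PAGE_BYTES 64
#define PERM_R 1
#define PERM_W 2

struct nooks_domain {
    uint8_t pte[NPAGES];   /* this domain's copy of the page table */
    int stack_page;        /* private stack used when XPC enters it */
};

static uint8_t memory[NPAGES][PAGE_BYTES];   /* simulated physical memory */
static struct nooks_domain kernel_dom;       /* full access everywhere */
static struct nooks_domain *current_domain;  /* the "loaded" page table */
static int current_stack;                    /* the "stack pointer" */

void nooks_init(void)
{
    memset(kernel_dom.pte, PERM_R | PERM_W, NPAGES);
    kernel_dom.stack_page = 0;
    current_domain = &kernel_dom;
    current_stack = 0;
}

/* New extension domain owning pages first..last (heap, stack, buffers):
 * kernel memory becomes read-only, its own pages read-write. */
void nooks_create_domain(struct nooks_domain *d, int first, int last)
{
    for (int p = 0; p < NPAGES; p++)
        d->pte[p] = (kernel_dom.pte[p] & PERM_R) ? PERM_R : 0;
    for (int p = first; p <= last; p++)
        d->pte[p] = PERM_R | PERM_W;
    d->stack_page = last;
}

/* Hook for "wherever the kernel modifies the kernel page table": change the
 * kernel mapping and keep each extension's copy synchronized (still RO). */
void nooks_kernel_map(struct nooks_domain **exts, size_t n, int page, uint8_t perm)
{
    kernel_dom.pte[page] = perm;
    for (size_t i = 0; i < n; i++)
        if (!(exts[i]->pte[page] & PERM_W))  /* skip the extension's own pages */
            exts[i]->pte[page] = (perm & PERM_R) ? PERM_R : 0;
}

/* MMU check against the loaded page table: 0 on success, -1 on a fault. */
int nooks_access(int page, size_t off, int write, uint8_t *val)
{
    if (page < 0 || page >= NPAGES || off >= PAGE_BYTES) return -1;
    if (!(current_domain->pte[page] & (write ? PERM_W : PERM_R))) return -1;
    if (write) memory[page][off] = *val; else *val = memory[page][off];
    return 0;
}

/* XPC: save the caller's context, switch to a stack of the domain being
 * entered, load that domain's page table, call fn, then undo it all. */
int xpc_call(int (*fn)(void *), void *arg, struct nooks_domain *target)
{
    struct nooks_domain *saved_domain = current_domain;
    int saved_stack = current_stack;
    current_stack = target->stack_page;
    current_domain = target;
    int rc = fn(arg);
    current_domain = saved_domain;
    current_stack = saved_stack;
    return rc;
}

/* A driver routine: runs "inside" its domain and writes one byte via the MMU. */
struct ext_req { int page; size_t off; uint8_t val; };
static int ext_write(void *arg)
{
    struct ext_req *r = arg;
    return nooks_access(r->page, r->off, 1, &r->val);
}

/* Exercise the model: 0 if every expectation holds, else the failing check. */
int nooks_mm_demo(void)
{
    static struct nooks_domain e1000;
    struct nooks_domain *exts[1] = { &e1000 };
    struct ext_req own = { 5, 0, 0x42 }, kern = { 1, 0, 0x42 }, gone = { 3, 0, 1 };
    nooks_init();
    nooks_create_domain(&e1000, 4, 7);           /* pages 4..7 belong to the driver */
    if (xpc_call(ext_write, &own, &e1000) != 0) return 1;    /* own page: allowed */
    if (xpc_call(ext_write, &kern, &e1000) != -1) return 2;  /* kernel page: fault */
    if (current_domain != &kernel_dom || current_stack != 0) return 3;  /* context restored */
    if (memory[5][0] != 0x42 || memory[1][0] != 0) return 4; /* only the own write landed */
    nooks_kernel_map(exts, 1, 3, 0);             /* kernel unmaps page 3: copies follow */
    if (xpc_call(ext_write, &gone, &e1000) != -1 || e1000.pte[3] != 0) return 5;
    return 0;
}
```

nooks_mm_demo() returns 0: the driver's write to its own page lands, its write to a kernel page is refused by its read-only copy of the page table, the kernel's domain and stack are back in place after the call, and unmapping a page in the kernel propagates to the extension's copy. The real implementation differs in that the per-domain copies are hardware page tables loaded into the MMU and the stack switch is a change of the actual stack pointer.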
