Scriptable Operating Systems with Lua Lourival Vieira Neto The NetBSD Foundation lnetoNetBSD - PDF document

up=80down=30overheated=100functionthrottle(cpu,cur,max,min)--getutilizationsincelastchecklocalload=get_load(cpu)--gettemperaturelocaltemp=acpi.get_temp(cpu)iftemp�=overheatedthen--decreasefrequencyby20%cpufreq.target(cpu,cur*80/100,'=')elseifload&#x-590;upthen--risefrequencytothemaximumvaluecpufreq.target(cpu,max,'&#x-590;=')elseifloaddownthen--decreasefrequencyby20%cpufreq.target(cpu,cur*80/100,'=')endendend Figure1.LuascriptforcontrollingCPUfrequencyningthevulnerableSSHimplementation.Blockingthetrafccom-ingfromtheseserversprotectsthemfromaccessesthatcanexploittheirvulnerability.Figure2showsaLuaextensionscriptthatimplementsthislteringfacility.Toactivatetheltering,wecanassociatethescripttoaNPFrulethatappliesittooutgoingpacketsfromTCPconnectionsonport22.Functionfilterreceivestheheader(hdr)andpayload(pld)ofanetworkpacket.BecauseitonlyreceivesTCPpacketsorigi-natedonport22,itcanassumethatthepayloadcontainsanSSHmessage.IntheSSHprotocol,whenaconnectionhasbeenestab-lished,bothsidessendanidenticationstring;thescriptparsesthisstringtoverifywhetherthemessagehasbeensentbyaserverrun-ningthevulnerableSSHimplementation.Ifso,itsignalizesthatthepacketshouldbedropped.functionfilter(hdr,pld)--getasegmentofthepayloadlocalseg=pld:segment(0,255)--convertsegmentdatatostringlocalstr=tostring(seg)--patterntocapturethesoftwareversionlocalpattern='SSH%-[^-%G]+%-([^-%G]+)'--getthesoftwareversionlocalsoftware_version=str:match(pattern)ifsoftware_version=='OpenSSH_6.4'then--rejectthepacketreturnfalseend--acceptthepacketreturntrueend Figure2.LuascriptforinspectingSSHpacketsToextracttheSSHimplementationversion,functionfilterconvertstherst255bytesofthepayloadtoaLuastringandusesapatterntolocateandextracttheSSHversion.Thepatternusedbythescriptmatchesstringsbeginningwith“SSH-”(the`%'characterworksasanescapeinLuapatterns),followedbyoneormoreprintablecharacterswiththeexceptionofhyphenandwhitespace,anhyphen,oneormoreprintablecharacterswiththeexceptionofhyphenandwhitespace(whichspeciestheversion).2.2AddressingScriptableOperatingSystemIssuesBecausescriptableoperatingsystemsallowuserstoloadandruncodeinprivileged(kernel)mode,theyinvolvethesameclassofissuesexperiencedbypreviousworkonextensibleoperatingsys-tems[30,33].Becausetypicalscriptingdevelopmentpracticesareapplied,theyalsoinvolveissuesthatarepresentinregularscript-ableapplicationsscenarios.Scriptableoperatingsystemsissuesaremostlyrelatedtomain-tainingtheintegrityofthesystem,providingeaseofdevelopmentandenforcingeffectivenessandefciencyofkernelscripts.Amongthoseissues,themainconcernwhenprovidingscriptingfacilitiestoanOSkernelistopreserveitsintegrity.Kernelscriptsmustnotbeallowedtocauseanyharm.Inotherwords,theyshouldnotbeallowedtointroducemalfunctioning,intentionallyornot,eithertothesystemitselfortotheapplicationsrunningonit.Inpractice,scriptscancompromisethesystemintegrityinmanyways,suchas:Correctness:kernelscriptscouldintroduceerroneousbehaviortothesystem,likecrashingorcorruptingit.Isolation:kernelscriptsloadedbyaspecicusercouldcorruptresourcesownedbyotherusersorcompromisesystemfairness.Liveliness:kernelscriptscouldfallintoanendlessloop,blockanexecutionow,orrunforsolongthatitcouldcompromisethewholesystemresponsiveness.Conventionaloperatingsystemstypicallytrytoguaranteesys-temintegritybyallowingonlyprivilegeduserstoloadandrunkernelextensions.Ontheotherhand,extensibleoperatingsystemsusuallyallowuserstoloadandrununprivilegedcodeinsidetheirkernels.Scriptableoperatingsystemscanusebothapproaches,pro-vidingdifferentprivilegelevelsfordifferentinstancesofthekernel-embeddedinterpreter.However,duetothehigher-levelnatureofascriptingenvironment,kernelscripts,eitherprivilegedornot,can-notbefullyresponsibleforguaranteeingsystemintegrity.Inpar-ticular,evenprivilegedkernelscriptsshouldnotberesponsibleformanagingmemoryallocationorexplicitsynchronization.Thisre-sponsibilityshouldbeconnedtothesystem-programinglanguagecodetopreservetheseparationofrolesthatistypicalofscriptingenvironments.Thatis,weshouldpreventkernelscriptstocompro-misethesystemintegrityduetotheproblemsofmanagingmemoryallocation(e.g.,nullpointerdereference,memoryleak)andexplicitsynchronization(e.g.,deadlock,starvation).Thesystemlanguageshouldbeusedtoimplementthecoreandlow-leveloperations,suchasmemoryallocationandsynchronization,andthescriptinglanguageshouldbeusedtoimplementthehigh-levelandcongu-rationpart,suchasresourceallocationpolicies.Extensibleoperatingsystemsfrequentlyuseprogramming-languageresourcestopreventextensionsmalfunctioningandguar-anteesystemintegrity.Forexample,Exokernelprovidesacollec-tionofdomain-specicextensionlanguagestoallowuserstocreatetheirowndiskandnetworkabstractions;theselanguagesareveryrestrictedtopreventextensionsfromcausingharmtothesystem(theyarenotTuring-completelanguages).Singularity[13]providestoolsforstaticcodeanalysis,alsotopreventextensionviolations. meanstoisolateextensionsfromeachotherandfromthekernelitself.Becausedifferentsetsoflibrariescanbeprovidedforthosestates,itispossibletocreateindependentprotectiondomains,withdifferentprivilegelevels.4.AKernel-scriptingEnvironmentbasedonLuaOurprogrammingandexecutionenvironmentforkernelscriptingconsistsoffourbasiccomponents:theLuainterpreterproperlyem-beddedinthekernel,forexecutingLuascripts;aprogrammingin-terface,usedbykerneldeveloperstomaketheirsubsystemsscript-able;auserinterface,forloadingandrunningscriptsinthekernel-embeddedLuainterpreter;andLuabindings,forsharingfunctionsanddatastructuresbetweenthekernelanduser-denedscripts.Fig-ure3outlinesthearchitectureandoperationofthisenvironment. Figure3.ArchitectureandoperationofkernelscriptingwithLua4.1OperationoverviewLetusconsiderthescriptingextensionoftheCPUfreqsubsystem,discussedinSection2.1.SupposeauserwantstoactivatetheCPUfrequencycontrollershowninFigure1.Todoso,sheneedstoloadthisscriptintothekernel-embeddedLuainterpreter.Toloadherscript,sheusesthecommand-linetoolprovidedbytheUserInterface(UI),whichallowshertodynamicallyinteractwiththeLuainterpreter.Oncethescripthasbeenloadedintothekernel,theCPUfreqsubsystemusesitsembeddingbindingtoperiodicallycallfunc-tionthrottle,whichimplementstheuser-denedpolicy.BesidesallowingkernelsubsystemstocallLuascripts,embeddingbind-ingsarealsoresponsibleforhandlingerrorsduringtheexecutionofthosescripts.Asanexample,iftheexecutionoffunctionthrottlefails,CPUfreq'sembeddingbindingcaninvokeadefaultroutinetoprocessthefrequencyscaling.ToobtaincurrentCPUtemperature,functionthrottleusesanextensionbinding,whichprovidesthisinformationthroughfunc-tionacpi.get_temp.AnextensionbindingalsoallowsthescripttosettheCPUfrequency,throughfunctioncpufreq.target.Functionget_loadisauser-denedfunctionwhichalsousesanextensionbindingtoobtaininformationtocomputethecurrentCPUload.Kernelextensionbindingsaretypicallydevelopedasloadablekernelmodules(LKM),andareprovidedtoscriptsasregularLuaextensionlibraries,implementedinC.Theycanbeloadedintoker-nelLuastatesbythekernelsubsystem(throughtheKernelPro-grammingInterface),bytheUserInterface(throughacommand),andalsobythescriptitself(throughfunctionrequire,providedbytheLuastandardlibrary).4.2Kernel-embeddedLuaThemaincomponentofourkernel-scriptingenvironmentistheLuainterpreter,properlyembeddedintheOSkernel.AlthoughsomechangeswerenecessarytoembedLuaintheLinuxandNetBSDkernels,allthosechangeswerenon-intrusive,involvingonlythemodicationofsomemacrosintheLuacongurationheaderleandthereplacementofsomefacilitiesfromtheCstandardlibrarythatarenotpresentinakernelenvironment.Themostsignicantchangewehadtomakeconcernedtheuseofoating-pointtypes.Aswediscussedbefore,OSkernelsdonotprovidesupportforoating-pointtypes.WesubstitutedthestandardLuanumbertype,denedasdouble,fortheintegertypeintmax_t;thischangerequiredonlytheredenitionofninemacrosinleluaconf.h.Wechosetheintegertypeintmax_tfortheconvenienceofhavingthelargestintegertypeavailableintheunderlyingplatform.TheLuainterpreterdoesnotdependontheCstandardlibraryformemoryallocation.Instead,itallowshostprogramstoprovidetheirownimplementationsofmemoryallocators.WeimplementedallocatorfunctionsforbothLinuxandNetBSDusingthememoryallocationprimitivesavailableintheirkernels.Bothmemoryallo-cationfunctionshavelessthaneighteenlinesofcode.Anotherchangewehadtomakewasthereplacementofthepairoffunctionssetjmp/longjmp,usedbyLuaforexceptionhandling.WereplacedthesefunctionsbyequivalentfunctionsavailableintheLinuxandNetBSDkernels.Thischangerequiredonlytheredenitionofthreemacrosinleluaconf.h.BesidestheLuainterpreter,wealsoembeddedtheLuabasiclibraryandsomeLuastandardlibrariesthatdonotdependentirelyonoperatingsystemsresourcesoroating-pointtypes(thedebug,coroutine,tableandstringlibraries).TheonlymodicationsweneededtomakewastheremovalofsomeOS-dependentfacilitiesfromthebasicanddebuglibraries,andtheremovalofoating-pointformatsfromthestringlibrary.4.3UserInterfaceTheUserInterface(UI)hastwoparts:onerunninginuserspaceandtheotherinsidethekernel.Theuser-levelcomponentconsistsofacommand-linetoolandapseudo-devicedescriptorle.Thekernelcomponentisthecorrespondingpseudo-devicedriver.Theuser-leveltoolresemblesaLuastand-aloneinterpreter,butinsteadofexecutingLuascriptsinuserspace,itexecutestheminthekernel-embeddedLuainterpreter.Theuser-levelcommandinterfaceisactuallyafront-endforthepseudo-devicedriver.Whenauserissuesacommand,theUIuser-levelcomponentforwardsit,byinvokinganioctlsystemcall,toahandlerfunctionregisteredbythepseudo-devicedriver.Thishandlerfunction,runninginsidethekernel,providestheactualcommandsforhandlingkernelLuastatesandforloadingandrunningscriptsinsidethesestates.Thepseudo-devicedriverallowsonlyprivilegedaccess;thatis,itprocessesonlyrequestssubmittedbyprivilegedusers.Beforeprocessinganycommandsubmittedfromuserspace,thehandlerfunctioncheckstheusercredentials.Iftheuserhasadministrativeprivileges,thecommandisprocessed;otherwise,anaccesserrorisreturned. 96Mbps.Thus,wedidnotintroduceameasurableoverheadbyusingapacket-lteringruleimplementedinLua.TheSSHprotocollteringscripthas22linesofLuacode.WecannotimplementanequivalentlteringfacilityusingonlyNPFrules.Theembeddingbindinghasaround200linesofCcode.OurlteringscriptusesLuadata,aLuaextensionlibraryspeciallydevelopedforourkernel-scriptingenvironment.LuadataexposeskernelmemorysafelytoLuacode,andallowsLuascriptstoapplydatalayoutstomemoryblocks,sothattheycanaccessdelimitedeldsinsidethoseblocks.Theuseofafull-edgedlanguage,alongwithadequatelibraries(suchastheLuastringlibrary,andLuadata)allowedustoeasilyimplementtheSSH-lteringfacility.Ourkernel-scriptingenvironmentallowsonlyprivilegeduserstoloadandrunextensionscriptsinsidethekernel.Thus,kernelscriptscannotcompromisesystemintegritymorethanloadableker-nelmodulesdo.Ourenvironmentalsolimitthenumberofinstruc-tionsexecutedbytheLuainterpreter,thuspreventinganexten-sionscripttomonopolizekernelexecutiontime.TheembeddingbindingscreateindividualLuaexecutionstates,providingisolationamongextensions.Extensionscriptsarealsosandboxed;thatis,theycanuseonlyarestrictedsetofextensionbindings.IndependentresearchgroupshaveusedLunatik,ourrstimple-mentationofakernel-scriptingenvironmentbasedonLua,toex-perimentwithOSkernelextensions.TheComputerNetworksRe-searchGroupattheUniversityofBaseldevelopedbindingsfortheLinuxsubsystemNetltertoallowuserstoimplementfacilitiesforprocessingnetworkpacketsusingLuascripts[11].Intheirexper-iments,theyimplementednetworkaddresstranslation(NAT)withLua,usingarouterrunningonanIntelCeleronCPU2.4GHzanda100Mbpslocalnetwork,andmeasuredthemaximumthroughputofboththeirNATimplementationusingLuaandtheLinuxbuilt-inNATimplementation.Forbothcases,themeasuredthroughputwasaround90Mbps.TheiranalysisalsoshowedthattheLuascriptandthebuilt-inimplementationhadapproximatelythesamelatencyandsaturationinterval.TheirNATimplementationhas19linesofLuacode.ResearchgroupsattheUniversityofPaderbornandattheUni-versityofMainzusedLunatiktointroducescriptingfacilitiesintothepNFSlesystem,allowingpNFSclientstoimplementlelay-outsusingLuaforconguringstoragestrategies[12].Theymea-suredtheexecutiontimeofseveralle-layoutscriptsusinganIntelXeonCPU3.30GHz.Theaverageexecutiontimewas1sforthesimplestscriptand8sforafull-featuredone.Intheirexperiment,asimplele-layoutscripthadonly8linesofLuacode.Bothresearchgroupsenforcedsystemreliabilitybysandbox-ing;thatis,throughrestrictingtheextensionbindingsexposedtothekernelscripts.6.RelatedWorkManyextensibleoperatingsystemsuseprogramminglanguagere-sourcestoprovideextensibility.Someofthem,suchasSPIN[6]andSingularity[13],usesystemlanguages;SPINusesasubsetofModula-3andSingularityusesanextensionofC#.Thisisalsothecaseofmostconventionaloperatingsystems,whichusuallyuseCfortheirloadablekernelmodules.Somesystemsuseinsteadasetofdomain-speciclanguages;onesuchsystemisExokernel[8],whichusesrestrictedlanguagessuitableforspecictaskssuchascreatingharddiskandnetworkabstractions.Thisisalsothecaseofsomeconventionaloperatingsystems,whichuseDSLsforprovid-ingpacketltering.Whatdistinguishesourapproachfrombothkindsofextensiblesystemsisthelevelofextensibilityprovided.Extendingtheoperat-ingsystemkernelthroughscriptingstandshalfwaybetweenprovid-inglimiteddomain-speciclanguagesandprovidingafull-featuredsystemprogramminglanguage.BecausethelevelofextensibilityiscloselyrelatedtotheissueswediscussedinSection2.2,thechoiceofalanguageforextendingtheOSkernelisatrade-offamongthesefactors.Whencomparedtosystemlanguages,scriptinglanguagesareusuallyeasierfordevelopingextensionsandforenforcingprotec-tion.However,theyarealsousuallylessusefulandefcient.Thesedownsidescanbemitigated,respectively,byprovidingproperbind-ingsandbyapplyingoptimizationtechniques.WhencomparedtosomeDSLs,scriptinglanguagesareusuallymoreusefulandefcient.Ontheotherhand,DSLscanbeeas-ierfordevelopingextensionsandforenforcingprotection.Thesedownsidescanbemitigatedwiththeuseofproperbindingsandbyapplyingsandboxingtechniques.Scriptinglanguageshavealsotheadvantageofprovidingacom-monlanguagecorethatcanbeusedinmanydifferentdomains.Onceakernel-scriptingenvironmenthasbeenprovidedtosupportsomeextension(e.g.,apacketlteringfacility),itcanbereusedinseveralotherscenarios,bothforwritingotherextensions—devicedrivers,networkprotocols,diskabstractions—andforexperimen-tation.Moreover,havingonlyoneextensionlanguageenginefacil-itatesthetaskofguaranteeingsystemintegrity.Besidesextensiblesystemsthatusesystemlanguagesandthosethatusedomain-speciclanguages,thereisalsoanextensiblesys-temthatactuallyusesascriptinglanguage.TheChoicesoperatingsystem[7]providesascriptinglanguagesimilartoTclforwritingkernelextensions,allowinguserstoloadandrunscriptsinsideitskernel.Usingscripts,userscanaggregatesystemcallsinbatchestoavoidcontextswitchesandthusimprovesystemperformance.Extensionscriptsareloadedintoinstancesofakernel-embeddedTclinterpreterthatexecuteinindependentsystemprocesses[22].Asetofextensionbindingsexposestothescriptsthenecessaryre-sourcesforextendingthekernel.WhatdistinguishesourapproachfromChoicesisoursupportofscriptingbyembeddingthelan-guageinterpreter,inadditiontoscriptingbyextendingit.Finally,anotherimportantpointthatdistinguishesourapproachfrommostpreviousextensibleoperatingsystemsisthatwehavebeenfocusingonextendingexistinggeneral-purposeoperatingsys-temsthroughkernelscripting,insteadofimplementingawholescriptableoperatingsystemfromscratch.7.ConclusionsInthispaperwepresentedourconceptofascriptableoperat-ingsystem,whichresultsfromapplyingtheideaofextensibilitythroughscriptingtotheconceptofextensibleoperatingsystems.Basedonthisconcept,wedevelopedascriptingenvironmentthatallowstheextensionofkernelsubsystemsthroughuserscripts,dy-namicallyloadedandexecutedinsidethekernel.Ourkernel-scriptingenvironmentusesLua,apopularscriptinglanguage,withminimalchanges.TheeaseofembeddingLuainbothLinuxandNetBSDkernelsattesteditsnotableportability,showingthatitcanbeusedeveninhostileenvironmentssuchasOSkernels.PreviousworkshavealreadyexploredtheideaofextendinganOSthroughuserscripts;however,mostofthemproviderestricteddomain-speciclanguages,suitableforspecictasks.Ourenviron-ment,instead,providesageneral-purpose,full-edgedprogram-minglanguage,whichnotonlyallowsthedevelopmentofmoresophisticatedextensionsbutalsoprovidesaninterestingprogram-mingenvironmentforkerneldevelopersthemselves.Asfarasweknow,itisalsotherstenvironmentthatprovideskernelextensibil-itybybothembeddingandextendingascriptinglanguage.More-over,weworkedontopofexistinggeneral-purposeoperatingsys-tems,notonsystemsinitiallydesignedforscripting.Wehavealreadyimplementedourscriptingenvironmentfortwogeneral-purposeoperatingsystems:LinuxandNetBSD.Our [34]C.SmallandM.Seltzer.VINO:AnIntegratedPlatformfor OperatingSystemandDatabaseResearch.Technicalreport, 1994. [35]T.Voigt,R.Tewari,D.Freimuth,andA.Mehra.Kernelmech- anismsforservicedifferentiationinoverloadedwebservers. In USENIXAnnualTechnicalConference,GeneralTrack , pages189–202,2001. [36]T.YlonenandC.Lonvick.TheSecureShell(SSH)Transport LayerProtocol,2006.URL http://www.ietf.org/rfc/ rfc4253.txt .