This paper presents the design and an evaluation of Mondrix, a version of the Linux kernel with Mondriaan Memory Protection (MMP). MMP is a combination of hardware and software that provides efficient fine-grained memory protection between multiple protection domains sharing a linear address space. Mondrix uses MMP to enforce isolation between kernel modules which helps detect bugs, limits their damage, and improves kernel robustness and maintainability. During development, MMP exposed two kernel bugs in common, heavily-tested code, and during fault injection experiments, it prevented three of five file system corruptions.The Mondrix implementation demonstrates how MMP can bring memory isolation to modules that already exist in a large software application. It shows the benefit of isolation for robustness and error detection and prevention, while validating previous claims that the protection abstractions MMP offers are a good fit for software. This paper describes the design of the memory supervisor, the kernel module which implements permissions policy.We present an evaluation of Mondrix using full-system simulation of large kernel-intensive workloads. Experiments with several benchmarks where MMP was used extensively indicate the additional space taken by the MMP data structures reduce the kernel's free memory by less than 10%, and the kernel's runtime increases less than 15% relative to an unmodified kernel.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	M. J. Accetta, R. V. Baron, W. Bolosky, D.B. Golub, R. F. Rashid, A. Tevanian, and M.W. Young. Mach: A new kernel foundation for unix development. In Proceedings of Summer Usenix, 1986.
	2	Advanced Micro Devices. http://www.amd.com/, 2004.
	3	Thomas Ball , Sriram K. Rajamani, The SLAM project: debugging system software via static analysis, Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.1-3, January 16-18, 2002, Portland, Oregon
	4	B. N. Bershad , S. Savage , P. Pardyak , E. G. Sirer , M. E. Fiuczynski , D. Becker , C. Chambers , S. Eggers, Extensibility safety and performance in the SPIN operating system, Proceedings of the fifteenth ACM symposium on Operating systems principles, p.267-283, December 03-06, 1995, Copper Mountain, Colorado, United States
	5	Jeff Bonwick. The slab allocator: An object-caching kernel memory allocator. In USENIX Summer, pages 87--98, 1994.
	6	Nicholas P. Carter , Stephen W. Keckler , William J. Dally, Hardware support for fast capability-based addressing, Proceedings of the sixth international conference on Architectural support for programming languages and operating systems, p.319-327, October 05-07, 1994, San Jose, California, United States
	7	Jeffrey Scott Chase, An operating system structure for wide-address architectures, University of Washington, Seattle, WA, 1996
	8	Peter M. Chen , Wee Teck Ng , Subhachandra Chandra , Christopher Aycock , Gurushankar Rajamani , David Lowell, The Rio file cache: surviving operating system crashes, Proceedings of the seventh international conference on Architectural support for programming languages and operating systems, p.74-83, October 01-04, 1996, Cambridge, Massachusetts, United States
	9	Jeremy Condit , Matthew Harren , Scott McPeak , George C. Necula , Westley Weimer, CCured in the real world, Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation, June 09-11, 2003, San Diego, California, USA
	10	Intel Corp. Intel Itanium Architecture Software Developer's Manual v2.1, 2002.
	11	Microsoft Corporation. Microsoft Windows Vista Developer Center, 2005. http://msdn.microsoft.com/windowsvista/default.aspx.
	12	B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, I. Pratt, A. Warfield, P. Barham, and R. Neugebauer. Xen and the art of virtualization. In SOSP '03, 2003.
	13	Dawson Engler , Ken Ashcraft, RacerX: effective, static detection of race conditions and deadlocks, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	14	Steven M. Hand, Self-paging in the Nemesis operating system, Proceedings of the third symposium on Operating systems design and implementation, p.73-86, February 1999, New Orleans, Louisiana, United States
	15	Hermann Härtig , Michael Hohmuth , Jochen Liedtke , Sebastian Schönberg, The performance of μ-kernel-based systems, Proceedings of the sixteenth ACM symposium on Operating systems principles, p.66-77, October 05-08, 1997, Saint Malo, France
	16	John Hartman , Larry Peterson , Andy Bavier , Peter Bigot , Patrick Bridges , Brady Montz , Rob Piltz , Todd Proebsting , Oliver Spatscheck, Experiences building a communication-oriented JavaOS, Software—Practice & Experience, v.30 n.10, p.1107-1126, Aug. 2000  [doi>10.1002/1097-024X(200008)30:10<1107::AID-SPE331>3.3.CO;2-S]
	17	Germont Heiser , Kevin Elphinstone , Jerry Vochteloo , Stephen Russell , Jochen Liedtke, The Mungi single-address-space operating system, Software—Practice & Experience, v.28 n.9, p.901-928, July 25, 1998  [doi>10.1002/(SICI)1097-024X(19980725)28:9<901::AID-SPE181>3.0.CO;2-7]
	18	Merle E. Houdek , Frank G. Soltis , Roy L. Hoffman, IBM System/38 support for capability-based addressing, Proceedings of the 8th annual symposium on Computer Architecture, p.341-348, May 12-14, 1981, Minneapolis, Minnesota, United States
	19	Galen Hunt, James Larus, David Tarditi, and Ted Wobber. Broad new os research: Challenges and opportunities. In Proceedings of the 10th Workshop on Hot Topics in Operation Systems, June 2005.
	20	Richard K. Johnsson , John D. Wick, An overview of the mesa processor architecture, Proceedings of the first international symposium on Architectural support for programming languages and operating systems, p.20-29, March 01-03, 1982, Palo Alto, California, United States
	21	Eric J. Koldinger , Jeffrey S. Chase , Susan J. Eggers, Architecture support for single address space operating systems, ACM SIGPLAN Notices, v.27 n.9, p.175-186, Sept. 1992
	22	Butler Lampson. Protection. In Proceedings of the 5th Annual Princeton Conference on Information Sciences and Systems, pages 437--443, Princeton University, 1971.
	23	Kevin Lawton. bochs: The cross platform IA-32 emulator, 2004. http://bochs.sourceforge.net/.
	24	Henry M. Levy, Capability-Based Computer Systems, Butterworth-Heinemann, Newton, MA, 1984
	25	David Lie , Chandramohan A. Thekkath , Mark Horowitz, Implementing an untrusted operating system on trusted hardware, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	26	David Lie, Chandramohan Thekkath, Mark Mitchell, Patrick Lincoln, Ban Boneh, John Mitchell, and Mark Horowitz. Architectural support for copy and tamper resistant software. In ASPLOS-IX, 2000.
	27	Peter S. Magnusson , Magnus Christensson , Jesper Eskilson , Daniel Forsgren , Gustav Hållberg , Johan Högberg , Fredrik Larsson , Andreas Moestedt , Bengt Werner, Simics: A Full System Simulation Platform, Computer, v.35 n.2, p.50-58, February 2002  [doi>10.1109/2.982916]
	28	Madanlal Musuvathi , David Y. W. Park , Andy Chou , Dawson R. Engler , David L. Dill, CMC: a pragmatic approach to model checking real code, Proceedings of the 5th symposium on Operating systems design and implementation Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading , December 09-11, 2002, Boston, Massachusetts  [doi>10.1145/1060289.1060297]
	29	George C. Necula , Scott McPeak , Westley Weimer, CCured: type-safe retrofitting of legacy code, Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.128-139, January 16-18, 2002, Portland, Oregon
	30	Norman Ramsey , Simon Peyton Jones, A single intermediate language that supports multiple implementations of exceptions, ACM SIGPLAN Notices, v.35 n.5, p.285-298, May 2000
	31	Jerome H. Saltzer, Protection and the control of information sharing in multics, Communications of the ACM, v.17 n.7, p.388-402, July 1974  [doi>10.1145/361011.361067]
	32	Jerome H. Saltzer and Michael D. Schroeder. The protection of information in computer systems. In Proceedings of the IEEE 63 9, pages 1278--1308, 1975.
	33	Jonathan Strauss Shapiro , David J. Farber , Jonathan M. Smith, Eros: a capability system, 1999
	34	Jonathan S. Shapiro , Jonathan M. Smith , David J. Farber, EROS: a fast capability system, Proceedings of the seventeenth ACM symposium on Operating systems principles, p.170-185, December 12-15, 1999, Charleston, South Carolina, United States
	35	Jonathan S. Shapiro, John Vanderburgh, Eric Northup, and David Chizmadia. Design of the EROS trusted window system. In USENIX Security, 2004.
	36	G. Sirer, M. Fiuczynski, P. Pardyak, and B. N. Bershad. Safe dynamic linking in an extensible operating system. Technical Report TR-95-11-01, University of Washington, 1995.
	37	Michael M. Swift , Brian N. Bershad , Henry M. Levy, Improving the reliability of commodity operating systems, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	38	Michael Swift, Muthukaruppan, Brian N. Bershad, and Henry M. Levy. Recovering device drivers. In OSDI-6, 2004.
	39	Andrew Whitaker , Marianne Shaw , Steven D. Gribble, Scale and performance in the Denali isolation kernel, Proceedings of the 5th symposium on Operating systems design and implementation Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading , December 09-11, 2002, Boston, Massachusetts  [doi>10.1145/1060289.1060308]
	40	M. V Wilkes, The Cambridge CAP computer and its operating system (Operating and programming systems series), North-Holland, 1979
	41	Niklaus Wirth , Jürg Gutknecht, Project Oberon: the design of an operating system and compiler, ACM Press/Addison-Wesley Publishing Co., New York, NY, 1992
	42	Emmett Witchel and Krste Asanović. Hardware works, software doesn't: Enforcing modularity with Mondriaan memory protection. In HotOS-9, 2003.
	43	Emmett Witchel , Josh Cates , Krste Asanović, Mondrian memory protection, Proceedings of the 10th international conference on Architectural support for programming languages and operating systems, October 05-09, 2002, San Jose, California

• ACM SIGOPS Operating Systems Review
  Volume 39 ,  Issue 5   December 2005