IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661, p-ISSN: 2278-8727, Volume 13, Issue 1 (Jul. - Aug. 2013), PP 07-11 www.iosrjournals.org
Towards Reliable Systems with User Action Tolerance and Recovery
Vivek Thachil (1), Dileesh E D (2)
1 (Computer Science and Engineering, Govt. Engineering College / University of Calicut, India)
2 (Computer Science and Engineering, Govt. Engineering College / University of Calicut, India)
Abstract: This paper presents mechanisms that enable an operating system to tolerate certain user actions and to recover some resources, such as files. Certain user actions can make the system completely unavailable or unreliable. To remedy this situation, we introduce a series of mechanisms under the name Tolerance Driver. A tolerance driver can transparently protect the system from user actions and recover system configuration and resources. There are two drivers for tolerance and recovery: strategic and stringent. The stringent driver uses strict methods of tolerance and the strategic driver uses strategic methods for tolerance and recovery. We have created the tolerance drivers on the Linux distribution Ubuntu 12.04 as character drivers. We expect that the tolerance drivers can improve the reliability of the system. Lastly, these mechanisms were easily added to the kernel as a kernel module, as part of the operating system.

Keywords - Action Tap, Stringent driver, Strategic driver, Tolerance driver, User Action Tolerance

I. Introduction

Reliability is one significant factor every operating system should try to improve. System failures due to user actions, such as accidental actions, are common in every domain. Failures bring user frustration and loss of various forms; sometimes failures result in huge business loss. Most such actions are related to loss of data by accidental deletion of files: a user deletes some system file or important work file, leading to an unstable system or loss of data. Hence mechanisms to tolerate user actions are important to protect the system and the user's work. Most accidental file deletions are stopped by user privilege levels: some files are kept at a higher privilege (accessible only to the administrator), cannot be removed by non-privileged users, and are so protected from normal users. But a problem arises when normal users are given higher privilege to perform certain privileged actions and end up accidentally deleting the important files.
This paper presents a new mechanism called the tolerance driver, which can improve system reliability by protecting a list of files the user wants to protect. The driver makes the system tolerant to harmful user actions and helps in recovering resources which are essential for the system. In general, the tolerance driver tracks user actions and, on detecting actions that are harmful, takes the necessary steps to tolerate that action. Sometimes the driver lets the user continue the harmful action and takes measures to recover the system before it becomes completely unrecoverable from the damage created by the action. We make the following assumptions regarding the user environment:
1. Specific user actions such as file deletion go through the same interface or procedures leading to deletion.
2. The intention of the user action is not malicious; actions are accidental and sometimes harmful.
We implemented the tolerance driver as two separate drivers with different methods for tolerance on Linux-based operating systems. Our results show that the tolerance driver could:
1. Tolerate user actions such as deletion of important files.
2. Recover important files which have undergone actual deletion from backup before the system becomes partially or completely non-operational.
3. Be easily integrated into the operating system.
4. Require minimum overhead.
SELinux (Security Enhanced Linux) is a feature of Linux that provides mechanisms to support access control policies. It has been integrated into the Linux mainline since version 2.6. It can be used to control the activities and privileges of users, processes and daemons. But the mechanism is not designed to tolerate the actions of a privileged user, process or daemon. The shadow driver is a mechanism used to tolerate device driver failures affecting the operating system and the applications dependent on it. It makes this possible by tracking driver actions in passive mode and taking over the functionality of the driver being shadowed in active mode.
III. Kernel Module and Tolerance Driver Design
Kernel modules are units that are used to improve or add functionality to the kernel. One such kernel module is a driver. Device drivers are used to communicate with devices attached to the system, but drivers are also used to perform other privileged actions besides communicating with a device. Drivers execute at the highest privilege level and can perform many privileged actions. A user process communicates with a driver via a device file and makes the driver perform the required advanced functionality.

3.1 User Actions and Kernel Calls

User actions, including creating, opening, reading and writing files, are converted to kernel system calls, which enter the kernel, and the kernel performs the required functionality. System calls are the interface to the kernel used by programs to perform any operation. The tolerance driver functions by creating another interface between user actions and the kernel system call interface.

3.2 Tolerance Driver

A tolerance driver acts as a kernel module to provide tolerance for a particular user action. In some systems most of the system resources are in the form of files. Hence it is essential to protect these files from removal or permanent removal. The user action that is tolerated by the tolerance driver is removal of a system resource in the form of a file. All user actions invoke one of the kernel interfaces. The tolerance driver functionality is split into two drivers: the Stringent and the Strategic driver. The Stringent Tolerance Driver functions by acting as an interface between the user action and the kernel interface of the system call. The Strategic tolerance driver, by contrast, does not intercept anything between the user action and the kernel interface; it tolerates the user action by means of backup and recovery between startup and shutdown of the system.

3.3 Active and Passive Mode

The drivers function in both active and passive mode. Both the strategic and the stringent driver are active at system startup.
On startup they call a program called Link Collector to collect links to the files that the user wants to protect. The links are collected from a Links file associated with the Link Collector. The Link Collector communicates with the driver by means of a device file and exports the information regarding file links. When user actions are related to file removal or deletion, the stringent tolerance driver enters active mode. It collects information regarding the file being removed, such as its location and name, matches this information against the data collected from the Link Collector, and if a match is found it blocks the user action to remove the file. The strategic driver is active only at system startup and shutdown, and passive on actions related to file removal. On system startup it becomes active and creates a backup of the files represented by the links for which the user requires tolerance. On shutdown the driver checks the existence of the files represented by the links collected by the Link Collector; if a file is found missing, it recovers it from the backup. The Backup is a location hidden from the user by kernel mechanisms. The Backup mirrors the directory structure of the protected files, similar to the system file directory structure, which allows the backup to contain files of the same name.

3.4 File Classes

The tolerance drivers bring protection to system files, including important user files. Files protected by the drivers are classified into two types: Type1 and Type2. Type1 files are essential for system function throughout its working. Type2 files are essential for the system to start working. The Stringent driver tolerates user actions that remove Type1 files, and the Strategic driver does the same for Type2 files. Type2 files are allowed to be removed while the system is working, since they are recovered by the driver at system shutdown. Since a normal system start implies the Type2 files are present, they are copied to the Backup at startup.
3.5 Action Taps

The Stringent driver functions by inserting methods called Action Taps between the user action program and the kernel interface. An Action Tap is activated on the respective user action it represents, such as file read, write or removal, and stays in passive mode otherwise. The Removal Action Tap is invoked on file removal and in turn invokes the Stringent driver, which checks the file to be removed against the Link Collector information and takes action. Fig.1 shows the position of the driver and the Removal Action Tap.
Fig.1 Position of Tolerance Driver and Action Tap

3.6 Stringent Tolerance Driver Design

The Stringent driver needs to collect links (representing files) at startup and so needs to call the user program Link Collector, which exports the links to the driver. The driver needs to tap file removal actions through removal action taps, check the links of the files to be removed, and block the user action that would remove a file represented by one of the links. Fig.2 shows the functioning of the Stringent driver. Fig.3 shows the lifetime of the Stringent driver in active and passive mode.

3.7 Strategic Tolerance Driver Design

The Strategic driver also needs the collection of links by the Link Collector. Unlike the Stringent driver it does not require the removal action tap, but it needs a shutdown action tap which activates the driver at system shutdown. At startup, after link collection, it needs to back up the files represented by the links, for which it calls the user program File Backup. The File Backup program copies all files represented by the links from their respective locations into the Backup location. At system shutdown it needs to check the existence of the linked files and, if one is not present, recover it from the backup by invoking the File Recovery user program. This gives users the flexibility to experiment with system files, compared to the stringent mechanism. Fig.4 shows the lifetime of the Strategic driver in active and passive mode. Fig.5 shows the functioning of the Strategic driver.

Fig.2 Functioning of Stringent Driver
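As an added illustration (not the authors' driver code), the following user-space C model shows the decision the Stringent design above describes: the Removal Action Tap normalizes the path being removed and checks it against the links the Link Collector exported, blocking the removal on a match. The Links file format (one absolute path per line), the path normalization and all function names are assumptions; the real driver runs in kernel space and is invoked from the patched system call.

```c
/* User-space model of the Stringent driver's Removal Action Tap check (added
 * example, not the paper's driver; the Links format and all names are assumed). */
#include <string.h>
#define MAX_LINKS 64
#define PATH_LEN 256

/* Table the Link Collector would export to the driver through its device file. */
static char protected_links[MAX_LINKS][PATH_LEN];
static int n_links;

/* Collapse "//" and "/./" so "/etc//./passwd" still matches "/etc/passwd";
 * an in-kernel tap would compare the resolved dentry rather than a path string. */
static void normalize(const char *in, char *out) {
    int o = 0;
    for (int i = 0; in[i] && o < PATH_LEN - 1; i++) {
        if (in[i] == '/' && o > 0 && out[o - 1] == '/') continue;
        if (in[i] == '.' && o > 0 && out[o - 1] == '/' &&
            (in[i + 1] == '/' || in[i + 1] == '\0')) continue;
        out[o++] = in[i];
    }
    if (o > 1 && out[o - 1] == '/') o--;   /* drop a trailing slash */
    out[o] = '\0';
}

/* Parse Links file content (constructed: one absolute path per line, blank lines
 * ignored) the way the Link Collector would before exporting it to the driver. */
static int load_links(const char *links_file) {
    char line[PATH_LEN];
    n_links = 0;
    while (*links_file && n_links < MAX_LINKS) {
        const char *nl = strchr(links_file, '\n');
        size_t len = nl ? (size_t)(nl - links_file) : strlen(links_file);
        if (len > 0 && len < sizeof line) {
            memcpy(line, links_file, len); line[len] = '\0';
            normalize(line, protected_links[n_links++]);
        }
        links_file += nl ? len + 1 : len;
    }
    return n_links;
}

/* Removal Action Tap decision: 1 = let the unlink proceed, 0 = block it because
 * the target is a protected (Type1) file. */
static int removal_tap(const char *path) {
    char norm[PATH_LEN];
    normalize(path, norm);
    for (int i = 0; i < n_links; i++)
        if (strcmp(norm, protected_links[i]) == 0) return 0;
    return 1;
}
```

Only exact (normalized) path matches are blocked, which is why the evaluation notes that removal through any interface the tap does not cover is not tolerated.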
Fig.3 Lifetime of Stringent Driver
Fig.4 Lifetime of Strategic Driver
Fig.5 Functioning of Strategic Driver
IV. Tolerance Driver Implementation
The drivers were implemented as character drivers on the Linux distribution Ubuntu 12.04 with kernel version 3.5. The Link Collector program runs as a process in user space and is called at system startup by the driver. The functionality of link collection was delegated to a user program since it is a file-related task and takes time; and since drivers are kernel modules executing in kernel space, we did not want the module to perform file-related actions in the kernel, since that led to many system crashes. The Link Collector communicates with the drivers by writing to the device file associated with the strategic or stringent character driver. The Removal and Shutdown action tap mechanisms are implemented by patching system calls, so that the patched system calls are invoked on the respective user action. The patch code invokes the driver to take the necessary action for tolerance and recovery.
The tolerance drivers were evaluated on three aspects: performance, action-tolerance and limitations.
1. Performance. The performance overhead imposed by the tolerance drivers is almost nil in passive mode. The driver is invoked by the action tap for each tapped action; since processing is done only for files to be protected, the overhead in active mode is also small. The Strategic driver blocks system shutdown until the Type2 files are recovered, which adds overhead to the system.
2. Limitations. The tolerance drivers are meant to tolerate accidental user actions, not malicious, intentional user actions to damage the system. An updated Links file is exported to the tolerance driver only at the next system startup.
3. Action-tolerance. The system was found to be tolerant to user actions related to file removal as long as the limited kernel interface patched by the action tap is used for removal.

IV. Conclusion

Tolerance to harmful actions is essential for improving system reliability. We have designed and developed tolerance drivers which can tolerate accidental user actions that may be harmful. From our experience we see that the tolerance driver can block certain user actions and recover resources easily. Finally, these tolerance mechanisms require no change to user programs or the kernel.