Chapter 6. Security in Open Source Software

6.2.1. Bandwidth Protection

As the bandwidth protection of the host system's hardware resources is of high relevance, possible solutions for Prob. 1 are introduced in this subsection. Unlimited bandwidth consumption is a way to influence or compromise the execution of other implementations across the boundaries of a VM.

Unfortunately, a general solution for every kind of hardware resource cannot currently be provided. Nevertheless, a possible solution is the use of partitioning, which will be described exemplarily for CPUs and network interfaces.
6.2.1.1. Process Scheduling

For a host system, a VM is essentially a normal process that is executed, but knowledge about particular processes inside a VM is typically not available in the host. Therefore, partitioning of process execution must be done on the host system for the hypervisor process.

As for static memory partitioning (Subsection 6.1.1), the ARINC 653P1-2 requires the use of static temporal partitioning for embedded avionics systems [3]. This means a global sample or cycle time $T_c$ is defined, which is divided into $n$ temporal slots $s_i$ with $i \in \{0, 1, 2, \ldots, n-1\}$, $t_i = \mathrm{length}(s_i)$, and $T_c = \sum_{i=0}^{n-1} t_i$. Each temporal slot $s_i$ is executed exactly once in one cycle $T_c$ for the duration of its execution time $t_i$, while a certain process is assigned to each temporal slot $s_i$. Static temporal partitioning is very robust and easy to implement, but inflexible and mainly usable in embedded systems.

Process scheduling for multi-process operating systems with a non-fixed number of processes is far more complex, because static temporal partitioning cannot be used. One important requirement for the scheduler of the host system is that it behaves – at least partly – deterministically. Thus, it must be assured that no process starves [77, pp. 457-504]. Several scheduler strategies exist that are deterministic and avoid starvation, but a fair-share scheduler [77, pp. 457-504] probably fits the requirements best. It not only avoids starvation of processes completely and is deterministic, but also provides the possibility to group processes, while the execution of these groups is done in a "fair way". Accordingly, if supplier and open model implementations are in separate groups, a malicious or faulty supplier implementation could only influence other supplier implementations in their scheduling.
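The following simulation is an added example and not part of the thesis: it models the two CPU partitioning schemes described above. `static_partition_trace` builds an ARINC 653 style cycle from constructed slot lengths and checks that $T_c$ is the sum of the $t_i$ and that every slot runs once per cycle; `simulate` contrasts plain per-process round-robin with a group-first fair-share policy on a constructed workload in which a faulty supplier implementation has forked five processes that all demand the CPU without end. All process names, tick counts and the exact round-robin realisation of "fair share" are assumptions made for the illustration.

```python
# Added example (not from the thesis): simulation of static temporal
# partitioning and group-based fair-share scheduling. Workloads, names and
# tick counts are constructed for the illustration.
from collections import deque
from dataclasses import dataclass


@dataclass
class Proc:
    name: str
    group: str        # "open" (open model) or "supplier"
    demand: int       # CPU ticks the process still wants
    ran: int = 0      # CPU ticks it actually received


def static_partition_trace(slots, cycles):
    """ARINC 653 style static temporal partitioning.

    `slots` is an ordered list of (process, t_i). The cycle time T_c is the
    sum of all t_i, and every slot runs exactly once per cycle regardless of
    how much CPU its process would like to have.
    """
    T_c = sum(t for _, t in slots)
    trace = [(name, t) for _ in range(cycles) for name, t in slots]
    return T_c, trace


def _next_runnable(queue):
    """Round-robin pick: rotate the queue until a process with demand is found."""
    for _ in range(len(queue)):
        proc = queue[0]
        queue.rotate(-1)
        if proc.demand > 0:
            return proc
    return None


def simulate(procs, ticks, fair_share):
    """Tick-based scheduler simulation returning CPU ticks per group.

    fair_share=False: round-robin over all processes, so a group that spawns
                      more processes grabs a larger share of the CPU.
    fair_share=True:  round-robin over groups first, then inside the chosen
                      group, so a group's share is fixed no matter how many
                      processes it contains. Groups with nothing runnable
                      are skipped, so no process starves.
    """
    groups = {}
    for p in procs:
        groups.setdefault(p.group, deque()).append(p)
    group_order = deque(groups)
    all_procs = deque(procs)

    for _tick in range(ticks):
        chosen = None
        if fair_share:
            for _ in range(len(group_order)):
                g = group_order[0]
                group_order.rotate(-1)
                chosen = _next_runnable(groups[g])
                if chosen is not None:
                    break
        else:
            chosen = _next_runnable(all_procs)
        if chosen is None:      # nothing runnable: the CPU idles this tick
            continue
        chosen.ran += 1
        chosen.demand -= 1

    return {g: sum(p.ran for p in q) for g, q in groups.items()}


def runaway_scenario():
    """Constructed workload: one open-model process plus a faulty supplier
    implementation that has forked five processes, all wanting the CPU forever."""
    forever = 10**9
    return [Proc("open-model", "open", forever)] + [
        Proc(f"supplier-{k}", "supplier", forever) for k in range(5)
    ]


if __name__ == "__main__":
    slots = [("open", 3), ("supplier-A", 2), ("supplier-B", 5)]
    T_c, trace = static_partition_trace(slots, cycles=2)
    print("T_c =", T_c, "trace:", trace)
    print("round-robin :", simulate(runaway_scenario(), 600, fair_share=False))
    print("fair-share  :", simulate(runaway_scenario(), 600, fair_share=True))
```

With per-process round-robin the open-model group receives one sixth of the 600 ticks because the supplier group simply has more processes; with the group-first policy both groups receive 300 ticks, which is the isolation property the text relies on: a misbehaving supplier implementation only competes with the other supplier processes in its own group.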
6.2.1.2. Network Traffic Scheduling

It is unavoidable that processes of the software have to communicate with processes on other computers or systems, and processes jailed in VMs also need access to real network interfaces. Although this access is never direct, a malicious or faulty implementation could consume too much network bandwidth by, for example, sending plenty of user datagram protocol (UDP) packets. This could limit the ability of any other process on the local system – independent of whether it is executed in a VM or not – to transfer data. This problem is mainly related to network traffic or bandwidth outgoing from the local system, because network traffic incoming to the local system is generated by other computers on the network, which can hardly be influenced by the receiving system.
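The simulation below is an added example, not code from the thesis, and carries the partitioning idea of the subsection over to outgoing network traffic. A constructed arrival trace puts 200 UDP datagrams from a flooding VM in front of every datagram of a well-behaved VM. `fifo_egress` models a single shared transmit queue; `partitioned_egress` gives every VM its own queue and serves the queues with deficit round robin. The per-VM queues, the deficit round robin discipline, the quantum of 1500 bytes and the packet sizes are assumptions of this example and not a scheme the thesis prescribes.

```python
# Added example (not from the thesis): egress partitioning on a shared network
# interface. The arrival order and packet sizes are constructed; per-VM queues
# served by deficit round robin are an assumption of this example.
from collections import deque

MTU_PAYLOAD = 1400  # constructed datagram size in bytes, used for every packet


def constructed_arrivals(flood_ratio=200, victim_packets=50):
    """Arrival order at the host NIC: before each datagram of the well-behaved
    VM ('victim'), a faulty VM ('flooder') has queued `flood_ratio` datagrams."""
    arrivals = []
    for _ in range(victim_packets):
        arrivals.extend(("flooder", MTU_PAYLOAD) for _ in range(flood_ratio))
        arrivals.append(("victim", MTU_PAYLOAD))
    return arrivals


def fifo_egress(arrivals, budget_bytes):
    """Single shared transmit queue, strictly first come first served, until the
    link budget for the observation window is used up. Returns bytes sent per VM."""
    sent = {}
    for vm, size in arrivals:
        if size > budget_bytes:
            break
        budget_bytes -= size
        sent[vm] = sent.get(vm, 0) + size
    return sent


def partitioned_egress(arrivals, budget_bytes, quantum=1500):
    """One queue per VM served with deficit round robin: each round a VM earns
    `quantum` bytes of credit and sends as many whole packets as the credit
    allows. A flooding VM therefore only fills its own queue."""
    queues = {}
    for vm, size in arrivals:
        queues.setdefault(vm, deque()).append(size)
    sent = {vm: 0 for vm in queues}
    deficit = {vm: 0 for vm in queues}
    order = deque(queues)
    while budget_bytes > 0 and any(queues.values()):
        vm = order[0]
        order.rotate(-1)
        q = queues[vm]
        if not q:
            deficit[vm] = 0     # an idle VM does not bank credit for later bursts
            continue
        deficit[vm] += quantum
        while q and q[0] <= deficit[vm] and q[0] <= budget_bytes:
            size = q.popleft()
            deficit[vm] -= size
            sent[vm] += size
            budget_bytes -= size
        if q and q[0] > budget_bytes:   # link budget for the window exhausted
            break
    return sent


if __name__ == "__main__":
    budget = 500 * MTU_PAYLOAD   # the link carries 500 datagrams in the window
    print("FIFO        :", fifo_egress(constructed_arrivals(), budget))
    print("partitioned :", partitioned_egress(constructed_arrivals(), budget))
```

In the shared-queue case the well-behaved VM gets only 2 of its 50 datagrams out within the window, because the flooder's backlog is always ahead of it; with per-VM queues all 50 are sent and the flooder only loses the capacity it was never entitled to. Incoming traffic, as the text notes, cannot be partitioned this way by the receiving host, since its volume is decided by the senders.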