DOCSLIB.ORG

Capability-Based Addressing Is Course, to Some Scheme for Preserving the Integrity of the Discussed

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Capability-Based Addressing Is Course, to Some Scheme for Preserving the Integrity of the Discussed Introduction The idea of a capability which acts like a ticket au- thorizing the use of some object was developed by Dennis and Van Horn [15] as a generalization of ad- dressing and protection schemes such as the codewords of the Rice computer [28], the descriptors of the Bur- roughs machines [6, 7], and the segment and page tables Capability-Based in computers such as the GE-645 and IBM 360/67 [1, 14]. Dennis and Van Horn extended the earlier schemes to Addressing include not just memory but all systems objects--mem- R.S. Fabry ory, processes, input/output devices, and so on--and to University of California. allow the explicit manipulation of access control by non- system programs. The idea is that a capability is a special kind of address for an object, that these addresses can be created only by the system, and that, in order to use any object, one must address it via one of these addresses. The use of capabilities as a protection mechanism has been the subject of considerable interest [24, 29, 32, 43]. It is assumed that the reader is familiar with the use of capabilities for protection; a different aspect of capa- Various addressing schemes making use of segment bilities is developed here. tables are examined. The inadequacies of these schemes It is argued below that there is an advantage in using when dealing with shared addresses are explained. These capabilities as a basic component of the address of every inadequacies are traced to the lack of an efficient absolute object (except for objects associated with the processor address for objects in these systems. The direct use of a such as its registers). In order to accomplish this, user capability as an address is shown to overcome these programs must be able to store capabilities freely into difficulties because it provides the needed absolute ad- various permanent user data structures (subject, of dress. Implementation of capability-based addressing is course, to some scheme for preserving the integrity of the discussed. It is predicted that the use of tags to identify representation of capabilities). Not all schemes which capabilities will dominate. A hardware address translation use capabilities actually allow capabilities to be used as scheme which never requires the modification of the permanent addresses in this way. For example, the representation of capabilities is suggested. The scheme original Dennis and Van Horn scheme did not because uses a main memory hash table for obtaining a segment's it insisted that capabilities be stored only in C-lists asso- location in main memory given its unique code. The hash ciated with computations. table is avoided for recently accessed segments by means of a set of associative registers. A computer using capa- bility-based addressing may be substantially superior to Context-Independent Addresses present systems on the basis of protection, simplicity of programming conventions, and efficient implementation. The advantage of a capability used as an address is Key Words and Phrases: addressing, capabilities, that its interpretation is context independent. It provides addressing hardware, protection, protection hardware, an absolute address for an object. This fact is more im- shared addresses, information sharing, operating systems, portant than it may at first appear. computer utility, segmentation, tagged architecture Before the use of address relocation--such as base CR Categories: 4.30, 4.32, 4.34, 6.21 and limit registers, paging, and segmentation--jobs were allocated fixed areas of physical memory. Addresses within the jobs were relocated at load time, and a job was not moved once it had started running. The lack of Copyright (~) 1974, Association for Computing Machinery, Inc. the ability to dynamically relocate resulted in under- General permission to republish, but not for profit, all or part utilized computers. To avoid this underutilization, ad- of this material is granted provided that ACM's copyright notice is given and that reference is made to the publication, to its date dress relocation was introduced. But in doing so, a new of issue, and to the fact that reprinting privileges were granted problem was also introduced. Consider two jobs which by permission of the Association for Computing Machinery. need to interact with each other. In a system without This is a revised version of a paper presented at the Fourth ACM Symposium on Operating Systems Principles, IBM Thomas relocation, jobs share an address space and can be al- J. Watson Research Center, Yorktown Heights, New York, Oc- lowed to interact freely, sharing data structures and ad- tober 15-17, 1973, under the title "The Case for Capability-Based dresses as easily as if they were a single job. With address Computers." Author's address: Computer Science Division, Evans Hall, relocation, however, the meaning of an address becomes University of California, Berkeley, CA 94720. context dependent; each job has its own address space, 403 Communications July 1974 of Volume 17 the ACM Number 7 or perhaps several. This fact is generally interpreted as Fig. 1. Segment addresses. an advantage: base and limit registers, paging, and seg- mentation, by virtue of their address relocation, allow users to be isolated from each other, thus providing pro- ? tection of one job from another. On the other hand, the jPC sharing of addresses becomes more difficult, and this side effect is generally ignored. This effect is particulaly ironic for those systems which stress their usefulness for 1 RE I CALL 1 cooperating users who want to work together, sharing 2 programs and data. ACCESS 2 Although a capability functions as an absolute ad- SEGMENT TABLE dress, the use of capabilities does not prevent a system from using address relocation. A capability is an abso- lute address for a virtual object; the system is free to relocate the virtual object so long as it maintains the correspondence between the object and its capabilities. The Problem of Shared Segment References Various addressing schemes making use of segment tables have been implemented in present day systems. Fig. 2. Shared segment addresses. Although the inadequacies of these schemes when deal- ing with shared segment addresses may be apparent to users of the systems, the inadequacies have not (with rare exception) been explained in sysfem descriptions, nor does there exist a systematic comparison of the F problems which arise with each of the schemes. As an example of the problems encountered in these systems, consider a particular structure, a set of inter- acting subprograms. Figure 1 shows a process which has three segments: a data segment, a main program, and a I CALL ? ACCESS ? subroutine. The segment table translates integer segment addresses into references to the appropriate segments SEGMENTTABLE I FOR PROCESS1 and specifies the permitted types of access. R means reading is allowed, W means writing is allowed, and E SUB means executing is allowed. The entries in the segment table can be thought of as descriptors, capabilities, code- words, or pointers; for our purposes these are the same. The main program in Figure 1 contains two segment references, a call on the subroutine, coded as CALL 1, and RE an access of the data segment, coded as ACCESS 2. The RW PC register associated with the process contains the seg- ment number of the segment which the program counter addresses. In an actual system, the location of a word SEGMENTTABLE within a segment is also important. For simplicity, the FOR PROCESS2 word number components of addresses are omitted. Figure 2 shows the case in which the program and the segment references which it contains are shared. As- sume for the moment that the correspondence between integers and segments is constructed independently for each process. Then, as in the figure, a segment may be referred to by different integers in different processes. How can the segment references in the shared main pro- gram be coded? For process 1, the references should be coded CALL 1 and ACCESS 2. For process 2, however, they should be coded CALL 0 and ACCESS 1. Four different solutions to this problem of shared segment references are presented below. 404 Communications July 1974 of Volume 17 the ACM Number 7 Fig. 3. Uniform address solution. Fig. 4. Indirect evaluation solution. LINKAGE SEGMENT FOR PROCESS I 0 RW DATA FOR FOR MAIN I RE 2 RE ] LINKAGE SEGMENT l FOR PROCESS I 4 , R FOR SUB 2 I ACCEBS21 SEGMENT TABLE FOR PROCESS SEGMENT TABLE FOR PROCESS l LINKAGE SEGMENT FOR PROCESS 2 FOR MAIN OR 1 R l RE 0 2E LINKAGE SEGMENT 3 RE 2 FOR PROCESS 2 FOR SUB 4 RW SEGMENT TABLE FOR PROCESS 2 SEGMENT TABLE FOR PROCESS 2 Uniform Address Solution at once (except for certain standard system-wide sub- The uniform address solution is shown in Figure 3. routines). Thus the compiler can allocate the integer This solution requires that a shared integer segment ad- segment addresses at compile time and embed them in dress be interpreted in a functionally equivalent manner the code. The Program Reference Table of the B5700 for all processes sharing the address. A shared address functions exactly as the segment table in Figure 3 does is said to receive a functionally equivalent interpretation [6, 7, 351. for a set of processes if the objects referred to by the address are used in the same way by each process. For Indirect Evaluation Solution example, in Figure 3, the segment address 2 refers to the The indirect evaluation solution is shown in Figure 4. data segment used by the process making the reference, A shared integer segment address is treated as an index while the segment address 1 refers to the segment con- of a position within a linkage segment and the linkage taining the subroutine called by the main program in a segment contains segment table indexes.
Load more

Recommended publications
  • SCALABLE CAPABILITY-BASED AUTHORIZATION for HIGH- PERFORMANCE PARALLEL FILE SYSTEMS Nicholas Mills Clemson University, [email protected]
    Clemson University TigerPrints All Theses Theses 5-2011 SCALABLE CAPABILITY-BASED AUTHORIZATION FOR HIGH- PERFORMANCE PARALLEL FILE SYSTEMS Nicholas Mills Clemson University, [email protected] Follow this and additional works at: https://tigerprints.clemson.edu/all_theses Part of the Computer Engineering Commons Recommended Citation Mills, Nicholas, "SCALABLE CAPABILITY-BASED AUTHORIZATION FOR HIGH-PERFORMANCE PARALLEL FILE SYSTEMS" (2011). All Theses. 1131. https://tigerprints.clemson.edu/all_theses/1131 This Thesis is brought to you for free and open access by the Theses at TigerPrints. It has been accepted for inclusion in All Theses by an authorized administrator of TigerPrints. For more information, please contact [email protected]. SCALABLE CAPABILITY-BASED AUTHORIZATION FOR HIGH-PERFORMANCE PARALLEL FILE SYSTEMS A Thesis Presented to the Graduate School of Clemson University In Partial Fulfillment of the Requirements for the Degree Master of Science Computer Engineering by Nicholas L. Mills May 2011 Accepted by: Dr. Walter B. Ligon III, Committee Chair Dr. Richard R. Brooks Dr. Adam W. Hoover Abstract As the size and scale of supercomputers continues to increase at an exponential rate the number of users on a given supercomputer will only grow larger. A larger number of users on a supercomputer places a greater importance on the strength of information security. Nowhere is this requirement for security more apparent than the file system, as users expect their data to be protected from accidental or deliberate modification. In spite of the ever-increasing demand for more secure file system access the majority of parallel file systems do not implement a robust security protocol for fear it will negatively impact the performance and scalability of the file system.
    [Show full text]
  • On Access Checking in Capability-Based Systems1
    On Access Checking in Capability-Based Systems1 Richard Y. Kain Carl E. Landwehr University of Minnesota Naval Research Laboratory ABSTRACT Public descriptions of capability-based system designs often do not clarify the necessary details concerning the propagation of access rights within the sys- tems. A casual reader may assume that it is adequate for capabilities to be passed in accordance with the rules for data copying. A system using such a rule cannot enforce either the military security policy or the Bell and LaPadula rules. The paper shows why this problem arises and provides a taxonomy of capability-based designs. Within the space of design options de®ned by the tax- onomy we identify a class of designs that cannot enforce the Bell-LaPadula rules and two designs that do allow their enforcement. Index Terms--Access control, capabilities, capability-based architectures, secu- rity policy, *-property, taxonomy. 1. Introduction Capability systems were ®rst described in the literature in the mid-1960's. Their informal descriptions are typically based upon the notion that a capability is equivalent to a ``ticket,'' in the sense that possession of the ticket allows the possessing process access to the object described in the capability, provided that the access mode is compatible with the ``access rights'' stored within the capability. Several systems using the capability concept have been marketed (IBM System 38, CAP, i432, Plessey S250) [1]. Whether a computer system based upon capabilities can provably enforce the DoD security policy [2] has been a matter of discussion for some time. Boebert [3] has argued that an ``unmodi®ed'' capability machine must be incapable of enforcing the *-property de®ned by Bell and LaPadula [4].
    [Show full text]
  • Secure Capability Systems
    141 CHAPTER 10 Secure Capability Systems A capability system [181] is an operating system that represents its access control policy from the subjects’ perspectives. Recall from Chapter 2 that Lampson’s access ma- trix [176] identified two views of an access control policy: (1) an object-centric view, called access control lists, where the policy is defined in terms of which subjects can access a particular object (the columns of the matrix) and (2) a subject-centric view, called capabilities, where the policy is defined in terms of which objects can be accessed by a particular subject (the rows in the matrix). Although the access control decisions made by capability and access control list systems are the same, the capability perspective provides some opportunities to build more secure systems, but this perspective also introduces some challenges that must be overcome to ensure enforcement of security goals. In this chapter, we identify these opportunities and challenges, and describe capability system designs that can leverage the opportunities while mitigating the challenges. 10.1 CAPABILITY SYSTEM FUNDAMENTALS A capability is a reference to an object and a set of operations that the capability enti- tles the holder, first formalized by Dennis and van Horn [72]. Such capability references are extended memory references in that they not only provide location or naming in- formation, but they may also provide access rights for that reference [333]. This form of addressing is known as capability-based addressing [89]. Thus, a capability is like a house key [128] in that it permits the holder the access associated with the key.
    [Show full text]
  • Capability-Based Computer Systems Capability-Based Computer Systems
    Capability-Based Computer Systems Capability-Based Computer Systems Henry M. Levy BBmoBc1” DIGITAL PRESS Copyright 0 1984 Digital Equipment Corporation All rights reserved. Reproduction of this book, in part or in whole, is strictly prohibited. For copy information contact: Digital Press, 12 Crosby Dr., Bedford, Mass. 01730 Printed in the United States of America 10987654321 Documentation Number: EY-00025-DP ISBN: O-932376-22-3 Library of CongressCataloging in Publication Data Levy, Henry M., 1952- Capability-based computer systems. Bibliography: p. 205 Includes index. 1. Computer architecture. 2. Operating systems (Com- puters) 3. System design. I. Title. QA76.9.A73L48 1983 621.3819’58 83-21029 ISBN O-932376-22-3 Trademarks Bell Laboratories: UNIX. Burroughs Corporation: B5000. Cam- bridge University: CAP. Control Data Corporation: CDC 6400, SCOPE. Digital Equipment Corporation: DEC, LSI-11, PDP-1, PDP-11, TOPS-20. Hewlett-Packard Company: HP 3000. Intel Cor- poration: iAPX 432, iMAX, Intel 8086. IBM: CPF, IBM 370, IBM Systemi38, SWARD. International Computers Ltd.: Basic Language Machine. Plessey Telecommunications Ltd. Plessey System 250. Xerox Corporation: Smalltalk. In Memory of Manny and Sonia Preface The purpose of this book is to provide a single source of infor- mation about capability-based computer systems. Although capability systems have existed for nearly two decades, only recently have they appeared in architecture and operating sys- tem textbooks. Much has been written about capability sys- tems in the technical literature, but finding this information is often difficult. This book is an introduction, a survey, a history, and an evaluation of capability- and object-based computer systems.
    [Show full text]
  • Arxiv:1904.12226V1 [Cs.NI] 27 Apr 2019
    The Ideal Versus the Real: Revisiting the History of Virtual Machines and Containers Allison Randal, University of Cambridge Abstract also have greater access to the host’s privileged software (kernel, operating system) than a physically distinct ma- The common perception in both academic literature and chine would have. the industry today is that virtual machines offer better se- curity, while containers offer better performance. How- Ideally, multitenant environments would offer strong ever, a detailed review of the history of these technolo- isolation of the guest from the host, and between guests gies and the current threats they face reveals a different on the same host, but reality falls short of the ideal. The story. This survey covers key developments in the evo- approaches that various implementations have taken to lution of virtual machines and containers from the 1950s isolating guests have different strengths and weaknesses. to today, with an emphasis on countering modern misper- For example, containers share a kernel with the host, ceptions with accurate historical details and providing a while virtual machines may run as a process in the host solid foundation for ongoing research into the future of operating system or a module in the host kernel, so they secure isolation for multitenant infrastructures, such as expose different attack surfaces through different code cloud and container deployments. paths in the host operating system. Fundamentally, how- ever, all existing implementations of virtual machines and containers
    [Show full text]
  • The Design and Application of an Extensible Operating System
    THE DESIGN AND APPLICATION OF AN EXTENSIBLE OPERATING SYSTEM Leendert van Doorn VRIJE UNIVERSITEIT THE DESIGN AND APPLICATION OF AN EXTENSIBLE OPERATING SYSTEM ACADEMISCH PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Vrije Universiteit te Amsterdam, op gezag van de rector magnificus prof.dr. T. Sminia, in het openbaar te verdedigen ten overstaan van de promotiecommissie van de faculteit der Exacte Wetenschappen / Wiskunde en Informatica op donderdag 8 maart 2001 om 10.45 uur in het hoofdgebouw van de universiteit, De Boelelaan 1105 door LEENDERT PETER VAN DOORN geboren te Drachten Promotor: prof.dr. A.S. Tanenbaum To Judith and Sofie Publisher: Labyrint Publication P.O. Box 662 2900 AR Capelle a/d IJssel - Holland fax +31 (0) 10 2847382 ISBN 90-72591-88-7 Copyright © 2001 L. P. van Doorn All rights reserved. No part of this publication may be reproduced, stored in a retrieval system of any nature, or transmitted in any form or by any means, electronic, mechani- cal, now known or hereafter invented, including photocopying or recording, without prior written permission of the publisher. Advanced School for Computing and Imaging This work was carried out in the ASCI graduate school. ASCI dissertation series number 60. Parts of Chapter 2 have been published in the Proceedings of the First ASCI Workshop and in the Proceedings of the International Workshop on Object Orientation in Operat- ing Systems. Parts of Chapter 3 have been published in the Proceedings of the Fifth Hot Topics in Operating Systems (HotOS) Workshop. Parts of Chapter 5 have been published in the Proceedings of the Sixth SIGOPS Euro- pean Workshop, the Proceedings of the Third ASCI Conference, the Proceedings of the Ninth Usenix Security Symposium, and filed as an IBM patent disclosure.
    [Show full text]
  • P-1935-J-Conc-Biblio
    5.0 Conclusions The intent of this document has been: (1) to provide a comprehensive overview of the important properties of traditional capability-based systems, (2) to point out the advantages and deficiencies of such systems with regard to the NCSC [TCSEC83] requirements, (3) to outline some possible approaches for the elimination of such deficiencies, and (4) to compare the properties of such systems to those of descriptor-based systems (with which the computer security community has been somewhat more familiar). Thus, this document can be used as a background document by both evaluators and designers of capability-based systems. 'In both cases, the reader should make use of the references provided in this document in order to help him understand some of its more subtle conclusions. [For the readers with special research and/or development interests in this area, an extensive bibliography is also provided as an appendix to this paper.] The research work necessary for this paper has led to the following findings. First, the notion of a "traditional" capability-based system can be defined based on a set of properties which are common to many capability-based systems. These properties are found in the areas of capability-based addressing and protection, and they support a number of general security and integrity policies. The discussion of the set of common properties has been essential to the investigation of the TCSEC impact on traditional capability systems. Without such a defmition, the impact and corresponding analysis would be questionable at best, because no general conclusions could be drawn from individual case studies.
    [Show full text]
  • A Survey of Distributed Capability File Systems and Their Application to Cloud Environments
    Calhoun: The NPS Institutional Archive Theses and Dissertations Thesis Collection 2014-09 A survey of distributed capability file systems and their application to cloud environments Jatho, Edgar W., III Monterey, California: Naval Postgraduate School http://hdl.handle.net/10945/43930 NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS A SURVEY OF DISTRIBUTED CAPABILITY FILE SYSTEMS AND THEIR APPLICATION TO CLOUD ENVIRONMENTS by Edgar W. Jatho, III September 2014 Thesis Co-Advisors: Peter Denning Mark Gondree Approved for public release; distribution is unlimited THIS PAGE INTENTIONALLY LEFT BLANK REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704{0188 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202{4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503. 1. AGENCY USE ONLY (Leave Blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED 09-26-2014 Master’s Thesis 09-01-2013 to 09-26-2014 4. TITLE AND SUBTITLE 5. FUNDING NUMBERS A SURVEY OF DISTRIBUTED CAPABILITY FILE SYSTEMS AND THEIR APPLI- CATION TO CLOUD ENVIRONMENTS 6. AUTHOR(S) Edgar W. Jatho, III 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION REPORT NUMBER Naval Postgraduate School Monterey, CA 93943 9.
    [Show full text]
  • University Microfilms International 300 N
    INFORMATION TO USERS This was produced from a copy of a document sent to us for microfilming. While the most advanced technological means to photograph and reproduce this document have been used, the quality is heavily dependent upon the quality of the material submitted. The following explanation of techniques is provided to help you understand markings or notations which may appear on this reproduction. 1.The sign or "target” for pages apparently lacking from the document photographed is "Missing Page(s)”. If it was possible to obtain the missing page(s) or section, they are spliced into the film along with adjacent pages. This may have necessitated cutting through an image and duplicating adjacent pages to assure you of complete continuity. 2. When an image on the film is obliterated with a round black mark it is an indication that the film inspector noticed either blurred copy because of movement during exposure, or duplicate copy. Unless we meant to delete copyrighted materials that should not have been filmed, you will find a good image of the page in the adjacent frame. If copyrighted materials were deleted you will find a target note listing the pages in the adjacent frame. • 3. When a map, drawing or chart, etc., is part of the material being photo­ graphed the photographer has followed a definite method in “sectioning” the material. It is customary to begin filming at the upper left hand corner of a large sheet and to continue from left to right in equal sections with small overlaps. If necessary, sectioning is continued again—beginning below the first row and continuing on until complete.
    [Show full text]
  • Navigating the Attack Surface
    Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018 Risk as Attack Surface a Expected Risk: ∫likelihood * damage Potential damage Likelihood of exploitable vulnerability a Expected Risk: ∫likelihood * damage Resources to damage Fallible agents a Access Matrix Permission or Authority? Resources to damage Fallible agents a Hollow Out the Attack Surface! /etc/passwd Alan’s stuff Barb’s stuff Doug’s stuff Kernel + root OS’s TCB ~alan ~barb ~doug a Decouple accounts /etc/passwd Alan’s stuff Barb’s stuff Doug’s stuff Kernel + root OS’s TCB ~alan ~barb ~doug a a Decouple applications contact info pgp keyring calc.xls Net access Shell, Desktop Browser Spreadsheet Email client a Decouple apps contact info pgp keyring calc.xls Net access MobileOS Doug’s TCB Browser app Spreadsheet doc Mail a app Decouple apps contact info pgp keyring calc.xls Net access MobileOS Doug’s TCB Browser app Spreadsheet doc Mail a app Substrate Historical System System CMNM, Plessey 250, C.mmp, CM*, Crash-SAFE, CHERI, Risc-V Hardware CAP, Flex, IBM System/38, Intel 432 DVH, Hydra, StarOS, RATS, Capsicum, CloudABI, Genode, OS Cal-TSS, PSOS, NLTSS, Spring Barrelfish, Fuchsia Gnosis, KeyKOS, GuardOS, seL4 KeyKOS family OS EROS, CapROS, Coyotos Distributed OS Ameoba, Mach, Midori Gedanken, W7, J-Kernel, Joe-E, Emily, Monte, Frozen Realms, Language CaPerl, Caja, Tamed Pict, Plash shill, Wyvern, wasm-gc Act-1, Eden, Emerald, Pony, Kappa, Dr.SES Distributed Language Vulcan, Joule, E, Oz-E, M# Distributed Storage
    [Show full text]
  • CHERI: a RISC Capability Machine for Practical Memory Safety
    UCAM-CL-TR-858 Technical Report ISSN 1476-2986 Number 858 Computer Laboratory CHERI: A RISC capability machine for practical memory safety Jonathan D. Woodruff July 2014 15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500 http://www.cl.cam.ac.uk/ c 2014 Jonathan D. Woodruff This technical report is based on a dissertation submitted March 2014 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Clare Hall. Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/techreports/ ISSN 1476-2986 Abstract This work presents CHERI, a practical extension of the 64-bit MIPS instruction set to sup- port capabilities for fine-grained memory protection. Traditional paged memory protection has proved inadequate in the face of escalating security threats and proposed solutions include fine-grained protection tables (Mondrian Memory Protection) and hardware fat- pointer protection (Hardbound). These have emphasised transparent protection for C executables but have lacked flexibility and practicality. Intel's recent memory protection extensions (iMPX) attempt to adopt some of these ideas and are flexible and optional but lack the strict correctness of these proposals. Capability addressing has been the classical solution to efficient and strong memory protection but it has been thought to be incompatible with common instruction sets and also with modern program structure which uses a flat memory space with global pointers. CHERI is a fusion of capabilities with a paged flat memory producing a program-managed fat pointer capability model.
    [Show full text]
  • The Design and Application of an Extensible Operating System
    THE DESIGN AND APPLICATION OF AN EXTENSIBLE OPERATING SYSTEM Leendert van Doorn VRIJE UNIVERSITEIT THE DESIGN AND APPLICATION OF AN EXTENSIBLE OPERATING SYSTEM ACADEMISCH PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Vrije Universiteit te Amsterdam, op gezag van de rector magnificus prof.dr. T. Sminia, in het openbaar te verdedigen ten overstaan van de promotiecommissie van de faculteit der Exacte Wetenschappen / Wiskunde en Informatica op donderdag 8 maart 2001 om 10.45 uur in het hoofdgebouw van de universiteit, De Boelelaan 1105 door LEENDERT PETER VAN DOORN geboren te Drachten Promotor: prof.dr. A.S. Tanenbaum To Judith and Sofie Publisher: Labyrint Publication P.O. Box 662 2900 AR Capelle a/d IJssel - Holland fax +31 (0) 10 2847382 ISBN 90-72591-88-7 Copyright ! 2001 L. P. van Doorn All rights reserved. No part of this publication may be reproduced, stored in a retrieval system of any nature, or transmitted in any form or by any means, electronic, mechani- cal, now known or hereafter invented, including photocopying or recording, without prior written permission of the publisher. Advanced School for Computing and Imaging This work was carried out in the ASCI graduate school. ASCI dissertation series number 60. Parts of Chapter 2 have been published in the Proceedings of the First ASCI Workshop and in the Proceedings of the International Workshop on Object Orientation in Operat- ing Systems. Parts of Chapter 3 have been published in the Proceedings of the Fifth Hot Topics in Operating Systems (HotOS) Workshop. Parts of Chapter 5 have been published in the Proceedings of the Sixth SIGOPS Euro- pean Workshop, the Proceedings of the Third ASCI Conference, the Proceedings of the Ninth Usenix Security Symposium, and filed as an IBM patent disclosure.
    [Show full text]