DOCSLIB.ORG

Arxiv:2009.01869V3 [Cs.CR] 23 Nov 2020 1 Introduction Opers to Manually Bridge This Semantic Gap [76]

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Arxiv:2009.01869V3 [Cs.CR] 23 Nov 2020 1 Introduction Opers to Manually Bridge This Semantic Gap [76] Enclave-Aware Compartmentalization and Secure Sharing with Sirius Zahra Tarkhani Anil Madhavapeddy University of Cambridge University of Cambridge Abstract Host App ! (3) Enclave " (4) (6) Hardware-assisted trusted execution environments (10) (1) shared Enclave #n Process #m memory (TEEs) are critical building blocks of many modern Threads applications. However, they have a one-way isolation (2) EL0 (5) (7) SEL0 model that introduces a semantic gap between a TEE and (9) (8) its outside world. This lack of information causes an ever- Normal world systems resources TEE systems resources increasing set of attacks on TEE-enabled applications OS Kernel & TEE driver (EL1) TEE Kernel/runtime (SEL1) that exploit various insecure interactions with the host OSs, applications, or other enclaves. We introduce Sirius, Security Monitor (EL3) the first compartmentalization framework that achieves strong isolation and secure sharing in TEE-assisted Figure 1: Simplified data flows in TZ-based TEE systems applications by controlling the dataflows within primary kernel objects (e.g. threads, processes, address spaces, files, sockets, pipes) in both the secure and normal worlds. Sirius replaces ad-hoc interactions in current However, in practice, TEEs are used in much more TEE systems with a principled approach that adds strong complex application architectures like web services [16, inter- and intra-address space isolation and effectively 40, 42], secure payments [1, 10, 12, 75], databases [64], eliminates a wide range of attacks. We evaluate Sirius on autonomous vehicle control [2], and privacy-preserving ARM platforms and find that it is lightweight (≈ 15K machine learning [37,39,40,60,68,79]. These applica- LoC) and only adds ≈ 10:8% overhead to enable TEE tions need fast bidirectional communications with their support on applications such as httpd, and improves the enclaves (e.g. via shared memory or RPC) and rely on performance of existing TEE-enabled applications such OS facilities for multithreading, networking, file opera- as the Darknet ML framework and ARM’s LibDDSSec tions, and IPC with other processes or enclaves. Despite by 0:05% − 5:6%. the fact that TEEs introduce a new secure kernel/runtime (Figure1), existing systems expect application devel- arXiv:2009.01869v3 [cs.CR] 23 Nov 2020 1 Introduction opers to manually bridge this semantic gap [76]. The resulting ad-hoc approaches have exposed TEE-enabled Hardware-assisted trusted computing primitives such as applications to severe attacks across these interaction lay- ARM TrustZone [13], Intel SGX [27], AMD SEV [56] or ers [41,51,70,71,76,84,91,92]. Even worse, mitigations RISC-V Keystone [46] exist to establish strong security based on sanitising the existing TEE interfaces are failing guarantees even in the presence of malicious privileged due to the wide attack surface [41, 76]. code. These TEEs1 assume a threat model in which only the CPU itself is trusted, and not the host applications, OS, We analysed 41 existing TEE-based open-source appli- or hypervisor. They expect in-enclave code to be small, cations to classify the vulnerabilities from these attacks verifiable, and need minimal external interactions [32]. (§A).We identified the following classes of vulnerabilities across the host/enclave boundary that leads to sensitive 1For simplicity, we use the terms TEE and enclave interchangeably. data compromise: 1 Category Num Thread Memory IPC/RPC Priv Reference monitor & Auditing 8 network sockets. Misusing these objects either directly Web apps 7 G# permits the earlier attacks, or increases the attack’s dam- Data analytics 5 Key management 4 G# age by propagating vulnerabilities or transferring ex- Attestation 2 G# G# G# Databases 4 G# G# tracted secrets to untrusted sources. 38 out of the 41 SSL/TLS 5 G# Blockchain 6 G# TEE-enabled applications we analysed depend on at least HPE [76] 95 G# three of these facilities. Therefore to comprehensively TEE-enabled Applications BOOMERANG [51] COIN Attacks [41] 10 G# mitigate these classes of vulnerabilities, we need a system CVE-2019-1010298 G# CVE-2018-11950 G# G# to selectively enable the protection and secure sharing of CVE-2017-8252 G# G# CVE-2017-8276 G# G# G# these objects across both the secure and normal worlds. CVE-2016-10297 G# G# CVE-2016-5349 G# G# We thus present Sirius, a framework for strongly com- CVE-2016-2431 G# G# TCB Vulnerabilities partmentalising and securely sharing systems resources CVE-2015-4422 G# and application data across normal world and enclave Object/feature is involved, partially involved userspaces. It does so by extending the normal world and Priv: Inadequate Privilege separation G# enclave kernels with interfaces that (i) allow applications Table 1: Summary of analyzing TEE-enabled applica- to compartmentalise sensitive data in both worlds; (ii) tions and known attacks. Sirius fully addresses these enforce intra-process protection such that these compart- threats or significantly weakens the damage. ments are protected even in multi-threaded applications with shared address space; and (iii) support flexible and mutually distrustful access control across systems objects Insecure threading and procedure calls: Attackers within both worlds. can launch malicious threads from within the host appli- Since TEE systems require running kernels on differ- cation process to exploit synchronisation vulnerabilities ent privilege levels, we need a decentralized approach such as TOCTTOU [90,91] or other types of concurrency for enabling mutually distrustful compartments in each attacks [41] on enclave interfaces (Figure1 (1,2,4)). This world. Sirius adopts decentralised information flow con- greatly limits the secure use of enclaves within a multi- trol (DIFC) [57] techniques for its unified access control threaded application; 56% of TEE-enabled applications to enforce mutual distrust, which provides application we analysed used multiple threads within the application programmers with a simple-to-use labeling interface to or enclave. control the flow of their private data. Our implementation of Sirius on ARM Trustzone runs efficiently on com- Memory vulnerabilities: Attackers take advantage of modity hardware (e.g. a Raspberry Pi). We have ported inadequate address space isolation in each world to complex multithreaded use cases such as the Apache web- launch ROP attacks [21, 47, 51] for extracting cryptog- server, the Darknet ML framework, and safety-critical raphy keys or bypass remote attestation (Figure1 (2,3)). applications such as autonomous vehicles or medical de- Additionally, insecure shared memory buffers are impor- vices that rely on secure data distribution services. Sirius tant attack vectors for extracting secrets or compromising framework provides a simple userspace API, and straight- RPC interfaces [41]. forward extensions to the Linux kernel and the TrustZone kernel. In return, the applications are comprehensively Insufficient privilege separation: A compromised protected from sensitive data leakage via the vulnerabili- or malicious third-party enclave can collect sensitive ties described earlier and with small performance over- data [52, 70] and leak them using OS facilities such heads on commodity hardware. as files, network sockets or pipes (Figure1 5–10). At- tackers can launch horizontal privilege escalation (HPE) 2 Background & Threat Model attacks [76] to compromise other process via a misbe- having enclave, or launch BOOMERANG attacks [51] to Secure enclaves are a hardware facility that allow for par- gain control of the host OS by tricking the secure world titioning sensitive data and associated computation away into modifying host kernel memory. No applications we from the “normal” world. Widespread TEE hardware studied implemented even a simple form of access con- includes ARM TrustZone (TZ) and Intel SGX, and they trol which would mitigate these vulnerabilities. both support running a separate kernel within a secure Table1 summarises the attack vectors used by the TEE world. Figure1 illustrates the architecture of a typical applications we studied. TEE applications use their OS (existing) TEE application on ARM TrustZone. interfaces to access system resources from userspace; This paper focuses on the changes required to the host e.g. threads, memory regions, IPCs or RPCs, files, and and ARM TZ-based enclaves to support Sirius’ stronger 2 security guarantees. We chose TZ for our prototype since receives client application (CA) data, processes it, and its secure world is more powerful than other enclaves— returns a result without retaining any data across invoca- and so exploited TZ enclaves can easily lead to a full OS tions. On the other hand, in stateful RPCs it persists some compromise. TZ also does not directly support attestation CA data across multiple invocations as a session state and as SGX does [27], which increases the possibility of global variables (.bss section) or inside persistent storage hosting malicious enclaves. Also, billions of embedded for larger objects. Typical secure storage in TZ is im- devices use TZ-based TEEs, which requires Sirius to plemented by encrypting memory blocks that are stored be resource-efficient. Porting Sirius to x86-64 requires in the NW’s file system. For Example, OPTEE uses a straightforward engineering that we discuss later (§7). secure storage key (SSK), enclave storage key (ESK), We will first describe how TZ hardware works (§2.1) and and file encryption key (FEK) for encrypting a persistent then elaborate on the threat model (§2.2). storage area in
Load more

Recommended publications
  • Access Control and Operating System
    Outline (may not finish in one lecture) Access Control and Operating Access Control Concepts Secure OS System Security • Matrix, ACL, Capabilities • Methods for resisting • Multi-level security (MLS) stronger attacks OS Mechanisms Assurance • Multics • Orange Book, TCSEC John Mitchell – Ring structure • Common Criteria • Amoeba • Windows 2000 – Distributed, capabilities certification • Unix Some Limitations – File system, Setuid • Information flow • Windows • Covert channels – File system, Tokens, EFS • SE Linux – Role-based, Domain type enforcement Access control Access control matrix [Lampson] Common Assumption Objects • System knows who the user is File 1 File 2 File 3 … File n – User has entered a name and password, or other info • Access requests pass through gatekeeper User 1 read write - - read – OS must be designed monitor cannot be bypassed User 2 write write write - - Reference Subjects monitor User 3 - - - read read User process ? Resource … User m read write read write read Decide whether user can apply operation to resource Two implementation concepts Capabilities Access control list (ACL) File 1 File 2 … Operating system concept • “… of the future and always will be …” • Store column of matrix User 1 read write - Examples with the resource User 2 write write - • Dennis and van Horn, MIT PDP-1 Timesharing Capability User 3 - - read • Hydra, StarOS, Intel iAPX 432, Eros, … • User holds a “ticket” for … • Amoeba: distributed, unforgeable tickets each resource User m read write write • Two variations References – store
    [Show full text]
  • Research Purpose Operating Systems – a Wide Survey
    GESJ: Computer Science and Telecommunications 2010|No.3(26) ISSN 1512-1232 RESEARCH PURPOSE OPERATING SYSTEMS – A WIDE SURVEY Pinaki Chakraborty School of Computer and Systems Sciences, Jawaharlal Nehru University, New Delhi – 110067, India. E-mail: [email protected] Abstract Operating systems constitute a class of vital software. A plethora of operating systems, of different types and developed by different manufacturers over the years, are available now. This paper concentrates on research purpose operating systems because many of them have high technological significance and they have been vividly documented in the research literature. Thirty-four academic and research purpose operating systems have been briefly reviewed in this paper. It was observed that the microkernel based architecture is being used widely to design research purpose operating systems. It was also noticed that object oriented operating systems are emerging as a promising option. Hence, the paper concludes by suggesting a study of the scope of microkernel based object oriented operating systems. Keywords: Operating system, research purpose operating system, object oriented operating system, microkernel 1. Introduction An operating system is a software that manages all the resources of a computer, both hardware and software, and provides an environment in which a user can execute programs in a convenient and efficient manner [1]. However, the principles and concepts used in the operating systems were not standardized in a day. In fact, operating systems have been evolving through the years [2]. There were no operating systems in the early computers. In those systems, every program required full hardware specification to execute correctly and perform each trivial task, and its own drivers for peripheral devices like card readers and line printers.
    [Show full text]
  • Mixed-Criticality Scheduling and Resource Sharing for High-Assurance Operating Systems
    Mixed-Criticality Scheduling and Resource Sharing for High-Assurance Operating Systems Anna Lyons Submitted in fulfilment of the requirements for the degree of Doctor of Philosophy School of Computer Science and Engineering University of New South Wales Sydney, Australia September 2018 Abstract Criticality of a software system refers to the severity of the impact of a failure. In a high-criticality system, failure risks significant loss of life or damage to the environ- ment. In a low-criticality system, failure may risk a downgrade in user-experience. As criticality of a software system increases, so too does the cost and time to develop that software: raising the criticality also raises the assurance level, with the highest levels requiring extensive, expensive, independent certification. For modern cyber-physical systems, including autonomous aircraft and other vehicles, the traditional approach of isolating systems of different criticality by using completely separate physical hardware, is no longer practical, being both restrictive and inefficient. The result is mixed-criticality systems, where software applications with different criticalities execute on the same hardware. Sufficient mechanisms are required to ascertain that software in mixed-criticality systems is sufficiently isolated, otherwise, all software on that hardware is promoted to the highest criticality level, driving up costs to impractical levels. For mixed-criticality systems to be viable, both spatial and temporal isolation are required. Current aviation standards allow for mixed-criticality systems where temporal and spatial resources are strictly and statically partitioned in time and space, allowing some improvement over fully isolated hardware. However, further improvements are not only possible, but required for future innovation in cyber-physical systems.
    [Show full text]
  • Operating System Verification—An Overview
    Sadhan¯ a¯ Vol. 34, Part 1, February 2009, pp. 27–69. © Printed in India Operating system verification—An overview GERWIN KLEIN Sydney Research Laboratory, NICTA,∗ Australia, School of Computer Science and Engineering, University of New South Wales, Sydney, Australia e-mail: [email protected] Abstract. This paper gives a high-level introduction to the topic of formal, interactive, machine-checked software verification in general, and the verification of operating systems code in particular. We survey the state of the art, the advantages and limitations of machine-checked code proofs, and describe two specific ongoing larger-scale verification projects in more detail. Keywords. Formal software verification; operating systems; theorem proving. 1. Introduction The fastest, cheapest and easiest way to build something is properly the first time (Parker 2007). This engineer’s credo has made it into popular literature, but it seems to be largely ignored in the world of software development. In the late 1960s a software crisis was diagnosed on a summit in the Bavarian Alps (Naur & Randell 1969): Software was getting more and more complex, and we had no structured way of building it. We ended up with projects that took significantly longer than planned, were more expensive than planned, delivered results that did not fully address customer needs, or at worst were useless. This summit in the late 1960s is widely seen as the birth of the discipline of software engineering. Now, almost 40 years later, we have come a long way. There are numerous books on software engineering, a plenitude of methodologies, programming languages, and processes to choose from.
    [Show full text]
  • Scalability of Microkernel-Based Systems
    Scalability of Microkernel-Based Systems Zur Erlangung des akademischen Grades eines DOKTORS DER INGENIERWISSENSCHAFTEN von der Fakultat¨ fur¨ Informatik der Universitat¨ Fridericiana zu Karlsruhe (TH) genehmigte DISSERTATION von Volkmar Uhlig aus Dresden Tag der mundlichen¨ Prufung:¨ 30.05.2005 Hauptreferent: Prof. Dr. rer. nat. Gerhard Goos Universitat¨ Fridericiana zu Karlsruhe (TH) Korreferent: Prof. Dr. sc. tech. (ETH) Gernot Heiser University of New South Wales, Sydney, Australia Karlsruhe: 15.06.2005 i Abstract Microkernel-based systems divide the operating system functionality into individ- ual and isolated components. The system components are subject to application- class protection and isolation. This structuring method has a number of benefits, such as fault isolation between system components, safe extensibility, co-existence of different policies, and isolation between mutually distrusting components. How- ever, such strict isolation limits the information flow between subsystems including information that is essential for performance and scalability in multiprocessor sys- tems. Semantically richer kernel abstractions scale at the cost of generality and mini- mality–two desired properties of a microkernel. I propose an architecture that al- lows for dynamic adjustment of scalability-relevant parameters in a general, flex- ible, and safe manner. I introduce isolation boundaries for microkernel resources and the system processors. The boundaries are controlled at user-level. Operating system components and applications can transform their semantic information into three basic parameters relevant for scalability: the involved processors (depending on their relation and interconnect), degree of concurrency, and groups of resources. I developed a set of mechanisms that allow a kernel to: 1. efficiently track processors on a per-resource basis with support for very large number of processors, 2.
    [Show full text]
  • Introduction Course Outline Why Does This Fail? Lectures Tutorials
    Course Outline • Prerequisites – COMP2011 Data Organisation • Stacks, queues, hash tables, lists, trees, heaps,…. Introduction – COMP2021 Digital Systems Structure • Assembly programming • Mapping of high-level procedural language to assembly COMP3231/9201/3891/9283 language – or the postgraduate equivalent (Extended) Operating Systems – You are expected to be competent Kevin Elphinstone programmers!!!! • We will be using the C programming language – The dominant language for OS implementation. – Need to understand pointers, pointer arithmetic, explicit 2 memory allocation. Why does this fail? Lectures • Common for all courses (3231/3891/9201/9283) void func(int *x, int *y) • Wednesday, 2-4pm { • Thursday, 5-6pm *x = 1; *y = 2; – All lectures are here (EE LG03) – The lecture notes will be available on the course web site } • Available prior to lectures, when possible. void main() – The lecture notes and textbook are NOT a substitute for { attending lectures. int *a, *b; func(a,b); } 3 4 Tutorials Assignments • Assignments form a substantial component of • Start in week 2 your assessment. • A tutorial participation mark will • They are challenging!!!! – Because operating systems are challenging contribute to your final assessment. • We will be using OS/161, – Participation means participation, NOT – an educational operating system attendance. – developed by the Systems Group At Harvard – Comp9201/3891/9283 students excluded – It contains roughly 20,000 lines of code and comments • You will only get participation marks in your enrolled tutorial. 5 6 1 Assignments Assignments • Assignments are in pairs • Don’t under estimate the time needed to do the – Info on how to pair up available soon assignments. • We usually offer advanced versions of the – ProfQuotes: [About the midterm] "We can't keep you working assignments on it all night, it's not OS.“ Ragde, CS341 – Available bonus marks are small compared to amount of • If you start a couple days before they are due, you will be late.
    [Show full text]
  • A Look at the EROS Operating System Jonathan S
    A Look at the EROS Operating System Jonathan S. Shapiro Johns Hopkins University Abstract EROS is a capability-based, secure operating system originally designed to address the needs of shared computing utilities involving mutually suspicious users. The deploy­ ment plan for the original design was to provide leased compute service to competing business entities, potentially running on a single machine. As a result, the system was structured to preserve security in the face of both hostile dynamic content and hostile users. While the EROS platform can support the efficient deployment of multilevel se­ cure environments, it is primarily focused on business security requirements. These re­ quirements often address integrity as well as security concerns. An EROS-based deploy­ ment can ensure that business-critical data is manipulated exclusively by authorized ap­ plication software, which in turn is guarded against user tampering. Simultaneously, EROS enables users to run untrusted utility software, hand private or proprietary data to that software, and be assured (within reason) that the data cannot be disclosed to the out­ side world. This paper gives a general overview of the EROS system and what it can do. The EROS research project has now ended. Further work based on the EROS system is being pursued under the CapROS project (www.capros.org). The EROS team has moved on to a successor system: Coyotos (www.coyotos.org). 1 Introduction in other publications. Others result from chains of reasoning that are omitted for reasons of space. A This paper accompanies a talk for the 2005 Libre few are opinions derived from years of in-depth Software Meeting in Dijon, France.
    [Show full text]
  • El Debat Polític D'ahir; Al Parlament De La Repúb Ica, Desenrotllat En
    EL TEMPS. - Al pla de Lleida, Penedès, Bages I Via, hi ha bol· res matinals. Per tota la resta de catalunya el cel està completament se~. pel qual motiu les glaçades I gebrades són tmpartants, I ha experimentat la temperatura un notable descens. Les mlnlmes registrades ahir han tingut lloc a Núria amb 11 graus sota zero I a Adrall I Sant Juilià de VIlatorta, amb 6 graus sota zero. IV _ Núm. 700 - Preue 10 cèntims AnY fundadort LLUIS COMPANYS Barcelona, dijous, s de febrer del 19J4 El MOMENT POUTIC El debat polític d'ahir; al Parlament de la Repúb ica, desenrotllat en un ambient de gran passió, vé a augnientar el confusionisme actual - o Uftfi[H[IA ~·~HJI11IUA[II A~~~R~A IPrieto, en nom dels socialistes, s'expresà en SENSE AUTORITAT NI GAllARDIA termes de gran violència.-Segueix la divisió l dintre el Govern lerroux, destacada novament e S darreres hores A despit de la votació de coníiança al Govern Lerroux, obtingudR en la intervenció de Martínez Barrio del Govern Lerroux després de l'apassionat debat parlamentari d'ahir, la situació politica segueiX més con1usa que mat. Si la crisi era inevitable abans d'ahir, ho és Proposicions llei sobre intensificació del Cultiu. la situació social als camps i espe­ El senyor ALVAREZ MENDIZA­ cialment a la provincia de Jaén. (Crònica del nostre redactor a Madrid Alard Prats) .rob apremiant urgencia des d'avui. La sessió parlamentària tingué l'ab· Madrid, 7. - A dos quarts i cmc surd& conseqi.ièncJa de complicar com mat la situació 1 de posar de re­ BAL presenta una esmena en la L'efervescencia que s'observa al carrer, ha tingut per fi ressò al Parla­ minuts de cinc comença la sess10 com lleu en el saló de sessions la profunda esquerda del gabinet, sense solda­ qual demana que es determinin El debat polític ment.
    [Show full text]
  • Labels and Event Processes in the Asbestos Operating System
    Labels and Event Processes in the Asbestos Operating System Petros Efstathopoulos∗ Maxwell Krohn† Steve VanDeBogart∗ Cliff Frey† David Ziegler† Eddie Kohler∗ David Mazieres` ‡ Frans Kaashoek† Robert Morris† ∗UCLA †MIT ‡Stanford/NYU http://asbestos.cs.ucla.edu/ ABSTRACT purposes [20]. Most servers instead revert to the most insecure de- sign, monolithic code running with many privileges. It should come Asbestos, a new prototype operating system, provides novel la- as no surprise that high-impact breaches continue. beling and isolation mechanisms that help contain the effects New operating system primitives are needed [21], and the best of exploitable software flaws. Applications can express a wide place to explore candidates is the unconstrained context of a new range of policies with Asbestos’s kernel-enforced label mechanism, OS. Hence the Asbestos operating system, which can enforce strict including controls on inter-process communication and system- application-defined security policies even on efficient, unprivileged wide information flow. A new event process abstraction provides servers. lightweight, isolated contexts within a single process, allowing the same process to act on behalf of multiple users while preventing Asbestos’s contributions are twofold. First, all access control it from leaking any single user’s data to any other user. A Web checks use Asbestos labels, a primitive that combines advantages server that uses Asbestos labels to isolate user data requires about of discretionary and nondiscretionary access control. Labels deter- 1.5 memory pages per user, demonstrating that additional security mine which services a process can invoke and with which other can come at an acceptable cost. processes it can interact.
    [Show full text]
  • Download Full Book
    For Business and Pleasure Keire, Mara Laura Published by Johns Hopkins University Press Keire, Mara Laura. For Business and Pleasure: Red-Light Districts and the Regulation of Vice in the United States, 1890–1933. Johns Hopkins University Press, 2010. Project MUSE. doi:10.1353/book.467. https://muse.jhu.edu/. For additional information about this book https://muse.jhu.edu/book/467 [ Access provided at 1 Oct 2021 16:48 GMT with no institutional affiliation ] This work is licensed under a Creative Commons Attribution 4.0 International License. For Business & Pleasure This page intentionally left blank studies in industry and society Philip B. Scranton, Series Editor Published with the assistance of the Hagley Museum and Library For Business & Pleasure Red-Light Districts and the Regulation of Vice in the United States, 1890–1933 mara l. keire The Johns Hopkins University Press Baltimore ∫ 2010 The Johns Hopkins University Press All rights reserved. Published 2010 Printed in the United States of America on acid-free paper 2 4 6 8 9 7 5 3 1 The Johns Hopkins University Press 2715 North Charles Street Baltimore, Maryland 21218-4363 www.press.jhu.edu Library of Congress Cataloging-in-Publication Data Keire, Mara L. (Mara Laura), 1967– For business and pleasure : red-light districts and the regulation of vice in the United States, 1890–1933 / Mara L. Keire. p. cm. — (Studies in industry and society) Includes bibliographical references and index. isbn-13: 978-0-8018-9413-8 (hbk. : alk. paper) isbn-10: 0-8018-9413-1 (hbk. : alk. paper) 1. Red-light districts—United States—History—20th century.
    [Show full text]
  • Mobile and Embedded Device
    Mobile and Embedded Device Selecting an Operating System Why use an OS? ● In our previous work we have seen how to execute a number of tasks on our system ● Some of these tasks can run asynchronously – For example interrupt driven tasks ● So if we want to exploit the resources of our system efficiently we require some software support to do this – Namely an operating system Which Operating System? ● There are a number of choices when selecting an OS – Size, cost, features ● Free – FreeRTOS: http://www.freertos.org – TinyOS: http://www.tinyos.net – Chibios: http://www.chibios.org/ – eCos, uKOS, EROS, Nut/OS – Various Linux flavours ● Commercial – VxWorks: http://www.windriver.com – QNX: http://www.qnx.com – SafeRTOS: http://www.highintegritysystems.com/safertos.html – uC/OSII: http://www.micrium.com – Salvo: http://www.pumpkininc.com – INTEGRITY, VelOSity, THEOS, RMX Why FreeRTOS ● Free (Both “Speech” and “Beer”) – No Royalties, Open Source – Although documentation costs ● Lightweight – Low overhead, simple code ● Portable – ~8 major architectures officially supported, more unofficially ● Cooperative or Preemptive – We're going to be using preemptive ● Good Documentation – http://www.freertos.org – Look under FreeRTOS API – Functional docs plus code examples ● Developed by an Ex-Student! – Richard Barry, BSc CRTS What required from an OS? ● For small embedded systems they are required to be – Small memory footprint – Efficient use of resources – Fast ● We require what is normally called an 'executive' rather than an operating system – Lots
    [Show full text]
  • Reinterpreting Eros in Plato's Symposium
    Reinterpreting Eros in Plato’s Symposium Master’s Thesis Presented to The Faculty of the Graduate School of Arts and Sciences Brandeis University Department of Ancient Greek and Roman Studies Leonard Muellner, Advisor In Partial Fulfillment of the Requirements for Master’s Degree by Peter Caccavale May 2012 Acknowledgements I would like to thank everyone who encouraged me throughout this process including my family, friends and colleagues. Without your support and guidance I am sure this thesis would never have been successful. I owe special thanks to my advisor, Professor Leonard Muellner, whose continued guidance and suggestions transformed this thesis from scattered thoughts to a structured work. From weekly meetings to editing a constant stream of drafts, your help was invaluable and I am very thankful for all of your advice. I would also like to thank my readers, Professor Patricia Johnston and Professor Cheryl Walker. I appreciate the time you took to read such a large thesis and your suggestions and comments were instrumental in fixing my errors in both grammar and logic. Finally, I am happy to be able to thank Christina for her unwavering support and encouragement. By now you have probably heard more about Plato and Greek grammar than you ever would have wanted, but you have also added more to this work than I think you realize. P.G.C. ii ABSTRACT Redefining Eros in Plato’s Symposium A thesis presented to the Department of Classical Studies Graduate School of Arts and Sciences Brandeis University Waltham, Massachusetts By Peter Caccavale At the heart of the Symposium there lies the conceptual problem of defining the term eros in a manner that remains faithful to both its linguistic and philosophical context.
    [Show full text]