DOCSLIB.ORG

Sealing OS Processes to Improve Dependability and Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

MSR-TR-2006-51 This is a draft paper that is under submission. Please contact Galen Hunt for citation information. Sealing OS Processes to Improve Dependability and Security Galen Hunt, Mark Aiken, Paul Barham, Manuel Fähndrich, Chris Hawblitzel, Orion Hodson, James Larus, Steven Levi, Nick Murphy, Bjarne Steensgaard, David Tarditi, Ted Wobber, Brian Zill Microsoft Research Abstract On most modern operating systems, a process is a hardware-protected abstraction for executing potentially mutable code and data. Common features of processes include: dynamic code loading, dynamic code generation, access to cross-process shared memory, and a universal API. This paper argues that many of the dependability and security weaknesses of modern systems are exacerbated by this open process architecture. Moreover, this architecture impairs the ability of tools to analyze code statically, to improve its performance or dependability. By contrast, a sealed process architecture prohibits dynamic code loading, prohibits self-modifying code, prohibits shared memory, and replaces a universal API with a process-limited API. This paper describes an implementation of a sealed process architecture in the Singularity operating system, discusses its merits, and evaluates its impact. Among the benefits are: improved static program analysis, strong security guarantees, elimination of OS redundancies found in language runtimes such as the JVM and CLR, and better software engineering. 1. Introduction 1.1. Disadvantages of Open Processes The process, as a recognized operating system Although common, open processes are not “free.” abstraction, debuted in Multics [52] in the 1960s. This architecture has negative consequences for Multics processes included support for dynamic code dependability, correctness, security, and performance. loading, dynamic code generation, access to cross- Almost all open process systems use hardware process shared memory, and a universal API capable protection [41] to ensure process isolation. All of the of directly modifying data in another process. systems named above, and many others, rely on paged This open process architecture is now nearly memory management and differentiated user and universal. Aspects of this architecture, such as kernel instructions to ensure process isolation. dynamic code loading and cross-process shared Hardware-based process isolation is so common that it memory, were not in the early versions of UNIX [38] is generally assumed to be a “free” processor feature. or early PC operating systems. However, their Unfortunately, hardware-based isolation is not free. In absences reflected limited address spaces and a lack of Aiken et al. [3], we demonstrated performance costs dynamic linking technology, and this “weakness” was from 2.5% (in a compute-bound task with no paging) quickly remedied. Today, for example, all four aspects to 33% (in an IPC bound task). Page table of open processes are found in FreeBSD, Linux, management and cache and TLB misses are Solaris, and Windows. responsible for this increase in execution time. In the beginning, open processes gained popularity Moreover, the extension mechanism commonly because they improved memory utilization by sharing associated with open processes is a major cause of library code across processes. Today, open process software reliability, security, and backward architecture’s most characteristic feature is the ease compatibility problems. Although extension code is with which the OS or an application can be extended rarely trusted, verified, or even fully correct, it is with plug-ins. New features and functionality are loaded directly into a host’s process with no hard routinely loaded directly into these systems’ kernels interface or boundary between host and extension. The and processes. For example, Microsoft Windows outcome is often unpleasant. For example, Swift supports over 100,000 in-kernel device drivers, which reports that faulty device drivers cause 85% of enable it to control almost any hardware device. Other diagnosed Windows system crashes [47]. Moreover, examples of widely used in-process extensions include because an extension lacks a hard interface, it can use dynamic content extensions in web servers (like private aspects of its host’s implementation, which can ISAPI extensions to Microsoft’s IIS), extended stored constrain evolution of a program and require extensive procedures in databases, and web browser plug-ins. testing to avoid future incompatibilities. 1 MSR-TR-2006-51 This is a draft paper that is under submission. Please contact Galen Hunt for citation information. Dynamic code loading imposes a less obvious tax on behavior is easier to verify, and run-time failures can performance and correctness. Software that can load be contained. code is an open environment, in which it is impossible The rest of the paper is organized as follows. Section to make sound assumptions about the system’s states, 2 describes the sealed process architecture and invariants, or valid transitions. Consider the Java discusses its qualitative merits. Section 3 describes the Virtual Machine (JVM). An interrupt, exception, or implementation of sealed processes in Singularity. thread switch can invoke code that loads a new file, Section 4 contains a quantitative evaluation of the overwrites class and method bodies, and modifies sealed process architecture in Singularity. Section 5 global state [45]. In general, the only feasible way to describes related work and Section 6 contains analyze a program running under such conditions is to conclusions and a discussion of future work. start with the unsound assumption that the environment will not change arbitrarily between any 2. Sealed Process Architecture two operations. A sealed process architecture is an architecture in Open processes complicate security. If the code which the operating system guarantees that the code of running in a process is not known a priori, it is a process cannot be altered once the process starts difficult to rationalize subsequent access control executing and in which the state of a process cannot decisions based on code identity. Perhaps for this be directly modified by another process. reason it is rare for operating systems to provide any A sealed kernel is an OS kernel whose code cannot be strong guarantees about application identity, relying altered after system boot and whose state cannot be instead on the identity of an authenticated user or an modified by any process. An operating system with an application masquerading as a user. Software open kernel could provide sealed processes. However, attestation solutions like Terra [20] and NGSCB [35] in this paper, we shall assume that a sealed process must use hardware and virtual machines to prevent architecture also implies a sealed kernel. modifications to the code of running processes. 1.2. Contributions We can draw an instructive analogy between sealed processes and sealed classes in object-oriented This paper describes a new sealed process languages. Practice has shown that designers and architecture in which the OS guarantees that the code implementers of classes need a mechanism to limit in a process cannot be altered once the process starts class extension and force extensions to use a declared executing. The architecture prohibits dynamic code interface [8] in order to avoiding errors that typically loading, prohibits self-modifying code, prohibits appear only at runtime. Similarly, by running dynamic cross-process sharing of memory, and replaces a extensions in a separate process, the sealed process universal API with a process-limited API. Of architecture increases system dependability by forcing particular import, the sealed architecture incorporates application and system extensions to use declared a single extension mechanism for both OS and interfaces. applications: extension code executes in a new 2.1. Sealed Process Invariants process, distinct from its host. The sealed process architecture maintains four Sealed processes offer many advantages. They invariants: increase the potential of static program analysis to improve performance and reliability. They enable The fixed code invariant: Code within a process stronger security guarantees. They allow the cannot be altered once the process starts elimination of duplication of OS-level features in execution. virtual execution environments such as the Sun’s JVM The state isolation invariant: Data within a and Microsoft’s Common Language Runtime (CLR). process cannot be directly accessed by another Finally, they encourage better software engineering. process. The explicit communication invariant: All We have implemented sealed process in the communication between processes must occur Singularity operating system. Singularity is a new through explicit mechanisms, with explicit system being developed as a basis for more identification of the sender, and explicit receiver dependable system and application software [28, 29]. admission control over incoming communication. Singularity exploits advances in programming The closed API invariant: The API between a languages and tools to create an environment in which process and the system must maintain the fixed software is more likely to be built correctly, program 2 MSR-TR-2006-51 This is a draft paper that is under submission. Please contact Galen Hunt for citation information. code, state isolation, and explicit communication mechanism that could subvert the fixed code, state invariants. isolation, or explicit communication
Recommended publications
  • Draft SP 800-125A Rev. 1, Security Recommendations for Server

    Draft SP 800-125A Rev. 1, Security Recommendations for Server

    The attached DRAFT document (provided here for historical purposes), released on April 11, 2018, has been superseded by the following publication: Publication Number: NIST Special Publication (SP) 800-125A Rev. 1 Title: Security Recommendations for Server-based Hypervisor Platforms Publication Date: June 2018 • Final Publication: https://doi.org/10.6028/NIST.SP.800-125Ar1 (which links to https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-125Ar1.pdf). • Related Information on CSRC: Final: https://csrc.nist.gov/publications/detail/sp/800-125a/rev-1/final 1 Draft NIST Special Publication 800-125A 2 Revision 1 3 4 Security Recommendations for 5 Hypervisor Deployment on 6 ServersServer-based Hypervisor 7 Platforms 8 9 10 11 12 Ramaswamy Chandramouli 13 14 15 16 17 18 19 20 21 22 23 C O M P U T E R S E C U R I T Y 24 25 Draft NIST Special Publication 800-125A 26 Revision 1 27 28 29 30 Security Recommendations for 31 Server-based Hypervisor Platforms 32 33 Hypervisor Deployment on Servers 34 35 36 37 Ramaswamy Chandramouli 38 Computer Security Division 39 Information Technology Laboratory 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 April 2018 56 57 58 59 60 61 U.S. Department of Commerce 62 Wilbur L. Ross, Jr., Secretary 63 64 National Institute of Standards and Technology 65 Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology 66 67 Authority 68 69 This publication has been developed by NIST in accordance with its statutory responsibilities under the 70 Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C.
  • Ebook - Informations About Operating Systems Version: August 15, 2006 | Download

    Ebook - Informations About Operating Systems Version: August 15, 2006 | Download

    eBook - Informations about Operating Systems Version: August 15, 2006 | Download: www.operating-system.org AIX Internet: AIX AmigaOS Internet: AmigaOS AtheOS Internet: AtheOS BeIA Internet: BeIA BeOS Internet: BeOS BSDi Internet: BSDi CP/M Internet: CP/M Darwin Internet: Darwin EPOC Internet: EPOC FreeBSD Internet: FreeBSD HP-UX Internet: HP-UX Hurd Internet: Hurd Inferno Internet: Inferno IRIX Internet: IRIX JavaOS Internet: JavaOS LFS Internet: LFS Linspire Internet: Linspire Linux Internet: Linux MacOS Internet: MacOS Minix Internet: Minix MorphOS Internet: MorphOS MS-DOS Internet: MS-DOS MVS Internet: MVS NetBSD Internet: NetBSD NetWare Internet: NetWare Newdeal Internet: Newdeal NEXTSTEP Internet: NEXTSTEP OpenBSD Internet: OpenBSD OS/2 Internet: OS/2 Further operating systems Internet: Further operating systems PalmOS Internet: PalmOS Plan9 Internet: Plan9 QNX Internet: QNX RiscOS Internet: RiscOS Solaris Internet: Solaris SuSE Linux Internet: SuSE Linux Unicos Internet: Unicos Unix Internet: Unix Unixware Internet: Unixware Windows 2000 Internet: Windows 2000 Windows 3.11 Internet: Windows 3.11 Windows 95 Internet: Windows 95 Windows 98 Internet: Windows 98 Windows CE Internet: Windows CE Windows Family Internet: Windows Family Windows ME Internet: Windows ME Seite 1 von 138 eBook - Informations about Operating Systems Version: August 15, 2006 | Download: www.operating-system.org Windows NT 3.1 Internet: Windows NT 3.1 Windows NT 4.0 Internet: Windows NT 4.0 Windows Server 2003 Internet: Windows Server 2003 Windows Vista Internet: Windows Vista Windows XP Internet: Windows XP Apple - Company Internet: Apple - Company AT&T - Company Internet: AT&T - Company Be Inc. - Company Internet: Be Inc. - Company BSD Family Internet: BSD Family Cray Inc.
  • Microkernels in a Bit More Depth • Early Operating Systems Had Very Little Structure • a Strictly Layered Approach Was Promoted by Dijkstra

    Microkernels in a Bit More Depth • Early Operating Systems Had Very Little Structure • a Strictly Layered Approach Was Promoted by Dijkstra

    Motivation Microkernels In a Bit More Depth Early operating systems had very little structure A strictly layered approach was promoted by Dijkstra THE Operating System [Dij68] COMP9242 2007/S2 Week 4 Later OS (more or less) followed that approach (e.g., Unix). UNSW Such systems are known as monolithic kernels COMP9242 07S2 W04 1 Microkernels COMP9242 07S2 W04 2 Microkernels Issues of Monolithic Kernels Evolution of the Linux Kernel E Advantages: Kernel has access to everything: all optimisations possible all techniques/mechanisms/concepts implementable Kernel can be extended by adding more code, e.g. for: new services support for new harwdare Problems: Widening range of services and applications OS bigger, more complex, slower, more error prone. Need to support same OS on different hardware. Like to support various OS environments. Distribution impossible to provide all services from same (local) kernel. COMP9242 07S2 W04 3 Microkernels COMP9242 07S2 W04 4 Microkernels Approaches to Tackling Complexity Evolution of the Linux Kernel Part 2 A Classical software-engineering approach: modularity Software-engineering study of Linux kernel [SJW+02]: (relatively) small, mostly self-contained components well-defined interfaces between them Looked at size and interdependencies of kernel "modules" enforcement of interfaces "common coupling": interdependency via global variables containment of faults to few modules Analysed development over time (linearised version number) Doesn't work with monolithic kernels: Result 1:
  • Building Performance Measurement Tools for the MINIX 3 Operating System

    Building Performance Measurement Tools for the MINIX 3 Operating System

    Building Performance Measurement Tools for the MINIX 3 Operating System Rogier Meurs August 2006 Contents 1 INTRODUCTION 1 1.1 Measuring Performance 1 1.2 MINIX 3 2 2 STATISTICAL PROFILING 3 2.1 Introduction 3 2.2 In Search of a Timer 3 2.2.1 i8259 Timers 3 2.2.2 CMOS Real-Time Clock 3 2.3 High-level Description 4 2.4 Work Done in User-Space 5 2.4.1 The SPROFILE System Call 5 2.5 Work Done in Kernel-Space 5 2.5.1 The SPROF Kernel Call 5 2.5.2 Profiling using the CMOS Timer Interrupt 6 2.6 Work Done at the Application Level 7 2.6.1 Control Tool: profile 7 2.6.2 Analyzing Tool: sprofalyze.pl 7 2.7 What Can and What Cannot be Profiled 8 2.8 Profiling Results 8 2.8.1 High Scoring IPC Functions 8 2.8.2 Interrupt Delay 9 2.8.3 Profiling Runs on Simulator and Other CPU Models 12 2.9 Side-effect of Using the CMOS Clock 12 3 CALL PROFILING 13 3.1 Introduction 13 3.1.1 Compiler-supported Call Profiling 13 3.1.2 Call Paths, Call and Cycle Attribution 13 3.2 High-level Description 14 3.3 Work Done in User-Space 15 3.3.1 The CPROFILE System Call 15 3.4 Work Done in Kernel-Space 16 3.4.1 The PROFBUF and CPROF Kernel Calls 16 3.5 Work Done in Libraries 17 3.5.1 Profiling Using Library Functions 17 3.5.2 The Procentry Library Function 17 3.5.3 The Procexit Library Function 20 3.5.4 The Call Path String 22 3.5.5 Testing Overhead Elimination 23 3.6 Profiling Kernel-Space/User-Space Processes 24 3.6.1 Differences in Announcing and Table Sizes 24 3.6.2 Kernel-Space Issue: Reentrancy 26 3.6.3 Kernel-Space Issue: The Call Path 26 3.7 Work Done at the Application
  • Designing and Implementing the OP and OP2 Web Browsers

    Designing and Implementing the OP and OP2 Web Browsers

    Designing and Implementing the OP and OP2 Web Browsers CHRIS GRIER, SHUO TANG and SAMUEL T. KING, University of Illinois at Urbana-Champaign Current web browsers are plagued with vulnerabilities, providing hackers with easy access to computer systems via browser-based attacks. Browser security efforts that retrofit existing browsers have had lim- ited success because the design of modern browsers is fundamentally flawed. To enable more secure web browsing, we design and implement a new browser, called the OP web browser, that attempts to improve the state-of-the-art in browser security. We combine operating system design principles with formal methods to design a more secure web browser by drawing on the expertise of both communities. Our design philosophy is to partition the browser into smaller subsystems and make all communication between subsystems sim- ple and explicit. At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features. To show the utility of our browser architecture, we design and implement three novel security features. First, we develop flexible security policies that allow us to include browser plugins within our security framework. Second, we use formal methods to prove useful security properties including user interface invariants and browser security policy. Third, we design and implement a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks. In addition to presenting the OP browser architecture, we discuss the design and implementation of a second version of OP, OP2, that includes features from other secure web browser designs to improve on the overall security and performance of OP.
  • Real-Time Operating System in Java

    Real-Time Operating System in Java

    University of Wollongong Theses Collection University of Wollongong Theses Collection University of Wollongong Year Real-time operating system in Java Qinghua Lu University of Wollongong Lu, Qinghua, Real-time operating system in Java, MA thesis, School of Computer Science and Software Engineering, University of Wollongong, 2007. http://ro.uow.edu/theses/29 This paper is posted at Research Online. http://ro.uow.edu.au/theses/29 Real-time Operating System in Java A thesis submitted in fulfilment of the requirements for the award of the degree Master of Computer Science -Research from UNIVERSITY OF WOLLONGONG by Qinghua Lu School of Computer Science & Software Engineering August, 2007 1 Dedicated to My Parents, Lu Changyou and Luo Xiue! 2 The following papers were written as part of this research. 1. McKerrow, P.J., Lu, Q., Zhou, Z.Q. and Chen, L. (2007), Developing real-time systems in Java on Macintosh, Submitted to AUC’07, Apple University Consortium, Gold Coast, September, 23-26, 2007. 2. McKerrow, P.J., Lu, Q., Zhou, Z.Q. and Chen, L. (2007), Software development of embedded systems on Macintosh, Submitted to AUC’07, Apple University Consortium, Gold Coast, September, 23-26, 2007. 3 Declaration I, Qinghua Lu, declare that this thesis, submitted in fulfilment of the requirements for the award of Master of Computer Science -Research, in the School of Computer Science & Software Engineering, University of Wollongong, is wholly my own work unless otherwise referenced or acknowledged. The document has not been submitted for qualifications
  • Alpha ELT Listing

    Alpha ELT Listing

    Lienholder Name Lienholder Address City State Zip ELT ID 1ST ADVANTAGE FCU PO BX 2116 NEWPORT NEWS VA 23609 CFW 1ST COMMAND BK PO BX 901041 FORT WORTH TX 76101 FXQ 1ST FNCL BK USA 47 SHERMAN HILL RD WOODBURY CT 06798 GVY 1ST LIBERTY FCU PO BX 5002 GREAT FALLS MT 59403 ESY 1ST NORTHERN CA CU 1111 PINE ST MARTINEZ CA 94553 EUZ 1ST NORTHERN CR U 230 W MONROE ST STE 2850 CHICAGO IL 60606 GVK 1ST RESOURCE CU 47 W OXMOOR RD BIRMINGHAM AL 35209 DYW 1ST SECURITY BK WA PO BX 97000 LYNNWOOD WA 98046 FTK 1ST UNITED SVCS CU 5901 GIBRALTAR DR PLEASANTON CA 94588 W95 1ST VALLEY CU 401 W SECOND ST SN BERNRDNO CA 92401 K31 360 EQUIP FIN LLC 300 BEARDSLEY LN STE D201 AUSTIN TX 78746 DJH 360 FCU PO BX 273 WINDSOR LOCKS CT 06096 DBG 4FRONT CU PO BX 795 TRAVERSE CITY MI 49685 FBU 777 EQUIPMENT FIN LLC 600 BRICKELL AVE FL 19 MIAMI FL 33131 FYD A C AUTOPAY PO BX 40409 DENVER CO 80204 CWX A L FNCL CORP PO BX 11907 SANTA ANA CA 92711 J68 A L FNCL CORP PO BX 51466 ONTARIO CA 91761 J90 A L FNCL CORP PO BX 255128 SACRAMENTO CA 95865 J93 A L FNCL CORP PO BX 28248 FRESNO CA 93729 J95 A PLUS FCU PO BX 14867 AUSTIN TX 78761 AYV A PLUS LOANS 500 3RD ST W SACRAMENTO CA 95605 GCC A/M FNCL PO BX 1474 CLOVIS CA 93613 A94 AAA FCU PO BX 3788 SOUTH BEND IN 46619 CSM AAC CU 177 WILSON AVE NW GRAND RAPIDS MI 49534 GET AAFCU PO BX 619001 MD2100 DFW AIRPORT TX 75261 A90 ABLE INC 503 COLORADO ST AUSTIN TX 78701 CVD ABNB FCU 830 GREENBRIER CIR CHESAPEAKE VA 23320 CXE ABOUND FCU PO BX 900 RADCLIFF KY 40159 GKB ACADEMY BANK NA PO BX 26458 KANSAS CITY MO 64196 ATF ACCENTRA CU 400 4TH
  • Isolation, Resource Management, and Sharing in Java

    Isolation, Resource Management, and Sharing in Java

    Processes in KaffeOS: Isolation, Resource Management, and Sharing in Java Godmar Back, Wilson C. Hsieh, Jay Lepreau School of Computing University of Utah Abstract many environments for executing untrusted code: for example, applets, servlets, active packets [41], database Single-language runtime systems, in the form of Java queries [15], and kernel extensions [6]. Current systems virtual machines, are widely deployed platforms for ex- (such as Java) provide memory protection through the ecuting untrusted mobile code. These runtimes pro- enforcement of type safety and secure system services vide some of the features that operating systems pro- through a number of mechanisms, including namespace vide: inter-application memory protection and basic sys- and access control. Unfortunately, malicious or buggy tem services. They do not, however, provide the ability applications can deny service to other applications. For to isolate applications from each other, or limit their re- example, a Java applet can generate excessive amounts source consumption. This paper describes KaffeOS, a of garbage and cause a Web browser to spend all of its Java runtime system that provides these features. The time collecting it. KaffeOS architecture takes many lessons from operating To support the execution of untrusted code, type-safe system design, such as the use of a user/kernel bound- language runtimes need to provide a mechanism to iso- ary, and employs garbage collection techniques, such as late and manage the resources of applications, analogous write barriers. to that provided by operating systems. Although other re- The KaffeOS architecture supports the OS abstraction source management abstractions exist [4], the classic OS of a process in a Java virtual machine.
  • Research Purpose Operating Systems – a Wide Survey

    Research Purpose Operating Systems – a Wide Survey

    GESJ: Computer Science and Telecommunications 2010|No.3(26) ISSN 1512-1232 RESEARCH PURPOSE OPERATING SYSTEMS – A WIDE SURVEY Pinaki Chakraborty School of Computer and Systems Sciences, Jawaharlal Nehru University, New Delhi – 110067, India. E-mail: [email protected] Abstract Operating systems constitute a class of vital software. A plethora of operating systems, of different types and developed by different manufacturers over the years, are available now. This paper concentrates on research purpose operating systems because many of them have high technological significance and they have been vividly documented in the research literature. Thirty-four academic and research purpose operating systems have been briefly reviewed in this paper. It was observed that the microkernel based architecture is being used widely to design research purpose operating systems. It was also noticed that object oriented operating systems are emerging as a promising option. Hence, the paper concludes by suggesting a study of the scope of microkernel based object oriented operating systems. Keywords: Operating system, research purpose operating system, object oriented operating system, microkernel 1. Introduction An operating system is a software that manages all the resources of a computer, both hardware and software, and provides an environment in which a user can execute programs in a convenient and efficient manner [1]. However, the principles and concepts used in the operating systems were not standardized in a day. In fact, operating systems have been evolving through the years [2]. There were no operating systems in the early computers. In those systems, every program required full hardware specification to execute correctly and perform each trivial task, and its own drivers for peripheral devices like card readers and line printers.
  • The Synthesis Kernel

    The Synthesis Kernel

    ... " The Synthesis Kernel Calton Pu, Henry Massalin and 21 ~; John loannidis Columbia University ABSTRACT: The Synthesis distributed operating system combines etticient kernel calls with a high­ level, orthogonal interface. The key concept is the use of a code synthesizer in the kernel to generate specialized (thus short and fast) kernel routines for specific situations. We have three methods of synthesizing code: Factoring Invariants to bypass redundant computations; Collapsing Layers to eliminate unnecessary procedure calls and context switches; and Executable Data Structures to shorten data structure traversal time. Applying these methods, the kernel call synthesized to read Idevlmem takes about 15 microseconds on a 68020 machine. A simple model of computation called a synthetic machine supports parallel and distributed processing. The interface to synthetic machine consists of six operations on four kinds of ohjects. This combination of a high-level interface with the code synthesizer avoids the traditional trade-off in operating systems between powerful interfaces and efficient implementations . ., Complliing .\'yslt'nIS, Vol. 1 • No.1' Winter IIJI!I! I I I. Introduction and data, and synthetic 1/0 units to move data in to and out of the synthetic machine. The synthetic machine interface and kernel code synthesizer A trade-off between powerful features and efficient arc independent ideas that have a synergistic eliect. Without the implementation exists in many operating systems. Systems with code synthesizer. even a sophisticated implementation of synthetic high-level interfaces and powerful features, like Argus lO and Eden/ machines would be very inetlicient. Each high-level kernel call require a lot of code for their implementation, and this added would require a large amount of code with a long execution time.
  • Cali: Compiler-Assisted Library Isolation

    Cali: Compiler-Assisted Library Isolation

    Cali: Compiler-Assisted Library Isolation Markus Bauer Christian Rossow CISPA Helmholtz Center for Information Security CISPA Helmholtz Center for Information Security Saarbrücken, Saarland, Germany Saarbrücken, Saarland, Germany [email protected] [email protected] ABSTRACT the full program’s privileges and address space. This lack of privi- Software libraries can freely access the program’s entire address lege separation and memory isolation has led to numerous critical space, and also inherit its system-level privileges. This lack of sepa- security incidents. ration regularly leads to security-critical incidents once libraries We can significantly reduce this threat surface by isolating the contain vulnerabilities or turn rogue. We present Cali, a compiler- library from the main program. In most cases, a library (i) neither assisted library isolation system that fully automatically shields a requires access to the entire program’s address space, (ii) nor needs program from a given library. Cali is fully compatible with main- the full program’s privileges to function properly. In fact, even line Linux and does not require supervisor privileges to execute. We complex libraries such as parsers require only limited interaction compartmentalize libraries into their own process with well-defined with the program and/or system. Conceptually, there is thus little security policies. To preserve the functionality of the interactions need to grant an untrusted library access to the program or to between program and library, Cali uses a Program Dependence critical system privileges. Basic compartmentalization principles Graph to track data flow between the program and the library dur- thus help to secure a program from misuse by untrusted code.
  • A Complete Bibliography of Publications in Software—Practice and Experience

    A Complete Bibliography of Publications in Software—Practice and Experience

    A Complete Bibliography of Publications in Software|Practice and Experience Nelson H. F. Beebe University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA Tel: +1 801 581 5254 FAX: +1 801 581 4148 E-mail: [email protected], [email protected], [email protected] (Internet) WWW URL: http://www.math.utah.edu/~beebe/ 23 July 2021 Version 3.26 Title word cross-reference [Bar82a, Bar82c, Bar84b]. < [SMGMOFM07a, SMGMOFM07b]. > [SMGMOFM07a, SMGMOFM07b]. 2 [MST13, MDB19]. 3 [DS09]. 4 [MSR+07]. \ 0 [GW96]. 1 [GW96]. $1.50 [Bar78d]. $11 [PK04]. TM [MZB00, Win02]. 8 [DB21b]. k [Bar84a]. $12.00 [Rob72]. $13 [Bar84a]. [AW93, Mer93]. κ [MG94]. µ $13.00 [Rob72]. $18.50 [Jon74]. $185 [BS90c, BDS+92, SMNB21]. N [Bar79b]. $19.30 [Lan74a]. $19.50 [Dav78]. [MS98, Coh98, KST94, YAVHC21]. P 3 $25.00 [Pet77, And78]. 3 [BE02, FMA02]. [DC03]. PM [CLD+17]. q [GSR17]. τ $31-25 [Pet77]. $31.35 [Bri82]. 32 [VED06]. 2:5 [TSZ14, UDS+07]. $35.00 [Inc86]. $39.50 [Sim83]. 5 [CPMAH+20]. $58.50 [Wal81a]. $6.95 -ary [MS98]. -bit [AM10, SF85, VED06]. [Tho74]. 64 [AM10, VED06]. 68 -gram [Coh98, KST94, YAVHC21]. -grams [Ear76, Hol77]. $68.25 [Pit82]. $7.00 [GSR17]. -level [FM77]. -queens [Plu74]. [Bar72a]. $7.50 [Bar78d]. $7.95 -R [Ear76, Hol77]. -shortest-paths [MG94]. [Bar76a, Lav77]. $78.50 [Sim83]. 8 -System [BS90c]. [Plu74, SF85]. $8.95 [Bar82a, Bar82c, Bar84b]. $9.75 . [Bis81b]. .NET [Coo04, Han04]. [Bar77e, Mul76]. $9.80 [Atk79a]. $9.95 1 2 0 [Bar81, Edw98a, Edw98b, Gru83, Llo82, 2 [Bar74a, Bar74b, Bar80b, Bud85, Cor88b, Val77a, Val78, Wal83b].