DOCSLIB.ORG

University Microfilms International 300 N

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
University Microfilms International 300 N INFORMATION TO USERS This was produced from a copy of a document sent to us for microfilming. While the most advanced technological means to photograph and reproduce this document have been used, the quality is heavily dependent upon the quality of the material submitted. The following explanation of techniques is provided to help you understand markings or notations which may appear on this reproduction. 1.The sign or "target” for pages apparently lacking from the document photographed is "Missing Page(s)”. If it was possible to obtain the missing page(s) or section, they are spliced into the film along with adjacent pages. This may have necessitated cutting through an image and duplicating adjacent pages to assure you of complete continuity. 2. When an image on the film is obliterated with a round black mark it is an indication that the film inspector noticed either blurred copy because of movement during exposure, or duplicate copy. Unless we meant to delete copyrighted materials that should not have been filmed, you will find a good image of the page in the adjacent frame. If copyrighted materials were deleted you will find a target note listing the pages in the adjacent frame. • 3. When a map, drawing or chart, etc., is part of the material being photo­ graphed the photographer has followed a definite method in “sectioning” the material. It is customary to begin filming at the upper left hand corner of a large sheet and to continue from left to right in equal sections with small overlaps. If necessary, sectioning is continued again—beginning below the first row and continuing on until complete. 4. For any illustrations that cannot be reproduced satisfactorily by xerography, photographic prints can be purchased at additional cost and tipped into your xerographic copy. Requests can be made to our Dissertations Customer Services Department. 5. Some pages in any document may have indistinct print. In all cases we have filmed the best available copy. University Microfilms International 300 N. ZEEB RD., ANN ARBOR, Ml 48106 8121864 Tsay, D u e n -Ping MIKE: A NETWORK OPERATING SYSTEM FOR THE DISTRIBUTED DOUBLE-LOOP COMPUTER NETWORK The Ohio Slate University PH.D. 1981 University Microfilms International300 N. Zeeb Road, Ann Arbor. M I 48106 MIKE: A NETWORK OPERATING SYSTEM FOR THE DISTRIBUTED DOUBLE-LOOP COMPUTER NETWORK DISSERTATION Presented in Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the Graduate School of The Ohio State University By Duen-Ping Tsay, B.S.E.E., M.S. ***** The Ohio State University 1981 Reading Committee: Approved by Dr. Ming T. Liu, Chairman Dr. Kenneth J. Breeding Dr. Bruce W. Weide Adviser Department of Computer and Information Science I dedicate this dissertation and all of its related efforts to my mother, the late Shu-Ming Hung Tsay. ii ACKNOWLEDGMENTS I thank my adviser, Professor Ming T. Liu, for his constant support and guidance during the development of this research and my graduate education. His faith and encouragement on all my work are truly appreciated. I would like to express ray gratitude to Dr. Kenneth J. Breeding and Dr. Bruce W. Weide for serving on my reading committee. Their understanding and support throughout this entire process is very much appreciated. Many persons have also furnished much appreciated help in completing this research. Dr. Jacob J. Wolf, C. P. Chou, and J. J. Lin contributed in creating an interesting atmosphere in which to work. I am especially grateful to Richard C. Lian for his many insights and for his efforts to clarify the ideas presented here. I would like to thank the Graduate School of The Ohio State University (Presidential Fellowship) and the National Science Foundation (Grant MCS-77-23496) for their financial support. Finally, I am grateful to my parents, Dr. Jeh-Sheng Tsay and Mrs. Ai-Chu Chai Tsay, for their never-ending support and enthusiasm. I would also like to thank my wife, Kung-Tai, who has been very understanding throughout my entire graduate education. There are no words that could express ray appreciation for her except that this Ph.D. is jointly hers in every respect. VITA September 3, 1949. Born - Taipei, Taiwan, China. 1971 .................. B.S.E.E., National Taiwan University, Taipei, Taiwan, China. 1 971 -19 73 ............. Second Lieutenant, Signal Corps, Chinese Army, Quemoy, Fukien, China. 1 973-1 974 ............. Teaching Assistant, Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan, China. 1975-1 976............. Graduate Teaching Assistant, Department of Computer Science, Northwestern University, Evanston, Illinois . 1976 ........ M. S., Northwestern University, Evanston, Illinois. 1 9 76-1 977 ............. Graduate Teaching Fellow, Department of Computer Science, University of Utah, Salt' Lake City, Utah. 1 977-1978 ............. Graduate Teaching Associate, Department of Computer and Information Science, The Ohio State University, Columbus, Ohio. 1978-1980 ............. Graduate Research Associate, Department of Computer and Information Science, The Ohio State University, Columbus, Ohio. 1980-1981 ............. Graduate Fellow, Graduate School, The Ohio State University, Columbus, Ohio. iv PUBLICATIONS "A Study of Free Space Allocation and File Reorganization Problem of VSAM Data Set," Master Thesis, Northwestern University, Computer Science Department, Evanston, Illinois, December 19 75. "A Study of VSAM's Behavior of Free Space Allocation and Maintenance Cost," Accepted for Presentation and Publication by the ACM 1976 Annual Conference, Houston, Texas, October 1976. (C. H. Chin, coauthor.) "Design of a Distributed Fault-Tolerant Loop Network," Proceedings o_f 19 79 International Sympos ium o n Fault-Tolerant Comput ing , pp. 17-24, June 1979. (M. T. Liu, J. J. Wolf, and B. W. Weide, coauthors.) "System Design of the Distributed Double-Loop Computer Network (DDLCN)," Proceedings of First International Conference o n Distributed Comput ing Systems, pp. 95-105 , October 1979. (M . T. Liu, J. J. Wolf, B. W. Weide, R. Pardo, and C. P. Chou, coauthors.) "Interface Design for the Distributed Double-Loop Computer Network (DDLCN)," Proceedings of 19 79 National Telecommunicat ions Conf erence, pp. 59.3.1-6, November 1979. (M. T. Liu, coauthor.) "Design of a Reconfigurable Front-End Processor for Computer Networks," Proceed ings o f 19 80 International S ympos ium o n Fault-Tolerant Comp ut ing, pp. 369-371 , October 1980. (M. T. Liu, coauthor.) v "Design of a Robust Front-End for the Distributed Double-Loop Computer Network (DDLCN)," Proceed ings of Distributed Data Acquisition, Computing, a nd Control Sympos ium, pp. 141-155, December 1980. (M. T. Liu, coauthor.) "Design of the Distributed Double-Loop Computer Network (DDLCN)," Journal of Digital Systems, Vol. 4, No. 4, April 1981. (M. T. Liu, C. P. Chou, and C M. Li, coauthors.) "MIKE: A Network Operating System for the Distributed Double-Loop Computer Network (DDLCN)," to appear in Proceedings o f CO MP SAC'81, Chicago, Illinois, November 18, 1981. (M . T. Liu, coauthor.) "Design of a Network Operating System for the Distributed Double-Loop Computer Network (DDLCN)," submitted to the International Symposium on Local Computer Networks , Florence, Italy, April 1982. (M. T. Liu and R. C. Lian, coauthors.) FIELDS OF STUDY Major Field: Computer and Information Science Digital Computer Architecture and Organization. Dr. Ming T. Liu Computer Programming, including System Programming. Dr. Sandra A. Mamrak Theory and Processing of Programming Languages. Dr. Jayashree Ramanathan TABLE OF CONTENTS Page ACKNOWLEDGMENTS.............................................. iii VITA ........................................................... iv TABLE OF CONTENTS........................................... vii LIST OF T A B L E S ............... xi LIST OF................ FIGURES............................... xii C hapter I. INTRODUCTION........................................... 1 Problems of Distributed Systems............. 5 Objectives of Dissertation .................. 9 Significant Features of Research .......... 12 Organization of Dissertation ............... 18 II. BACKGROUND AND PREVIOUS RESEARCH................. 21 Related Works.................................... 23 Ar ch o n s ...................................... 25 C A P 2 6 H y d r a ......................................... 27 O c t o p u s ...................................... 28 Roscoe......................................... 28 StarOS......................................... 29 MIKE: An Operating System for DDLCN . 31 Distinct Characteristics.................. 33 Functional Capabilities .................. 35 System Transparency.................... 35 Cooperative Autonomy .................. 36 Related Works............................ 37 System Utilities............................ 39 Reliability and Robustness .......... 39 vii Extensibility and Configurability. AO Principles of Kernel Design...... 41 Data Abstraction................ 43 Capability-Based Addressing . 46 Domain-Based Protection .......... 47 Related Works........................ 50 Software-Directed Architecture...... 57 Related Works........................ 58 Breakdown of Research..................... 62 III. THE DISTRIBUTED DOUBLE-LOOP COMPUTER NETWORK. 63 General System Overview. ......... 64 Reliable Communication Network ...... 66 Loop Interface Design .................... 67 Loop Operation.......................... 68 Multi-Destination Protocols ............. 70 Distributed Programming Systems........
Load more

Recommended publications
  • Automatic Sandboxing of Unsafe Software Components in High Level Languages
    Master Thesis Automatic Sandboxing of Unsafe Software Components in High Level Languages Benjamin Lamowski Technische Universität Dresden Fakultät Informatik Institut für Systemarchitektur Professur Betriebssysteme Betreuender Hochschullehrer: Prof. Dr. rer. nat. Hermann Härtig Betreuender Mitarbeiter: Dr. Carsten Weinhold 3. Mai 2017 Aufgabenstellung Neue “sichere“ Programmiersprachen wie Go, Swift oder Rust wurden nicht nur für die normale Anwendungsentwicklung entworfen, sondern sie zielen auch auf eine hochper- formante Ausführung und Programmierung vergleichsweise systemnaher Funktionalität ab. Eine attraktive Eigenschaft beispielsweise von Rust ist das gegenüber C und C++ deutlich strengere Speicherverwaltungsmodell, bei dem bereits zur Kompilierzeit der Lebenszyklus und die Erreichbarkeit von Objekten sowie die Zuständigkeit für deren Allokation und Deallokation wohldefiniert sind. Ganze Klassen von Programmfehlern wie etwa Buffer Overflows oder Dereferenzierung ungültige Zeiger werden dadurch eliminiert und die Programme mithin sicherer und robuster. Aus diversen Gründen müssen Programme, die in sicheren Sprachen geschriebenen wurden, aber oftmals auf “unsicheren“ Legacy-Code zurückgreifen. So bietet etwa Rust über das “unsafe“-Sprachelement die Möglichkeit, Funktionen innerhalb von Bibliotheken aufzurufen, die in fehleranfälligem C geschrieben sind. Leider werden die vom Com- piler durchgesetzten Garantien der sicheren Sprache hinfällig, sobald im Code einer C-Bibliothek ein Speicherfehler auftritt. Ein Schreibzugriff etwa durch
    [Show full text]
  • A Microkernel API for Fine-Grained Decomposition
    A Microkernel API for Fine-Grained Decomposition Sebastian Reichelt Jan Stoess Frank Bellosa System Architecture Group, University of Karlsruhe, Germany freichelt,stoess,[email protected] ABSTRACT from the microkernel APIs in existence. The need, for in- Microkernel-based operating systems typically require spe- stance, to explicitly pass messages between servers, or the cial attention to issues that otherwise arise only in dis- need to set up threads and address spaces in every server for tributed systems. The resulting extra code degrades per- parallelism or protection require OS developers to adopt the formance and increases development effort, severely limiting mindset of a distributed-system programmer rather than to decomposition granularity. take advantage of their knowledge on traditional OS design. We present a new microkernel design that enables OS devel- Distributed-system paradigms, though well-understood and opers to decompose systems into very fine-grained servers. suited for physically (and, thus, coarsely) partitioned sys- We avoid the typical obstacles by defining servers as light- tems, present obstacles to the fine-grained decomposition weight, passive objects. We replace complex IPC mecha- required to exploit the benefits of microkernels: First, a nisms by a simple function-call approach, and our passive, lot of development effort must be spent into matching the module-like server model obviates the need to create threads OS structure to the architecture of the selected microkernel, in every server. Server code is compiled into small self- which also hinders porting existing code from monolithic sys- contained files, which can be loaded into the same address tems. Second, the more servers exist | a desired property space (for speed) or different address spaces (for safety).
    [Show full text]
  • A Practical UNIX Capability System
    A Practical UNIX Capability System Adam Langley <[email protected]> 22nd June 2005 ii Abstract This report seeks to document the development of a capability security system based on a Linux kernel and to follow through the implications of such a system. After defining terms, several other capability systems are discussed and found to be excellent, but to have too high a barrier to entry. This motivates the development of the above system. The capability system decomposes traditionally monolithic applications into a number of communicating actors, each of which is a separate process. Actors may only communicate using the capabilities given to them and so the impact of a vulnerability in a given actor can be reasoned about. This design pattern is demonstrated to be advantageous in terms of security, comprehensibility and mod- ularity and with an acceptable performance penality. From this, following through a few of the further avenues which present themselves is the two hours traffic of our stage. Acknowledgments I would like to thank my supervisor, Dr Kelly, for all the time he has put into cajoling and persuading me that the rest of the world might have a trick or two worth learning. Also, I’d like to thank Bryce Wilcox-O’Hearn for introducing me to capabilities many years ago. Contents 1 Introduction 1 2 Terms 3 2.1 POSIX ‘Capabilities’ . 3 2.2 Password Capabilities . 4 3 Motivations 7 3.1 Ambient Authority . 7 3.2 Confused Deputy . 8 3.3 Pervasive Testing . 8 3.4 Clear Auditing of Vulnerabilities . 9 3.5 Easy Configurability .
    [Show full text]
  • On the Construction of Reliable Device Drivers Leonid Ryzhyk
    On the Construction of Reliable Device Drivers Leonid Ryzhyk Ph.D. 2009 ii iii ‘I hereby declare that this submission is my own work and to the best of my knowledge it contains no materials previously pub- lished or written by another person, or substantial proportions of material which have been accepted for the award of any other degree or diploma at UNSW or any other educational institution, except where due acknowledgement is made in the thesis. Any contribution made to the research by others, with whom I have worked at UNSW or elsewhere, is explicitly acknowledged in the thesis. I also declare that the intellectual content of this the- sis is the product of my own work, except to the extent that as- sistance from others in the project’s design and conception or in style, presentation, and linguistic expression is acknowledged.’ Signed .................................. Date .................................. iv Abstract This dissertation is dedicated to the problem of device driver reliability. Software defects in device drivers constitute the biggest source of failure in operating systems, causing sig- nificant damage through downtime and data loss. Previous research on driver reliability has concentrated on detecting and mitigating defects in existing drivers using static analysis or runtime isolation. In contrast, this dissertation presents an approach to reducing the number of defects through an improved device driver architecture and development process. In analysing factors that contribute to driver complexity and induce errors, I show that a large proportion of errors are due to two key shortcomings in the device-driver architecture enforced by current operating systems: poorly-defined communication protocols between drivers and the operating system, which confuse developers and lead to protocol violations, and a multithreaded model of computation, which leads to numerous race conditions and deadlocks.
    [Show full text]
  • SCALABLE CAPABILITY-BASED AUTHORIZATION for HIGH- PERFORMANCE PARALLEL FILE SYSTEMS Nicholas Mills Clemson University, [email protected]
    Clemson University TigerPrints All Theses Theses 5-2011 SCALABLE CAPABILITY-BASED AUTHORIZATION FOR HIGH- PERFORMANCE PARALLEL FILE SYSTEMS Nicholas Mills Clemson University, [email protected] Follow this and additional works at: https://tigerprints.clemson.edu/all_theses Part of the Computer Engineering Commons Recommended Citation Mills, Nicholas, "SCALABLE CAPABILITY-BASED AUTHORIZATION FOR HIGH-PERFORMANCE PARALLEL FILE SYSTEMS" (2011). All Theses. 1131. https://tigerprints.clemson.edu/all_theses/1131 This Thesis is brought to you for free and open access by the Theses at TigerPrints. It has been accepted for inclusion in All Theses by an authorized administrator of TigerPrints. For more information, please contact [email protected]. SCALABLE CAPABILITY-BASED AUTHORIZATION FOR HIGH-PERFORMANCE PARALLEL FILE SYSTEMS A Thesis Presented to the Graduate School of Clemson University In Partial Fulfillment of the Requirements for the Degree Master of Science Computer Engineering by Nicholas L. Mills May 2011 Accepted by: Dr. Walter B. Ligon III, Committee Chair Dr. Richard R. Brooks Dr. Adam W. Hoover Abstract As the size and scale of supercomputers continues to increase at an exponential rate the number of users on a given supercomputer will only grow larger. A larger number of users on a supercomputer places a greater importance on the strength of information security. Nowhere is this requirement for security more apparent than the file system, as users expect their data to be protected from accidental or deliberate modification. In spite of the ever-increasing demand for more secure file system access the majority of parallel file systems do not implement a robust security protocol for fear it will negatively impact the performance and scalability of the file system.
    [Show full text]
  • Executive Summary
    Mobile Commerce Security: Legal & Technological Perspectives Michael Triguboff Table of Contents EXECUTIVE SUMMARY 4 INTRODUCTION 7 The Need for Security 11 PART I TECHNOLOGY 12 Client-Side Vulnerabilities 12 Browser Software 13 Java Applets 14 ActiveX controls 16 JavaScript 18 Plug-Ins and Graphic Files 18 Push technology 18 Web Server Security 19 Front-end 20 Firewalls 22 Back-end Database vulnerabilities 23 Server- Side Middleware 24 Operating System Problems 25 Hardened versions of Operating Systems 36 Distributed systems 37 Software Testing 38 Mobile Commerce Issues 43 Device Properties 43 Wireless Communication 45 Wireless Communication Protocols 47 Ad Hoc Networks 49 Ad Hoc Networks and Key Management 51 Network Protection in Ad Hoc Networks 54 Location Dependent Information and Mobile Computing 55 Mobile Agents 56 Protecting the Host from the Mobile Agent 59 Safe Code Interpretation 61 Digital Signatures 63 Proof Carrying Code 63 Path Histories 64 Software-Based Fault Isolation [“Sandboxing”] 64 Protecting the Agent From the Host and Other Agents 64 Secure Control of Remote Agents 65 Read-Only/Append-Only 65 Partial Results Encapsulation 66 Code Obfuscation 67 Computing with Encrypted Functions 67 Environmental Key Generation 68 Execution Tracing 68 Itinerary Recording 69 Security Through Shared Secrets and Interlocking 69 Other Approaches 69 Attacks Based on Device Limitations 71 2 Prevention, Detection and Reaction 71 Intrusion Detection 72 Intrusion Detection and Mobile Agents 75 Part I Conclusion 76 PART 11 THE LEGAL PERSPECTIVE 80 The Debate: A Confluence of Two Streams 81 Uniform Electronic Transactions Act 85 Article 2B of the Uniform Commercial Code 85 The Electronic Signatures in Global and National Commerce Act [“E-Sign Act”] 88 Jurisdiction Selection 90 Reaction- Criminal Law 96 Convention on Cyber-Crime 97 Evidentiary or Procedural Law 99 Practical Considerations 100 Part II Conclusion 101 APPENDIX 103 Digital Millennium Copyright Act 103 BIBLIOGRAPHY 107 3 EXECUTIVE SUMMARY The objectives of this project are twofold.
    [Show full text]
  • Open Ongtang-Phd-Dissertation.Pdf
    The Pennsylvania State University The Graduate School SECURING MOBILE PHONES IN THE EVOLVING MOBILE ECOSYSTEM A Dissertation in Computer Science and Engineering by Machigar Ongtang © 2010 Machigar Ongtang Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy August 2010 The dissertation of Machigar Ongtang was reviewed and approved∗ by the following: Patrick D. McDaniel Associate Professor of Computer Science and Engineering Dissertation Advisor, Chair of Committee Thomas F. La Porta Distinguished Professor of Computer Science and Engineering Trent Jaeger Associate Professor of Computer Science and Engineering Ling Rothrock Associate Professor of Industrial and Manufacturing Engineering Raj Acharya Professor of Computer Science and Engineering Department Head ∗Signatures are on file in the Graduate School. Abstract The revolution of mobile phone industry has been altering our life and business practices over the past few decades. Driven by user demands and technological advancement, we now experience rich mobile phone applications and sophisticated cellular services ranging from mobile payment, stock trading, to social networking, vehicle tracking to in-car control. As more players joining the community, this mobile phone environment has transformed into a complex network of interacting companies, known as mobile ecosystem. Unfortunately, this opening and converging mobile ecosystem has brought in more opportunities for more attacks on mobile phones, a key element of the system. This dissertation aims to achieve mobile phone security. We reveal two main chal- lenges that we need to overcome, namely developing a clear definition of secure phones, and building security infrastructure that imposes such definition on the phones. We also identify three key elements that contribute to the fidelity of mobile phones, namely, mobile phone platforms, mobile phone applications, and mobile content.
    [Show full text]
  • Capability Myths Demolished
    Capability Myths Demolished Mark S. Miller Ka-Ping Yee Jonathan Shapiro Combex, Inc. University of California, Berkeley Johns Hopkins University [email protected] [email protected] [email protected] ABSTRACT The second and third myths state false limitations on We address three common misconceptions about what capability systems can do, and have been capability-based systems: the Equivalence Myth (access propagated by a series of research publications over the control list systems and capability systems are formally past 20 years (including [2, 3, 7, 24]). They have been equivalent), the Confinement Myth (capability systems cited as reasons to avoid adopting capability models cannot enforce confinement), and the Irrevocability and have even motivated some researchers to augment Myth (capability-based access cannot be revoked). The capability systems with extra access checks [7, 13] in Equivalence Myth obscures the benefits of capabilities attempts to fix problems that do not exist. The myths as compared to access control lists, while the Confine- about what capability systems cannot do continue to ment Myth and the Irrevocability Myth lead people to spread, despite formal results [22] and practical see problems with capabilities that do not actually exist. systems [1, 9, 18, 21] demonstrating that they can do these supposedly impossible things. The prevalence of these myths is due to differing inter- pretations of the capability security model. To clear up We believe these severe misunderstandings are rooted the confusion, we examine three different models that in the fact that the term capability has come to be have been used to describe capabilities, and define a set portrayed in terms of several very different security of seven security properties that capture the distinctions models.
    [Show full text]
  • Plugging Into High-Volume Consumer Products
    ISSUE 53, SECOND QUARTER 2005ISSUE 53, SECOND QUARTER XCELL JOURNAL XILINX, INC. Issue 53 Second Quarter 2005 XcellXcelljournaljournal THETHE AUTHORITATIVEAUTHORITATIVE JOURNALJOURNAL FORFOR PROGRAMMABLEPROGRAMMABLE LOGICLOGIC USERSUSERS PluggingPlugging intointo High-VolumeHigh-Volume ConsumerConsumer ProductsProducts HIGH VOLUME Spartan-3E: A New Era Multimedia for Automotive DSP Algorithms DESIGN TOOLS New ISE 7.1i Software Control Your Designs SERIAL I/O Extend Your Reach SUBSCRIBE NOW R SEE PAGE 3 Xilinx is the only FPGA supplier in the world to have achieved high-volume 90nm production, resulting in the lowest-cost FPGAs in the industry. Our leadership in 90nm products gives you all the performance and features you need, at the lowest price points ever. Both our SpartanTM and VirtexTM product lines__ the world's most widely adopted FPGAs__ are shipping on our optimized 90nm process now. Contact your Xilinx rep today and let's ramp up for success together. The Programmable Logic CompanySM www.xilinx.com/spartan3 Pb-free devices available now ©2004 Xilinx, Inc., 2100 Logic Drive, San Jose, CA 95124. Europe +44-870-7350-600; Japan +81-3-5321-7711; Asia Pacific +852-2-424-5200; Xilinx is a registered trademark, Spartan and Virtex are trademarks, and The Programmable Logic Company is a service mark of Xilinx, Inc. LETTER FROM THE EDITOR What’s Both High and Low, and Used Everywhere...? This issue of the Xcell Journal focuses on high-volume, low-cost consumer applications and the design tools used to implement them. Business Viewpoints Our Business Viewpoints column offers an independent business perspective by Rich Wawrzyniak, Senior Analyst, ASICs Services for Semico Research Corporation.
    [Show full text]
  • On Access Checking in Capability-Based Systems1
    On Access Checking in Capability-Based Systems1 Richard Y. Kain Carl E. Landwehr University of Minnesota Naval Research Laboratory ABSTRACT Public descriptions of capability-based system designs often do not clarify the necessary details concerning the propagation of access rights within the sys- tems. A casual reader may assume that it is adequate for capabilities to be passed in accordance with the rules for data copying. A system using such a rule cannot enforce either the military security policy or the Bell and LaPadula rules. The paper shows why this problem arises and provides a taxonomy of capability-based designs. Within the space of design options de®ned by the tax- onomy we identify a class of designs that cannot enforce the Bell-LaPadula rules and two designs that do allow their enforcement. Index Terms--Access control, capabilities, capability-based architectures, secu- rity policy, *-property, taxonomy. 1. Introduction Capability systems were ®rst described in the literature in the mid-1960's. Their informal descriptions are typically based upon the notion that a capability is equivalent to a ``ticket,'' in the sense that possession of the ticket allows the possessing process access to the object described in the capability, provided that the access mode is compatible with the ``access rights'' stored within the capability. Several systems using the capability concept have been marketed (IBM System 38, CAP, i432, Plessey S250) [1]. Whether a computer system based upon capabilities can provably enforce the DoD security policy [2] has been a matter of discussion for some time. Boebert [3] has argued that an ``unmodi®ed'' capability machine must be incapable of enforcing the *-property de®ned by Bell and LaPadula [4].
    [Show full text]
  • Scalability of Microkernel-Based Systems
    Scalability of Microkernel-Based Systems Zur Erlangung des akademischen Grades eines DOKTORS DER INGENIERWISSENSCHAFTEN von der Fakultat¨ fur¨ Informatik der Universitat¨ Fridericiana zu Karlsruhe (TH) genehmigte DISSERTATION von Volkmar Uhlig aus Dresden Tag der mundlichen¨ Prufung:¨ 30.05.2005 Hauptreferent: Prof. Dr. rer. nat. Gerhard Goos Universitat¨ Fridericiana zu Karlsruhe (TH) Korreferent: Prof. Dr. sc. tech. (ETH) Gernot Heiser University of New South Wales, Sydney, Australia Karlsruhe: 15.06.2005 i Abstract Microkernel-based systems divide the operating system functionality into individ- ual and isolated components. The system components are subject to application- class protection and isolation. This structuring method has a number of benefits, such as fault isolation between system components, safe extensibility, co-existence of different policies, and isolation between mutually distrusting components. How- ever, such strict isolation limits the information flow between subsystems including information that is essential for performance and scalability in multiprocessor sys- tems. Semantically richer kernel abstractions scale at the cost of generality and mini- mality–two desired properties of a microkernel. I propose an architecture that al- lows for dynamic adjustment of scalability-relevant parameters in a general, flex- ible, and safe manner. I introduce isolation boundaries for microkernel resources and the system processors. The boundaries are controlled at user-level. Operating system components and applications can transform their semantic information into three basic parameters relevant for scalability: the involved processors (depending on their relation and interconnect), degree of concurrency, and groups of resources. I developed a set of mechanisms that allow a kernel to: 1. efficiently track processors on a per-resource basis with support for very large number of processors, 2.
    [Show full text]
  • What Have We Learnt in 20 Years of L4 Microkernels?
    Lecture 6 From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels? Kevin Elphinstone and Gernot Heiser Operating Systems Practical 12 November, 2014 OSP Lecture 6, L4 Microkernels 1/42 Contents Introduction and design principles Brief history of microkernels L4: Basic abstractions L4: Design and implementation choices Keywords Questions OSP Lecture 6, L4 Microkernels 2/42 Outline Introduction and design principles Brief history of microkernels L4: Basic abstractions L4: Design and implementation choices Keywords Questions OSP Lecture 6, L4 Microkernels 3/42 Context and terminology I Operating system I Kernel I Monolithic kernel I Microkernel OSP Lecture 6, L4 Microkernels 4/42 Operating system I abbrv. OS I Software (collection) to interface hardware with user I Components: I Kernel: Linux, FreeBSD, Windows NT, XNU, L4, ::: I Services/daemons: sysvinit, CUPS print server, udev, ::: I Utilities: ls, Windows Commander, top I Other applications OSP Lecture 6, L4 Microkernels 5/42 Kernel I Components directly interfacing with hardware I Examples? I \Core" of OS I No general definition of \core" OSP Lecture 6, L4 Microkernels 6/42 Monolithic vs. Micro-kernel Application Syscall User VFS "ode Uni File Server Device Server IPC, file system Application Driver Scheduler, virtual memory !ernel "ode Device drivers, dispatcher IPC, virtual memory IPC Hardware Hardware Source: http://www.cse.unsw.edu.au/ OSP Lecture 6, L4 Microkernels 7/42 Monolithic vs. Micro-kernel Monolithic kernel Microkernel I IPC, scheduling, I IPC, scheduling, memory management memory management I File systems I API closer to the I Drivers hardware I Higher-level API OSP Lecture 6, L4 Microkernels 8/42 Microkernel principles: minimality I If it's not critical, leave it out of the kernel I Pros: I Small code base I Easy to debug I Trusted Computing Base, feasible for formal verification I Cons: I Harder to find the \right" API design I Harder to optimize for high-performance OSP Lecture 6, L4 Microkernels 9/42 Microkernel principles: user-level services I Drivers, file systems, etc.
    [Show full text]