Trent Jaeger, Kevin Elphinstone, Jochen Liedtke, Vsevolod Panteleenko, and Yoonho Park. Flexible access control using IPC redirection. In 7th Workshop on Hot Topics in Operating Systems, Rio Rico, Arizona, March 1999.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....latency of thread migrating IPC is low enough that applications can be factored into multiple protection domains, each encapsulated by a process boundary and selectively linked by protected, IPC based communication. Domain based isolation is an essential building block for high assurance systems [19, 33, 29, 5, 12, 31]. At least one commercial system has been constructed using this approach to domain enforcement [11] Selected denial of service attacks against the L4 microkernel and its servers (including several re examined here) have been briefly examined in the literature [22] This paper provides an ....

....applications to accept the complexity of multithreading, has unfortunate implications for resource consumption, and does not address the problem of session establishment for such services. An experimental design modification by Jaeger has proposed a capability like IPC redirection mechanism [12] that provides access control and renders the recipient identity opaque. This design has not yet been incorporated into the L4 specification, but is expected to add between 20 (typical) and 50 to the cost of an L4 IPC operation. The timeout mechanism mitigates certain low cost denial of service ....

T. Jaeger, K. Elphinstone, J. Liedtke, V. Panteleenko, and Y. Park. Flexible access control using IPC redirection. In Proc. 7th Workshop on Hot Topics in Operating Systems, pages 191--196. IEEE, Mar. 1999.

....using the clans and chiefs mechanism [4] potentially leading to costly message redirects through chief tasks. Currently, this is not a problem because on all L4 systems we know of, the device drivers run within the root clan anyway, and in the future the mechanism set to replace clans and chiefs [2] will provide an efficient solution. Finally, Omega0 may fail to notice when a driver thread is deleted, preventing new attachments to IRQs forever. This problem is closely related to rights management: How does Omega0 determine if an IRQ attachment request that possibly conflicts with ....

....discussed two possible policies and how they could be implemented on the x86 platform. In the near future, we envision further refinements and first implementations of this interface. An important precondition is an implementation of the IPC redirection and access control framework presented in [2]. A number of important topics relevant to this work must be investigated in future work: How can the interrupt related L4 kernel interfaces be improved How should access rights and name service be managed How does Omega0 learn of clients that have disappeared Acknowledgements We would like ....

Trent Jaeger, Kevin Elphinstone, Jochen Liedtke, Vsevolod Panteleenko, and Yoonho Park. Flexible access control using IPC redirection. In 7th Workshop on Hot Topics in Operating Systems (HotOS), Rio Rico, Arizona, March 1999.

....may invoke any other process. If required, access controls must be implemented by an intervening process known as a chief, doubling the cost of an authenticated IPC. The most recent iteration of Lava (the L4 successor) incorporates an IPC redirection mechanism that is very similar to capabilities [24]. Even in the newest implementation, however, capabilities are not transferable. Transferring an authority from one process to another requires interaction with the indirection table manager. L3 is also persistent [31] but lacks an equivalent to the EROS KeyKOS consistency check. Its checkpoint ....

T. Jaeger, K. Elphinstone, J. Liedtke, V. Panteleenko, and Y. Park. Flexible access control using IPC redirection. In Proc. 7th Workshop on Hot Topics in Operating Systems, pages 191--196. IEEE, Mar. 1999.

No context found.

Trent Jaeger, Kevin Elphinstone, Jochen Liedtke, Vsevolod Panteleenko, and Yoonho Park. Flexible access control using IPC redirection. In 7th Workshop on Hot Topics in Operating Systems, Rio Rico, Arizona, March 1999.

No context found.

Trent Jaeger, Kevin Elphinstone, Jochen Liedtke, Vsevolod Panteleenko, and Yoonho Park. Flexible access control using IPC redirection. In 7th Workshop on Hot Topics in Operating Systems, Rio Rico, Arizona, March 1999.

No context found.

T. Jaeger et al. Flexible access control using IPC redirection. In Proc. 7th HotOS, 1999.

....mapping without using IPC. This is not directly relevant for protection because the new mapping can be derived only from resources already present in either B s or G s address space; however, it can be used to circumvent IPC based control mechanisms such as Clans and Chiefs [31] or IPC redirection [24] when they are used to monitor or to restrict communication [25] This problem could be solved by handling re imported mappings as if they were established using IPC, i.e. by submitting them to the monitor for inspection. Another option would be to replace the system global threadIDs with a local ....

Trent Jaeger, Kevin Elphinstone, Jochen Liedtke, Vsevolod Panteleenko, and Yoonho Park. Flexible access control using IPC redirection. In Proceedings of the seventh Workshop on Hot Topics in Operating Systems, Mar 1999.

No context found.

T. Jaeger, K. Elphinstone, J. Liedtke, V. Panteleenko, and Y. Park. Flexible access control using ipc redirection. In Hot Topics in Operating Systems (HotOS VII), Rio Rico, AZ, March 1999.

.... redirection of source IPCs using its portals to implement customized IPC, but the redirection is not transparent to the destination because it sees that the message is from the redirected task, not the original source [2] Other IPC mechanisms, such as Clans Chiefs [6] and IPC Redirection [3], enable monitors to intercept and forward IPCs while claiming to be the original source of the IPC. Thus, the destination receives the IPC from the source, not the monitor, so it need not know that an IPC is being monitored. Unfortunately, such mechanisms are not truly transparent because the ....

....Figure 1: Monitors may be inserted by the source, destination, or system. Source and destination monitors are adjacent to the those tasks are viewed as extensions of the source and destination by the system. 2. 2 Changing Source Destination In the Clans Chiefs [6] and IPC redirection mechanisms [3], it is possible, within some restrictions, for a monitor to redirect an IPC to another destination or change the identity of the source from which the destination receives the IPC. Regardless of these changes, synchronous IPC is defined with respect to the original source. Therefore, the original ....

[Article contains additional citation context not shown here]

T. Jaeger, K. Elphinstone, J. Liedtke, V. Panteleenko, and Y. Park. Flexible access control using IPC redirection. In Proceedings of the 7th Workshop on Hot Topics in Operating Systems, 1999.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC