| Engler, D. R., Kaashoek, M. F., and O'Toole, J. W. The Operating System Kernel as a Secure Programmable Machine. MIT Technical Report, 1994. |
....as a basis [Sch75]. An essential presumption of the security arguments for these designs was that the system layers underpinning the operating system, whether hardware, firmware, or both, were trusted. We find it surprising, given the great attention paid to operating system security [MBD89, EKO94] over the years, that so little attention has been paid to the underpinnings required for secure operation, e.g. a secure bootstrapping phase for these operating systems. In effect, these secure systems were operating in an environment that was established by unsecure software. Over the ....
Dawson R. Engler, M. Frans Kaashoek, and James W. O'Toole. The operating system kernel as a secure programmable machine. In Proceedings of the Sixth SIGOPS European Workshop, pages 62--67, September 1994.
....functionalities and performance for the application. These services come with applications and are loaded when the applications need them. This requires a modular design of the RTOS. To provide modularity and performance, operating system kernels should have only minimal embedded functionality [3]. Our primary motivation is to allow all kernel components to be updated at runtime on a heterogeneous multiprocessor architecture, which was not addressed in the previous work [2,3,4]. The approach presented here can ease RTOS management by omitting a reboot of the system each time a kernel ....
.... To provide modularity and performance, operating system kernels should have only minimal embedded functionality [3]. Our primary motivation is to allow all kernel components to be updated at runtime on a heterogeneous multiprocessor architecture, which was not addressed in the previous work [2,3,4]. The approach presented here can ease RTOS management by omitting a reboot of the system each time a kernel update occurs. All kernel components are modular and can be dynamically loaded and unloaded as needed. For example, a fixed priority-based scheduler can be updated to an earliest deadline ....
D. R. Engler, M. F. Kaashoek, and J. W. O'Toole Jr., "The operating system kernel as a secure programmable machine," Operating Systems Review, Jan. 1995, pp. 78-82.
....be eliminated by redirecting call sites to the new function. This technique is explored in Chapter 8. Dynamic kernel instrumentation may also be used to change kernel functionality, such as installing a process-specific version of a kernel resource management routine. Extensible operating systems [10, 11, 21, 35, 36, 47] have focused on this subject. It is worthwhile to note that dynamic instrumentation can provide a similar operation in a commodity kernel by splicing the following code at the appropriate kernel policy function: if the current pid equals some pid, then jump to the customized version, else fall through. ....
....locations where kernel code can be inserted, can be almost any machine code instruction within the kernel. Runs on a commodity kernel. This enables instrumentation under real-world workloads. It is worthwhile to note that much recent operating system research has taken place on custom kernels [10, 11, 21, 34, 35, 36, 37, 47, 59, 61, 62, 68, 73, 74, 75, 81, 82, 83, 84]; this dissertation shows that run-time instrumentation is feasible on a commodity kernel. Runs on an unmodified kernel. This contribution is important, because requiring a modified or somehow customized kernel, even an otherwise commodity one, would likely preclude an instrumentation tool's ....
D.R. Engler, M.F. Kaashoek, and J.W. O'Toole, Jr. The Operating System Kernel as a Secure Programmable Machine. 6th ACM SIGOPS European Workshop, Dagstuhl Castle, Germany, September 1994.
....allowed, since such access would eliminate many system calls. An alternative optimization is to have the kernel execute user code. Since Orca is a type-secure language, it is possible to have the kernel execute operations on shared objects in a secure way. Several groups are working on this idea [17, 8]. Acknowledgements Raoul Bhoedjang implemented parts of the Orca runtime system and Panda RPC. Tim Rühl also implemented parts of Panda RPC and the Panda system layer. Rutger Hofman implemented Panda's broadcast protocol, and helped in analyzing its performance characteristics. Ceriel Jacobs ....
D. Engler, M.F. Kaashoek, and J. O'Toole. The Operating System Kernel as a Secure Programmable Machine. In Proceedings of the 6th SIGOPS European Workshop, Wadern, Germany, September 1994. ACM SIGOPS.
....but not for many database applications that scan their data sequentially. Lately, some researchers have proposed that the kernel should shed not only policies but also the abstractions over physical resources, while retaining only the minimal control needed to ensure protected allocation [EKO94]. Other benefits of keeping system services outside the kernel are well known. Servers from third-party vendors can be installed as desired after the kernel is in place. In fact, multiple APIs may be provided by different servers on the same machine. In a network of computers, the servers can be ....
Dawson R. Engler, M. Frans Kaashoek, and James O'Toole. The operating system kernel as a secure programmable machine. Proceedings of the Sixth SIGOPS European Workshop, September 1994.
....access to management primitives. This approach has been used for individual resources, such as the network [Mogul et al. 87] and virtual memory [Lee et al. 94]. This technique is just now being investigated as an architecture for entire operating systems in SPIN [Bershad et al. 94] and Aegis [Engler et al. 94], among others. 2.5 Virtual memory replacement policies Before data can be fetched from backing storage, the virtual memory system must decide into which page frame to store the data. When free frames are exhausted, a page replacement policy is used to choose which frames to reuse. The ....
Dawson Engler, M. Frans Kaashoek, and James O'Toole. The Operating System Kernel as a Secure Programmable Machine. In Proceedings of the 6th SIGOPS European Workshop, Germany, September 1994.
....the size of a microkernel and the time needed to run non-application code 3. Proposed Architecture Currently, there are many ongoing research projects trying to solve the problems that have arisen with the first-generation microkernels. Among the most impressive ones could be listed Exokernel ([5], [8]), Cache Kernel ([2], [6]), L3/L4 ([1], [7]), Fluke ([11]) and SPIN ([4], [9]). They all take completely different approaches to the problem. From the perspective of the abstraction provided, they can be classified into three groups: no-abstraction systems (Exokernel), minimal-abstraction ....
....[9]). They all take completely different approaches to the problem. From the perspective of the abstraction provided, they can be classified into three groups: no-abstraction systems (Exokernel), minimal-abstraction systems (L3, Fluke, Cache Kernel), and meta-abstraction systems (SPIN). Exokernel's ([5], [8]) main role (as a no-abstraction system) is to multiplex access to the sole hardware, thus allowing the applications to view the machine the way they prefer, without any compromises. On the other hand, the meta-abstraction approach provides a way to describe the abstraction of the system viewed ....
Engler, D.R., Kaashoek, M.F., O'Toole, J.W. Jr.: The Operating System Kernel as a Secure Programmable Machine. Operating System Review, January 1995, pp. 78-82
....deal with special but infrequent cases. In fact, this could be done as well on top of a pure µ-kernel by means of according pagers. (Kernel data structures, e.g. thread control blocks, could be held in virtual memory in the same way as other data.) Exokernel. In contrast to Spin, the Exokernel [Engler et al. 1994; Engler et al. 1995] is a small and hardware-dependent µ-kernel. In accordance with our processor dependency thesis, the exokernel is tailored to the R2000 and gets excellent performance values for its primitives. In contrast to our approach, it is based on the philosophy that a kernel should not ....
Engler, D., Kaashoek, M. F., and O'Toole, J. 1994. The operating system kernel as a secure programmable machine. In 6th SIGOPS European Workshop, Schloß Dagstuhl, Germany, pp. 62--67.
....Once the code has been checked, the kernel can compile it to machine code and install it. It can then call this code to perform the relevant tests and transformations and then interpret the results, without actually having to know what is being tested or what the format of the original data was [12]. The real power of downloaded code is, however, not speed, but the ability to delegate management from the kernel to application code even in situations where the kernel cannot trust the application: downloaded code can be checked, and execution times and access can be bounded at download time. This ....
D. R. Engler, M. F. Kaashoek, and J. O'Toole. The operating system kernel as a secure programmable machine. In Proceedings of the Sixth SIGOPS European Workshop, pages 62-- 67, September 1994.
....switching in the AK is time consuming, as it will call IPC functions many times and need to load and unload many kernel object descriptors. Their design is adequate for embedded systems, but not for general-purpose, memory-intensive applications. Other developing systems, the SPIN [3], Exokernel [11] and VINO kernel [23], have the ability to export the memory caching management to user applications. Specific applications can dynamically load the executable object codes into the operating system kernel to tailor the system service to match their needs. The system safety is based on the advanced ....
D. R. Engler, M. F. Kaashoek, J. W. O'Toole Jr., 'The Operating System Kernel as a Secure Programmable Machine', ACM Operating Systems Review, 29, (1), 78-82 (1995).
....not actually distributed and is not transparently multiplexing both local and remote resources. A major drawback of current distributed operating systems is their lack of adaptability. It is known that adaptability can be achieved using a minimal kernel as a foundation for the operating system [EKO96, CD94, BSP 97, FHL 96]. If the kernel is centralized, adaptation of system services for particular requirements may harm the distribution of those services. Because they are distributed on top of the kernel, this distribution is not supported by the kernel itself. User extensions may ....
D. Engler, M. F. Kaashoek, and J. O'Toole. The Operating System Kernel as a Secure Programmable Machine. In Proc. of the 6th SIGOPS European Workshop, pages 62-67, Wadern, Germany, Sept. 1996. ACM SIGOPS.
....abstractions [5]. The idea of omitting the high-level abstractions and their implementations from the kernel originates from the facts that the easiest kernel primitive to extend is the one that is not there, and the most efficient, reliable, and extensible OS abstraction is the one that is not there [2,4]. One of the main goals of the exokernel is to allow customization. This feature is essential in an operating system for several reasons. First, customization allows specialized policies for given hardware configurations, which enables applications to advance with hardware technologies. Second, ....
D. R. Engler, M. F. Kaashoek and J. W. O'Toole Jr. The Operating System Kernel as a Secure Programmable Machine. In the proceedings of the Sixth SIGOPS European Workshop, 1994. [http://www.amsterdam.lcs.mit.edu/PDOS-papers.html/papers/osrexo.ps]
....its own and only hardware, even in the cases where microkernels at different nodes cooperate. A major drawback of current distributed operating systems is their lack of adaptability. It is known that adaptability can be achieved using a minimal microkernel as a foundation for the operating system [7][6][4][11]. If the microkernel used is centralized, adaptation of system services for particular requirements may harm the distribution of those services, because they are distributed on top of the microkernel and their distribution is not supported by the microkernel itself. The reason is that ....
....with consequent efficiency and simplicity benefits. This harms applications using system distribution, but not in the way the system provides it. • The microkernel abstractions are usually heavyweight. This leads to poor reliability, adaptability, performance and flexibility, as it is said in [7]. The addition of yet another layer of abstraction only makes things even worse in this respect. In many cases specific or low-level abstractions must be implemented using more generic or upper-level ones; Distributed Shared Memory systems usually do this [15]. We name this phenomenon abstraction ....
D. Engler, M. F. Kaashoek, and J. O'Toole. The operating systems kernel as a secure programmable machine. In Proc. of the 6th SIGOPS European Workshop, pages 62--67, Wadern, Germany, Sept 1994. ACM SIGOPS.
....limiting the range of possible extensions. Second, the interface between the language's programming environment and the rest of the system is generally narrow, making system integration difficult. Finally, interpretation overhead may be a limiting factor to performance. Several projects [Luc94, EKO94, SS94] are exploring the use of software fault isolation [WLAG93] to allow application code, written in any language, to be linked into the kernel's virtual address space. Software fault isolation relies on a binary rewriting tool that inserts explicit checks on memory references and branch ....
....colocation mechanism for relatively large code and data segments, but it is not clear if the mechanism is appropriate for systems with fine-grained sharing. Researchers at MIT are building a microkernel that exports fine-grained hardware services, such as TLB management, directly to applications [EKO94]. The system uses a combination of techniques, including software fault isolation, code inspection, type safety, and probabilistic capabilities, to provide low-latency access to hardware resources. Unlike the SPIN kernel, which provides extension-oriented facilities for logical protection domains ....
Dawson Engler, M. Frans Kaashoek, and James O'Toole. The Operating System Kernel as a Secure Programmable Machine. In Proceedings of the 1994 European SIGOPS Workshop, September 1994.
....environment as a basis [20]. An essential presumption of the security arguments for these designs was that the system layers underpinning the operating system, whether hardware, firmware, or both, are trusted. We find it surprising, given the great attention paid to operating system security [13][8], that so little attention has been paid to the underpinnings required for secure operation, e.g. a secure bootstrapping phase for these operating systems. Without such a secure bootstrap the operating system kernel cannot be trusted, since it is invoked by an untrusted process. Designers of ....
Engler, D. R., Kaashoek, M. F., and Jr., J. W. O. The operating system kernel as a secure programmable machine. In Proceedings of the Sixth SIGOPS European Workshop (September 1994), pp. 62--67.
....we propose is simple: complete elimination of operating system abstractions by lowering the operating system interface to the hardware level. 1 Introduction Throughout the history of computer science there has been a fairly constant opinion that current operating systems are inadequate [4, 7, 9, 11, 15, 18]. The literature is rife with specific examples that describe the cost of the inappropriate, inefficient abstractions peddled by operating systems [2, 4, 12, 13, 18, 23, 24]. This situation has persisted for the last three decades, and has survived numerous assaults (object-oriented operating ....
.... propagation is done in a direct manner by (perhaps) saving a few scratch registers in some agreed-upon location in application space and then jumping to an application-specified PC address [24]. Of course, all of these operations can be sped up by downloading application code into the kernel [4, 9] or using a software TLB [14, 3] to cache translations. These implementation techniques aside, the full functionality provided by the underlying hardware should be exposed (e.g. reference bits, the ability to disable caching on a per-page basis, the ability to use different page sizes, etc. ....
D. R. Engler, M. F. Kaashoek, and J. O'Toole. The operating system kernel as a secure programmable machine. In Proceedings of the Sixth SIGOPS European Workshop, September 1994.
No context found.
D. R. Engler, M. F. Kaashoek, and J. W. O'Toole Jr. The operating system kernel as a secure programmable machine. In Proceedings of the Sixth SIGOPS European Workshop: Matching Operating Systems to Application Needs, 1994.
....Acknowledgments The exokernel project has been the work of many people. The basic principles of Chapter 2 and the Aegis implementation come from a paper [25] written jointly with Frans Kaashoek and James O'Toole (which descended from my master's thesis, done under Kaashoek, with ideas initiated by [26, 27]). In contrast to Aegis, Xok has been written largely by others. Dave Mazieres implemented the initial Xok kernel. Thomas Pinckney, Russell Hunt, Greg Ganger, Frans Kaashoek, and Hector Briceno further developed Xok and made ExOS into a real Unix system. Greg Ganger designed and implemented C-FFS ....
D. R. Engler, M. F. Kaashoek, and J. O'Toole. The operating system kernel as a secure programmable machine. In Operating systems review, January 1995.
....The advantages of downloading code are that potentially expensive crossings can be avoided and that this code can run without requiring the application itself to be scheduled. Type-safe languages [9, 75], interpretation, and sandboxing [89] can be used to execute untrusted application code safely [26]. 2.6 Methodology Discussion "You can't learn too soon that the most useful thing about a principle is that it can always be sacrificed to expediency." W. Somerset Maugham (1874-1965) Stylistically, exokernel design consists of two different activities: giving applications control of ....
D. R. Engler, M. F. Kaashoek, and J. O'Toole. The operating system kernel as a secure programmable machine. In Proceedings of the Sixth SIGOPS European Workshop, pages 62--67, September 1994.
....a microkernel-based operating system. However, our techniques can be applied to other operating system organizations, such as large single-address-space systems [6] and systems with software segmentation [24]. Furthermore, with the current emphasis on application-controlled resource management [2, 10], our prefetching techniques could become even more effective, since the prefetching strategy can be tailored for individual applications. Prefetching can also be integrated with other VM functions such as prefetching cache entries. Section 2 presents some background material on page table ....
D. Engler, M. F. Kaashoek, and J. O'Toole. The operating system kernel as a secure programmable machine. In Proceedings of the 6th European SIGOPS Workshop, Germany, September 1994.
No context found.
Engler, D. R., Kaashoek, M. F., and O'Toole, J. W. The Operating System Kernel as a Secure Programmable Machine. MIT Technical Report, 1994.
No context found.
D.R. Engler, M.F. Kaashoek, and J. O'Toole, "The Operating System Kernel as a Secure Programmable Machine," Operating Systems Review, Vol. 29, No. 1, January 1995, pp. 78-82. Available at http://www.pdos.lcs.mit.edu/~engler/xsigops.ps
No context found.
D. R. Engler, M. F. Kaashoek, and J. W. O'Toole. The Operating System Kernel as a Secure Programmable Machine. In Proceedings of the Sixth SIGOPS European Workshop, pages 62--67, September 1994.
No context found.
ENGLER, D., KAASHOEK, M. & O'TOOLE, J., The Operating System Kernel as a Secure Programmable Machine, In: Proceedings of the Sixth SIGOPS European Workshop, September 1994.
No context found.
Engler, D., Kaashoek, M.F., & O'Toole, J. 1994. The Operating System Kernel as a Secure Programmable Machine. Pages 62--67 of: Proceedings of the Sixth ACM SIGOPS European Workshop.