5 citations found.
Jonathan S. Shapiro and Sam Weber. Verifying Operating System Security. Department of Computer and Information Science Technical Report MS-CIS-97-26, Forthcoming.


This paper is cited in the following contexts:
EROS: A Capability System - Shapiro, Smith, Farber (1997)   (2 citations)  Self-citation (Shapiro)

....earlier capability system from which the EROS architecture is derived [Har85] Originally constructed for the IBM 370, and later ported to the Motorola 88000 family, KeyKOS delivered performance roughly equivalent to that of Mach 2.5 [Bom92] In addition to formal underpinnings described elsewhere [Sha97], EROS brings the performance of the architecture into line with that of more aggressive systems such as L4. 9.2 Mach 4.0 Bryan Ford has given considerable attention to the problem of IPC performance in Mach, and has shown that it can be substantially improved MACH4:Migrating. For dekernelized ....

Jonathan S. Shapiro and Sam Weber. Verifying Operating System Security. Department of Computer and Information Science Technical Report MS-CIS-97-26, Forthcoming.


A Family of Securable Protection Systems - Shapiro, Weber (1998)   Self-citation (Shapiro)

.... [Har85, Bom92] It has been used to process VISA transactions, and exhibits unusual stability in this class of applications [Lan93] EROS, a research system at the University of Pennsylvania, has shown that the performance of capability systems can match that of access list based architectures [Sha97a, Sha96c]. 2 Naming and Access Rights Metagap e describes a family of capability systems. A capability is a pair (o; r) consisting of an object descriptor o (a name) and a set of access rights r (Figure 1: A capability) [Den66] Any program that possesses a ....

....not, the transmitted rights do not increase potential information flow or integrity exposure. In KeyKOS [Har85] the issue does not arise due to type partitioning; all objects reachable by traversal contain data only, so the issue of access right transmission in this fashion does not arise. EROS [Sha97a] does permit capability pages as the result of a traversal. In practice this has not been a problem, since data writes and capability writes are prohibited under identical conditions in all subsystems implemented to date. With this said, it should be acknowledged that the combination of the ....

Jonathan S. Shapiro. EROS: A Capability System. Department of Computer and Information Science Technical Report MS-CIS-97-04, University of Pennsylvania, 1997.


Constructing a Language for Security and Safe Execution - Weber, Shapiro   Self-citation (Shapiro Weber Systems)

....that it can reach via a sequence of references. This is rather a weak basis for security, however, because possession of a reference confers both the ability to read and write that location. A key observation of this paper is that capabilities [Den66] as used in such operating systems as EROS [Sha97a, Sha97b, Sha98] and KeyKOS [Har85] are similar in nature to references in programming languages. The essential difference is that capabilities allow one to restrict the manner in which the holder of the capability is permitted to use that capability. We therefore propose a new programming language construct: ....

J. S. Shapiro, S. Weber. A Family of Securable Protection Systems. Department of Computer and Information Science Technical Report MS-CIS-98-18, University of Pennsylvania, 1998.


Constructing a Language for Security and Safe Execution - Weber, Shapiro   Self-citation (Shapiro)

....that it can reach via a sequence of references. This is rather a weak basis for security, however, because possession of a reference confers both the ability to read and write that location. A key observation of this paper is that capabilities [Den66] as used in such operating systems as EROS [Sha97a, Sha97b, Sha98] and KeyKOS [Har85] are similar in nature to references in programming languages. The essential difference is that capabilities allow one to restrict the manner in which the holder of the capability is permitted to use that capability. We therefore propose a new programming language construct: ....

Jonathan S. Shapiro. EROS: A Capability System. Department of Computer and Information Science Technical Report MS-CIS-97-04, University of Pennsylvania, 1997.


EROS: A Capability System - Shapiro, Smith, Farber (1997)   (2 citations)  Self-citation (Shapiro)

....earlier capability system from which the EROS architecture is derived [Har85] Originally constructed for the IBM 370, and later ported to the Motorola 88000 family, KeyKOS delivered performance roughly equivalent to that of Mach 2.5 [Bom92] In addition to formal underpinnings described elsewhere [Sha97], EROS brings the performance of the architecture into line with that of more aggressive systems such as L4. 9.2 Mach 4.0 Bryan Ford has given considerable attention to the problem of IPC performance in Mach, and has shown that it can be substantially improved MACH4:Migrating. For dekernelized ....

Jonathan S. Shapiro and Sam Weber. Verifying Operating System Security. Department of Computer and Information Science Technical Report MS-CIS-97-26, Forthcoming.


CiteSeer.IST - Copyright Penn State and NEC