22 citations found.
Wilson Hsieh, Marc Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian Bershad. Language support for extensible operating systems. In Workshop on Compiler Support for System Software, pages 127--133, Tucson, AZ, February 1996.


This paper is cited in the following contexts:
Service Introduction in an Active Network - Wetherall (1999)   (16 citations)

....between different representations that can be accomplished with a cast in C requires object allocation, initialization and copying in Java. Other systems projects have extended high level languages with comparable facilities, for example, SPIN introduced the view construct into Modula 3 [ Hsieh et al. 1996 ] Another useful mechanism would be runtime support for array subsetting, which would enable regions of a buffer to be protected efficiently. These mismatches do not indicate tasks that cannot be accomplished in Java, but rather tasks that are not well supported. For example, introspection ....

Wilson Hsieh, Marc Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian Bershad. Language Support for Extensible Operating Systems. In Workshop on Compiler Support for System Software, February 1996.


Language Issues in Mobile Program Security - Volpano, Smith (1998)   (19 citations)

....mobile code. Some have been designed for use in executable content and others for use in agents [15, 34] Parallel efforts in extensible networks and operating systems have also focused attention on language design for mobility. These efforts include work on active networks [33, 38] the SPIN kernel [2, 17] and Exokernel [8] What these efforts have in common is a need for security. We can roughly separate security concerns in this setting into code security and host security. The former is concerned with protecting mobile code from untrusted hosts while the latter is concerned with protecting hosts ....

....a digital signature to executing untrusted code. It would also establish a computational lower bound on executing untrusted code using JDK1.1. Such properties are important in situations where you need guarantees against certain faults. An example is isolating execution behind trust boundaries [17]. access a dead address, access an address with an invalid offset, read an uninitialized address, or declare an empty or negative sized array. The first two errors are due to pointers in the language. Now one may expect the type system to detect the first error in which case our type ....

Wilson C. Hsieh, et al. Language support for extensible operating systems. Unpublished manuscript. Available at www-spin.cs.washington.edu., 1996.


A Sanctuary for Mobile Agents - Yee (1997)   (45 citations)

....concentrating on one side of the security issue: protecting the server from potentially malicious agents. Related work in downloadable executable content (Java [13] Software Fault Isolation [29] Proof Carrying Code [24, 25] OS extension mechanisms such as packet filters [21] type safe languages [9, 16], etc) all focus on this problem. The converse side of the agent security problem, however, is largely neglected and needs to be addressed: how do we protect agents from potentially malicious servers Why should we believe that the result returned by our software agents are actually correct and ....

Wilson C. Hsieh, Marc E. Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian N. Bershad. Language support for extensible operating systems. In Proceedings of the Workshop on Compiler Support for System Software, February 1996.


Towards Robust OSes for Appliances: A New Approach .. - Muller, Consel.. (2000)   (2 citations)

....performance. As shown by the Workplace project at IBM, a compromise cannot necessarily be reached [6] Recently, several research projects have aimed at developing extensible OSes [3, 5] Such OSes do not rely on hardware protection boundaries; instead, they use either strongly typed languages [11] or software fault isolation [23] Extensible kernels consist of fine grain components which enable low level functionalities to be exposed. This system architecture drastically improve code re use. Although extensible OSes provide an effective solution to code re use, they do not address expertise ....

W.C. Hsieh, Fiuczynski M.E., Garrett C., Savage S., Becker D., and Bershad B.N. Language support for extensible operating systems. In Workshop Record of WCSSS'96 -- The Inaugural Workshop on Compiler Support for Systems Software, pages 127--133, Tucson, AZ, USA, February 1996.


Towards Robust OSes for Appliances: A New Approach Based on.. - Muller, al. (2000)   (2 citations)

.... at IBM, a compromise cannot necessarily be reached [6] Recently, several research projects have aimed at developing extensible OSes [3, 5] Such OSes do not rely on hardware protection boundaries; instead, they use either strongly typed languages [10] or software fault isolation [22] Extensible kernels consist of fine grain components which enable low level functionalities to be exposed. This system architecture drastically improve code re use. Although extensible OSes provide an effective solution to code re use, they do not address ....

W.C. Hsieh, Fiuczynski M.E., Garrett C., Savage S., Becker D., and Bershad B.N. Language support for extensible operating systems. In Workshop Record of WCSSS'96 -- The Inaugural Workshop on Compiler Support for Systems Software, pages 127--133, Tucson, AZ, USA, February 1996.


Interposition as an Operating System Extension Mechanism - Ghormley, Rodrigues.. (1997)   (11 citations)

....because they are in the protected kernel region of the address space. There are a number of limitations to this approach: the kernel is not protected from malicious or faulty extension code and there is no support for user level development tools. Methods of protecting the kernel are well known [35, 26, 43, 41]. By supplying extensions with the same interface, whether at the user level or in the kernel, extensions can be safely developed at the user level and then inserted into the kernel. This enables development in a safe environment without sacrificing the potential for good performance. SLIC ....

....a number of kernel interfaces. These interfaces have been explicitly designed for extensibility, rather than enabling extensibility on existing interfaces, which SLIC supports. SPIN and VINO also aggressively focus on ensuring kernel protection from extensions, SPIN by using a type safe language [44, 26], and VINO through software fault isolation [50] and in kernel transactions [41] We assume trusted extensions. Interposition Agents [27] demonstrated that it is useful to construct interposition extensions in terms of the underlying abstractions of the interposed interface, rather than in terms ....

Wilson Hsieh, Marc Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian N. Bershad. Language support for extensible operating systems. In Proceedings of the Workshop on Compiler Support for System Software, February 1996.


An Anonymous Electronic Commerce Scheme with an.. - Domingo-Ferrer.. (1998)

....of the agent) Different solutions have been proposed to try to protect the agent from possible attacks from the servers ([9, 12, 1]) Another security problem is how to protect the servers from malicious agents. Related work can be found based on different approaches like type safe languages ([3, 8]) and proof-carrying code ([11]) among others. Although the usefulness of agents to buy or sell products on their owners' behalf is often pointed out, there exist few examples in the literature explicitly showing how this can be accomplished. In [10] the concept of intelligent trade agent (ITA) is ....

W. C. Hsieh, M. E. Fiuczynski, C. Garrett, S. Savage, D. Becker and B. N. Bershad, "Language support for extensible operating systems". In Proceedings of the Workshop on Compiler Support for System Software, Feb. 1996.


A Sanctuary for Mobile Agents - Yee (1997)   (45 citations)

....concentrating on one side of the security issue: protecting the server from potentially malicious agents. Related work in downloadable executable content (Java [7] Software Fault Isolation [19] Proof Carrying Code [16, 17] OS extension mechanisms such as packet filters [13] type safe languages [4, 9], etc) all focus on this problem. The converse side of the agent security problem, however, is largely neglected and needs to be addressed: how do we protect agents from potentially malicious servers Why should we believe that the result returned by our software agents are actually correct and ....

Wilson C. Hsieh, Marc E. Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian N. Bershad. Language support for extensible operating systems. In Proceedings of the Workshop on Compiler Support for System Software, February 1996.


Language Issues in Mobile Program Security - Volpano, Smith (1998)   (19 citations)

....code. Some have been designed for use in executable content and others for use in agents [15, 34] Parallel efforts in extensible networks and operating systems have also focused attention on language design for mobility. These efforts include work on active networks [33, 38] the SPIN kernel [2, 17] and Exokernel [8] What these efforts have in common is a need for security. We can roughly separate security concerns in this setting into code security and host security. The former is concerned with protecting mobile code from untrusted hosts while the latter is concerned with protecting ....

....a digital signature to executing untrusted code. It would also establish a computational lower bound on executing untrusted code using JDK1.1. Such properties are important in situations where you need guarantees against certain faults. An example is isolating execution behind trust boundaries [17]. access a dead address, access an address with an invalid offset, read an uninitialized address, or declare an empty or negative sized array. The first two errors are due to pointers in the language. Now one may expect the type system to detect the first error in which case our ....

Wilson C. Hsieh, et al. Language support for extensible operating systems. Unpublished manuscript. Available at www-spin.cs.washington.edu., 1996.


Automatic Management of Operating-System Resources - Shivers (1997)   (3 citations)

....provided by interrupt handlers in other programming languages are provided by an alternative mechanism which is modular and parallelisable. While other operating system and language designs have provided interfaces to OS resources from advanced languages, such as the Spin project's use of Modula 3 [Spin], or the Standard ML of New Jersey's interface to Posix [SML NJ] none of these systems have managed to exploit automatic storage management to manage the operating system's resources in this manner. Although we've considered Scheme and three different Unix resources as our examples, the ideas ....

Wilson Hsieh, Marc Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian Bershad. Language support for extensible operating systems. In Workshop on Compiler Support for System Software, February 1996. (Also available as URL http://www.cs.washington.edu/research/projects/spin/www/papers/WCS/language.ps)


Proof-Carrying Code - Necula, Lee (1996)   (549 citations)

....by any other means with which we are familiar. In particular, we show that PCC leads to faster and safer packet filters than previous approaches to code safety in systems software, including Berkeley Packet Filters [12] Software Fault Isolation [24] and programming in the safe subset of Modula 3 [1, 9, 17]. Although we have worked out many of the theoretical underpinnings for PCC (and indeed, most of the theory is based on old and well known principles from logic, type theory [4, 11] and formal verification [5, 6, 8] there are many difficult problems that remain to be solved before the approach ....

....of the four PCC packet filters and of functionally equivalent filters implemented using alternative approaches: the BSD Packet Filter architecture, Software Fault Isolation and programming in the safe subset of Modula 3. In our experiments with Modula 3 packet filters we use the VIEW extension [9] for pointer safe casting. The result of the measurements are shown in Figure 26. From a per packet latency point of view, the PCC packet filters outperform filters developed using any other considered approach. However, the PCC method has a startup cost significantly larger than the other ....

Hsieh, W. C., Fiuczynski, M. E., Garrett, C., Savage, S., Becker, D., and Bershad, B. N. Language support for extensible operating systems. In The Inaugural Workshop on Compiler Support for Systems Software (Feb. 1996), pp. 127--133.


SLIC: An Extensibility System for Commodity Operating.. - Ghormley, Rodrigues.. (1998)   (50 citations)

....region of the address space. There are a number of limitations to this approach: the kernel is not protected from malicious or faulty extension code and there is no support for user level development tools. A number of methods of protecting the kernel from extensions have been explored by others [34, 24, 41, 39, 31]. By supplying extensions with the same interface, whether at the user level or in the kernel, extensions can be safely developed at the user level and then inserted into the kernel. This enables development in a safe environment without sacrificing the potential for good performance. SLIC ....

....on a number of kernel interfaces, but have explicitly crafted those interfaces for extensibility, rather than enabling SLIC style extensibility on existing interfaces. SPIN and VINO also aggressively focus on ensuring kernel protection from untrusted extensions, SPIN by using a type safe language [42, 24], and VINO through software fault isolation [47] and in kernel transactions [39] SLIC assumes trusted extensions. Interposition Agents [25] demonstrated that it is useful to construct interposition extensions in terms of the high level abstractions of the interposed interface, rather than in ....

Wilson Hsieh, Marc Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian N. Bershad. Language support for extensible operating systems. In Proceedings of the Workshop on Compiler Support for System Software, February 1996.


SLIC: An Extensibility System for Commodity Operating.. - Ghormley, Petrou.. (1998)   (50 citations)

....faulty applications and are enforced on uncooperative applications. This feature enables extensions which manage shared resources and/or enforce security guarantees. Note that SLIC assumes that extensions are trusted. Other research efforts have addressed issues involved with untrusted extensions [45, 5, 18, 26, 29, 33]. Ease of Development: During development and testing, extension writers are able to use state of the art programming tools such as symbolic debuggers and performance analysis utilities. Efficiency: Once development is complete, extensions impose minimal overhead on the system. Per extension ....

....in concept to our work. Both offer extensibility through interposition on a number of kernel interfaces, but have explicitly crafted those interfaces for extensibility. SPIN and VINO also aggressively focus on ensuring kernel protection from untrusted extensions, SPIN by using a type safe language [35, 18], and VINO through software fault isolation [45] and in kernel transactions [33] In contrast, SLIC assumes trusted extensions and focuses on an evaluation of the technique of interposition and its suitability for legacy operating systems. Interposition Agents [20] demonstrated the usefulness of ....

Wilson Hsieh, Marc Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian N. Bershad. Language support for extensible operating systems. In Proceedings of the Workshop on Compiler Support for System Software, February 1996.


Safe Kernel Extensions Without Run-Time Checking - Necula, Lee (1996)   (254 citations)

....while maintaining or improving performance. In particular, we show that PCC leads to faster and safer packet filters than previous approaches to code safety in systems software, including Berkeley Packet Filters [12] Software Fault Isolation [23] and programming in the safe subset of Modula 3 [1, 9, 17]. Finally, we conclude with a discussion of the remaining difficulties and speculate on what might be necessary to make the approach work on a practical scale. ....

....of the four PCC packet filters and of functionally equivalent filters implemented using alternative approaches: the BSD Packet Filter architecture, Software Fault Isolation and programming in the safe subset of Modula 3. In our experiments with Modula 3 packet filters we use the VIEW extension [9] for pointer safe casting. The result of the measurements are shown in Figure 8. From a per packet latency point of view, the PCC packet filters outperform filters developed using any other considered approach. However, the PCC method has a startup cost significantly larger than the other ....

Hsieh, W. C., Fiuczynski, M. E., Garrett, C., Savage, S., Becker, D., and Bershad, B. N. Language support for extensible operating systems. In The Inaugural Workshop on Compiler Support for Systems Software (Feb. 1996), pp. 127--133.


A Sanctuary for Mobile Agents - Yee (1997)   (45 citations)

....been concentrating on one side of the security issue: protecting the server from potentially malicious agents. Related work in downloadable executable content (Java, Software Fault Isolation [14] Proof Carrying Code [12, 11] OS extension mechanisms such as packet filters [8] type safe languages [3, 6], etc) all focus on this problem. The converse side of the agent security problem, however, is largely neglected and needs to be addressed: how do we protect agents from potentially malicious servers Why should we believe that the result returned by our software agents are actually correct and ....

Wilson C. Hsieh, Marc E. Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian N. Bershad. Language support for extensible operating systems. In Proceedings of the Workshop on Compiler Support for System Software, February 1996.


System Call Support in an Extensible Operating System - Saito, Bershad (1999)   (2 citations)  Self-citation (Bershad)

No context found.

Wilson Hsieh, Marc Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian Bershad, `Language Support for Extensible Operating Systems', Proceedings of the 1996 Workshop on Compiler Support for System Software, February 1996.


SPINE: An Operating System for Intelligent Network Adapters - Fiuczynski (1998)   (13 citations)  Self-citation (Fiuczynski Bershad)

....code. In particular, a program cannot access or jump to arbitrary memory locations, and cannot use values in ways not prescribed by the language. As our type safe language we are using a version of Modula 3 1 that has been enhanced to support efficient, low level, systems code. Hsieh et al. [16, 17] describes these language enhancements in further detail. SPINE and its extensions use the following two Modula 3 language enhancements: type safe casting and isolation from untrusted code. The former allows data created outside of the language to be given a Modula 3 1 Although Modula 3 [15] is ....

W.C. Hsieh, M.E. Fiuczynski, C. Garrett, S. Savage, D. Becker and B.N. Bershad. "Language Support for Extensible Operating Systems." In Proceedings of the First Workshop on Compiler Support for System Software. 1996.


Access Control in Extensible Systems - Grimm, Bershad (1997)   Self-citation (Bershad)

....validation and for easy transfer to other systems. Third, the implementation should be fast to impose as little performance overhead as possible. 4.1 Structure and Interfaces In SPIN, a statically linked core provides the most basic services, including hardware support, the Modula 3 runtime [39, 20], the linker loader [38] threads and the event dispatcher [32] All other services, including networking and file system support, are provided by dynamically linked extensions. Services in the static core are trusted and, if they misbehave, can undermine the security of the system (and also crash ....

Wilson C. Hsieh, Marc E. Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian N. Bershad. Language Support for Extensible Operating Systems. Workshop on Compiler Support for System Software, February 1996.


Providing Policy-Neutral and Transparent Access Control in.. - Grimm, Bershad (1998)   (14 citations)  Self-citation (Bershad)

....and well structured to allow for validation and for easy transfer to other systems. Third, the implementation should be fast to impose as little performance overhead as possible. In SPIN, a statically linked core provides most basic services, including hardware support, the Modula 3 runtime [39, 18], the linker loader [38] threads, and the event dispatcher [32] All other services, including networking and file system support, are provided by dynamically linked extensions. We have implemented the basic abstractions of our access control mechanism, such as security identifiers and access ....

W. C. Hsieh, M. E. Fiuczynski, C. Garrett, S. Savage, D. Becker, and B. N. Bershad. Language Support for Extensible Operating Systems. In Proceedings of the Workshop on Compiler Support for System Software, pages 127--133, Tucson, Arizona, February 1996.


Safe Programming at the C Level of Abstraction - Grossman (2003)

No context found.

Wilson Hsieh, Marc Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian Bershad. Language support for extensible operating systems. In Workshop on Compiler Support for System Software, pages 127--133, Tucson, AZ, February 1996.


Efficient, Protected Extension of Commodity Operating Systems - Ghormley (1998)

No context found.

Wilson Hsieh, Marc Fiuczynski, Charles Garrett, Stefan Savage, David Becker, and Brian N. Bershad. Language support for extensible operating systems. In Proceedings of the Workshop on Compiler Support for System Software, February 1996.


A Case for Language-Based Protection - Hawblitzel, von Eicken (1998)   (9 citations)

No context found.

W. C. Hsieh, M. Fiuczynski, C. Garrett, S. Savage, D. Becker, and B. N. Bershad. Language Support for Extensible Operating Systems. First Workshop on Compiler Support for System Software, Tucson, AZ, February 1996.


CiteSeer.IST - Copyright Penn State and NEC