From imagination to impact
|
|
- Marylou Blair
- 6 years ago
- Views:
Transcription
1 From imagination to impact
2 Kernel Design for Isolation an Assurance of Physical Memory Dhammika Elkauwe Philip Derrin Kevin Elphinstone
3 Embee Systems Increasing functionality Increasing software complexity Millions of lines of coe Mutually untruste SW venors Consoliate functionality Connectivity Attacks from outsie No longer close systems Downloa SW IIES08/seL4 1
4 Embee Systems Diverse applications Real-time Vs. best effort Tight resource bugets Mission/life- critical applications Sensitive information Reliability is paramount IIES08/seL4 2
5 Small Kernel Approach Smaller, more trustworthy founation Hypervisor, microkernel, isolation kernel,.. Facilitate controlle integration an isolation Isolate: fault isolation, iversity Untruste Sensitive Sensitive Sensitive Sensitive Integrate: performance Linux Server Device Driver Device Driver Device Driver Supervisor Small kernel (e.g. Microkernel) Harware IIES08/seL4 3A
6 Small Kernel Approach Smaller, more trustworthy founation Hypervisor, microkernel, isolation kernel,.. Facilitate controlle integration an isolation Isolate: fault isolation, iversity Untruste Sensitive Sensitive Sensitive Sensitive Integrate: performance Linux Server Device Driver Device Driver Device Driver Microkernel shoul: Provie sufficient API Correct realisation of API Ahere to isolation/integration requirements of the system Supervisor Small kernel (e.g. Microkernel) Harware IIES08/seL4 3
7 Issue Kernel consumes resources Machine cycles Physical memory (kernel metaata) Example: threas threa control block, Untruste Sensitive Sensitive Sensitive Sensitive aress space page-tables bookkeeping to reclaim memory Linux Server Device Driver Device Driver Device Driver Supervisor P T Microkernel P T IIES08/seL4 4
8 Possible Approaches How o we manage kernel metaata? Cache like behaviour [ER,Cache kernel, HiStart..] No preictability, limite RT applicability Static allocations Works for static systems Dynamic systems: overcommit or fail uner heavy loa Domain specific kernel moifications? Linux Server Untruste Device Driver Supervisor Sensitive Sensitive Sensitive Sensitive Device Driver Device Driver P T Microkernel P T IIES08/seL4 5
9 Moifie Verifie L4.Verifie project: Formally verify the implementation correctness of the kernel Properties: Isolation, information flow... Formal refinement Formally connect the properties with the kernel implementation Mathematically proven properties Abstract Moel Property preserving refinement C Coe HW IIES08/seL4 6A
10 Moifie Verifie L4.Verifie project: Formally verify the implementation correctness of the kernel Properties: Isolation, information flow... Formal refinement Formally connect the properties with the kernel implementation Mathematically proven properties Abstract Moel Property preserving refinement C Coe HW IIES08/seL4 6
11 Moifie Verifie L4.Verifie project: Formally verify the implementation correctness of the kernel Properties: Isolation, information flow... Formal refinement Formally connect the properties with the kernel implementation Moifications invaliate refinement Verification is labour intensive 10K C-lines = 100K proof lines (1 st refinement) Memory management is core functionality Mathematically proven properties Abstract Moel C Coe Property preserving refinement HW IIES08/seL4 6C
12 Approach in a nutshell Truste Kernel heap... supervisory sel4 Microkernel No implicit allocations within the kernel No heap, no slab allocation etc.. All abstractions are provie by first-class kernel objects Threas object Aress space Page table objects All objects are create upon explicit user request IIES08/seL4 7
13 Memory Management Moel Truste... No implicit allocations within the kernel Physical memory is ivie into untype objects Authority conferre via capabilities supervisory Untype capability is sufficient authority to allocate kernel objects Kernel Coe sel4 Microkernel untype object1 untype object2.. untype object n All abstractions are provie via first class kernel objects Allocate on explicit user request Creator gets the full authority Distribute capabilities to allow other access the service IIES08/seL4 8A
14 Memory Management Moel Truste Kernel Coe... supervisory sel4 Microkernel Kernel objects Untype untype object2 (Threa Control locks) Capability tables (CT) Comm. ports..... untype object n No implicit allocations within the kernel Physical memory is ivie into untype objects Authority conferre via capabilities Untype capability is sufficient authority to allocate kernel objects All abstractions are provie via first class kernel objects Allocate on explicit user request Creator gets the full authority Distribute capabilities to allow other access the service IIES08/seL4 8
15 Memory Management Moel Truste Kernel Coe... supervisory sel4 Microkernel Kernel objects Untype PT PT (Threa Control locks) Capability tables (CT) Comm. ports... Objects are manage by user-level.. untype object n No implicit allocations within the kernel Physical memory is ivie into untype objects Authority conferre via capabilities Untype capability is sufficient authority to allocate kernel objects All abstractions are provie via first class kernel objects Allocate on explicit user request Creator gets the full authority Distribute capabilities to allow other access the service IIES08/seL4 8C
16 Memory Management Moel... Truste... Delegate authority Allow others to obtain services Delegate resource management Kernel Coe supervisory Microkernel untype object2.. untype object n Memory management policy is completely in user-space Isolation of physical memory = Isolation of authority (capabilities) Capability issemination is controlle by a Take-Grant like protection moel IIES08/seL4 8D
17 Memory Management Moel... Truste... De-allocation upon explicit user request Call revoke on the Untype capability Memory can be reuse supervisory Kernel tracks capability erivations Kernel Coe sel4 Microkernel unty pe cap 1 untype object2 CDT.. untype object n Recore in capability erivation tree (CDT) Nee bookkeeping Doubly-linke list through capabilities Space allocate with capability tables T C T C copy T C IIES08/seL4 9
18 Capability Derivation Tree Truste Kernel Coe... supervisory sel4 Microkernel unty pe cap 1 untype object2 CDT.. untpe object n For allocation: The untype capability shoul not have any CDT chilren Guarantees that there are no previously allocate objects Size of the object(s) must be small or equal to untype object T C T C copy T C IIES08/seL4 10
19 Evaluation Formal properties: Formalise the protection moel in Isabelle/HOL Machine checke, abstract moel of the kernel Formal, machine checke proof that mechanisms are sufficient for enforcing spatial partitioning Proof also ientify the invariants the supervisory nees to enforce for isolation to hol... supervisory sel4 Microkernel IIES08/seL4 11A
20 Evaluation Formal properties: Formalise the protection moel in Isabelle/HOL Machine checke, abstract moel of the kernel Formal, machine checke proof that mechanisms are sufficient for enforcing spatial partitioning Proof also ientify the invariants the supervisory nees to enforce for isolation to hol Can not share moifiable page/capability tables Can not share threa control blocks Can not have communication channels that allow capability propagation... supervisory sel4 Microkernel IIES08/seL4 11
21 Evaluation... Performance Use paravirtualise Linux as an example Compare with L4/Wombat (Linux) for running LMench Linux Driv ers... supervisory sel4 Microkernel ench mark L4 ( s) sel4( s) Gain(%) fork exec shell page faults Null Syscall ctx Proxy via Iguana Linux Driv (Wom ers bat)... Iguana L4 Microkernel IIES08/seL4 12
22 Status Empirical work Runs on ARM11 Investigate performance as a virtualisation platform Mathematically proven properties Formal work Information flow properties Abstract Moel (example: Clark-Wilson) Formal refinement work in progress Property preserving refinement C Coe HW Performance IIES08/seL4 13
23 Conclusion No implicit allocations within the kernel Users explicitly allocate kernel objects No heap, slab.. (no hien bookkeeping) Authority confinement guarantees control of kernel memory All kernel memory management policy is outsie the kernel Different isolation/integration configurations Support iverse, co-existing policies No moification to the kernel (remains verifie) Har guarantees on kernel memory consumption Facilitate formal reasoning of physical memory consumption Improve performance by controlle elegation Similar performance in other case IIES08/seL4 14
24 Questions?
25 From imagination to impact
10/17/2008. Kernel Design for Isolation and Assurance of Physical Memory. Embedded Systems. Embedded Systems. Small Kernel Approach
Desig for Isolatio a Assurace of hysical Memory Dhammika Elkauwe hilip Derri Kevi Elphistoe From imagiatio to impact Embee Systems Embee Systems Icreasig fuctioality Diverse applicatios Real-time Vs. best
More informationMicrokernel Design A walk through selected aspects of
Microkernel Design A walk through selected aspects of kernel design and sel4 These slides are made distributed under the Creative Commons Attribution 3.0 License, unless otherwise noted on individual slides.
More informationTowards a Practical, Verified Kernel
Towards a Practical, Verified Kernel Kevin Elphinstone and Gerwin Klein, National ICT Australia and the University of New South Wales Philip Derrin, National ICT Australia Timothy Roscoe, ETH Zürich Gernot
More informationGerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish
Gerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish Thomas Sewell Harvey Tuch Simon Winwood 1 microkernel
More informationPolitehnica University of Timisoara Mobile Computing, Sensors Network and Embedded Systems Laboratory. Testing Techniques
Politehnica University of Timisoara Mobile Computing, Sensors Network an Embee Systems Laboratory ing Techniques What is testing? ing is the process of emonstrating that errors are not present. The purpose
More informationKernel Design for Isolation and Assurance of Physical Memory
Kernel Design for Isolation and Assurance of Physical Memory Dhammika Elkaduwe Philip Derrin Kevin Elphinstone NICTA and University of New South Wales Sydney, Australia ABSTRACT Embedded systems are evolving
More informationImproving Interrupt Response Time in a Verifiable Protected Microkernel
Improving Interrupt Response Time in a Verifiable Protected Microkernel Bernard Blackham Yao Shi Gernot Heiser The University of New South Wales & NICTA, Sydney, Australia EuroSys 2012 Motivation The desire
More informationVerified Protection Model of the sel4 Microkernel
Verified Protection Model of the sel4 Microkernel Dhammika Elkaduwe, Gerwin Klein, and Kevin Elphinstone NICTA and University of New South Wales, Sydney, Australia {dhammika.elkaduwe,gerwin.klein,kevin.elphinstone}@nicta.com.au
More informationFormal methods for software security
Formal methods for software security Thomas Jensen, INRIA Forum "Méthodes formelles" Toulouse, 31 January 2017 Formal methods for software security Formal methods for software security Confidentiality
More informationKomodo: Using Verification to Disentangle Secure-Enclave Hardware from Software
Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, Bryan Parno* Microsoft Research, Cornell University, Carnegie Mellon
More informationRESOURCE MANAGEMENT MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group RESOURCE MANAGEMENT MICHAEL ROITZSCH AGENDA done: time, drivers today: misc. resources architectures for resource
More informationRESOURCE MANAGEMENT MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group RESOURCE MANAGEMENT MICHAEL ROITZSCH AGENDA done: time, drivers today: misc. resources architectures for resource
More informationExplicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières
Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières Too much trusted software Untrustworthy code a huge problem Users willingly run malicious
More informationsel4 Reference Manual Version 8.0.0
Data61 Trustworthy Systems https://ts.data61.csiro.au/projects/ts/ sel4 Reference Manual Version 8.0.0 Trustworthy Systems Team, Data61 https://sel4.systems/contact/ 17 January 2018 c 2018 General Dynamics
More informationOperating System Kernels
Operating System Kernels Presenter: Saikat Guha Cornell University CS 614, Fall 2005 Operating Systems Initially, the OS was a run-time library Batch ( 55 65): Resident, spooled jobs Multiprogrammed (late
More informationOperating System Security
Operating System Security Operating Systems Defined Hardware: I/o...Memory.CPU Operating Systems: Windows or Android, etc Applications run on operating system Operating Systems Makes it easier to use resources.
More informationTranslation Validation for a Verified OS Kernel
To appear in PLDI 13 Translation Validation for a Verified OS Kernel Thomas Sewell 1, Magnus Myreen 2, Gerwin Klein 1 1 NICTA, Australia 2 University of Cambridge, UK L4.verified sel4 = a formally verified
More informationTransient analysis of wave propagation in 3D soil by using the scaled boundary finite element method
Southern Cross University epublications@scu 23r Australasian Conference on the Mechanics of Structures an Materials 214 Transient analysis of wave propagation in 3D soil by using the scale bounary finite
More informationUse of Formal Methods in Assessment of IA Properties
Use of Formal Methods in Assessment of IA Properties George W. Dinolt gwdinolt@nps.navy.mil 44 th Meeting of IFIP Working Group 10.4 Computer Science Department Naval Postgraduate School 833 Dyer Road
More informationA Memory Allocation Model For An Embedded Microkernel
A Memory Allocation Model For An Embedded Microkernel Dhammika Elkaduwe Philip Derrin Kevin Elphinstone National ICT Australia and University of New South Wales Sydney, Australia firstname.lastname@nicta.com.au
More informationChapter 9 Memory Management
Contents 1. Introuction 2. Computer-System Structures 3. Operating-System Structures 4. Processes 5. Threas 6. CPU Scheuling 7. Process Synchronization 8. Dealocks 9. Memory Management 10.Virtual Memory
More informationCSC 5930/9010 Cloud S & P: Virtualization
CSC 5930/9010 Cloud S & P: Virtualization Professor Henry Carter Fall 2016 Recap Network traffic can be encrypted at different layers depending on application needs TLS: transport layer IPsec: network
More informationProtection. Thierry Sans
Protection Thierry Sans Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems Build Better Programs Why are
More informationInitial Evaluation of a User-Level Device Driver Framework
Initial Evaluation of a User-Level Device Driver Framework Stefan Götz Karlsruhe University Germany sgoetz@ira.uka.de Kevin Elphinstone National ICT Australia University of New South Wales kevine@cse.unsw.edu.au
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationAUTOBEST: A United AUTOSAR-OS And ARINC 653 Kernel. Alexander Züpke, Marc Bommert, Daniel Lohmann
AUTOBEST: A United AUTOSAR-OS And ARINC 653 Kernel Alexander Züpke, Marc Bommert, Daniel Lohmann alexander.zuepke@hs-rm.de, marc.bommert@hs-rm.de, lohmann@cs.fau.de Motivation Automotive and Avionic industry
More informationOS Structure. Kevin Webb Swarthmore College January 25, Relevant xkcd:
OS Structure Kevin Webb Swarthmore College January 25, 2018 Relevant xkcd: One of the survivors, poking around in the ruins with the point of a spear, uncovers a singed photo of Richard Stallman. They
More informationTessellation: Space-Time Partitioning in a Manycore Client OS
Tessellation: Space-Time ing in a Manycore Client OS Rose Liu 1,2, Kevin Klues 1, Sarah Bird 1, Steven Hofmeyr 3, Krste Asanovic 1, John Kubiatowicz 1 1 Parallel Computing Laboratory, UC Berkeley 2 Data
More informationCombining program verification with component-based architectures. Alexander Senier BOB 2018 Berlin, February 23rd, 2018
Combining program verification with component-based architectures Alexander Senier BOB 2018 Berlin, February 23rd, 2018 About Componolit 2 What happens when we use what's best? 3 What s Best? Mid-90ies:
More informationLOCAL OPERATING SYSTEMS R&D AND OPPOR TUNITIES FOR STUDENTS
OVERVIEW Cool systems stuff happening at: LOCAL OPERATING SYSTEMS R&D AND OPPOR TUNITIES FOR STUDENTS COMP9242 2006/S2 Week 14 UNSW Gelato@UNSW Linux scalability and performance on Itanium National ICT
More informationsel4 Reference Manual Version 2.0.0
NICTA Trustworthy Systems http://ssrg.nicta.com.au/projects/ts/ sel4 Reference Manual Version 2.0.0 Trustworthy Systems Team, NICTA ssrg@nicta.com.au 1 December 2015 c 2015 General Dynamics C4 Systems.
More informationCreating a Practical Security Architecture Based on sel4
Creating a Practical Security Architecture Based on sel4 Xinming (Simon) Ou University of South Florida (many slides borrowed/adapted from my student Daniel Wang) 1 Questions for sel4 Community Is there
More informationComprehensive Formal Verification of an OS Microkernel
Comprehensive Formal Verification of an OS Microkernel GERWIN KLEIN, JUNE ANDRONICK, KEVIN ELPHINSTONE, TOBY MURRAY, THOMAS SEWELL, RAFAL KOLANSKI, and GERNOT HEISER, NICTA and UNSW, Sydney, Australia
More informationINFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD OVERVIEW Fundamental
More informationPresented by: Alvaro Llanos E
Presented by: Alvaro Llanos E Motivation and Overview Frangipani Architecture overview Similar DFS PETAL: Distributed virtual disks Overview Design Virtual Physical mapping Failure tolerance Frangipani
More informationM 3 Microkernel-based System for Heterogeneous Manycores
M 3 Microkernel-based System for Heterogeneous Manycores Nils Asmussen MKC, 06/29/2017 1 / 35 Outline 1 Introduction 2 Data Transfer Unit 3 Prototype Platforms 4 M 3 5 Summary 2 / 35 Outline 1 Introduction
More informationsel4 Reference Manual Version
Data61 Trustworthy Systems https://ts.data61.csiro.au/projects/ts/ sel4 Reference Manual Version 10.0.0 Trustworthy Systems Team, Data61 https://sel4.systems/contact/ 28 May 2018 c 2018 General Dynamics
More information6.823 Computer System Architecture. Problem Set #3 Spring 2002
6.823 Computer System Architecture Problem Set #3 Spring 2002 Stuents are strongly encourage to collaborate in groups of up to three people. A group shoul han in only one copy of the solution to the problem
More informationYou Can Do That. Unit 16. Motivation. Computer Organization. Computer Organization Design of a Simple Processor. Now that you have some understanding
.. ou Can Do That Unit Computer Organization Design of a imple Clou & Distribute Computing (CyberPhysical, bases, Mining,etc.) Applications (AI, Robotics, Graphics, Mobile) ystems & Networking (Embee ystems,
More informationCOMP9242 Advanced Operating Systems S2/2011 Week 9: Microkernel Design Gernot Heiser, NICTA
COMP9242 Advanced Operating Systems S2/2011 Week 9: Microkernel Design Copyright Notice These slides are distributed under the Creative Commons Attribution 3.0 License You are free: to share to copy, distribute
More informationMODULE VII. Emerging Technologies
MODULE VII Emerging Technologies Computer Networks an Internets -- Moule 7 1 Spring, 2014 Copyright 2014. All rights reserve. Topics Software Define Networking The Internet Of Things Other trens in networking
More informationIntroduction. COMP9242 Advanced Operating Systems 2010/S2 Week 1
Introduction COMP9242 Advanced Operating Systems 2010/S2 Week 1 2010 Gernot Heiser UNSW/NICTA/OK Labs. Distributed under Creative Commons Attribution License 1 Copyright Notice These slides are distributed
More informationOverview. Operating Systems I. Simple Memory Management. Simple Memory Management. Multiprocessing w/fixed Partitions.
Overview Operating Systems I Management Provie Services processes files Manage Devices processor memory isk Simple Management One process in memory, using it all each program nees I/O rivers until 96 I/O
More informationInfluential OS Research Security. Michael Raitza
Influential OS Research Security Michael Raitza raitza@os.inf.tu-dresden.de 1 Security recap Various layers of security Application System Communication Aspects of security Access control / authorization
More informationCoupling the User Interfaces of a Multiuser Program
Coupling the User Interfaces of a Multiuser Program PRASUN DEWAN University of North Carolina at Chapel Hill RAJIV CHOUDHARY Intel Corporation We have evelope a new moel for coupling the user-interfaces
More informationThe Evolution of Secure Operating Systems
The Evolution of Secure Operating Systems Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University 1 Operating Systems
More informationPart 1: Introduction to device drivers Part 2: Overview of research on device driver reliability Part 3: Device drivers research at ERTOS
Some statistics 70% of OS code is in device s 3,448,000 out of 4,997,000 loc in Linux 2.6.27 A typical Linux laptop runs ~240,000 lines of kernel code, including ~72,000 loc in 36 different device s s
More informationCSCE Operating Systems Interrupts, Exceptions, and Signals. Qiang Zeng, Ph.D. Fall 2018
CSCE 311 - Operating Systems Interrupts, Exceptions, and Signals Qiang Zeng, Ph.D. Fall 2018 Previous Class Process state transition Ready, blocked, running Call Stack Execution Context Process switch
More informationOpal. Robert Grimm New York University
Opal Robert Grimm New York University The Three Questions What is the problem? What is new or different? What are the contributions and limitations? The Three Questions What is the problem? Applications
More informationUser-level Management of Kernel Memory
User-level Management of Memory Andreas Haeberlen University of Karlsruhe Karlsruhe, Germany Kevin Elphinstone University of New South Wales Sydney, Australia 1 Motivation: memory Threads Files memory
More informationPractical and Efficient Exploit Mitigation for Embedded Devices
Practical and Efficient Exploit Mitigation for Embedded Devices Matthias Neugschwandtner IBM Research, Zurich Collin Mulliner Northeastern University, Boston Qualcomm Mobile Security Summit 2015 1 Embedded
More informationSECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM
1 SRIFY: A COMPOSITIONAL APPROACH OF BUILDING SRITY VERIFIED SYSTEM Liu Yang, Associate Professor, NTU SG-CRC 2018 28 March 2018 2 Securify Approach Compositional Security Reasoning with Untrusted Components
More informationRapiLog: Reducing System Complexity Through Verification
: Reducing System Complexity Through Verification Gernot Heiser, Etienne Le Sueur, Adrian Danis, Aleksander Budzynowski, Tudor-Ioan Salomie, Gustavo Alonso 1 Database Transactions Transactions implement
More informationInkTag: Secure Applications on an Untrusted Operating System. Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin
InkTag: Secure lications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin You trust your... should you? The is the software root of trust on most
More informationFormal Methods for MILS: Formalisations of the GWV Firewall Ruud Koolen and Julien Schmaltz
Formal Methods for MILS: Formalisations of the GWV Firewall Ruud Koolen and Julien Schmaltz Eindhoven University of Technology Department of Mathematics and Computer Science Model Driven Software Engineering
More informationIntroduction. COMP /S2 Week Gernot Heiser UNSW/NICTA/OKL. Distributed under Creative Commons Attribution License 1
Introduction COMP9242 2008/S2 Week 1 2008 Gernot Heiser UNSW/NICTA/OKL. Distributed under Creative Commons Attribution License 1 Copyright Notice These slides are distributed under the Creative Commons
More informationApplying MILS to multicore avionics systems
Applying MILS to multicore avionics systems Eur Ing Paul Parkinson FIET Principal Systems Architect, A&D EuroMILS Workshop, Prague, 19 th January 2016 2016 Wind River. All Rights Reserved. Agenda A Brief
More informationAmplifying. Only stack module can alter, read x So process doesn t get capability, but needs it when x is referenced a problem!
Amplifying Allows temporary increase of privileges Needed for modular programming Module pushes, pops data onto stack module stack endmodule. Variable x declared of type stack var x: module; Only stack
More informationFaculty of Engineering Computer Engineering Department Islamic University of Gaza Network Lab # 7 Permissions
Faculty of Engineering Computer Engineering Department Islamic University of Gaza 2012 Network Lab # 7 Permissions Objective: Network Lab # 7 Permissions Define permissions. Explain the characteristics
More informationUsing a Separation Kernel to Protect against the Remote Exploitation of Unaltered Passenger Vehicles
Safety & Security for the Connected World Using a Separation Kernel to Protect against the Remote Exploitation of Unaltered Passenger Vehicles 16 th June 2015 Mark Pitchford, Technical Manager, EMEA Today
More informationTrustworthy Whole-System Provenance for the Linux Kernel
Trustworthy Whole-System Provenance for the Linux Kernel Adam Bates, Dave (Jing) Tian, Thomas Moyer, and Kevin R. B. Butler In association with USENIX Security Symposium, Washington D.C., USA 13 August,
More informationOS Extensibility: Spin, Exo-kernel and L4
OS Extensibility: Spin, Exo-kernel and L4 Extensibility Problem: How? Add code to OS how to preserve isolation? without killing performance? What abstractions? General principle: mechanisms in OS, policies
More informationTolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich
XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory,...
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationAn Information Model for High-Integrity Real Time Systems
An Information Model for High-Integrity Real Time Systems Alek Radjenovic, Richard Paige, Philippa Conmy, Malcolm Wallace, and John McDermid High-Integrity Systems Group, Department of Computer Science,
More informationQualifying exam: operating systems, 1/6/2014
Qualifying exam: operating systems, 1/6/2014 Your name please: Part 1. Fun with forks (a) What is the output generated by this program? In fact the output is not uniquely defined, i.e., it is not always
More informationAchieving safe, certified, multicore avionics systems with Separation Kernel Hypervisors
Safety & Security for the Connected World Achieving safe, certified, multicore avionics systems with Separation Kernel Hypervisors 13 October 2015 Mark Pitchford, Technical Manager, EMEA Achieving safe,
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationVIRTUAL ENVIRONMENT SECURITY MODELING
VIRTUAL ENVIRONMENT SECURITY MODELING Dmitry Zegzhda, Ekaterina Rudina Saint-Petersburg State Polytechnic University Our goal is the well-grounded use of hybrid systems Sensitive data Incompatible application
More informationL4/Darwin: Evolving UNIX. Charles Gray Research Engineer, National ICT Australia
L4/Darwin: Evolving UNIX Charles Gray Research Engineer, National ICT Australia charles.gray@nicta.com.au Outline 1. Project Overview 2. BSD on the Mach microkernel 3. Porting Darwin to the L4 microkernel
More informationOutline. SLD challenges Platform Based Design (PBD) Leveraging state of the art CAD Metropolis. Case study: Wireless Sensor Network
By Alberto Puggelli Outline SLD challenges Platform Based Design (PBD) Case study: Wireless Sensor Network Leveraging state of the art CAD Metropolis Case study: JPEG Encoder SLD Challenge Establish a
More informationChapter 6: Integrity Policies
Chapter 6: Integrity Policies Overview Requirements Biba s models Clark-Wilson model Slide #6-1 Overview Requirements Very different than confidentiality policies Biba s model Clark-Wilson model Slide
More informationSingularity Reviewed an Operating System Challenging Common Concepts
an Operating System Challenging Common Concepts by Lothar Schäfer lothar.schaefer@sbg.ac.at Overview Singularity is a research operating system at Microsoft Research. The project started in 2003 and is
More informationVirtual Memory. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Virtual Memory Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu SSE3044: Operating Systems, Fall 2017, Jinkyu Jeong (jinkyu@skku.edu) Virtual Memory:
More informationHAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008,
HAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008, Chicago Component Security Integration John Rushby Computer
More informationPART 2. Organization Of An Operating System
PART 2 Organization Of An Operating System CS 503 - PART 2 1 2010 Services An OS Supplies Support for concurrent execution Facilities for process synchronization Inter-process communication mechanisms
More informationOperating- System Structures
Operating- System Structures 2 CHAPTER Practice Exercises 2.1 What is the purpose of system calls? Answer: System calls allow user-level processes to request services of the operating system. 2.2 What
More informationCSCI 6411: Operating Systems. Acknowledgements: Some slide material derived from Silberschatz, et al.
CSCI 6411: Operating Systems Acknowledgements: Some slide material derived from Silberschatz, et al. High level Cars Computers ...details... Cars Computers ... low level Cars Computers What is an Operating
More informationTurning proof assistants into programming assistants
Turning proof assistants into programming assistants ST Winter Meeting, 3 Feb 2015 Magnus Myréen Why? Why combine proof- and programming assistants? Why proofs? Testing cannot show absence of bugs. Some
More informationRuntime Integrity Checking for Exploit Mitigation on Embedded Devices
Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Matthias Neugschwandtner IBM Research, Zurich eug@zurich.ibm.com Collin Mulliner Northeastern University, Boston collin@mulliner.org
More informationAdvanced Systems Security: Securing Commercial Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 3.1: OS Security Basics of secure design Endadul Hoque Slide Acknowledgment Contents are based on slides from Ninghui Li (Purdue), John Mitchell (Stanford), Dan Boneh (Stanford)
More informationComputer Organization
Computer Organization Douglas Comer Computer Science Department Purue University 250 N. University Street West Lafayette, IN 47907-2066 http://www.cs.purue.eu/people/comer Copyright 2006. All rights reserve.
More informationWhat is an Operating System? A Whirlwind Tour of Operating Systems. How did OS evolve? How did OS evolve?
What is an Operating System? A Whirlwind Tour of Operating Systems Trusted software interposed between the hardware and application/utilities to improve efficiency and usability Most computing systems
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationLabels and Information Flow
Labels and Information Flow Robert Soulé March 21, 2007 Problem Motivation and History The military cares about information flow Everyone can read Unclassified Few can read Top Secret Problem Motivation
More informationQuestions? Post on piazza, or Radhika (radhika at eecs.berkeley) or Sameer (sa at berkeley)!
EE122 Fall 2013 HW3 Instructions Recor your answers in a file calle hw3.pf. Make sure to write your name an SID at the top of your assignment. For each problem, clearly inicate your final answer, bol an
More informationMARTE Based Modeling Tools Usage Scenarios in Avionics Software Development Workflows
MARTE Based Modeling Tools Usage Scenarios in Avionics Software Development Workflows Alessandra Bagnato, Stefano Genolini Txt e-solutions FMCO 2010, Graz, 29 November 2010 Overview MADES Project and MADES
More informationPrivilege Escalation
Privilege Coleman Kane Coleman.Kane@ge.com February 9, 2015 Security Vulnerability Assessment Privilege 1 / 14 root, or Privilege or Elevation is the act of gaining access to resources which were intended
More informationVirtual Memory 1. To do. q Segmentation q Paging q A hybrid system
Virtual Memory 1 To do q Segmentation q Paging q A hybrid system Address spaces and multiple processes IBM OS/360 Split memory in n parts (possible!= sizes) A process per partition Program Code Heap Operating
More informationMicrokernel Construction
Introduction SS2013 Class Goals Provide deeper understanding of OS mechanisms Introduce L4 principles and concepts Make you become enthusiastic L4 hackers Propaganda for OS research at 2 Administration
More informationBasic Memory Management
Basic Memory Management CS 256/456 Dept. of Computer Science, University of Rochester 10/15/14 CSC 2/456 1 Basic Memory Management Program must be brought into memory and placed within a process for it
More informationA Userspace Packet Switch for Virtual Machines
SHRINKING THE HYPERVISOR ONE SUBSYSTEM AT A TIME A Userspace Packet Switch for Virtual Machines Julian Stecklina OS Group, TU Dresden jsteckli@os.inf.tu-dresden.de VEE 2014, Salt Lake City 1 Motivation
More informationBuilding Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal Devices OpenIT - 07.03.2014 by Javier González Javier González - jgon@itu.dk Philippe Bonnet - phbo@itu.dk Digital Society Distrust Users Personal Information! Information
More informationRESOURCE MANAGEMENT MICHAEL ROITZSCH
Department of Computer Science Institute for System Architecture, Operating Systems Group RESOURCE MANAGEMENT MICHAEL ROITZSCH AGENDA done: time, drivers today: misc. resources architectures for resource
More informationAdvanced Systems Security: Principles
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationVirtual Machine Security
Virtual Machine Security CSE443 - Spring 2012 Introduction to Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ 1 Operating System Quandary Q: What is the primary goal
More informationOnline Appendix to: Generalizing Database Forensics
Online Appenix to: Generalizing Database Forensics KYRIACOS E. PAVLOU an RICHARD T. SNODGRASS, University of Arizona This appenix presents a step-by-step iscussion of the forensic analysis protocol that
More informationMICROKERNEL CONSTRUCTION 2014
MICROKERNEL CONSTRUCTION 2014 THE FIASCO.OC MICROKERNEL Alexander Warg MICROKERNEL CONSTRUCTION 1 FIASCO.OC IN ONE SLIDE CAPABILITY-BASED MICROKERNEL API single system call invoke capability MULTI-PROCESSOR
More informationFaculty of Computer Science Institute for System Architecture, Operating Systems Group. Memory. Björn Döbel. Dresden,
Faculty of Computer Science Institute for System Architecture, Operating Systems Group Memory Björn Döbel Dresden, 2013-11-05 So far... Introduction Monolithic vs. microkernels L4 concepts: Threads and
More information