In open and configurable applications, external programs are often used to handle different functions and data formats. This is particularly true for applications that communicate through the Internet, where new protocols and data formats are frequently introduced. These external programs are often installed quickly and without a full security audit, even when the sources are available. This makes the users of such applications vulnerable to viruses and Trojan horses introduced by misconfiguration or flaws in the security of these applications. In this paper we introduce a mechanism called "protection wrappers" that allows an application to run external programs in a restricted environment called a "sandbox". Programs running in a sandbox execute with the identity of a user with limited privileges. This reduces the potential damage to the system and to the data of the user who originally launched the application.
Affiliations: Université Joseph Fourier, Grenoble; INRIA Rhône-Alpes.
1 Introduction
The dramatic growth of the Internet and the popularity of the World Wide Web have given birth to a new network community in which individual users and academic and industrial institutions in all countries exchange data and software freely across the network. The Internet was previously used to exchange software and data among a small community of researchers who knew and trusted each other, just as computer hobbyists have exchanged software on diskettes with friends, neighbors, and colleagues. Today, however, people connected to the Internet receive data and use software from various unknown sources, e.g. installing and using a new video player found on a Web server. In principle both programs and data should be carefully verified before being used: the program by the administrator who installs it, and the data by the program that manipulates them. However, in many cases software or data are used without prior verification and without authentication of the source.
Internet communication software such as web browsers or mail readers increasingly relies on external programs to display images or PostScript files, play music or video clips, convert MIME-encoded mail, or simply allow users to specify external pagers and editors. These programs are potential Trojan horses for two reasons: first, because they may have been written by malicious programmers, and second, because they rarely implement a protection policy that allows them to verify data before operating on them. Most of these external programs are developed to be used in safe environments where data are generally trusted. Two good examples of this are Ghostscript (gs(1)), which allows users to preview their PostScript documents, and MS-Word, which can be used to prepare reports and write documentation for programs. However, PostScript is a full programming language that, for instance, allows programs to access files in the file system, and MS-Word has the ability to create or update macros, based
on definitions found in the document. When these programs are used in the potentially hostile environment of the Internet, a PostScript document retrieved from a web server or a Word document attached to an e-mail may have been carefully prepared by an attacker, and these programs can then act as Trojan horses, damaging the user's files or helping a potential intruder to compromise the security of the site. It is therefore essential to provide protection services that prevent the use of these programs from damaging the machine and the environment of the user who runs them. In this paper we propose a portable mechanism that isolates programs in a sandbox with restricted rights. The mechanism works by wrapping the application in a front-end program (the wrapper) that implements the "need to know" principle, without modifying the application itself. A program isolated in a sandbox may initially have no explicitly defined access rights. Further rights are
Protection wrappers: a simple and portable sandbox for untrusted applications. C. Jensen, D. Hagimont. Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, 1998-09-07. doi:10.1145/319195.319211
Yasushi Saito, Eric Hoffman, B. Bershad, H. Levy, D. Becker, B. Folliot
This paper describes the design and preliminary performance of the Porcupine mail server, a cluster-based mail server that can handle up to 1 billion messages a day. Unlike common large-scale mail servers deployed today, there is no role separation among nodes. Each node in the cluster runs all the services supported by the cluster and balances the workload dynamically using the cluster membership information. This architecture is more available, manageable, and scalable than the traditional architecture.
The Porcupine scalable mail server. Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, 1998-09-07. doi:10.1145/319195.319203
An increasing number of users access the WWW from small portable mobile hosts connected through different network interfaces supporting mobility: wireless low-bandwidth connections over long distances (GSM, 9.6 Kbit/s), wireless medium-bandwidth connections over short distances (WaveLAN, 2 Mbit/s), and desk-area infrared connections to stationary LANs (NetBeamIR, 4 Mbit/s). The connections differ in distance coverage, bandwidth, latency, cost, and quality of service (error rate, jitter), and these parameters may vary over time. GSM provides global untethered connectivity, thus allowing ubiquitous mobile access to the WWW: anywhere, anytime. However, it suffers from relatively low bandwidth and high cost compared to its wired counterpart. Various client devices, ranging from PDAs to full-featured laptops, can use GSM. In order to use GSM efficiently, we need system and application support for reducing bandwidth requirements, adapting to hardware variations, and optimizing connection costs. In this paper, we propose application support for WWW access based on a different paradigm from previous work: we use mobile agents to delegate all time-consuming operations to the network, in particular downloading documents and data-type-specific distillation of their contents.
Efficient mobile access to the WWW over GSM. X. Delord, S. Perret, A. Duda. Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, 1998-09-07. doi:10.1145/319195.319196
L. Baum, Martin Becker, L. Geyer, G. Molter, P. Sturm
Reusing approved components is an attractive approach for the customization of runtime platforms in an economically sensible manner. However, the successful transition from particular requirements to a suitable architecture including appropriate components relies heavily on the expertise of the system designers. In this paper, we propose an architecture-driven approach to support runtime platform developers in the composition of customized platforms. Central to this approach is the explicit consideration of architectural aspects on an intermediate level of description. At this level, the appropriate matching of requirements against properties of available components is controlled by formalized architectural knowledge. With SDL patterns and design spaces we present two techniques for performing this mapping process.
Driving the composition of runtime platforms by architectural knowledge. Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, 1998-09-07. doi:10.1145/319195.319217
Experience gained from the design of micro-kernels for either high-performance or hard real-time computing has shown that customization plays a major role in enhancing the performance of applications while maintaining a reusable and flexible software architecture. Our goal is to cover both fields by developing a customizable library operating system (DREAMS) intended to be used as a basis for the synthesis of application-specific run-time platforms or operating system kernels.
A customizable library to support software synthesis for embedded applications and micro-kernel systems. C. Ditze. Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, 1998-09-07. doi:10.1145/319195.319209
P. Havinga, A. Helme, S. Mullender, G. Smit, J. Smit
Mobile personal computers will be a vital technology for making electronic information processing available to people on the move. We expect personal mobile computers, 'mobile digital companions', to be small enough that they can be carried along all day, versatile enough that they can be used for all kinds of information processing -- diary, notebook, pager, telephone, walkman, dictation, e-mail, e-money, keys, ID -- and frugal enough that they can be used all day without recharging. This paper reports ongoing work on Moby Dick, a research project that addresses fundamental issues in the architecture, design and implementation of low-power hand-held computers, with particular emphasis on energy conservation and security. The goal is to investigate architectural issues in hardware and software design in concert, so that opportunities in hardware design can be exploited by supportive software.
Battery-powered distributed systems (extended abstract). Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, 1998-09-07. doi:10.1145/319195.319227
People have long trusted central authorities to coordinate secure collaboration on local-area networks. Unfortunately, the Internet doesn't provide the kind of administrative structures individual organizations do. As such, users risk painful consequences if global, distributed systems rely on central authorities for security. Fortunately, security need not come at the price of centralized control. To prove it, we present SFS, a secure, global, decentralized file system permitting easy cross-administrative-realm collaboration. With a simple idea, self-certifying pathnames, SFS lets users escape the evils of centralized control.
Escaping the evils of centralized control with self-certifying pathnames. David Mazières, Frans Kaashoek. Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, 1998-09-07. doi:10.1145/319195.319213
When parallel processing became popular at the end of the eighties, it became evident that common operating systems were not able to deliver the raw performance of parallel hardware to parallel applications. Much processing power was wasted on complex system call mechanisms and sometimes on the vast resource consumption of the operating system itself. Even micro-kernel based systems were often too slow, because they too relied on concepts that consume computing power, such as address space separation or virtual memory systems. Nevertheless, some applications required exactly those functionalities that others rejected for performance reasons. Since this contradiction can hardly be resolved within a single operating system, the PEACE operating system family [10] was developed at GMD-FIRST. The simplest family members are realized as highly efficient runtime libraries, while the most complex members can be regarded as full-fledged micro-kernel based operating systems. Family-based systems can be implemented conveniently by means of object-oriented programming paradigms; thus the PEACE operating system family has been implemented entirely in C++. Operating system services are implemented as classes, and users can extend and specialize these system classes by means of inheritance. In theory this scenario is sound and straightforward, but in practice the conceptual advantages of object orientation are extremely hard to exploit without suitable object models and language-level support for object-oriented implementation techniques in distributed contexts. When users extend and specialize PEACE classes by means of inheritance, class hierarchies need to be extended across address spaces as well as network boundaries, and objects can be fragmented across address spaces. This in turn can lead to serious performance bugs caused by frequent remote invocations when application classes interact closely with their system-level base classes.
On the other hand, it is obvious that client classes cannot have full access to system-level state information, both to avoid forgery and to ease resource sharing among many clients. Implementing system services as fragmented objects [7], as in the SOS system [12], would have supported independence as well as encapsulation of object fragments allocated in different address spaces. Nevertheless, we considered that model already too complex for the very lightweight system structures we were aiming at, because
Dual objects—an object model for distributed system programming. J. Nolte, Wolfgang Schröder-Preikschat. Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, 1998-09-07. doi:10.1145/319195.319235
G. Czajkowski, Chi-Chao Chang, C. Hawblitzel, Deyu Hu, T. V. Eicken
With the continued spread of the Internet, the typical computing model for servers is undergoing a drastic change. In the past, server systems have moved from providing interactive time-sharing service to providing file-server and now more general back-office (mail, database, web, etc.) services. While the characteristics of the new Internet server systems are not yet clear, we expect that Internet servers will have at least three characteristics that distinguish them drastically from today's servers: (i) high code mobility, (ii) large numbers of anonymous users, and (iii) significant concern for the efficient use of resources.
Resource management for extensible Internet servers. Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, 1998-09-07. doi:10.1145/319195.319201
The majority of work on protection in single-language mobile code environments focuses on information security issues and depends on the language environment for solutions to the problems of resource management and process isolation. We believe that what is needed in these environments is not ad-hoc or incremental changes but a coherent approach to security, failure isolation, and resource management. Protection, separation, and control of the resources used by mutually untrusting components, applets, applications, or agents are exactly the same problems faced by multi-user operating systems. We believe that real solutions will come only if an OS model is uniformly applied to these environments. We present Alta, our prototype Java-based system patterned on Fluke, a highly structured, hardware-based OS, and report on its features appropriate to mobile code.
This research was supported in part by the Defense Advanced Research Projects Agency, monitored by the Department of the Army under contract number DABT63–94–C–0058, and the Air Force Research Laboratory, Rome Research Site, USAF, under agreement number F30602–96–2–0269. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation hereon.
1 Operating System Model Required
In the last European SIGOPS Workshop, our paper [17] argued that the local operating system is an essential foundation for global applications. We described the many demands that a reasonably well-functioning distributed system places on the local OS, and particularly emphasized end-system security in the widespread presence of mobile code. The focus of that paper was on making the case for the importance of the local OS and outlining an appropriate OS for that environment: the Fluke [10] operating system, an OS based on a recursive virtual machine model, analogous to the Cambridge CAP Computer [30], but implemented by a microkernel instead of special hardware. In this paper we assume that the importance of the local OS to distributed applications is evident. From that base, we endeavor to make four points concerning platforms for mixed-trust components and mobile code: (i) A coherent, structured approach is required, driven by a full-blown OS model; language-level patches are not enough. (ii) Existing security-oriented approaches fall short in resource management. (iii) Applying an OS model is feasible, based upon our initial experiences with Alta. (iv) Alta provides features useful for mobile code, including hierarchical resource management and flexible object sharing.
1.1 Application Scenario
In 1997 MCI developed and distributed its Denial of Service Tracker (DoSTracker) [19], after getting their router vendor to add the required interfaces and code to the routers. DoSTracker works as follows. Many denial of service attacks involve generating packets that spoof the IP address of the victim's host. For example, fabricating broadcast packets will
{"title":"Nested Java processes: OS structure for mobile code","authors":"Patrick Tullmann, Jay Lepreau","doi":"10.1145/319195.319212","DOIUrl":"https://doi.org/10.1145/319195.319212","url":null,"abstract":"The majority of work on protection in single-language mobile code environments focuses on information security issues and depends on the language environment for solutions to the problems of resource management and process isolation. We believe that what is needed in these environments are not ad-hoc or incremental changes but a coherent approach to security, failure isolation, and resource management. Protection, separation, and control of the resources used by mutually untrusting components, applets, applications, or agents are exactly the same problems faced by multi-user operating systems. We believe that real solutions will come only if an OS model is uniformly applied to these environments. We present Alta, our prototype Java-based system patterned on Fluke, a highly structured, hardware-based OS, and report on its features appropriate to mobile code. 1 Operating System Model Required In the last European SIGOPS Workshop, our paper [17] argued that the local operating system is an essential foundation for global applications. We described the many demands that a reasonably well functioning distributed system places on the local OS, and particularly emphasized end-system security in the widespread presence of mobile code. The focus of that paper was on making the case for the importance of the local OS, and outlining an appropriate OS for that environment: the Fluke [10] operating system, an OS based on a recursive virtual machine model, analogous to the Cambridge CAP Computer [30], but implemented by a microkernel instead of special hardware. In this paper we assume that the importance of the local OS to distributed applications is evident. (This research was supported in part by the Defense Advanced Research Projects Agency, monitored by the Department of the Army under contract number DABT63–94–C–0058, and the Air Force Research Laboratory, Rome Research Site, USAF, under agreement number F30602–96–2–0269. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation hereon.) From that base, we endeavor to make four points concerning platforms for mixed trust components and mobile code: (i) A coherent, structured approach is required, driven by a full-blown OS model; language-level patches are not enough. (ii) Existing security-oriented approaches fall short in resource management. (iii) Applying an OS model is feasible, based upon our initial experiences with Alta. (iv) Alta provides features useful for mobile code, including hierarchical resource management and flexible object sharing. 1.1 Application Scenario In 1997 MCI developed and distributed its Denial of Service Tracker (DoSTracker) [19], after getting their router vendor to add the required interfaces and code to the routers. DoSTracker works as follows. Many denial of service attacks involve generating packets that spoof the IP address of the victim’s host. For example, fabricating broadcast packets will ","PeriodicalId":335784,"journal":{"name":"Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications","volume":"21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1998-09-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127028132","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}