
New Results in Fluke/Flask






Presentation Transcript


  1. New Results in Fluke/Flask
     Jay Lepreau, Flux Group, University of Utah
     http://www.cs.utah.edu/projects/flux/
     July 13, 1998

  2. Refresher: The Nested Process Model
     • Child process is encapsulated in its parent.
     (Figure: Traditional Process Model vs. Nested Process Model; in the nested model the child state sits inside the parent process state.)
     • Parent has complete control over the child.

  3. Some New Work (Results?) and Yet More Obscure Names
     • Resource mgmt in several code/architecture bases:
       • Fluke (microkernel)
       • OSKit (COM components)
       • Alta: Fluke in a JVM
     • Flask: high-security version of Fluke
     • Alta: Fluke architecture implemented in a JVM, using type-safety for memory protection

  4. 1. Resource Management
     • CPU
       • cpu inheritance scheduling in the OSKit, partly in Fluke, will be in JVM; policy-free (nearly)
       • stride scheduling (WFQ) in Fluke
     • Physical memory: min-funding revocation in Fluke
     • Both are:
       • Provided by arbitrary user process (mem) or thread (cpu)
       • Hierarchical, extensible…
     • Network bandwidth and buffers
       • incoming buffer space
       • outgoing links
       • in JVM-based systems (partially impl)

  5. CPU - Stride Scheduling
     (Figure: ticket tree with allocations 600, 400, 50, 50 and resulting shares of 60% CPU, 20% CPU, 20% CPU.)
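A small simulation of hierarchical stride scheduling, added here as an illustration (not Fluke's scheduler code), shows how the slide's ticket figures turn into CPU shares. It assumes the 50/50 split sits beneath the 400-ticket node, which reproduces the figure's 60% / 20% / 20% result; the tree and the quanta count are constructed for the example.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Node:
    """A scheduling entity: a leaf thread, or an interior node that holds tickets
    and splits CPU among its children (the hierarchical, user-extensible
    arrangement the slide describes)."""
    name: str
    tickets: int
    children: list = field(default_factory=list)
    pass_value: Fraction = Fraction(0)

    @property
    def stride(self) -> Fraction:
        # Stride is inversely proportional to tickets; exact arithmetic keeps the
        # simulated shares exact rather than floating-point approximate.
        return Fraction(1, self.tickets)


def pick(root: Node) -> Node:
    """Select the next leaf to run: at every level choose the child with the
    lowest pass value, charge it one stride, and descend into it."""
    node = root
    while node.children:
        node = min(node.children, key=lambda c: c.pass_value)
        node.pass_value += node.stride
    return node


def simulate(root: Node, quanta: int) -> dict:
    """Run the scheduler for `quanta` time slices; return quanta received per leaf."""
    counts = {}
    for _ in range(quanta):
        leaf = pick(root)
        counts[leaf.name] = counts.get(leaf.name, 0) + 1
    return counts


def build_slide_tree() -> Node:
    # Constructed to match the slide: 600 and 400 tickets at the top level, and
    # (assumed) a 50/50 split beneath the 400-ticket node.
    b = Node("B", 400, [Node("B1", 50), Node("B2", 50)])
    return Node("root", 1000, [Node("A", 600), b])


if __name__ == "__main__":
    for name, n in sorted(simulate(build_slide_tree(), 1000).items()):
        print(f"{name}: {n / 10:.0f}% CPU")
```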

  6. 2. Flask: High-security version of Fluke
     • Joint with NSA R23, SCC
     • Augments Fluke with fine grained security mechanisms
       • Explicit security bindings
       • Mandatory controls
       • Mutual authentication
     • User-mode security policy server makes all policy decisions

  7. Flask new things…
     • FSPM (SCC, Utah, NSA) and resulting architectural changes
     • Secure servers: memory mgrs, filesystem, network, process manager
       • process mgr has interesting issues: low-integrity parent can exec high-integrity child; read-without-execute; inherited process state across exec; ...
     • Support for atomic revocation and flexible policy (demo)

  8. Demo - a) Static Role Relationships
     (Figure: role tree of Office Chief, Payroll, Division Chief, two Branch Chiefs and two Branch Employees.)
     • Only branch, division, and office chiefs may approve timesheets and send them to payroll. (Employees may not.)

  9. Demo - b) Delegation
     (Figure: Office Chief, Payroll, Branch Chief and two Branch Employees.)
     • The office chief will designate Pete, an employee, as a temporary branch chief.
     • Steve will submit a timesheet to Pete.
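The two demo parts, plus the atomic revocation from slide 7, modelled as a toy user-mode policy server that makes every decision while the objects only enforce. This is an added illustration, not Flask's security server interface or policy language; the office chief's name "olivia" and the action names are constructed for the example, Pete and Steve come from the slides.

```python
from typing import Dict, List, Optional

# Demo a): static role relationships. Only chiefs may approve timesheets.
APPROVING_ROLES = {"office_chief", "division_chief", "branch_chief"}


class PolicyServer:
    """Central decision point: servers ask it before acting and never decide alone."""

    def __init__(self, permanent_roles: Dict[str, str]):
        self.roles = dict(permanent_roles)          # user -> permanent role
        self.delegations: Dict[str, str] = {}       # user -> temporary role

    def effective_role(self, user: str) -> Optional[str]:
        # A live delegation overrides the permanent role; otherwise fall back.
        return self.delegations.get(user, self.roles.get(user))

    def decide(self, subject: str, action: str) -> bool:
        """Policy decision for `subject` attempting `action`; default deny."""
        if action == "approve_timesheet":
            return self.effective_role(subject) in APPROVING_ROLES
        if action == "submit_timesheet":
            return self.effective_role(subject) is not None   # any known user
        return False

    def delegate(self, grantor: str, user: str, role: str) -> bool:
        # Demo b): only the office chief may designate a temporary chief.
        if self.effective_role(grantor) != "office_chief" or role not in APPROVING_ROLES:
            return False
        self.delegations[user] = role
        return True

    def revoke(self, user: str) -> bool:
        # Atomic revocation: the delegation disappears in one step, so the very
        # next decision about this subject is made against the permanent role.
        return self.delegations.pop(user, None) is not None


def run_demo() -> List[bool]:
    """Replay the demo; return the sequence of policy decisions it produces."""
    ps = PolicyServer({"olivia": "office_chief", "pete": "employee", "steve": "employee"})
    trace = [ps.decide("pete", "approve_timesheet")]        # employee: denied
    ps.delegate("olivia", "pete", "branch_chief")            # Pete becomes acting chief
    trace.append(ps.decide("steve", "submit_timesheet"))     # Steve submits to Pete
    trace.append(ps.decide("pete", "approve_timesheet"))     # now allowed
    ps.revoke("pete")                                        # temporary role withdrawn
    trace.append(ps.decide("pete", "approve_timesheet"))     # denied again
    return trace
```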

  10. 3. “Alta”: Same Fluke architecture, new mechanism

  11. Nested Process Model and Protection
      • Provides a new way to use protection domains
      • Can use various protection mechanisms:
        • Hardware (working)
        • Type-safe language (Java: mostly working)
        • Proof-carrying code (planned)

  12. Motivation and Goals
      • Our group’s focus is local system security, including resource management
      • Java-based systems need this! Info security… AND flexible resource control and failure isolation
      • Java-based systems will be everywhere; opportunity to influence while in a formative stage

  13. Thesis
      • Ad hoc language-oriented approaches are not enough
      • Requirements are similar to multi-user OS requirements
      • … so apply a coherent OS model!
      • …we happen to have one
        • Have a model with specific properties
        • Have structure: design, interfaces, implementation
        • Documented: model, properties, interfaces

  14. Processes In Java
      • What is a Java Process?
        • Namespace
        • Memory allocation limit
        • CPU allocation limit
      • More than an applet, ClassLoader or ThreadGroup

  15. Example: Web “servlets”
      • WWW server allows clients to upload Java applications (servlets)
      • Each servlet would be a separate process:
        • separate, controlled namespace
        • separate memory limit
        • separate CPU limit
        • controlled access to server’s system
      • Java provides memory safety and namespace integrity
      • Processes provide accounting and control

  16. Configurations
      • Naked hardware - OSKit
      • On traditional OSes
      • Run on top of Flask/Fluke for additional assurance and defense
      • Add fine-grain access control a la Flask

  17. “Fluke V3”
      • Components are good
      • OSKit++

  18. “Lessons Learned”
      • Too much “multi” is bad for research prototypes
        • multiprocessor support
        • multithreading
      • Strict layering creates problems (34 layers in Fluke microkernel impl.)
      • COM vs. MOM
      • Collaboration is good
      • Keep models, evolve mechanisms
