Neal H. Walfield and Marcus Brinkmann
{neal,marcus}@gnu.org

Abstract

Commodity operating systems fail to meet the security, resource management and integration expectations of users. We propose a unified solution based on a capability framework as it supports fine grained objects, straightforward access propagation and virtualizable interfaces and explore how to improve resource use via access decomposition and policy refinement with minimum interposition. We argue that only a small static number of scheduling policies are needed in practice and advocate hierarchical policy specification and central realization.

1 Introduction

Commodity operating systems provide inadequate protection mechanisms preventing users from articulating some useful security policies; they expose resource abstractions which, in hiding resource multiplexing, reduce efficiency, limit application adaptability and impede the realization of real-time properties; and they lack extensibility, reducing consistency of mechanism and integration. Although the research community has explored these problems individually, the resulting models often ignore one of these concerns, limiting applicability.

We have chosen an object capability system as our foundation. By conflating designation and authorization, thereby eliminating principal identifiers and shared name spaces, such a system enables fine grained authorization and simplifies access propagation. This is necessary for the dynamic realization of the principle of least privilege (POLP). Its virtualizability enables better integration by permitting untrusted extensions without necessitating parallel worlds. To enable better use of resources, we explore how to decompose authority and refine policy without expensive and inaccurate interposition.

2 Motivation

2.1 Security and Protection

When Alice launches a program on a commodity operating system, the program instance typically runs with her full authority. A web browser, although its core functionality only depends on a network connection, a window on which to render content and a fixed number of resources known in advance, has access to all of her resources and can even control other program instances running on her behalf. Alice has no protection from unauthorized disclosure, tampering or disruption of service.

Although Alice may have learned through experience to trust her web browser, it operates on externally supplied data and loads plug-ins. It also contains bugs [22]. By finding a weakness in the code which processes external input, an attacker is able to confuse Alice's web browser and gain all of her authority. Such attacks are so easy that these compromised machines, so-called bots, can be purchased on the black market for $0.04 each [30].

2.2 Resource Management

Commodity operating systems transparently manage scarce resources, ostensibly relieving applications of this complexity. The exposed resource abstractions, however, have loose access characteristics, i.e., a large gap between average and worst case access times, frustrating application efforts to maximize performance and realize real-time properties.

2.2.1 Efficient resource usage

The ever increasing performance gap between backing store and main memory makes paging increasingly expensive. Many applications possess information which can significantly improve scheduling but is inaccessible to a scheduler which only monitors behavior.

Performance

Garbage collectors and databases are two classes of applications evaluated against the clock. Although these applications often have access patterns which differ significantly from those which the operating system can detect and some are able to predict their own access patterns, exploiting this local information requires either having closely guarded privilege to use, e.g., mlock, or relying on implementation details [29, 1, 16]. Although extensions exist to provide mechanisms for application input, they are not expressive, e.g., madvise, or cooperative, making the memory manager vulnerable to malicious applications [16].

Caching

Many applications are able to save a significant number of CPU cycles as well as power by caching calculated data and intermediate results for opportunistic reuse. As the data is often large, e.g., a decompressed JPEG, there is a significant opportunity cost associated with such caching: the data occupies memory, possibly causing more valuable data to be paged; and the operating system may page the cached data, which may be more expensive than simply recomputing it on demand.

Because commodity operating systems provide no way for applications to prevent this paging and because applications do not know how much memory is idle, they must act conservatively. GQView, a popular image viewer for GNOME, maintains, by default, a 10MB cache of rendered images [11]. gThumb, another image viewer for GNOME, keeps a static cache of four images and preloads the image following and that previous to the requested image [4]. Neither application pro-actively frees its cache.

Nokia, in the development of their Internet Tablet platform, Maemo, acknowledged this problem and introduced a feedback mechanism, an event source, allowing cooperative applications to obtain global contention and to adapt their resource use accordingly [21].

Virtualization

Virtual machine monitors (VMMs) are currently used for resource consolidation with compartments sometimes requiring guaranteed levels of quality of service [33]. They are also being used as an isolation mechanism for the enforcement of security policies [23]. As this technology is improved, it is plausible that it will be applied at a finer granularity and made available to users. This will require mechanisms for limited breaching of the isolation barrier to enable composition and collaboration. (Such VMMs would increasingly resemble reference monitors [2].) To provide quality of service and enable efficiency, such a scheme would require that resources be strictly accounted, easily decomposed, delegatable and dynamically reallocatable.

Engineering and economy of scale

Devices, especially consumer electronics, are being increasingly sold based not on their resource abundance but on their functionality. This is in tension with the desire to reduce engineering costs by using commodity operating systems with moderate increases in resource requirements relative to more specialized systems. One might expect such a trade off to be quickly mitigated by the ever increasing abundance of processing power and memory and their respective decreases in cost. Contrariwise, Linksys recently revised their popular router to use VxWorks instead of GNU/Linux and were able to halve the 16MB RAM and 4MB of flash, thereby increasing profitability despite the engineering costs [20]. This argument, that it is significantly cheaper to improve the software than to increase the available resources, has also been made by the developers of the One Laptop Per Child project [13].

2.2.2 Real-time properties

Real-time and adaptive applications need a mechanism to obtain statistical guarantees regarding resource schedules [9]. Although POSIX provides mechanisms such as mlock to allocate physical memory, this privilege is closely held to prevent misuse and abuse. Yet, few commodity applications actually require such firm guarantees. To work around this deficiency, application developers often take advantage of implementation details. Reliance on this is problematic as the behavior is not part of the API contract and can change. The authors of Cedega, a Windows emulator for games, encountered this when Linux's CPU scheduler was modified [31].

2.3 Integration

Integration depends on uniform access mechanisms. One of the most visible interfaces is the virtual file system (VFS). Normally, users are not able to provide new implementations or start new file system instances which integrate into the VFS as this is normally only available to programs running in the kernel. Although it is possible to upload code into the kernel, it is undesirable as it is not able to be constrained.

This situation has led to the development of parallel interfaces. The GNOME project's GnomeVFS and KDE's KIO-Slave both expose a new VFS to their respective applications so as to more seamlessly integrate interesting file systems such as those accessible over ftp and ssh. Yet these technologies are, at best, only half integrated: an application that does not make use of, e.g., the KDE VFS exposes a very different file system layout. The Linux developers have also acknowledged this and recently introduced an API to allow users to safely provide their own file systems running in user space.

3 A System Structure

We have selected a capability based framework [7, 34, 15, 27, 12] as it appears to provide the necessary foundational mechanisms. The power of capabilities lies in their bundling of authorization and designation. This permits fine grained objects and enables access to be propagated in a single step unlike, e.g., on an ACL based system where designation and authorization are separated, frustrating delegation [19].

Below, we briefly address how capabilities help solve the aforementioned problems and outline the additional mechanisms required to build a system.

3.1 Protection and Security

On commodity operating systems, programs run with all of the authority of the user who started them. This is excessive. A more secure mode of operation would be one where users are able to delegate just the authority a program instance requires to carry out their intent, the principle of least privilege (POLP) [24]. Thus, when a program goes awry, damage would be restricted to those resources to which it has access.

Although it is technically possible to achieve such controlled sharing, e.g., on Unix using an additional UID and chroot, it is so unwieldy to configure as to be used only by experts in special scenarios. A successful mechanism must be consistent with the principle of fail-safe defaults: it must be the default and require effort to violate [24]. In addition, for interactive programs where a reasonable minimum authority cannot be calculated a priori, it must be straightforward for the user to delegate additional access rights after it has started, dynamic POLP. Capability systems can provide this with the help of a so-called powerbox [28, 25]. Instead of creating an open or save dialog, the application invokes the user's trusted powerbox, which, having all of the user's authority, interacts with the user and then delegates access to the selected resources to the program. This change is largely invisible to users and applications.

As capabilities are held by processes, a mechanism needs to be provided for their recovery, for programs to be able to restore their configuration on system restart. A desktop manager, for instance, would like to remember what programs were running; applications would like to record resources in use. This configuration management problem is referred to as trusted recovery [8] and is ignored by commodity operating systems as all of a user's programs run in the same trust domain.

Currently, applications store file names; however, this requires that program instances run with the full authority of the user in violation of POLP. Having program instances remember delegations and replay them on restart is fragile and complicated by the fact that delegations are made to program instances and several instances of a program may run in different trust domains. Instead, this problem can be circumvented by making the system persistent: the access graph need, then, never be recreated. Although seemingly overkill, this is already the aim of desktop managers and is directly realized by many laptops and an increasing number of desktops in the form of suspend or hibernate. To this end, EROS uses a single level store to realize orthogonal persistence [26]. Another approach is exportable state [32, 14].
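The powerbox flow and the bundling of designation with authorization, as an added Python sketch that is not code from the paper nor from Plash or Polaris, the systems it cites: a program instance starts with no authority at all, the chooser callback stands in for the dialog the powerbox presents to the user, and the capability handed back designates only the chosen file with only the requested rights. File names, contents and all class and function names are constructed for this illustration.

```python
"""Object-capability sketch of dynamic POLP through a powerbox (paper, section 3.1).
Added example with hypothetical names; not the paper's code or any cited system's."""
from typing import Callable, Dict, FrozenSet, List, Optional


class FileObject:
    """A server-side object. User code never names it by path; the only route
    to it is a capability that designates it."""

    def __init__(self, contents: str) -> None:
        self._contents = contents

    def read(self) -> str:
        return self._contents

    def write(self, data: str) -> None:
        self._contents = data


class Capability:
    """Designation and authorization in one unforgeable reference. Rights can
    only be attenuated; there is deliberately no way to add one."""

    def __init__(self, obj: object, rights: FrozenSet[str]) -> None:
        self._obj, self._rights = obj, rights

    @property
    def rights(self) -> FrozenSet[str]:
        return self._rights

    def invoke(self, method: str, *args):
        if method not in self._rights:
            raise PermissionError(f"capability does not carry {method!r}")
        return getattr(self._obj, method)(*args)

    def weaken(self, keep: FrozenSet[str]) -> "Capability":
        return Capability(self._obj, self._rights & keep)


class Powerbox:
    """Trusted component holding the user's full authority. An application
    invokes it in place of its own open dialog; the chooser callback stands in
    for the interaction with the user and returns the selected name or None."""

    def __init__(self, authority: Dict[str, Capability],
                 chooser: Callable[[List[str]], Optional[str]]) -> None:
        self._authority, self._chooser = authority, chooser

    def open_dialog(self, rights: FrozenSet[str]) -> Optional[Capability]:
        choice = self._chooser(sorted(self._authority))
        if choice is None:
            return None
        # delegate only the chosen resource, attenuated to the requested rights
        return self._authority[choice].weaken(rights)


class ProgramInstance:
    """Starts with no authority and holds only what the powerbox delegates
    after launch (dynamic POLP). It has no way to name other files at all."""

    def __init__(self) -> None:
        self.caps: List[Capability] = []

    def open_document(self, powerbox: Powerbox) -> Optional[str]:
        cap = powerbox.open_dialog(frozenset({"read"}))
        if cap is None:
            return None
        self.caps.append(cap)
        return cap.invoke("read")


def user_authority() -> Dict[str, Capability]:
    # constructed sample: the user's two files, held by her with full rights
    files = {"notes.txt": "meeting at 10", "secret.key": "constructed-secret"}
    return {name: Capability(FileObject(text), frozenset({"read", "write"}))
            for name, text in files.items()}


def demo() -> dict:
    authority = user_authority()
    app = ProgramInstance()
    # the user picks notes.txt; a chooser returning None models cancelling the dialog
    text = app.open_document(Powerbox(authority, lambda names: "notes.txt"))
    cancelled = app.open_document(Powerbox(authority, lambda names: None))
    try:
        app.caps[0].invoke("write", "tampered")    # read-only capability: refused
        write_refused = False
    except PermissionError:
        write_refused = True
    return {"text": text, "cancelled": cancelled, "caps_held": len(app.caps),
            "rights": set(app.caps[0].rights), "write_refused": write_refused,
            "notes_intact": authority["notes.txt"].invoke("read")}
```

The point to notice is what the program instance cannot do: there is no lookup by name anywhere in its reach, so secret.key is not merely forbidden but undesignatable, and the attenuated capability it does receive cannot be widened back to write access.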
3.2 Resource Management
More effective use of resources can be achieved by providing resources with tighter access characteristics, exposing the resource schedule and inexpensive decomposition and delegation. We temper the solution space with the requirement that mechanisms and policies must also be safe. To achieve this, we prefer specificity over generality through the elimination of unmotivated functionality. This is in contrast to extensible kernels whose emphasis is on generality, which has been criticized as introducing unjustified complexity frustrating safety [10]. Exokernels, a class of extensible kernels, aim to securely export physical resources at as fine a granularity as possible and hide as few policy decisions as feasible, including resource revocation [18]. To achieve this, an exokernel uses so-called visible revocation. We observe two shortcomings with this approach.

First, when an application is chosen to yield memory, it receives an upcall and is given a set amount of time to return some amount of memory. To avoid creating a functional dependency on the correct behavior of applications, the kernel must impose a deadline. When this is too short, an otherwise correct application will generate a spurious fault. When this is too long, a malicious application may be able to induce a denial of service. Although spurious faults can be avoided by taking the position that all code in the page-out path must be hard real-time capable, writing correct real-time capable code is notoriously difficult and it induces conservative behavior, reducing the possibility of best effort optimizations.

Second, because managing resources requires resources that the kernel may choose to reclaim at any time, an application must make provisions to allow a third party to manage these latter resources on its behalf.
These shortcomings motivate the reintroduction of transparent paging and could be viewed as a failure of exokernel principles to generalize. We sacrifice generality and instead aim to allow applications to drive resource management in a consistent, straightforward fashion.

Distribution Policy

There are three parties interested in specifying scheduling policy on others: supervisors, developers and users.

A system administrator would like the available resources to be distributed according to some rather static fairness property among users and the various system services (or VMMs). This should not be understood to mean that the allocations are static but that the allocation policy changes relatively infrequently.

Developers who build systems with a number of activities generally statically assign priorities to them. A multimedia player or game engine, for instance, would assign the audio decoder a higher priority than the video decoder as people are more sensitive to audio jitter.

Users, to ensure that they always remain in control, have as their top priorities the event input thread and the window manager. These trusted applications would be run under a highest priority first (HPF) regime. The balance would be aggregated under a lower priority and scheduled according to, e.g., a proportional share policy. The distribution of priorities among these applications depends on a user's priorities, i.e., it is a function of real world tasks and goals. Having the user change application priorities manually is cumbersome. Fortunately, priorities can often be inferred from a user's actions. The application with the focus likely has a high importance to the user and should therefore have a high priority. Minimized applications are likely less important. For some applications, e.g., an audio player, the user may desire a permanently high priority independent of their respective window states. To accommodate this, the user must have the possibility to override the priority, which can be remembered by the window manager. The distributor could also provide hints about the appropriate policy. We postulate that a small number of fixed policies is sufficient for most useful scheduling scenarios.

Multiplexing Policy

As resources are scarce, applications have an interest in multiplexing what is available: determining how CPU is used and which data is held in memory. This can be achieved with scheduler activations [3] and providing control over the eviction policy.

Additionally, applications which need to articulate scheduling parameters such as duration and jitter, in particular real-time and adaptive applications, also need to be supported via, e.g., imprecise computation [17].

Framework

In none of the presented distribution scenarios does the parent process need to participate in admission or allocation: it is sufficient for it to describe a policy. Likewise, applications do not generally care what the controlling policy is: they request schedules which are either admitted or not. As such, we allow policy to be articulated hierarchically but centralize admission control and scheduling, thereby circumventing the process hierarchy for the realization of this mechanism.

By separating the specification of policy from scheduling, the latter can be determined quickly and more accurately. A highly nested process need not request a schedule from its parent, which must translate the request to its parent's vocabulary, etc.; it directly requests a schedule from the system scheduler. Likewise, when the schedule must be changed either due to policy (based, e.g., on contention) or due to a policy change, schedules can be quickly recalculated and processes directly informed. As the scheduling hierarchy can be complex, the calculation of schedules can become complicated. We contend, however, that policy change is relatively infrequent compared with admission requests and resource usage, reducing potential overhead.
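The distribution scenarios and the "hierarchical policy, central realization" framework above, as one added Python example (not the paper's code): the user's trusted set sits under HPF at the top of a policy tree, the balance under proportional share, ordinary applications' weights are inferred from window state unless the user pinned one, and a single central scheduler computes every leaf's CPU share from the whole tree, admits a leaf's request directly whatever its depth, and after a policy change reports exactly which leaves to inform. The node and function names, the weights 4/2/1 and the work-conserving water-filling split are assumptions of this sketch.

```python
"""Hierarchical scheduling policy realized by one central scheduler (paper, section 3.2,
'Distribution Policy' and 'Framework'). Added example with hypothetical names."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EPS = 1e-12

@dataclass(eq=False)
class PolicyNode:
    """`policy` says how this node's children share its budget: "hpf" (highest
    priority first; `weight` is the priority) or "proportional" (`weight` is the
    share weight). `demand` caps a leaf's use as a fraction of the machine."""
    name: str
    policy: str = "proportional"
    weight: float = 1.0
    demand: float = 1.0
    parent: Optional["PolicyNode"] = field(default=None, repr=False)
    children: List["PolicyNode"] = field(default_factory=list)

    def add(self, name: str, **kw) -> "PolicyNode":
        child = PolicyNode(name, parent=self, **kw)
        self.children.append(child)
        return child

    def total_demand(self) -> float:
        if not self.children:
            return self.demand
        return sum(c.total_demand() for c in self.children)

def infer_weight(window_state: str, pinned: Optional[float] = None) -> float:
    """Priority inferred from the window manager's view of the user's attention,
    unless the user pinned one (e.g. for an audio player)."""
    if pinned is not None:
        return pinned
    return {"focused": 4.0, "normal": 2.0, "minimized": 1.0}[window_state]

def _split(node: PolicyNode, budget: float) -> Dict[PolicyNode, float]:
    """Divide `budget` among the node's children under the node's policy."""
    grant = {c: 0.0 for c in node.children}
    if node.policy == "hpf":
        remaining = budget
        for c in sorted(node.children, key=lambda c: -c.weight):
            grant[c] = min(c.total_demand(), remaining)
            remaining -= grant[c]
        return grant
    # proportional share, work-conserving: a child at its demand cap frees its
    # surplus for the others (water-filling, one round per capped child)
    active, remaining = list(node.children), budget
    while active and remaining > EPS:
        total_w = sum(c.weight for c in active)
        for c in list(active):
            grant[c] += min(remaining * c.weight / total_w, c.total_demand() - grant[c])
            if c.total_demand() - grant[c] <= EPS:
                active.remove(c)
        remaining = budget - sum(grant.values())
    return grant

def schedule(root: PolicyNode, budget: float = 1.0) -> Dict[str, float]:
    """Central computation of every leaf's CPU fraction from the whole tree."""
    result: Dict[str, float] = {}
    for child, share in _split(root, budget).items():
        if child.children:
            result.update(schedule(child, share))
        else:
            result[child.name] = share
    return result

class CentralScheduler:
    """Holds the policy tree and the current schedules. Any leaf, however deeply
    nested, is admitted here directly and is told when its share changes."""

    def __init__(self, root: PolicyNode) -> None:
        self.root, self.current = root, schedule(root)

    def admit(self, leaf: str, request: float) -> bool:
        return request <= self.current.get(leaf, 0.0) + EPS

    def policy_changed(self) -> List[str]:
        """Recompute after a (rare) policy change; return the leaves to inform."""
        new = schedule(self.root)
        changed = sorted(n for n in set(new) | set(self.current)
                         if abs(new.get(n, 0.0) - self.current.get(n, 0.0)) > 1e-9)
        self.current = new
        return changed

def demo() -> dict:
    root = PolicyNode("system", policy="hpf")              # user's top level: trusted set first
    root.add("input", weight=3, demand=0.05)
    root.add("wm", weight=2, demand=0.10)
    apps = root.add("apps", weight=1)                       # the balance, proportional share
    browser = apps.add("browser", weight=infer_weight("focused"))
    editor = apps.add("editor", weight=infer_weight("normal"))
    apps.add("audio", weight=infer_weight("minimized", pinned=4.0))     # user's override
    apps.add("terminal", weight=infer_weight("minimized"), demand=0.02)
    sched = CentralScheduler(root)
    before = dict(sched.current)
    admitted = (sched.admit("browser", 0.3), sched.admit("editor", 0.3))
    browser.weight, editor.weight = infer_weight("normal"), infer_weight("focused")  # focus moved
    return {"before": before, "admitted": admitted, "informed": sched.policy_changed(),
            "after": dict(sched.current)}
```

Note that the parent nodes never take part in admission: `apps` only carries a policy, and `browser` asks the central scheduler, which already knows the whole tree. When focus moves from the browser to the editor, only those two leaves are reported as changed, because the audio player's pinned weight and the terminal's small demand leave their shares untouched.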
Adherence to schedules as well as reduction of cross talk require accurate resource accounting of both the resources a principal directly uses as well as those it indirectly uses, i.e., those allocated by servers on its behalf. To achieve this, we introduce a mechanism, resource pools, similar to EROS's space banks [26] and resource containers [5]. We account memory and backing store individually, unlike EROS.

A resource pool specifies a scheduling policy for resources allocated against it. A new pool can be derived from an existing pool and delegated. The policy applied to the derived pool can refine the policy imposed by the parent. As such, resource pools form a hierarchy and children are strictly dominated by their parents.

Resource pools are used for controlling inferior processes. A process derives a resource pool from its own and specifies any scheduling parameters. It then runs the child out of this inferior pool and passes it a weakened form, which does not allow control of the scheduling policy. The child allocates all resources out of this pool. At any time, the parent can destroy the derived pool and, in doing so, destroy the child and everything that it allocated including temporary files and other processes.

Pools are also passed to servers when the server must allocate resources on behalf of a client, e.g., memory for session state (although we try to avoid sessions when possible). This improves the ability of the server to honor any quality of service guarantees and provides a way for the client to reclaim resources if the server misbehaves.

Revocation

When a process's schedule has changed, action may need to be taken to reclaim resources. For instance, when a process's memory allocation is reduced, pages may need to be saved. Similarly, when resources need to be multiplexed, a scheduling decision must be made. Allowing applications control of this policy is essential to exploiting local information, improving performance and meeting real-time requirements.
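The resource pool mechanism described above, as an added Python example that is not the paper's code and is not modelled on EROS's space banks: pools form a hierarchy in which every page charged to a pool is charged to all its ancestors, a derived pool may only refine its parent's limit, a child runs out of a weakened handle that can allocate and derive but not destroy or reconfigure, a server charges a client's session state to the pool the client passed in, and destroying a pool reclaims the whole subtree, including whatever a plug-in or a server allocated. Scheduling policy is left out of this sketch, which accounts memory only; all names and sizes are constructed.

```python
"""Resource pools (paper, section 3.2): hierarchical accounting of memory for a process
and for what servers allocate on its behalf. Added example with hypothetical names."""
from typing import Dict, Iterator, List, Optional

class PoolDestroyed(Exception):
    pass

class ResourcePool:
    """Pages charged here are charged to every ancestor too, so a parent always
    sees what its whole subtree holds."""

    def __init__(self, name: str, limit: int, parent: Optional["ResourcePool"] = None) -> None:
        if parent is not None and limit > parent.limit:
            raise ValueError("a derived pool may refine, not exceed, its parent")
        self.name, self.limit, self.parent = name, limit, parent
        self.children: List["ResourcePool"] = []
        self.allocations: Dict[str, int] = {}   # objects charged directly to this pool
        self.used = 0                            # pages held by this whole subtree
        self.alive = True
        if parent is not None:
            parent.children.append(self)

    def chain(self) -> Iterator["ResourcePool"]:
        node: Optional[ResourcePool] = self
        while node is not None:
            yield node
            node = node.parent

    def derive(self, name: str, limit: int) -> "ResourcePool":
        return ResourcePool(name, limit, parent=self)

    def weaken(self) -> "WeakPool":
        return WeakPool(self)

    def allocate(self, name: str, pages: int) -> bool:
        """Charge every pool up the chain, or none of them if any would overflow."""
        if not self.alive:
            raise PoolDestroyed(self.name)
        if any(p.used + pages > p.limit for p in self.chain()):
            return False
        for p in self.chain():
            p.used += pages
        self.allocations[name] = pages
        return True

    def destroy(self) -> List[str]:
        """Tear down the subtree and credit the chain: how a parent kills a child
        together with its temporary files and any processes it started."""
        reclaimed: List[str] = []
        for child in list(self.children):
            reclaimed += child.destroy()
        for name, pages in self.allocations.items():
            for p in self.chain():
                p.used -= pages
            reclaimed.append(name)
        self.allocations.clear()
        self.alive = False
        if self.parent is not None:
            self.parent.children.remove(self)
        return reclaimed

class WeakPool:
    """What a child or a server receives: allocate and derive, but nothing that
    would let it destroy the pool or change the policy it runs under."""

    def __init__(self, pool: ResourcePool) -> None:
        self._pool = pool

    def allocate(self, name: str, pages: int) -> bool:
        return self._pool.allocate(name, pages)

    def derive(self, name: str, limit: int) -> ResourcePool:
        return self._pool.derive(name, limit)

class FileServer:
    """Keeps per-client session state in the pool the client passed in, so the
    client pays for it and can take it back at any time."""

    def __init__(self) -> None:
        self.sessions: Dict[str, WeakPool] = {}

    def open_session(self, client: str, pool: WeakPool, pages: int) -> bool:
        if not pool.allocate(f"session-{client}", pages):
            return False
        self.sessions[client] = pool
        return True

    def grow_session(self, client: str, pages: int) -> bool:
        try:
            return self.sessions[client].allocate(f"session-{client}-extra", pages)
        except PoolDestroyed:
            del self.sessions[client]       # the client revoked the pool: drop its state
            return False

def demo() -> dict:
    root = ResourcePool("root", limit=1000)
    alice = root.derive("alice", limit=600)                # administrator's per-user limit
    browser = alice.derive("browser", limit=200)           # alice's browser instance
    weak = browser.weaken()                                 # all the browser ever holds
    weak.allocate("browser-heap", 150)
    plugin = weak.derive("plugin", limit=40)                # browser runs a plug-in the same way
    plugin.allocate("plugin-tmpfile", 30)
    big_cache_ok = weak.allocate("big-cache", 100)         # 150 + 30 + 100 > 200: refused
    server = FileServer()
    opened = server.open_session("browser", weak.derive("session", limit=20).weaken(), 10)
    used_before = (root.used, alice.used, browser.used, plugin.used)
    reclaimed = browser.destroy()                           # alice ends the browser: all of it goes
    grew = server.grow_session("browser", 5)                # server finds its pool gone
    return {"big_cache_ok": big_cache_ok, "opened": opened, "used_before": used_before,
            "reclaimed": reclaimed, "used_after": (root.used, alice.used), "grew": grew,
            "sessions_left": len(server.sessions)}
```

Two properties carry the security weight here: an allocation either charges the whole chain or nothing, so no ancestor ever under-counts its subtree, and destruction walks the subtree first, so the plug-in's temporary file and the server's session state are reclaimed by the parent without the child's or the server's cooperation.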
We have noted that rendered data can be recomputed without loss of information and, thus, can be discarded without negative consequences. Caching this data in idle memory is desirable as it can significantly improve best-effort applications. As commodity operating systems are unable to distinguish this memory from normal anonymous memory, they must page it.

We propose two mechanisms which permit the memory manager to be able to distinguish such data and to be able to discard it with no negative consequences. We introduce a function which allows applications to mark data as being discardable. This allows the memory manager to simply discard it when it is chosen for eviction. When a thread next accesses the virtual memory region, it receives a fault indicating what has happened, allowing the application to recompute the data. These mechanisms never require that the memory manager wait on a response from the application: when the application must act, it is in response to a fault.

To allow increased control of how the rest of memory is paged, i.e., the eviction policy, the application assigns priorities to allocated memory. When the manager evicts a page, it selects the lowest priority page. If there are multiple pages, then it selects the one approximately least recently used.

When a page is evicted, the application can request to receive an event the next time it is scheduled. This requires resources for the manager to hold which page was evicted, necessitating care. When the virtual memory is again referenced, the operating system can send a fault to the application or transparently page it back in.
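The discardable-memory and priority-eviction mechanisms of the last three paragraphs, as an added Python simulation that is not the paper's code: a region marked discardable is dropped on eviction with no writeback and the next access raises a fault that the application answers by recomputing; other regions are written back and transparently paged in; the victim is always the lowest-priority page, with least-recently-used (exact here, approximate in a kernel) as the tie-break; and a region can ask to be told about its evictions via a queue drained when the application next runs. The manager never waits on the application. Frame count, region names and page contents are constructed.

```python
"""Memory-manager sketch of the paper's two mechanisms (section 3.2, 'Revocation'):
discardable regions are dropped, not paged, and reported by a fault on next access;
application-assigned priorities drive eviction. Added example, hypothetical names."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

class DiscardFault(Exception):
    """Raised on the next touch of a discarded page; args == (region, index)."""

@dataclass
class Page:
    region: str
    index: int
    data: bytes
    resident: bool = False
    last_use: int = 0

@dataclass
class Region:
    priority: int                    # lower is evicted first
    discardable: bool                # drop instead of writing back
    want_event: bool = False         # app asked to hear about evictions
    pages: List[Page] = field(default_factory=list)

class MemoryManager:
    def __init__(self, frames: int) -> None:
        self.frames, self.clock = frames, 0
        self.regions: Dict[str, Region] = {}
        self.backing_store: Dict[Tuple[str, int], bytes] = {}
        self.pending_events: List[Tuple[str, int]] = []  # delivered when the app next runs
        self.stats = {"discards": 0, "writebacks": 0, "pageins": 0}

    def _resident(self) -> List[Page]:
        return [p for r in self.regions.values() for p in r.pages if p.resident]

    def _touch(self, page: Page) -> None:
        self.clock += 1
        page.last_use, page.resident = self.clock, True

    def _evict_one(self) -> None:
        # lowest priority first, then least recently used
        victim = min(self._resident(), key=lambda p: (self.regions[p.region].priority, p.last_use))
        region = self.regions[victim.region]
        if region.discardable:
            victim.data = b""                          # nothing to save; app recomputes on fault
            self.stats["discards"] += 1
        else:
            self.backing_store[(victim.region, victim.index)] = victim.data
            self.stats["writebacks"] += 1
        victim.resident = False
        if region.want_event:
            self.pending_events.append((victim.region, victim.index))

    def _make_room(self) -> None:
        while len(self._resident()) >= self.frames:
            self._evict_one()

    def allocate(self, name: str, npages: int, priority: int, discardable: bool = False,
                 fill: bytes = b"\0") -> None:
        region = self.regions[name] = Region(priority, discardable)
        for i in range(npages):
            page = Page(name, i, fill)
            self._make_room()
            self._touch(page)
            region.pages.append(page)

    def access(self, name: str, index: int) -> bytes:
        page = self.regions[name].pages[index]
        if not page.resident:
            if self.regions[name].discardable:
                raise DiscardFault(name, index)      # the manager never waits on the app
            self._make_room()                        # transparent page-in
            page.data = self.backing_store.pop((name, index))
            self.stats["pageins"] += 1
        self._touch(page)
        return page.data

    def refill(self, name: str, index: int, data: bytes) -> None:
        """The application's answer to a DiscardFault: install recomputed data."""
        page = self.regions[name].pages[index]
        self._make_room()
        page.data = data
        self._touch(page)

def demo() -> dict:
    mm = MemoryManager(frames=3)
    mm.allocate("cache", 2, priority=1, discardable=True, fill=b"rendered")
    mm.allocate("heap", 2, priority=5, fill=b"H")     # 4th page: cache[0] is discarded, not paged
    mm.regions["heap"].want_event = True
    try:
        mm.access("cache", 0)
        faulted = None
    except DiscardFault as fault:
        faulted = fault.args
        mm.refill("cache", 0, b"recomputed")          # needs a frame: cache[1] is discarded too
    mm.regions["cache"].priority = 9                   # app re-prioritises; heap is now cheapest
    mm.allocate("scratch", 1, priority=2)              # heap[0] written back, event queued
    heap0 = mm.access("heap", 0)                       # paged back in; scratch[0] written back
    return {"faulted": faulted, "heap0": heap0, "events": list(mm.pending_events), **mm.stats}
```

The cost asymmetry the paper argues from is visible in the counters: the two evictions of the rendered cache cost nothing but a later recompute, while the two evictions of ordinary memory each cost a writeback and one of them a page-in as well.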
3.3 Integration
Capability systems enable fine grained virtualization: whether a kernel or user object, its methods are accessed using the same mechanism, capability invocation. Further, as each service is typically encapsulated by a different object, a single service can be proxied, extended or monitored without imposing overhead on other services.
4 Conclusion
We have identified a number of problems with commodity operating systems: they fail to provide adequate protection; their resource management strategies lead to inefficient resource use and cannot be effectively used in meeting real-time properties; and they lack integration. We propose a class of operating systems which may be able to solve the most egregious of these. Based on a capability framework, such a system permits the realization of dynamic POLP and virtualizable interfaces. To improve resource scheduling, we provide applications with more control over the scheduling policy. We argue that only a small number of scheduling policies are required in practice. Thus sacrificing generality for safety, we permit applications to articulate scheduling policy to a centralized scheduler. This permits access decomposition and policy refinement without process interposition.

We acknowledge that radical new designs will not be accepted if users cannot run even one or two of their legacy applications. The Hurd, another multi-server system, successfully provided a high degree of API compatibility via a so-called fat C library which implemented the legacy interfaces in terms of Hurd mechanisms [6].
5 Acknowledgements

We thank J. Shapiro for many discussions about security and system design, and T. Schwinge for feedback.
References

[1] Alonso, R., and Appel, A. W. An advisor for flexible working sets. In Proceedings of the 1990 ACM SIGMETRICS Conference on Measurement and Modeling of Computer Systems (1990).
[2] Anderson, J. P. Computer security technology planning study. Tech. rep., Electronic Systems Division, Oct. 1972.
[3] Anderson, T. E., Bershad, B. N., Lazowska, E. D., and Levy, H. M. Scheduler activations: Effective kernel support for the user-level management of parallelism. In Proceedings of the 13th ACM Symposium on Operating Systems Principles (1991).
[4] Bacchilega, P. gThumb v2.8.0. http://gthumb.sf.net, Nov. 2006.
[5] Banga, G., Druschel, P., and Mogul, J. C. Resource containers: A new facility for resource management in server systems. In 3rd USENIX Symposium on Operating Systems Design and Implementation (Feb. 1999).
[6] Bushnell, M. Towards a new strategy of OS design. GNU's Bulletin 1, 16 (Jan. 1994).
[7] Dennis, J. B., and Van Horn, E. C. Programming semantics for multiprogrammed computations. Communications of the ACM 9, 3 (Mar. 1966), 143–155.
[8] Department of Defense. Trusted Computer System Evaluation Criteria, DOD 5200.28-STD. Dec. 1985.
[9] Domjan, H., and Gross, T. R. Managing resource reservations and admission control for adaptive applications. In 30th International Conference on Parallel Processing (2001).
[10] Druschel, P., Pai, V. S., and Zwaenepoel, W. Extensible kernels are leading OS research astray. Proceedings of the 6th Workshop on Hot Topics in Operating Systems (May 1997).
[11] Ellis, J. GQView v2.0.4. http://gqview.sf.net, Dec. 2006.
[12] Ford, B., Hibler, M., Lepreau, J., Tullmann, P., Back, G., and Clawson, S. Microkernels meet recursive virtual machines. 2nd USENIX Symposium on Operating Systems Design and Implementation (Oct. 1996).
[13] Getty, J. $100 laptop / OLPC (One Laptop Per Child). http://gettysfamily.org/wordpress/?p=11, Nov. 2005.
[14] Haeberlen, A., and Elphinstone, K. User-level management of kernel memory. In Proceedings of the Eighth Asia-Pacific Computer Systems Architecture Conference (Sept. 2003).
[15] Hardy, N. The KeyKOS architecture. In Operating Systems Review (Oct. 1985), vol. 19, pp. 8–25.
[16] Hertz, M., Feng, Y., and Berger, E. D. Garbage collection without paging. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (June 2005).
[17] Hull, D., Feng, W., and Liu, J. W. S. Operating system support for imprecise computation. In AAAI Fall Symposium on Flexible Computation (Nov. 1996).
[18] Kaashoek, M. F., Engler, D. R., Ganger, G. R., Briceño, H. M., Hunt, R., Mazières, D., Pinckney, T., Grimm, R., Jannotti, J., and Mackenzie, K. Application performance and flexibility on exokernel systems. 16th Symposium on Operating Systems Principles (1997).
[19] Miller, M. S., Tulloh, B., and Shapiro, J. S. The structure of authority: Why security is not a separable concern. In MOZ 2004 Workshop (2005), vol. 3389 of Lecture Notes in Artificial Intelligence, Springer-Verlag.
[20] Needleman, R. Technology marches backward. http://reviews.cnet.com/4520-30007-6542073.html, June 2006.
[21] Nokia. Maemo, the application development platform for the Nokia 770 internet tablet. http://maemo.org.
[22] Ostrand, T., Weyuker, E., and Bell, R. Where the bugs are. In ACM SIGSOFT International Symposium on Software Testing and Analysis (2004), pp. 86–96.
[23] Sailer, R., Jaeger, T., Valdez, E., Cáceres, R., Perez, R., Berger, S., Griffin, J., and van Doorn, L. Building a MAC-based security architecture for the Xen open-source hypervisor. 21st Annual Computer Security Applications Conference (Dec. 2005).
[24] Saltzer, J. H., and Schroeder, M. D. The protection of information in computer systems. In Proceedings of the IEEE (1975), vol. 63, pp. 1278–1308.
[25] Seaborn, M. Plash: tools for practical least privilege. http://plash.beasts.org.
[26] Shapiro, J. S., and Adams, J. Design evolution of the EROS single-level store. In 2002 USENIX Annual Technical Conference (2002), pp. 59–72.
[27] Shapiro, J. S., Smith, J. M., and Farber, D. J. EROS: a fast capability system. In Symposium on Operating Systems Principles (1999), pp. 170–185.
[28] Stiegler, M., Karp, A. H., Yee, K.-P., and Miller, M. Polaris: Virus safe computing for Windows XP. Communications of the ACM 49, 9 (2006), 83–88.
[29] Stonebraker, M. Operating system support for database management. Communications of the ACM 24, 7 (July 1981), 412–418.
[30] Thomas, R., and Martin, J. The underground economy: priceless. ;login: 31, 6 (Dec. 2006).
[31] TransGaming. September development status and voting report. http://www.transgaming.com/showthread.php?news=126, 2004.
[32] Tullmann, P., Lepreau, J., Ford, B., and Hibler, M. User-level checkpointing through exportable kernel state. IEEE International Workshop on Object-Orientation in Operating Systems (Oct. 1996).
[33] Waldspurger, C. A. Memory resource management in VMware ESX server. 5th Symposium on Operating Systems Design and Implementation (Dec. 2002).
[34] Wulf, W., Cohen, E., Corwin, W., Jones, A., Levin, R., Pierson, C., and Pollack, F. HYDRA: The kernel of a multiprocessor operating system. Communications of the ACM 17, 6 (June 1974), 337–345.