|Speaker:||Jonathan S. Shapiro|
IBM T.J. Watson Research Center
|Topic:||EROS: A Capability System|
|Date:||Thursday, March 2, 2000|
|Place:||Gould-Simpson, Room 701|
EROS is a capability-based operating system that uses a consistent single-level storage model for all state including processes. The performance consequences of support for capability-based architectures and single-level stores are generally believed to be negative. Surprisingly, the basic operations of EROS (such as IPC) are generally comparable in cost to similar operations in conventional systems. EROS achieves this performance by coupling carefully chosen kernel abstractions with effective caching techniques for these abstractions. The objects implemented by the kernel are well-supported by the hardware, reducing the overhead of capabilities. The resulting performance suggests that composing protected subsystems may be less costly than commonly believed.
Capability-based architectures lend themselves to the construction and verification of certain security policies, most notably confinement. This has proven challenging on commodity systems. EROS incorporates a confinement mechanism that is intuitively straightforward. It's correctness has been rigorously verified with respect to a model covering a broad class of capability-based architectures.
This talk motivates the need for a new system of this kind. It sketches the EROS architecture and it's correspondence to commodity hardware, and presents the resulting microbenchmark performance. It describes the confinement mechanism and argues that confinement is an exceptionally useful primitive building block for higher-level security policies. While the talk does not detail the verification, it describes the method and the two complications that arise in the verification. Also, it identifies two lemmas from the verification that stand out as (a) useful design rules for secure systems that (b) are not satisfied by current commodity OS architectures.