Next: Principals and Permissions Up: Operating System Protection for Previous: Process Mediation

Implementation


The security model is implemented upon the Lava Nucleus. The Lava Nucleus provides minimal, general, and efficient functionality for building operating systems. It enables the creation of tasks (i.e., processes) with potentially-overlapping address spaces that may contain multiple threads of execution. An optimized IPC mechanism is provided for intertask communication. The Lava Nucleus also provides a mechanism for IPC redirection which we use to redirect controlled operations to our monitors.

The prototype implementation of this security model is as follows. The Grub boot loader loads the Lava Nucleus and the root Lava task. This task bootstraps the memory system and provides some basic system functionality (e.g., page-fault handling and task-id creation). This task initiates the process load server and the core system services (e.g., a network server to download components and the downloading principal's task). In general, these tasks may also have a monitor assigned to them, but do not at present. The downloading principal's task may request that a new executable task be downloaded by asking the process load server to retrieve the task's content. The process load server has the code authenticated and derives its permissions and transforms. Depending on the load option, the process load server assigns a monitor task to control the new executable. The monitor starts the new executable (or restarts the requestor if loaded into the same address space). Monitors perform both the permission management and authorization services for their tasks using transforms and permissions, respectively.

In this paper, we focus primarily on the implementation of the architecture's monitors. A monitor stores the current and maximal permissions of its content, implements its content's permission transformations, intercepts IPCs that are sent by or destined for its content, determines the authorization requirements of the operation encapsulated in the IPC, and authorizes the operation using the content's permissions. We first describe the monitor's permission representation and how it enables flexible and efficient authorization. Next, we detail the Lava Nucleus's IPC redirection mechanism. Then, we outline how an IPC is converted to the set of operations to be authorized. Lastly, we detail the authorization mechanisms used by the monitor. The monitor uses two mechanisms: a slow one for "binding" to an actual object and a fast one for subsequent calls to the same object.
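As an added illustration (not code from the Lava prototype), the following Python model captures the monitor behaviour just described: current permissions bounded by maximal permissions, a transform that can only move within that bound, a slow "bind" on first use of an object and a fast cached check afterwards. The `IPC` fields, the `(object, operation)` permission representation and the task names are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample: an intercepted IPC, reduced to the fields the monitor needs.
@dataclass(frozen=True)
class IPC:
    sender: str    # task id of the sender
    receiver: str  # task id of the destination
    obj: str       # object the operation targets (e.g. a file name)
    op: str        # operation requested on that object

class Monitor:
    """Model of one monitor: current/maximal permissions, transforms, authorization."""
    def __init__(self, content, maximal):
        self.content = content
        self.maximal = frozenset(maximal)   # (obj, op) pairs that can never be exceeded
        self.current = set(maximal)         # permissions in effect right now
        self.bindings = {}                  # obj -> ops authorized at bind time (fast path)
        self.bind_calls = 0                 # counts slow-path authorizations

    def transform(self, requested):
        """Permission transformation: never beyond maximal; cached bindings are dropped."""
        self.current = set(requested) & self.maximal
        self.bindings.clear()

    def bind(self, obj):
        """Slow path: resolve the operations allowed on obj and remember them."""
        self.bind_calls += 1
        allowed = frozenset(op for (o, op) in self.current if o == obj)
        self.bindings[obj] = allowed
        return allowed

    def authorize(self, ipc):
        """Authorize the operation encapsulated in an intercepted IPC."""
        if self.content not in (ipc.sender, ipc.receiver):
            # IPC redirection only delivers the content's own IPCs to this monitor.
            raise ValueError("IPC not sent by or destined for this content")
        allowed = self.bindings.get(ipc.obj)
        if allowed is None:          # first use of this object: bind
            allowed = self.bind(ipc.obj)
        return ipc.op in allowed     # fast path on later calls to the same object

def demo():
    """Constructed scenario: a downloaded task that may only touch /tmp/x."""
    m = Monitor("task7", {("/etc/passwd", "read"), ("/tmp/x", "read"), ("/tmp/x", "write")})
    m.transform({("/tmp/x", "read"), ("/tmp/x", "write"), ("/etc/shadow", "read")})
    first = m.authorize(IPC("task7", "fs", "/tmp/x", "write"))   # binds, allowed
    second = m.authorize(IPC("fs", "task7", "/tmp/x", "read"))   # cached, allowed
    denied = m.authorize(IPC("task7", "fs", "/etc/shadow", "read"))  # not in maximal
    return first, second, denied, m.bind_calls, m.current
```

The transform silently drops the `/etc/shadow` request because it is outside the maximal set, so the later IPC on that object is denied after a second bind.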





Trent Jaeger
Tue Dec 9 10:40:18 EST 1997