Blog

In this blog, I plan to record some of my reflection on my research, [[operating systems|blog/os]] and security, politics, in particular [[free culture|blog/freeculture]], hacking, my life and other miscellanea.

Papers

• Viengoos: A Framework for Stakeholder-Directed Resource Allocation. Submitted to EuroSys 2009.

General-purpose operating systems not only fail to provide adaptive applications the information they need to intelligently adapt, but also schedule resources in such a way that were applications to aggressively adapt, resources would be inappropriately scheduled. The problem is that these systems use demand as the primary indicator of utility, which is a poor indicator of utility for adaptive applications.

We present a resource management framework appropriate for traditional as well as adaptive applications. The primary difference from current schedulers is the use of stakeholder preferences in addition to demand. We also show how to revoke memory, compute the amount of memory available to each principal, and account shared memory. Finally, we introduce a prototype system, Viengoos, and present some benchmarks that demonstrate that it can efficiently support multiple aggressively adaptive applications simultaneously.

• Fast Capability Transfer using Existing Commodity Hardware with Tom Bachmann. Submitted to OSDI 2008.

Current operating systems provide inadequate mechanisms to protect user data. The main problem is that all of a user's programs run in the same trust domain. A better model is one which is consistent with the principle of least authority (POLA). An object-capability system may be able to better achieve this: capabilities bundle authorization and designation thereby easing delegation and the dynamic creation and management of fine-grained trust domains.

Despite this, object-capability designs are rejected due to a perceived excessive overhead resulting from the degree of decomposition and the corresponding rise in the amount of inter-process communication (IPC). Although the work on L4 has demonstrated that IPC can be made extremely fast, historically, L4 lacks mechanisms to efficiently delegate fine-grained authority.

In this paper, we present a capability transfer mechanism that exploits the memory management unit (MMU) present in all modern commodity hardware by using it to build a content addressable memory (CAM) to expedite capability resolution. For the common case of an IPC carrying a single capability, we observe a 2% increase in message transfer time compared to a less flexible but more commonly used IPC implementation based on capability registers. Relative to the time taken to transfer a similarly sized message containing just data on L4Ka::Pistachio, we observe a 16% increase.

• A Critique of the GNU Hurd Multi-server Operating System with Marcus Brinkmann. ACM SIGOPS Operating Systems Review special issue on Secure Small-Kernel Systems, 41(3), July 2007. (bibtex)

The GNU Hurd's design was motivated by a desire to rectify a number of observed shortcomings in Unix. Foremost among these is that many policies that limit users exist simply as remnants of the design of the system's mechanisms and their implementation. To increase extensibility and integration, the Hurd adopts an object-based architecture and defines interfaces, in particular those for the composition of and access to name spaces, that are virtualizable.

This paper is first a presentation of the Hurd's design goals and a characterization of its architecture primarily as it represents a departure from Unix's. We then critique the architecture and assess it in terms of the user environment of today focusing on security. Then follows an evaluation of Mach, the microkernel on which the Hurd is built, emphasizing the design constraints which Mach imposes as well as a number of deficiencies its design presents for multi-server like systems. Finally, we reflect on the properties such a system appears to require.

• Improving Usability via Access Decomposition and Policy Refinement with Marcus Brinkmann. Technical report.

Commodity operating systems fail to meet the security, resource management and integration expectations of users. We propose a unified solution based on a capability framework as it supports fine grained objects, straightforward access propagation and virtualizable interfaces and explore how to improve resource use via access decomposition and policy refinement with minimum interposition. We argue that only a small static number of scheduling policies are needed in practice and advocate hierarchical policy specification and central realization.

• Coyotos Microkernel Specification with Jonathan S. Shapiro, Ph.D., Eric Northup, M. Scott Doerrie, Swaroop Sridhar and Marcus Brinkmann. Version 0.3+ published online March 20, 2006.

Coyotos is a security microkernel. It is a microkernel in the sense that it is a minimal protected platform on which a complete operating system can be constructed. It is a security microkernel in the sense that it is a minimal protected platform on which higher level security policies can be constructed.

• First Remarks on a Market Based Approach to Resource Scheduling for the GNU Hurd Multiserver Operating System presented at the Libre Software Meeting in Dijon, France on July 6, 2005.

Through the use of a multiserver capability-based architecture, the GNU Hurd has attempted to increase security and flexibility relative to traditional Unix-like operating systems. This shift away from a monolithic design requires a reevaluation of conventional operating system praxis to determine its degree of continued applicability. Resource scheduling appears particularly defunct in this regard: to make smarter scheduling decisions, monolithic systems cross component boundaries to gain insight into application behavior. This introspection is incompatible with a multiserver architecture and its elimination, as observed in Mach, the current microkernel used by the GNU Hurd, results in noticeable performance degradation. To this end, I propose that rather than have the operating system provide virtualized resources, i.e.~schedule the contents of resources on behalf of applications, it offer near raw access to the principals which they must multiplex as required thereby relieving e.g.~the memory manager of paging decisions. The resource managers must still partition the physical resources among the competing principals. For this, I suggest a market based solution in which principals have a periodically renewed credit allowance and lease the required resources. This approach also suits adaptive and soft real-time applications.

• The Function of Intellectual Property at the Present Time presented at the Literature, Communication, and Democracy Symposium held at University of Massachusetts, Lowell on April 2, 2003.

Intellectual property presupposes the individuality of the author by asserting that the author is unique and is able to transcend the realm of the mundane to discover a novel idea. Intellectual property denies T.S. Elliot's assertion in Tradition and the Individual Talent that the ``poet's mind is in fact a receptacle for seizing and storing up numberless feelings, phrases, images, which remain there until all the particles which can unite to form a new compound are present together.'' Intellectual property is a logical impossibility for its fundamental tenant is that thoughts and ideas, once shared, can be owned and controlled by an individual.

Contact

You can email me at: neal@walfield.org .

If you send mail to spamtrap@walfield.org, it will not reach me and be automatically classified as spam.