New Results in Fluke/Flask Jay Lepreau Flux Group University of Utah July 13, 1998

Refresher: The Nested Process Model Child process is encapsulated in its parent. Parent has complete control over the child. Traditional Process ModelNested Process Model Parent Process State Child State Child State Child State Child State Parent Process State

Some New Work (Results?) and Yet More Obscure Names Resource mgmt in several code/architecture bases ÜFluke (microkernel) ÜOSKit (COM components) ÜAlta: Fluke in a JVM Flask: high-security version of Fluke Alta: Fluke architecture implemented in a JVM, using type-safety for memory protection

1. Resource Management CPU Ücpu inheritance scheduling in the OSKit, partly in Fluke, will be in JVM »policy-free (nearly) Üstride scheduling (WFQ) in Fluke Physical memory: min-funding revocation in Fluke Both are: ÜProvided by arbitrary user process (mem) or thread (cpu) ÜHierarchical, extensible… Network bandwidth and buffers Üincoming buffer space Üoutgoing links Üin JVM-based systems (partially impl)

CPU - Stride Scheduling % CPU 60 % CPU

2. Flask: High-security version of Fluke Joint with NSA R23, SCC Augments Fluke with fine grained security mechanisms ÜExplicit security bindings ÜMandatory controls ÜMutual authentication User-mode security policy server makes all policy decisions

Flask new things… FSPM (SCC, Utah, NSA) and resulting architectural changes Secure servers Ümemory mgrs, filesystem, network, process manager Üprocess mgr has interesting issues: »low integrity parent can exec hi integrity child »read-without-execute »inherited process state across exec »... Support for atomic revocation and flexible policy (demo)

Demo - a) Static Role Relationships Payroll Office Chief Division Chief Branch Chief Branch Employee Branch Chief Only branch, division, and office chiefs may approve timesheets and send them to payroll. (Employees may not.)

Demo - b) Delegation Payroll Office Chief Branch Employee Branch Chief Branch Employee The office chief will designate Pete, an employee, as a temporary branch chief. Steve will submit a timesheet to Pete.

3. “Alta” Same Fluke architecture, new mechanism

Nested Process Model and Protection Provides a new way to use protection domains Can use various protection mechanisms: ÜHardware (working) ÜType-safe language (Java: mostly working) ÜProof-carrying code (planned)

Motivation and Goals Our group’s focus is local system security, including resource management Java-based systems need this! Info security… AND flexible resource control and failure isolation Java-based systems will be everywhere; opportunity to influence while in a formative stage

Thesis Ad hoc language-oriented approaches are not enough Requirements are similar to multi-user OS requirements … so apply a coherent OS model! …we happen to have one ÜHave a model with specific properties ÜHave structure: design, interfaces, implementation ÜDocumented: model, properties, interfaces

Processes In Java What is a Java Process? ÜNamespace ÜMemory allocation limit ÜCPU allocation limit ÜMore than an applet, ClassLoader or ThreadGroup

Example: Web “servlets” WWW server allow clients to upload Java applications (servlets) Each servlet would be a separate process: Üseparate, controlled namespace Üseparate memory limit Üseparate CPU limit Ücontrolled access to server’s system Java provides memory safety and namespace integrity Processes provide accounting and control

Configurations Naked hardware - OSKit On traditional OS’s Run on top of Flask/Fluke for additional assurance and defense Add fine-grain access control a la Flask

“Fluke V3” Components are good OSKit++

“Lessons Learned” Too much “multi” is bad for research prototypes Ümultiprocessor support Ümultithreading Strict layering creates problems (34 layers in Fluke microkernel impl.) COM vs. MOM Collaboration is good Keep models, evolve mechanisms