EROS: A capability system
Capability-based operating systems have logical advantages over access-control list based systems for security, and potential advantages for performance as well. This dissertation makes four contributions. First, it extends the capability access model proposed by Jones, Lipton, and Snyder and enhanced by Bishop to address object metadata, opaque indirection, and certain additional access checks. These extensions bridge the gap from the original model to the behavior of real systems, and are necessary to account for securely dekernelized memory and file management. Second, it provides a formal model of capability architectures, SW, that allows precise statements to be made about access and operations. SW makes it possible to prove that the conditions imposed by some implementation actually enforce the security policy they are designed to support. In particular, I have shown this for the confinement policy. SW defines a family of capability systems, of which any realization satisfies the proven security properties. Derived from the EROS architecture, the SW family includes at least one complete, general purpose operating system architecture that has actually been implemented. SW is the first formal model of its kind for which proofs of security policies have been favorably completed; previously successful proof efforts have proven only negative results. Third, this dissertation presents the Extremely Reliable Operating System (EROS). EROS is one realization of an SW system. It discusses the EROS virtual machine architecture, and describes how the capabilities defined by that architecture are mapped to SW. By virtue of this mapping, the EROS design is covered by both the SW model and the proof of confinement presented here. Finally, this dissertation presents a prototype implementation of the EROS system on the Intel x86 machine architecture. By mapping EROS virtual machine abstractions to hardware-supported objects, this implementation yields measured performance competative with, and in many cases exceeding, the performance of conventionally architected ACL-based operating systems and microkernels. Quantitative evaluation presented here shows that neither the use of capabilities nor aggressive dekernelization needs to be a limiting factor in system performance.* *This dissertation includes a CD that is compound (contains both a paper copy and a CD as part of the dissertation). The CD requires the following application: EROS Operating System.
Shapiro, Jonathan Strauss, "EROS: A capability system" (1999). Dissertations available from ProQuest. AAI9926195.