L4 Reference Manual (486, Pentium, Pentium Pro), Version 2.0

1.1 Basic Concepts (The following section contains excerpts from [Liedtke 1993b; Liedtke 1993a; Liedtke 1995].) We reason about the minimal concepts or primitives that a µ-kernel should implement. The determining criterion used is functionality, not performance. More precisely, a concept is tolerated inside the µ-kernel only if moving it outside the kernel, i.e. permitting competing implementations, would prevent the implementation of the system's required functionality. We assume that the target system has to support interactive and/or not completely trustworthy applications, i.e., it has to deal with protection. We further assume that the hardware implements page-based virtual memory. One inevitable requirement for such a system is that a programmer must be able to implement an arbitrary subsystem S in such a way that it cannot be disturbed or corrupted by other subsystems S'. This is the principle of independence: S can give guarantees independent of S'. The second requirement is that other subsystems must be able to rely on these guarantees. This is the principle of integrity: there must be a way for S1 to address S2 and to establish a communication channel which can neither be corrupted nor eavesdropped by S'. Provided hardware and kernel are trustworthy, further security services, like those described by Gasser et al. [1989], can be implemented by servers...

By: Jochen Liedtke

Published in: IBM Research Report RC20549, 1996

This Research Report is not available electronically. Please request a copy from the contact listed below. IBM employees should contact ITIRC for a copy.