Terra: a virtual machine-based platform for trusted computing
, 2003
Cited by 257 (6 self)
We present a flexible architecture for trusted computing, called Terra, that allows applications with a wide range of security requirements to run simultaneously on commodity hardware. Applications on Terra enjoy the semantics of running on a separate, dedicated, tamper-resistant hardware platform, while retaining the ability to run side-by-side with normal applications on a general-purpose computing platform. Terra achieves this synthesis by use of a trusted virtual machine monitor (TVMM) that partitions a tamper-resistant hardware platform into multiple, isolated virtual machines (VM), providing the appearance of multiple boxes on a single, general-purpose platform. To each VM, the TVMM provides the semantics of either an “open box,” i.e. a general-purpose hardware platform like today’s PCs and workstations, or a “closed box,” an opaque special-purpose platform that protects the privacy and integrity of its contents like today’s game consoles and cellular phones. The software stack in each VM can be tailored from the hardware interface up to meet the security requirements of its application(s). The hardware and TVMM can act as a trusted party to allow closed-box VMs to cryptographically identify the software they run, i.e. what is in the box, to remote parties. We explore the strengths and limitations of this architecture by describing our prototype implementation and several applications that we developed for it.
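The closed-box identification the abstract describes (hardware measures the TVMM, the TVMM measures the VM, and the pair vouch to a remote party for what is in the box) is easy to get subtly wrong: a verifier that checks the measurement but not freshness accepts a replayed quote, and one that checks freshness but not the exact expected stack accepts a tampered image. The following is an added example, not code from the Terra paper or its prototype. It models a TPM-style extend chain for the measurements and a challenge/response quote; the image bytes are constructed samples, and the signature is an HMAC under a shared key purely so the example runs with the standard library alone (Terra's hardware uses an asymmetric attestation key, and that substitution is an assumption of this example).

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the software stack of one closed-box VM. A real
# TVMM would measure the actual TVMM binary and the VM's disk image.
TVMM_IMAGE = b"tvmm binary (constructed sample)"
VM_IMAGE = b"closed-box vm image (constructed sample)"

# Assumed attestation key. Terra relies on the tamper-resistant hardware's
# asymmetric key; an HMAC key stands in here so the example needs only the
# standard library, which means the verifier must also hold it (assumption).
ATTESTATION_KEY = b"hardware attestation key (assumption)"


def measure(blob: bytes) -> bytes:
    """Measurement of a software component: its SHA-256 digest."""
    return hashlib.sha256(blob).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: register <- H(register || measurement).

    The register only moves forward, so a layer loaded later cannot erase
    the measurement of a layer loaded before it.
    """
    return hashlib.sha256(register + measurement).digest()


def extend_chain(measurements) -> bytes:
    """Fold a boot-ordered list of measurements into one register value."""
    register = bytes(32)
    for m in measurements:
        register = extend(register, m)
    return register


class ClosedBoxPlatform:
    """Hardware + TVMM side: measures the stack at boot, then answers quotes."""

    def __init__(self, tvmm_image: bytes, vm_image: bytes):
        # Hardware measures the TVMM; the TVMM measures the closed-box VM.
        self.register = extend_chain([measure(tvmm_image), measure(vm_image)])

    def attest(self, nonce: bytes) -> dict:
        # The quote binds the current register value to the verifier's nonce.
        tag = hmac.new(ATTESTATION_KEY, self.register + nonce, hashlib.sha256).digest()
        return {"register": self.register, "nonce": nonce, "sig": tag}


class RemoteVerifier:
    """Remote party that knows exactly which TVMM and VM image it trusts."""

    def __init__(self, golden_tvmm_digest: bytes, golden_vm_digest: bytes):
        self.expected = extend_chain([golden_tvmm_digest, golden_vm_digest])
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, q: dict) -> bool:
        # Freshness: the nonce must be one we issued and not yet consumed.
        if q["nonce"] not in self.outstanding:
            return False
        self.outstanding.discard(q["nonce"])
        # Authenticity: the quote must come from the attestation key.
        expected_tag = hmac.new(ATTESTATION_KEY, q["register"] + q["nonce"],
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, q["sig"]):
            return False
        # Identity: the measured stack must be exactly the one we trust.
        return hmac.compare_digest(q["register"], self.expected)


def run_scenarios() -> dict:
    """Honest boot, replayed quote, tampered VM image, unsolicited nonce."""
    verifier = RemoteVerifier(measure(TVMM_IMAGE), measure(VM_IMAGE))
    honest = ClosedBoxPlatform(TVMM_IMAGE, VM_IMAGE)
    tampered = ClosedBoxPlatform(TVMM_IMAGE, VM_IMAGE + b" + backdoor")

    results = {}
    q = honest.attest(verifier.challenge())
    results["honest"] = verifier.verify(q)
    results["replay"] = verifier.verify(q)  # same quote presented again
    results["tampered_vm"] = verifier.verify(tampered.attest(verifier.challenge()))
    results["unsolicited_nonce"] = verifier.verify(honest.attest(os.urandom(16)))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18s} {'accepted' if ok else 'rejected'}")
```

Only the honest, fresh quote is accepted. The three rejections map to the three checks in `verify`: nonce freshness defeats replay, the signature ties the register to the platform, and the comparison against the golden chain rejects any VM image whose digest differs, even though the tampered platform's quote is itself correctly signed.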
Scale and performance in the Denali isolation kernel
, 2002
Cited by 196 (3 self)
Denali: Lightweight Virtual Machines for Distributed and Networked Applications
- In Proceedings of the USENIX Annual Technical Conference
, 2002
Cited by 69 (0 self)
The goal of Denali is to safely execute many independent, untrusted server applications on a single physical machine. This would enable any developer to inject a new service into third-party Internet infrastructure; for example, dynamic content generation code could be introduced into content-delivery networks or caching systems. We believe that virtual machine monitors (VMMs) are ideally suited to this application domain. A VMM provides strong isolation by default, since one virtual machine cannot directly name a resource in another. In addition, VMMs defer the implementation of high-level abstractions to guest OSs, which greatly simplifies the kernel and avoids "layer-below" attacks. The main challenge in using a VMM for this application domain is in scaling the number of concurrent virtual machines that can simultaneously execute on it.
Measured Performance of a Wireless LAN
- In Proceedings of the 17th IEEE Conference on Local Computer Networks
, 1992
Cited by 54 (0 self)
We have studied the performance of a high-speed commercial spread-spectrum wireless LAN that uses the CSMA/CA multiple-access strategy. Employing synthetic workloads, we measured packet capture success more so than signal propagation characteristics. Specifically, we measured throughput, packet loss rates, range, and patterns of errors within packets. We conclude that CSMA/CA is quite successful in allocating bandwidth under stress, but that packet capture rate degrades very quickly once the LAN's effective range is exceeded. Hence, network maintainers should plan the layout of wireless networks at least as carefully as they plan wired networks.

1 Introduction

Thanks to regulatory decisions and improvements in technology, the last several years have seen an explosion of developments in the commercial wireless sector of the telecommunications industry. So far the emphasis has been on low-speed, voice-oriented telephony applications. Another promising application is data movement over...
Ostia: A Delegating Architecture for Secure System Call Interposition
- In NDSS
, 2003
Cited by 54 (0 self)
Application sandboxes provide restricted execution environments that limit an application's access to sensitive OS resources. These systems are an increasingly popular method for limiting the impact of a compromise. While a variety of mechanisms for building these systems have been proposed, the most thoroughly implemented and studied are based on system call interposition. Current interposition-based architectures offer a wide variety of properties that make them an attractive approach for building sandboxing systems. Unfortunately, these architectures also possess several critical properties that make their implementation error prone and limit their functionality. We present
Agent-Mediated Message Passing for Constrained Environments
- In Proceedings of the USENIX Mobile and Location-independent Computing Symposium
, 1993
Cited by 37 (1 self)
this paper are only a small step away from many different pieces of prior work. The notion of automatically starting the program that is a message's destination is present in
Denali: A Scalable Isolation Kernel
- Proceedings of the Tenth ACM SIGOPS European Workshop
, 2002
Cited by 20 (0 self)
The Denali project provides system support for running several mutually distrusting Internet services on the same physical infrastructure. For example, this would enable a developer to push dynamic content into third party hosting infrastructure such as content distribution networks. To accomplish this, we propose a new kernel architecture called an isolation kernel to isolate untrusted applications. An isolation kernel is a simple, thin software layer that runs directly on hardware (and hence below operating systems), whose function is to subdivide a physical machine into a set of fully isolated protection domains. Isolation kernels resemble virtual machine monitors in that they expose a virtualized hardware interface to a set of virtual machines. Unlike VMMs, however, isolation kernels do not attempt to precisely emulate the underlying physical architecture. By selectively modifying the hardware architecture, we enable our system to scale up to 1000’s of virtual machines on commodity hardware. In this paper, we describe a set of design principles that govern isolation kernels, briefly discuss a prototype isolation kernel, and present future work and applications of isolation kernels.
Porting UNIX to Windows NT
, 1997
Cited by 19 (5 self)
The Software Engineering Research department at Murray Hill writes and distributes several widely used development tools and reusable libraries that are portable across virtually all UNIX platforms. [1] To enhance reuse of these tools and libraries, we want to make them available on systems running Windows NT [2] and/or Windows 95 [3] . We did not want to support multiple versions of these libraries, and we wanted to minimize the amount of conditionally compiled code. This paper describes an effort of trying to build a UNIX interface layer on top of the Windows NT and Windows 95 operating system. The goal was to build an open environment rich enough to be both a good development environment and a suitable execution environment. This meant that the overhead needed to be small enough so that there was no incentive to program to the native operating system directly. The openness meant that the complete facilities of the native operating system were accessible through this environmen...
A Transactional Approach to Redundant Disk Array Implementation
, 1997
Cited by 15 (0 self)
Redundant disk arrays are a popular method of improving the dependability and performance of disk storage and an ever-increasing number of array architectures are being proposed to balance cost, performance, and dependability. Despite their differences, there is a great deal of commonality between these architectures; unfortunately, it appears that current implementations are not able to effectively exploit this commonality due to their ad hoc approach to error recovery. Such techniques rely upon a case-by-case analysis of errors, a manual process that is tedious and prone to mistakes. For each distinct error scenario, a unique procedure is implemented to remove the effects of the error and complete the affected operation. Unfortunately, this form of recovery is not easily extended because the analysis must be repeated as new array operations and architectures are introduced. Transaction-processing systems utilize logging techniques to mechanize the process of recovering from errors. However, the expense of guaranteeing that all operations can be undone from any point in their execution is too expensive to satisfy the performance and resource requirements of redundant disk arrays. This dissertation describes a novel programming abstraction and execution mechanism based upon transactions that simplifies implementation. Disk array algorithms are modeled as directed acyclic graphs: the nodes are actions such as "XOR" and the arcs represent data and control dependencies between them. Using this abstraction, we implemented eight array architectures in RAIDframe, a framework for prototyping disk arrays. Code reuse was consistently above 90%. The additional layers of abstraction did not affect the response time and throughput characteristics of RAIDframe; however, RAIDframe co...
RAIDframe: Rapid Prototyping for Disk Arrays
- Proceedings of the Joint International Conference on Measurement & Modeling of Computer Systems (SIGMETRICS ’96)
, 1995
Cited by 11 (2 self)
The complexity of advanced disk array architectures makes accurate representation necessary, arduous, and error-prone. In this paper, we present RAIDframe, an array framework that separates architectural policy from execution mechanism. RAIDframe facilitates rapid prototyping of new RAID architectures by localizing modifications and providing libraries of existing architectures to extend. In addition, RAIDframe-implemented architectures run the same code as a synthetic and trace-driven simulator, as a user-level application managing raw disks, and as a Digital Unix device driver capable of mounting a filesystem. Evaluation shows that RAIDframe performance is equivalent to less complex array implementations and that case studies of RAID levels 0, 1, 4, 5, 6, and parity declustering achieve expected performance.