This paper describes proof-carrying code (PCC), a mechanism by which a host system can determine with certainty thatitissafetoexecute a program supplied (possibly in binary form) by anuntrusted source. For this to be possible, the untrusted code producer must supply with the code a safety proof that attests to the code's adherence to a previously de ned safety policy. The host can then easily and quickly validate the proof without using cryptography and without consulting any external agents. In order to gain preliminary experience with PCC, we have performed several case studies. We showinthis paper how proof-carrying code mightbeusedtodevelop safe assembly-language extensions of ML programs. In the context of this case study, we present and prove the adequacy of concrete representations for the safety policy, the safety proofs, and the proof validation. Finally, we brie y discuss how we use proof-carrying code to develop network packet lters that are faster than similar lters developed using other techniques and are formally guaranteed to be safe with respect to a given operating system safety policy.

This paper presents the design, implementation, and evaluation of IO-Lite, a unified I/O buffering and caching system. IO-Lite unifies all buffering and caching in the system, to the extent permitted by the hardware. In particular, it allows applications, interprocess communication, the filesystem, the file cache, and the network subsystem to share a single physical copy of the data safely and concurrently. Protection and security are maintained through a combination of access control and read-only sharing. The various subsystems use (mutable) buffer aggregates to access the data according to their needs. IO-Lite eliminates all copying and multiple buffering of I/O data, and enables various cross-subsystem optimizations. Performance measurements show significant performance improvements on Web servers and other I/O intensive applications. 1 Introduction This paper presents the design, the implementation, and the performance of IO-Lite, a unified I/O buffering and caching system. IO-Li...

The ability to provide differentiated services to users with widely varying requirements is becoming increasingly important, and Internet Service Providers would like to provide these differentiated services using the same shared network infrastructure. The key mechanism, that enables differentiation in a connectionless network, is the packet classification function that parses the headers of the packets, and after determining their context, classifies them based on administrative policies or real-time reservation decisions. Packet classification, however, is a complex operation that can become the bottleneck in routers that try to support gigabit link capacities. Hence, many proposals for differentiated services only require classification at lower speed edge routers and also avoid classification based on multiple fields in the packet header even if it might be advantageous to service providers. In this paper, we present new packet classification schemes that, with a worst-case and tr...

The Sanctuary project at UCSD is building a secure infrastructure for mobile agents, and examining

The engineers who analyze traffic on high bandwidth networks must filter and aggregate either recorded traces of network packets or live traffic from the network itself. These engineers perform operations similar to database queries, but cannot use conventional data managers because of performance concerns and a semantic mismatch between the analysis operations and the operations supported by commercial DBMSs. Traffic analysis does not require fast random access, transactional update, or relational joins. Rather, it needs fast sequential access to a stream of traffic records and the ability to filter, aggregate, define windows, demultiplex, and remultiplex the stream. Tribeca is an extensible, stream-oriented DBMS designed to support network traffic analysis. It combines ideas from temporal and sequence databases with an implementation optimized for databases stored on high speed ID-1 tapes or arriving in real time from the network. The paper describes Tribeca's query language, executo...

Syntax Possible Dynamic Input Value-Specific Optimizations Register Allocation Coarse Scheduling Code Generation AMMA G Possible Dynamic Input Peephole Optimization Code Layout Branch Prediction Assembly ELTA D Possible Dynamic Input Peephole Optimization Code Layout Branch Prediction Assembly ELTA D Possible Dynamic Input Dynamic Input Dynamically Optimizing Native Code PSILON E Create Specialized Code Generators Java VM Code LPHA A High-Level IR Mid-Level IR Low-Level IR Native Code Program Analysis Code Improvements Figure 2: Staged Compiler Architecture ffl Dynamic method dispatch and higher-order procedures can make it impossible to determine a program's control flow graph until run time; ffl Dynamically allocated data structures can make static loop transformations difficult, e.g., array bounds may not be known at compile time; ffl Separate compilation makes it difficult to optimize data representations across module boundaries. It is therefore possible to postpone part...

. Continuous media such as audio and video pose new challenges to all parts of multipurpose operating systems. We discuss issues related to CPU scheduling, memory allocation, system support and application environments and summarize some of the solutions proposed in the literature. Key words: Continuous media { Operating system enhancement { CPU scheduling { Network implementation 1 Introduction Operating systems play a crucial role in supporting multimedia applications. Here we investigate the problems that are introduced by multimedia and some approaches to their solution. General introductions to operating systems can be found in (Tanenbaum 1987; Peterson and Silberschatz 1983), with specic surveys of the UNIX operating system in (Lefer, McKusick, Karels, and Quarterman 1988; Bach 1986). Although only a combination of network and operating system design can guarantee performance, network issues seem to have required far more attention in the past. As higherspeed LANs touting integ...

In this paper, we describe an implementation of a ad-hoc, distributed sensor platform that provides synchronized time to its users. By abstracting the time synchronization layer away, we allow developers to focus on the core challenges of their applications (e.g., signal processing, aggregation, routing) rather than dealing with the algorithmic and systems issues that inevitably arise when integrating sensing with distributed synchronization. Through a variety of techniques, notably the use of Reference-Broadcast Synchronization (RBS) [5], our platform offers better than 5sec precision when comparing streams of audio data sampled at nodes separated by one network hop.

User-level networking has been applied mostly in the area of high-performance computing since it allows applications to obtain maximum performance from the hardware. We argue that running network protocol stacks in the user space also allows applications to reduce the amount of state that the operating system kernel maintains on their behalf enabling much greater application elasticity and mobility. We describe a lightweight user-level networking framework that does not require any modi cation to existing networking hardware nor protocols. The main advantages of our framework are its simplicity and ease of implementation. 1