RFC 822 defines a message representation protocol which specifies considerable detail about message headers, but which leaves the message content, or message body, as flat ASCII text. This document redefines the format of message bodies to allow multi-part textual and non-textual message bodies to be represented and exchanged without loss of information. This is based on earlier work documented in RFC 934 and RFC 1049, but extends and revises that work. Because RFC 822 said so little about message bodies, this document is largely orthogonal to (rather than a revision of) RFC 822. In particular, this document is designed to provide facilities to include multiple objects in a single message, to represent body text in character sets other than US-ASCII, to represent formatted multi-font text messages, to represent non-textual material such as images and audio fragments, and generally to facilitate later extensions defining new types of Internet mail for use by cooperating mail agents. Thi...

Integrity is rarely a valid presupposition in many systems architectures, yet it is necessary to make any security guarantees. To address this problem, we have designed a secure bootstrap process, AEGIS, which presumes a minimal amount of integrity, and which we have prototyped on the Intel x86 architecture. The basic principle is sequencing the bootstrap process as a chain of progressively higher levels of abstraction, and requiring each layer to check a digital signature of the next layer before control is passed to it. A major design decision is the consequence of a failed integrity check. A simplistic strategy is to simply halt the bootstrap process. However, as we show in this paper, the AEGIS bootstrap process can be augmented with automated recovery procedures which preserve the security properties of AEGIS under the additional assumption of the availability of a trusted repository. We describe two means by which such a repository can be implemented, and focus our attention on a network-accessible repository.

Current routing protocols are monolithic, specifying the algorithm used to construct forwarding tables, the metric used by the algorithm (generally some form of hop count), and the protocol used to distribute these metrics as an integrated package. The Flexible Intra-AS Routing Environment (FIRE) is a link-state, intra-domain routing protocol that decouples these components. FIRE supports run-time-programmable algorithms and metrics over a secure link-state distribution protocol. By allowing the network operator to dynamically reprogram both the properties being advertised and the routing algorithms used to construct forwarding tables, FIRE enables the development and deployment of novel routing algorithms without the need for a new protocol to distribute state. FIRE supports multiple concurrent routing algorithms and metrics, each constructing separate forwarding tables. By using operator-specified packet filters, separate classes of traffic may be routed using completely different routing algorithms, all supported by a single routing protocol. This paper

Abstract not found

No work the size of this dissertation is done in isolation, and I would like to thank the people who worked with and supported me over the last four years. Harold F. Bower has worked with me on numerous occasions. He found and added the entry points in the BIOS source to call AEGIS. He also served as a sounding board for me in the design of AEGIS, and the AEGIS interrupt service routine (ISR). Hal and I also worked together on a pre-cursor of AEGIS, the Security Enhanced Processor (SEP). The problems encountered with the SEP project lead to AEGIS. Hal is also responsible for RATBAG which is described in Chapter 3. Angelos Keromytis and I jointly designed the protocol used with the AEGIS network recovery and DHCP++. Angelos also served as the ideal person to discuss ideas. He is never shy about telling someone that their idea is nuts. Scott Alexander, Angelos, and I worked together on the design of SANE, Section 7.1. Scott’s contributions are “above the OS”, and mine are “below the OS”. Angelos worked with both Scott and myself, and developed the naming and threat models. Ralph Droms et. al. developed the DHCP authentication scheme described in Section 7.2. I developed the delayed aspect of the authentication mechanism along with the threat model.

Subsystem (IMS) technologies are rapidly being adopted by consumers, enterprises, governments and militaries. These technologies offer higher flexibility and more features than traditional telephony (PSTN) infrastructures, as well as the potential for lower cost through equipment consolidation and, for the consumer market, new business models. However, VoIP/IMS systems also represent a higher complexity in terms of architecture, protocols and implementation, with a corresponding increase in the potential for misuse. Here, we begin to examine the current state of affairs on VoIP/IMS security through a survey of known/disclosed security vulnerabilities in bug-tracking databases. This paper should serve as a starting point for understanding the threats and risks in a rapidly evolving set of technologies that are seeing increasing deployment and use. Our goal is to gain a better understanding of the security landscape with respect to VoIP/IMS, toward directing future research in this and other similar emerging technologies. I.

The alien architecture exposes all node-resident features to modi cation by a module loader, with the exception of the loader itself. As a

The ongoing transition from uniprocessor to multiprocessor computers requires support from the operating system kernel. Although many general-purpose multiprocessor operating systems exist, there is a large number of specialized operating systems which require porting in order to work on multiprocessors. In this paper we describe the multiprocessor port of a cluster operating system kernel from a producer of industrial systems. Our initial implementation uses a giant locking scheme that serializes kernel execution. We also employed a method in which CPU-local variables are placed in a special section mapped to per-CPU physical memory pages. The giant lock and CPU-local section allowed us to implement an initial working version with only minor changes to the original code, although the giant lock and kernel-bound applications limit the performance of our multiprocessor port. Finally, we also discuss experiences from the implementation.

Users often find that local resources are too limited to solve large computing problems. At the same time, unused machines remain inaccessible because of incompatible architectures, ignorance of their capabilities, or incompatible administrative restrictions. To preserve this investment in equipment, yet allow for the solution of large problems, mechanisms are needed to join these systems into cooperating groups across the boundaries of administrative domains and physical locality. In this paper, we describe messiahs, a system intended to provide scalable mechanisms for the efficient implementation of scheduling policies on distributed systems, while preserving the autonomy of the component systems. These systems can range from a few workstations to hundreds of heterogeneous, autonomous systems interconnected via networks ranging from local-area networks to geographically large networks, connected by arbitrary links. This work was supported by a NASA Graduate Student Researchers Fell...

Abstract. A Gals (Globally Asynchronous Locally Synchronous) system typically consists of a collection of sequential, deterministic components that execute concurrently and communicate using slow or unreliable channels. This paper proposes a general approach for modelling and verifying Gals systems using a combination of synchronous languages (for the sequential components) and process calculi (for communication channels and asynchronous concurrency). This approach is illustrated with an industrial case-study provided by Airbus: a Tftp/Udp communication protocol between a plane and the ground, which is modelled using the Eclipse/TopCased workbench for model-driven engineering and then analysed formally using the Cadp verification and performance evaluation toolbox. 1