Integration of systems with heterogeneous security levels (original title: Intégration de systèmes hétérogènes en termes de niveaux de sécurité)

This thesis studies the implementation principles for executing, on a single computer, tasks of different criticality levels, some of which may have hard real-time constraints. The difficulties in achieving these goals fall into three categories. First, it must be proven that the tasks will have enough resources to execute; it must therefore be possible to have safe, predictable and simple allocation and scheduling policies. Security guarantees must also be provided to ensure that critical tasks execute correctly in the presence of failures or malicious behaviour. Finally, the system must be reusable in a variety of situations. This thesis proposes to tackle the problem by designing a highly secure, extensible system that is independent of resource allocation policies. This is notably achieved through resource lending, which allows resources to be accounted independently of protection domains. This approach avoids having to partition resources, which simplifies the overall allocation problem and avoids wasting resources. Problems such as priority inversion, starvation or denial of service are eliminated at the root. We demonstrate the feasibility of this approach with a prototype, Anaxagoros. The approach we propose drastically simplifies resource allocation but imposes constraints on the writing of shared services (such as device drivers). The main difficulties consist of additional synchronization constraints. We propose original and efficient mechanisms to solve the concurrency and synchronization problems, and a general methodology to facilitate the secure writing of these shared services.
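To make the accounting argument concrete, the following toy model is an added illustration written for this page; it is not code from the thesis or from the Anaxagoros prototype, and the client names, budgets and request stream are constructed. It contrasts the two accounting schemes the abstract opposes: a shared service (think of a device driver) that owns a fixed partition of CPU time, versus a service that owns nothing and has the time it spends on a request charged to the client that issued it (the client lends its own reservation). The point shown is the one the abstract makes: with lending, a misbehaving client can only exhaust its own budget, so it cannot starve another client through the shared service, and nobody has to guess how large the service's partition should be.

```python
# Added illustration of resource lending vs. resource partitioning.
# Toy model, not Anaxagoros code: the domain names, budgets and request
# stream below are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    client: str   # protection domain that issued the request
    cost: int     # CPU ticks the shared service needs to handle it


def run_service(requests, client_budgets, lending, service_budget=0):
    """Feed a FIFO stream of requests to one shared service.

    lending=False: the service owns a fixed partition of `service_budget`
                   ticks and every request is charged to that partition,
                   whichever client issued it.
    lending=True:  the service has no budget of its own; the ticks it spends
                   on a request are charged to the requesting client, i.e.
                   the client lends its own CPU reservation to the service.
    Returns {client: number of requests completed}.
    """
    budgets = dict(client_budgets)   # remaining ticks per client
    service_left = service_budget    # remaining ticks of the service partition
    served = {c: 0 for c in client_budgets}
    for req in requests:
        if lending:
            if budgets[req.client] >= req.cost:
                budgets[req.client] -= req.cost
                served[req.client] += 1
            # else: this client has exhausted its own reservation; the
            # request is refused and no other client is affected
        else:
            if service_left >= req.cost:
                service_left -= req.cost
                served[req.client] += 1
            # else: the service partition is exhausted for this period,
            # whoever consumed it, so later requests from anyone are refused
    return served


# Constructed per-period reservations of the two protection domains.
CLIENT_BUDGETS = {"flood": 20, "critical": 20}


def flood_then_critical():
    """Constructed workload: a misbehaving domain floods the service with
    100 unit-cost requests before the critical domain issues its 5."""
    return ([Request("flood", 1) for _ in range(100)]
            + [Request("critical", 1) for _ in range(5)])


def demo_partitioned():
    # The service partition (40 ticks here) must be sized by guessing the
    # aggregate demand; the flooder drains it and the critical domain is
    # starved even though its own reservation is untouched.
    return run_service(flood_then_critical(), CLIENT_BUDGETS,
                       lending=False, service_budget=40)


def demo_lending():
    # With lending the flooder can only spend its own 20 ticks; the critical
    # domain's 20 ticks are unaffected and all 5 of its requests complete.
    return run_service(flood_then_critical(), CLIENT_BUDGETS, lending=True)


if __name__ == "__main__":
    print("partitioned:", demo_partitioned())   # flood 40, critical 0
    print("lending:    ", demo_lending())       # flood 20, critical 5
```

The model deliberately ignores what the abstract identifies as the real cost of lending: once service work runs on the caller's budget, the service can be preempted or revoked mid-operation when that budget runs out, which is exactly the extra synchronization burden on shared-service authors that the thesis goes on to address.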
