Making information flow explicit in HiStar

HiStar is a new operating system designed to minimize the amount of code that must be trusted. HiStar provides strict information flow control, which allows users to specify precise data security policies without unduly limiting the structure of applications. HiStar's security features make it possible to implement a Unix-like environment with acceptable performance almost entirely in an untrusted user-level library. The system has no notion of superuser and no fully trusted code other than the kernel. HiStar's features permit several novel applications, including an entirely untrusted login process, separation of data between virtual private networks, and privacy-preserving, untrusted virus scanners.