DARPA prototypes take new approach to design

While software developers slave away to develop innovative applications that will run efficiently on operating systems (OSes) designed in a different computing age next-generation OSes are beginning to take shape.

Sponsored by the Defense Advanced Research Projects Agency (DARPA) these efforts are aimed at making OSes sleeker faster and more flexible. The new designs manipulate the kernel or core of the operating system to make the system software more adaptable to application needs.

But the performance-increasing designs challenge traditional security notions. The OS kernel code is placed in user space or a user application code is put in kernel space both of which give applications greater control of computer operations.

DARPA describes the process as less than a complete break with the National Security Agency's decade-old "Orange Book " the standard reference for computer security.

The new concepts violate the concept of "trust " which is enshrined in the Orange Book. The book assumes among other things that the kernel be fixed - not dynamic - and that all security functions be concentrated in it. The changes therefore raise the question of the standard's continuing relevance.

The first operating system and software tool project being developed under the DARPA program is called Flux which combines a stripped-down "microkernel" with tight process control in an approach that has considered security from the outset said Jay Lepreau assistant director of the University of Utah's Computer Systems Laboratory in Salt Lake City. At 80K the kernel contains little more than mechanisms for managing address space mapping synchronization threads and communications "ports and references " Lepreau said.

Excluded from the kernel are features for managing virtual memory peripheral devices the file system and scheduling. Now residing in user space these features can be selected - or not - through applications depending on the user's needs. The system also is oriented toward hardware-based OS and application protection.

Flux's most unique feature - and its most promising attribute from a security viewpoint - is its ability to run processes in a nested fashion - one inside of the other - allowing parent processes to control the resources consumed by children grandchildren and so on including memory CPU and higher-level services.

Exokernel Traffic Cop

A second DARPA project the Exokernel project at the Massachusetts Institute of Technology likewise shrinks the kernel to an "absolute minimum " intending it to do nothing more than resource allocation hardware protection and fault isolation said Frans Kaashoek associate professor of electrical engineering. The focus is on "discretionary access control" systems rather than the rarefied "mandatory access control" systems he said.

Exokernel researchers "want to eliminate the overhead" of OS "abstractions " such as communications services file systems displays and other devices "and create a very thin kernel that acts as a traffic cop " said Gary Koob who manages DARPA's Operating Systems and Services subprogram.

Perhaps the most unique and important factor in this approach is its exposure of the hardware to application programs something that past operating systems have avoided religiously. If an application wants to display something on a screen it can write to it directly without going through an intermediate window manager for example.

Exokernel researchers have already implemented a World Wide Web server that has provided an order-of-magnitude performance increase on short files compared with that of Harvest a commercially available fast Unix Web server Kaashoek said.

In the Exokernel's security approach library OSes will "define their own abstractions with appropriate security models " Kaashoek said. Security developers would enjoy the fact that it is easier to write code that runs in user space than it is to write OS code because developers can use standard debuggers and other development tools.

The Spin project at the University of Washington Seattle is the third of the DARPA OS projects. It is aimed at higher performance by "customizing the kernel to the requirements of the application " Koob said. Under the Spin approach "users can write their own variations of kernel services and plug them into the kernel" at runtime.

Because these kernel extensions run in the kernel address space "they interact with the rest of the kernel not by way of messages but by way of [faster] direct procedure calls and memory sharing " explained Brian Bershad associate professor of computer science at Washington.

A key issue however is safety. "If you're letting people write code into the kernel how do you make sure that it doesn't do anything bad?" Koob asked.

The answer is twofold. First Spin requires kernel extensions - the parts of applications that reside in the kernel - to be written in Modula 3 which provides low-level protection by limiting the ways in which different types of data such as an integer can be manipulated.

Second higher-level security will leverage the work on "domain type enforcement" (DTE) by Trusted Information Systems Inc. Glenwood Md. in other DARPA-sponsored research Bershad said. DTE promises to allow system administrators to prescribe "the domains that can be active" on a machine and for each domain the resources that can be active he said.

Scouting Paths

The fourth DARPA effort Scout likewise customizes the operating system but for communications applications. Scout is built around a new concept called "path abstraction " said Larry Peterson professor of computer science at the University of Arizona Tucson.

"We're extending the path abstraction into the host OS so that everything from the wire to the operating system all the way to the application is designed around the same set of abstractions " Peterson said.

Scout attempts to combine different standardized components at system build time Koob said."It's not dynamically creating new parts of the OS but optimizing them" - via compiler techniques - to suit the needs of particular devices he added.

Focusing on communications functionality also "gives us a nice leverage on security " Peterson said. With Scout "you can define the secure attributes of a path and have a policy [tailored] to that path " he said.The final DARPA project dubbed Synthetix also attempts to increase performance by customizing the operating system - via compiler technology - to specific application requirements.

The Synthetix approach would build into an OS the option of using higher-performance code when certain assumptions are met. For example if it is assumed that only one person has access to a certain file the code that checks whether anyone else wants access could be eliminated.Adams is a free-lance writer based in Alexandria Va.