Jon A. Solworth

Write-only disk caches

With recent declines in the cost of semiconductor memory and the increasing need for high performance I/O disk systems, it makes sense to consider the design of large caches. In this paper, we consider the effect of caching writes. We show that cache sizes in the range of a few percent allow writes to be performed at negligible or no cost and independently of locality considerations.

Doubly distorted mirrors

Traditional mirrored disk systems provide high reliability by multiplexing disks. Performance is improved with parallel reads and shorter read seeks. However, writes must be performed by both disks, limiting performance. Doubly distorted mirrors increase the number of physical writes per logical write from 2 to 3, but performs logical writes more efficiently. This reduces the cost of a random logical write to 1/3 of the cost of a read. Moreover, much of the write cost can be absorbed in the rotational latency of the reads, performing under certain conditions all the writes for free. Doubly distorted mirrors achieves a 135% performance improvement over traditional mirrors in the TP1 benchmark. Although these techniques require a disk cache for writes, the cache need not be safe nor is recovery time impacted very much.

A layered design of discretionary access controls with decidable safety properties

An access control design can be viewed as a three layered entity: the general access control model; the parameterization of the access control model; and the initial users and objects of the system before it goes live. The design of this three-tiered mechanism can be evaluated according to two broad measures, the expressiveness versus the complexity of the system. In particular, the question arises: What security properties can be expressed and verified? We present a general access control model which can be parameterized at the second layer to implement (express) any of the standard Discretionary Access Control (DAC) models. We show that the safety problem is decidable for any access control model implemented using our general access control model. Until now, all general access control models that were known to be sufficiently expressive to implement the full range of DAC models had an undecidable safety problem. Thus, given our model all of the standard DAC models (plus many others) can be implemented in a system in which their safety properties are decidable.

MinimaLT: minimal-latency networking through better security

MinimaLT is a new network protocol that provides ubiquitous encryption for maximal confidentiality, including protecting packet headers. MinimaLT provides server and user authentication, extensive Denial-of-Service protections, privacy-preserving IP mobility, and fast key erasure. We describe the protocol, demonstrate its performance relative to TLS and unencrypted TCP/IP, and analyze its protections, including its resilience against DoS attacks. By exploiting the properties of its cryptographic protections, MinimaLT is able to eliminate three way handshakes and thus create connections faster than unencrypted TCP/IP.

The complexity of discretionary access control

A recent paper presented an access control scheme for discretionary access controls with a decidable safety problem. This paper deals with the complexity analysis of that access control, and finds it to be, in its worst cases, PSPACE-complete, but polynomial time for practical cases. The PSPACE-hardness reduction uses the theory of succinct problems in a more general manner than circuit representation.

Security Property Based Administrative Controls

Access control languages which support administrative controls, and thus allow the ordinary permissions of a system to change, have traditionally been constructed with first order predicate logic or graph rewriting rules. We introduce a new access control model to implement administrative controls directly in terms of the security properties – we call this Security Property Based Administrative Controls (SPAC).

Application security support in the operating system kernel

Application security is typically coded in the application. In kernelSec, we are investigating mechanisms to implement application security in an operating system kernel. The mechanisms are oriented towards providing authorization properties, and this goal drives the design of permissions and protection mechanisms.The resulting system is dynamic, allowing the set of permissions for a program to evolve during program execution. This reduces the need for users and applications to be aware of protection mechanism, since the protection mechanism provides the user with more freedom in how they do things. We explore these properties through a number of examples.KernelSec also supports a group (role) mechanism which can define constrained groups enabling groups which only grow, only shrink, are constant, are mutually exclusive with other groups, and which allow inheritance. Moreover groups are used to regulate group membership and allow group administration by non-privileged users.

Instant Revocation

PKI has a history of very poor support for revocation. It is both too expensive and too coarse grained, so that private keys which are compromised or otherwise become invalid remain in use long after they should have been revoked. This paper considers Instant Revocation, or revocations which take place within a second or two. A new revocation scheme, Certificate Push Revocation (CPR)is described which can support instant revocation. CPR can be hundreds to thousands of times more Internet-bandwidth efficient than traditional and widely deployed schemes. It also achieves significant improvements in cryptographic overheads. Its costs are essentially independent of the number of queries, encouraging widespread use of PKI authentication. Although explored in the context of instant revocation, CPR is even more efficient--both in relative and absolute terms--when used with coarser grain (non-instant) revocations.

Arbitrary Order Operations on Trees

We consider techniques for the large scale parallel execution of algorithms on trees. We show that there is much parallelism in these algorithms, and introduce efficient means to exploit this parallelism. In particular, arbitrary order operations on trees are considered. An execution of a set arbitrary order operations must be equivalent to some sequential execution of a permutation of these operations.

Distorted mapping techniques to achieve high performance in mirrored disk systems

Mirrored disk systems provide high reliability by multiplexing disks. Performance is improved with parallel reads and shorter read seeks. However, writes must be performed by both disks, limiting performance. We introducedistorted mirrors, a mirroring system which combineswrite anywhere semantics with traditional database-specified block locations. This technique radically reduces the cost of small writes, making it attractive for random access applications such as OLTP, while retaining the ability to efficiently perform large sequential accesses. Distorted mirrors also scale better than traditional mirrors in terms of both disk caching and large mirrored sets. We show the effectiveness of distorted mirrors on the TP1 benchmark.