Nayeem Islam

Designing and implementing Choices : an object-oriented system in C++

We describe our experiences in constructing Choices and a design methodology that extends existing design approaches by explicitly encouraging specialization, as well as design and code reuse. Although many operating system techniques and designs are well documented, few object-oriented operating systems exist and have been described. SOS [23], CHORUS [18], and Apertos [26] are other examples of object-oriented operating systems. None of the descriptions of the design of these operating systems provide a methodology for design reuse or describe how the design methodology may be used in conjunction with prototyping

Flexible control of downloaded executable content

We present a security architecture that enables system and application a ccess control requirements to be enforced on applications composed from downloaded executable content. Downloaded executable content consists of messages downloaded from remote hosts that contain executables that run, upon receipt, on the downloading principals machine. Unless restricted, this content can perform malicious actions, including accessing its downloading principals private data and sending messages on this principals behalf. Current security architectures for controlling downloaded executable content (e.g., JDK 1.2) enable specification of access control requirements for content based on its provider and identity. Since these access control requirements must cover every legal use of the class, they may include rights that are not necessary for a particular application of content. Therefore, using these systems, an application composed from downloaded executable content cannot enforce its access control requirements without the addition of application-specific security mechanisms. In this paper, we define an access control model with the following properties: (1) system administrators can define system access control requirements on applications and (2) application developers can use the same model to enforce application access control requirements without the need for ad hoc security mechanisms. This access control model uses features of role-based access control models to enable (1) specification of a single role that applies to multiple application instances; (2) selection of a contents access rights based on the contents application and role in the application; (3) consistency maintained between application state and content access rights; and (4) control of role administration. We detail a system architecture that uses this access control model to implement secure collaborative applications. Lastly, we describe an implementation of this architecture, called the Lava security architecture.

Choices, frameworks and refinement

Presents a method for designing operating systems using object-oriented frameworks. A framework can be refined into subframeworks. Constraints specify the interactions between the subframeworks. The authors describe how they used object-oriented frameworks to design Choices, an object-oriented operating system.<<ETX>>

Achieved IPC performance (still the foundation for extensibility)

Extensibility can be based on cross-address-space interprocess communication (IPC) or on grafting application-specific modules into the operating system. For comparing both approaches, we need to explore the best achievable performance for both models. This paper reports the achieved performance of cross-address-space communication for the L4 microkernel on Intel Pentium, Mips R4600 and DEC Alpha processors. The direct costs range from 45 cycles (Alpha) to 121 cycles (Pentium). Since only 2.3% of the L1 cache are required (Pentium), the average indirect costs are not to be expected much higher.

A technique for documenting the framework of an object-oriented system

The paper presents techniques for documenting the design of frameworks for object-oriented systems and applies the approach to the design of a configurable message passing system. The technique decomposes a framework into six concerns: the class hierarchy, protocols, control flow, synchronization, entity relationships and configurations of the system. An abstract description of each concern is specified using standard notations. Subtyping is used to ensure that the abstract specifications apply to the abstract classes, concrete classes, and instances of the system. The message passing framework documented with these techniques is general, portable, and efficient. It supports parallel message based applications on both tightly coupled shared memory architectures and loosely coupled distributed memory architectures. The message passing system framework has been coded in C++, runs on the Choices operating system, and has been benchmarked on a system of Encore Multimax 320 tightly-coupled multiprocessors. The system is being implemented on a network of SUN SPARCstation 2s.<<ETX>>

MOCA: a service framework for mobile computing devices

MOCA is an adaptable service framework targeting mobile computing devices with limited memory footprint. TO ensure portability across a large spectrum of these devices, it is written in Java.%4OCA is based on the notion of serrices, and assumes that applications can be decomposed into sets of cooperating services. A service is a loadable software component that performs a specific function such as data encryption or caching. The MOCA framework is composed of a service registry and a set of essential services. The registry provides life-cycle management qf services including dynamic registration and look-up. Essential services, stored on the device, provide the minimum functionality required to establish a generic secure computing environment on top of a Java Virtual Machine (JVM). In particular, MOCA securely supports multiple applications as well as optional services running on a single JVM. Optional services and applications can reside locally on the device or be dynamically downloaded from remote locations. MOCA also allows a device to adapt to its environment by enabling dynamic discovery and registration of remote services published by surrounding devices. A single mechanism is used to support both local and remote services, which allows a device to access remote services on other devices as if these services were local to the device itself. Unique features of MOCA include a distributed service discovery model, use of a single registry for both local and remote services, and a lazy service loading policy that minimizes memory consumption. keywords: component software, service framework, service discovery, mobile device, Java

Extensible resource management for cluster computing

Advanced general purpose parallel systems should be able to support diverse applications with different resource requirements without compromising effectiveness and efficiency. We present a resource management model for cluster computing that allows multiple scheduling policies to co-exist dynamically. In particular, we have built Octopus, an extensible and distributed hierarchical scheduler that implements new space sharing, gang scheduling and load sharing strategies. A series of experiments performed on an IBM SP2 suggest that Octopus can effectively match application requirements to available resources, and improve the performance of a variety of parallel applications within a cluster.

An essential design pattern for fault-tolerant distributed state sharing

vpvpv pvpvp vpvpv pvpvp vpvpv pvpvp vpvpv pvpvp vpvpv pvpvp N a y e e m I s l a m a n d M u r t h y D e v a r a k o n d a An EssentialDesign Pattern for Fault-Tolerant Distributed State Sharing Because developers of distributed programs focus on performance and fault tolerance, distributed design patterns should highlight these aspects of their solutions. One such OO design pattern—the Recoverable Distributor—allows mixing and matching of fault-tolerance and data-consistency protocols and has been used in a distributed scheduler and a distributed lock manager.

Dynamic Partitioning in Different Distributed-Memory Environments

In this paper we present a detailed analysis of dynamic partitioning in different distributed-memory parallel environments based on experimental and analytical methods. We develop an experimental test-bed for the IBM SP2 and a network of workstations, and we apply a general analytic model of dynamic partitioning. This experimental and analytical framework is then used to explore a number of fundamental performance issues and tradeoffs concerning dynamic partitioning in different distributed-memory computing environments. Our results demonstrate and quantify how the performance benefits of dynamic partitioning are heavily dependent upon several system variables, including workload characteristics, system architecture, and system load.

Preventing denial-of-service attacks on a /spl mu/-kernel for WebOSes

A goal of World Wide Web operating systems (WebOSes) is to enable clients to download executable content from servers connected to the World Wide Web (WWW). This will make applications more easily available to clients, but some of these applications may be malicious. Thus, a WebOS must be able to control the downloaded contents behavior. We examine a specific type of malicious activity: denial of service attacks using legal system operations. A denial of service attack occurs when an attacker prevents other users from performing their authorized operations. Even when the attacker may not be able to perform such operations. Current systems either do little to prevent denial of service attacks or have a limited scope of prevention of such attacks. For a WebOS, however, the ability to prevent denial of service should be an integral part of the system. We are developing a WebOS using the L4 /spl mu/ kernel as its substrate. We evaluate L4 as a basis of a system that can prevent denial of service attacks. In particular, we identify the /spl mu/ kernel related resources which are subject to denial of service attacks and define /spl mu/ kernel mechanisms to defend against such attacks. Our analysis demonstrates that system resource utilization can be managed by trusted user level servers to prevent denial of service attacks on such resources.