Similar literature
20 similar documents found; search took 484 ms
1.
In the context of operating system protection mechanisms, safety refers to the ability to decide whether some future sequence of command invocations can allow a subject to obtain certain rights to resources. In an earlier paper, a very large class of protection mechanisms, the so-called grammatical protection systems, was shown to possess a polynomial time algorithm for deciding the safety question. Those systems, however, did not permit the creation of new nodes. In this paper we show how relaxing some restrictions on grammatical systems with create operations results in a polynomial time algorithm generating an upper bound for the safety question.

2.
A capability is an unforgeable, unstealable ticket which allows access to an object in a computer system or network. In a single computer, hardware mechanisms can be used to implement capabilities; in a network, there can be many different kinds of computers, some or all of which may not have the necessary hardware to implement capabilities. However, it is possible to implement capabilities in a network using cryptography. Capability-based protection using secret-key cryptography is currently being implemented in LLNL's Octopus Network. The protection algorithms being implemented are explained in detail. Some hypothetical operating system kernel calls and their operation are shown. Actual performance measurements for the proposed cryptographic operations and operating system functions are presented. The trade-offs between performing the operations entirely in a host computer and performing them using an encryption unit attached to the host as a peripheral device are discussed.

3.
Communication infrastructures designed for mixed-critical MPSoCs must provide isolation of traffic, hard real-time guarantees, and fault-tolerance. In previous work, we proposed the combination of protection switching with a hybrid Time-Division-Multiplexed (TDM) and packet-switched Network-on-Chip (NoC) to achieve all three goals. In this paper, we present an FPGA implementation of such a NoC with all its features. We give synthesis results for the hybrid NoC, including the network interface, and show that our router uses over 32% fewer LUTs and registers than a competitive state-of-the-art router for mixed-critical MPSoCs. We then explore different channel and task mapping strategies for critical applications which use protection switching and evaluate the effect these mappings have on the best-effort (BE) traffic in the system. Results show that spreading out the critical traffic rather than naively dividing the system into critical and non-critical application domains is advantageous or even necessary in many cases and can allow for up to 13% more BE traffic. We give a comprehensive trade-off analysis of three protection switching schemes—1:n, 1:1, and 1+1—and show that 1+1 protection has less than half the worst-case latency for critical traffic than 1:n and 1:1 protection have. At the same time, 1+1 protection, on average, only causes a 1.18% earlier saturation rate for BE traffic, which we consider to be affordable. We conclude that 1+1 protection is ideally suited for use in mixed-critical systems with high safety requirements.

4.
We study an M/G/1 queueing system with a server that can be switched on and off. The server can take a vacation time T after the system becomes empty. In this paper, we investigate a randomized policy to control the server: when the system is empty, the server is switched off with probability p and takes a vacation, or is left on with probability (1 − p) and continues to serve the arriving customers. For this system, we consider the operating cost and the holding cost, where the operating cost consists of the system running and switching costs (start-up and shut-down costs). We describe the structure and characteristics of this policy and solve a constrained problem to minimize the average operating cost per unit time under a constraint on the holding cost per unit time.

5.
Unified security enhancement framework for the Android operating system (total citations: 1, self-citations: 0, citations by others: 1)
Nowadays there are many malicious applications that collect sensitive information owned by third-party applications by escalating their privileges to a higher level on the Android operating system. An attack that obtains root-level privilege in the Android operating system can be a serious threat to users because it can break down the security of the whole system. This paper proposes a new Android security framework that can meet the following three goals: (1) preventing privilege escalation attacks, (2) maintaining system integrity, and (3) protecting users' personal information. To achieve these goals, our proposed framework introduces three mechanisms: Root Privilege Protection (RPP), Resource Misuse Protection (RMP), and Private Data Protection (PDP). RPP keeps track of a list of trusted programs with root-level privileges and can detect and respond to malware that illegally tries to acquire root-level privileges by exploiting system-level vulnerabilities. RMP keeps track of a list of critical system resources and can protect system resources from illegal manipulation by malicious applications. PDP keeps personal information safe by enforcing strict access controls so that even privileged applications cannot access users' private data if the applications violate the least privilege rule. The framework is verified by experiments on the Android operating system, which show that our framework achieves the goals with a processing overhead of 25.33 % on average.

6.
As the architecture of information and communication systems grows increasingly complex and the volume of data they carry grows exponentially, existing security protection systems show serious deficiencies: building the network first and adding protection afterwards leaves protection inadequate; the centralized defence model severely degrades the information system's ability to serve external users; and the weak correlation between the defence mechanisms and the actual security state of the information system leads to low defensive effectiveness. How to break through these bottlenecks at their root has become the core problem of future information system security; it requires moving away from passive defence and implementing active...

7.
Traditional operating system security defence methods are flawed: they rely on static firewalls, virus databases, security rules and similar means to resist dynamic intrusions, which is inefficient. Recently, computer experts have drawn on the biological mechanism of acquired immunity and introduced artificial immune systems into operating system defence, achieving some improvement. However, this approach has a limited recognition range, is time-consuming, and has no defence against anomalies it has never encountered, such as unknown viruses. Therefore, drawing on another important mechanism of biological immunity, innate immunity, this paper proposes an innate-immunity defence method for operating systems: by setting up an innate immune layer, defining basic cells and constructing digital macrophages, it dynamically monitors and protects against abnormal changes in the operating system.

8.
Elmwood is an object-oriented, multiprocessor operating system designed and implemented during a graduate seminar. It consists of a minimal kernel and a collection of user-implemented services. The kernel provides two major abstractions: objects, which consist of code and data, and processes, which represent asynchronous activity. Objects, like programs, are passive. To operate on an abstraction or to request a service, processes invoke an entry procedure defined by the corresponding object. Objects implement their own protection and synchronization policies using minimal kernel mechanisms. We describe the Elmwood kernel interface, an implementation on the BBN Butterfly parallel processor, and our experiences in developing a multiprocessor operating system under rigid time constraints. These experiences illustrate several general lessons regarding kernel design and trade-offs for implementation expedience.

9.
To design the highly trustworthy safety-critical real-time operating system CRTOS2.0, and building on an analysis of the trustworthiness assurance mechanisms of existing operating systems, a new idea of constructing a safety-critical real-time operating system on temporal and spatial isolation protection mechanisms is proposed. The purpose of spatial isolation protection is to prevent programs in different address spaces from performing illegal reads and writes across their boundaries, whether unintentionally or maliciously; the purpose of temporal isolation protection is to prevent a program from monopolizing the processor for a long time or overrunning its time budget and thereby blocking or delaying the execution of other programs. To realize the temporal isolation protection mechanism, a new implementation method based on two-level scheduling is proposed, improving on the traditional processor capacity reservation mechanism. The proposed temporal and spatial isolation protection mechanisms can fundamentally enhance the trustworthiness of safety-critical real-time operating systems.

10.
We study an m-phase queueing system without buffers, operating in discrete time. The input flow is Bernoulli with parameter a. Service times in server i have a geometric distribution with parameter b_i. A customer trying to enter a server at an instant when it is busy is lost. A system of equilibrium equations and recurrence relations for its coefficients are obtained, which enable us to formulate an algorithm for constructing the system. Recurrence formulas for computation of the empty-system probability and some other performance characteristics of the system are determined. The problem of optimal allocation of the servers is studied numerically.

11.
As software and software-intensive systems are becoming increasingly ubiquitous, the impact of failures can be tremendous. In some industries such as aerospace, medical devices, or automotive, such failures can cost lives or endanger mission success. Software faults can arise due to the interaction between the software, the hardware, and the operating environment. Unanticipated environmental changes lead to software anomalies that may have significant impact on the overall success of the mission. Latent coding errors can trigger faults at any time during system operation, despite the fact that usually a significant effort has been expended in verification and validation (V&V) of the software system. Nevertheless, it is becoming increasingly apparent that pre-deployment V&V is not enough to guarantee that a complex software system meets all safety, security, and reliability requirements. Software Health Management (SWHM) is a new field that is concerned with the development of tools and technologies to enable automated detection, diagnosis, prediction, and mitigation of adverse events due to software anomalies while the system is in operation. The prognostic capability of SWHM to detect and diagnose failures before they happen will yield safer and more dependable systems for the future. This paper addresses the motivation, needs, and requirements of software health management as a new discipline and motivates the need for SWHM in safety-critical applications.

12.
IoT devices are constrained by energy consumption, computing power and other factors, and therefore typically run lightweight operating systems with simplified security protection mechanisms; as a result, the operating system's protection capability is insufficient and is more easily broken through by user-mode programs. To strengthen operating system isolation, existing protection methods usually restrict the kinds of system calls an application may invoke, allowing it only the system calls it needs to run, thereby shrinking the operating system's attack surface. However, existing dynamic and static program analysis methods cannot accurately determine the system calls a target program depends on. Dynamic tracing, which records the system calls triggered while the program executes, obtains only a subset of the program's required system calls, so access control based on it may interfere with the program's normal execution. Static analysis typically constructs the control-flow graph of the program and its dependent libraries and analyses the reachable system calls, but because static analysis cannot build the control-flow graph precisely, it yields only a superset of the required system calls, introducing redundant system calls into the access control and leaving the operating system's attack surface still large. To address the usability and precision problems faced by existing system-call access control, this paper studies a multi-level kernel access control method: on top of existing system-call access control, it introduces access control for dynamically linked libraries and proposes a multi-level coordinated dynamic security analysis mechanism that uses dynamic analysis to exclude the extra system calls introduced by imprecise static analysis, further reducing the attack surface of the IoT system and improving the isolation capability and security of IoT devices. Experimental results show that, compared with existing kernel access control methods, the proposed method can defend against more vulnerabilities while introducing lower runtime overhead.

13.
In today's digital world, privacy issues have received widespread public attention. Current research on information privacy protection focuses on release control and subject identity obscurity. Little work has been done, however, to prevent a piece of private information from being misused after that information has been released to external entities. This paper focuses on information privacy protection in the post-release phase. Without entirely depending on the information collector, an information owner is provided with powerful means to control and audit how his/her released information will be used, by whom, and when. The goal is to minimize the asymmetry of information flow between an information owner and an information collector. A set of innovative owner-controlled privacy protection and violation detection techniques is proposed: Self-destroying File, Mutation Engine System, Automatic Receipt Collection, and Honey Token-based Privacy Violation Detection. A next-generation privacy-enhanced operating system, which supports the proposed mechanisms, is introduced. Such a privacy-enhanced operating system represents a technical breakthrough, offering new features to existing operating systems. We discuss the functionalities of such an operating system and the design guidelines. To the best of our knowledge, no similar technical work has been found to provide post-release information privacy protection.

14.
A user operating an interactive system performs actions such as "pressing a button", and these actions cause state transitions in the system. However, to perform an action, a user has to do what amounts to a state transition themselves, from the state of having completed the previous action to the state of starting to perform the next action; this user transition is out of step with the system's transition. This paper introduces action graphs, an elegant way of making user transitions explicit in the arcs of a graph derived from the system specification. Essentially, a conventional transition system has arcs labelled in the form "user performs action A", whereas an action graph has arcs labelled in the form "having performed action P, the user performs Q." Action graphs support many modelling techniques (such as GOMS, KLM or shortest paths) that could have been applied to the user's actions or to the system graph, but because they combine both, the modelling techniques can be used more powerfully. Action graphs can be used to directly apply user performance metrics and hence perform formal evaluations of interactive systems. Fitts' Law is one of the simplest and most robust of such user modelling techniques, and is used as an illustration of the value of action graphs in this paper. Action graphs can help analyze particular tasks, any sample of tasks, or all possible tasks a device supports—which would be impractical for empirical evaluations. This is an important result for analyzing safety-critical interactive systems, where it is important to cover all possible tasks in testing even when doing so is not feasible using human participants because of the complexity of the system. An algorithm is presented for the construction of action graphs. Action graphs are then used to study devices (a consumer device, a digital multimeter, an infusion pump) and results suggest that optimal time is correlated with keystroke count, and that keyboard layout has little impact on optimal times. Many other applications of action graphs are suggested.

15.
This paper proposes, from the economical viewpoint of preventive maintenance in reliability theory, several preventive maintenance policies for an operating system that works for jobs at random times and is imperfectly maintained upon failure. As a failure occurs, the system suffers one of two types of failure based on a specific random mechanism: type-I (repairable) failure is rectified by a minimal repair, and type-II (non-repairable) failure is removed by a corrective replacement. First, a modified random and age replacement policy is considered in which the system is replaced at a planned time T, at a random working time, or at the first type-II failure, whichever occurs first. Next, as one extended model, the system may work continuously for N jobs with random working times. Finally, as another extended model, we might consider replacing an operating system at the first working time completion over a planned time T. For each policy, the optimal schedule of preventive replacement that minimizes the mean cost rate is presented analytically and discussed numerically. Because the framework and analysis are general, the proposed models extend several existing results.

16.
S. Antonelli, G. Iazeolla. Calcolo, 1979, 16(2):143-156
This paper proves that capability-based protection systems yield interesting algebraic structures, in terms of which the properties of protection systems can be formally analyzed. Map tables, used in segmented virtual memories to map processes' name spaces into the system memory space, are first proved to define a partially ordered set which is a distributive lattice. Based on this property, an efficient algorithm is then introduced for the detection of protection faults. The paper shows that substitute, more efficient methods of protection-fault detection (different from classical ones, but still operating in polynomial time) can be introduced when the mathematical properties of the system are exploited.

17.
Many modern extensible systems, such as Java and the SPIN operating system, depend on type safety for memory protection. Unfortunately, current type-safe languages do not support systems programming well, because they do not give programmers the ability to deal with untyped data easily. In particular, they do not support the ability to cast between untyped data and language-level types. We describe a powerful, type-safe cast operator that helps programmers write low-level systems code in type-safe languages. We have implemented this operator in Modula-3 for the SPIN operating system, and we give specific examples of how we use it in SPIN. © 1998 John Wiley & Sons, Ltd.

18.
Several adaptive systems have been proposed that are based on the concepts of smart cities, which can be successfully adapted to natural disasters or other public safety concerns. Since these systems are embedded in a critical and dynamic environment, it is essential to have an infrastructure that is capable of providing real-time environmental information. This paper discusses two research questions that arise from adaptive ubicomp systems: (i) what are the key requirements to provide a reliable WSN-based system (e.g. a river monitoring system)? and (ii) how can an adaptable and reliable WSN-based system be developed? This paper seeks to respond to the former question with the aid of the RESS standard platform. The latter question is answered by employing a generic approach for adaptation. The term "critical systems" means that any error may result in the loss of human life. We devised the RESS standard after deploying the WSN-based river monitoring system in Brazil for five years. Our prototype underwent several trials, sometimes leading to failure or damage, before we came up with a more reliable solution, which is outlined in this article. Finally, while our RESS platform is policy-free, it is extensible/adaptable and hence can naturally be adapted to new policies.

19.
A terminal document security protection system with file protection capability is designed and implemented. Technically, it combines the kernel and the application layer to implement transparent encryption and decryption of documents: functional control is implemented in the kernel layer, while the corresponding permission control and policy formulation are implemented in the application layer. In the operating system kernel, processes that access electronic documents are audited and controlled, and file system filter driver technology is used to block reads of documents by illegitimate processes. Only client users who hold access rights and have the system installed can read encrypted electronic documents normally, which eliminates the possibility of electronic document leakage and achieves secure management of electronic documents.

20.
Control software is often the core of a safety-critical system, and its correctness plays a crucial role in system safety. However, because the environment a system faces is increasingly complex, it is impossible at design time to anticipate every environmental change the software may encounter, and system safety faces new challenges. It is therefore very important, during the software maintenance phase, to incrementally enhance software safety with environmental change as the focus. Context-Oriented Programming (COP) is precisely a programming method centred on the runtime context of software. Existing runtime mechanisms supporting COP allow a system to adjust its behaviour dynamically according to precise context information, but some context-triggered behaviour adjustments interrupt the ongoing operation of the system's actuators, and for this class of contexts, which affect actuator behaviour, existing COP runtime mechanisms do not yet provide an effective handling method. Based on existing COP methods, this paper presents a programming model for enhancing control-software safety based on saving and restoring software context, implements the corresponding runtime support and programming tools on the LegoNXT controller, and preliminarily validates the soundness of the programming model through a safety enhancement case study of a product sorting system.


Copyright © Beijing Qinyun Technology Development Co., Ltd. 京ICP备09084417号