Distributed operating systems
In the past five years, distributed operating systems research has gone through a consolidation phase. On a large number of design issues there is now considerable consensus between different research groups.

In this paper, an overview of recent research in distributed systems is given. In turn, the paper discusses overall system structure, protection issues, file system designs, problems and solutions for fault tolerance, and a mechanism that is rapidly becoming very important for efficient distributed systems design: hints.

An attempt was made to provide sufficient references to interesting research projects for the reader to find material for more detailed study.
Trusting in computer systems
We need to be able to reason about large systems, and not just about their components. For this we would like to have conceptual tools that will help us to understand the behaviour of these systems, and to help us make sense of other, possibly conflicting, views.
In this dissertation we have sought to indicate the need for a new methodology that will allow us to better identify and understand those areas of possible conflict or lack of knowledge, and we have looked for ways to improve the design of computer-based systems in a practical manner that can be readily understood and applied.
In particular, we have taken the concept of trust and how this can help us understand some of the basic security aspects of a system. We have paid particular attention to the nature and type of assumptions that are made both within and between computer systems when they seek to communicate with each other.
The work contained in this dissertation has been motivated by a belief that the design and implementation of many computer-based systems in operation today do not meet the needs of users and operators; and by a strong desire to identify ways in which the design and engineering of such systems can be improved.
We note that many assumptions are frequently made on a de facto basis and which are frequently not acknowledged or even recognised for what they are. We show that an incomplete understanding of what is being assumed, relied upon and trusted can lead to an inadequate understanding of true vulnerabilities of systems. We examine various trust aspects of systems and introduce a definition of trust that we believe can help towards a greater understanding of system weaknesses.
We propose that a system is examined in a manner that analyses the conditions under which it has been designed to perform, examines the circumstances under which it has been implemented, and then compares the two. We believe such an approach to be essential since we have (sadly) seldom found in our experience the two situations to be the same. It is unfortunately all too common to find the application of a design for one context being inappropriately implemented in another. We are proposing that anyone planning the design of a system or part of a system should look at it from the point of view of each of the participants, and that this should include all of the components, including users and implementers, to see what they are relying on and to make sure that these assumptions are compatible.
We look at this problem from the approach of what is being trusted in a system, or what a system is being trusted for. We start from some approaches developed in a (military) security context and in widespread use in commercial distributed systems, and demonstrate how the inappropriate application of this concept can lead to unanticipated risks to the system.
We show how the usual use of trust as a system property can restrict the ability to reason about the security properties of a system; and we introduce a new notion of trust that we show is more fruitful for the analysis of the risk characteristics of systems. In particular, we show how, in contrast, our approach can be applied to the analysis of subsystems and systems components.
We propose that trust be considered a "relative" concept, in contrast to the more usual usage, and that it is not the result of knowledge but a substitute for it. We show that although the concepts arose in a security domain, they are equally applicable to the analysis of assumption and risk throughout a system and its components. In contrast to the standard use of trust as a property of a system, our notion of trust applies only within the context of a specific viewpoint from which to judge risks. We argue that it is only after the introduction of a specific context from which trust is to be judged, that we can understand many of the intrinsic vulnerabilities of a distributed system.
We have introduced the concept of there being more than one viewpoint from which to describe the behaviour of a system, and therefore the trust relationships that pertain. The utility of this concept lies in its ability to enable the nature of the risks associated with a specific participant to be measured, whether these are explicitly recognised and accepted by them, or not.
We propose a distinction between trust and trustworthy, and demonstrate that most current uses of the term trust are more appropriately to be viewed as statements of trustworthiness. In particular we propose that trust is more properly understood and used as a substitute for knowledge, rather than the traditional "Orange Book" [DOD85] concept of it being the result of knowledge, where something is trusted if it exists within the security boundary of the system and can violate the security policy of the system.
Digitisation of this thesis was sponsored by Arcadia Fund, a charitable fund of Lisbet Rausing and Peter Baldwin
The construction of recoverable multi-level systems
PhD Thesis
Systems structures and data structures which make possible the state restoration of user objects are described in this thesis. Recovery is linked with types, which suggests making a distinction between recoverable and unrecoverable types. For convenience, recovery is discussed in terms of recovery blocks as developed at the University of Newcastle upon Tyne. Recovery is taken to mean restoring the values of recoverable types.
Recoverable multi-level systems are considered. On the one hand, levels in such systems can be backed out. On the other hand, these levels provide explicit recovery for new types they introduce, and so can be called on to restore states of objects used in higher levels. The concepts and issues are discussed and explained; mechanisms and techniques for building such systems are presented.
Recovery techniques for complex global data structures, and techniques to maintain consistency at any time, even when recovery is impossible such as after a crash, are described and compared.
Many of the presented techniques are employed in an implemented recoverable two-level system, with a recoverable filing system. This two-level system is described in detail.
It is argued that in order to implement recoverability in multi-level systems with efficiency and flexibility, the interfaces of the system should provide both recoverable and unrecoverable types.
It is also shown that the way in which complex data structures are updated is of major importance if recovery is to be provided in a "reasonably" efficient way and consistency is to be guaranteed after a crash.
Netherlands Organisation for the Advancement of Pure Research
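The abstract above rests on two ideas from the Newcastle recovery-block scheme: a block of the form "ensure acceptance test by primary else by alternate else error", and a split between recoverable types (whose prior values the mechanism saves on entry and restores on back-out) and unrecoverable types (side effects that nothing can undo). The following is an added illustration written for this page; it is not code from the thesis or from the Newcastle project. The class names (Recoverable, Unrecoverable, RecoveryBlock), the deliberately broken "fast" sort used as the primary alternate, and the sample data are all constructed for the example.

```python
"""Recovery block with recoverable and unrecoverable state (illustrative example,
not the thesis's implementation; all names and data here are constructed)."""
import copy
from collections import Counter
from typing import Any, Callable, Iterable


class RecoveryError(Exception):
    """Every alternate of a recovery block failed its acceptance test."""


class Recoverable:
    """A recoverable type: its value is saved on entry to a recovery block
    and restored whenever the block is backed out."""

    def __init__(self, value: Any) -> None:
        self.value = value


class Unrecoverable:
    """An unrecoverable type: an append-only record of side effects that the
    recovery mechanism never undoes (messages already sent, lines printed)."""

    def __init__(self) -> None:
        self.log: list[str] = []

    def emit(self, msg: str) -> None:
        self.log.append(msg)


class RecoveryBlock:
    """ensure <acceptance_test> by <alternates[0]> else by <alternates[1]> ... else error"""

    def __init__(self, acceptance_test: Callable[[], bool],
                 alternates: Iterable[Callable[[], None]]) -> None:
        self.acceptance_test = acceptance_test
        self.alternates = list(alternates)

    def run(self, recoverables: Iterable[Recoverable]) -> int:
        """Try alternates in order; return the index of the first one whose
        result passes the acceptance test. Before each retry the recoverable
        objects are reset from the recovery cache; unrecoverable state is not."""
        # Recovery cache: prior value of every recoverable object, taken on entry.
        cache = [(obj, copy.deepcopy(obj.value)) for obj in recoverables]
        for index, alternate in enumerate(self.alternates):
            try:
                alternate()
                if self.acceptance_test():
                    return index  # commit: the cache is simply discarded
            except Exception:
                pass  # a crash inside an alternate counts as a failed alternate
            for obj, old in cache:  # back out this alternate
                obj.value = copy.deepcopy(old)
        # Leaving with the entry state restored lets an enclosing level back out further.
        raise RecoveryError("no alternate satisfied the acceptance test")


def insertion_sort(items: list[int]) -> list[int]:
    out = list(items)
    for i in range(1, len(out)):
        key, j = out[i], i - 1
        while j >= 0 and out[j] > key:
            out[j + 1] = out[j]
            j -= 1
        out[j + 1] = key
    return out


def demo() -> tuple[int, list[int], list[str]]:
    """Sort a list inside a recovery block. The primary alternate is a
    deliberately broken "fast" sort that also performs an unrecoverable side
    effect; the second alternate is a correct but slower sort."""
    data = Recoverable([5, 3, 9, 1, 3])   # constructed sample input
    original = list(data.value)
    console = Unrecoverable()

    def primary() -> None:
        console.emit("primary: fast path attempted")  # survives the back-out
        data.value = data.value[::-1]                  # bug: reversal is not a sort

    def secondary() -> None:
        console.emit("secondary: insertion sort")
        data.value = insertion_sort(data.value)

    def accept() -> bool:
        v = data.value
        ordered = all(v[i] <= v[i + 1] for i in range(len(v) - 1))
        same_multiset = Counter(v) == Counter(original)
        return ordered and same_multiset

    chosen = RecoveryBlock(accept, [primary, secondary]).run([data])
    return chosen, data.value, console.log


def demo_total_failure() -> list[int]:
    """Every alternate fails: the block raises, but the recoverable object is
    back at its entry value, so a higher level can continue backing out."""
    data = Recoverable([2, 1])

    def bad() -> None:
        data.value = [9, 9]

    try:
        RecoveryBlock(lambda: False, [bad, bad]).run([data])
    except RecoveryError:
        pass
    return data.value
```

Running demo() shows the point of the type distinction: the list is restored before the second alternate runs, so the correct sort starts from the entry state, but the console log still records the primary's attempt because nothing can unsend it. demo_total_failure() shows the other half of the abstract's argument: when a level cannot recover, it still hands its caller the entry state rather than a half-updated one.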
A Primer for the Act-1 Language
This document is intended to describe the current design for the computer programming language Act-1. It describes the Actor computational model, which Act-1 was designed to support. A perspective is provided from which to view the language, with respect to existing computer language systems and to the computer system and environment under development for support of the language. The language is informally introduced in a tutorial fashion and demonstrated through examples. A programming strategy for the language is described, further illustrating its use.
MIT Artificial Intelligence Laboratory
The exokernel operating system architecture
Thesis (Ph.D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1999.
Includes bibliographical references (p. 115-120).
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.
On traditional operating systems only trusted software such as privileged servers or the kernel can manage resources. This thesis proposes a new approach, the exokernel architecture, which makes resource management unprivileged but safe by separating management from protection: an exokernel protects resources, while untrusted application-level software manages them. As a result, in an exokernel system, untrusted software (e.g., library operating systems) can implement abstractions such as virtual memory, file systems, and networking. The main thrusts of this thesis are: (1) how to build an exokernel system; (2) whether it is possible to build a real one; and (3) whether doing so is a good idea. Our results, drawn from two exokernel systems [25, 48], show that the approach yields dramatic benefits. For example, Xok, an exokernel, runs a web server an order of magnitude faster than the closest equivalent on the same hardware, common unaltered Unix applications up to three times faster, and improves global system performance up to a factor of five. The thesis also discusses some of the new techniques we have used to remove the overhead of protection. The most unusual technique, untrusted deterministic functions, enables an exokernel to verify that applications correctly track the resources they own, eliminating the need for it to do so. Additionally, the thesis reflects on the subtle issues in using downloaded code for extensibility and the sometimes painful lessons learned in building three exokernel-based systems.
by Dawson R. Engler.
Ph.D.
Network Management and High-Speed Communication. Part XVII (Netzwerkmanagement und Hochgeschwindigkeits-Kommunikation, Teil XVII)
This internal report contains the contributions to the seminar "Network Management and High-Speed Communication", which took place for the seventeenth time in the winter semester 1997/98.
The choice of topics can be roughly grouped into the following blocks:
One block deals with wireless communication protocols. The first contribution is devoted to wireless ATM, while a second contribution presents possibilities of satellite communication. In addition, security aspects of GSM are discussed.
One contribution presents the Transis system for reliable, ordered group communication over IP.
A third block presents ways of supporting fast communication. Here, for instance, the so-called xDSL techniques are presented. In addition, the Firewire approach is contrasted with conventional bus systems in computers. Finally, two contributions address novel concepts in the operating-system area which promise communication support.
A block focusing on new network concepts addresses so-called active networks in two contributions. In addition, the Internet2, operated in the USA, is presented.
A final block deals with questions of management. Here the DISMAN and SNMPv3 working groups are in the foreground. In addition, one contribution presents the Telecommunication Management Network (TMN).
An Open Operating System for a Single-User Machine
The file system and modularization of a single-user operating system are described. The main points of interest are the openness of the system, which establishes no sharp boundary between itself and the user's programs, and the techniques used to make the system robust.
1. Introduction
In the last few years a certain way of thinking about operating systems has come to be widely accepted. According to this view, the function of an operating system is to provide a kind of womb (or, if you like, a virtual machine) within which the user or her program can live and develop, safely insulated from the harsh realities of the outside world [2, 5, 13]. One of the authors, in fact, was an early advocate of such "closed" systems [12]. They have a number of attractive features:
- When the hardware is too dreadful for ordinary mortals to look upon, concealment is a kindness, if not a necessity.
- Useful and popular facilities can be made available in a uniform manner, with the name binding and s..