Practical Fine-grained Privilege Separation in Multithreaded Applications

An inherent security limitation with the classic multithreaded programming model is that all the threads share the same address space and, therefore, are implicitly assumed to be mutually trusted. This assumption, however, does not take into consideration of many modern multithreaded applications that involve multiple principals which do not fully trust each other. It remains challenging to retrofit the classic multithreaded programming model so that the security and privilege separation in multi-principal applications can be resolved. This paper proposes ARBITER, a run-time system and a set of security primitives, aimed at fine-grained and data-centric privilege separation in multithreaded applications. While enforcing effective isolation among principals, ARBITER still allows flexible sharing and communication between threads so that the multithreaded programming paradigm can be preserved. To realize controlled sharing in a fine-grained manner, we created a novel abstraction named ARBITER Secure Memory Segment (ASMS) and corresponding OS support. Programmers express security policies by labeling data and principals via ARBITER's API following a unified model. We ported a widely-used, in-memory database application (memcached) to ARBITER system, changing only around 100 LOC. Experiments indicate that only an average runtime overhead of 5.6% is induced to this security enhanced version of application

Globular Clusters in the Outer Halo of M31

In this paper, we present photometry of 53 globular clusters (GCs) in the M31 outer halo, including the {\sl GALEX} FUV and NUV, SDSS $ugriz$, 15 intermediate-band filters of BATC, and 2MASS $JHK_{\rm s}$ bands. By comparing the multicolour photometry with stellar population synthesis models, we determine the metallicities, ages, and masses for these GCs, aiming to probe the merging/accretion history of M31. We find no clear trend of metallicity and mass with the de-projected radius. The halo GCs with age younger than $\approx$ 8 Gyr are mostly located at the de-projected radii around 100 kpc, but this may be due to a selection effect. We also find that the halo GCs have consistent metallicities with their spatially-associated substructures, which provides further evidence of the physical association between them. Both the disk and halo GCs in M31 show a bimodal luminosity distribution. However, we should emphasize that there are more faint halo GCs which are not being seen in the disk. The bimodal luminosity function of the halo GCs may reflect different origin or evolution environment in their original hosts. The M31 halo GCs includes one intermediate metallicity group ($-1.5 <$ [Fe/H] $< -0.4$) and one metal-poor group ([Fe/H] $<-1.5$), while the disk GCs have one metal-rich group more. There are considerable differences between the halo GCs in M31 and the Milky Way (MW). The total number of M31 GCs is approximately three times more numerous than that of the MW, however, M31 has about six times the number of halo GCs in the MW. Compared to M31 halo GCs, the Galactic halo ones are mostly metal-poor. Both the numerous halo GCs and the higher-metallicity component are suggestive of an active merger history of M31.Comment: 14 pages, 16 figures, 6 tables. Accepted for publication in A&