Separating presentation from interface in RPC and IDLs

Journal ArticleIn RPC-based communication, we term the interface the set of remote procedures and the types of their arguments; the presentation is the way these procedures and types are mapped to the target language environment in a particular client or server, including semantic requirements. For example, presentation includes the local names assigned to RPC stubs, the physical representation of a logical block of data (e.g., in-line, out-of-line, linked blocks), and trust requirements (e.g., integrity, security). In existing systems, the presentation of a given RPC construct is largely fixed. Separating presentation from interface, both in the interface definition language (IDL) itself and in the RPC implementation, is the key to interoperability, with many benefits in the area of elegance, as well. This separation and resulting cleanliness makes it manageable to generate specialized kernel code paths for each type of client-server pair. This is a key element o/end-to-end optimization. The separation should also allow the integration of disparate RPC optimization techniques, such as those applied in LRPC[2] and fbufs[6], into a single system, in a uniform and fully interoperable way. In initial work we demonstrate a variant of threaded code generation and two presentation-based optimizations, transparently activated by the RPC system. Each of these optimizations speeds up local RPC by approximately 25%.

Interface and execution models in the fluke kernel

technical reportWe have defined and implemented a new kernel API that makes every exported operation either fully interruptible and restartable, thereby appearing atomic to the user. To achieve interruptibility, all possible states in which a thread may become blocked for a "long" time are completely representable as valid kernel API calls, without needing to retain any kerncl internal state

Using annotated interface definitions to optimize RPC

Journal ArticleIn RPC-based communication, it is useful to distinguish the RPC interface, which is the "network contract" between the client and the server, from the presentation, which is the "programmer's contract" between the RPC stubs and the code that calls or is called by them. Presentation is usually a fixed function of the RPC interface, but some RPC systems, such as DCE and Concert, support the notion of a flexible presentation or endpoint modifier, allowing controlled modification of the behavior of the stubs on each side without affecting the contract between the client and the server. Up until now, the primary motivation for flexible presentation has been for programmer convenience and improved interoperability. However, we have found flexible presentation also to be useful for optimization of RPC, and in many cases necessary to achieving maximal performance without throwing out the RPC system and resorting to hand-coded stubs. In this paper we provide examples demonstrating this point for a number of different operating systems and IPC transport mechanisms, with RPC performance improvements ranging from 5% to an order of magnitude. In general, we observe that the more efficient the underlying IPC transport mechanism is, the more important it is for the RPC system to support flexible presentation, in order to avoid unnecessary user-space overhead?

Notes on thread models in Mach 3.0

Journal ArticleDuring the Mach In-Kernel Servers work, we explored two alternate thread models that could be used to support traps to in-kernel servers. In the "migrating threads" model we used, the client's thread temporarily moves into the server's task for the duration of the call. In t h e "thread switching" model, an actual server thread is dispatched to handle client traps. Based on our experience, we find that the migrating threads model is quite complex and difficult to implement in t h e context of the current design of Mach and the Unix single server. The thread switching model would fit more naturally and would probably be much simpler and more robust than migrating threads, making it a valuable approach to explore in the near future. However, we believe migrating threads inherently to be faster than thread switching, and ultimately to be the best long term direction

Isolation of malicious external inputs in a security focused adaptive execution environment

pre-printReliable isolation of malicious application inputs is necessary for preventing the future success of an observed novel attack after the initial incident. In this paper we describe, measure and analyze, Input-Reduction, a technique that can quickly isolate malicious external inputs that embody unforeseen and potentially novel attacks, from other benign application inputs. The Input-Reduction technique is integrated into an advanced, security-focused, and adaptive execution environment that automates diagnosis and repair. In experiments we show that Input-Reduction is highly accurate and efficient in isolating attack inputs and determining casual relations between inputs. We also measure and show that the cost incurred by key services that support reliable reproduction and fast attack isolation is reasonable in the adaptive execution environment

The flask security architecture: system support for diverse security policies

technical reportOperating systems must be flexible in their support for security policies, i.e., the operating system must provide sufficient mechanisms for supporting the wide variety of real-world security policies. Systems claiming to provide this support have failed to do so in two ways: they either fail to provide sufficient control over the propagation of access rights, or they fail to provide enforcement mechanisms to support fine-grained control and dynamic security policies. In this paper we present an operating systems security architecture that solves both of these problems. The first problem is solved by ensuring that the security policy (through a consistent replica) is consulted for every security decision. The second problem is solved through mechanisms that are directly integrated into the service-providing components of the system. The architecture is described through its prototype implementation in the Flask microkernel-based OS, and the policy flexibility of the prototype is evaluated. We present initial evidence that the architecture's performance impact is modest. Moreover, our architecture is applicable to many other types of operating systems and environments

A unified storage and deployment model for the emulab network testbed

poste

No association of vitamin D metabolism-related polymorphisms and melanoma risk as well as melanoma prognosis: a case–control study

Melanoma is one of the most aggressive human cancers. The vitamin D system contributes to the pathogenesis and prognosis of malignancies including cutaneous melanoma. An expression of the vitamin D receptor (VDR) and an anti-proliferative effect of vitamin D in melanocytes and melanoma cells have been shown in vitro. Studies examining associations of polymorphisms in genes coding for vitamin D metabolism-related proteins (1α-hydroxylase [CYP27B1], 1,25(OH)2D-24hydroxylase [CYP24A1], vitamin D-binding protein [VDBP]) and cancer risk are scarce, especially with respect to melanoma. Mainly VDR polymorphisms regarding melanoma risk and prognosis were examined although other vitamin D metabolism-related genes may also be crucial. In our hospital-based case–control study including 305 melanoma patients and 370 healthy controls single nucleotide polymorphisms in the genes CYP27B1 (rs4646536), CYP24A1 (rs927650), VDBP (rs1155563, rs7041), and VDR (rs757343, rs731236, rs2107301, rs7975232) were analyzed for their association with melanoma risk and prognosis. Except VDR rs731236 and VDR rs2107301, the other six polymorphisms have not been analyzed regarding melanoma before. To further improve the prevention as well as the treatment of melanoma, it is important to identify further genetic markers for melanoma risk as well as prognosis in addition to the crude phenotypic, demographic, and environmental markers used in the clinic today. A panel of genetic risk markers could help to better identify individuals at risk for melanoma development or worse prognosis. We, however, found that none of the polymorphisms tested was associated with melanoma risk as well as prognosis in logistic and linear regression models in our study population

The greening of Arabia: multiple opportunities for human occupation of the Arabian peninsula during the Late Pleistocene inferred from an ensemble of climate model simulations

Climate models are potentially useful tools for addressing human dispersals and demographic change. The Arabian Peninsula is becoming increasingly significant in the story of human dispersals out of Africa during the Late Pleistocene. Although characterised largely by arid environments today, emerging climate records indicate that the peninsula was wetter many times in the past, suggesting that the region may have been inhabited considerably more than hitherto thought. Explaining the origins and spatial distribution of increased rainfall is challenging because palaeoenvironmental research in the region is in an early developmental stage. We address environmental oscillations by assembling and analysing an ensemble of five global climate models (CCSM3, COSMOS, HadCM3, KCM, and NorESM). We focus on precipitation, as the variable is key for the development of lakes, rivers and savannas. The climate models generated here were compared with published palaeoenvironmental data such as palaeolakes, speleothems and alluvial fan records as a means of validation. All five models showed, to varying degrees, that the Arabia Peninsula was significantly wetter than today during the Last Interglacial (130 ka and 126/125 ka timeslices), and that the main source of increased rainfall was from the North African summer monsoon rather than the Indian Ocean monsoon or from Mediterranean climate patterns. Where available, 104 ka (MIS 5c), 56 ka (early MIS 3) and 21 ka (LGM) timeslices showed rainfall was present but not as extensive as during the Last Interglacial. The results favour the hypothesis that humans potentially moved out of Africa and into Arabia on multiple occasions during pluvial phases of the Late Pleistocene

Microkernels meet recursive virtual machines (draft. May 10, 1996))

Journal ArticleThis paper describes a novel approach to providing modular and extensible operating system functionality, and encapsulated environments, based on a synthesis of micro-kernel and virtual machine concepts. We have developed a virtualizable architecture that allows recursive virtual machines (virtual machines running on other virtual machines) to be efficiently implemented, in software, by a microkernel running on generic hardware. A complete virtual machine interface is provided at each level; efficiency derives from needing to implement only new functionality at each level. This infrastructure allows common OS functionality, such as process management, demand paging, fault tolerance, and debugging support, to be provided by cleanly modularized, independent, stackable virtual machine monitors, implemented as ordinary user processes. It can also provide uncommon or unique OS features, including the above features specialized for particular applications' needs, or virtual machines transparently distributed cross-node, or security monitors that allow arbitrary untrusted binaries to be safely executed. Our prototype implementation of this model indicates that it is practical to modularize operating systems this way: some types of virtual machine layers impose almost no overhead at all, while others impose some overhead (typically 10-20%), but only on certain classes of applications