Sealing OS Processes to Improve Dependability and Security
- Galen Hunt ,
- Mark Aiken ,
- Paul Barham ,
- Manuel Fahndrich ,
- Chris Hawblitzel ,
- Orion Hodson ,
- Jim Larus ,
- Steven Levi ,
- Nick Murphy ,
- Bjarne Steensgaard ,
- David Tarditi ,
- Ted Wobber ,
- Brian Zill
MSR-TR-2006-51 |
On most modern operating systems, a process is a hardware-protected abstraction for executing potentially mutable code and data. Common features of processes include: dynamic code loading, dynamic code generation, access to cross-process shared memory, and a universal API.
This paper argues that many of the dependability and security weaknesses of modern systems are exacerbated by an open process architecture. Moreover, this architecture impairs the ability of tools to analyze code statically, to improve its performance or dependability. By contrast, a sealed process architecture prohibits dynamic code loading, prohibits self-modifying code, prohibits shared memory, and replaces a universal API with a process-limited API. This paper describes an implementation of a sealed process architecture in the Singularity operating system, discusses its merits, and evaluates its impact. Among the benefits are: improved static program analysis, strong security guarantees, elimination of OS redundancies found in language runtimes such as the JVM and CLR, and better software engineering.