Things You Can Read Now
What? You think that while our trusty software elves are hacking away we have time to write documents? Well, you're right. (And very clever to have guessed it, too!)
Hao Chen and Jonathan S. Shapiro. Using Build-Integrated Static Checking to Preserve Correctness Invariants
Describes our experiences using MOPS to validate some of the kernel implementation invariants. Appears in the Proc. 11th ACM Conference on Computer and Communications Security, Washington, D.C., 2004.
Jonathan S. Shapiro, John Vanderburgh, Eric Northup, and David Chizmadia. Design of the EROS Trusted Window System
Describes how to build a robust, high-performance, secure window system using the EROS-provided mechanisms for protection and separation of concerns. Appears in Proc. 2004 USENIX Security Conference, San Diego CA, 2004.
Anshumal Sinha, Sandeep Sarat, and Jonathan S. Shapiro. Network Subsystems Reloaded: A High-Performance, Defensible Network Subsystem
Describes how to build a high-performance network subsystem providing defense in depth using the EROS-provided mechanisms for protection and separation of concerns. Appears in Proc. 2004 USENIX Annual Technical Conference, Boston MA, 2004.
Jonathan S. Shapiro. Vulnerabilities in Synchronous IPC Designs
An examination of basic communication vulnerabilities between suspicious collaborators. Appears in the proceedings of the 2003 IEEE Symposium on Security and Privacy (Oakland).
Jonathan S. Shapiro, Jonathan Adams. Design Evolution of the EROS Single-Level Store
Appears in the proceedings of the 2002 USENIX Technical Conference.
J. S. Shapiro, N. Hardy. EROS: A Principle-Driven Operating System from the Ground Up
A copy of our article in the Jan/Feb 2002 issue of IEEE Software. IEEE has been gracious enough to allow us to make it available online from the web site.
J. S. Shapiro, S. Weber. Verifying the EROS Confinement Mechanism
A copy of our 2000 IEEE Symposium on Security and Privacy paper, which describes the verification proof for the EROS constructor.
J. S. Shapiro, Jonathan M. Smith, and David J. Farber. EROS: A Fast Capability System
A copy of our 1999 SOSP paper, which describes the EROS architecture and the current performance results.
J. S. Shapiro. EROS: A Capability System
Shapiro's dissertation. Provides an overview of the EROS system architecture, the implementation, recent performance results, and a set of formal tools for reasoning about capability systems in general.
J. S. Shapiro, S. Weber. Verifying Operating System Security. Department of Computer and Information Science Technical Report MS-CIS-97-26, University of Pennsylvania
Gives the proof of correctness for the EROS constructor mechanism, including a formal description of the system semantics.
J. S. Shapiro, S. J. Muir, J. M. Smith, and D. J. Farber. Operating System Support for Active Networks, Department of Computer and Information Science Technical Report MS-CIS-97-03, University of Pennsylvania
Describes an active network switching node constructed on top of EROS.
J. S. Shapiro. EROS: A Capability System, Department of Computer and Information Science Technical Report MS-CIS-97-04, University of Pennsylvania
Provides an overview of the EROS system architecture.
Jonathan S. Shapiro, David J. Farber, and Jonathan M. Smith. The Measured Performance of a Fast Local IPC. Published in the 5th International Workshop on Object-Orientation in Operating Systems, Seattle, Washington, 1996
Describes the performance of a very early version of the EROS system.
Jonathan S. Shapiro, David J. Farber, and Jonathan M. Smith. State Caching in the EROS Kernel -- Implementing Efficient Orthogonal Persistence in a Pure Capability System. Presented at the 7th International Workshop on Persistent Object Systems, Cape May, N.J., 1996
A look at how EROS uses caching techniques to take a simple abstract process model and implement it on a real machine. Caching is a useful mechanism for keeping complexity localized.
Papers Related to Capabilities and Security
Various papers that are not directly related to EROS, but set a broader context for the work.
Mark S. Miller, E. Dean Tribble, and Jonathan S. Shapiro. Concurrency Among Strangers: Programming in E as Plan Coordination
Appears in Proc. 2005 Symposium on Trustworthy Global Computing, 2005 (part of the European Joint Conference on Theory and Practice of Software, ETAPS05). (Invited Paper)
Mark S. Miller and Jonathan S. Shapiro. Paradigm Regained: Abstraction Mechanisms for Access Control
Appears in Proc. Eighth Asian Computing Science Conference (ASIAN '03), Tata Institute of Fundamental Research, Mumbai, India, December 10-13, 2003. (Invited Paper)
Mark S. Miller, Bill Tulloh, and Jonathan S. Shapiro. The Structure of Authority: Why Security is Not a Separable Concern
Explains why security is intimately intertwined with semantics in the design of a system. Appears in Proc. 2nd International Conference on Multiparadigm Programming in Mozart/Oz (MOZ/2004), Charleroi, Belgium, October 2004. (Invited Paper)
Michael Hohmuth, Hermann Härtig, and Jonathan S. Shapiro. Reducing TCB Size by Using Trusted Components — Small Kernels Versus Virtual Machine Monitors
A position piece from the L4 team. Appears in Proc. 11th ACM SIGOPS European Workshop, Leuven, Belgium, 2004.
Selected KeyKOS Papers
A few of the core KeyKOS papers are listed below. A more complete collection can be found at the KeyKOS Home Page.
Alan C. Bomberger, A. Peri Frantz, William S. Frantz, Ann C. Hardy, Norman R. Hardy, Charles Landau, Jonathan Shapiro. The KeyKOS NanoKernel Architecture, Proceedings of the USENIX Workshop on Micro-Kernels and Other Kernel Architectures. USENIX Association. April 1992. pp. 95-112
An overview of the KeyKOS object kernel and the UNIX emulation that was built on top of it.
Norm Hardy. The KeyKOS Architecture, Operating Systems Review. September, 1985
This paper provides an extremely dense and precise description of the KeyKOS architecture and is, in most respects, the definitive one. The version provided here is somewhat revised from the OSR version.
Copyright 1999 by Jonathan Shapiro. All rights reserved. For terms of redistribution, see the GNU General Public License