Just an archival note
Jonathan Shapiro
shap@viper.cis.upenn.edu
Tue, 11 Jul 1995 17:59:43 -0400
I'm sending this mostly to get it captured in the mail archive.
A discussion arose about the security (discretion) implications of
admission control in real-time systems. The problem is that two
processes can signal by attempting to admit schedules whose
requirements are known to conflict, and using the yes/no answers of
the admission control system as a signalling channel. If the
admission control system provides advisory feedback in addition to the
"yes/no", then higher bandwidth channels are possible.
A possible solution is to require secure real-time processes to
reserve a processor (set) on which they schedule, and to present the
processor set authority to the admission control agent. Their
schedules will be built only against that processor set, and without
regard to other processors. Because they schedule against previously
dedicated resources that the collaborator cannot access, the admission
channel is reduced to those tasks that have access to that processor
set.
I suspect that this is incomplete, because there remain issues of
admission on multiplexed resources such as disk and network, but
analogous reservation strategies suggest themselves.
We might take this a step further, and define a characterization of a
virtual processor - one which is itself built on a rate-monotonic
(perhaps a fair-share) schedule, and then do admission control on top
of the virtual processor. This complicates admission control a bit,
but ultimately doesn't change the in-kernel scheduling executive all
that much.
Just a thought.
Jonathan
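As an added example (not part of Shapiro's message or of any real kernel), the following Python model contrasts the two admission-control designs discussed above: a shared controller whose yes/no answer depends on every caller's reservations, and a partitioned controller that builds schedules only against the processor set whose authority the caller presents. The yes/no test is the standard Liu and Layland rate-monotonic utilization bound; the `Task`, `VirtualProcessor`, and `admit` names, the tuple standing in for an unforgeable processor-set authority, and the scaling of the bound by a virtual processor's fair share are all assumptions made for the illustration. The check at the end asks the non-interference question directly: does one domain's admission answer change when another domain's reservations change?

```python
"""Admission control as an information channel, and the processor-set
reservation that narrows it.  Hypothetical model, not production code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Task:
    compute: float   # worst-case execution time per period
    period: float

    @property
    def utilization(self) -> float:
        return self.compute / self.period


def rm_bound(n: int) -> float:
    """Liu & Layland sufficient bound for n periodic tasks under
    rate-monotonic priorities: 1.0 for n=1, ~0.828 for n=2, ..."""
    return n * (2 ** (1.0 / n) - 1)


def rm_admissible(tasks: List[Task], share: float = 1.0) -> bool:
    """Yes/no schedulability test.  `share` < 1.0 models a virtual processor
    that is itself a fair-share slice of a physical CPU (assumed scaling)."""
    if not tasks:
        return True
    return sum(t.utilization for t in tasks) <= share * rm_bound(len(tasks))


class SharedAdmission:
    """One schedule for the whole machine: any caller's reservations
    influence every other caller's answer."""

    def __init__(self) -> None:
        self.tasks: List[Task] = []

    def admit(self, task: Task) -> bool:
        if rm_admissible(self.tasks + [task]):
            self.tasks.append(task)
            return True
        return False


@dataclass(frozen=True)
class VirtualProcessor:
    ident: int
    share: float = 1.0   # 1.0 = a whole dedicated CPU; less = fair-share slice


ProcessorSet = Tuple[VirtualProcessor, ...]   # stands in for the processor-set authority


class PartitionedAdmission:
    """Schedules are built only against the processor set the caller presents,
    without regard to other processors."""

    def __init__(self) -> None:
        self.by_vp: Dict[int, List[Task]] = {}

    def admit(self, authority: ProcessorSet, task: Task) -> bool:
        for vp in authority:                      # first-fit within the caller's own set
            current = self.by_vp.setdefault(vp.ident, [])
            if rm_admissible(current + [task], vp.share):
                current.append(task)
                return True
        return False


# Constructed workloads: one domain's reservation and another domain's request.
HEAVY = Task(compute=5.0, period=10.0)   # U = 0.5
PROBE = Task(compute=4.0, period=10.0)   # U = 0.4: fits alone, not beside HEAVY on one CPU


def shared_answers() -> Tuple[bool, bool]:
    """PROBE's answer with the other domain idle vs. busy (shared controller)."""
    idle, busy = SharedAdmission(), SharedAdmission()
    busy.admit(HEAVY)
    return idle.admit(PROBE), busy.admit(PROBE)


def partitioned_answers() -> Tuple[bool, bool]:
    """Same experiment when each domain holds authority to its own processor."""
    domain_a: ProcessorSet = (VirtualProcessor(0),)
    domain_b: ProcessorSet = (VirtualProcessor(1),)
    idle, busy = PartitionedAdmission(), PartitionedAdmission()
    busy.admit(domain_a, HEAVY)
    return idle.admit(domain_b, PROBE), busy.admit(domain_b, PROBE)


def admission_depends_on_other_domain(answers: Tuple[bool, bool]) -> bool:
    """Non-interference check: a dependence here is the signalling channel."""
    return answers[0] != answers[1]


if __name__ == "__main__":
    print("shared controller leaks:     ", admission_depends_on_other_domain(shared_answers()))
    print("partitioned controller leaks:", admission_depends_on_other_domain(partitioned_answers()))
```

The model deliberately returns only the bare yes/no; an advisory controller that also reported remaining capacity would widen the channel further, which is why the partitioned design is tested on the answer alone. Note that with a `share` below 1.0 the virtual processor still answers only from its own slice, so the same independence holds for the fair-share variant.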