This thesis describes practical protection mechanisms that allow mutually suspicious subsystems to cooperate in a single computation while still being protected from one another. The mechanisms are based on dividing a computation into independent domains of access privilege, each of which may encapsulate a protected subsystem. The central component of the mechanisms is a hardware processor that automatically enforces the access constraints associated with a multidomain computation implemented as a single execution point in a segmented virtual memory. This processor allows a standard interprocedure call with arguments to change the domain in which the computation executes. Arguments are automatically communicated on cross-domain calls, even between domains that normally have no access capabilities in common. The processor, when supported by a suitable software system that is also discussed, provides the protection basis for a computer utility in which users may encapsulate databases as protected subsystems and then, without compromising the protection of the individual subsystems, combine protected subsystems of different users to perform various computations.