Rethinking Operating System Interfaces to Support Robust Network Applications
thesisposted on 24.10.2013, 00:00 by W Michael Petullo
This dissertation describes the network programming environment provided by Ethos, an operating system designed for security. Often, the interfaces provided by existing systems are very low-level. Experience shows that programmers on these systems have difficulty managing the resulting complexity when writing network applications. They must implement or integrate their own key isolation, encryption, authentication protocols, and authorization policies. Administrators must configure the same, often independently for each application. Ethos eases the burden on application programmers and system administrators by providing more abstract interfaces and reducing code duplication. Instead of relying on applications to protect secret keys, Ethos keeps them in kernel space and allows their indirect use by applications through cryptographic system calls (e.g., sign). Ethos encrypts all network traffic and performs network authentication at the system level. Moving these protections to the operating system kernel allows Ethos to provide more informed access control, reducing the need for application-internal controls. Thus Ethos provides a number of security properties unavailable in other systems. In many cases, Ethos application developers can write robust applications with zero lines of application-specific security code. Likewise, administrators do not need to learn application-specific configuration options. Instead, the majority of their work uses system-wide mechanisms, affecting all applications individually and the system in aggregate. Many of the protections provided by Ethos sound straightforward to implement. However, we have found that the system design that makes them possible is highly interconnected and not entirely self-evident. For example, Ethos authenticates users at the system level even though it is impossible for a system administrator to know every user that may be encountered on the Internet. Furthermore, Ethos supports anonymous network requests despite mandatory authentication. In other cases, our design decisions became feasible only recently due to developments in hardware. Our hope is that our design appears clean, concise, and possibly---in retrospect---somewhat obvious.