SRL Publications Projects Courses

Courses

600.318/600.418

600.328/600.428

600.436

600.438

600.439

FINAL EXAM: 600.439: Microkernel Architecture and Design

Rules:

You must work alone. You may consult the papers on the syllabus or any other papers or books published in the open literature. For this purpose, your classmates are not considered ``published in the open literature.'' You must work individually. Use of a Ouija board is permitted, but please supply your own.

Your answers are due on Friday, December 16 by noon. This is the end of the exam period. Please supply them BY EMAIL directly to shap (at) cs.jhu.edu. Please do NOT send them to the class list by mistake!!!

I will acknowledge each submission by Friday afternoon. If you do not get an acknowledgement, please contact me immediately, because grades must be filed by the 19th.

Note that on reflection I decided to take this exam in a rather different direction than the one initially described in class.

Questions:

  1. (20 pts) In class, I have discussed a number of design patterns that exploit persistence to allow a process to reliably ``wrap'' capabilities. Given an example of a security problem where wrapping a capability in this fashion is useful. For your example, explain the policy that the wrapper is implementing, and explain why this policy could not easily be implemented in a non-persistent design.

  2. (20 pts) Engler et al. have proposed some very clever mechanisms for demultiplexing, where the implementation of the demultiplexing procedure can be supplied by untrusted code but can nonetheless be safely executed by trusted code following some fairly minimal checks.

    Given an example other than packet filtering where this would be useful. Explain the problem and your solution. Your example should have many simultaneous clients, and it should either (a) explain how clients can pay for storage without compromising performance, or (b) why it is okay that they do not.

  3. (30 pts) Section 5 of the ``Labels and Event Processes...'' paper describes a labeling scheme implemented in the Asbestos prototype operating system. This question has several parts:

    1. Explain in detail the final form of the label comparison that is required at IPC time.

    2. Given the implementation sketch provided in section 5.6, explain why the label comparison is likely to be expensive.

    3. Based on the algebra required for the label comparisons, it is possible to cache the outcome of the label comparison in some cases. Identify these cases, describe the caching mechanism, and in particular indicate what are the indexing criteria for the cache. That is: what will you look up in order to retrieve a previously cached value?

    4. A cache of this form will be helpful only if certain assumptions about system behavior are satisfied. What are these assumptions, and how likely are they?

  4. (30 pts) Propose and answer a final exam question. The criteria for an appropriate question are:

    1. It reflects or builds on the materials covered in the class and the readings,

    2. The answer demonstrates whether the student understood the material, or better still can extend the concepts into new areas, and

    3. It requires combining two or more of the key concepts from the class in an interesting way.

    I will be giving at least as much attention to the quality of the question as the answer. Those of you who gave careless answers on the midterm may want to look at the number of points assigned to this question and think about it more carefully!