MIDTERM EXAM: 600.439: Microkernel Architecture and Design
Rules:
You must work alone. You may consult the papers on the syllabus or any other papers or books published in the open literature. For this purpose, your classmates are not considered ``published in the open literature.'' You must work individually. Use of a Ouija board is permitted, but please supply your own.
You can also consult the sequence of discussions that has occurred recently on the l4-hurd mailing list. All of the relevant discussion occurred during October 2005.
Your answers are due on Monday, October 24 by the beginning of class. Please supply them BY EMAIL directly to shap (at) cs.jhu.edu. Please do NOT send them to the class list by mistake!!!
Questions:
-
One approach to resource deallocation is reference counts (which is a form of garbage collection). Illustrate how to execute a denial of resource attack in such a system. Your solution should illustrate that there is a generic pattern for such an attack, and it should illustrate the pattern with a specific example.
-
As a solution to this, I have argued in class that objects should be explicitly destructible. That is: every object should implement a destroy() operation, and as a last resort we should be able to destroy the storage occupied by an object.
What should happen to a capability when the object it names to is destroyed? That is, if your program tries to invoke a capability to an object that has been destroyed, what should occur?
-
There is an argument that IPC (invocation) should allow an unbounded payload. Explain what this means and what the implications are for the underlying microkernel design. In particular, can a microkernel support this and still be ``real time''? If so, how?
-
In any microkernel that does not have an unbounded IPC operation, there will exist some request that exceeds the permitted payload. Given the mechanisms we have discussed in class, explain how an untrusted client can call a shared service in such a way that a long message of this type can be transmitted without compromising the safety of the receiver.
-
In ``Toward Real Microkernels,'' Liedtke gives an elegant argument about why IPC performance matters. What other considerations are important for the design of an IPC system?
-
What conclusions should be drawn from ``The Failure of Personalities to Generalize'' and ``Experience with the Development of a Microkernel-Based, Multiserver Operating System,'' and why?
-
The EROS Trusted Window System is vulnerable to resource exhaustion. Explain the cause of this vulnerability, and why it is not straightforwardly removed.