Sealing OS Processes to Improve Dependability and Safety

  • ,
  • Mark Aiken ,
  • Manuel Fahndrich ,
  • ,
  • Orion Hodson ,
  • Jim Larus ,
  • Steven Levi ,
  • Bjarne Steensgaard ,
  • David Tarditi ,
  • Ted Wobber

Proceedings of the European Conference on Computer Systems (EuroSys) |

Published by Association for Computing Machinery, Inc.

View Publication

On most modern operating systems, a process is a hardware-protected abstraction for executing potentially mutable code and data. Common features of processes include: dynamic code loading, dynamic code generation, access to cross-process shared memory, and a universal API.

This paper argues that many of the dependability and security weaknesses of modern systems are exacerbated by this open process architecture. Moreover, this architecture impairs the ability of tools to analyze code statically, to improve its performance or dependability. By contrast, a sealed process architecture prohibits dynamic code loading, prohibits self-modifying code, prohibits shared memory, and replaces a universal API with a process-limited API. This paper describes an implementation of a sealed process architecture in the Singularity operating system, discusses its merits, and evaluates its impact. Among the benefits are: improved static program analysis, strong security guarantees, elimination of OS redundancies found in language runtimes such as the JVM and CLR, and better software engineering.