Assignment 12, due May 5

Solutions

Part of the homework for 22C:112, Spring 2008
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

  1. Background: Read Task Communication in Demos, a 9-page paper describing a nice little operating system, much smaller and better organized than, for example, Unix or Windows.

    Modern operating systems can frequently be divided into a kernel, the innermost privileged part that can bypass memory protection, and various middleware and system support processes that are outside the kernel. On Unix, for example, read() and fork() are kernel calls, while the X window manager and the mailer, as well as many daemon processes, are outside the kernel.

    a) Enumerate the kernel services of Demos (all of them are listed very briefly in the paper). (0.5 points)

    In order of first mention in the paper:

    • RECEIVE, section 3.4, p28
    • REQUEST, REPLY, SEND, MOVE, DESTROY, DUPLICATE, section 4, p28
    • CALL, CREATE, BYPASS, section 4, p29

    b) Identify several system functions that are outside the Demos kernel but that are included in the Unix kernel. (0.5 points)

    Process management, file management and device management; in short, all of the usual system functions are handled by server processes to which other user and system processes send requests and from which they receive replies.

  2. Background: In Demos, there are several cases where messages are sent implicitly over links. That is, the kernel sends a message to the task referenced by the link as a result of some activity, where the initiator of that activity did not explicitly send a message.

    a) Explain why a task might need to know when a link is duplicated or destroyed. (0.5 points)

    So that it can keep a reference count of the outstanding references to that link, and therefore know when it is safe to reuse the associated channel, or the associated code, for another object. (Logically, either the code or the channel can be used to identify the specific object at the server that the client is manipulating.)

    b) Explain why one link type does not include such notification. Why? Is this a design error in Demos? (0.5 points)

    Demos assumes that there is no need to garbage collect request links. This may be an error: a server has no way to discover that none of its clients still hold links to it, so it cannot tell when it is safe to exit. The assumption seems to be that servers never exit, which is true for system servers but not necessarily for user-created servers.
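    The following is an added example for this assignment, not code from the Demos paper: a toy model of the link reference counting that answers 2a and 2b rely on. A link is a kernel-held reference to a (server, channel) pair that tasks name only by a small integer id, so they cannot forge one, and the kernel sends the server an implicit message when a task duplicates or destroys a link that names it. The notify flag is an assumption standing in for the link type that receives no such notification.

```python
"""Toy model of Demos-style implicit link notifications (added example).

Assumptions: the Kernel/Server/Link names are a simplified model, and the
notify flag stands in for the link type that gets no DUPLICATE/DESTROY
notification.  Nothing here is taken from the Demos implementation.
"""


class Link:
    def __init__(self, server, channel, notify):
        self.server = server
        self.channel = channel
        self.notify = notify   # does the kernel tell the server about DUPLICATE/DESTROY?


class Kernel:
    """Holds the link table; tasks only ever see small-integer link ids."""

    def __init__(self):
        self.links = {}
        self.next_id = 1

    def register(self, link):
        lid = self.next_id
        self.next_id += 1
        self.links[lid] = link
        return lid

    def duplicate(self, lid):
        link = self.links[lid]
        new_id = self.register(link)
        if link.notify:                      # implicit message to the server
            link.server.on_duplicate(link.channel)
        return new_id

    def destroy(self, lid):
        link = self.links.pop(lid)
        if link.notify:                      # implicit message to the server
            link.server.on_destroy(link.channel)


class Server:
    """A server that reference-counts the channels its clients hold links to."""

    def __init__(self):
        self.refcount = {}     # channel -> number of outstanding links
        self.next_channel = 0

    def create_link(self, kernel, notify=True):
        ch = self.next_channel
        self.next_channel += 1
        self.refcount[ch] = 1
        return kernel.register(Link(self, ch, notify))

    def on_duplicate(self, ch):
        self.refcount[ch] += 1

    def on_destroy(self, ch):
        self.refcount[ch] -= 1

    def reusable_channels(self):
        """Channels with no outstanding links, safe to recycle for a new object."""
        return sorted(ch for ch, n in self.refcount.items() if n == 0)

    def may_exit(self):
        """True only when the server knows no client can still reach it."""
        return all(n == 0 for n in self.refcount.values())


def scenario(notify):
    """A client gets a link, hands a copy to a child task, then both copies die."""
    kernel = Kernel()
    server = Server()
    original = server.create_link(kernel, notify=notify)
    copy = kernel.duplicate(original)
    kernel.destroy(original)
    kernel.destroy(copy)
    return dict(server.refcount), server.reusable_channels(), server.may_exit()
```

    Running scenario(True) leaves channel 0 with a count of zero, so the server can recycle it or exit; scenario(False) models the request-link case from 2b: the count is stuck at one although no task holds a link any more, so the server can never learn that it is safe to exit.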

  3. Background: Read Experiences with the Amoeba Distributed Operating System, an 18-page paper describing a nice distributed operating system. Note that this paper does not mention the Demos system. Despite this, focus your reading on parallels between Demos and Amoeba.

    a) Describe the parallels between Demos and Amoeba. Specifically, relate the use of Demos links to Amoeba capabilities. (0.5 points)

    Both systems are aggressively structured around client-server interactions. A Demos link is a kernel-protected capability that permits sending messages to a particular server, which is exactly the role an Amoeba capability plays.

    b) In Demos, there is no way for a user to forge a link. In Amoeba, a malicious user could attempt to forge a link. Briefly describe the tools Amoeba provides to prevent such a forgery from being useful. (0.5 points)

    Amoeba uses server-side authentication: each capability carries a 48-bit check field, a "magic" number that lets the server verify that the capability is genuine and that its rights field has not been tampered with. A client could try to guess the check field needed to forge a capability or upgrade its rights, but with 2^48 possible values the chance of any one guess succeeding is negligible. (48 bits is not enough to call the scheme highly secure, but a redesign with a wider check field would be straightforward.)

    Similarly, the server port field is cryptographically secured: the public port that clients address is derived by a one-way function from a private port known only to the server, so a client that knows the public number cannot recover the private number it would need to receive messages as that server.
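    The following is an added example for this assignment, not Amoeba's own code, modelling the two protections just described: the check field that the server verifies (including derivation of restricted capabilities) and the one-way mapping from a server's private port to its public port. Assumptions: the one-way function F is modelled as SHA-256 truncated to 48 bits (Amoeba used its own function; only one-wayness matters here), and the seed parameter exists only to make a run reproducible. Field widths follow the paper: 48-bit port, 24-bit object number, 8-bit rights, 48-bit check.

```python
"""Amoeba-style capability protection (added example, not Amoeba code).

Assumptions: F is SHA-256 truncated to 48 bits; the seed parameter is only
for reproducibility, a real server would draw its secrets from a true
random source (the default here).
"""
import hashlib
import random
import secrets
from dataclasses import dataclass

ALL_RIGHTS = 0xFF


def F(x: int) -> int:
    """One-way function on 48-bit values (SHA-256 truncation is an assumption)."""
    digest = hashlib.sha256(x.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:6], "big")


def kernel_listen(private_port: int) -> int:
    """The kernel maps the port a server listens on to the public port that
    clients address: get_port = F(put_port).  Knowing only get_port, a task
    cannot find a private port that maps onto it."""
    return F(private_port)


@dataclass(frozen=True)
class Capability:
    port: int    # 48-bit public server port
    obj: int     # 24-bit object number
    rights: int  # 8-bit rights bitmap
    check: int   # 48-bit check field


class Server:
    def __init__(self, seed=None):
        rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
        self._rand48 = lambda: rng.getrandbits(48)
        self.put_port = self._rand48()              # secret, never leaves the server
        self.get_port = kernel_listen(self.put_port)
        self._checks = {}                            # obj -> original check, server-private

    def create(self, obj: int) -> Capability:
        """Owner capability: all rights, check field is a fresh random number."""
        self._checks[obj] = self._rand48()
        return Capability(self.get_port, obj, ALL_RIGHTS, self._checks[obj])

    def validate(self, cap: Capability) -> bool:
        """Server-side authentication of a presented capability."""
        if cap.port != self.get_port or cap.obj not in self._checks:
            return False
        c = self._checks[cap.obj]
        expected = c if cap.rights == ALL_RIGHTS else F(c ^ cap.rights)
        return cap.check == expected

    def restrict(self, cap: Capability, new_rights: int) -> Capability:
        """Derive a capability with a subset of the rights.  The new check is
        F(original_check XOR new_rights), so the holder cannot widen the
        rights without knowing the original check held only by the server."""
        if not self.validate(cap) or new_rights & ~cap.rights:
            raise PermissionError("invalid capability or rights not a subset")
        return Capability(cap.port, cap.obj, new_rights,
                          F(self._checks[cap.obj] ^ new_rights))


def demo(seed=1):
    """Three forgery attempts against one object, all of which fail."""
    srv = Server(seed)
    owner = srv.create(obj=7)
    read_only = srv.restrict(owner, 0x01)
    # Attack 1: flip the rights bits of a restricted capability, keep its check.
    widened = Capability(read_only.port, read_only.obj, ALL_RIGHTS, read_only.check)
    # Attack 2: guess a check field outright (constructed guess).
    guessed = Capability(srv.get_port, 7, ALL_RIGHTS, 0x123456789ABC)
    # Attack 3: impersonate the server knowing only its public port.
    impostor_public_port = kernel_listen(srv.get_port)
    return {
        "owner_valid": srv.validate(owner),
        "read_only_valid": srv.validate(read_only),
        "widened_valid": srv.validate(widened),
        "guessed_valid": srv.validate(guessed),
        "impostor_reaches_clients": impostor_public_port == srv.get_port,
    }
```

    The impostor in attack 3 can register a listener, but the kernel maps its claimed private port to a different public port, so messages addressed to the real server's public port never reach it. Attack 1 fails because the server recomputes the expected check from the rights field actually presented; attack 2 is the 2^-48 guess discussed above.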