University of Cambridge Home Computer Laboratory
January 15th 2004

Retrospective on the EROS Secure Operating System

Jonathan S. Shapiro

EROS is a secure research operating system that resulted from work at the University of Pennsylvania, IBM, The EROS Group, and Johns Hopkins University. Its novelty lies in two areas. First, EROS is the first high-performance, protected, software-based capability system that runs on commodity hardware. Second, the EROS access control model has been formalized and used to verify the system's key security properties. EROS also provides transparent persistence: all system state, including running processes, is efficiently saved on a periodic basis. An incidental consequence of the design is that the system provides very exacting control over resource allocation and scheduling.

This talk will provide an introduction and overview of the EROS system architecture and highlight some unusual aspects of the design. In particular, it will discuss how various elements of the design interact to provide an efficient and secure protection framework, and describe some of the techniques that were used to achieve high performance in the resulting system.

For those who are interested, some possibly relevant background reading is listed below. The IEEE Software paper provides generally useful background. The others are listed only for the convenience of people who may wish to look further into particular topics.


EROS: A Principle-Driven System from the Ground Up

An IEEE Software article that provides a light introduction to the EROS system.

EROS: A Fast Capability System (SOSP 1999)

Describes and evaluates the first, monolithic version of the system.

Of more specialized interest:

Design Evolution of the EROS Single-Level Store

Describes the design and implementation of the EROS persistence mechanism.

Verifying the EROS Confinement Mechanism

Describes our verification proof that the EROS confinement mechanism uses a correct test of confinement.

Vulnerabilities in Synchronous IPC Designs (Oakland 2003)

Explores a number of conflicting security objectives that appear to be inherent in high-performance IPC designs, and how they have manifested in the EROS and L4 designs.