Program for Tuesday, 12 November 2002

Our Next Joint Meeting with the Baltimore SIGAda Chapter
is scheduled for
Tuesday, 12 November 2002 at 7:30 P.M.
Dr. Jonathan Shapiro, Assistant Professor, JHU Information Security Institute
will be speaking on
EROS: A Foundation for Usefully Secure Systems
at the Baltimore SIGAda Venue
(Johns Hopkins University/Applied Physics Laboratory in Laurel, Maryland)


To Members and Friends of DC SIGAda

Next Meeting:

Our Next Meeting is scheduled for Tuesday, 12 November 2002, as a Joint Meeting of the Baltimore and DC SIGAda Chapters. Dr. Jonathan S. Shapiro will be speaking on "EROS: A Foundation for Usefully Secure Systems".

The presentation will start at 7:30 P.M. (refreshments and social at 7:00 P.M.) at the Johns Hopkins University/Applied Physics Laboratory in Laurel, Maryland.

Munchies and soft drinks will be served at 7:00 P.M.; the general meeting will start at 7:30 P.M., followed by the program.

Abstract: EROS: A Foundation for Usefully Secure Systems

As vaporware goes, Ted Nelson's Xanadu, the Dynabook, and general purpose secure operating systems are hard to beat. Each was announced more than 25 years ago, and none have actually been delivered. The highest practically achievable assurance rating for commodity operating systems under current standards, EAL4, might be characterized politely as "does not meet expectations". We must (and can) do better.

The EROS operating system is an attempt to construct a usefully secure system from the ground up. The design goal of the system might be stated as: "Given that only a very small number of programs can be made reliable and trustworthy, design a system that is robust. In particular, assume that actively hostile programs will be executed (through malice, enticement, ignorance, or error), and construct a system that is robust in the face of this assumption."

Following the failures of the Mach microkernel and the i432 microprocessor, capability-based operating systems were abandoned in the mid-1970's for performance reasons. EROS, a software-implemented capability system that runs on commodity hardware, outperforms current commodity operating systems on microbenchmarks, and is presently the fastest protected microkernel in existence. It is based on a formally specified information flow model, and the correctness of its core security features has been formally verified. EROS's predecessor, the KeyKOS system, has been running production applications since 1982, with a measured MTBF in the field exceeding 15 years.
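The design goal quoted above, a system that stays robust while running actively hostile programs, is easiest to see in a capability model: a program can touch only the objects it has been handed capabilities for, a capability can be weakened but never strengthened, and it can be revoked. The following is an added illustration written for this announcement, not EROS or KeyKOS code; the "kernel", the Page object, the rights bits and the hostile program are all invented for the example.

```python
"""Capability-based protection in miniature.

Added example, not EROS or KeyKOS code. A toy kernel mints unforgeable
capabilities (object reference plus rights mask); a program can act only
through capabilities it holds. There is no ambient authority (no "open by
name"), rights can be attenuated but never amplified, and any capability
can be revoked. All names here are invented for the illustration.
"""
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised by the kernel when an invocation is not authorised."""


READ, WRITE = 1, 2  # rights bits carried by a capability


class Page:
    """A protected object: a byte buffer reachable only via the kernel."""

    def __init__(self, data: bytes = b"") -> None:
        self._data = bytearray(data)


@dataclass(eq=False, frozen=True)
class Cap:
    """Object reference plus rights. eq=False gives identity semantics, so
    a Cap built by hand is never mistaken for one the kernel minted."""
    obj: Page
    rights: int


class Kernel:
    """Sole minter of capabilities. It records every Cap it issues, so a
    Cap constructed elsewhere (a forgery) fails the membership test.
    Real hardware/kernel boundaries make caps opaque; Python cannot hide
    cap.obj, so the registry stands in for that unforgeability."""

    def __init__(self) -> None:
        self._minted: set[Cap] = set()

    def mint(self, obj: Page, rights: int) -> Cap:  # kernel-internal
        cap = Cap(obj, rights)
        self._minted.add(cap)
        return cap

    def _check(self, cap: Cap, need: int) -> None:
        if cap not in self._minted:
            raise AccessDenied("forged or revoked capability")
        if cap.rights & need != need:
            raise AccessDenied("capability lacks the required rights")

    # The only operations a program is allowed to invoke:
    def read(self, cap: Cap) -> bytes:
        self._check(cap, READ)
        return bytes(cap.obj._data)

    def write(self, cap: Cap, data: bytes) -> None:
        self._check(cap, WRITE)
        cap.obj._data[:] = data

    def diminish(self, cap: Cap, rights: int) -> Cap:
        """Derive a weaker cap to the same object; rights may only be dropped."""
        self._check(cap, 0)
        if rights & ~cap.rights:
            raise AccessDenied("cannot amplify rights")
        return self.mint(cap.obj, rights)

    def revoke(self, cap: Cap) -> None:
        """Invalidate a capability; every later use of it fails."""
        self._minted.discard(cap)


def hostile_program(kernel: Kernel, table: dict[str, Cap]) -> dict[str, bool]:
    """A deliberately malicious program holding only the caps in `table`.
    Returns which escalation attempts succeeded (all should be False)."""
    ro = table["secret"]
    outcome: dict[str, bool] = {}

    def attempt(name: str, fn) -> None:
        try:
            fn()
            outcome[name] = True
        except AccessDenied:
            outcome[name] = False

    attempt("write_via_readonly", lambda: kernel.write(ro, b"owned"))
    forged = Cap(ro.obj, READ | WRITE)  # hand-built, never minted
    attempt("forged_write", lambda: kernel.write(forged, b"owned"))
    attempt("amplified", lambda: kernel.diminish(ro, READ | WRITE))
    outcome["read_allowed"] = kernel.read(ro) == b"top secret"
    return outcome


def run_scenario() -> dict[str, bool]:
    """Owner holds read/write, hands the untrusted program a read-only
    derivative, lets it run, then revokes that derivative."""
    kernel = Kernel()
    owner = kernel.mint(Page(b"top secret"), READ | WRITE)
    ro = kernel.diminish(owner, READ)
    outcome = hostile_program(kernel, {"secret": ro})
    outcome["data_intact"] = kernel.read(owner) == b"top secret"
    kernel.revoke(ro)
    try:
        kernel.read(ro)
        outcome["read_after_revoke"] = True
    except AccessDenied:
        outcome["read_after_revoke"] = False
    return outcome
```

Running `run_scenario()` shows the three escalation attempts refused, the data intact, the legitimately held read still working, and the revoked capability dead. The point the abstract makes is that none of this depends on the hostile program being well behaved: the kernel never consults who the caller is, only what it holds.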

This talk will provide an overview of the EROS system. The talk opens with a "reality check" challenging commonly held assumptions about how to achieve security. It identifies a set of feasible security objectives, and describes a system architecture that directly supports these objectives. Along the way, we will discuss the pros and cons of capabilities as a protection primitive and the security implications of composing systems from authenticatable, secure components.

Presenter: Dr. Jonathan S. Shapiro

Jonathan Shapiro is presently an Assistant Professor in the Department of Computer Science at Johns Hopkins University. His current research areas include operating systems and information security. While he is primarily a "systems" researcher, he has also done foundational work in formal verification of security policies. In previous research positions Dr. Shapiro was a Research Staff Member at the IBM T.J. Watson Research Center and a Member of Technical Staff at AT&T Bell Laboratories.

Dr. Shapiro is also a recidivist entrepreneur. He built the CASE group at Silicon Graphics in 1990, co-founded HaL Computer Systems where he headed the compiler group and contributed to the architecture of the 64-bit SPARC processor, performed a successful turnaround as CEO of the Xanadu Operating Company, has helped organize a number of startup companies, and now consults for a range of companies on strategic planning and security.

Information on the EROS system can be found at http://www.eros-os.org.

Directions From Washington, DC

From the Capital Beltway (I-495), Take the I-95 North exit;
10 miles to Columbia exit (MD Rte. 32 West);
2.5 miles to Washington, DC, exit (U.S. Rte. 29 S);
1.5 miles, then turn RIGHT to go WEST on Johns Hopkins Road (a new dual-traffic-circle overpass/interchange has replaced the traffic light at this intersection);
APL is located to the right, just past the service station;
Turn right at the sign: "Building 1 Visitor Parking";
Use Building 1 entrance near the flag-pole; The meeting is in the cafeteria.

Detailed Directions and Maps are available at: http://www.acm.org/sigada/locals/dc/Directions_JHU_APL.html

Please Put on Your Calendar

Please put on your calendar the next meeting of the ACM DC SIGAda Chapter Meeting for Thursday, 9 January 2003.

DC SIGAda Home Page and Maillist

Please visit the DC SIGAda Web site at http://www.acm.org/sigada/locals/dc/ for additional information.

Please provide suggestions on the Web site and its contents. We are particularly interested in ways the DC SIGAda Home Page can serve you better.

Consider subscribing to our e-mail list. Simply send an email to:


with the body containing:

subscribe SIGAda-DC Your Name

To be removed from the list, send an email request to:


with the body containing:

signoff SIGAda-DC


Please forward this message to people who might be interested in attending. We welcome all new members as our attendance and interests grow.

Many thanks to all earlier participants, contributors, speakers, advisors, and friends, who are involved in helping to produce and attend the meetings.

Jeff Castellow, Chair, DC SIGAda

If you have comments or suggestions, email the DC SIGAda Webmaster

updated 6 November 2002