Our Next Joint Meeting with the Baltimore SIGAda Chapter
is scheduled for
Tuesday, 12 November 2002 at 7:30 P.M.
Dr. Jonathan Shapiro, Assistant Professor, JHU Information Security Institute
will be speaking on
EROS: A Foundation for Usefully Secure Systems
at the Baltimore SIGAda Venue
(Johns Hopkins University/Applied Physics Laboratory in Laurel, Maryland)
The presentation will start at 7:30 P.M. (Refreshments and Social at 7:00 P.M.) at the Johns Hopkins University/Applied Physics Laboratory in Laurel, Maryland
Munchies and soft drinks will be served at 7:00 PM, the general meeting will start at 7:30 PM, followed by the program.
As vaporware goes, Ted Nelson's Xanadu, the Dynabook, and general purpose secure operating systems are hard to beat. Each was announced more than 25 years ago, and none have actually been delivered. The highest practically achievable assurance rating for commodity operating systems under current standards, EAL4, might be characterized politely as "does not meet expectations". We must (and can) do better.
The EROS operating system is an attempt to construct a usefully secure system from the ground up. The design goal of the system might be stated as: "Given that only a very small number of programs can be made reliable and trustworthy, design a system that is robust. In particular, assume that actively hostile programs will be executed (through malice, enticement, ignorance, or error), and construct a system that is robust in the face of this assumption."
Following the failures of the Mach microkernel and the i432 microprocessor, capability-based operating systems were abandoned in the mid-1970's for performance reasons. EROS, a software-implemented capability system that runs on commodity hardware, outperforms current commodity operating systems on microbenchmarks, and is presently the fastest protected microkernel in existence. It is based on a formally specified information flow model, and the correctness of its core security features have been formally verified. EROS's predecessor, the KeyKOS system, has been running production applications since 1982, with a measured MTBF in the field exceeding 15 years.
This talk will provide an overview of the EROS system. The talk opens with a "reality check" challenging commonly held assumptions about how to achieve security. It identifies a set of feasible security objectives, and describes a system architecture that directly supports these objectives. Along the way, we will discuss the pros and cons of capabilities as a protection primitive and the security implications of composing systems from authenticatable, secure components.
Jonathan Shapiro is presently an Assistant Professor in the Department of Computer Science at Johns Hopkins University. His current research areas include operating systems and information security. While he is primarily a "systems" researcher, he has also done foundational work in formal verification of security policies. In previous research positions Dr. Shapiro was a Research Staff Member at the IBM T.J. Watson Research Center and a Member of Technical Staff at AT&T Bell Laboratories.
Dr. Shapiro is also a recidivist entrepreneur. He built the CASE group at Silicon Graphics in 1990, co-founded HaL Computer Systems where he headed the compiler group and contributed to the architecture of the 64-bit SPARC processor, performed a successful turnaround as CEO of the Xanadu Operating Company, has helped organize a number of startup companies, and now consults for a range of companies on strategic planning and security.
Information on the EROS system can be found at http://www.eros-os.org.
Detailed Directions and Maps are available at: http://www.acm.org/sigada/locals/dc/Directions_JHU_APL.html
Please put on your calendar the next meeting of the ACM DC SIGAda Chapter Meeting for Thursday, 9 January 2003.
Please provide suggestions on the Web site and its contents. We are particularly interested in ways the DC SIGAda Home Page can serve you better.
Consider subscribing to our e-mail list. Simply send an email to:
with the body containing:
subscribe SIGAda-DC Your Name
To be removed from the list, send an email request to:
with the body containing:
Please forward this message to people who might be interested in attending. We welcome all new members as our attendance and interests grow.
Many thanks to all earlier participants, contributors, speakers, advisors, and friends, who are involved in helping to produce and attend the meetings.
Jeff Castellow, Chair, DC SIGAda
If you have comments or suggestions,
email the DC SIGAda Webmaster
updated 6 November 2002