The Confused Deputy, OSR 1988 and EROS: a fast capability system, SOSP 1999
The confused deputy describes an issue where users can trick a compiler into overwriting the billing file. How would you fix this issue on POSIX systems? Does EROS avoid this by design?
Figures 2, 3, and 6 of the EROS paper illustrate address spaces and processes. Take Figure 6 for example. When a process tries to access page p0 for the first time, a page fault will be triggered. Try to reconstruct how EROS might handle the page fault. Briefly describe the steps based on your understanding.
Compared to POSIX and exokernels, how does this design prevent a malicious process from accessing a page that it doesn’t own?
Section 6.2 and Figure 11 show that the page-fault benchmark takes 3.67μs on EROS, which is much faster than Linux. Why do you think that’s the case?
Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing). For example, EROS provides transparent persistence: it uses a single-level store and periodically writes snapshots of the system state to disk. What do you think about this design (e.g., trade-offs and applicability to persistent memory)?
CAP_*
sendmsg
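As an added illustration for the first question (not part of the assignment text or either paper), the following Python models the confused deputy from Hardy's note in two forms: a "compiler" that opens a caller-named output path with its own ambient authority, and a fixed version that receives an already-open descriptor over a UNIX socket (SCM_RIGHTS via sendmsg/recvmsg) and so can only write where the caller itself could open. The file names and contents are constructed; it assumes Python 3.9+ on a platform with AF_UNIX sockets.

```python
import os
import socket
import tempfile
from pathlib import Path
# Constructed stand-in for the compiler's billing file.
BILLING_CONTENT = b"billing records\n"


def deputy_ambient(output_path: str, text: bytes) -> None:
    """Confused-deputy form: the compiler opens whatever path the caller
    names with its own (ambient) authority, so naming the billing file as
    the output path silently overwrites it."""
    with open(output_path, "wb") as f:
        f.write(text)


def deputy_capability(sock: socket.socket, text: bytes) -> int:
    """Fixed form: the compiler never opens a path. It receives an
    already-open descriptor (SCM_RIGHTS via sendmsg/recvmsg) and writes
    only through it; the caller's own permissions decided what could be
    opened. Returns the number of bytes written."""
    _, fds, _, _ = socket.recv_fds(sock, 1, 1)
    try:
        return os.write(fds[0], text)
    finally:
        os.close(fds[0])


def run_demo() -> dict:
    """Exercise both deputies on constructed files; report the outcome."""
    with tempfile.TemporaryDirectory() as d:
        billing, output = Path(d, "billing"), Path(d, "user_output")
        # 1. Ambient authority: the caller names the billing file as output.
        billing.write_bytes(BILLING_CONTENT)
        deputy_ambient(str(billing), b"overwritten\n")
        after_ambient = billing.read_bytes()
        # 2. Capability style: the caller opens its own output file and hands
        #    the descriptor across a UNIX socket; the deputy is given no path.
        billing.write_bytes(BILLING_CONTENT)
        client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        out_fd = os.open(output, os.O_WRONLY | os.O_CREAT, 0o644)
        socket.send_fds(client, [b"x"], [out_fd])
        os.close(out_fd)  # the caller keeps no handle; the deputy now holds one
        written = deputy_capability(server, b"compiled\n")
        client.close(); server.close()
        return {"ambient_overwrote_billing": after_ambient != BILLING_CONTENT,
                "capability_bytes": written,
                "billing_intact": billing.read_bytes() == BILLING_CONTENT,
                "user_output": output.read_bytes()}
```

Passing the descriptor is the POSIX analogue of handing over a capability: the deputy's authority never decides which file gets written, which is the property EROS gets by construction.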