User-level Extensibility in the Mona File System

厦门一中2024届高三年英语科期中考试卷英语试卷一、阅读理解(共30 分)FIVE UNUSUAL SPORTSWhat sports are you into? Football? Tennis? Swimming? If you’re looking for a change, you might like to try one of these.OctopushOctopush (or underwater hockey as it’s also known) is a form of hockey that’s played in a swimming pool. Participants wear a mask and snorkel and try to move a puck (水球) across the bottom of a pool. The sport has become popular in countries such as the UK, Australia, Canada, New Zealand and South Africa. An ability to hold your breath for long periods of time is a definite plus.ZoobombingZoobombing involves riding a children’s bike down a steep hill. The sport originated in the US city of Portland in Oregon in 2002. Participants carry their bikes on the MAX Light Rail and go to the Washington Park station next to Oregon Zoo (which is why it’s called “zoobombing”). From there, they take a lift to the surface, and then ride the mini-bikes down the hills in the area.Office Chair RacingOffice Chair Racing consists of racing down a hill in office chairs that can reach speeds of up to30kph. Strict rules are in place for competitors: they’re allowed to fit in-line skate wheels and handles to their chairs, but no motors. “We check each chair carefully in advance,”one of the organizers explained. The participants race in pairs wearing protective padding as they launch themselves from a ramp (坡道). Prizes are given to the fastest competitors and also for the best-designed chairs.Fit 4 DrumsFit 4 Drums is a new form of cardio-rhythmic exercise. Led by an instructor, the class involves beating a specially-designed drum with two sticks while dancing at the same time. It’s the first group fitness activity where you get to play a drum while getting an intense workout. A sense of rhythm is a definite advantage!Horse BoardingHorse Boarding involves being towed behind a horse at 35mph on an off-road skateboard. Professional stuntman Daniel Fowler Prime invented the sport after he strung a rope between his off-road “mountain board” and a horse. Participants stand on a board while holding onto a rope, attemptingto maintain their balance as the horse gallops (疾驰) ahead. “The horse rider and the horse have to work together because if they don’t, the horse goes flying,”Daniel explained.So, which sport would you like to try?1. What do you need to do if you want to play Octopush?A.Swim on the surface of the water.B.Hold your breath before the sport.C.Play it by the side of the seashore.D.Wear underwater breathing devices.2. Which activity will you choose if you want to take part in collective fitness?A.ZoobombingB.Office Chair RacingC.Fit 4 DrumsD.Horse Boarding3. What proverb does Horse Boarding tell us?A.The spirit is willing, but the flesh is weak.B.Never let your feet run faster than your shoes.C.The bigger they come, the harder they fall.D.Every chess master was once a beginner.【答案】1. D 2. C 3. B【导语】这是一篇说明文。

艾尔登法中英文对照艾尔登法（Alden Method）是一种流利阅读的学习方法，它的中英文对照如下：艾尔登法（Alden Method）。

艾尔登法，也被称为艾尔登阅读法，是由美国教育家和作家艾尔登（Edward William Dolch）提出的一种流利阅读的学习方法。

该方法旨在帮助学生通过系统性的练习和训练，提高他们的阅读速度和理解能力。

Alden Method, also known as the Alden Reading Method,is a learning approach for fluent reading, proposed by Edward William Dolch, an American educator and writer. This method aims to help students improve their reading speed and comprehension through systematic practice and training.艾尔登法的核心理念是通过快速而准确地识别和理解常见的高频词汇，来提高阅读效率。

艾尔登教授认为，掌握这些常见词汇是阅读的基础，因为它们在文本中出现的频率很高。

他将这些常见词汇称为“艾尔登词汇”（Dolch Words），并将它们分为不同的级别，以便学生逐步掌握。

The core idea of the Alden Method is to improve reading efficiency by quickly and accurately recognizing and understanding common high-frequency words. Professor Dolch believed that mastering these common words is thefoundation of reading because they appear frequently in texts. He referred to these common words as "Dolch Words" and categorized them into different levels for students to gradually master.艾尔登法的训练过程包括词汇识别、词汇理解和阅读理解三个方面。

油画演讲稿尊敬的评委、亲爱的观众们：大家好！我今天要和大家分享的主题是油画。

油画作为一种重要的艺术形式，具有悠久的历史和独特的魅力。

它以其独特的表现方式，不仅赋予艺术家创造的自由度，也能够带给观众们无穷的视觉享受。

首先，让我们来了解一下油画的历史。

油画的起源可以追溯到公元七世纪的古埃及，当时的艺术家使用油和天然颜料来绘制壁画。

但真正意义上的油画，则可追溯到15世纪的文艺复兴时期。

在这个时期，画家们开始使用油料来创作，达到了更加细腻和真实的效果。

荷兰画家伦勃朗和弗拉芒画家梵高等人的作品，使油画走向了巅峰。

油画与其他艺术形式相比，具有极高的可塑性和延展性。

画家可以根据自己的创意和想象力，选择不同的油画材料和工具，运用各种技巧和手法，创造出丰富多样的作品。

无论是细腻的肖像画、唯美的风景画，还是富有表现力的抽象画，都可以通过油画得到最好的呈现。

另外，油画的色彩和质感也给人以强烈的冲击力。

油画作品的色彩鲜艳、光线效果浓郁、层次感丰富，这些优点使得观者和画作之间建立了紧密的联系。

通过色彩的运用，油画能够传达情感的复杂性和深度，让观众们沉浸其中，感受到画家的思想和情感。

此外，油画还能够永久保存，能够在时间的考验中保持其艺术价值。

油画作品的颜料和介质具有稳定性，可以确保画作的长久保存。

例如迎接我们的名画《蒙娜丽莎》，它经历了数百年的时间考验，依然保存完好。

这使得油画作品成为一种重要的文化遗产，流传至今，仍为人们所欣赏和研究。

最后，我想强调油画对于观众们的意义。

油画不仅仅是一幅画作，更是一种艺术的语言。

它通过画家的创作，将画面中的故事和情感传递给观众，引发他们的共鸣和思考。

观众们在欣赏油画的过程中，不仅能够感受到艺术家对于美的追求，也能够从中汲取灵感和力量。

总结一下，油画是一种有着悠久历史和独特魅力的艺术形式。

它具有可塑性、色彩鲜艳、质感丰富以及永久保存的特点。

油画不仅为艺术家提供了创作的自由度和表现力，也给观众们带来视觉上的享受和思考的空间。

WiringPrecautions for Safe Use1)The product is designed for indoor use only. Do not use the product outdoors•or in any of the following locations.E Places directly subject to heat radiated from heating equipment.E Places subject to splashing liquid or oil atmosphere.E Places subject to direct sunlight. Places subject to icing and condensation. E Places subject to dust or corrosive gas (in particular, sulfide gas andammonia gas).E Places subject to intense temperature change.E Places subject to vibration and large shocks.2)Use/store within the rated temperature and humidity ranges.Provide forcedcooling if required.3)Install K8AB in a correct direction.4)Be sure to wire properly with correct polarity of terminals.5)Wire the input and output terminals correctly.6)Use this product within the rated load and power supply.7)Be sure that the temperature sensor type and the input type set on K8AB arethe same.8)When extending the lead wires on a thermocouple, be sure to use compensating conductors suitable for the thermocouple type.9)When extending the lead wires on a platinum resistance thermometer, uselead wires with a low resistance (5 ƒ max. per line) and be sure that the resistance is the same for all three lead wires.10)Use the recommended solderless terminals.11)Do not wire the terminals which are not used.12)Make sure that the rated voltage is attained within 1 seconds13)Design system (control panel, etc) considering the 1 second of delay thatK8AB's output to be determined after power ON.14)Make sure that K8AB has 30 minutes or more to warm up after power ON.Turning ON the power before starting monitor to the correct temperature.15)Separate the high-voltage or large-current power lines from other lines, andavoid parallel or common wiring with the power lines when you are wiring to the terminals.16)Allow as much space as possible between K8AB and devices that generatepowerful high frequencies or surge.17)Do not use a microwave receiver near K8AB. Microwave interference mayaffect K8AB.18) A switch or circuit breaker should be provided close to this unit. The switch orcircuit breaker should be within easy reach of the operator, and must be marked as a disconnecting means for this unit.19)Do not use paint thinner or similar chemical to clean with. Use standard gradealcohol.20)Use tools when dismantling parts for disposal.21)Install the K8AB inside a cabinet.22) This is a class A product. In residential area‚ it may cause radio interference,in which case the user may be required to take adequate measures to reduce interference.SpecificationsPower supply voltage Operating frequency Operating valtage rangeOperating frequency rangePower consumption Inrus current Accuracy Relay outputAmbient temperatureAmbient humidity Strage temperature Strage humidity WeightDegree of protection Altitude Installation environmentExternal input Output currentMemory protectionAC100-240V type AC/DC24V type 50-60Hz85 to 110% of the rated voltage 95 to 105% of the rated frequency5VA max.(AC100-240V)4VA max.(AC24V)2W max.(DC24V)15A max.(AC100-240V)10A max.(AC/DC24V)2%FS3A,250VAC/30VDC(resisteve load)1A,250VAC/30VDC(inductive load)Mechanical life 10million times Electorical life 50,000times(N.O) 30,000times(N.C)1c contact -10 to 55•(Avoide freezing or condensation)RH 25 to 85%-25 to 65•RH 25 to 85%Approx.130g IP20Max 2,000mSetup category ‡U ,pollutionDegree 2(as per EN61010-1)Output current:approx.10mAContact input ON :1kƒ max., OFF:100kƒ min.No-contact input ON :residual voltage (NPN) 1.5Vmax.,OFF:leakage current 0.1mA min. EEPROM(non-volatile memory)(endurance:200,000 erase/write cycles)Dimensions (mm)Names of partsSetting rangeSensor input rangeSwitch OperationTime ChartMountingDismountingConnectionsTH11STH12SSolderless terminals Use the small screw driver when you operate the SWs or the Button.OMRON ELECTRONICS LLC.One Commerce Drive Schaumburg, IL 60173-5302 U.S.A Phone 1-847-843-7900 FAX 1-847-843-7787OMRON CANADA INC. 885 Milner Avenue Scarborough, Ontario M1B 5V8, Canada Phone 1-416-286-6465 Fax 1-416-286-6648OMRON EUROPE B.V.Wegalaan 67-69 2132 JD Hoofddorp The Netherlands Phone 31-23-56-81-300 FAX 31-23-56-81-388OMRON ELECTRONICS PTY. LTD. 71 Epping Road, North Ryde, Sydney, N.S.W 2113, Australia Phone 61-2-9878-6377 Fax 61-2-9878-6981OMRON ASIA PACIFIC PTE. LTD.No.438A Alexandra Road #05-05/08(Lobby 2), Alexandra Technopark, Singapore 119967Phone 65-6835-3011 FAX 65-6835-2711OMRON CORPORATIONShiokoji Horikawa, Shimogyo-ku, KYOTO, 600-8530 Japan Phone 81-75-344-7109 FAX 81-75-344-7149Alarm type:Hysteresis 2•(or ßF )Non-failsafe/Failsafe Latch:Holding the relay output until •g latch reset”SV protect mode: In this mode, the changes of SW or R_SWs are • • NOT available. When K8AB comes out from this • •mode, the changes are available.Behavior of LEDs Relay(Failsafe)Relay(Non-failsafe)Alarm, Other errs Source Relay(Latch)Alarm, Other errsSourceSV protect modeSourcePWR_LED Sv protect modeSourceALM_LEDAlarm Source Other errs Lower-limit alarm Upper-limit alarm SV* Other errs:Sensor burnout,Input range over,Setting range over, memory err.* If LATCH_RST or EXTERNAL INPUT has been ON more than 5s, K8AB-TH goes into or comes out from SV protect mode.SWErrors(ALM_LED:flash)Comes out of SV protect mode.A Reset the latch.B Confirm the wiring and parameter settings.C Reset the SOUCE.If K8AB return to normal state, the cause may be the • noise.If not, there is need to replace it.The state of latched output and the state of SV • protect mode are backed up by EEPROM.Trouble shootingFollowing (1)•(3) may occur.(1)Sensor burn out or Senor input range over. (2)Setting range over.(3)Inner error(devices,memories,etc.).O NOF FF O N F OF FF O N F OF F。

Reddist问答会记录官方编译版（上）* 修理费Diablownaway：为什么你们认为增加修理费比其他方法更好？魔兽世界里，解决拖尸打法的方法也不是大幅度增加修理费。

而是让地区所有人都进入战斗，来尽可能地限制拖尸的可能性，并让Boss和怪物在战斗结束之后恢复生命值。

不要把以前解决的很好的问题弄的更糟。

大幅度增加修理费会伤害到寻求挑战的玩家，他们不肯放弃，也不会放过每一次战斗。

应该是去鼓励玩家进行挑战。

这种改动会让玩家回去每天踢12个小时的罐子而不是打游戏。

请重新考虑一下，谢谢。

Wyatt Cheng ：这仍然是我们在考虑的选择，我们还没有最终决定，只是量的问题。

让我们假设改动之后修理一次要4万金币。

你要多久才能赚4万金币呢？目前来看如果你玩炼狱ACT1（只是举例），将所有的蓝装都卖NPC，然后有75%的Gold Find并叠满奈非天勇气，你一个小时应该很轻松地有12万-15万的收入。

死亡10次你的装备就全部损坏了，也就是说你每个小时可以死30-40次。

到底多少我不知道，看起来是不少。

但如我所说，这只是量的问题。

5万修理费会更糟吗？3万如何？2万？我想说的就是现在6000-10000的修理费有些太可笑了。

我可以认为5万太高了，但显然正确的答案就在两者之间。

我们将会在实装之后测试效果并找到我们认为可行的额度。

* 元素伤害KaydenFox：为什么元素伤害被取消了？燃烧的火焰，治疗解毒，眩晕闪电，治疗神圣…… 如果都加进来的话对游戏体验非常棒。

Jay Wilson ：因为玩家倾向于DPS高过一切。

我们测试时发现大家只会选择伤害最高的属性。

如果我们平等伤害值，他们不会选择没有控制效果的。

现在的情况就是，我们保留的寒冰属性上的减速效果并降低了其伤害，现在它就成为使用人数最少的了。

* 随机事件Grug16：我在2009年嘉年华上玩了ACT2的体验版。

那个区域的事件比现在多的多，比如仪式中的教徒，或者一群被沉沦魔抓住的商人。

软考高级架构师系统设计40题1. In a system design, which of the following is the most important consideration for scalability?A. Hardware performanceB. Software architectureC. Network bandwidthD. User interface design答案：B。

解析：软件架构对于系统的可扩展性至关重要。

硬件性能在一定程度上影响，但不是最关键的。

网络带宽主要影响数据传输，对可扩展性的直接影响较小。

用户界面设计与系统的可扩展性关系不大。

2. When designing a system, which principle should be followed to ensure high availability?A. RedundancyB. Minimization of componentsC. Simple architectureD. Low cost答案：A。

解析：冗余是确保高可用性的重要原则。

减少组件可能会降低复杂性，但不一定能保证高可用性。

简单架构有助于理解和维护，但不是保证高可用性的关键。

低成本通常不是高可用性设计的首要考虑因素。

3. Which of the following is a key factor in determining theperformance of a system?A. The number of usersB. The algorithm usedC. The color scheme of the interfaceD. The brand of the hardware答案：B。

解析：算法的优劣直接决定了系统的性能。

用户数量会影响系统负载，但不是决定性能的根本因素。

界面的颜色方案与性能无关。

硬件品牌对性能有一定影响，但算法的影响更为关键。

Protection in Flexible Operating System ArchitecturesChristophe RippertChristophe.Rippert@inria.frSARDES project,LSR-IMAG laboratoryINRIA Rhˆo ne-Alpes,655avenue de l’EuropeMontbonnot38334St Ismier Cedex,FranceAbstractThis paper presents our work concerningflexibility and protection in operating system kernels.In most existing operating systems,security is enforced at the price offlexibility by imposing protection models on the system programmer when building his system.We prove thatflexibility can be preserved by separating the management of the protection policy from the tools used to enforce it.We present the secure software framework we have implemented in the Think architecture to manage protection policies and guarantee they are carried out as specified.We then detail the elementary protection tools provided to the programmer so he can protect his system against unauthorized accesses and denial of service attacks.These tools are implemented in a policy-neutral way so as to guarantee theirflexibility.Finally we validate our results by evaluating theflexibility of the protection provided on selected examples of dynamic modification of the protection policy.1IntroductionFlexibility and security are often seen as two conflicting goals in traditional operating systems.Securing a system often results in imposing constraints on the system architecture and on the services provided.On the other hand,improving theflexibility of the system is generally seen as introducing vulnerabilities.For example,recent Linux kernels supports the use of modules,that is system services which can be loaded and unloaded at will in the kernel.This permits the system administrator to add functionnalities to the kernel without having to recompile it,thus enhancingflexibility.However,a malicious user might trick the system administrator into loading a harmful module in the kernel to gain extra privileges for example.On the other hand,forbidding the use of modules strengthens the security of the system but reduces itsflexibility since the system administrator is forced to recompile it each time he wants to add a service.We believe that it is possible to guarantee bothflexibility and security in an operating system.Our work focuses especially on protection as defined in[5],that is access control and protection against denial of service attacks.We prove in this paper thatflexibility can be preserved in a secure system by separating the management of the protection policy from the tools used to enforce it.The protection policy is the set of rules specifying the access rights of principals and the management of ressources in the system.We thus propose a secure software framework that regulates the interactions between the components in the system and includes the security manager,a component dedicated to the management of policies.Coupled with a set of policy-neutral protection tools,we guarantee that protection policies can be changed dynamically to suit the needs of the system administrator,without needing to recompile or reboot the system,thus preserving its flexibility.Our work is validated using Think,aflexible system architecture which permits the programmer to build customized operating systems.Wefirst present the Think architecture and the secure software framework we have implemented with it.We then describe the elementary protection tools we have specified and implemented to be policy-neutral.Finally,we present the experiments we have conducted to test theflexibility of our protections tools by dynamically changing the protection policy.We conclude by presenting the future work we plan to conduct concerning the specification of protection policies.2The Think architectureThe Think1architecture aims at providing a programming model and a set a tools to ease the task of system builders.This architecture is specified in[4]where itsfirst implementation is also described.This implementation does not address protection issues and let the system vulnerable to abuses.We present below our secure implementation of the Think software framework,before detailling in Section3the elementary protection tools we have devised.2.1ArchitectureThink is composed of three main entities:the nano-kernel,the service library,and the software framework.The nano-kernel is the part of the kernel in charge of booting the system and providing access to the underlying hardware.It does not add any system abstraction nor provides any service.It is meant to be as small as possible since it is a mandatory part of the system and we want to minimize the code imposed to the system programmer,as advocated by the Exokernel philosophy[3].The service library is composed of system services which can be used by the system programmer when he builds his system.Each service is implemented as a stand-alone component.It means that a service can depend on another service’s interface(as for example afile system depends on the interface of the hard drive driver),but not on the implementation of this service.Thus,any service can be replaced by another one exporting the same interface.This provides a completeflexibility since no component is mandatory in the system and the programmer can replace any library component by his own if it better suits his needs.The software framework materializes the programming model advocated in Think.It is based on the ODP model[6],and includes the well-known notions of interface,component,binding,binding factory, name and naming context.This model specifies the way components must interact,as presented here with the example of a component Src calling the method meth of the component Dst:ponent Dst exports its interface with the export method of the naming context interface.ponent Src uses the bind method of the binding factory interface to create a binding with theinterface exported by component Dst.ponent Src calls the method meth of the Dst component using the call method provided bythe software framework.In thefirst implementation of the Think framework,this call method is in fact a wrapper so as to optimize its performances.It is important to note that methods exported by components cannot be called directly since they are protected by the static C statement.2.2ImplementationWe present here the secure version of the Think software framework.This framework guarantees that the interactions between the components respect the protection policy specified by the system programmer.We present the implementation of the main notions of the programming model proposed in the Think architec-ture.1Think stands for THink Is Not a Kernel2.2.1InterfacesInterfaces are implemented as a structure composed of the static name of the exporting component,its methods and its public data.The static name is an unique identifier which can be used to statically define the access rights of the component.2.2.2NameNames represent interfaces in a given naming context.Our implementation of a name is a structure composed of an identifier used tofind the interface corresponding to the name,and the naming context in which the name is defined.2.2.3The security managerThe security manager is the component dedicated to the management of security policies on the system, which includes protection policies.Its interface is described in Figure1.Secret getSecret(Itf itf);boolean checkBind(char*staticName,Secret secret,Name dstName);boolean checkExport(char*staticName,boolean checkCall(char*staticName,Secret secret,Secret secret,Itf itf,Itf dstItf,NamingContext nc);char*methStaticName);Figure1:Interface of the security managerThe getSecret method is called when a component is initialized and returns a secret token.This token permits to dynamically identify a component in a way similar to a PGP public key[9]which identifies a user. In our implementation this token is a128-bit integer,which makes it statistically very difficult to forge.The checkExport method is used to check that the calling component has the right to export the interface itf. The checkBind method verifies that the calling component can create a binding with the interface dstName. The method checkCall checks that the calling component has the right to call the method methStaticName exported in the interface itf.2.3Naming contextsNaming contexts are components managing the naming tables containing the names of the interfaces in the system.The interface of a naming context is presented in Figure2.Name byteToName(NamingContext nc,Name export(NamingContext nc,char*str);char*staticName,Secret secret,Itf itf);Figure2:The Naming Context interfaceThe byteToName method takes as a parameter the serialized form of a name and returns that name if it exists in the given naming context.In our implementation,names are serialized as strings.The export method is used by a component identified by its static name and its secret to export an interface in the givennaming context.It returns a name which identifies the interface in the naming context.This methodfirst calls the checkExport method of the security manager to verify that the component has the right to export the given interface in this naming context.2.4Bindings and binding factoriesBindings are not represented as components in Think but they can be seen as communication channels between components.Binding factories are components exporting the interface presented in Figure3.Itf bind(char*staticName,Secret secret,Name dstName);Figure3:The Binding Factory interfaceThe bind method creates a binding between the calling component,identified by its static name and secret,and the interface which name is given as a parameter.It returns the interface corresponding to the given name.Before creating the binding,the bind method calls the checkBind method of the security manager to verify that the component has the right to create it.2.5Inter-component callsComponents call interfaces using the method exported by the inter-component calls component which inter-face is presented in Figure4.void*call(char*staticName,Secret secret,Itf dstItf,char*methStaticName,void*params);Figure4:The inter-component calls interfaceThe call method is used by a component identified by its static name and secret to call a method exported by a given interface.The called method is identified by its static name so as to permit the static specification of call rights.This methodfirst calls the checkCall method of the security manager to verify that the component has the right to call the method.If this verification succeeds,the method is called with the proper parameters.3Elementary protection toolsWe have implemented some elementary protection tools that we have included in Think library.We call these tools elementary since each one can protect the system against a particular threat.All these tools are implemented as components and thus remain independant from each other.We show that these tools are policy neutral which ensures theirflexibility.3.1An adaptable disk manager3.1.1PrincipleClassical disk managers typically use a geographical scheduling policy which treat request according to the distance between the desired sector and the current position of the head[8].These algorithms are well suited for all-purpose operating systems but not for specific uses as in real time or multimedia systems for example.Moreover,they are usually vulnerable to denial of service attacks as a malicious process issuing lots of requests so as to slow down the treatment of other requests.We have implemented an adaptable disk manager which permits to dynamically change the scheduling policy.The scheduling algorithm can thus be changed according to the needs of the applications or to counter a denial of service attack.3.1.2ImplementationThe disk manager we have implemented is detailled in Figure5.typedef struct{void initQueue();DiskReq*getQueue();int readOrWrite;char*readSector(unsigned sect,void setSched(void(*f)());unsigned sector;char*buffer,void delReq(DiskReq*req);char*buffer;unsigned pid);unsigned pid;void writeSector(unsigned sect,}DiskReq;char*buffer,unsigned pid);void flushQueue();Figure5:Interface of the adaptable disk managerThe DiskReq structure describes a request emitted by a process identified by its process identifier(pid)to a given sector.The initQueue method initializes the request queue and the readSector and writeSector methods permit components such as afile system to send read and write requests to the disk manager.The flushQueue method treats the requests stored in the queue when called by the process managing the burst mode.The getQueue method is ourfirst elementary tool.It offers a view of the current state of the request queue to the security manager to help him take decisions according to the protection policy.The setSched method is our second elementary tool.It permits the security manager to change the scheduling algorithm by passing the corresponding function as a parameter to the setSched method.This function is called by the flushQueue method before beginning to treat the requests,so as to sort them in an order matching the scheduling policy.The delReq method is our third elementary tool.It can be used by the security manager to remove a request from the queue.This is useful during a denial of service attack to clean the queue of the requests emitted by the malicious process.All these tools are policy neutral since all decisions are made by the security manager.These tools provide the necessary support for the security manager to enforce the protection policy.For example,the security manager can detect a denial of service attack using the getQueue method and change the scheduling algorithm with the setSched method or erase the offending requests with the delReq method.Criteria defining a denial of service attack and the countermeasures to take in case of attack are specified by the protection policy.3.2Software-based memory isolation3.2.1PrincipleMemory isolation is a mandatory mechanism in a multi-user operating system.It is indeed necessary to prevent a malicious or malfunctionning process to read or modify other processes’data.However,most oper-ating systems base memory isolation on hardware mechanisms provided by the processor,like segmentation for example.This approach has several drawbacks.First it requires that the memory management unit of the processor provides an isolation mechanism which is not always true especially on embedded systems. Moreover,hardware isolation usually induces a high overhead for interprocess communication since processes must use services as sockets to circumvent the hardware isolation.Finally,hardware isolation lakesflexibility since the test carried out to validate the access is hard coded in the memory management unit and cannot be changed by the system programmer.Thus,we chose to implement a software-based memory isolation mechanism that allow the programmer to fully customize the access control he wants to enforce in his system.3.2.2ImplementationThe tool we have implemented is inspired from the software-based fault isolation mechanisme presented in[7]. When a process is created,the tool parses the binary code of this process and replaces memory accesses with a branch to a well-known entry point in the security manager.This entry point corresponds to a function which task is to check that the memory access is allowed by the protection policy.Thus all memory accesses are checked dynamically when the process code is executed.The access is executed if it is allowed by the protection policy and the execution of the process continues.If the verification fails,a security exception is thrown so as to notify the operating system.This tool is veryflexible since the access control is enforced by a function programmed by the system builder.Thus he can program it as needed tofit the protection policy he wants to enforce in the system. Moreover,our tool permits to choose which memory access must be checked.The programmer can for example decide to verify only branches and not load and store instructions if it suits his needs.3.2.3Evaluation for segment matchingThe tool we have implemented permits to implement any kind of access control.To evaluate it,we have programmed a segment matching policy in the security manager.This policy simply consists in verifying that the destination address of the memory access belongs to a segment defined by its lower and upper bounds. It is very similar to the technique presented in[7].We detail its operation on a simple example.The original code of the process is presented in Figure6.It is composed of a single PowerPC load instruction which task is to copy in register R1the content of the memory word at the address computed by adding8to the content of register R2.Initial_code:lwz1,8(2)Figure6:Initial code:32-bit integer loadingThis code is modified by the memory isolation tool by replacing the load instruction by a branch to the checking function in the security manager,as detailled in Figure7.The verifying code can be generated dynamically when the process is created since this code is very simple.This permits to generate a code optimized for the replaced instruction,as shown in Figure8.For a more complicated verification it may not be possible to dynamically generate the checking function.In our example,the codefirst calculate the destination address in a temporary register(add14,2,8),then check this address against the lower and upper bounds,and raise an exception if the address is not in the allowedModified_code:ba Entry_Point_LWZFigure7:Modified code:branching to the security managersegment(tw8,14,15and tw16,14,16).If the test is successful,the original instruction is executed(lwz 1,8(2))and the instruction pointer returns to the next instruction in the process(ba Modified Code+4).Verification_code:add14,2,8tw8,14,15tw16,14,16lwz1,8(2)ba Modified_Code+4Figure8:Generated code:checking the destination address and loading the integer if allowedA simple optimization of this tool is not to generate code for memory access which can be checked before the process execution.For example,the PowerPC platform provides a relative branch instruction for which the destination address is computed by adding an immediate value to the address of the branch instruction.Since this immediate value is coded into the branch instruction itself,the destination address can be computed when the process is created and verified without having to execute the code.This optimization is very effective since relative branches are mostly used in loops for which a dynamic verification for each iteration would be very costly.3.2.4BenchmarksCode generation delay The verification code is generated when the process his created in our example for segment matching.We monitored the delay induced by this code generation and found that the process creation delay increases by3.20ms for a test program composed of29000instructions(including9000memory accesses).Since the time necessary to read thefile on the hard drive and allocate the memory for the process is approximately16.5ms,the overhead of our tool is only20%,which seems moderate for most programs.Execution overhead We monitored the overhead induced by the execution of the verification code for various program types.Load/store instruction The execution time of a single load or store instruction is multiplied by3.5 when verified by our tool.This might seem prohibitive but obviously a program is never composed only of load and store instructions.Relative branch There is no overhead for the exectution of a relative branch since the destination address of this type of instructions can be computed when the process is created,using the optimization presented above.Absolute branch This type of instructions is mostly used for interprocess communication.We thus compared the cost of an inter-segment call using our software isolation mechanism with the cost of an IPC call over a hardware isolation provided by the processor.The IPC mechanism is based on LRPC[1]and takes 0.490µs.With our software isolation tool,the delay is0.019µs which is26.4times pared to anabsolute call without any isolation,the overhead is only of16.67%,which seems very moderate.Software-based memory isolation is therefore very interesting for interprocess communication.Square root computation This algorithm is an example of a program which includes very few memory accesses.It is an iterative algorithm based on Heron of Alexandria’s well-known method for com-puting square roots.The overhead for the computation of the square root of100000is only1.55%which is obviously negligible.GZip This program includes lots of memory accesses since it is based on the comparison of strings stored in a ing maximum compression(with the-9option),the overhead for a128MBfile is 117%,which can be considered prohibitive.Conclusion These benchmarks show that performances of a software-based memory isolation mechanism strongly depend of the type of program isolated.However,the system programmer can choose which programs he wants to isolate with it,which is not possible with a hardware isolation.Moreover,the system programmer can customize the access control he wants to enforce by changing the protection policy as needed,thus permitting him to implement lightweight tests for performance critical applications.4EvaluationTo evaluate theflexibility of our framework and our tools,we present below several situations where the protection policy is dynamically modified during execution of the operating system.4.1Dynamic modification of the memory isolation politic4.1.1Using the software-based memory isolation toolWe show on a simple example how our software-based memory isolation tool can be dynamically recon-figurated.In our system,component C2is exporting a set of public variables which might be accessed by component C1,but only after they have been initialized.So the segment containing component C2is initially isolated from the segment containing component C1,as shown in the access matrix in Figure9.SegC1SegC2SegC1RWX∅SegC2∅RWXFigure9:Access matrix for the memory isolation toolIn the security manager,the access rights are stored as capacity lists[5].These capacities are protected from tampering since the security manager itself is located in a isolated segment.The read,write and execution access rights are stored as boolean which can be modified using the interface presented in Figure10.The method getRights permits to get the current access rights of the segment containing the component identified by its static name and secret.This method returns the read,write and execution rights for the segment segSrc.The method setRights permits to set the access rights in a similar way.This scheme guarantees theflexibility of the isolation.The memory isolation tool generates code to check that the replaced instruction has the right to access the destination segment,which basically means checking that the corresponding boolean is set to true.Thus,all the programmer of component C2needs to do to grant to C1the access to C2public variables after they have been initialized is to set the boolean using the setRights method.The modification of the policy is immediate and the generated code does not have to be changed.Dynamic modification of the isolation policy is therefore very simple thanks to the separationvoid getRights(char *staticName,void setRights(char *staticName,Secret secret,Secret secret,unsigned srcSeg,unsigned srcSeg,boolean *read,boolean read,boolean *write,boolean write,boolean *exec);boolean exec);Figure 10:The access rights modification interfacebetween the management of the protection policy in the security manager and the tool used to enforce it,that is the software-based memory isolation mecanism.4.1.2Combining the tool and the frameworkThe memory isolation tool provides a way to isolate areas of memory from each other.A finer grain access control can be provided by combining the isolation tool and the secure framework implemented in Think .Figure 11illustrates an example of a component C1calling method meth of component C2.checkCallcheckBindC1callbindcall C2BindingfactorySecuritymanagerInter−componentcalls Figure 11:Fine-grain access control between two componentsThe dashed lines represent segments enforced by the memory isolation tool.The access rights for this isolation are summed up in Figure 12.SegC1SegC2SegFramework SegC1RWX ∅X SegC2∅RWX X SegFramework RWX RWX RWXFigure 12:Access matrix for the three segmentsAs can be seen in Figure 12,component C1and C2can call methods of the framework since it is located in a segment for which they have the execution right,but cannot call each other’s methods directly.So component C1is forced to use the binding factory and inter-component calls interface to call componentC2’s method meth,thus allowing the framework to check that the protection policy allows that call,using the checkBind and checkCall methods of the security manager.4.2Dynamic modification of the disk scheduling algorithmTo test theflexibility of our adaptable disk manager,we devised a simple scenario of a denial of service attack.A malicious process which wants to slow down accesses to the disk simplyfloods the disk manager with requests chosen according to the current scheduling algorithm.For example,if the current algorithm implements a Shortest Seek Time First scheduling[8],the malicious process sends lots of requests for sectors close to the current position of the head so as to cause a starvation for the other processes.The security manager can detect this kind of attacks using the getQueue method of our adaptable disk manager.A denial of service attack is usually caracterized by lots of requests coming from the same process. The security manager decides according to the protection policy if the current distribution of requests in the queue corresponds to an attack and what countermeasures should be taken.The security must describe the characteristics of an attack since a great number of requests coming from the same process in the queue can be legitimate if this process needs to access a bigfile on the disk for example.The protection policy can specify that if a denial of service attack is detected,the current disk scheduling algorithm must be replaced by a fair scheduling algorithm.This type of algorithms reorganizes the requests in the queue according to the process which emitted them.Figure13describes an example of this reorganization for two processes P1and P2and compares it with a Shortest Seek Time First scheduling.A PxRy request means“request emitted by process Px to read sector y”.Emission order:[P1R1,P1R8,P2R4,P2R1]Fair scheduling:[P1R1,P2R4,P1R8,P2R1]SSTF scheduling:[P1R1,P2R1,P2R4,P1R8]Figure13:Reorganization of requests by a fair algorithm It is important to note that this fair algorithm is not meant to be used as a default scheduling algorithm since its performances are much worst than most geographical algorithms.Its goal is only to prevent starva-tion by interleaving requests from the processes accessing the disk.When using this algorithm,performances will therefore be slowed down equally for all processes,instead of being very high for the attacking process and very low for all the others.Once the risk of starvation is cancelled by the fair scheduling algorithm,the security manager can use the delReq method to delete from the queue requests coming from the attacking process.It can also ask the process scheduler to kill the offending process if the protection policy requires it.The security manager may need to analyze the request queue for some time before deciding to kill the process,which emphasize the need for a fair disk scheduling algorithm to protect from starvation the processes accessing the disk legitimately during the time needed to take the decision.This example illustrates theflexibility of the adaptable disk manager.By separating the management of the scheduling policy(implemented by the function passed as a parameter of the setSched method) from the tool used to enforce it(which is the adaptable disk manager itself,with its methods readSector, writeSector and flushQueue),we guarantee that the scheduling policy can be changed dynamically without modifying the tool itself.We chose here an example of a denial of service attack to illustrate a situation where the scheduling algorithm needs to be changed,but the adaptable disk manager can also be useful to adapt the scheduling policy for different types of applications.For example,the system administrator of a general-purpose operating system may want to change the scheduling policy to an algorithm optimized for multimedia applications when such an application is executed on the system,then switch back to a classical geographic algorithm when it is over.。