Quote: for security, Inferno provides message digests, encrypted channels, authenticated file names, and signed modules; based on CryptoLib [»dorwSM1_1997]

Quote: a security kernel mistakenly combines separation and mediation of security issues [»rushJ7_1983]

Quote: EDSYS is a secure system because users can not create load modules; only completely debugged programs are allowed to run [»bernN3_1977]

Quote: EROS has formal verification of security properties and very little performance loss [»shapJS1_2002]

Quote: SPIN depends only on Modula-3's interfaces, type safety, and automatic memory management; no dangling pointers or array overflow [»bersBN12_1995]

Quote: SPIN uses Modula-3 to guarantee that an extension's interface is obeyed; compiler is part of trusted computing base [»grimR2_2001]

Quote: SPIN's core services (e.g., memory and processor) must be trusted; incorrect usage isolated to the extension [»bersBN12_1995]

Quote: simple, fast proof-carrying code; guaranteed conformance with a operating system's safety policy; e.g., network packet filters [»necuGC10_1996]

Quote: use region-based memory allocation for secure systems; smaller trusted computing base, avoids garbage collection pauses, region profiling, safe memory operations without leaks [»walkD7_2000]

Quote: in Overshadow, a hypervisor encrypts memory in a virtual machine; it appears normal to the unmodified application; 30% slower [»chenX3_2008]

Quote: a secure system must start in a consistent and secure state; EROS periodically verifies a consistent, global checkpoint of the entire state of the machine; used for bootstrapping [»shapJS1_2002]

Quote: Nooks wraps a device driver in a lightweight protection domain; copies kernel objects and checks parameters [»taneAS5_2006]

Quote: Intel x86 provides segment protection levels and page protection levels [»chiuTC3_1999]

Quote: efficient intra-address space protection by combining segmentation and paging hardware [»chiuTC3_1999]

Quote: protect the kernel from extension modules by loading each module into a less privileged segment within kernel space [»chiuTC3_1999]

Quote: on Intel architectures, an interrupt gate allows user processes to call kernel services [»chiuTC3_1999]

Quote: 10x cost for hardware-based extensions vs. 40x cost for kernel-process call-return; also, avoids TLB misses [»chiuTC3_1999]

Quote: huge operating systems with poor fault isolation; any statement can overwrite key data structures of unrelated components [»taneAS5_2006]