# Part Number 83-0902023A000 Version Date 26 September 1996 # DTOS FORMAL SECURITY POLICY MODEL (FSPM) # CONTRACT NO. MDA904-93-C-4209 CDRL SEQUENCE NO. A004 Prepared for: Maryland Procurement Office Prepared by: Secure Computing Corporation 2675 Long Lake Road Roseville, Minnesota 55113 | Authenticated by | | Approved by | | |------------------|----------------------|-------------|--------------| | · | (Contracting Agency) | _ | (Contractor) | | | | | | | Date | | Date | | Distribution limited to U.S. Government Agencies Only. This document contains NSA information (26 September 1996). Request for the document must be referred to the Director, NSA. Not releasable to the Defense Technical Information Center per DOD Instruction 3200.12. © Copyright, 1993–96, Secure Computing Corporation. All Rights Reserved. This material may be reproduced by or for the U.S. Government pursuant to the copyright license under the clause at DFARS 252.227-7013 (OCT.88). # **Technical Note** # DTOS FORMAL SECURITY POLICY MODEL (FSPM) **Secure Computing Corporation** Abstract This report identifies the services provided by the DTOS kernel and the security requirements governing when the kernel provides the services. Part Number 83-0902023A000 Created **Revised** 26 September 1996 **Done for** Maryland Procurement Office **Distribution** Secure Computing and U.S. Government CM /home/cmt/rev/dtos/docs/fspm/RCS/fspm-driver.vdd,v 1.25 26 September 1996 This document was produced using the TEX document formatting system and the IATEX style macros. $LOCK server^{TM},\ LOCK station^{TM},\ NETCourier^{TM},\ Security\ That\ Strikes\ Back^{TM},\ Sidewinder^{TM},\ and\ Type\ Enforcement^{TM}\ are\ trademarks\ of\ Secure\ Computing\ Corporation.$ $LOCK^{\textcircled{\$}}$ , $LOCKguard^{\textcircled{\$}}$ , $LOCKix^{\textcircled{\$}}$ , $LOCKout^{\textcircled{\$}}$ , and the padlock logo are registered trademarks of Secure Computing Corporation. All other trademarks, trade names, service marks, service names, product names and images mentioned and/or used herein belong to their respective owners. $\odot$ Copyright, 1993–96, Secure Computing Corporation. All Rights Reserved. This material may be reproduced by or for the U.S. Government pursuant to the copyright license under the clause at DFARS 252.227-7013 (OCT.88). # **Contents** | 1 | Scope | | | | | |---|-------------|----------------------------------------------|----------|--|--| | - | 1.1 | Identification | 1 | | | | | 1.2 | System Overview | 1 | | | | | 1.3 | Document Overview | 1 | | | | 2 | Appl | licable Documents | 3 | | | | 3 | FSPI | M Overview | 4 | | | | 5 | 3.1 | Policy Development Approach | 4 | | | | | 3.2 | Separation of Enforcer and Decider | 6 | | | | 4 | Basi | c Kernel State Definition | 7 | | | | • | 4.1 | Primitive Entities | 7 | | | | | 4.2 | Process Management | 9 | | | | | 4.3 | Port Name Space | 18 | | | | | 4.4 | Ports | 23 | | | | | 4.5 | Notifications | 25 | | | | | 4.6 | Special Ports | 26 | | | | | 4.7 | Total Send Rights | 32 | | | | | 4.7 | Registered Rights | 33 | | | | | 4.8<br>4.9 | | 34 | | | | | 4.9<br>4.10 | Memory System | 34<br>41 | | | | | | Messages | 52 | | | | | 4.11 | Processors and Processor Sets | 54 | | | | | 4.12 | Time | | | | | | 4.13 | Devices | 54 | | | | | 4.14 | Summary | 56 | | | | 5 | DTO | S State Extensions | 58 | | | | | 5.1 | Subject Security Information | 58 | | | | | 5.2 | Object Security Information | 59 | | | | | 5.3 | Security Identifiers for Access Computations | 61 | | | | | 5.4 | Permissions | 63 | | | | | 5.5 | Access Vector Cache | 70 | | | | | 5.6 | Message Security Information | 72 | | | | | 5.7 | Task Creation Information | 73 | | | | | 5.8 | Server Ports | 75 | | | | | 5.9 | Memory Region Protections | 75 | | | | | 5.10 | Summary of DTOS Kernel State | 76 | | | | 6 | DTO | S Services | 77 | | | | _ | 6.1 | Kernel Requests and State Transitions | 77 | | | | | 6.2 | IPC Services | 80 | | | | | 6.3 | Port Services | 85 | | | | | 6.4 | VM Services | 96 | | | | | 6.5 | | 98 | | | | | 6.6 | Pager Services | 101 | | | | | 0.0 | | IUI | | | | | 6.7 | Task Services | | |---|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----| | | 6.8 | Host Name Port Services | | | | 6.9 | Host Control Port Services | | | | 6.10 | Processor Services | | | | 6.11 | Processor Set Control Port Services | | | | 6.12 | Kernel Reply Services | | | | 6.13 | Device Services | | | | 6.14<br>6.15 | Outcall Services | | | | 0.15 | implementation services | 121 | | 7 | Base | Kernel Policy | 124 | | | 7.1 | Requirements on $client$ to $\underline{port\_sid'(device\_port'(dev))}$ Accesses | 124 | | | 7.2 | Requirements on $client$ to $port\_sid'(task\_self'(child))$ Accesses | 124 | | | 7.3 | Requirements on client to $port\_sid'(task\_self'(task))$ Accesses | 124 | | | 7.4 | Requirements on client to $port\_sid(device\_port(dev))$ Accesses | 125 | | | 7.5 | Requirements on client to $\overline{port\_sid}(\underline{host\_control\_port})$ Accesses | 125 | | | 7.6 | Requirements on $client$ to $port\_sid(\underline{host\_name\_port})$ Accesses | 126 | | | 7.7 | Requirements on $client$ to $port\_sid(kernel\_reply\_port)$ Accesses | 126 | | | 7.8 | Requirements on $client$ to $port\_sid(control\_port(memory))$ Accesses | | | | 7.9 | Requirements on $client$ to $\overline{p}$ $ort\_sid(port)$ Accesses | | | | 7.10 | Requirements on $client$ to $\overline{p}$ $ort\_sid(proc\_self(proc))$ Accesses | | | | 7.11 | Requirements on $client$ to $\overline{\underline{p}}ort\_sid(procset\_self(procset))$ Accesses | | | | 7.12 | Requirements on $client$ to $task\_target(client, \underline{p}arent\_task'(child))$ Accesses | | | | 7.13 | Requirements on $client$ to $task\_target(client, \overline{task})$ Accesses | | | | 7.14 | Requirements on $client$ to $thread\_target(client, thread)$ Accesses | | | | 7.15 | Requirements on $\underline{k}ernel$ to $\underline{p}ort\_sid(\underline{a}udit\_server\_port)$ Accesses | | | | 7.16 | Requirements on $\underline{k}ernel$ to $\underline{\overline{p}}ort\_sid(object\_port(memory))$ Accesses | | | | 7.17 | Requirements on $\underline{\underline{k}} ernel$ to $\underline{\underline{p}} ort\_sid(port)$ Accesses | | | | 7.18 | Requirements on $\underline{\underline{k}}$ $\underline{ernel}$ to $\underline{\underline{p}}$ $\underline{ort}$ $\underline{sid}$ ( $\underline{\underline{security}}$ $\underline{server}$ $\underline{master}$ $\underline{port}$ ) Accesses | | | | 7.19 | Requirements on $kernel\_as(eff\_client)$ to $\underline{port\_sid(port)}$ Accesses | 133 | | | 7.20 | Requirements on $kernel\_as(eff\_client)$ to $\underline{port\_sid(task\_eport(task))}$ Accesses . | 133 | | | 7.21 | Requirements on $kernel\_as(eff\_client)$ to $\underline{p}$ or $t\_sid(thread\_eport(thread))$ Accesses | | | | 7.22 | Requirements on $\underline{p}$ $arent\_task'(child)$ to $\underline{p}$ $ort\_sid'(task\_self'(child))$ Accesses | 133 | | | 7.23 | Requirements on $\overline{t}ask$ to $\underline{p}age\_sid(task, \overline{p}age\_index)$ Accesses | 134 | | | 7.24 | Requirements on $task$ to $\underline{p}ort\_sid'(port)$ Accesses | | | | 7.25 | Requirements on $task$ to $\underline{p}ort\_sid'(task\_self'(task))$ Accesses | | | | 7.26 | Requirements on $task$ to $\underline{p}ort\_sid(port)$ Accesses | 134 | | | 7.27 | Prohibited Actions on port | 135 | | | 7.28 | Prohibited Actions on task | 135 | | | 7.29 | Requirements on client to dev Implementation Accesses | 135 | | | 7.30 | Requirements on client to host_control_port Implementation Accesses | 135 | | | 7.31 | Requirements on client to host_name_port Implementation Accesses | 136 | | | 7.32 | Requirements on client to memory Implementation Accesses | | | | 7.33 | Requirements on client to proc Implementation Accesses | | | | 7.34 | Requirements on client to ps_name_port Implementation Accesses | | | | 7.35 | Requirements on client to ps_control_port Implementation Accesses | | | | 7.36 | Requirements on client to task Implementation Accesses | | | | 7.37 | Requirements on client to thread Implementation Accesses | 139 | | 8 | Gene | eric Security Server Requirements | 141 | | 9 | Notes | | | | | |---|--------------|-------------------------------------|-----|--|--| | | 9.1 Acronyms | | | | | | | 9.2 | Glossary | | | | | | 9.3 | Open Issues | | | | | A | Bibl | liography | 151 | | | | В | Prof | totype Security Server Requirements | 152 | | | | | B.1 | Security Contexts | 152 | | | | | B.2 | Policy Database | | | | | | B.3 | Cacheability Database | | | | | | B.4 | Duration Database | | | | | | B.5 | Prototype Security Server State | 157 | | | | C | ΖE | xtensions | 160 | | | | | C.1 | Disjointness and Partitions | 160 | | | | | C.2 | · | 161 | | | | | C.3 | Sequences | 162 | | | Section 1 Scope # 1.1 Identification This Formal Security Policy Model (FSPM) states the security policy for the prototype kernel developed on the Distributed Trusted Operating System (DTOS) program, contract MDA904-93-C-4209. # 1.2 System Overview The DTOS prototype is an enhanced version of the CMU Mach 3.0 kernel that provides support for a wide variety of security policies by enforcing access decisions provided to it by asecurity server. The set of policies that can be supported is determined by the control points implemented in the prototype. Logically, an access computation query is sent to a security server whenever the DTOS kernel reaches a control point. Request processing cannot continue until the security server informs the DTOS kernel whether the security policy allows the processing to be performed. For efficiency reasons, the DTOS kernel is permitted to cache security decisions made by security servers. Ideally, most access checks can be performed by looking up entries in a cache rather than actually querying a security server. By implementing different security servers, a wide range of policies can be supported by the same DTOS kernel. By implementing a security server that allows all accesses, the DTOS kernel behaves essentially the same as the CMU Mach 3.0 kernel. Although this is uninteresting from a security standpoint, it demonstrates the compatibility of DTOS with Mach 3.0. By using appropriately developed security servers, the DTOS kernel can support interesting security policies such as MLS (multi-level security) and type enforcement. #### 1.3 Document Overview The report is structured as follows: - Section 1, **Scope**, defines the scope and this overview of the document. - Section 2, Applicable Documents, describes other documents that are relevant to this document. - Section 3, **FSPM Overview** provides motivation for the DTOS approach to security and an overview of the approach used to present the policy. - Section 4, **Basic Kernel State Definition**, provides a brief description of the Mach 3.0 kernel data structures. - Section 5, **DTOS State Extensions**, describes new kernel data structures required by the DTOS design. - Section 6, **DTOS Services**, describes the services provided by the DTOS kernel. - Section 7, **Base Kernel Policy**, describes the security requirements governing the DTOS kernel's enforcement of a policy specified by a security server. - Section 8, **Generic Security Server Requirements**, provides a general framework for DTOS security servers. - Section 9, **Notes**, contains a list of acronyms, a glossary, and a description of open issues relevant to the FSPM. - Appendix A, **Bibliography**, provides the bibliographical information for the documents referenced in the FSPM. - Appendix B, **Prototype Security Server Requirements**, describes the rules the prototype security server uses for computing accesses. - Appendix C, **Z Extensions** defines extensions to the Z formal specification language that are used in the specification of the system and policy. Note that while this report contains a description of the DTOS system state and services, it makes no attempt at providing a complete description. Readers that are unfamiliar with Mach and/or DTOS should consult references [3], [4], and [10]. Each component of the system model is described both informally and formally in the Z specification language. No effort is made at describing the syntax or semantics of Z in this document. Readers who are unfamiliar with Z should either skip the Z constructs, consult a separate version of this report (reference [8]) that is an "English-only" version of this report, or consult the Z reference manual (reference [11]). The "English-only" version of this report is roughly half the size of this report, and might provide a more gentle introduction to the DTOS FSPM for readers who just want a high-level description of the policy. Section 2 # **Applicable Documents** The following document provides a high level description of the Mach microkernel: ■ OSF Mach Kernel Principles [4] Although Section 4 provides a summary of the information contained in reference [4], some readers might need to consult the more complete information in reference [4]. The following documents provide a detailed description of the Mach and DTOS microkernels: - OSF Mach 3 Kernel Interface [3] - DTOS Kernel Interface Document (KID) [10] - DTOS Kernel and Security Server Software Design Document (SDD) [7] Although an understanding of these documents is desirable, such an understanding is not necessary to understand the majority of this document. The following documents provide formal descriptions of certain aspects of Mach-like systems: - CLI Mathematical Model of Mach [1] - DTMach FTLS [2] - DTOS FTLS [6] The model of Mach described in Section 4 is derived from references [1] and [2]. Although the material presented in Section 4 is intended to be self contained, some readers might want to consult references [1] and [2] for more details. Reference [2] is an earlier version of reference [6]. The former provides more complete coverage of the requests, while the latter provides more readable and more correct descriptions. The following document is the standard reference for DoD security policies: ■ DoD Trusted Computer System Evaluation Criteria [5] Some of the motivational examples in this document assume a basic understanding of security policies as defined in reference [5]. The following book is the standard reference for the Z specification language that is used to formally state the requirements in this document: ■ The Z Notation: A Reference Manual [11] Readers who are interested in the DTOS FSPM but uninterested in the Z formalization contained in this document should instead read the following reference: ■ DTOS Formal Security Policy Model (Non-Z Version) [8] # Section 3 FSPM Overview This section provides an overview of the DTOS FSPM. In addition to providing a high level description, this section also highlights differences between the DTOS FSPM and typical FSPMs. # 3.1 Policy Development Approach The goal of a security policy is to protect the confidentiality, integrity, and availability of the system against attacks by malicious users and mistakes made by innocent users. For example, the goal of an MLS policy[5] is to prevent users from obtaining information for which they are not cleared. As another example, a system policy that prohibits users other than system administrators from rebooting the machine addresses denial of service as the result of a mistake made by a user. Traditionally, there have been two related but distinct approaches to developing security policies. The first approach, the *threat based* approach is to identify the system threats that are of concern and develop requirements that address the threats. The second approach, the *criteria based* approach is to interpret a set of requirements specified by an evaluation criteria document (such as [5]) for the target system. The relation between the two approaches is that in the second approach it is assumed that the developers of the evaluation criteria have already identified all of the relevant threats. The criteria based approach is infeasible for DTOS due to the goal to support a wide range of policies. Regardless of whether an evaluation criteria document contains MLS, integrity, or availability requirements, there is always the possibility that the user of a DTOS system will want to enforce some other type of security. Consequently, the DTOS policy must provide a framework in which a variety of policies can be supported rather than simply interpreting requirements in an existing evaluation criteria. Thus, the DTOS policy development is threat based. However, the threats identified are of a different nature than those traditionally identified. When developing the policy for a system that is intended to enforce a single policy, the identified threats typically are specific to that policy. For example, while covert channels[5] are a threat with respect to MLS policies, they are typically not a threat with respect to integrity policies. Since the DTOS policy is intended to provide a framework that supports a wide variety of policies, the threats identified for DTOS must be policy independent. The intent is for users to be able to counter threats to their systems by appropriately configuring DTOS. Furthermore, as the set of threats against which a site must protect evolves, administrators should be able to reconfigure DTOS to address the new set of threats. This requires controls to be placed on essentially all services. For example, DTOS must control the setting of the scheduling policy for a thread since some users will want to protect against service denial to user threads. Although the denial of service threat might be of little concern to most users, the possibility that some users might be concerned suggests viewing it as a real threat. Since providing protection against every conceivable threat is impossible, a judgement call has been made on the set of threats that are of concern. The approach taken in the remainder of this document is to view any access of the kernel state as being a potential threat. By viewing each access as a potential threat and providing appropriate control mechanisms, the goal of supporting multiple policies can be achieved. In Section 6, we characterize the various types of accesses that can be made to the DTOS state as DTOS "services." For motivational purposes, we also provide some specific examples in Section 6 of how the threats associated with DTOS services relate to more general threats to computing systems. In stating the policy, we categorize each access as being either an *abstract service* or an *implementation service*. An abstract service is characterized by a relation on pairs of system states that specifies a change to a kernel data structure. For example, the service that creates a new task is characterized by a relation that specifies that the new system state contains a task that was not present in the old system state. Stating a policy on when an abstract service can be provided allows modifications to the kernel data structures associated with the service to be controlled. Note that the same abstract service can be provided by multiple requests. For example, **mach\_port\_allocate** and **mach\_port\_allocate\_name** both provide the abstract service of adding a name to a task's name space.[10] An implementation service is a specific Mach request. When it is difficult to formally define the abstract services associated with a specific Mach request, we address the request by controlling when the request itself can be invoked rather than controlling the abstract services provided by the request. In some cases, the reason for being unable to identify the abstract services is that the request alters data structures that are not visible at the level of the policy. For example, the <code>host\_adjust\_time</code> request (see reference [10]) alters the rate at which the system clock is updated, while the model presented in this document does not address the kernel data structures controlling the rate at which the system clock is updated. In these cases, the implementation services could be replaced by abstract services by developing a more detailed system model. The other primary examples of implementation services are services that "observe" rather than merely "modify" the system state. Observations are more difficult to detect than modifications since they do not leave a trace in the system state. A modification of a state component results in its value changing, while an observation does not. Regardless of whether a service is an abstract service or an implementation service, we associate a *permission* with the service. Note that the majority of this document is devoted to defining the abstract and implementation services provided by the kernel and the permissions enforced by the kernel. Once these are defined, the policy is essentially: The kernel ensures that each of the defined services is provided only when the client of the service has the appropriate permission. This policy controls only the providing of the defined services. Although the services defined in this document are intended to define all of the interesting services provided by the DTOS microkernel, we might have failed to identify some of the provided services. The policy places no constraints on the providing of any such services. To implement the policy, the set of services provided by each request must be identified. Once these services are identified, the requirements in this document can be used to derive the set of permission checks that must be performed. The DTOS Kernel Interface Document [10] and the DTOS Kernel and Security Server Software Design Document [7] identify a set of permission checks that are currently performed for each request. We are in the process of examining $<sup>^{1}</sup>$ See the DTOS Generalized Security Policy Specification [9] for more on supporting multiple policies. the consistency of these permission checks with those called for by the requirements in this document. # 3.2 Separation of Enforcer and Decider Another way in which the DTOS FSPM differs from a traditional security policy is that the requirements on the enforcer of the policy are separate from the requirements on the definer of the policy. Traditionally, the distinction between enforcer and decider has been abstracted away. For example, the \*-Property (see [5]): A subject may only write objects at its level or above. directly binds the abstract service of writing to an object with the MLS requirement. In DTOS, the set of permissions provides an intermediary between the enforcer and the decider. The kernel associates a permission with an abstract service and each security server associates a security requirement with the permission. By enforcing the access computations that a security server communicates as allowed permissions, the kernel can properly enforce the policy defined by the security server. In addition to supporting policy flexibility, explicitly addressing the separation of the kernel and security server functionality provides a cleaner mapping of the policy to the implementation. The requirements stated in Section 7 provide guidance for the implementation of the DTOS kernel, while the requirements stated in Section 8 and Appendix B state requirements that provide guidance for the implementation of the prototype security server. The mapping from implementation to policy is so direct that the tables and Z statements in Section 7 that define the DTOS formal security policy are automatically generated from a file that is also used to generate portions of the DTOS SDD[7] and kernel code. As opposed to manual updating of all of these components, this automated approach provides much greater confidence that the implementation of the DTOS kernel actually satisfies the policy.<sup>2</sup> #### Editorial Note: This document currently defines only those permissions and services relevant to the microkernel. To address a user space server such as a file server, definitions would need to be given for each of the services to be controlled and permissions would have to be defined to control each service. In addition, if the server policies were layered on top of the microkernel policy, discussion would need to be added concerning how the server and microkernel policies were related. Once policies were stated for each of the servers comprising the trusted operating system, an overall system policy could be stated. Although this is a desirable end result, the current scope of the DTOS program is only the microkernel. To unambiguously define the abstract services provided by DTOS, we must first provide a precise definition of the DTOS data structures. Sections 4 and 5 provide such a description by describing an abstract model of the DTOS kernel. Section 6 contains a description of the DTOS services in the context of this abstract model. The remaining sections use the abstract model and service definitions to state the policy. <sup>&</sup>lt;sup>2</sup>Of course, this approach still requires coordination between any individual who changes the security policy file and those individuals responsible for regenerating documents from the file. Section 4 # **Basic Kernel State Definition** The following describes the data structures contained in the Mach kernel state. The organization of this section is as follows: - Section 4.1, **Primitive Entities**, describes the primitive entities in Mach. Mach is an object-based system having these primitive entities as the defined objects. - Section 4.2, **Process Management**, describes data structures associated with process management. - Section 4.3, **Port Name Space**, describes data structures associated with task port name spaces. - Section 4.4, **Ports**, describes data structures associated with ports. - Section 4.5, **Notifications**, describes data structures associated with registered notifications. - Section 4.6, **Special Ports**, describes the various classes of ports associated with the primitive entities. - Section 4.7, **Total Send Rights**, describes the way in which send rights are counted in the kernel. - Section 4.8, **Registered Rights**, describes the data structures used to record the set of port rights registered for a task. - Section 4.9, **Memory System**, describes the data structures associated with the virtual memory system. - Section 4.10, **Messages**, describes the data structures associated with messages. - Section 4.11, **Processors and Processor Sets**, describes the data structures associated with processors and processor sets. - Section 4.12, **Time**, describes the data structures associated with clocks. - Section 4.13, **Devices**, describes the data structures associated with devices. The model of Mach presented in this section consists of both primitive and derived notions. The derived notions provide no additional information about the Mach state beyond that embodied in the primitive notions. In the following sections, derived notions are noted as being conveniences. For example, Section 4.2.1 introduces the derived notion embodied by the function threads to provide a more convenient representation for the primitive notion embodied by the relation $task_thread_rel$ . Although any statement about threads can be reworded as a statement about $task_thread_rel$ , it is often more desirable to write the statement in terms of threads. In many cases, the choice of whether to view a structure as being primitive or derived is subjective. For example, others might prefer to view $task_thread_rel$ as being derived from threads instead of threads being derived from $task_thread_rel$ . As a convention, we underline the first letter in the identifier for each primitive structure in the Mach state. This is most useful when identifying which primitive structures are affected by the DTOS services defined in Section 6. #### 4.1 Primitive Entities The primitive entities in Mach are: **Tasks** — environments in which threads execute; a task consists of an address space, a port name space, and a set of threads **Threads** — active entities comprised of an instruction pointer and a local register state **Ports** — unidirectional communication channels between tasks **Messages** — entities transmitted through ports **Memories** — memory object representing a shared memory **Pages** — logical units of memory; either a unit of physical memory or provided by a memory **Hosts** — instances of the Mach kernel **Processors** — devices capable of executing threads **Processor Sets** — groups of processors, each belonging to a host, to which threads are assigned for scheduling **Devices** — resources such as terminals and printers that can be used to transmit information between the system and its environment Each of these primitive entities can be viewed as an abstract data type. #### **Mach Definition 1** ``` [TASK, THREAD, PORT, MESSAGE, MEMORY, PAGE, HOST, PROCESSOR, PROCESSOR_SET, DEVICE] ``` At any given time, only certain primitive entities are present in the system. The sets $\underline{t}$ as $\underline{t}$ as $\underline{t}$ and $\underline{t}$ exists, $\underline{p}$ or $\underline{t}$ exists, $\underline{m}$ essage exists, $\underline{m}$ emory exists, $\underline{p}$ age exists, $\underline{p}$ roc\_exists, $\underline{p}$ rocset exists, and $\underline{d}$ evice exists denote the entities of each class that are present in the current system state. #### **Mach Definition 2** ``` TaskExist \triangleq [\underline{t}ask\_exists : \mathbb{P} \ TASK] ThreadExist \triangleq [\underline{t}hread\_exists : \mathbb{P} \ THREAD] MessageExist \triangleq [\underline{m}essage\_exists : \mathbb{P} \ MESSAGE] MemoryExist \triangleq [\underline{m}emory\_exists : \mathbb{P} \ MEMORY] PageExist \triangleq [\underline{p}age\_exists : \mathbb{P} \ PAGE] ProcessorExist \triangleq [\underline{p}roc\_exists : \mathbb{P} \ PROCESSOR] ProcessorSetExist \triangleq [\underline{p}rocset\_exists : \mathbb{P} \ PROCESSOR\_SET] DeviceExist \triangleq [\underline{d}evice\_exists : \mathbb{P} \ DEVICE] ``` $Ip\_null$ and $Ip\_dead$ are two special values in PORT which are never in the set of existing ports. $port\_pointer$ consists of $\underline{p}ort\_exists$ plus the special values $Ip\_null$ and $Ip\_dead$ . ``` Ip\_null, Ip\_dead : PORT Ip\_null \neq Ip\_dead ``` ## **Mach Definition 4** ``` \begin{array}{l} \_PortExist \\ \underline{port\_exists} : \mathbb{P}\ PORT \\ \underline{port\_pointer} : \mathbb{P}\ PORT \\ \\ Ip\_null \notin \underline{port\_exists} \\ Ip\_dead \notin \underline{port\_exists} \\ port\_pointer = \underline{port\_exists} \cup \{Ip\_null, Ip\_dead\} \end{array} ``` #### **Mach Definition 5** ``` Exist \\ Task Exist \\ Thread Exist \\ Port Exist \\ Message Exist \\ Memory Exist \\ Page Exist \\ Processor Exist \\ Processor Set Exist \\ Device Exist ``` Note that in the model, the kernel itself is viewed as an existing task and is denoted by *kernel*. ## **Mach Definition 6** ``` \underline{k}ernel = \underline{k}ernel : TASK \\ TaskExist \\ \underline{k}ernel \in \underline{t}ask\_exists ``` # 4.2 Process Management This section describes the data structures associated with process management. Multithreaded processes are supported by allowing tasks to contain multiple threads. #### 4.2.1 Thread to Task Relationship The relation $\underline{t}ask\_thread\_rel$ denotes the relationship between threads and tasks; a pair (task, thread) is an element of $\underline{t}ask\_thread\_rel$ exactly when thread is one of the threads contained in task. Each thread belongs to exactly one task. For convenience, the following additional notation is introduced: - $owning\_task(thread)$ the task to which thread belongs - threads(task) the set of threads belonging to task ``` TasksAndThreads TaskExist ThreadExist \underline{t}ask\_thread\_rel : TASK \leftrightarrow THREAD owning\_task : THREAD \to TASK threads : TASK \to \mathbb{P} \ THREAD dom \, \underline{t}ask\_thread\_rel \subseteq \underline{t}ask\_exists ran \, \underline{t}ask\_thread\_rel = \underline{t}hread\_exists owning\_task = \underline{t}ask\_thread\_rel^{\sim} threads = (\lambda \, task : TASK) | \, task \in \underline{t}ask\_exists \bullet \, \underline{t}ask\_thread\_rel(\{ \, task \} \}) ``` #### 4.2.2 Execution Status The execution status of a thread identifies whether a thread is running, waiting on an event, waiting uninterruptibly, and/or halted. A thread holds some subset of these characteristics at any point in time. The type $RUN\_STATES$ defines the possible thread characteristics. $RUN\_STATES$ has possible values Running, Stopped, Waiting, Uninterruptible and Halted. #### **Mach Definition 8** ``` RUN\_STATES ::= Running \mid Stopped \mid Waiting \mid Uninterruptible \mid Halted ``` The values of this type have the following meanings: - Running The thread is either executing on a processor or is in a run queue waiting to execute. - *Stopped* The thread has been asked to stop (and might have done so). A stopped thread does not execute any instructions. - *Waiting* The thread is waiting for an event. - *Uninterruptible* The thread is waiting uninterruptibly. - *Halted* The thread is halted at what the kernel considers to be a "clean" point (i.e., it can be resumed properly). The state Uninterruptible does not imply the state Waiting. A $\underline{run\_state}$ that includes the former but not the latter can result when the procedure clear\_wait is called on a thread that is both Uninterruptible and Waiting. The expression $\underline{run\_state}(thread)$ indicates which of the above characteristics are held by an existing thread. Each thread has an associated suspend count that determines whether the thread may execute user level instructions. This count is denoted by $\underline{t}hread\_suspend\_count(thread)$ . A thread may execute such instructions only if the value of its suspend count is zero. It is a consequence of the operation of the system (and therefore is not stated as an axiom here) that only stopped threads have a suspend count greater than zero. A thread may be swapped out. A thread that is swapped out has no kernel stack. The set of such threads is indicated by $\underline{s} \, wapped\_threads$ . Some threads may be wired into the system. A wired thread may not be swapped out. The set $\underline{t}hreads\_wired$ denotes the set of wired threads. Certain threads are called idle threads. An idle thread is one that runs on a processor that has no user threads to run. (That is, the thread keeps the processor "idling".) User threads will not be marked as idle. We use $\underline{i}dle\_threads$ to denote the set of idle threads. #### **Mach Definition 9** ``` ThreadExecStatus \\ \underline{run\_state} : THREAD \\ \rightarrow \mathbb{P} RUN\_STATES \\ \underline{t}hread\_suspend\_count} : THREAD \\ \rightarrow \mathbb{N} \\ \underline{s}wapped\_threads} : \mathbb{P} THREAD \\ \underline{t}hreads\_wired} : \mathbb{P} THREAD \\ \underline{idle\_threads} : \mathbb{P} THREAD \\ \underline{idle\_threads} : \mathbb{P} THREAD \\ \\ \underline{dom}\underline{run\_state} = \underline{t}hread\_exists \\ \underline{dom}\underline{t}hread\_suspend\_count = \underline{t}hread\_exists \\ \underline{s}wapped\_threads} \subseteq \underline{t}hread\_exists \\ \underline{t}hreads\_wired} \subseteq \underline{t}hread\_exists \\ \underline{idle\_threads} \subseteq \underline{t}hread\_exists \\ \underline{idle\_threads} \subseteq \underline{t}hread\_exists \\ \underline{t}hreads\_wired} \cap \underline{s}wapped\_threads} = \emptyset ``` Each task also has a suspend count. The expression $\underline{t}$ ask\_suspend\_count(task) denotes the count associated with task. If this value is non-zero, then none of the threads in task may execute regardless of their individual suspend counts. #### **Mach Definition 10** #### 4.2.3 Priority Levels Thread priority levels are used to determine thread execution scheduling priorities. Priority levels are represented as a subset of the integers (in particular by the numbers between 0 and 31 inclusive in current implementations). The set $Priority\_levels$ denotes the allowable priority levels. The relation $Lower\_priority$ indicates when a priority is lower than a second priority; in particular, (x,y) is an element of $Lower\_priority$ exactly when x is a lower priority than y. Since the implementation uses higher numbers to indicate lower priorities, x is lower than y when x > y. The relation $Higher\_priority$ is the inverse ordering indicating when a priority is higher than a second priority. The constants $Lowest\_possible\_priority$ and $Highest\_possible\_priority$ denote the maximum and minimum integers, respectively, in $Priority\_levels$ . ``` \begin{array}{c} Priority\_levels: \mathbb{P} \ \mathbb{Z} \\ Lower\_priority, Higher\_priority: \mathbb{Z} \longleftrightarrow \mathbb{Z} \\ Lowest\_possible\_priority, Highest\_possible\_priority: \mathbb{Z} \\ \hline\\ Lower\_priority \subset Priority\_levels \times Priority\_levels \\ \forall x,y: Priority\_levels \bullet (x,y) \in Lower\_priority \Leftrightarrow x > y \\ Higher\_priority = Lower\_priority^{\sim} \\ Lowest\_possible\_priority = max \ Priority\_levels \\ Highest\_possible\_priority = min \ Priority\_levels \\ \end{array} ``` Using these relations, the minimum and maximum priorities in a set of priorities can be defined. These are denoted by $Lowest\_priority(priority\_set)$ and $Highest\_priority(priority\_set)$ , respectively. #### **Mach Definition 12** ``` Lowest\_priority, Highest\_priority: \mathbb{P} \mathbb{Z} \to \mathbb{Z} dom Lowest\_priority = \mathbb{P}_1 \ Priority\_levels ran \ Lowest\_priority = Priority\_levels dom \ Highest\_priority = \mathbb{P}_1 \ Priority\_levels ran \ Highest\_priority = Priority\_levels \forall \ priority\_set: \mathbb{P}_1 \mathbb{Z} \bullet Lowest\_priority(priority\_set) = max \ priority\_set \forall \ priority\_set: \mathbb{P}_1 \mathbb{Z} \bullet Highest\_priority(priority\_set) = min \ priority\_set ``` There is a highest priority (equal to 12 in current implementations) normally granted to ordinary user threads. This priority is denoted by $Base\_user\_priority$ . #### **Mach Definition 13** ``` Base\_user\_priority : \mathbb{Z} Base\_user\_priority \in Priority\_levels ``` Three different types of priority values are associated with each thread. - The expression $\underline{thread\_priority}(thread)$ represents a base user-settable priority for thread. - The expression $\underline{t}hread\_max\_priority(thread)$ represents the maximum value to which $\underline{t}hread\_priority(thread)$ can be set. - The expression $\underline{t}hread\_sched\_priority(thread)$ represents the priority that the system uses to make scheduling decisions. This value is determined based upon $\underline{t}hread\_priority$ and the thread scheduling policy (discussed in Section 4.2.4), and is not directly set by the user. This value cannot exceed $thread\_priority(thread)$ . The priority level of a thread can temporarily be depressed by the request **swtch\_pri** or **thread\_switch** to allow other threads to run. When a thread is depressed, its priority is set to the lowest possible priority.<sup>3</sup> The set $\underline{d}$ epressed\_threads denotes those threads whose priority is currently depressed. The expression $\underline{p}$ riority\_before\_depression(thread) denotes the priority level th read had before depression if th read's priority level has been depressed and $\underline{t}$ hread\_priority(thread) otherwise. $<sup>^3</sup>$ Note, however, that not all threads having the lowest possible priority are depressed. ``` ThreadPri_ Th\, read\, Exist thread\_priority: THREAD \longrightarrow \mathbb{Z} thread\_max\_priority: THREAD \longrightarrow \mathbb{Z} \underline{t}\mathit{hread\_sched\_priority}:\mathit{THREAD} \to \mathbb{Z} depressed\_threads: \mathbb{P} THREAD priority\_before\_depression: THREAD \longrightarrow \mathbb{Z} ran thread\_priority \subseteq Priority\_levels \operatorname{ran} \underline{t} h \operatorname{read\_max\_priority} \subseteq \operatorname{Priority\_levels} ran\ th\ read\_sched\_priority \subset Priority\_levels ran\ priority\_before\_depression \subseteq Priority\_levels depressed\_threads \subset thread\_exists dom\ thread\_priority = dom\ thread\_max\_priority = dom\ thread\_sched\_priority = dom priority\_before\_depression = thread\_exists \forall thread : T\overline{H}READ \mid thread \in dom thread\_priority • (thread\_priority(thread), thread\_max\_priority(thread)) \notin Higher\_priority \land (\underline{t}hread\_sched\_priority(thread), \underline{t}hread\_priority(thread)) \notin Higher\_priority \forall thread : THREAD \mid thread \in dom thread\_priority \setminus depressed\_threads • priority\_before\_depression(thread) = thread\_priority(thread) \forall \overline{th} read : THREAD \mid thread \in depressed\_threads • thread\_priority(thread) = Lowest\_possible\_priority ``` Each existing task has an associated priority level, denoted by $\underline{t}ask\_priority(task)$ , that is used to assign the initial priority for any thread created within the task. #### **Mach Definition 15** ``` \begin{array}{c} TaskPriority \_ \\ TaskExist \\ \underline{t}ask\_priority: TASK \rightarrow \mathbb{Z} \\ \\ dom \underline{t}ask\_priority = \underline{t}ask\_exists \\ ran \underline{t}ask\_priority \subseteq Priority\_levels \end{array} ``` #### 4.2.4 Scheduling Policies Each thread has an associated scheduling policy, represented by $\underline{t}hread\_sched\_policy(thread)$ . The type $SCHED\_POLICY$ represents the set of available scheduling policies. Examples of supported policies are Timesharing (Timeshare) and Fixed Priority (Fixedpri). Some scheduling policies have associated policy specific data that must be associated with each thread. For example, threads scheduled under the Fixed Priority policy must have an associated scheduling quantum. The type $SCHED\_POLICY\_DATA$ denotes policy specific scheduling data. The expression $\underline{t}hread\_sched\_policy\_data(thread)$ denotes any such policy specific data associated with thread. The set $\underline{s}upported\_sp$ indicates which scheduling policies are actually supported by a given Mach system. All Mach systems are required to support Timeshare and each thread in a Mach system must be assigned one of the scheduling policies supported by the system. #### **Mach Definition 16** $[SCHED\_POLICY, SCHED\_POLICY\_DATA]$ ``` \frac{Timeshare, Fixedpri : SCHED\_POLICY}{Timeshare \neq Fixedpri} ``` #### **Mach Definition 17** ``` \begin{array}{c} ThreadSchedPolicy \\ \hline ThreadExist \\ \underline{t}hread\_sched\_policy: THREAD \rightarrow SCHED\_POLICY \\ \underline{t}hread\_sched\_policy\_data: THREAD \rightarrow SCHED\_POLICY\_DATA \\ \underline{s}upported\_sp: \mathbb{P}\ SCHED\_POLICY \\ \hline \\ dom\ \underline{t}hread\_sched\_policy\_data \subseteq dom\ \underline{t}hread\_sched\_policy = \underline{t}hread\_exists \\ Timeshare \in \underline{s}upported\_sp \\ ran\ \underline{t}hread\_sched\_policy \subseteq \underline{s}upported\_sp \\ \end{array} ``` #### 4.2.5 Instruction Pointer The set $VIRTUAL\_ADDRESS$ is used to denote the set of virtual addresses. These addresses are assumed to be ordered in some manner with $Vm\_start$ and $Vm\_end$ denoting, respectively, the smallest and largest addresses. #### **Mach Definition 18** ``` [VIRTUAL_ADDRESS] | Vm_start, Vm_end : VIRTUAL_ADDRESS ``` Each thread has an associated instruction pointer indicating the address at which the thread is currently executing. The expression $\underline{i}$ $nstruction\_pointer(thread)$ denotes thread's current instruction pointer. #### **Mach Definition 19** # 4.2.6 Emulation Environment Mach supports binary compatibility by allowing tasks to establish user-level handlers for system calls. This is accomplished by associating an *emulation vector* with each task. Each entry in an emulation vector specifies a system call and a virtual address. Whenever the task executes a system call that has an entry in the emulation vector, the code at the specified virtual address for the system call is executed rather than the system call. The expression $\underline{e}$ $\underline{mulation}$ $\underline{vector}(task)$ denotes task's emulation vector. ### 4.2.7 Sampling Any thread or task may be sampled. This causes the instruction pointer to be recorded in a buffer during clock interrupts or page faults if the thread or task is currently executing. The type SAMPLE represents the sampling information that is collected, and type $SAMPLE\_TYPES$ represents information that determines at which times during execution samples are collected for a given thread or task. There are six recognized sample types. They are: - Sample\_periodic each clock interrupt - Sample\_vm\_zfill\_faults zero-filling a virtual memory page - Sample\_vm\_reactivation\_faults reactivating a virtual memory page - Sample\_vm\_pagein\_faults bringing a virtual memory page in - $Sample\_vm\_cow\_faults$ virtual memory copy-on-write faults - $Sample\_vm\_faults\_any$ all virtual memory page faults. This includes miscellaneous faults beyond the above mentioned four types of virtual memory faults. These values comprise the elements of the set $Recognized\_sample\_types$ . #### **Mach Definition 21** ``` [SAMPLE, SAMPLE\_TYPES] ``` ``` Sample\_periodic, Sample\_vm\_zfill\_faults, \\ Sample\_vm\_reactivation\_faults, Sample\_vm\_pagein\_faults, \\ Sample\_vm\_cow\_faults, Sample\_vm\_faults\_any : SAMPLE\_TYPES \\ Recognized\_sample\_types : \mathbb{P}\ SAMPLE\_TYPES \\ \hline \langle Sample\_periodic, Sample\_vm\_zfill\_faults, \\ Sample\_vm\_reactivation\_faults, Sample\_vm\_pagein\_faults, \\ Sample\_vm\_cow\_faults, Sample\_vm\_faults\_any \rangle \\ Values\_partition\ Recognized\_sample\_types \\ \hline ``` For convenience, $SAMPLE\_VM\_FAULTS$ is used as the combination of the sample types $Sample\_vm\_zfill\_faults$ , $Sample\_vm\_reactivation\_faults$ , $Sample\_vm\_pagein\_faults$ and $Sample\_vm\_cow\_faults$ . There is a maximum number of samples (determined by the buffer size) that can be kept for any thread or task. This maximum is represented by $Max\_samples$ . #### **Mach Definition 22** ``` SAMPLE\_VM\_FAULTS == \{Sample\_vm\_zfill\_faults, Sample\_vm\_reactivation\_faults, Sample\_vm\_pagein\_faults, Sample\_vm\_cow\_faults\} | Max\_samples : \mathbb{N}_1 ``` The set $\underline{s}$ ampled\_threads denotes the set of threads that are currently being sampled. For each sampled thread there is a set of sample types, denoted by $\underline{t}$ $\underline{h}$ $\underline{r}$ $\underline{a}$ $\underline{m}$ $\underline{p}$ $\underline{l}$ $\underline{l$ been collected). The expression $\underline{t}hread\_samples(thread)$ denotes the currently stored samples for thread. Each sample is stored with an associated sample number. Only the $Max\_samples$ most recent samples are retained. #### **Mach Definition 23** ``` _{\perp} Thread Sampling _{\perp} ThreadExist sampled\_threads: \mathbb{P} THREAD \underline{t}hread\_sample\_types: THREAD \longrightarrow \mathbb{P}\ SAMPLE\_TYPES \underline{t}hread\_sample\_sequence\_number: THREAD \longrightarrow \mathbb{N} \underline{t}hread\_samples: THREAD \longrightarrow (\mathbb{N} \longrightarrow SAMPLE) \underline{s} ampled_threads \subset \underline{t} hread_exists \operatorname{dom} \underline{t} h read\_sample\_types = \underline{s} ampled\_threads dom \underline{t}hread\_sample\_sequence\_number = \underline{s}ampled\_threads dom \underline{t}hread\_samples = \underline{s}ampled\_threads \forall smpls : \mathbb{N} \longrightarrow SAMPLE; thread : THREAD; num, high: \mathbb{N} |(thread, smpls) \in \underline{t}hread\_samples \land high = thread\_sample\_sequence\_number(thread) \land num = min \{high, Max\_samples\} \bullet dom smpls = high - num + 1 \dots high ``` The same sampling information is kept for tasks. #### **Mach Definition 24** ``` TaskSampling ___ TaskExist sampled\_tasks : \mathbb{P} TASK task\_sample\_types: TASK \longrightarrow \mathbb{P}\ SAMPLE\_TYPES task\_sample\_sequence\_number: TASK \rightarrow \mathbb{N} task\_samples : TASK \longrightarrow (\mathbb{N} \longrightarrow SAMPLE) \underline{s} ampled\_tasks \subset \underline{t} ask\_exists dom \underline{t} ask\_sample\_types = \underline{s} ampled\_tasks dom \underline{t} ask\_sample\_sequence\_number = \underline{s} ampled\_tasks dom task\_samples = \underline{s}ampled\_tasks \forall smpls : \mathbb{N} \longrightarrow SAMPLE; task : TASK; num, high: \mathbb{N} |(task, smpls) \in \underline{t}ask\_samples \land high = task\_sample\_sequence\_number(task) \land num = min \{high, Max\_samples\} \bullet dom smpls = high - num + 1 \dots high ``` #### 4.2.8 Thread Time Statistics The system records time statistics for each thread. The following information is recorded: - $\underline{u}ser\_time(thread)$ the total user run time for thread - $\underline{system\_time(thread)}$ the total system run time for thread - $\underline{c}pu\_time(thread)$ thread's scaled CPU usage - $\underline{s}leep\_time(thread)$ the amount of time for which thread has been sleeping #### **Mach Definition 25** #### 4.2.9 Machine State The system records the machine state of each thread. Typically, the structure of the machine state varies depending upon the architecture of the machine to which the thread is assigned. The type $SUPP\_MACHINE\_ARCH$ represents the set of supported machine architectures. The set $THREAD\_STATE\_INFO\_TYPES$ denotes the names of the various structures that are associated with the supported architectures. The type $THREAD\_STATE\_INFO$ denotes the possible values of the state information recorded for a thread. The expression $State\_info\_avail(arch)$ denotes the types of state information which the architecture supports. #### **Mach Definition 26** ``` [SUPP\_MACHINE\_ARCH] \\ [THREAD\_STATE\_INFO\_TYPES, THREAD\_STATE\_INFO] \\ \\ State\_info\_avail: SUPP\_MACHINE\_ARCH \\ \\ \longrightarrow \mathbb{P} \ THREAD\_STATE\_INFO\_TYPES ``` The expression $\underline{t}hread\_state(thread, info\_type)$ returns the indicated type of state information recorded for thread. Review Note: Actually, the current instruction pointer is part of the machine state rather than being a separate state component. #### **Mach Definition 28** Threads\_ $Tasks And\ Th\ reads$ ThreadPri $Th \, read Sched Policy$ $Th\, read Instruction$ $Th\, read\, ExecStatus$ $Th\, read\, Statistics$ $Th\, read\, Machine State$ ThreadSampling TaskSampling # 4.3 Port Name Space Each task uses its own (local) set of names to refer to ports. The set NAME is used to name ports in a task's name space. #### **Mach Definition 29** [NAME] The names $Mach\_port\_null$ and $Mach\_port\_dead$ are reserved. They will never be used as an index in a task's port name space. The remainder of this section discusses the three types of entities that can be in name spaces: port rights, port sets, and dead names. #### **Mach Definition 30** $Mach\_port\_dead: NAME \\ Mach\_port\_null: NAME$ #### 4.3.1 Port Rights A port is only of use to a task if the task holds some kind of right to the port. The types of available rights are defined via the type RIGHT. A right for a port allows a task to either send or receive messages via that port. The task may have either a general right to send messages via a port or a one-time right to do so. Thus, the elements of type RIGHT are: Send, Receive, and $Send\_once$ . A *Capability* is the combination of a port and a right to do something with that port. Strictly speaking, a task associates a name with a particular right to a port, not simply with the port. The set $\underline{port\_right\_rel}$ relates the ports to which a task has rights with their right types and their local names. More specifically, each element of $\underline{port\_right\_rel}$ is a tuple of the form (task, port, name, right, i). Such a tuple is an element of $\underline{port\_right\_rel}$ only when name denotes in task's name space a right of type right to port. The i-value is used to allow a task to accumulate multiple send rights under the same name. For send-once or receive rights, the value of i is always equal to 1. For convenience, the expression $named\_port(task, name)$ denotes the port associated with name in task's name space. At most one task can receive messages from a port at any given time. The expression receiver(port) denotes the task (if any) that is currently permitted to receive messages from port, and $receiver\_name(port)$ denotes the receiver task's name for the port. Many tasks may have Send or $Send\_once$ rights to a port. The relation sender indicates the tasks currently permitted to send messages to a port; an element (port, task) is in sender exactly when task has a send right to port. #### **Mach Definition 31** ``` RIGHT ::= Send \mid Receive \mid Send\_once ``` ``` Capability \_ port: PORT right: RIGHT ``` ``` . TasksAndPorts \_ TaskExist PortExist port\_right\_rel : \mathbb{P}(TASK \times PORT \times NAME \times RIGHT \times \mathbb{N}_1) named\_port: TASK \times NAME \longrightarrow PORT receiver: PORT \longrightarrow TASK receiver\_name : PORT \longrightarrow NAME sender: PORT \longleftrightarrow TASK \textit{port\_right\_rel} \subseteq \underline{\textit{task\_exists}} \times \textit{port\_exists} \times \textit{NAME} \times \textit{RIGHT} \times \mathbb{N}_1 \forall task : TASK; port : PORT; right : RIGHT; i : \mathbb{N}_1 • (task, port, Mach\_port\_null, right, i) \notin port\_right\_rel \land (task, port, Mach\_port\_dead, right, i) \notin port\_right\_rel named\_port = \{ task : TASK; port : POR\overline{T}; name : NAME; right : RIGHT; i : \mathbb{N}_1 \} | (task, port, name, right, i) \in port\_right\_rel \bullet ((task, name), port) | receiver = \{ task : TASK; port : PORT; name : NAME \} \{(task, port, name, Receive, 1) \in port\_right\_rel \bullet (port, task)\} receiver\_name = \{ task : TASK; port : PORT; name : NAME \} | (task, port, name, Receive, 1) \in port\_right\_rel \bullet (port, name) | sender = \{ task : TASK; port : POR\overline{T}; name : NAME; right : RIGHT; i : \mathbb{N}_1 \} |(((task, port, name, right, i) \in port\_right\_rel) \land right \in \{Send, Send\_once\})| \bullet (port, task) } ``` The *i*-value is called the user reference count. As noted above, it is equal to 1 for receive and send-once rights, but is of interest for send rights. The expression $s\_right\_ref\_count(task, name)$ returns the user reference count for name in task's name space (when it is a send right). There is a system-wide maximum number of references to a given send right which a task may accumulate, represented by $Max\_right\_refs$ . ``` Max\_right\_refs: \mathbb{N}_1 ``` #### **Mach Definition 33** ``` UserReferenceCount \\ TasksAndPorts \\ s\_right\_ref\_count: TASK \times NAME \\ \rightarrow \mathbb{N}_1 \\ \forall task: TASK; port: PORT; name: NAME; right: \{Receive, Send\_once\}; i: \mathbb{N}_1 \\ \bullet (task, port, name, right, i) \in \underline{port\_right\_rel} \\ \Rightarrow i = 1 \\ s\_right\_ref\_count = \{ task: TASK; port: PORT; name: NAME; i: \mathbb{N}_1 \\ \mid (task, port, name, Send, i) \in \underline{port\_right\_rel} \\ \bullet ((task, name), i) \} \\ \forall task: TASK; name: NAME \\ \bullet s\_right\_ref\_count(task, name) \\ \leq Max\_right\_refs ``` #### For convenience: - The relations $s\_right$ , $r\_right$ , and $so\_right$ are used to identify the names of each of the types of rights which are associated with a given task. For example, (task, name) is an element of $s\_right$ exactly when name is a send right in task's name space. - The relation $s_r r_i ght$ is used to identify names that are either a receive or a send right. - The relation *port\_right\_name p* identifies names that are either receive, send, or send-once rights. The semantics of Mach are such that send and receive rights within a task coalesce into a single name. In other words: - If name is a receive right for port in task's name space, then no other name in task's name space may be a send right for port; the send rights must be associated with name, too. - If name is a send right for port in task's name space, then all of the send rights for port in task's name space are associated with name. Note, however, that the same task can have multiple names associated with send-once rights for the same port. Mach prohibits a name that is a send or a receive right from also being a send-once right. A message may be forcibly enqueued using a send right. In this case it will be added to the message queue of the named port even if the queue has reached its designated size limit. At most one message may be forcibly enqueued at a time using any given send right. After that message is removed from the queue, a message-accepted notification is sent and the send right can again be used to forcibly enqueue a message. The component $\underline{forcibly\_queued(task, name)}$ denotes the message, if any, forcibly enqueued using a send right name in task's ipc name space. ``` TasksAndRights \bot MessageExist Tasks And Ports s\_right: TASK \longleftrightarrow NAME r\_right: TASK \longleftrightarrow NAME so\_right: TASK \longleftrightarrow NAME s\_r\_right: TASK \longleftrightarrow NAME port\_right\_namep : TASK \longleftrightarrow NAME forcibly\_queued: (TASK \times NAME) \longrightarrow MESSAGE s\_right = \{ task : TASK; port : PORT; name : NAME; i : \mathbb{N}_1 \} | (task, port, name, Send, i) \in port\_right\_rel \bullet (task, name) | r\_right = \{ task : TASK; port : PORT; name : NAME \} \{(task, port, name, Receive, 1) \in port\_right\_rel \bullet (task, name)\} so\_right = \{ task : TASK; port : PORT; name : NAME \} \{(task, port, name, Send\_once, 1) \in port\_right\_rel \bullet (task, name)\} s\_r\_right = s\_right \cup r\_right port\_right\_namep = s\_r\_right \cup so\_right dom forcibly\_queued \subset s\_right ranforcibly\_queued \subseteq \underline{m}essage\_exists disjoint \langle so\_right, s\_r\_right \rangle \forall task : TASK; name_1, name_2 : NAME • (task, name_1) \in s\_r\_right \land (task, name_2) \in s\_r\_right \land named\_port(task, name_1) = named\_port(task, name_2) \Rightarrow name_1 = name_2 ``` Review Note: I'd like to tie the message indicated by $\underline{f}$ or $cibly\_queued$ back to the port indicated by the send right, but I'm not sure this will be accurate. #### 4.3.2 Port Sets A port set is a set of ports associated with a particular task and name. A port set is used to allow the receiving of a message via any member of the port set. Given a task and a port set name, the expression $port\_set(task, name)$ denotes the port set. The relation $port\_set\_namep$ identifies the port set names associated with each task. $containing\_set(port)$ denotes the name of the port set containing port, if any. Note that a port can be in at most one port set. Mach prohibits the reserved names $Mach\_port\_null$ and $Mach\_port\_dead$ from being port set names or the inclusion of the same receive right in two different port sets. ``` PortSets_ TaskExist TasksAndRights port\_set\_rel : \mathbb{P}(TASK \times NAME \times \mathbb{P} \ PORT) port\_set: (TASK \times NAME) \longrightarrow \mathbb{P} PORT port\_set\_namep: TASK \longleftrightarrow NAME containing\_set: PORT \longrightarrow NAME port\_set = \{task : TASK; name : NAME; set\_of\_ports : \mathbb{P} PORT \} |(task, name, set\_of\_ports) \in port\_set\_rel \bullet ((task, name), set\_of\_ports)\} port\_set\_namep = dom port\_set containing\_set = \{task : TASK; name : NAME; port : PORT\} |(task, name)| \in port\_set\_namep \land port \in port\_set(task, name)| \bullet (port, name)} \mathrm{dom}\,port\_set\_namep \subseteq \underline{t}\,ask\_exists \forall task : TASK; name : NAME; port : PORT \mid (task, name) \in dom port\_set • port \in port\_set(task, name) \Rightarrow task = receiver(port) \forall task : TASK; set\_of\_ports : \mathbb{P} PORT • ((task, Mach\_port\_null), set\_of\_ports) \notin port\_set \land ((task, Mach\_port\_dead), set\_of\_ports) \notin port\_set \forall task : TASK; name_1, name_2 : NAME |(task, name_1) \in dom \ port\_set \land (task, name_2) \in dom \ port\_set • name_1 \neq name_2 \Rightarrow disjoint \langle port\_set(task, name_1), port\_set(task, name_2) \rangle ``` #### 4.3.3 Dead Rights A dead name is a name which previously named a send, receive, or send-once right for a task, but no longer does. Each dead name in a task can have an associated count that is analogous to the reference count associated with send rights. This count is initially set based on the user reference counts for the right previously bearing the name. The count may be modified by subsequent actions of the kernel. The relation $\underline{d} \ ead \ right \ rel$ identifies the dead names and their associated counts for each task; an element (task, name, i) is an element of $\underline{d} \ ead \ right \ rel$ if name is a dead name in task with associated count i. The previously defined constant, $Max \ right \ ref s$ , is a system-wide maximum for the reference count of a given dead right. For convenience: - The relation $dead\_namep$ identifies the dead names associated with each task. - The expression $dead\_right\_ref\_count(task, name)$ denotes the count associated with name in task (when name is a dead name). Mach prohibits Mach\_port\_null and Mach\_port\_dead from being dead names. <sup>&</sup>lt;sup>4</sup>A dead name may also be specified in the body of a message in place of an actual port right. # 4.3.4 Summary A task's port right names (send, receive, and send-once), port set names, and dead names are mutually disjoint. The union of $port\_right\_namep$ , $port\_set\_namep$ , and $dead\_namep$ identifies the names in each task's name space. For convenience: - The relation *local\_namep* is used to denote this union. - The expression $number\_of\_rights(task)$ is used to denote the number of names that $local\_namep$ associates with task. This is the current size of task's name space. #### **Mach Definition 37** ``` \begin{tabular}{ll} PortNameSpace & & & & & & \\ TaskExist & & & & & & \\ TasksAndRights & & & & & & \\ UserReferenceCount & & & & \\ PortSets & & & & & \\ DeadRights & & & & & \\ local\_namep : TASK & & & & NAME \\ number\_of\_rights : TASK & & & & \\ \hline & & & & & \\ disjoint & & & & \\ port\_right\_namep & & & \\ port\_set\_namep & & & \\ dead\_namep & & \\ local\_namep & & & \\ port\_set\_namep & & \\ dead\_namep \\ dom & number\_of\_rights & & \\ \hline & & \\ task & : TASK & | & \\ task & & \\ \hline & & \\ exists & \\ \hline & & \\ number\_of\_rights(task) & = \#(local\_namep)\{\{task\}\}\}) \\ \hline \end{tabular} ``` #### 4.4 Ports This section describes data structures associated with ports. ## 4.4.1 Make Send Count Each time the receiver for a port creates a new send right for the port, the system increments a counter associated with the port. The expression $\underline{m}$ $ake\_send\_count(port)$ denotes the value of the counter associated with port. Note that this count does not necessarily represent the current number of send rights for the port since tasks other than the receiver can create send rights. Furthermore, the count does not necessarily represent the number of send rights the receiver has created because the count can directly be set to arbitrary values by user threads. #### **Mach Definition 38** ``` SendRightsCount PortExist \underline{m}ake\_send\_count : PORT \rightarrow \mathbb{N} dom \underline{m}ake\_send\_count = \underline{p}ort\_exists ``` #### 4.4.2 Message Queues Each port has an associated message queue. A message queue can be thought of as a sequence of messages. In Mach, a task may set a limit on the number of messages that are permitted in a given message queue. The value $Mach\_port\_q\_limit\_default$ represents the default limit the kernel uses for newly allocated ports. The value $Mach\_port\_q\_limit\_max$ represents a system-imposed limit on the value a task may specify as the limit for a message queue. #### **Mach Definition 39** ``` Mach\_port\_q\_limit\_max: \mathbb{N} Mach\_port\_q\_limit\_default: \mathbb{N} ``` For each port, $\underline{q}\_limit(port)$ indicates the current limit set for the port. This denotes an intended bound on the number of messages in the associated message queue. The expression $port\_size(port)$ indicates the number of messages that are actually present in port's message queue. Although it is intended that $port\_size(port)$ is always less than or equal to $\underline{q}\_limit(port)$ , the kernel does not actually guarantee that this property always holds. Examples of ways in which the property may be violated include: - The intended bound on the number of messages in a queue can be decreased below the number of messages already in the queue. - Messages sent with a send-once right are delivered regardless of whether the destination port's queue is already full. - Each name for a send right to a port may be used to forcibly enqueue one message at a time to the named full port. The expression $\underline{m}essage\_in\_port\_rel(port)$ denotes the sequence of messages in the queue associated with port. Each message is contained in at most one message queue. For convenience, the expression $containing\_port(message)$ is used to indicate the port associated with the message queue to which message belongs. Each port has an associated sequence number that is used to properly sequence messages received through the port. The expression $\underline{s} \, eq \, uence\_no \, (port)$ indicates port's current sequence number. ``` \begin{array}{c} \textit{MessageQueues} \\ \textit{PortExist} \\ \textit{\underline{q\_limit}} : \textit{PORT} \rightarrow \mathbb{N} \\ & \underline{\textit{m\_essage\_in\_port\_rel}} : \textit{PORT} \rightarrow \text{iseq } \textit{MESSAGE} \\ & \textit{port\_size} : \textit{PORT} \rightarrow \mathbb{N} \\ & \textit{containing\_port} : \textit{MESSAGE} \rightarrow \textit{PORT} \\ & \underline{\textit{s\_equence\_no}} : \textit{PORT} \rightarrow \mathbb{Z} \\ \\ & \textit{containing\_port} = \{ \textit{message} : \textit{MESSAGE}; \textit{port} : \textit{PORT} \\ & | \textit{message} \in \text{ran}(\underline{\textit{m\_essage\_in\_port\_rel(port)}}) \bullet \textit{message} \rightarrow \textit{port} \} \\ & (\forall \textit{port} : \textit{port\_exists} \\ & \bullet \textit{port\_size(port)} = \# (\underline{\textit{m\_essage\_in\_port\_rel(port)}}) \\ & \wedge \textit{q\_limit(port)} \leq \textit{Mach\_port\_q\_limit\_max}) \\ & \text{dom } \underline{\textit{q\_limit}} = \underline{\textit{port\_exists}} \\ & \text{dom } \underline{\textit{m\_essage\_in\_port\_rel}} = \underline{\textit{port\_exists}} \\ & \text{dom } \underline{\textit{m\_essage\_in\_port\_rel}} = \underline{\textit{port\_exists}} \\ & \text{dom } \underline{\textit{s\_equence\_no}} = \underline{\textit{p\_ort\_exists}} \\ & \text{dom } \underline{\textit{s\_equence\_no}} = \underline{\textit{p\_ort\_exists}} \\ & \text{dom } \underline{\textit{s\_equence\_no}} = \underline{\textit{p\_ort\_exists}} \\ \end{aligned} ``` # 4.4.3 Summary The data structures defined in this section consist of make-send counts, message queues, and sequence numbers associated with ports. #### **Mach Definition 41** ``` __PortSummary _____ SendRightsCount MessageQueues ``` ## 4.5 Notifications A task may request that a notification message be sent when one of the following changes occurs in the status of a port: - The port is destroyed. - The last send right for the port is deallocated. A task may also request a notification message be sent when a send right becomes a dead name. In each case, the task requesting the notification must register a port to which the notification should be sent. The relation $\underline{p}\ ort\_notify\_destroyed\_rel$ identifies the ports for which a destroyed notification has been requested and the associated notification ports. For convenience, $port\_notify\_destroyed(port)$ is used to denote the notification port registered for a destroyed notification on port. The relation $\underline{port\_notify\_no\_more\_senders\_rel}$ identifies the ports for which a no-more-senders notification has been requested and the associated notification ports. For convenience, $\underline{port\_notify\_no\_more\_senders(port)}$ is used to denote the notification port registered for a no-more-senders notification on $\underline{port}$ . The relation $\underline{p} \, ort\_notify\_dead\_rel$ identifies the task-name pairs for which a dead-name notification has been requested and the associated notification ports. For convenience, $port\_notify\_dead(task, name)$ is used to denote the notification port registered for a dead-name notification on name in task's name space. The registered notification ports remain in force as long as both the port in question and the registered port exist regardless of whether the same tasks remain related to these ports. #### **Mach Definition 42** ``` Notifications _ PortExist Tasks And Ports port\_notify\_destroyed\_rel: PORT \leftrightarrow PORT port\_notify\_no\_more\_senders\_rel: PORT \longleftrightarrow PORT port\_notify\_dead\_rel : \mathbb{P}(PORT \times TASK \times NAME) port\_notify\_destroyed : PORT \rightarrow PORT port\_notify\_no\_more\_senders : PORT \longrightarrow PORT port\_notify\_dead: TASK \times NAME \longrightarrow PORT port\_notify\_destroyed = port\_notify\_destroyed\_rel port\_notify\_no\_more\_senders = port\_notify\_no\_more\_senders\_rel \forall task : TASK; port : PORT; name : NAME • ((port, task, name) \in port\_notify\_dead\_rel \Leftrightarrow ((task, name), port) \in port\_notify\_dead) dom port\_notify\_destroyed = port\_exists dom port\_notify\_no\_more\_senders = port\_exists dom port\_notify\_dead = dom named\_port ran port\_notify\_destroyed \subseteq port\_exists \cup \{Ip\_null\} ran port\_notify\_dead \subseteq port\_exists \cup \{Ip\_null\} ran port\_notify\_no\_more\_senders \subseteq port\_exists \cup \{Ip\_null\} ``` Review Note: Should the range of these functions also include $I_{p-dead}$ ? It seems that it should because the port could die. Should look at the code to see what happens if we try to send a notification in this situation. # 4.6 Special Ports This section describes the special ports known to the kernel. Each of the special ports is associated with some kernel entity. #### 4.6.1 Task Ports In addition to the ports referenced in its port name space, each task has four special ports. The self port is used to request the kernel to perform actions upon the task. Any task holding a send right to a second task may use that right to request operations on the second task. The kernel is always the receiver for a task's self port. A task's sself port is normally equal to its self port, but may refer to a different port and have a task other than the kernel, such as a debugger, as its receiver. The relations $\underline{t}ask\_self\_rel$ and $\underline{t}ask\_sself\_rel$ identify the self and sself ports associated with each task. The other two special ports are the exception port and the bootstrap port. A task receives exception messages from the kernel via its exception port. A task's bootstrap port is provided as a start-up means for a task to obtain a send right to a service port for a server that can provide the task start-up information. The relations $\underline{t}ask\_eport\_rel$ and $\underline{t}ask\_bport\_rel$ identify the exception port and bootstrap port associated with each task. The sself, exception and bootstrap ports may be modified. Unlike the self port, they may become $Ip\_null$ or $Ip\_dead$ . ## For convenience: - The expression $task\_self(task)$ denotes task's self port. - The expression $task\_sself(task)$ denotes task's sself port. - The expression $task\_eport(task)$ denotes task's exception port. - The expression $task\_bport(task)$ denotes task's bootstrap port. - The expression $self\_task(port)$ denotes the task (if any) having port as its self port. #### **Mach Definition 43** ``` Special Task Ports ____ TaskExist PortExist Kernel Tasks And Ports task\_self\_rel: TASK \longleftrightarrow PORT \underline{t} \mathit{ask\_sself\_rel} : \mathit{TASK} \longleftrightarrow \mathit{PORT} task\_eport\_rel: TASK \longleftrightarrow PORT task\_bport\_rel: TASK \longleftrightarrow PORT task\_self: TASK \rightarrowtail PORT task\_sself: TASK \longrightarrow PORT task\_eport : TASK \longrightarrow PORT task\_bport: TASK \longrightarrow PORT self\_task : PORT \rightarrowtail TASK task\_self = task\_self\_rel task\_eport = task\_eport\_rel task\_bport = task\_bport\_rel task\_sself = \underline{t}ask\_sself\_rel dom \ task\_self = dom \ task\_sself = dom \ task\_eport = dom \ task\_bport = task\_exists ran task\_self \subset port\_exists ran\ task\_sself \subset port\_pointer ran \ task\_eport \subset port\_pointer \operatorname{ran} \, task\_b \, port \subset \, port\_pointer self\_task = port\_exists \lhd (task\_self^{\sim}) \forall task : TAS\overline{K} \mid task \in task\_exists \bullet receiver(task\_self(task)) = kernel ``` ## 4.6.2 Thread Ports Each thread has a self port, sself port, and an exception port with purposes parallel to the corresponding special ports for tasks. The relations and functions $\underline{t}hread\_self\_rel$ , $\underline{t}hread\_self\_thread\_self$ , $thread\_self$ th ``` SpecialThreadPorts Th \, read \, Exist PortExist TasksAndPorts Kernel thread\_self\_rel: THREAD \longleftrightarrow PORT thread\_sself\_rel: THREAD \longleftrightarrow PORT thread\_eport\_rel: THREAD \longleftrightarrow PORT thread\_self : THREAD \rightarrowtail PORT thread\_sself: THREAD \longrightarrow PORT thread\_eport: THREAD \longrightarrow PORT self\_thread : PORT \rightarrowtail THREAD thread\_self\_rel = thread\_self thread\_sself\_rel = thread\_sself thread\_eport\_rel = thread\_eport dom th read\_self = th read\_exists dom thread\_sself = \underline{t}hread\_exists dom th read\_eport = th read\_exists ran thread\_self \subset port\_exists ran thread\_sself \subset \overline{port\_pointer} ran thread\_eport \subset port\_pointer self\_thread = port\_exists \lhd (thread\_self^{\sim}) \forall thread : THREAD \mid thread \in \underline{t}hread\_exists \bullet receiver(thread\_self(thread)) = \underline{k}ernel ``` #### 4.6.3 Memory Ports A kernel and a memory object interact by engaging in a dialogue. The kernel sends messages to an object port and the object manager sends messages to a control port. There is also a name port used to identify the object in **vm\_region** requests. The relations $\underline{o}$ bject\_port\_rel, $\underline{c}$ ontrol\_port\_rel, and $\underline{n}$ ame\_port\_rel are used to represent the binding between a memory and its associated ports. For a particular Mach host kernel, there is at most one of each type of port associated with a given memory. Furthermore, no object port is associated with more than one memory object. For convenience: - The expressions object\_port(memory), control\_port(memory), and name\_port(memory) are used to denote, respectively, the object, control, and name port for memory. - The expression $object\_memory(port)$ denotes the memory object (if any) for which port is the object port. - The expression $control\_memory(port)$ denotes the memory object (if any) for which port is the control port. Memory objects are given a name port immediately upon allocation. However, they need not necessarily have object and control ports until a page that they back needs to be paged out. ``` .Memories And Ports Kernel MemoruExist TasksAndPorts object\_port\_rel: MEMORY \longleftrightarrow PORT \underline{control\_port\_rel}: MEMORY \longleftrightarrow PORT \underline{\textit{n}}\textit{ame\_port\_rel}: \textit{MEMORY} \longleftrightarrow \textit{PORT} object\_port : MEMORY \rightarrowtail PORT control\_port: MEMORY \rightarrowtail PORT name\_port : MEMORY \rightarrowtail PORT object\_memory : PORT \rightarrowtail MEMORY control\_memory: PORT \rightarrowtail MEMORY object\_port\_rel = object\_port control\_port\_rel = control\_port name\_port\_rel = name\_port object\_port^{\sim} = object\_memory control\_port^{\sim} = control\_memory \operatorname{dom} \underline{c} \operatorname{ontrol\_port\_rel} = \operatorname{dom} \underline{o} \operatorname{bject\_port\_rel} \subseteq \operatorname{dom} \underline{n} \operatorname{ame\_port\_rel} dom name\_port\_rel = memory\_exists \forall port : PORT \mid port \in ran \ control\_port\_rel • port \in dom\ receiver \land\ receiver(port) = \underline{k}ernel \forall port : PORT \mid port \in ran \underline{n} ame\_port\_rel • port \in dom\ receiver \land\ receiver(port) = kernel ``` #### 4.6.4 Host Ports Each host has two associated ports: the control port and the name port. These ports are denoted by $\underline{host\_control\_port}$ and $\underline{host\_name\_port}$ . The kernel is the receiver for each of these ports. The name port is used to service "unprivileged" requests while the control port is used to service "privileged" requests. #### **Mach Definition 46** ``` HostsAndPorts \\ Kernel \\ TasksAndPorts \\ \underline{h}ost\_control\_port : PORT \\ \underline{h}ost\_name\_port : PORT \\ \hline (\underline{h}ost\_name\_port, \underline{k}ernel) \in receiver \\ (\underline{h}ost\_control\_port, \underline{k}ernel) \in receiver \\ \hline ``` #### 4.6.5 Processor Ports Each processor has a port that is used to name it. The relation $\underline{p}$ rocessor $\underline{p}$ or $\underline{t}$ rel indicates the association between processors and their name ports. There is exactly one port associated with each processor. For convenience, $proc\_self(proc)$ and $the\_processor(port)$ are used to denote, respectively, the port associated with a given processor and the processor associated with a given port. Each processor set has two associated ports: the control port and the name port. The relations $\underline{ps\_control\_port\_rel}$ and $\underline{ps\_name\_port\_rel}$ are used to represent the binding between a processor set and its associated ports. In Mach, there is exactly one of each type of port associated with each existing processor set. For convenience: - The expression $controlled\_proc\_set(port)$ is used to indicate the processor set (if any) having port as its control port. - The expression $procset\_self(procset)$ is used to indicate procset's control port. - The expression $named\_proc\_set(port)$ is used to indicate the processor set (if any) having port as its name port. - The expression $procset\_name\_port(procset)$ is used to indicate procset's name port. ## **Mach Definition 47** ``` ProcessorsAndPorts _____ Kernel Tasks And Ports processor\_port\_rel : PROCESSOR \longleftrightarrow PORT ps\_control\_port\_rel : PROCESSOR\_SET \longleftrightarrow PORT \overline{ps\_name\_port\_rel}: PROCESSOR\_SET \longleftrightarrow PORT proc\_self: PROCESSOR \rightarrow PORT the\_processor: PORT \longrightarrow PROCESSOR controlled\_proc\_set: PORT \longrightarrow PROCESSOR\_SET procset\_self: PROCESSOR\_SET \longrightarrow PORT named\_proc\_set : PORT \longrightarrow PROCESSOR\_SET procset\_name\_port : PROCESSOR\_SET \longrightarrow PORT \operatorname{dom} ps\_control\_port\_rel = \operatorname{dom} ps\_name\_port\_rel p \, rocessor\_port\_rel^{\sim} = th \, e\_p \, rocessor processor\_port\_rel = proc\_self \overline{ps}_control_port_rel^{\sim} = controlled_proc_set \overline{ps\_control\_port\_rel} = procset\_self ps\_name\_port\_rel^{\sim} = named\_proc\_set \overline{ps}_name_port_rel = procset_name_port \overline{\forall} port : PORT \mid port \in ran ps\_control\_port\_rel • port \in dom\ receiver \land receiver(port) = \underline{k}ernel \forall port : PORT \mid port \in ran ps\_name\_port\_rel • port \in dom\ receiver \land receiver(port) = \underline{k}ernel \forall port : PORT \mid port \in ran processor\_port\_rel • port \in dom\ receiver \land receiver(port) = kernel ``` #### 4.6.6 Device Ports Each device is represented by a unique port. The relation $\underline{d}$ $evice\_port\_rel$ identifies the device port representing each device. The kernel is the receiver for a device port. For convenience: - The expression $device\_port(dev)$ is used to denote dev's device port. - The expression port\_device(port) is used to denote the device (if any) having port as its device port. ## 4.6.7 Device Master Port Tasks gain access to devices through the device master port which is denoted by $master\_device\_port$ . The kernel is the receiver for this port. #### **Mach Definition 49** ``` -MasterDevicePort TasksAndPorts Kernel \underline{m}aster\_device\_port: PORT (\underline{m}aster\_device\_port, \underline{k}ernel) \in receiver ``` ## 4.6.8 Summary Each special port for which the kernel is always the receiver must be distinct from all of the other special ports for which the kernel is always the receiver. For example, no two tasks may have the same self port, and no port may be both a task self port and a thread self port. Note, however, that the kernel does not prohibit overlaps between the special ports for which the kernel is always the receiver and the other special ports. For example, a task's bootstrap port might be set to some others task's self port (even though this would probably not serve any useful purpose). Editorial Note: The following needs some revision: - Add port classes for pager name ports and pager (object) ports. - Correct the misunderstanding that a port in a port class must have the kernel as the receiver. While this is true for most classes, memory object (pager) ports are a notable exception. The type $PORT\_CLASS$ denotes the classes of ports for which the kernel is the receiver. These are $Pc\_task$ , $Pc\_thread$ , $Pc\_host\_control$ , $Pc\_host\_name$ , $Pc\_ps\_control$ , $Pc\_ps\_name$ , $Pc\_processor$ , $Pc\_memory$ , and $Pc\_device$ . If the kernel is the receiver for port, then the expression $port\_class(port)$ denotes port's class. #### **Mach Definition 51** ``` \begin{array}{l} PORT\_CLASS ::= Pc\_task \mid Pc\_thread \mid Pc\_host\_control \mid Pc\_host\_name \\ \mid Pc\_ps\_control \mid Pc\_ps\_name \mid Pc\_processor \mid Pc\_memory \\ \mid Pc\_device \end{array} ``` # 4.7 Total Send Rights In addition to the send rights contained in the port name spaces associated with the tasks, the kernel maintains so-called naked send rights to the special ports. We occasionally need to know the total number of send rights to a given port including both those recorded in a name space and the naked rights. Naked rights are associated with the following ports: $task\_sself$ , $task\_eport$ , $task\_bport$ , $thread\_sself$ and $thread\_eport$ . We define $port\_right\_seq$ to be any sequence of the elements of the set $\underline{port\_right\_rel}$ (the precise ordering of elements is not important for our purposes). The expression $total\_name\_space\_srights(port)$ denotes the number of send rights to port in all name spaces, and $total\_naked\_srights(port)$ denotes the total number of send rights to port that are not stored in any name space. The expression $total\_srights(port)$ is the sum of these two numbers. Review Note: Need to determine if naked send rights are implied by any other special port relationships. Note that a naked send right is *not* created for the self port relationships (e.g., $th read\_self$ ). Need to determine whether rights in messages count as naked send rights too. #### **Mach Definition 52** ``` TotalSendRights = PortExist Tasks And Ports Special Purpose Ports port\_right\_seq : seq(TASK \times PORT \times NAME \times RIGHT \times \mathbb{N}_1) total\_name\_space\_srights: PORT \longrightarrow \mathbb{N} total\_naked\_srights: PORT \longrightarrow \mathbb{N} total\_srights: PORT \longrightarrow \mathbb{N} \operatorname{ran}\,\operatorname{po}\operatorname{rt}\operatorname{\!\_-righ} t\operatorname{\!\_-seq}\,=\,\operatorname{po}\operatorname{rt}\operatorname{\!\_-righ} t\operatorname{\!\_-rel} \#port\_right\_seq = \#port\_right\_rel (\forall port : PORT \mid port \in port\_exists) • total_name_space_srights(port) = Seq\_plus(squash \{task : TASK; name : NAME; i, n : \mathbb{N}_1) | (n, (task, port, name, Send, i)) \in port\_right\_seq \bullet (n, i) \land total\_naked\_srights(port) = \#(task\_sself \rhd \{port\}) + \#(task\_eport \rhd \{port\}) + \#(task\_bport \rhd \{port\}) + \#(thread\_sself \rhd \{port\}) + \#(thread\_eport \rhd \{port\}) \land \ total\_srights(port) = total\_name\_space\_srights(port) + total\_naked\_srights(port)) ``` # 4.8 Registered Rights Each task has a finite array of send rights, intended to use for access to the Network Name Server, the Environment Manager, and the Service server (although they may have any use). These rights are called "registered," to denote the fact that the kernel knows their identity. The expression $\underline{registered\_rights(task)}$ denotes the set of names of rights registered for task. There may be more than three registered rights, in fact their number need only be less than or equal to the system constant $Task\_port\_register\_max$ . The kernel has three constants $Name\_server\_slot$ , $Environment\_slot$ , and $Service\_slot$ which tell it which element of the array refers to each of these servers. ``` Task\_port\_register\_max: N Name\_server\_slot: N Environment\_slot: N Service\_slot: N ``` # 4.9 Memory System This section describes the components of the Mach system that are used to provide tasks with address spaces. ## 4.9.1 Memory Each memory can be viewed as mapping a memory offset to a value. Essentially, a memory can be viewed as an array of values indexed by offsets; the only difference is that a memory may have holes in the sense that some offsets do not map to any value. The mapping from offsets to values is defined by the memory's manager. As described in Section 4.9.2, the kernel becomes aware of pieces of this mapping as data is cached in resident pages. The types OFFSET and WORD denote, respectively, the sets of memory offsets and memory values. The kernel maintains a copy strategy for each memory object. This strategy is one of the following: $\blacksquare$ $Memory\_copy\_none$ — ``` Review Note: We need to figure out the meaning of each strategy. ``` - Memory\_copy\_call — - Memory\_copy\_delay — - Memory\_copy\_temporary — These values comprise the elements of the type $MEMORY\_COPY\_STRATEGY$ . The expression $copy\_strategy(memory)$ denotes the copy strategy recorded for memory. The kernel cannot request access permissions and data from a memory object until it has received a **memory\_object\_ready** command (normally in reply to a **memory\_object\_init** request). The set <u>initialized</u> denotes the set of memory objects for which this has occurred. The kernel records which memory objects may be cached; the set $\underline{m}$ $ay\_eache$ denotes the set of such memory objects. The memory performance for a memory object is influenced by its copy strategy and whether it can be cached. A memory can be either managed or unmanaged. The set $\underline{m}$ anaged denotes the set of memories that are managed. Corresponding to each such memory there is a task acting as the memory's manager. The manager for memory is denoted by $\underline{m}$ anager (memory). Each memory having an object port is managed. Similarly, memories can be temporary or non-temporary. The set $\underline{t}$ $emporary\_rel$ denotes the set of memories that are temporary. If the page of data corresponding to a given memory-offset pair is not resident when a thread attempts access, then the thread is blocked on a page fault. The expression $\underline{memory\_fault(memory, offset)}$ indicates the set of threads that are currently blocked on a page fault generated by access to a given memory-offset pair. Temporary memory is backed by the default memory manager. The kernel records a port identifying the current default memory manager. This port is denoted by $\underline{d}$ $efault\_mem\_manager$ . A null value is used to indicate the lack of a memory filling a particular function in a virtual memory map entry. ``` Review Note: Need to figure out how <u>d</u>efault_mem_manager relates to <u>m</u>anaged and <u>m</u>anager. ``` #### **Mach Definition 54** [WORD, OFFSET] ``` \begin{split} \mathit{MEMORY\_COPY\_STRATEGY} &::= \mathit{Memory\_copy\_none} \mid \mathit{Memory\_copy\_call} \\ \mid \mathit{Memory\_copy\_delay} \mid \mathit{Memory\_copy\_temporary} \end{split} ``` ``` Memory ___ Memories And Ports PortExist copy\_strategy: MEMORY \rightarrow MEMORY\_COPY\_STRATEGY \underline{i} nitialized : \mathbb{P} \ MEMORY may\_cache : \mathbb{P} MEMORY \underline{m} anaged : \mathbb{P} MEMORY manager: MEMORY \rightarrow TASK temporary\_rel : \mathbb{P} MEMORY memory\_fault: MEMORY \times OFFSET \longrightarrow \mathbb{P} THREAD \underline{d} efault_mem_manager : PORT \underline{d}\mathit{efault\_mem\_manager} \in \mathit{port\_exists} \underline{m} anaged = dom object_po\overline{r}t dom \ object\_port \subseteq dom \ \underline{m} \ a \ nager \underline{initialized} \subseteq \text{dom } object\_port \underline{m} ay\_cache \subseteq \underline{i} nitialized initialized = dom copy\_strategy \forall memory : MEMORY; offset : OFFSET \mid (memory, offset) \in dom \underline{memory\_fault} \land memory\_fault(memory, offset) \neq \emptyset • memory \in managed ``` #### 4.9.2 Pages At the physical level, pages relate page offsets and values in much the same way as memories relate memory offsets and values. The relation $\underline{p} \, age\_word\_rel$ identifies the binding between page-offset pairs and words of data. Since at most one value can be stored at a given page offset, $p \, age\_word\_rel$ is actually a function mapping page-offset pairs to values. For convenience, $page\_word\_fun(page)(page\_offset)$ is used to denote the word of data at offset $page\_offset$ of page page. Each page represents some area of memory. The relation $\underline{represents\_rel}$ indicates the binding between pages and memory-offset pairs. This relation should be interpreted as indicating the memory and offset within that memory of the beginning of the data that a page represents. Since each area of memory is represented by at most one page, the function $\underline{representing\_page}$ denoting the page representing an area of memory can be defined. Each page in the range of this function represents some area of memory. For convenience: - The set represents\_memory is used to denote the set of pages that represent some area of memory. - The set represented is used to denote the set of memory-offset pairs that are represented by some page. - The expressions $represented\_memory(page)$ and $represented\_offset(page)$ denote, respectively, the memory and offset that page represents. When a page is modified, it becomes dirty. The set $\underline{d}$ $irty\_rel$ denotes the set of dirty pages. Upon evicting a page, the kernel checks whether the page is dirty. If it is, then the contents of the page are sent to the appropriate memory manager for it to record the updates. A memory manager may instruct the kernel that it will not retain a copy of a page that it has provided to the kernel by indicating that the page is precious. Whenever the kernel evicts a precious page, it sends the contents of the page to the appropriate memory manager regardless of whether the page is dirty. By instructing the kernel that a page is precious, a memory manager can relieve itself of the responsibility of retaining a copy of a page while the page is resident; the memory manager can rely on the kernel to inform it of the page's current contents whenever the page is evicted. The set $\underline{p}$ recious is used to denote the set of precious pages. ## **Mach Definition 55** $[PAGE\_OFFSET]$ ``` PageAndMemory \_ page\_word\_rel : \mathbb{P}((PAGE \times PAGE\_OFFSET) \times WORD) page\_word\_fun: PAGE \longrightarrow PAGE\_OFFSET \longrightarrow WORD \underline{represents\_rel}: PAGE \longleftrightarrow (MEMORY \times OFFSET) representing\_page: MEMORY \times OFFSET \longrightarrow PAGE represents\_memory: \mathbb{P}\ PAGE represented: \mathbb{P}(MEMORY \times OFFSET) represented\_memory: PAGE \longrightarrow MEMORY represented\_offset: PAGE \longrightarrow OFFSET \underline{d}irty\_rel : \mathbb{P} PAGE precious : \mathbb{P} PAGE (\forall page : PAGE; page\_offset : PAGE\_OFFSET; word : WORD • page\_word\_fun(page)(page\_offset) = word \Leftrightarrow ((page, page\_offset), word) \in page\_word\_rel) represents\_memory \subset dom page\_word\_fun representing\_page = \underline{r}epresents\_rel^{\sim} \underline{d}irty\_rel \subseteq represents\_memory = ran representing\_page represented = dom representing\_page represented\_memory = \{memory : MEMORY ; offset : OFFSET ; page : PAGE \} |(page, (memory, offset)) \in \underline{r}epresents\_rel \bullet (page, memory)| represented\_offset = \{memory : MEMORY ; offset : OFFSET ; page : PAGE \} | (page, (memory, offset)) \in \underline{r}epresents\_rel \bullet (page, offset) | precious \subset represents\_memory ``` Mach allows pages to be locked against particular types of accesses. This is represented by associating a set of protections with each page. The protections are of type PROTECTION which is comprised of the elements Read, Write, and Execute. The relation $\underline{p}$ $age\_lock\_rel$ indicates the access modes against which a page is locked. For convenience $page\_locks(page)$ is defined to be the set of access modes against which page is locked. ## **Mach Definition 56** $PROTECTION ::= Read \mid Write \mid Execute$ ``` \begin{array}{c} Lock \\ \underline{p\,age\_lock\_rel} : PAGE \longleftrightarrow \mathbb{P}\ PROTECTION \\ \underline{p\,age\_locks} : PAGE \longleftrightarrow \mathbb{P}\ PROTECTION \\ \\ \underline{p\,age\_lock\_rel} = page\_locks \end{array} ``` # 4.9.3 Address Space The set $\underline{a}$ llocated is used to denote the set of $TASK\text{-}PAGE\_INDEX$ pairs that have been allocated in a task's address space. A task-index pair may be mapped to a memory area. Using the previously defined state components, these memory areas can be related to the physical pages used to contain the data when it is paged out. Thus, a task's address space completes the picture of mapping virtual addresses to physical pages and values. Note, however, that not all allocated addresses need be mapped to memory. The relation $\underline{map}\_rel$ associates task-index pairs with memory-offset pairs. There is at most one memory-offset pair associated with each task-index pair. For convenience: - The expressions $mapped\_memory(task, index)$ and $mapped\_offset(task, index)$ are used to denote the memory and offset corresponding to a given task-index pair. - The set mapped is used to denote the set of memories to which some task-index pair maps. # **Mach Definition 57** $[PAGE\_INDEX]$ ``` \begin{array}{l} \underline{\textit{Map\_rel}} : (\textit{TASK} \times \textit{PAGE\_INDEX}) \leftrightarrow (\textit{MEMORY} \times \textit{OFFSET}) \\ mapped\_memory : \textit{TASK} \times \textit{PAGE\_INDEX} \leftrightarrow \textit{MEMORY} \\ mapped\_offset : \textit{TASK} \times \textit{PAGE\_INDEX} \leftrightarrow \textit{OFFSET} \\ \underline{\textit{a}} \textit{llocated} : \mathbb{P}(\textit{TASK} \times \textit{PAGE\_INDEX}) \\ mapped : \mathbb{P}(\textit{MEMORY}) \\ \\ dom \, \underline{\textit{map\_rel}} = dom \, mapped\_memory = dom \, mapped\_offset \\ dom \, \underline{\textit{map\_rel}} \subseteq \underline{\textit{a}} \textit{llocated} \\ mapped = ran \, mapped\_memory \\ \forall \, \textit{task\_va\_pair} : \textit{TASK} \times \textit{PAGE\_INDEX} ; \, memory : \textit{MEMORY} ; \, offset : \textit{OFFSET} \\ \bullet \, (\textit{task\_va\_pair}, (\textit{memory}, \textit{offset})) \in \underline{\textit{map\_rel}} \\ \Leftrightarrow (\textit{mapped\_memory}(\textit{task\_va\_pair}) = \textit{memory} \\ \wedge \, mapped\_offset(\textit{task\_va\_pair}) = \textit{offset}) \\ \end{array} ``` #### 4.9.4 Memory Protection Mach protects memory objects by assigning protections to each page in a task's address space. Three sets of protections are associated with each page in a task's address space. The Mach protection holds currently applicable protection limits as indicated by users. The maximum protection limits the allowable values for the Mach protection. The third set, the current protections, is what actually limits a task's access to a page. This is a DTOS addition and will be further defined in Section 5.9.5 We use $\underline{m}$ $ach\_protection$ to denote the relation between tasks, pages, and Mach protection sets. The pair $((task,page\_index),protection\_set)$ is an element of $\underline{m}$ $ach\_protection$ if $protection\_set$ is the set of protections most recently established by a user request to set the Mach protections for $page\_index$ . We model maximum protections similarly by defining $\underline{m}$ $ax\_protection(task,page\_index)$ to denote the maximum protection that task is permitted to the memory it has mapped at $page\_index$ . <sup>&</sup>lt;sup>5</sup>The Mach protection in DTOS is called the current protection in Mach and is used in Mach to control a task's access of pages. The terminology has been changed here to remain consistent with the prototype which must take into account the decisions of the security server when determining the current protections. # 4.9.5 Memory Inheritance For each memory region within a task's address space, Mach records an inheritance attribute that indicates the manner in which child tasks inherit the memory. The possible options are: - $\blacksquare$ Inheritance\_option\_share indicates the region should be shared by the parent and child - *Inheritance\_option\_copy* indicates the region should be shared by the parent and child until one of them writes to the region; once a modification occurs, a copy-on-write is performed - Inheritance\_option\_none indicates the region should not be made accessible to the child These values comprise the elements of the type $INHERITANCE\_OPTION$ . The expression $\underline{i}$ $nheritance(task, page\_index)$ indicate the inheritance option associated with the region indicated by $page\_index$ in task's address space. #### **Mach Definition 59** ``` INHERITANCE\_OPTION ::= Inheritance\_option\_share \mid Inheritance\_option\_copy \mid Inheritance\_option\_none Inheritance = \underbrace{Inheritance : TASK \times PAGE\_INDEX \implies INHERITANCE\_OPTION} ``` ## 4.9.6 Shadow Memories A memory, $memory_1$ , is said to back a second memory, $memory_2$ , if $memory_1$ 's manager takes responsibility for pages of $memory_2$ that are not handled by $memory_2$ 's manager. The relation $\underline{b}$ acking\_rel indicates when $memory_1$ backs $memory_2$ at a given offset within $memory_1$ . Each memory is backed by at most one memory-offset pair. Furthermore, a memory may back at most one other memory. For convenience, $backing\_memory(memory)$ and $backing\_offset(memory)$ are used to denote, respectively, the memory and offset backing memory. Whenever $memory_1$ backs $memory_2$ , $memory_2$ is said to shadow $memory_1$ . For convenience: - The expression $shadow\_memories(memory)$ indicates the singleton set of memories backed by memory. $shadow\_memories$ is defined only for those memories that back another memory. - The expression $backing\_chain(memory)$ indicates the sequence of memories backing memory. If a memory is not backed by any memories, then its backing chain is empty. If $memory_1$ is backed by $memory_2$ then the backing chain for $memory_1$ consists of $memory_2$ followed by the backing chain for $memory_2$ . For example, suppose $memory_2$ backs $memory_1$ , $memory_3$ backs $memory_2$ , and no memory backs $memory_3$ . Then, the backing chains for $memory_3$ , $memory_2$ , and $memory_1$ are, respectively, $\langle \rangle$ , $\langle memory_3 \rangle$ , and $\langle memory_2, memory_3 \rangle$ . Mach does not permit cycles to occur in the sequence of memories backing a memory. Thus, we require that no memory be present in its backing chain. ``` Shadow Memories backing\_rel : \mathbb{P}(MEMORY \times MEMORY \times OFFSET) backing\_memory: MEMORY \longrightarrow MEMORY backing\_offset: MEMORY \longrightarrow OFFSET shadow\_memories: MEMORY \longrightarrow \mathbb{P} \ MEMORY backing\_chain : MEMORY \longrightarrow seq MEMORY \forall memory_1, memory_2 : MEMORY; offset : OFFSET • (memory_1, memory_2, offset) \in \underline{b} acking\_rel \Leftrightarrow ((memory_2, memory_1) \in backing\_memory \land (memory_2, offset) \in backing\_offset) dom shadow\_memories = ran backing\_memory \forall memory_1 : MEMORY \mid memory_1 \in dom shadow\_memories \bullet shadow_memories(memory<sub>1</sub>) = \{memory_2 : MEMORY\} \{\exists offset : OFFSET \bullet (memory_1, memory_2, offset) \in \underline{b} acking\_rel)\} \forall memory_1 : MEMORY \mid memory_1 \in \text{dom } shadow\_memories • \#(shadow\_memories(memory_1)) = 1 \forall memory : MEMORY • memory \notin dom\ backing\_memory \Rightarrow \#(backing\_chain(memory)) = 0 \land (memory \in dom backing_memory \Rightarrow backing\_chain(memory) = \langle backing\_memory(memory) \rangle backing\_chain(backing\_memory(memory))) \forall memory : MEMORY \bullet memory \notin ran(backing\_chain(memory)) ``` #### 4.9.7 Page Wiring To prevent critical pages from being evicted, Mach allows tasks to wire pages. For each page allocated in a task, a count is maintained of the number of times that the task has wired the page. The expression $\underline{w}ire\_count(task,page\_index)$ denotes the number of times that task has wired the page indicated by $page\_index$ in its address space. As long as a task's count for $page\_index$ remains nonzero, the physical page associated with $page\_index$ must be retained in memory. In other words, a physical page may only be evicted when no task has the page wired. The set wired denotes the set of physical pages that are wired by some task. ``` Wired \\ AddressSpace \\ PageAndMemory \\ \underline{w}ire\_count: (TASK \times PAGE\_INDEX) \rightarrow \mathbb{N} \\ wired\_locations: \mathbb{P}(TASK \times PAGE\_INDEX) \\ wired: \mathbb{P}\ PAGE \\ \\ dom \underline{w}ire\_count = \underline{a}llocated \\ wired\_locations = \{\ task: TASK; page\_index: PAGE\_INDEX \\ |\ \underline{w}ire\_count(task, page\_index) > 0 \ \} \\ wired\_locations \subseteq dom(representing\_page \circ \underline{m}ap\_rel) \\ wired = (representing\_page \circ \underline{m}ap\_rel) \ \{wired\_locations\} \\ ``` Review Note: The $\underline{w}ire-count$ component corresponds to the VM entry wire count. A page is wired if any VM entry that is mapped to it is wired. For efficiency the prototype maintains two wire counts, one on VM entries and another on pages. The latter denotes the number of VM entries that have the page wired ignoring multiple wirings by a single VM entry. We do not model the page wire count. # 4.9.8 Summary The memory system is comprised of memory objects, address spaces, pages, and backing chains. ## **Mach Definition 62** ``` .MemorySystem \_ Memory AddressSpace PageAndMemory MachProtection Lock Shadow Memories Inheritance Wired allocated = dom mach\_protection ran represented\_memory \subseteq dom \ object\_port \forall task\_va\_pair : TASK \times PAGE\_INDEX | task\_va\_pair \in dom \ map\_rel \land \underline{m} ap\_rel(task\_va\_pair) \in dom representing\_page • mach\_protection(task\_va\_pair) \subseteq PROTECTION \setminus page\_locks(representing\_page(\underline{map\_rel(task\_va\_pair))}) dom \underline{i} nheritance = \underline{a} llocated mapped \subseteq dom \ object\_port ``` # 4.10 Messages This section discusses the structure of messages. ## 4.10.1 Message Options The type MACH\_MSG\_OPTION denotes the base values of the options parameter of mach\_msg. The recognized values of this type are Mach\_send\_msg, Mach\_rcv\_msg, Mach\_send\_cancel, Mach\_send\_notify, Mach\_rcv\_notify, Mach\_rcv\_large, Mach\_send\_timeout, and Mach\_rcv\_timeout. The options parameter is set to some set of the base values. # **Mach Definition 63** $[MACH\_MSG\_OPTION]$ ``` Mach\_send\_msg: MACH\_MSG\_OPTION\\ Mach\_rcv\_msg: MACH\_MSG\_OPTION\\ Mach\_send\_cancel: MACH\_MSG\_OPTION\\ Mach\_send\_notify: MACH\_MSG\_OPTION\\ Mach\_rcv\_notify: MACH\_MSG\_OPTION\\ Mach\_rcv\_large: MACH\_MSG\_OPTION\\ Mach\_send\_timeout: MACH\_MSG\_OPTION\\ Mach\_send\_timeout: MACH\_MSG\_OPTION\\ Mach\_rcv\_timeout: MACH\_MSG\_OPTION\\ Mach\_rcv\_timeout: MACH\_MSG\_OPTION\\ Mach\_rcv\_timeout: MACH\_MSG\_OPTION\\ Mach\_rcv\_timeout: MACH\_MSG\_OPTION\\ Mach\_rcv\_timeout: MACH\_MSG\_OPTION\\ Mach\_rcv\_timeout: MACH\_msg\}, \{Mach\_rcv\_timeout\}, \{Mach\_rcv\_timeout\}, \{Mach\_rcv\_timeout\}, \{Mach\_rcv\_timeout\}\} ``` # 4.10.2 Complex Messages In addition to simply carrying data, a message can also carry port rights and memory regions. A message carrying port rights or memory regions is called a complex message. Each message carries a flag indicating whether the message contains port rights or memory regions. The type $COMPLEX\_OPTION$ consists of the elements $Co\_carries\_rights$ and $Co\_carries\_memory$ ; the flag carried in each message is a set of these values. Note that a flag containing both elements indicates that the message contains both port rights and memory regions. ## **Mach Definition 64** ## 4.10.3 Data Types Each element in the body of a message is typed. The set $MACH\_MSG\_TYPE$ denotes the set of data types recognized by the system. #### **Mach Definition 65** ``` [MACH\_MSG\_TYPE] ``` Whenever a port right is sent in a message, the client indicates a transfer option for the port right. The collection of acceptable transfer options is denoted by $Recognized\_transfer\_options$ and contain the values $Mmt\_make\_send$ , $Mmt\_copy\_send$ , $Mmt\_move\_send$ , $Mmt\_make\_send\_once$ , $Mmt\_move\_send\_once$ , and $Mmt\_move\_receive$ . An element of type $Mmt\_make\_send$ indicates a receive right held by the sender from which a send right is to be created for the receiver. Similarly, an element of type $Mmt\_make\_send\_once$ indicates a receive right held by the sender from which a send-once right is to be created for the receiver. An element of type $Mmt\_copy\_send$ indicates a send right that should be copied from the sender's port name space into the receiver's port name space. In other words, the sender retains the existing port right while passing the right to the receiver. An element of type $Mmt\_move\_send$ indicates a send right that should be moved from the sender's port name space into the receiver's port name space. In other words, the sender's reference count is decremented by one and the receiver's reference count is incremented by one. If the sender's reference count was one, then the sender loses the capability associated with the right. If the receiver's reference count was zero, then the receiver gains the capability associated with the right. Similarly, $Mmt\_move\_send\_once$ and $Mmt\_move\_receive$ allow send-once and receive rights to be moved from the sender's name space to the receiver's name space. ## **Mach Definition 66** ``` \begin{array}{c} Mmt\_make\_send : MACH\_MSG\_TYPE \\ Mmt\_copy\_send : MACH\_MSG\_TYPE \\ Mmt\_move\_send : MACH\_MSG\_TYPE \\ Mmt\_make\_send\_once : MACH\_MSG\_TYPE \\ Mmt\_move\_send\_once : MACH\_MSG\_TYPE \\ Mmt\_move\_receive : MACH\_MSG\_TYPE \\ Recognized\_transfer\_options : \mathbb{P}\ MACH\_MSG\_TYPE \\ Recognized\_transfer\_options : \mathbb{P}\ MACH\_MSG\_TYPE \\ \\ \{Mmt\_make\_send\}, \{Mmt\_copy\_send\}, \{Mmt\_move\_send\}, \{Mmt\_make\_send\_once\}, \{Mmt\_move\_send\_once\}, \{Mmt\_move\_receive\}\} \\ \\ partition \ Recognized\_transfer\_options \\ \end{array} ``` After the kernel translates the port rights to an internal representation, it is no longer relevant whether the right was moved, copied or made and the kernel simply records the type of right, $Mach\_msg\_type\_port\_receive$ , $Mach\_msg\_type\_port\_send$ , or $Mach\_msg\_type\_port\_send\_once$ . These values of $MACH\_MSG\_TYPE$ comprise the set $Mach\_msg\_type\_port\_rights$ . #### Mach Definition 67 ``` \begin{tabular}{llll} Mach\_msg\_type\_port\_receive: MACH\_MSG\_TYPE \\ Mach\_msg\_type\_port\_send: MACH\_MSG\_TYPE \\ Mach\_msg\_type\_port\_send\_once: MACH\_MSG\_TYPE \\ Mach\_msg\_type\_port\_rights: \mathbb{P} \begin{tabular}{lll} Mach\_msg\_type\_port\_send \end{tabular}, & \{Mach\_msg\_type\_port\_send\_once \} \\ & \{Mach\_msg\_type\_port\_rights \end{tabular}, & \{Mach\_msg\_type\_port\_send\_once \} \\ & \{Mach\_msg\_type\_port\_rights \end{tabular} \end{tabular} ``` # 4.10.4 Message Headers The header for a message residing in user-space memory or kernel-space memory contains the following data: - *local\_port* specifies the reply port when sending a message (*Mach\_port\_null* indicates no reply port is specified) - local\_rights the port rights for the local port (if one is specified) - remote\_port specifies the destination port when sending a message - remote\_rights the port rights for the remote port - *size* specifies the size, in bytes, of a message when receiving - *msg\_sequence\_no* specifies the sequence number when receiving a message - lacktriangledown operation or function id set by message sender In addition, a message header in kernel space contains a value complex which indicates whether the message carries port rights or memory regions or both. This value is a set of elements of type $COMPLEX\_OPTION$ . In place of complex, a message header in user space contains a single value $complex\_boolean$ indicating whether the message carries port rights and/or memory regions. The possible values are $Co\_carries\_rights\_and\_or\_memory$ and $Co\_carries\_neither\_rights\_nor\_memory$ . If $complex\_boolean$ has value $Co\_carries\_neither\_rights\_nor\_memory$ , then the message contains no port rights nor memory regions regardless of what is indicated by the individual data elements of the message. ## **Mach Definition 68** ``` [OPERATION] \\ COMPLEX\_OPTION\_BOOLEAN \\ ::= Co\_carries\_rights\_and\_or\_memory \\ | Co\_carries\_neither\_rights\_nor\_memory \\ \\ \hline \\ -MachMsgHeader \\ \hline \\ local\_port: NAME \\ local\_rights: \mathbb{P}\ MACH\_MSG\_TYPE \\ remote\_port: NAME \\ remote\_rights: MACH\_MSG\_TYPE \\ size: \mathbb{N} \\ msg\_sequence\_no: \mathbb{N} \\ operation: OPERATION \\ complex\_boolean: COMPLEX\_OPTION\_BOOLEAN \\ \hline \\ \#local\_rights < 1 \\ \\ \end{array} ``` Messages residing in kernel space contain ports rather than names. Thus, the $remote\_port$ and $local\_port$ fields contain ports instead of names when a message is in transit. If $Mach\_port\_null$ was specified as the name of the local port in the MachMsgHeader, then $local\_port$ is empty in the corresponding MachInternalHeader. #### **Mach Definition 69** ``` \begin{tabular}{l} Mach Internal Header \\ local\_port: \mathbb{P}\ PORT \\ local\_rights: \mathbb{P}\ MACH\_MSG\_TYPE \\ remote\_port: PORT \\ remote\_rights: MACH\_MSG\_TYPE \\ size: \mathbb{N} \\ msg\_sequence\_no: \mathbb{N} \\ operation: OPERATION \\ complex: \mathbb{P}\ COMPLEX\_OPTION \\ \\ \#local\_rights = \#local\_port \leq 1 \\ \end{tabular} ``` ## 4.10.5 Outcall Operations There are several sets of operation identifiers used in messages to external servers (e.g., the security server) and user tasks. Some of these identifiers are used by the kernel when sending outcalls. We use - *Exception\_ids* to denote the set of operations used by the kernel when sending an exception message, The only element of this set is *Mach\_exception\_id*. - Kernel\_service\_reply\_ids to denote the set of operations used by the kernel in reply messages to kernel service requests, - Security\_server\_ids to denote the set of security server operations, - $Audit\_ids$ to denote the set of audit operations, - *Mem\_obj\_confirmation\_ids* to denote the set of operations used by the kernel when sending confirmations of memory operations to a pager, - Pager\_request\_ids to denote the set of pager operations, - Mach\_notify\_ids to denote the set of operations used by the kernel in notification messages, and - Network\_packet\_ids to denote the set of operations used by the kernel when forwarding network packets. We give a partial description of the identifiers in these sets. #### **Mach Definition 70** ``` Exception\_ids: POPERATION \\ Mach\_exception\_id: OPERATION \\ \hline Exception\_ids = \{Mach\_exception\_id\} ``` ## **Mach Definition 71** ``` Kernel\_service\_reply\_ids : POPERATION ``` # **Mach Definition 72** ``` Security\_server\_ids : \mathbb{P} \ OPERATION SSI\_compute\_av\_id : OPERATION \{SSI\_compute\_av\_id\} \subseteq Security\_server\_ids ``` #### **Mach Definition 73** ``` Audit\_ids : \mathbb{P} \ OPERATION \\ Audit\_batch\_id, Audit\_id : \\ OPERATION \\ \hline \left\{ Audit\_batch\_id, Audit\_id \right\} \\ \subseteq Audit\_ids ``` ## **Mach Definition 75** ``` Pager\_request\_ids: POPERATION \\ Memory\_object\_copy\_id, Memory\_object\_create\_id, Memory\_object\_data\_initialize\_id, \\ Memory\_object\_data\_request\_id, Memory\_object\_data\_return\_id, \\ Memory\_object\_data\_unlock\_id, Memory\_object\_data\_write\_id, \\ Memory\_object\_init\_id, Memory\_object\_terminate\_id: \\ OPERATION \\ \{Memory\_object\_copy\_id, Memory\_object\_create\_id, Memory\_object\_data\_initialize\_id, \\ Memory\_object\_data\_request\_id, Memory\_object\_data\_return\_id, \\ Memory\_object\_data\_unlock\_id, Memory\_object\_data\_write\_id, \\ Memory\_object\_init\_id, Memory\_object\_terminate\_id\} \\ \subset Pager\_request\_ids ``` ## **Mach Definition 76** ``` \begin{aligned} & \textit{Mach\_notify\_ids} : \mathbb{P} \ \textit{OPERATION} \\ & \textit{Ipc\_notify\_dead\_name\_id}, \textit{Ipc\_notify\_msg\_accepted\_id}, \textit{Ipc\_notify\_no\_senders\_id}, \\ & \textit{Ipc\_notify\_port\_deleted\_id}, \textit{Ipc\_notify\_port\_destroyed\_id}, \\ & \textit{Ipc\_notify\_send\_once\_id} : \\ & \textit{OPERATION} \end{aligned} \\ & \{ \begin{aligned} & \textit{Ipc\_notify\_dead\_name\_id}, \textit{Ipc\_notify\_msg\_accepted\_id}, \textit{Ipc\_notify\_no\_senders\_id}, \\ & \textit{Ipc\_notify\_port\_deleted\_id}, \textit{Ipc\_notify\_port\_destroyed\_id}, \\ & \textit{Ipc\_notify\_send\_once\_id} \} \\ & \subseteq \textit{Mach\_notify\_ids} \end{aligned} ``` #### **Mach Definition 77** ``` Network\_packet\_ids : \mathbb{P} OPERATION Forward\_net\_packet\_id : OPERATION \{Forward\_net\_packet\_id\} \subset Network\_packet\_ids ``` # 4.10.6 Message Bodies The body of a message consists of a sequence of message elements. Each element contains the following: - the number of data elements contained in the message element - a data type - a collection of data elements or a single address A triple that contains a collection of data elements represents in-line data. The number of data elements in the collection is the same as the specified number of data elements, and each such element is of the specified type. A triple that contains a single address represents out-of-line data. The address specifies the start of the area of memory containing the data. The data in that area is interpreted as being a collection of the specified number of data elements of the specified data type. Each out-of-line element contains a flag indicating whether the memory should be deallocated from the sender's address space. The possible values of this flag are $Msg\_deallocate$ and $Msg\_dont\_deallocate$ . ## **Mach Definition 78** ``` [MSG\_DATA] OLSD ::= Msg\_deallocate \mid Msg\_dont\_deallocate BASE\_MSG\_ELEMENT ::= In\_line \langle \langle \mathbb{N} \times MACH\_MSG\_TYPE \times \text{seq } MSG\_DATA \rangle \rangle \mid Out\_of\_line \langle \langle \mathbb{N} \times MACH\_MSG\_TYPE \times VIRTUAL\_ADDRESS \times OLSD \rangle \rangle ``` Thus, an in-line message element is denoted by: ``` In\_line(n, mach\_msg\_type, data\_seq) ``` and an out-of-line message element is denoted by: ``` Out\_of\_line(n, mach\_msg\_type, va, olsd) ``` The number of entries specified in a triple representing in-line data must be the same as the number of entries in the specified sequence of data elements. The set $Msg\_element$ denotes the set of valid message elements, and the set $MESSAGE\_BODY$ denotes the set of sequences of valid message elements. In other words, $MESSAGE\_BODY$ denotes the set of valid message bodies. #### Mach Definition 79 #### **Mach Definition 80** ``` MESSAGE\_BODY == seq Msg\_element ``` When a message is moved into kernel space, the port names appearing in the message are transformed into port identifiers and the virtual addresses indicating out-of-line data are transformed into memory-offset pairs. In other words, the client specific names for kernel entities are transformed into the appropriate global names used internal to the kernel. Thus, an element in a message body in kernel space is of one of the following forms: ■ $Msg\_value(n, mach\_msg\_type, (task, value\_seq))$ — an in-line element; if $mach\_msg\_type$ is an element of $Recognized\_transfer\_options$ and some elements of $value\_seq$ have not yet been resolved to ports then further processing is required to transform the sequence of data into a sequence of ports. Note that there are two forms for elements of $value\_seq$ . An entry of the form $V\_data(msg\_data, v\_data\_l)$ denotes the data $msg\_data$ while an entry of the form $V\_port(port, v\_data\_l)$ denotes a port name that has been resolved into a port. In either case, $v\_data\_l$ indicates whether the element came from an in-line data element or an out-of-line data element. The only time $v\_data\_l$ will indicate an out-of-line data element is when the element is a port name from an out-of-line data element that has been resolved into a port. - $Transit\_right(n, mach\_msg\_type, (task, port\_seq, v\_data\_l))$ a sequence of port rights in transit; task indicates the task that sent the message and $v\_data\_l$ indicates whether the port right was sent in-line or out-of-line - $Msg\_region(n, mach\_msg\_type, (task, va, olsd))$ an out-of-line element that requires further processing to transform the task-address pair into a memory-offset pair; task indicates the task that sent the message and olsd indicates whether the region should be deallocated from task's address space - $Transit\_memory(n, mach\_msg\_type, (task, memory, offset))$ an out-of-line element that has been transformed from a task-address pair to a memory-offset pair; task indicates the task that sent the message The number of entries specified in a triple representing in-line data must be the same as the number of entries in the specified sequence of data elements. The type $Internal\_element$ denotes the set of valid message elements internal to the kernel, and the type $INTERNAL\_BODY$ denotes the set of sequences of these elements. Thus, $INTERNAL\_BODY$ denotes the set of message bodies that can be stored in the kernel. ## **Mach Definition 81** ``` \begin{array}{l} V\_DATA\_LOCATION ::= V\_data\_in \mid V\_data\_out \\ MSG\_VALUE ::= V\_data \langle \langle MSG\_DATA \times V\_DATA\_LOCATION \rangle \\ \mid V\_port \langle \langle PORT \times V\_DATA\_LOCATION \rangle \\ BASE\_INTERNAL\_ELEMENT \\ ::= Msg\_value \langle \langle \mathbb{N} \times MACH\_MSG\_TYPE \times (TASK \times seq MSG\_VALUE) \rangle \rangle \\ \mid Transit\_right \langle \langle \mathbb{N} \times MACH\_MSG\_TYPE \\ \quad \times (TASK \times seq PORT \times V\_DATA\_LOCATION) \rangle \\ \mid Msg\_region \langle \langle \mathbb{N} \times MACH\_MSG\_TYPE \times (TASK \times VIRTUAL\_ADDRESS \times OLSD) \rangle \\ \mid Transit\_memory \langle \langle \mathbb{N} \times MACH\_MSG\_TYPE \times (TASK \times MEMORY \times OFFSET) \rangle \rangle \end{array} ``` #### **Editorial Note:** $\mathit{Transit\_right}$ probably needs to be considered in the following. ``` Internal\_element: \mathbb{P}\ BASE\_INTERNAL\_ELEMENT Internal\_element = \{ msg\_element: BASE\_INTERNAL\_ELEMENT \\ | (\exists n : \mathbb{N}; mach\_msg\_type : MACH\_MSG\_TYPE; task : TASK; value\_seq : seq MSG\_VALUE; port\_seq : seq PORT; memory : MEMORY; offset : OFFSET; va : VIRTUAL\_ADDRESS; olsd : OLSD; v\_data\_l : V\_DATA\_LOCATION \bullet \ (msg\_element = Msg\_value(n, mach\_msg\_type, (task, value\_seq)) \\ \land \# value\_seq = n) \lor msg\_element = Msg\_region(n, mach\_msg\_type, (task, va, olsd)) \lor msg\_element = Transit\_memory(n, mach\_msg\_type, (task, memory, offset))) \} ``` ``` INTERNAL\_BODY == \{body : seq Internal\_element \\ | (\exists task : TASK) \\ \bullet (\forall n : \mathbb{N}; mach\_msg\_type : MACH\_MSG\_TYPE; \\ value\_seq : seq MSG\_VALUE; \\ olsd : OLSD; task_1 : TASK; va : VIRTUAL\_ADDRESS \\ | Msg\_value(n, mach\_msg\_type, (task_1, value\_seq)) \in ran body \\ \lor Msg\_region(n, mach\_msg\_type, (task_1, va, olsd)) \in ran body \\ \bullet task = task_1))\} Review Note: Should Transit\_memory be added to the above? ``` Note that all of the elements in a single message body must contain the same task identifier. It is intended that this task identifier unambiguously defines the identity of the task that sent the message. # 4.10.7 Message Status Once a message enters the kernel, it can be in one of three states: - $Msg\_stat\_send$ indicates that the kernel is performing processing to send the message - $Msg\_stat\_pseudo$ indicates that the kernel is performing processing to return the message to the message sender as part of a failed send request - $Msg\_stat\_rcv$ indicates that the kernel is performing processing to receive the message These elements comprise the values of the type $MSG\_STATUS$ . The following error conditions can arise during the processing of a message: $Msg\_error\_invalid\_memory$ , $Msg\_error\_invalid\_right$ , $Msg\_error\_invalid\_type$ , $Msg\_error\_msg\_too\_small$ , $Msg\_error\_notify\_in\_progress$ , and $Msg\_error\_timed\_out$ . These values comprise the set $MSG\_ERROR$ . ## **Mach Definition 82** ``` MSG\_STATUS ::= Msg\_stat\_send \mid Msg\_stat\_pseudo \mid Msg\_stat\_rcv MSG\_ERROR ::= Msg\_error\_invalid\_memory \mid Msg\_error\_invalid\_right \mid Msg\_error\_invalid\_type \mid Msg\_error\_msg\_too\_small \mid Msg\_error\_notify\_in\_progress \mid Msg\_error\_timed\_out ``` #### 4.10.8 Message Structure Each message is modeled as containing fields header and body. The type Message denotes the set of user space messages. In addition to the header and body, messages in transit also contain the following fields: - option indicates the options specified by the client - $time\_out\_at$ indicates when a given send or receive request will time out If the set contained in this field is empty, then the message will not time out. Otherwise, the set contains exactly one value and this value defines the earliest time at which the associated send or receive request can time out. - *status* indicates future processing the kernel must perform on the message - $\bullet$ error indicates the first error (if any) that occurred during the processing of the message. The type *InternalMessage* denotes the possible values of messages in transit. ## **Mach Definition 84** ``` InternalMessage \\ header: MachInternalHeader \\ body: INTERNAL\_BODY \\ option: \mathbb{P} \ MACH\_MSG\_OPTION \\ time\_out\_at: \mathbb{P} \ \mathbb{N} \\ status: MSG\_STATUS \\ error: \mathbb{P} \ MSG\_ERROR \\ \\ \#time\_out\_at \leq 1 \\ \#error \leq 1 ``` # 4.10.9 Pending Receives Each port can have clients blocked on message receive requests waiting for messages to arrive at the port. Each pending receive request has the following associated information: - *notify* the notify port name specified by the receiving task - option the options specified by the receiving task - $\blacksquare$ $rcv\_size$ the receive size specified by the receiving task - $time\_out\_at$ the time at which the request will time out; this has the same format as the $time\_out\_at$ component of InternalMessage. # **Mach Definition 85** # 4.10.10 Reply Ports The sender of a message can specify a reply port for the receiver to use to reply to the message. The sender does so by setting the $local\_port$ field to its name for the port. For convenience, the relation $\underline{reply\_port\_rel}$ is used to denote the reply port and transferred right in a message specifying a reply port. The interpretation of: ``` (message, (port, right)) ``` being an element of $\underline{r}eply\_port\_rel$ is that message transfers the type of right specified by right (send or send-once) for port to the receiver of message. The intent is that the receiver use the transferred right to send a reply message to port. Each message contains at most one reply port and right for that port. For convenience, the expressions $reply\_port(message)$ and $reply\_port\_right(message)$ are used to denote the reply port and transferred right contained in a given message. #### **Mach Definition 86** ``` \begin{array}{|c|c|c|c|}\hline ReplyPorts \\\hline \underline{reply\_port\_rel}: MESSAGE &\longleftrightarrow (PORT \times \{Send, Send\_once\})\\ reply\_port: MESSAGE &\longleftrightarrow PORT\\ reply\_port\_right: MESSAGE &\longleftrightarrow \{Send, Send\_once\}\\ \hline \\ reply\_port &= \{message: MESSAGE; port: PORT; right: RIGHT\\ &\mid (message, (port, right)) \in \underline{reply\_port\_rel} \bullet (message, port)\}\\ reply\_port\_right &= \{message: MESSAGE; port: PORT; right: RIGHT\\ &\mid (message, (port, right)) \in \underline{reply\_port\_rel} \bullet (message, right)\}\\ \hline \end{array} ``` ## 4.10.11 Summary This section has defined the data structures used to model messages. The expression $\underline{msg\_contents}(message)$ is used to denote the internal message structure associated with each message identifier, and the expression $\underline{pending\_receives}(task,name)$ indicates the receive requests currently pending for threads in task that attempted to receive through the port named by name. The expression $\underline{t}ask\_received\_msgs(task)$ denotes the set of user-space messages that have been received by task. For convenience, the expression $msg\_operation(message)$ is used to denote the type of operation requested by message. In other words, the returned value is the operation field of the message identified by message. #### **Mach Definition 87** ``` Messages. TaskExist MessageExist Operations ReplyPorts \underline{msg\_contents}: MESSAGE \longrightarrow InternalMessage pending\_receives : TASK \times NAME \longrightarrow seq\ PendingReceive \underline{t} ask_received_msgs: TASK \longrightarrow \mathbb{P} MESSA GE dom \ reply\_port \subseteq \underline{m} \ essage\_exists dom msg\_operation = dom msg\_contents = message\_exists \forall message : MESSAGE \mid message \in \underline{m}essage \underline{-}exists • msg\_operation(message) = (\underline{m}sg\_contents(message)).header.operation \forall message : MESSAGE; port : PORT \mid message \in \underline{message} = exists • (message, (port, Send)) \in \underline{reply\_port\_rel} \Leftrightarrow ((\underline{m} sg\_contents(message)).header.local\_port = \{port\} \land (\underline{m} sg\_contents(message)).header.local\_rights \cap \{ Mmt\_make\_send, Mmt\_move\_send, Mmt\_copy\_send \} \neq \emptyset \} \forall message : MESSAGE; port : PORT \mid message \in \underline{message\_exists} • (message, (port, Send\_once)) \in \underline{reply\_port\_rel} \Leftrightarrow ((\underline{msg\_contents}(message)).header.local\_port = \{port\} \land (\underline{msg\_contents}(message)).header.local\_rights \cap \{ Mmt\_make\_send\_once, Mmt\_move\_send\_once \} \neq \emptyset \} \forall task : TASK | task \notin task\_exists • task\_received\_msgs(task) = \emptyset ``` # 4.11 Processors and Processor Sets Must figure out what the axioms are on pending\_receives. Each host has a default processor set denoted by $\underline{d}$ efault. Furthermore, each host has a master processor denoted by $\underline{m}$ aster $\underline{proc}$ . # **Mach Definition 89** Review Note: ``` HostsAndProcessors \\ ProcessorsAndPorts \\ \underline{d} e fault : PROCESSOR\_SET \\ \underline{m} aster\_proc : PROCESSOR \\ \\ \underline{d} e fault \in \text{dom } \underline{p} s\_control\_port\_rel \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc \in \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocessor\_port\_rel \\ \\ \underline{m} aster\_proc = \text{dom } \underline{p} rocess ``` Each processor is a member of a single processor set. The relation $\underline{m} ember\_rel$ indicates which processors belong to each processor set. For convenience, the expressions processors(procset) and $proc\_assigned\_procset(proc)$ are used to denote, respectively, the set of processors that belong to procset and the processor set to which proc belongs. # Mach Definition 90 ``` \begin{array}{c} ProcessorAndProcessorSet \\ \hline ProcessorsAndPorts \\ \underline{m}ember\_rel: PROCESSOR \leftrightarrow PROCESSOR\_SET \\ processors: PROCESSOR\_SET \rightarrow \mathbb{P}\ PROCESSOR \\ proc\_assigned\_procset: PROCESSOR \leftrightarrow PROCESSOR\_SET \\ \hline \\ \text{dom}\ \underline{m}ember\_rel \subseteq \text{dom}\ \underline{p}\ rocessor\_port\_rel \\ \text{ran}\ \underline{m}ember\_rel \subseteq \text{dom}\ \underline{p}\ s\_control\_port\_rel \\ proc\_assigned\_procset = \underline{m}ember\_rel \\ processors = (\lambda\ procset: PROCESSOR\_SET \bullet \underline{m}ember\_rel^{\sim}\ (\{procset\}\}) \end{array} ``` Each task is assigned to a single processor set. The relation $\underline{t}$ ask\_assignment\_rel indicates the association between tasks and processor sets. For convenience, the expressions $have\_assigned\_tasks(procset)$ and $task\_assigned\_to(task)$ are used to denote, respectively, the set of tasks assigned to procset and processor set to which task is assigned. #### **Mach Definition 91** ``` TaskAndProcessorSet \\ SpecialTaskPorts \\ ProcessorsAndPorts \\ \underline{t}ask\_assignment\_rel: TASK \leftrightarrow PROCESSOR\_SET \\ have\_assigned\_tasks: PROCESSOR\_SET \rightarrow \mathbb{P}\ TASK \\ task\_assigned\_to: TASK \rightarrow PROCESSOR\_SET \\ \hline \\ dom\ \underline{t}ask\_assignment\_rel = ran\ self\_task \\ ran\ \underline{t}ask\_assignment\_rel \subseteq dom\ \underline{p}s\_control\_port\_rel \\ \underline{t}ask\_assignment\_rel = task\_assigned\_to \\ have\_assigned\_tasks = (\lambda\ procset: PROCESSOR\_SET \\ \hline \\ \bullet\ \underline{t}ask\_assignment\_rel^{\sim}\ (\{procset\}\})) ``` Similarly, Each thread is assigned to a single processor set. The relation $\underline{t}hread\_assignment\_rel$ associates threads with processor sets. For convenience, the expressions $have\_assigned\_threads(procset)$ and $thread\_assigned\_to(thread)$ are used to denote, respectively, the set of threads assigned to procset and processor set to which thread is assigned. Each processor set has a set of enabled scheduling policies, denoted by $\underline{e}$ $nabled\_sp(procset)$ and a maximum priority for assigned threads, denoted by $\underline{p}$ $s\_max\_priority(procset)$ . The set of enabled scheduling policies for a thread's processor set is used to constrain the policies that can be assigned to that thread. The maximum scheduling priority for a processor set constrains the priorities that can be assigned to a newly created thread associated with that processor set. ``` . Th\, readA\, ndProcessorSet \_ ProcessorSetExist Processors And Ports Special Thread Ports ThreadSchedPolicy thread\_assignment\_rel: THREAD \longleftrightarrow PROCESSOR\_SET have\_assigned\_threads: PROCESSOR\_SET \longrightarrow \mathbb{P} \ THREAD thread\_assigned\_to: THREAD \longrightarrow PROCESSOR\_SET enabled\_sp: PROCESSOR\_SET \longrightarrow \mathbb{P} \ SCHED\_POLICY ps\_max\_priority : PROCESSOR\_SET \longrightarrow \mathbb{Z} \underline{t}hread\_assignment\_rel = thread\_assigned\_to have\_assigned\_threads = (\lambda \ procset : PROCESSOR\_SET • \underline{t}hread\_assignment\_rel^{\sim}(\{procset\})) dom \underline{t}hread\_assignment\_rel = dom thread\_self ran \underline{t}hread\_assignment\_rel \subseteq dom \underline{ps\_control\_port\_rel} dom \underline{e} \ nabled\_sp = dom \ ps\_max\_priority = procset\_exists \bigcup (\operatorname{ran} \underline{e} \, nabled\_sp) \subseteq \underline{supported}\_sp ran ps\_max\_priority \subseteq Priority\_levels ``` Each processor may have an active thread. The expression $\underline{a}$ $ctive\_thread(proc)$ indicates the thread (if any) that is active on proc. ## **Mach Definition 93** ``` Threads And Processors Thread Exist Exist \underline{active\_thread}: PROCESSOR \rightarrowtail THREAD dom \underline{active\_thread} \subseteq \underline{proc\_exists} ran \underline{active\_thread} \subseteq \underline{thread\_exists} ``` ## 4.12 Time Each host provides a system clock. The current system time is denoted by $host\_time$ . #### **Mach Definition 94** # 4.13 Devices Each device has an associated count indicating how many times the device has been opened and not closed. We use $\underline{d}\,evice\_open\_count(dev)$ to indicate the count associated with dev. This count is incremented each time dev is opened and decremented each time dev is closed. Each device with a positive creation count has an associated device port that represents the device. ``` \begin{array}{c} DeviceOpenCount \\ \hline DevicesAndPorts \\ \underline{d}\,evice\_open\_count:DEVICE \longrightarrow \mathbb{N} \\ \hline \\ \text{dom}\,device\_port = \{\,dev:DEVICE \mid \underline{d}\,evice\_open\_count(dev) > 0\,\} \end{array} ``` A kernel-space device driver may supply event counters for use by user-space device drivers. An event counter is used as a semaphore for events produced by kernel-space drivers. The counter is incremented when a relevant event occurs and decremented when a thread (e.g., a user-space device driver) indicates via the **evc\_wait** trap that it wishes to process an event. Each task refers to an event by referencing its event counter. The appropriate event counter is communicated to a thread in a driver-specific way. The expression $EVENT\_COUNTER$ denotes the set of all event counters. #### **Mach Definition 96** ``` [EVENT\_COUNTER] ``` Each event counter may have at most one thread, denoted by $\underline{t}hread\_waiting(evc)$ , waiting for it. Furthermore, each thread may be waiting on at most one event counter. The number of event that are queued and waiting to be processed by a thread is denoted by $\underline{e}vent\_count(evc)$ . The expression $\underline{s}upplying\_device$ denotes the kernel-space device driver that supplied the event counter. ## **Mach Definition 97** Devices can be associated with memory objects that can then be mapped into address spaces. We use $\underline{mapped\_devices}$ to denote the set of devices that have been associated with memory objects. # **Mach Definition 98** ``` \underline{\underline{m}apped\_devices} \underline{\underline{m}apped\_devices} : \mathbb{P} \underline{DEVICE} ``` Each device has two associated queues of data records. We use $\underline{d}\,evice\_in(dev)$ and $\underline{d}\,evice\_out(dev)$ to denote, respectively, data input and output through the device. Data read from dev is dequeued from $\underline{d}\,evice\_in(dev)$ , and data written to dev is enqueued to $\underline{d}\,evice\_out(dev)$ . $<sup>^6</sup>$ Threads may also wait for events that occur while the system is operating in kernel space (e.g., another thread becomes suspended). This is handled through a separate waiting mechanism that is not modeled in the FTLS. # **Mach Definition 99** $[DEVICE\_RECORD]$ #### **Mach Definition 100** ``` \begin{array}{l} \_DeviceData = \\ \underline{d}\,evice\_in: DEVICE \longrightarrow \operatorname{seq}\,DEVICE\_RECORD \\ \underline{d}\,evice\_out: DEVICE \longrightarrow \operatorname{seq}\,DEVICE\_RECORD \end{array} ``` Each device can have associated filters that are used to route data received through the device. Each filter has an associated port to which data accepted by the filter is delivered. Furthermore, a priority can be associated with each port to indicate the ordering when there are multiple ports associated with the filter. We use $\underline{device\_filter\_info(dev)}$ to indicate the set of $(device\_filter\_priority)$ triples associated with dev. # **Mach Definition 101** ``` [DEVICE\_FILTER, FILTER\_PRIORITY] \\ DEVICE\_FILTER\_INFO == DEVICE\_FILTER \times PORT \times FILTER\_PRIORITY ``` # **Mach Definition 102** Each device has an associated status. We use $d \ evice\_status(d \ ev)$ to denote $d \ ev$ 's status. ## **Mach Definition 103** ``` [DEVICE_STATUS] ``` #### **Mach Definition 104** ## **Mach Definition 105** # 4.14 Summary The data structures defined in the previous sections comprise the Mach system state. The type Mach is used to denote the set of Mach system states. # **Mach Definition 106** $Process \triangleq Threads \land TaskPriority \land TaskSuspendCount \\ \land EmulationVector \\ Ipc \triangleq PortNameSpace \land RegisteredRights \land Notifications \\ \land PortSummary \land PortClasses \land Messages \\ Processor \triangleq HostsAndProcessors \land ProcessorAndProcessorSet \land TaskAndProcessorSet \\ \land ThreadAndProcessorSet \land ThreadsAndProcessors$ # **Mach Definition 107** -Mach Exist Process Ipc Processor MemorySystem HostTime Devices $\underline{manager} = receiver \circ object\_port$ # Section 5 DTOS State Extensions This section describes extensions to the base Mach microkernel state that are needed to support the DTOS kernel. The DTOS kernel is intended to support a wide range of policies. Thus, the state components described in this section are independent of any specific access control policy. In general, an access control policy consists of three components. First, security attributes must be associated with the subjects accessing entities in the system. Second, security attributes must be associated with the entities in the system that subjects access. Finally, a rule must be defined that indicates the set of accesses that a subject with a given attribute can make to an entity with a given attribute. To provide policy flexibility, the DTOS kernel abstracts the security attributes associated with specific policies into sets of *security identifiers*. Although the kernel relies upon a security server to define the policy to be enforced, the kernel maintains a cache of accesses previously authorized by the security server. In addition to providing a framework for access control policies, the DTOS kernel also enhances the security of the Mach IPC mechanism. The organization of this section is as follows: - Section 5.1, Subject Security Information, describes the security information recorded for subjects. - Section 5.2, **Object Security Information**, describes the security information recorded for objects. - Section 5.3, **Security Identifiers for Access Computations**, describes some security identifiers used only in access computations. - Section 5.4, **Permissions**, describes the permissions enforced in DTOS. - Section 5.5, **Access Vector Cache**, describes the DTOS kernel's access vector cache. - Section 5.6, **Message Security Information**, describes the security information associated with messages to enhance the security of the Mach IPC mechanism. - Section 5.7, **Task Creation Information**, describes information associated with tasks to enhance the security of the Mach approach for process initiation. - Section 5.8, **Server Ports**, describes ports used by the kernel for communication with other servers. - Section 5.9, **Memory Region Protections**, describes information associated with regions to allow the DTOS kernel to enforce access. # 5.1 Subject Security Information Subjects in DTOS are threads executing within tasks. Each task has a subject security identifier (SSI). The set SSI denotes the set of all SSIs. We will occasionally need to identify two distinct components of each SID, a mandatory security identifier (MID) and an authentication identifier (AID). We use the types MID and AID to denote, respectively, MIDs and AIDs. The functions $Ssi\_to\_mid$ and $Ssi\_to\_aid$ are used to map SSIs to MIDs and AIDs. # **DTOS Kernel Definition 1** ``` [SSI] [MID, AID] Ssi\_to\_mid : SSI \longrightarrow MID Ssi\_to\_aid : SSI \longrightarrow AID ``` The expressions $\underline{t}$ $ask\_sid(task)$ , $task\_mid(task)$ and $task\_aid(task)$ are used to denote the SSI, MID and AID associated with a task. The expression $thread\_sid(thread)$ denotes the SSI associated with a thread. It is defined to be the SSI of its parent task. #### **DTOS Kernel Definition 2** ``` SubjectSid \\ TaskExist \\ ThreadExist \\ TasksAndThreads \\ \underline{t}ask\_sid: TASK \rightarrow SSI \\ task\_mid: TASK \rightarrow MID \\ task\_aid: TASK \rightarrow AID \\ thread\_sid: THREAD \rightarrow SSI \\ \\ dom \underline{t}ask\_sid = dom task\_mid = dom task\_aid = \underline{t}ask\_exists \\ dom thread\_sid = \underline{t}hread\_exists \\ task\_mid = Ssi\_to\_mid \circ \underline{t}ask\_sid \\ task\_aid = Ssi\_to\_aid \circ \underline{t}ask\_sid \\ thread\_sid = \underline{t}ask\_sid \circ owning\_task \\ \\ ``` # 5.2 Object Security Information Each port has an associated *object security identifier* (OSI) that represents the security attributes associated with the port. Similarly, each memory region has an associated OSI. The set *OSI* denotes the set of all OSIs. The functions $Osi\_to\_mid$ and $Osi\_to\_aid$ are used to map OSIs to MIDs and AIDs. #### **DTOS Kernel Definition 3** The expressions $\underline{port\_sid(port)}$ , $\underline{port\_mid(port)}$ and $\underline{port\_aid(port)}$ are used to denote the OSI, MID and AID associated with a port. ``` \begin{array}{l} PortSid \\ \hline PortExist \\ \underline{port\_sid}: PORT \rightarrow OSI \\ port\_mid: PORT \rightarrow MID \\ port\_aid: PORT \rightarrow AID \\ \hline \\ \text{dom } \underline{port\_sid} = \text{dom } port\_mid = \text{dom } port\_aid = \underline{port\_exists} \\ port\_mid = Osi\_to\_mid \circ \underline{port\_sid} \\ port\_aid = Osi\_to\_aid \circ \underline{port\_sid} \\ \hline \end{array} ``` Each task and thread has a self port on which the kernel receives requests to perform an action on the task or thread. The OSI of the self ports is derived from the SSI of the corresponding task. The expressions $Task\_port\_sid(ssi)$ and $Thread\_port\_sid(ssi)$ indicate the corresponding OSIs. When memory is allocated, it is labeled with an OSI that is derived from the SSI of the owning task. The expression $Default\_vm\_port\_sid(ssi)$ indicates the derived OSI. Similarly, when a port is created, it is labeled with an OSI derived from the SSI of the task in whose IPC name space it is allocated. The expression $Default\_port\_sid(ssi)$ indicates the derived OSI. ## **DTOS Kernel Definition 5** ``` Task\_port\_sid: SSI \longrightarrow OSI Thread\_port\_sid: SSI \longrightarrow OSI Default\_vm\_port\_sid: SSI \longrightarrow OSI Default\_port\_sid: SSI \longrightarrow OSI disjoint \langle ran Task\_port\_sid, ran Thread\_port\_sid, ran Default\_vm\_port\_sid \rangle ``` ``` KernelPortSid \_ TasksAndThreads SpecialPurposePorts SubjectSid PortSid \forall task: \underline{t}ask\_exists \bullet \underline{p}ort\_sid(task\_self(task)) = Task\_port\_sid(\underline{t}ask\_sid(task)) \forall thread: \underline{t}hread\_exists \bullet \underline{p}ort\_sid(thread\_exists) \bullet \underline{p}ort\_sid(thread\_self(thread)) = Thread\_port\_sid(\underline{t}ask\_sid(owning\_task(thread))) ``` The expressions $\underline{p}$ $age\_sid(task, page\_index)$ , $page\_mid(task, page\_index)$ and $page\_aid(task, page\_index)$ are used to denote the OSI, MID and AID associated with a page. Note that $\underline{p}$ $age\_sid$ effectively associates an OSI with each allocated address in a task's address space. If a page is managed and the manager is not the default memory manager, then the SID of the page is derived from the SID of the pager port of the object containing the page. The derivation of page SIDs from pager port SIDs is modeled by the function $Pp\_to\_page\_sid$ . # **DTOS Kernel Definition 6** ``` Pp\_to\_page\_sid : OSI \longrightarrow OSI ``` ``` PageSid. AddressSpace Memory TasksAndPorts PortSid page\_sid: TASK \times PAGE\_INDEX \longrightarrow OSI page\_mid: TASK \times PAGE\_INDEX \longrightarrow MID page\_aid: TASK \times PAGE\_INDEX \longrightarrow AID \operatorname{dom} p \, age\_sid = \operatorname{dom} page\_mid = \operatorname{dom} page\_aid = \underline{a} \, llocated page\_mid = Osi\_to\_mid \circ page\_sid page\_aid = Osi\_to\_aid \circ page\_sid (\forall task\_va\_pair : TASK \times PAGE\_INDEX; memory : MEMORY; port: PORT |(task\_va\_pair, memory) \in mapped\_memory| \land (memory, port) \in object\_port \land receiver(port) \neq receiver(default\_mem\_manager) • page\_sid(task\_va\_pair) = Pp\_to\_page\_sid(port\_sid(port))) ``` Editorial Note: Need to figure out if their is a better way to check that the memory is not being paged by the default memory manager. ## **DTOS Kernel Definition 8** ``` \begin{array}{c} ObjectSid \\ PortSid \\ KernelPortSid \\ PageSid \\ \hline \\ dom Pp\_to\_page\_sid \subseteq \operatorname{ran} \underline{port\_sid} \\ \operatorname{ran} Pp\_to\_page\_sid \subseteq \operatorname{ran} \underline{page\_sid} \end{array} ``` # 5.3 Security Identifiers for Access Computations Access computations in the DTOS kernel are generally made based upon the SSI of the task accessing an object and the OSI of the accessed object. This section discusses a few special cases in which other security identifiers are used. Sometimes kernel requests can have side effects resulting in outcalls from the kernel, for instance, to deliver dead name notifications. For fine grained control over such operations it is desirable to distinguish between the kernel sending such a message to a port as a side effect of another request and the client directly sending a message to the port. To provide for this, such side effects are sometimes controlled based not upon the SSI of the client but upon an SSI derived from the client's SSI and indicating that it is the kernel acting on behalf of a client with the given SSI. The function $Derive\_kernel\_as$ maps an SSI $s_1$ to the derived SSI $s_2$ representing the kernel acting on behalf of a task with SSI $s_1$ . We use $kernel\_as(task)$ to denote the derived SSI indicating the kernel acting on behalf of a task task. ``` Derive\_kernel\_as : SSI \longrightarrow SSI ``` One of the features of Mach is that it allows tasks to perform operations on other tasks that have not traditionally been provided by operating systems. For example, Mach allows tasks to access memory regions in other tasks while one of the features of traditional operating systems is the separation of address spaces. To provide finer control over task accesses, we define $Task\_self\_sid$ to be a value to be used in access computations governing accesses a task makes to itself. Similarly, we use $Thread\_self\_sid$ to be a value to be used in access computations governing accesses a task makes to threads that it owns. The security policy should normally be defined in such a way as to prevent any kernel entities from being assigned $Task\_self\_sid$ or $Thread\_self\_sid$ as their SID. Instead, these SIDs indicate to security servers that the kernel requires an access computation to be performed between a task and the task itself or between a task and one of the task's threads. One potential use of this finer control would be to contain a faulty task by preventing it from corrupting other tasks having the same SID. We define $task\_target(task_1, task_2)$ to be the OSI of $task_2$ 's self port if $task_1$ and $task_2$ are different and $Task\_self\_sid$ , otherwise. Analogously, we define $thread\_target(task, thread)$ to be the OSI of thread's self port if thread does not belong to task and $Thread\_self\_sid$ , otherwise. When $task_1$ attempts to operate on $task_2$ , the kernel enforces accesses on the pair $(\underline{t}ask\_sid(task_1), task\_target(task_1, task_2))$ . Analogously, operations that task performs on thread are governed by the accesses recorded for $(\underline{t}ask\_sid(task), thread\_target(task, thread))$ . This allows separate permissions sets to be applied when a task operates on itself versus operating on another process with the same SSI. #### **DTOS Kernel Definition 10** ``` \begin{array}{c} Task\_self\_sid : OSI \\ \hline Thread\_self\_sid : OSI \\ \hline \hline Task\_self\_sid \neq Thread\_self\_sid \end{array} ``` <sup>&</sup>lt;sup>7</sup>This property is not guaranteed by the kernel. For example, a **mach\_port\_allocate\_secure** request may specify a self SID as the SID for the newly created port. If the security server allows the client to add a name to the target task and allows the target task to hold a receive right for a port with the specified SID, the request will succeed and the port will be labeled with a self SID. ``` TargetSids PortSid Tasks And\ Th\ reads Special Purpose Ports task\_target : TASK \times TASK \longrightarrow OSI thread\_target : TASK \times THREAD \longrightarrow OSI \{ Task\_self\_sid, Thread\_self\_sid \} \cap ran \ port\_sid = \emptyset dom task\_target = TASK \times task\_exists dom thread\_target = TASK \times thread\_exists \forall task_1, task_2 : TASK • task\_target(task_1, task_2) = if task_1 = task_2 then Task\_self\_sid else port\_sid(task\_self(task_2)) \forall task : TASK; thread : THREAD • thread_target(task, thread) = if task = owning\_task(thread) then Thread\_self\_sid else port\_sid(thread\_self(thread)) ``` #### Editorial Note: In the prototype $Task\_self\_sid$ and $Thread\_self\_sid$ are not implemented as constants. Rather, they are derived from the corresponding subject SID in the same way as the derived SIDs $Task\_port\_sid$ , $Thread\_port\_sid$ , $Default\_vm\_port\_sid$ and $Default\_port\_sid$ which are described above. Given the way the self SIDs are used the two approaches are equivalent. # 5.4 Permissions The DTOS security policy constrains when clients may obtain *services*. The security policy is enforced by: - associating a set of allowed permissions<sup>8</sup> with each SSI-OSI pair, - associating a set of required permissions with each service, and - granting service only when the required permissions are contained in the allowed permissions for the client to the target for the operation. The set *PERMISSION* denotes the set of all permissions. This set contains permissions governing kernel services as well as permissions governing services provided by user space servers. The set Kernel\_permission is used to denote the subset of PERMISSION that governs kernel services. ## **DTOS Kernel Definition 12** ``` [PERMISSION] ``` $Kernel\_permission : \mathbb{P}\ PERMISSION$ <sup>&</sup>lt;sup>8</sup> Note that the terms *access vector*, *service vector*, and *permission set* are used somewhat interchangeably. The elements of $Kernel\_permission$ are enumerated in subsections 5.4.1-5.4.14. The operator $Values\_partition$ is formally defined in Appendix C. Informally, the expression $\langle val_1, \ldots, val_n \rangle$ $Values\_partition$ S denotes that the values $val_1, \ldots, val_n$ are unique values that together comprise the set $val\_set$ . #### 5.4.1 IPC Permissions The DTOS kernel enforces the following "IPC" permissions: Can\_receive, Can\_send, Hold\_receive, Hold\_send, Hold\_send\_once, Interpose, Map\_vm\_region, Set\_reply, Specify, Transfer\_ool, Transfer\_receive, Transfer\_rights, Transfer\_send, Transfer\_send\_once. We use Ipc\_permissions to denote this set of permissions. #### **DTOS Kernel Definition 13** ``` Ipc\_permissions: \mathbb{P}\ PERMISSION\\ Can\_receive,\ Can\_send,\ Hold\_receive,\\ Hold\_send,\ Hold\_send\_once,\ Interpose,\\ Map\_vm\_region,\ Set\_reply,\ Specify,\\ Transfer\_ool,\ Transfer\_receive,\ Transfer\_rights,\\ Transfer\_send,\ Transfer\_send\_once:\\ PERMISSION\\ \hline{\langle Can\_receive,\ Can\_send,\ Hold\_receive,\ Hold\_send,\ Hold\_send\_once,\ Interpose,\\ Map\_vm\_region,\ Set\_reply,\ Specify,\ Transfer\_ool,\ Transfer\_receive,\\ Transfer\_rights,\ Transfer\_send,\ Transfer\_send\_once \rangle\\ Values\_partition\ Ipc\_permissions ``` # 5.4.2 Port Permissions The DTOS kernel enforces the following permissions on port requests: $Add\_name$ , $Alter\_pns\_info$ , $Extract\_right$ , $Lookup\_ports$ , $Manipulate\_port\_set$ , $Observe\_pns\_info$ , $Port\_rename$ , $Register\_notification$ , $Register\_ports$ , $Remove\_name$ . We use $Port\_permissions$ to denote this set of permissions. ``` Port\_permissions: \mathbb{P}\ PERMISSION\\ Add\_name, Alter\_pns\_info, Extract\_right,\\ Lookup\_ports, Manipulate\_port\_set, Observe\_pns\_info,\\ Port\_rename, Register\_notification, Register\_ports,\\ Remove\_name:\\ PERMISSION\\ \hline $\langle Add\_name, Alter\_pns\_info, Extract\_right, Lookup\_ports,\\ Manipulate\_port\_set, Observe\_pns\_info, Port\_rename,\\ Register\_notification, Register\_ports, Remove\_name $\rangle $\\ Values\_partition\ Port\_permissions ``` #### 5.4.3 VM Permissions ## The DTOS kernel enforces the following permissions on VM requests: Access\_machine\_attribute, Allocate\_vm\_region, Chg\_vm\_region\_prot, Copy\_vm, Deallocate\_vm\_region, Get\_vm\_region\_info, Get\_vm\_statistics, Read\_vm\_region, Set\_vm\_region\_inherit, Wire\_vm\_for\_task, Write\_vm\_region. We use Vm\_permissions to denote this set of permissions. ## **DTOS Kernel Definition 15** ``` Vm\_permissions: \mathbb{P}\ PERMISSION\\ Access\_machine\_attribute, Allocate\_vm\_region, Chg\_vm\_region\_prot,\\ Copy\_vm, Deallocate\_vm\_region, Get\_vm\_region\_info,\\ Get\_vm\_statistics, Read\_vm\_region, Set\_vm\_region\_inherit,\\ Wire\_vm\_for\_task, Write\_vm\_region:\\ PERMISSION\\ \hline \langle Access\_machine\_attribute, Allocate\_vm\_region, Chg\_vm\_region\_prot,\\ Copy\_vm, Deallocate\_vm\_region, Get\_vm\_region\_info, Get\_vm\_statistics,\\ Read\_vm\_region, Set\_vm\_region\_inherit, Wire\_vm\_for\_task,\\ Write\_vm\_region \rangle\\ Values\_partition\ Vm\_permissions ``` #### 5.4.4 Memory Object Permissions The DTOS kernel enforces the following permissions on memory requests: $Have\_execute$ , $Have\_read$ , $Have\_write$ , $Page\_vm\_region$ . We use $Memory\_object\_permissions$ to denote this set of permissions. #### **DTOS Kernel Definition 16** #### 5.4.5 Pager Permissions The DTOS kernel enforces the following permissions on pager requests: Change\_page\_locks, Destroy\_object, Get\_attributes, Invoke\_lock\_request, Make\_page\_precious, Provide\_data, Remove\_page, Revoke\_ibac, Save\_page, Set\_attributes, Set\_ibac\_port, Supply\_ibac. We use Pager\_permissions to denote this set of permissions. #### **DTOS Kernel Definition 17** ``` Pager\_permissions: \mathbb{P}\ PERMISSION\\ Change\_page\_locks, Destroy\_object, Get\_attributes,\\ Invoke\_lock\_request, Make\_page\_precious, Provide\_data,\\ Remove\_page, Revoke\_ibac, Save\_page,\\ Set\_attributes, Set\_ibac\_port, Supply\_ibac:\\ PERMISSION\\ \hline $\langle Change\_page\_locks, Destroy\_object, Get\_attributes, Invoke\_lock\_request,\\ Make\_page\_precious, Provide\_data, Remove\_page, Revoke\_ibac, Save\_page,\\ Set\_attributes, Set\_ibac\_port, Supply\_ibac $\rangle \\ Values\_partition\ Pager\_permissions ``` #### 5.4.6 Thread Permissions The DTOS kernel enforces the following permissions on thread requests: Abort\_thread, Abort\_thread\_depress, Assign\_thread\_to\_pset, Can\_swtch, Can\_swtch\_pri, Depress\_pri, Get\_thread\_assignment, Get\_thread\_exception\_port, Get\_thread\_info, Get\_thread\_kernel\_port, Get\_thread\_state, Initiate\_secure, Raise\_exception, Resume\_thread, Sample\_thread, Set\_max\_thread\_priority, Set\_thread\_exception\_port, Set\_thread\_kernel\_port, Set\_thread\_policy, Set\_thread\_priority, Set\_thread\_state, Suspend\_thread, Switch\_thread, Terminate\_thread, Wait\_evc, Wire\_thread\_into\_memory. We use Thread\_permissions to denote this set of permissions. #### **DTOS Kernel Definition 18** ``` Thread\_permissions: \mathbb{P}\ PERMISSION Abort_thread, Abort_thread_depress, Assign_thread_to_pset, Can_swtch, Can_swtch_pri, Depress_pri, Get\_thread\_assignment, Get\_thread\_exception\_port, Get\_thread\_info, Get_thread_kernel_port, Get_thread_state, Initiate_secure, Raise_exception, Resume_thread, Sample_thread, Set\_max\_thread\_priority, Set\_thread\_exception\_port, Set\_thread\_kernel\_port, Set_thread_policy, Set_thread_priority, Set_thread_state, Suspend_thread, Switch_thread, Terminate_thread, Wait\_evc, Wire\_thread\_into\_memory: PERMISSION \langle Abort\_thread, Abort\_thread\_depress, Assign\_thread\_to\_pset, Can\_swtch, Can_swtch_pri, Depress_pri, Get_thread_assignment, Get\_thread\_exception\_port, Get\_thread\_info, Get\_thread\_kernel\_port, Get_thread_state, Initiate_secure, Raise_exception, Resume_thread, Sample_thread, Set_max_thread_priority, Set_thread_exception_port, Set_thread_kernel_port, Set_thread_policy, Set_thread_priority, Set_thread_state, Suspend_thread, Switch_thread, Terminate_thread, Wait_evc, Wire_thread_into_memory Values_partition Thread_permissions ``` #### 5.4.7 Task Permissions The DTOS kernel enforces the following permissions on task requests: $Add\_thread$ , $Add\_thread\_secure$ , $Assign\_task\_to\_pset$ , $Change\_sid$ , $Chg\_task\_priority$ , $Create\_task$ , $Create\_task\_secure$ , $Cross\_context\_create$ , $Cross\_context\_inherit$ , $Get\_emulation$ , $Get\_task\_assignment$ , $Get\_task\_boot\_port$ , $Get\_task\_exception\_port$ , $Get\_task\_info$ , $Get\_task\_kernel\_port$ , $Get\_task\_threads$ , $Make\_sid$ , $Resume\_task$ , $Sample\_task$ , $Set\_emulation$ , $Set\_ras$ , $Set\_task\_boot\_port$ , $Set\_task\_exception\_port$ , $Set\_task\_kernel\_port$ , $Suspend\_task$ , $Terminate\_task$ , $Transition\_sid$ . We use $Task\_task\_permissions$ to denote this set of permissions. #### **DTOS Kernel Definition 19** ``` Task\_task\_permissions: \mathbb{P}\ PERMISSION Add\_thread, Add\_thread\_secure, Assign\_task\_to\_pset, Change_sid, Chg_task_priority, Create_task, Create_task_secure, Cross_context_create, Cross_context_inherit, Get_emulation, Get_task_assignment, Get_task_boot_port, Get\_task\_exception\_port, Get\_task\_info, Get\_task\_kernel\_port, Get\_task\_threads, Make\_sid, Resume\_task, Sample_task, Set_emulation, Set_ras, Set_task_boot_port, Set_task_exception_port, Set_task_kernel_port, Suspend_task, Terminate_task, Transition_sid: PERMISSION \langle Add\_thread\_secure, Assign\_task\_to\_pset, Change\_sid, Chg_task_priority, Create_task, Create_task_secure, Cross_context_create, Cross_context_inherit, Get_emulation, Get\_task\_assignment, Get\_task\_boot\_port, Get\_task\_exception\_port, Get_task_info, Get_task_kernel_port, Get_task_threads, Make_sid, Resume\_task, Sample\_task, Set\_emulation, Set\_ras, Set\_task\_boot\_port, Set_task_exception_port, Set_task_kernel_port, Suspend_task, Terminate_task, Transition_sid Values_partition Task_task_permissions ``` We use $Task\_permissions$ to denote the union of $Task\_task\_permissions$ , $Port\_permissions$ , and $Vm\_permissions$ . #### **DTOS Kernel Definition 20** #### 5.4.8 Host Name Port Permissions The DTOS kernel enforces the following permissions on host name port requests: Create\_pset, Flush\_permission, Get\_audit\_port, Get\_authentication\_port, Get\_crypto\_port, Get\_default\_pset\_name, Get\_host\_control\_port, Get\_host\_info, Get\_host\_name, Get\_host\_version, Get\_negotiation\_port, Get\_network\_ss\_port, Get\_security\_master\_port, Get\_security\_client\_port, Get\_special\_port, Get\_time, Pset\_names, Set\_audit\_port, Set\_authentication\_port, Set\_crypto\_port, Set\_negotiation\_port, Set\_network\_ss\_port, Set\_security\_master\_port, Set\_security\_client\_port, Set\_special\_port. We use Host\_name\_port\_permissions to denote this set of permissions. #### **DTOS Kernel Definition 21** ``` Host\_name\_port\_permissions : \mathbb{P} \ PERMISSION Create_pset, Flush_permission, Get_audit_port, Get\_authentication\_port, Get\_crypto\_port, Get\_default\_pset\_name, Get\_host\_control\_port, Get\_host\_info, Get\_host\_name, Get_host_version, Get_negotiation_port, Get_network_ss_port, Get\_security\_master\_port, \ Get\_security\_client\_port, \ Get\_special\_port, Get\_time, Pset\_names, Set\_audit\_port, Set\_authentication\_port, Set\_crypto\_port, Set\_negotiation\_port, Set_network_ss_port, Set_security_master_port, Set_security_client_port, Set_special_port: PERMISSION \langle Create\_pset, Flush\_permission, Get\_audit\_port, Get\_authentication\_port, Get\_crypto\_port, Get\_default\_pset\_name, Get_host_control_port, Get_host_info, Get_host_name, Get_host_version, Get_negotiation_port, Get_network_ss_port, Get_security_master_port, Get\_security\_client\_port, \ Get\_special\_port, \ Get\_time, Pset\_names, Set\_audit\_port, Set\_authentication\_port, Set\_crypto\_port, Set\_negotiation\_port, Set\_network\_ss\_port, Set_security_master_port, Set_security_client_port, Set_special_port) Values\_partition\ Host\_name\_port\_permissions ``` #### 5.4.9 Host Control Port Permissions #### The DTOS kernel enforces the following permissions on host control port requests: Get\_boot\_info, Get\_host\_processors, Pset\_ctrl\_port, Reboot\_host, Set\_default\_memory\_mgr, Set\_time, Wire\_thread, Wire\_vm. We use Host\_control\_port\_permissions to denote this set of permissions. #### **DTOS Kernel Definition 22** ``` Host\_control\_port\_permissions: \mathbb{P}\ PERMISSION Get\_boot\_info,\ Get\_host\_processors,\ Pset\_ctrl\_port, Reboot\_host,\ Set\_default\_memory\_mgr,\ Set\_time, Wire\_thread,\ Wire\_vm: PERMISSION \langle Get\_boot\_info,\ Get\_host\_processors,\ Pset\_ctrl\_port,\ Reboot\_host, Set\_default\_memory\_mgr,\ Set\_time,\ Wire\_thread,\ Wire\_vm\rangle Values\_partition\ Host\_control\_port\_permissions ``` #### 5.4.10 Processor Permissions #### The DTOS kernel enforces the following permissions on processor requests: Assign\_processor\_to\_set, Get\_processor\_assignment, Get\_processor\_info, May\_control\_processor. We use Processor\_permissions to denote this set of permissions. #### **DTOS Kernel Definition 23** ``` Processor\_permissions: \mathbb{P}\ PERMISSION \\ Assign\_processor\_to\_set, Get\_processor\_assignment, Get\_processor\_info, \\ May\_control\_processor: \\ PERMISSION \\ \hline \langle Assign\_processor\_to\_set, Get\_processor\_assignment, Get\_processor\_info, \\ May\_control\_processor \rangle \\ Values\_partition\ Processor\_permissions ``` #### 5.4.11 Processor Set Name Port Permissions The DTOS kernel enforces the following permissions on processor set name port requests: $Get\_pset\_info$ . We use $Procset\_name\_port\_permissions$ to denote this set of permissions. #### **DTOS Kernel Definition 24** ``` Procset_name_port_permissions : ℙ PERMISSION Get_pset_info : PERMISSION ⟨Get_pset_info⟩ Values_partition Procset_name_port_permissions ``` #### 5.4.12 Processor Set Control Port Permissions The DTOS kernel enforces the following permissions on processor set control port requests: $Assign\_processor$ , $Assign\_task$ , $Assign\_thread$ , $Chg\_pset\_max\_pri$ , $Define\_new\_scheduling\_policy$ , $Destroy\_pset$ , $Invalidate\_scheduling\_policy$ , $Observe\_pset\_processes$ . We use $Procest\_control\_port\_permissions$ to denote this set of permissions. ## **DTOS Kernel Definition 25** ``` Procset\_control\_port\_permissions: \mathbb{P}\ PERMISSION Assign\_processor, Assign\_task, Assign\_thread, Chg\_pset\_max\_pri, Define\_new\_scheduling\_policy, Destroy\_pset, Invalidate\_scheduling\_policy, Observe\_pset\_processes: PERMISSION \langle Assign\_processor, Assign\_task, Assign\_thread, Chg\_pset\_max\_pri, Define\_new\_scheduling\_policy, Destroy\_pset, Invalidate\_scheduling\_policy, Observe\_pset\_processes \rangle Values\_partition\ Procset\_control\_port\_permissions ``` We use Procset\_permissions to denote the union of Procset\_name\_port\_permissions and Procset\_control\_port\_permissions. ## **DTOS Kernel Definition 26** ``` \frac{Procset\_permissions: \mathbb{P}\ PERMISSION}{\langle Procset\_name\_port\_permissions, Procset\_control\_port\_permissions \rangle} \mathsf{partition}\ Procset\_permissions ``` #### 5.4.13 Device Permissions The DTOS kernel enforces the following permissions on device requests: $Close\_device$ , $Control\_pager$ , $Get\_device\_status$ , $Map\_device$ , $Open\_device$ , $Read\_device$ , $Set\_device\_filter$ , $Set\_device\_status$ , $Write\_device$ . We use $Device\_permissions$ to denote this set of permissions. #### **DTOS Kernel Definition 27** ``` Device_permissions: P PERMISSION Close_device, Control_pager, Get_device_status, Map_device, Open_device, Read_device, Set_device_filter, Set_device_status, Write_device: PERMISSION (Close_device, Control_pager, Get_device_status, Map_device, Open_device, Read_device, Set_device_filter, Set_device_status, Write_device) Values_partition Device_permissions ``` ## 5.4.14 Kernel Reply Port Permissions The DTOS kernel enforces the following permissions on requests sent to kernel reply ports: $Provide\_permission$ . We use $Kernel\_reply\_permissions$ to denote this set of permissions. #### **DTOS Kernel Definition 28** ``` Kernel_reply_permissions : P PERMISSION Provide_permission : PERMISSION (Provide_permission) Values_partition Kernel_reply_permissions ``` We do not require that all of the above sets of permissions be non-overlapping. The only such requirement is that the $Ipc\_permissions$ do not overlap with any of the other sets. This is consistent with the current prototype in which permissions are simply integers specifying positions in access vectors. Because there are different types of access vector depending upon the type of target object, multiple permissions may specify the same access vector position. Every vector contains the IPC permissions stored at the same positions. ## **DTOS Kernel Definition 29** ``` \begin{split} Ipc\_permissions \\ &\cap (Memory\_object\_permissions \cup Pager\_permissions \\ &\cup Thread\_permissions \cup Task\_permissions \\ &\cup Host\_name\_port\_permissions \cup Host\_control\_port\_permissions \\ &\cup Processor\_permissions \cup Procset\_permissions \\ &\cup Device\_permissions \cup Kernel\_reply\_permissions) \\ &= \varnothing \end{split} ``` ## 5.5 Access Vector Cache The kernel receives an access decision from the security server as a Ruling. Each ruling consists of: - ssi a subject security identifier - osi an object security identifier - access\_vector a set of granted permissions between the ssi and osi - control\_vector the set of granted permissions which are allowed to be cached in the kernel for later access - *expiration\_value* the time at which the cached permissions expire #### **DTOS Kernel Definition 30** ``` Ruling ssi: SSI osi: OSI access\_vector: PPERMISSION control\_vector: PPERMISSION expiration\_value: N ``` Review Note: We need to be careful not to get bit by using ssi and osi in Ruling, since they are often used as "variables" also. Or else we could rename them here. A ruling is usable for a given ssi and osi if the ssi and osi match those in the ruling and the ruling has not expired. The expression $Usable\_ruling(ssi, osi, time)$ denotes the set of all such rulings with respect to ssi, osi and time, the time at which the ruling is consulted. When a ruling is initially received by the kernel, the kernel need only check the access vector and expiration time to see if a permission is granted. This is reflected by the function $Ruling\_allows(ruling, ssi, osi)$ which returns the set of permissions in the access vector of ruling if ssi and osi are the same as in ruling. Editorial Note: The prototype does not currently check the expiration time in these cases, but we plan to correct this. ## **DTOS Kernel Definition 31** ``` Usable\_ruling: SSI \times OSI \times \mathbb{N} \longrightarrow \mathbb{P} \ Ruling \\ Ruling\_allows: Ruling \times SSI \times OSI \times \mathbb{N} \longrightarrow \mathbb{P} \ PERMISSION \\ \forall ruling: Ruling; ssi: SSI; osi: OSI; time: \mathbb{N}; permission: PERMISSION \\ \bullet (ruling \in Usable\_ruling(ssi, osi, time) \\ \Leftrightarrow (ssi = ruling.ssi \\ \land osi = ruling.osi \\ \land time < ruling.expiration\_value)) \\ \land permission \in Ruling\_allows(ruling, ssi, osi, time) \\ \Leftrightarrow (ruling \in Usable\_ruling(ssi, osi, time) \\ \land permission \in ruling.access\_vector) \\ ``` To enhance performance, the kernel is permitted to cache the rulings provided by security servers. A cached ruling is usable for a given ssi, osi and permission if the ssi and osi match those in the ruling, the permission is in the $control\_vector$ and the ruling has not expired. The expression $Usable\_cached\_ruling(ssi, osi, permission, time)$ denotes the set of all such rulings. Once cached, a ruling grants a particular permission from ssi to osi if the ruling is usable and the permission is included in the $access\_vector$ . This is reflected by the function $Cached\_ruling\_allows(ruling, ssi, osi, time)$ , where time is the time at which the ruling is consulted. ## **DTOS Kernel Definition 32** The kernel cache is a set of rulings, represented by $\underline{c}$ ache. There may only be one unexpired ruling in the cache for each (ssi, osi) pair. The function $cache\_allows(ssi, osi)$ returns the set of permissions granted to the (ssi, osi) pair by the rulings in the cache according to the function $Cached\_ruling\_allows$ . The quadruple (ssi, osi, permission, ruling) is in $cached\_ruling\_avail$ if and only if ruling is in the cache and it is usable for ssi, osi and permission at the current time. #### **DTOS Kernel Definition 33** ``` .KernelCache _ cache: \mathbb{P} Ruling cache\_allows: SSI \times OSI \longrightarrow \mathbb{P}\ PERMISSION cached\_ruling\_avail : \mathbb{P}(SSI \times OSI \times PERMISSION \times Ruling) HostTime \forall \ ruling_1, ruling_2 : Ruling | \{ ruling_1, ruling_2 \} \subseteq \underline{c} ache \land ruling_1.ssi = ruling_2.ssi \land ruling_1.osi = ruling_2.osi \land ruling_1.expiration\_value > host\_time \land ruling_2.expiration\_value > \underline{h}ost\_time • ruling_1 = ruling_2 \forall ssi: SSI; osi: OSI • cache\_allows(ssi, osi) = \bigcup \{ruling : Ruling \mid ruling \in \underline{c}ache\} • Cached_ruling_allows(ruling, ssi, osi, host_time)} \forall ssi: SSI; osi: OSI; permission: PERMISSION; ruling: Ruling • (ssi, osi, permission, ruling) \in cached\_ruling\_avail \Leftrightarrow (ruling \in cache \cap Usable\_cached\_ruling(ssi, osi, permission, host\_time)) ``` # 5.6 Message Security Information Each existing message has an SSI associated with it that indicates the SSI of the task that sent the message. The expression $\underline{msg\_sending\_sid}$ (message) indicates the SSI of the task that sent message. In addition, certain messages have an associated SSI that indicates which tasks may receive the message. The set $msg\_receiver\_specified$ indicates the set of messages that have a receiving SID specified, and $\underline{m}sg\_receiving\_sid(message)$ indicates the receiving SSI for each message in this set. As part of the processing of a message, the sender's permissions to the destination port are computed and attached to the message. The set $msg\_ruling\_computed$ denotes the set of messages for which the permissions have already been computed, and $\underline{m}sg\_ruling(message)$ indicates the associated set of permissions for each such message. A ruling must be computed for each message before the message can be enqueued at a port. An "effective" sending SID and access vector may optionally be specified by the sender of a message. The expressions $\underline{m}sg\_specified\_sid(message)$ and $\underline{m}sg\_specified\_vector(message)$ indicate, respectively, the "effective" SID and access vector specified by the sender. Editorial Note: Need to think about how to model the specified vectors. The current specification ignores the cache control and notification vectors. The prototype currently has all three vectors represented explicitly. It has been implemented to allow the number of vectors to be easily changed. #### **DTOS Kernel Definition 34** ``` DtosMessages. MessageExist MessageQueues msq\_sending\_sid : MESSAGE \longrightarrow SSI msg\_receiver\_specified: \mathbb{P}\ MESSA\ GE \underline{m}sg\_receiving\_sid: MESSAGE \longrightarrow SSI msg\_ruling\_computed: \mathbb{P} MESSAGE msq\_ruling : MESSAGE \longrightarrow Ruling msg\_specified\_sid : MESSAGE \longrightarrow SSI msg\_specified\_vector: MESSAGE \longrightarrow \mathbb{P}\ PERMISSION dom msg\_sending\_sid = message\_exists dom \underline{msg\_receiving\_sid} = msg\_receiver\_specified \subseteq \underline{message\_exists} dom msq\_ruling = msq\_ruling\_computed \subset message\_exists dom\ containing\_port \subseteq msg\_ruling\_computed dom \underline{msg\_specified\_sid} \subseteq \underline{message\_exists} dom \underline{msg\_specified\_vector} \subseteq \underline{message\_exists} ``` #### 5.7 Task Creation Information Each task has a state used in controlling the secure initiation of threads within that task. The type $TASK\_CREATION\_STATE$ is comprised of the possible values of this state. The recognized values of this type are: - $Tcs\_task\_empty$ indicates a task that was created using task\_create\_secure and does not yet have any threads. - Tcs\_thread\_created indicates a task created using task\_create\_secure for which a thread has been created using thread\_create\_secure but has not had its initial state set. - Tcs\_thread\_state\_set indicates a task created using task\_create\_secure for which a thread has been created using thread\_create\_secure that has had its initial state set using thread\_set\_state\_secure but has not been resumed (i.e., started). - Tcs\_task\_ready —- indicates either a task that was not created using task\_create\_secure or a task that was created using task\_create\_secure and which has a thread that was created using thread\_create\_secure, has had its state set using thread\_set\_state\_secure, and has been resumed using thread\_resume\_secure. These states are used to ensure that processes initiated using **task\_create\_secure** follow the normal process initiation sequence of: - 1. Create the task. - 2. Create a thread within the task. - 3. Set the state of the thread. - 4. Resume the thread. ``` Review Note: The above, particularly the description of Tcs\_task\_ready, must be checked against the prototype ``` This allows an untrusted process to create a trusted process using **task\_create\_secure** while prohibiting the untrusted process from (for example) changing the state of threads in the trusted process after the trusted process has started execution. The expression $task\_creation\_state(task)$ denotes the creation state of task. $TASK\_CREATION\_STATE ::= Tcs\_task\_empty \mid Tcs\_thread\_created$ ## **DTOS Kernel Definition 35** ``` | Tcs\_thread\_state\_set | Tcs\_task\_ready \_ TaskCreationState \_ \_ TaskExist \_ task\_creation\_state : TASK <math>\rightarrow TASK\_CREATION\_STATE \_ task\_creation\_state = task\_exists ``` The Mach model of process creation uses an existing task to serve as a "template" for each new task. This task is the parent\_task parameter to **task\_create**. A newly created task inherits parts of its environment, such as portions of its address space, from the "parent" task. To simplify the statement of the security requirements on task creation, we introduce $parent\_task(task)$ to denote task's parent.<sup>9</sup> #### **DTOS Kernel Definition 36** <sup>&</sup>lt;sup>9</sup>Note that this information is not actually recorded in the current design. Since we only use this information for stating requirements on task creation and this information is available at this point in the processing in the implementation, this deviation between the model and the implementation is tolerable. ## 5.8 Server Ports The kernel records the ports to be used for communications with certain servers: - <u>security\_server\_master\_port</u> denotes the port used by the kernel to make requests of the security server. - $\blacksquare$ <u>security\_server\_client\_port</u> denotes the port used by non-kernel clients to make requests of the security server. - <u>a</u>uthentication\_server\_port denotes the port used to make requests of the authentication server. - $\underline{a}udit\_server\_port$ denotes the port used to make requests of the audit server. - $\blacksquare$ <u>crypto\_server\_port</u> denotes the port used to make requests of the crypto server. - $\blacksquare$ <u>negotiation\_server\_port</u> denotes the port used to make requests of the negotiation server. - $\underline{n}etwork\_ss\_port$ denotes the port used to make security requests over the network. #### **DTOS Kernel Definition 37** ``` ServerPorts = \underbrace{security\_server\_master\_port:PORT}_{security\_server\_client\_port:PORT} = \underbrace{authentication\_server\_port:PORT}_{audit\_server\_port:PORT} = \underbrace{avdit\_server\_port:PORT}_{crypto\_server\_port:PORT} = \underbrace{crypto\_server\_port:PORT}_{negotiation\_server\_port:PORT} = \underbrace{negotiation\_server\_port:PORT}_{network\_ss\_port:PORT} ``` When the kernel requests an access computation from the Security Server, it specifies a reply port to which the computed accesses should be sent. We use $\underline{k} ernel\_reply\_ports$ to denote the set of ports that the kernel has specified as reply ports for requests to the Security Server. ## **DTOS Kernel Definition 38** ``` KernelReplyPorts = \\ PortExist \\ \underline{k}_{ernel\_reply\_ports} : \mathbb{P}\ PORT \\ \underline{k}_{ernel\_reply\_ports} \subseteq \underline{p}_{ort\_exists} ``` # 5.9 Memory Region Protections The current protection of a region limits a task's access to that region. It is calculated as the intersection of the Mach protection together with the accesses allowed for a task to a memory region by the relevant access vector. We use protection(task,index) to denote current protections of the region denoted by a given task-index pair.<sup>10</sup> #### **Mach Definition 108** <sup>&</sup>lt;sup>10</sup>The prototype does not currently implement the enforcement of read-only access. The low-level memory routines in the prototype treat read and execute interchangeably. $Protection = \\ Mach Protection \\ protection : (TASK \times PAGE\_INDEX) \rightarrow \\ \mathbb{P}\ PROTECTION \\ \\ dom\ protection = dom\ \underline{m}\ ach\_protection \\ \forall\ task\_page\_index : TASK \times PAGE\_INDEX \\ |\ task\_page\_index \in dom\ protection \\ \bullet\ protection(task\_page\_index) \subseteq \underline{m}\ ach\_protection(task\_page\_index)$ # 5.10 Summary of DTOS Kernel State The DTOS kernel state is the Mach kernel state augmented with the access vector cache and the security information associated with subjects, objects, and messages. # **DTOS Kernel Definition 39** ## **DTOS Kernel Definition 40** # Section 6 DTOS Services This section describes the services provided by DTOS. The organization of this section is as follows: - Section 6.1 presents a simple execution model for DTOS. - Sections 6.2–6.13 define the abstract services relevant to IPC, ports, VM, pagers, threads, tasks, hosts, processors, processor sets, the permissions cache, and devices. Each abstract service is described informally in the context of the model provided in the preceding sections and then formally defined in Z. Each abstract service is assigned a name to facilitate references to the service. The tables in Section 7 use these service names to define the association between services and permissions. - Section 6.14 defines the abstract services of initiating a kernel outcall. These abstract services are used to state the requirements on kernel outcall services in Section 7. - Section 6.15 defines the abstract service of initiating an implementation service. This abstract service is used to state the requirements on implementation services in Section 7. In addition to describing the DTOS services, we also describe security threats that suggest the desirability of controlling the services. Our goal in describing these threats is to provide motivation for our selection of services rather than provide a complete description of all security threats to DTOS. In this document we follow the Z convention of using unprimed variables to denote values in the system state before a transition occurs and primed variables to denote values in the system state following the transition. For example, $\underline{t}ask\_exists$ and $\underline{t}ask\_exists'$ denote, respectively, the set of tasks existing before the transition and the set of tasks existing after the transition. # 6.1 Kernel Requests and State Transitions Editorial Note: This section provides a very brief execution model for DTOS. Much more detail can be found by consulting the FTLS. In the simplest model, DTOS kernel state transitions occur as the result of client requests. Requests include the following information: - $\blacksquare$ request\_op The identifier of the operation (such as **mach\_port\_allocate**) in the request. - $\bullet$ *eff\_client* The client task making the request. - *service\_port* The port through which the request is received. - $initial\_ruling$ As part of the initial processing of a request, the kernel associates a ruling with the request. #### **DTOS Kernel Definition 41** \_Request \_\_\_ $request\_op: OPERATION$ $eff\_client: TASK \\ service\_port: PORT \\ initial\_ruling: Ruling$ #### Editorial Note: When $initial\_ruling$ is computed, the SSI associated with the ruling is the SID of $eff\_client$ and the OSI associated with the ruling is the SID of the port through which the request was received (modulo the $Task\_self\_sid$ and $Thread\_self\_sid$ computations). In later processing of the request, the kernel sometimes assumes that - $\blacksquare$ the SID of *eff\_client* is the same as when the request was received, - the SID of the port through which the request was received is the same as when the request was received, and - lacktriangledown the permissions in $initial\_ruling$ are still valid. This lack of support for non-tranquility is not reflected in the model. Editorial Note: In the current execution model, Request refers to service requests sent through **mach\_msg** as well as traps; the fields $request\_op$ and $service\_port$ only apply in the case of a **mach\_msg** request. During the initial processing of a newly received request, the DTOS kernel performs some integrity validation and permission checks. We use $validated\_requests$ to model the collection of requests that have successfully passed these checks. Note that it is possible that some of the requests in $validated\_requests$ are identical. #### **DTOS Kernel Definition 42** \_\_\_\_ ValidatedRequests \_\_\_\_\_\_ validated\_requests : bag Request We use DtosExec to model the execution state of the DTOS kernel, consisting of Dtos and the collection ValidatedRequests. ## **DTOS Kernel Definition 43** \_\_ DtosExec \_\_\_\_\_\_ ValidatedRequests Dtos Each DTOS kernel state transition is associated with the following: - *client* The task responsible for the transition occurring. If the transition is a direct response to a kernel request, then *client* is the task which made the request (*eff\_client*). Otherwise, *client* is the kernel task. - *client\_sid* The current SID of *client*. If *client* no longer exists when its request is being processed, then this is the SID of *client* when it was destroyed. #### Editorial Note: This used to say that it was the SID of client when the request was made, but I do not believe that is true. The spec-to-code analysis should make the determination. We also may need to make the determination of what it should be. Editorial Note: This also needs to get fixed to reflect the possibility of a specified SID when the prototype is updated. - rulings Zero or more rulings may be retrieved from the security server during the transition. The <code>initial\_ruling</code> contained in the request might be included in this set, or it might come from the cache. These rulings need not be part of the initial or final state of the transition. - $kernel\_allows(ssi, osi)$ This function returns the set of permissions which are allowed either by the kernel's cache or by a ruling associated with the transition. In addition, transitions are often associated with a particular kernel request. #### **DTOS Kernel Definition 44** ``` \begin{array}{c} \textit{Base Transition} \\ \textit{client} : \textit{TASK} \\ \textit{client\_sid} : \textit{SSI} \\ \textit{rulings} : \mathbb{P} \; \textit{Ruling} \\ \textit{kernel\_allows} : \textit{SSI} \times \textit{OSI} \longrightarrow \mathbb{P} \; \textit{PERMISSION} \\ \textit{Request} \\ \Delta \; \textit{DtosExec} \\ \\ \textit{eff\_client} \neq \textit{client} \Rightarrow \textit{client} = \underline{\textit{k}} \textit{ernel} \\ \textit{client} \in \underline{\textit{t}} \textit{ask\_exists} \Rightarrow \textit{client\_sid} = \underline{\textit{t}} \textit{ask\_sid} (\textit{client}) \\ \textit{initial\_ruling} \in \textit{rulings} \cup \underline{\textit{c}} \textit{ache} \\ \\ \forall \textit{ssi} : \textit{SSI}; \; \textit{osi} : \textit{OSI} \\ \bullet \; \textit{kernel\_allows} (\textit{ssi}, \textit{osi}) = \textit{cache\_allows} (\textit{ssi}, \textit{osi}) \\ \cup \bigcup \{\textit{ruling} : \textit{Ruling} \mid \textit{ruling} \in \textit{rulings} \\ \bullet \; \textit{Ruling\_allows} (\textit{ruling}, \textit{ssi}, \textit{osi}, \underline{\textit{h}} \textit{ost\_time}) \} \\ \end{array} ``` Editorial Note: Using $\underline{h}$ ost\_time for $Ruling\_allows$ above is probably not correct. Each ruling might be checked at a different time. We use the set $Valid\_transitions$ to denote the set of transitions that are possible on the DTOS system. $^{11}$ ## **DTOS Kernel Definition 45** ``` Valid\_transitions: \mathbb{P}\ Base\ Transition ``` We define the schema Transition to be the schema BaseTransition restricted by the set $Valid\_transitions$ . <sup>11</sup> One of the purposes of the FTLS is to define this set of Valid\_transitions. #### **DTOS Kernel Definition 46** | Transition | | |------------------------------------------------|--| | Base Transition | | | $\theta BaseTransition \in Valid\_transitions$ | | In the following sections each service is denoted by a schema having a signature referencing *Transition* and some set of parameters. The parameters listed in the signature indicate the kernel entities upon which permission checking is performed. ## 6.2 IPC Services Mach IPC consists of sending messages to and receiving messages from ports. Although the Mach capability mechanisms (port rights) provide control over which tasks can send messages to each port, the mechanisms are relatively weak. For example, any task that holds a right may pass the right to any other task. Thus, a "trusted" task that holds a right for a "privileged" port might accidentally transfer the right to a malicious task. The DTOS policy addresses this threat by controlling the transferring of rights and the ability to hold rights (permissions $Transfer\_rights$ , $Hold\_receive$ , $Hold\_send$ , $Hold\_send\_once$ , $Transfer\_receive$ , $Transfer\_send$ , and $Transfer\_send\_once$ ). Another weakness of capabilities is that the holding of a right implies the ability to use the right. Tasks such as name servers will need to hold rights to many entities that they do not need to access themselves. This is a violation of "least privilege." The DTOS policy addresses this threat by making a distinction between the ability to hold a right versus use a right (permissions <code>Hold\_receive</code>, <code>Hold\_send</code>, and <code>Hold\_send\_once</code> versus <code>Can\_receive</code> and <code>Can\_send</code>). In addition to being able to pass port rights in messages, tasks may also pass regions of memory. Since these memory regions can be backed by untrusted pagers and may consume a lot of space in the receiver's address space, there are integrity and denial of service threats related to such data transfers. The DTOS policy addresses these threats by controlling which tasks can transfer memory regions through messages sent to ports. For example, the policy could be used to prohibit the transfer of memory regions through a service port for a trusted server that provides an interface using only in-line data transfer (permission $Transfer\_ool$ ). As noted in Section 5, DTOS tags messages with a sending SSI and (potentially) a receiving SSI. Although the kernel protects the tags while the message is in transit, certain tasks must be trusted to override the normal use of these tags. For example, a user space network server interposing on user ports needs to receive messages for which it is not the ultimate receiver and copy the original sender's SSI onto the forwarded message. However, the overriding must be controlled for the tags to serve their purpose. The DTOS policy addresses threats to the correctness of the tags by controlling which tasks are permitted to override the normal processing (permissions *Specify* and *Interpose*). **Service Definition 1** (Initiates MsgSend) A state transition initiates the sending of a message to port if the client is not the $\underline{k}$ ernel, there exists a new msg sent to port, and port is not destroyed. When the $\underline{k}$ ernel sends a message, it is considered an outcall. Outcall services are defined in Section 6.14. ``` InitiatesMsgSend \\ port: PORT \\ Transition \\ \hline client \neq \underline{k}ernel \\ port \in \underline{p}ort\_exists \cap \underline{p}ort\_exists' \\ \exists msg: MESSAGE \\ \bullet msg \in \underline{m}essage\_exists' \setminus \underline{m}essage\_exists \\ \land ((\underline{m}sg\_contents'(msg)).header).remote\_port = port ``` #### Editorial Note: In the current model, there does not appear to be any way to identify the port to which is a message is sent simply by looking at the message. Upon sending the message, the $remote\_port$ field in the message header indicates the destination port, and the $local\_port$ field indicates the reply port. However, at some point in the processing these fields are reversed, and the state model does not specify when this is done. Perhaps it could be specified by considering the status field of the message. In the current service definitions (1 through 7), when the destination port is needed it is assumed to be identified in the $remote\_port$ field. As long as our specification of message sending is granular enough, this will always be the case at the conclusion of a state transition in which the message is sent. #### Editorial Note: Currently, outcall messages are only distinguished from other messages when computing the Send permission. We need to decide if this is appropriate. **Service Definition 2** (Initiates Rights Transfer) A state transition initiates the sending of a message to port and the transfer of port rights in the body of the message if there exists amsg such that: - msg is a new message, - msg's destination is port, and - some element of the body of msg carries a port right. ``` Initiates Rights Transfer \\ port: PORT \\ Transition \\ \hline port \in \underline{port\_exists} \cap \underline{port\_exists'} \\ \exists \ msg: MESSAGE \\ \bullet \ msg \in \underline{message\_exists'} \setminus \underline{message\_exists} \\ \land ((\underline{msg\_contents'(msg)}).header).remote\_port = port \\ \land (\exists \ i: \mathbb{N}; mach\_msg\_type: MACH\_MSG\_TYPE; task: TASK; \\ port\_seq: seq \ PORT; \ v\_data\_l: V\_DATA\_LOCATION \\ \bullet \ Transit\_right(i, mach\_msg\_type, (task, port\_seq, v\_data\_l)) \\ \in \operatorname{ran}((\underline{m}sg\_contents'(msg)).body) \\ \land \ mach\_msg\_type \in Recognized\_transfer\_options) \\ \hline \end{tabular} ``` Note that this service involves the transferring of port rights in the bodies of messages sent to port while the following three services involve the transferring of port rights for port. **Service Definition 3** (Initiates Receive Transfer) A state transition initiates the transfer of a receive right for port if there exists a msg such that: - msg is a new message, and - some element of the body of msg carries a receive right for port. ``` Initiates Receive Transfer \\ port: PORT \\ Transition \\ \\ port \in \underline{port\_exists} \cap \underline{port\_exists'} \\ \exists \ msg: MESSA \ GE \\ \bullet \ msg \in \underline{message\_exists'} \setminus \underline{message\_exists} \\ \land (\exists \ i : \mathbb{N}; \ mach\_msg\_type : MACH\_MSG\_TYPE; \ task : TASK; \\ port\_seq: seq \ PORT; \ v\_data\_l: \ V\_DATA\_LOCATION \\ \bullet \ Transit\_right(i, mach\_msg\_type, (task, port\_seq, v\_data\_l)) \\ \in \operatorname{ran}((\underline{m} sg\_contents'(msg)).body) \\ \land \ port \in \operatorname{ran} \ port\_seq \\ \land \ mach\_msg\_type = Mmt\_move\_receive) \\ \\ ``` **Service Definition 4** (Initiates Send Transfer) A state transition initiates the transfer of a send right for port if there exists a msg such that: - msq is a new message, and - the reply port field in the header of msg or some element of the body of msg carries a send right for port. ``` InitiatesSendTransfer \\ port: PORT \\ Transition \\ \\ port \in \underline{port\_exists} \cap \underline{port\_exists'} \\ \exists msg: MESSAGE \\ \bullet msg \in \underline{message\_exists'} \setminus \underline{message\_exists} \\ \land ((\exists i : \mathbb{N}; mach\_msg\_type : MACH\_MSG\_TYPE; task : TASK; \\ port\_seq: seq PORT; v\_data\_l: V\_DATA\_LOCATION \\ \bullet Transit\_right(i, mach\_msg\_type, (task, port\_seq, v\_data\_l)) \\ \in \operatorname{ran}((\underline{m}sg\_contents'(msg)).body) \\ \land port \in \operatorname{ran} port\_seq \\ \land mach\_msg\_type \\ \in \{Mmt\_make\_send, Mmt\_move\_send, Mmt\_copy\_send \}) \\ \lor (msg, (port, Send)) \in \underline{reply\_port\_rel'}) \\ \end{aligned} ``` **Service Definition 5** (Initiates Send Once Transfer) A state transition initiates the transfer of a send-once right for port if there exists a msq such that: - msg is a new message, and - the reply port field in the header of msg or some element of the body of msg carries a send-once right for port. ``` InitiatesSendOnceTransfer \_\\ port: PORT \\ Transition \\ \hline\\ port \in \underline{port\_exists} \cap \underline{port\_exists'} \\ \exists \ msg: MESSAGE \\ \bullet \ msg \in \underline{message\_exists'} \setminus \underline{message\_exists} \\ \land ((\exists \ i \ \ \ \ ); \ mach\_msg\_type: MACH\_MSG\_TYPE; \ task: TASK; \\ port\_seq: seq PORT; \ v\_data\_l: \ V\_DATA\_LOCATION \\ \bullet \ Transit\_right(i, \ mach\_msg\_type, (task, \ port\_seq, \ v\_data\_l)) \\ \in \operatorname{ran}((\underline{m}sg\_contents'(msg)).body) \\ \land \ port \in \operatorname{ran} \ port\_seq \\ \land \ mach\_msg\_type \in \{\ Mmt\_make\_send\_once, \ Mmt\_move\_send\_once \}) \\ \lor (msg, (port, Send\_once)) \in \underline{reply\_port\_rel'}) \\ \hline ``` **Service Definition 6** (Initiates OolData Transfer) A state transition initiates the transfer of outof-line data through port if there exists a msg such that: - msg is a new message, - msq's destination is port, and - some element of the body of msg carries an out-of-line region. ``` InitiatesOolData\ Transfer \\ port: PORT \\ Transition \\ \hline port \in \underline{port\_exists} \cap \underline{port\_exists'} \\ \exists \ msg: MESSA\ GE \\ \bullet \ msg \in \underline{message\_exists'} \setminus \underline{message\_exists} \\ \land \ ((\underline{msg\_contents'(msg)}).header).remote\_port = port \\ \land \ (\exists \ i: \mathbb{N}; \ mach\_msg\_type: MACH\_MSG\_TYPE; \ task: TASK; \\ memory: MEMORY; offset: OFFSET \\ \bullet \ Transit\_memory(i, mach\_msg\_type, (task, memory, offset)) \\ \in \operatorname{ran}((\underline{m}sg\_contents'(msg)).body)) \\ \hline ``` **Service Definition 7** (Sets Reply) A state transition sets the reply port to which a reply message will be sent to port if there exists a msg such that: - msg is a new message, - msg's local\_port is port. ``` SetsReply \\ port : PORT \\ Transition \\ port \in \underline{port\_exists} \cap \underline{port\_exists'} \\ \exists \ msg : MESSAGE \\ \bullet \ msg \in \underline{message\_exists'} \setminus \underline{message\_exists} \\ \land ((\underline{msg\_contents'(msg)}).header).local\_port = \{port\} \\ ``` **Service Definition 8** (*SpecifiesSsi*) A state transition initiates the sending of a message toport with a sending SID specified if there exists amsg such that: - msg is a new message, - msg's destination is port, and - msg is in the domain of the function msg\_specified\_sid'. ``` SpecifiesSsi \\ port : PORT \\ Transition \\ \\ port \in \underline{port\_exists} \cap \underline{port\_exists'} \\ \exists \ msg : MESSAGE \\ \bullet \ msg \in \underline{message\_exists'} \setminus \underline{message\_exists} \\ \land \ ((\underline{msg\_contents'(msg)}).header).remote\_port = port \\ \land \ msg \in \mathrm{dom} \ \underline{msg\_specified\_sid'} \\ \\ ``` **Service Definition 9** (*SpecifiesAV*) A state transition initiates the sending of a message toport with an access vector specified if there exists amsg such that: - msg is a new message, - msg's destination is port, and - msg is in the domain of the function $msg\_specified\_vector'$ . The remaining IPC services consider the receiving of messages. **Service Definition 10** (Initiates Msg Receive) A state transition initiates the receiving or removal of a message from port if there exists msg such that: - msg is removed from the queue associated with port, and - port is not destroyed ``` InitiatesMsgReceive \\ port : PORT \\ Transition \\ port \in \underline{port\_exists} \cap \underline{port\_exists'} \\ \exists \ msg : MESSAGE \bullet (msg, port) \in containing\_port \setminus containing\_port' ``` **Service Definition 11** (Interposes) A state transition receives a message with a specified receiving SID other than the client's SID from port if there exists a msg such that: - in the initial state, msg is enqueued at port, - msg is added to the set of messages received by client, - a receiving SID is specified for msg, and - $msg\_receiving\_sid(msg) \neq client\_sid$ . ``` Interposes port : PORT Transition port \in \underline{port\_exists} \cap \underline{port\_exists'} \exists msg : MESSAGE \bullet (msg, port) \in containing\_port \land msg \in \underline{t}ask\_received\_msgs'(client) \setminus \underline{t}ask\_received\_msgs(client) \land msg \in msg\_receiver\_specified \land \underline{m}sg\_receiving\_sid(msg) \neq client\_sid ``` Note that the services <code>InitiatesMsgReceive</code> and <code>Interposes</code> present different definitions of "receiving" a message. This is because the <code>InitiatesMsgReceive</code> considers the more general case of receiving or removing a message from the queue, while <code>Interposes</code> only considers the case of receiving a message from the queue. This distinction is important since it may be necessary for a client to remove a message from a queue when it is not allowed to receive the message because it is not the specified receiver. #### 6.3 Port Services All kernel entities are represented by ports. Consequently, the security of a task rests on the ability to protect the task's port name space. Mach allows any task holding a send right to a second task's self port to modify the second task's port name space. By allocating rights in a second task's port name space, a malicious task can consume resources in that task. This could lead to a denial of service. The DTOS policy addresses this by controlling the adding of names to port name spaces (permission $Add\_name$ ). If a malicious task can deallocate rights in a second task's port name space, then it can make resources the second task is using unavailable. This can lead to a denial of service, too. The DTOS policy addresses this by controlling the removal of names from port name spaces (permission $Remove\_name$ ). A related threat is the moving of a port right in a port name space. For example, if a malicious task renames a port right or changes the members of a port set in a second task, the second task might fail as the result of port rights no longer being where they should be. The DTOS policy addresses this threat by controlling the moving of names within a port name space (permissions $Port\_rename$ , $Manipulate\_port\_set$ , $Register\_ports$ ). A more subtle type of threat is the modification of the notifications registered for a task. If a task has a thread waiting to receive a notification and the notification is canceled by a second task, then the thread will never receive the notification. The DTOS policy addresses this by controlling the registering of notifications (permission <code>Register\_notification</code>). Other threats include modifying the make-send count, queue limit, or sequence number for a port. For example, if the queue limit for a server's service port is decreased, messages sent to the server might start to time out. This could result in a denial of service. The DTOS policy addresses such threats by controlling the setting of these port attributes (permission $Alter\_pns\_info$ ). The DTOS policy with respect to MIDs is tranquil in that once the kernel associates a MID with an entity, the entity remains bound to the same MID. For ports, we represent this by defining a service, ChangesPortMid, that characterizes the changing of a port's MID and then prohibiting this service in Section 7. However, the AID of some entities is allowed to change. The AID of a port is allowed to change only in the case of a task or thread port for a task whose AID also changes. We represent this by defining a service, ChangesPortAid, that characterizes the changing of a port's AID under all other circumstances, and prohibiting this service in Section 7. **Service Definition 12** (Adds Receive) A state transition adds a receive right for port to task's port name space if task obtains a receive right for port and task did not previously hold a receive right for port.<sup>12</sup> ``` \begin{array}{l} AddsReceive \\ task: TASK \\ port: PORT \\ Transition \\ \\ port \in \underline{port\_exists'} \\ (port, task) \in receiver' \setminus receiver \end{array} ``` **Service Definition 13** (AddsSendRight) A state transition adds a send to port right to task's port name space if task obtains a send to port right and task did not previously hold a send to portright. $<sup>^{12}</sup>$ Note that this service does not define the SID that is associated with the port. The expression $\underline{p} ort\_sid'(port)$ denotes this SID. The requirements in Section 7 require that the client have permission to add ports with this SID to task's port name space and that task have permission to hold ports with this SID. No other restrictions are placed on the SID assigned to the new port. ``` AddsSendRight \\ task: TASK \\ port: PORT \\ Transition \\ \hline port \in \underline{port\_exists'} \\ port \in \{name: NAME \mid (task, name) \in s\_right' \bullet named\_port'(task, name) \} \\ \setminus \{name: NAME \mid (task, name) \in s\_right \bullet named\_port(task, name) \} \\ \hline ``` **Service Definition 14** (AddsSendReference) A state transition adds a send to port reference to task's port name space if task has a send to port right and task obtains an additional reference to a send to port right. ``` \begin{array}{l} AddsSendReference \\ \hline task: TASK \\ port: PORT \\ \hline Transition \\ \hline \\ port \in \underline{port\_exists} \cap \underline{port\_exists'} \\ (\exists \ name_1, name_2: NAME \\ \bullet \ ((task, name_1) \in s\_right \wedge named\_port(task, name_1) = port) \\ \wedge \ ((task, name_2) \in s\_right' \wedge named\_port'(task, name_2) = port) \\ \wedge \ s\_right\_ref\_count'(task, name_2) > s\_right\_ref\_count(task, name_1)) \\ \end{array} ``` **Composite Service Definition 1** We refer to the service in which either a send right is created or a reference count for a send right is incremented as the service AddsSend. ``` AddsSend \triangleq AddsSendRight \lor AddsSendReference ``` **Service Definition 15** (AddsSendOnce) A state transition adds a sendonce to port right to task's port name space if task obtains a sendonce to port right and task did not previously hold a sendonce to port right. ``` \begin{array}{l} AddsSendOnce \\ \hline task: TASK \\ port: PORT \\ \hline Transition \\ \hline \\ port \in \underline{port\_exists'} \\ \# \{ name: NAME; i: \mathbb{N} \\ \quad \mid (task, port, name, Send\_once, i) \in \underline{port\_right\_rel'} \bullet name \} \\ > \# \{ name: NAME; i: \mathbb{N} \\ \quad \mid (task, port, name, Send\_once, i) \in \underline{port\_right\_rel} \bullet name \} \\ \end{array} ``` **Service Definition 16** (Adds Dead Name Right) A state transition adds a dead name right to task's port name space if the number of names which are dead and not previously intask's port name space is greater than the number of names which were dead and are not currently intask's port name space. ``` \begin{array}{c} A \, dds Dead Name Right \\ \hline task : TASK \\ \hline Transition \\ \hline \# \{ \, name : NAME \mid (task, name) \in dead\_namep' \setminus local\_namep \bullet name \, \} \\ \hline > \# \{ \, name : NAME \mid (task, name) \in dead\_namep \setminus local\_namep' \bullet name \, \} \\ \hline \end{array} ``` Editorial Note: This service ignores the case where a dead name is created when the corresponding port dies (such a name is not in either of the set comprehensions) as well as the case where a dead name is renamed (the first set contains the new dead name but not the old, while the second set contains the old dead name but not the new.) **Service Definition 17** (Adds Dead Name Reference) A state transition adds a dead name reference to task's port name space if task obtains an additional reference to a dead name right that it previously held. ``` \begin{array}{l} -A\, dds Dead Name Reference \\ task: TASK \\ Transition \\ \hline \exists \ name: NAME \\ \bullet \ (task, name) \in dead\_namep' \cap dead\_namep \\ \land \ dead\_right\_ref\_count'(task, name) > dead\_right\_ref\_count(task, name) \end{array} ``` **Composite Service Definition 2** We refer to the service in which either a dead name is created or a reference count for a dead name is incremented as the service Adds Dead Name. $AddsDeadName \triangleq AddsDeadNameRight \lor AddsDeadNameReference$ **Service Definition 18** (CreatesPortSet) A state transition creates a new port set in task's port name space if the number of entries for task in $port\_set\_namep$ , the set of (task, name) pairs that denote port sets, is increased. ``` Creates PortSet \_ task : TASK Transition \#\{ name : NAME \mid (task, name) \in port\_set\_namep' \} > \#\{ name : NAME \mid (task, name) \in port\_set\_namep \} ``` **Composite Service Definition 3** We refer to the service in which either a receive, send, send-once right, a dead name, or a port set is added to task's port name space as the service AddsName. ``` AddsName \triangleq (\exists \ port : PORT \bullet AddsReceive \lor AddsSend \lor AddsSendOnce) \lor AddsDeadName \lor CreatesPortSet ``` #### Editorial Note: The next four service definitions are intended to refer to services which explicitly remove rights from a name space. As stated, they are much too broad. For instance, - They don't consider the possibility that a send or send-once right disappears because it is used to send a message. - They don't consider the possibility that a right disappears because it is sent in a message. As a general rule, side effects of destroying a port aren't handled well in these abstract service definitions. There is a long chain of possible consequences to simply removing one port. #### Editorial Note: It is not clear that we can identify rights that are being removed as a result of being transferred in a message or expiring due to use. At first glance it seems that we can check for the existence of an appropriate message as in the definition of the IPC services InitiatesRightsTransfer, InitiatesReceiveTransfer, etc. According to the specification of $Transit\_right$ (see the definition of $BASE\_INTERNAL\_ELEMENT$ ) we can recover the name of the task initiating the transfer of rights from the message contents, but we do not believe that this is carried out in the prototype. An alternative is to compare Request's $eff\_client$ with task, but the complexity of the execution model makes it difficult to determine if this handles all cases accurately. **Service Definition 19** (Removes Receive) A state transition removes a receive right forport from task's port name space if task loses a receive right for port that it previously held, and task is not destroyed. ``` Removes Receive task : TASK port : PORT Transition task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' port \in \underline{p}ort\_exists (port, task) \in receiver \setminus receiver' ``` **Service Definition 20** (RemovesSendRight) A state transition removes a send to port right from task's port name space if task loses a send to port right that it previously held, and task and port are not destroyed. ``` \begin{array}{c} RemovesSendRight \\ task: TASK \\ port: PORT \\ Transition \\ \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ port \in \underline{p}ort\_exists \cap \underline{p}ort\_exists' \\ \textbf{let} \ old\_ports == \{ \ name : NAME \mid (task, name) \in s\_right \\ & \bullet \ named\_port(task, name) \}; \\ new\_ports == \{ \ name : NAME \mid (task, name) \in s\_right' \\ & \bullet \ named\_port'(task, name) \} \\ \\ \bullet \ port \in old\_ports \setminus new\_ports \\ \end{array} ``` **Service Definition 21** (RemovesSendReference) A state transition removes a send to port reference from task's port name space if task's reference count for a send right forport is decreased, and task and port are not destroyed. ``` RemovesSendReference \\ task: TASK \\ port: PORT \\ Transition \\ task \in \underline{task\_exists} \cap \underline{task\_exists'} \\ port \in \underline{port\_exists} \cap \underline{port\_exists'} \\ \exists \ name_1, \ name_2: NAME \\ \bullet \ ((task, name_1) \in s\_right \wedge named\_port(task, name_1) = port) \\ \wedge \ ((task, name_2) \in s\_right' \wedge named\_port'(task, name_2) = port) \\ \wedge \ s\_right\_ref\_count(task, name_2) > s\_right\_ref\_count'(task, name_1) \\ \end{cases} ``` **Composite Service Definition 4** We refer to the service in which either a send right is removed or a reference count for a send right is decremented as the serviceRemovesSend. $RemovesSend \triangleq RemovesSendRight \lor RemovesSendReference$ **Service Definition 22** (RemovesSendOnce) A state transition removes a sendonce to port right from task's port name space if task loses a sendonce to port right that it previously held, and task and port are not destroyed. ``` RemovesSendOnce \_ task : TASK port : PORT Transition task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' port \in \underline{p}ort\_exists \cap \underline{p}ort\_exists' \#\{name : NAME \mid (task, port, name, Send\_once, 1) \in \underline{p}ort\_right\_rel \bullet name \} > \#\{name : NAME \mid (task, port, name, Send\_once, 1) \in \underline{p}ort\_right\_rel' \bullet name \} ``` **Service Definition 23** (Removes Dead Name Right) A state transition removes a dead name right from task's port name space if the number of dead names intask's port name space is decreased, and task is not destroyed. ``` Removes Dead Name Right \_ task : TASK Transition task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \#\{ name : NAME \mid (task, name) \in dead\_namep \bullet name \} > \#\{ name : NAME \mid (task, name) \in dead\_namep' \bullet name \} ``` **Service Definition 24** (Removes Dead Name Reference) A state transition removes a dead name reference from task's port name space if task loses a reference to a dead name right that it previously held, and task is not destroyed. ``` Removes Dead Name Reference \\ task: TASK \\ Transition \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ \exists name: NAME \\ \bullet (task, name) \in dead\_namep' \cap dead\_namep \\ \land dead\_right\_ref\_count(task, name) > dead\_right\_ref\_count'(task, name) ``` **Composite Service Definition 5** We refer to the service in which either a dead name is destroyed or a reference count for a dead name is decremented as the serviceRemovesDeadName. $RemovesDeadName \triangleq RemovesDeadNameRight \lor RemovesDeadNameReference$ **Service Definition 25** (DestroysPortSet) A state transition destroys a port set in task's port name space if the number of names intask's port name space that are port set names decreases, and task is not destroyed. **Composite Service Definition 6** We refer to the service in which either a receive, send, send-once right, a dead name, or a port set is removed from task's port name space as the service RemovesName. ``` RemovesName \triangleq (\exists port : PORT \bullet RemovesReceive \lor RemovesSend \lor RemovesSendOnce) \lor RemovesDeadName \lor DestroysPortSet ``` **Service Definition 26** (RenamesInPortNameSpace) A state transition renames a port, dead name, or port set in task's port name space if an entry is removed from the name space and an identical entry is added under a different name. ``` RenamesInPortNameSpace \\ task: TASK \\ Transition \\ \exists \ name_1, \ name_2: NAME \\ \bullet \ (\exists \ port: PORT; \ right: RIGHT; \ i: \mathbb{N} \\ \bullet \ (task, port, name_1, right, i) \in \underline{port\_right\_rel} \setminus \underline{port\_right\_rel'} \\ \land \ (task, port, name_2, right, i) \in \underline{port\_right\_rel'} \setminus \underline{port\_right\_rel}) \\ \lor \ (\exists \ set\_of\_ports: \mathbb{P} \ PORT \\ \bullet \ (task, name_1, set\_of\_ports) \in \underline{port\_set\_rel} \setminus \underline{port\_set\_rel'} \\ \land \ (task, name_2, set\_of\_ports) \in \underline{port\_set\_rel'} \setminus \underline{port\_set\_rel}) \\ \lor \ (\exists \ i: \mathbb{N} \\ \bullet \ (task, name_1, i) \in \underline{d} \ ead\_right\_rel \setminus \underline{d} \ ead\_right\_rel'} \\ \land \ (task, name_2, i) \in \underline{d} \ ead\_right\_rel' \setminus \underline{d} \ ead\_right\_rel) ``` **Service Definition 27** (Manipulates PortSet) A state transition manipulates a port set in task's port name space if there is some port set name such that the set of ports associated with name is altered in a manner other than by simply removing ports for which task is no longer the receiver. In other words, there exists name and port such that: - name represents a port set in task's port name space in both the initial and final states of the transition, and - port is added to port\_set(task, name), or - port is removed from port\_set(task, name) and task remains the receiver from port. ``` \begin{array}{l} \textit{ManipulatesPortSet} \\ \textit{task}: \textit{TASK} \\ \textit{Transition} \\ \\ \exists \; \textit{name}: \textit{NAME}; \; \textit{port}: \textit{PORT} \\ \bullet \; (\textit{task}, \textit{name}) \in \textit{port\_set\_namep} \cap \textit{port\_set\_namep'} \\ \land \; (\textit{port} \in \textit{port\_set'}(\textit{task}, \textit{name}) \setminus \textit{port\_set'}(\textit{task}, \textit{name}) \\ \lor \; (\textit{port} \in \textit{port\_set}(\textit{task}, \textit{name}) \setminus \textit{port\_set'}(\textit{task}, \textit{name}) \\ \land \; (\textit{port}, \textit{task}) \in \textit{receiver'})) \\ \end{array} ``` **Service Definition 28** (Registers Port) A state transition registers a port or removes a previously registered port associated with a task if there exists port which - $\blacksquare$ is added to <u>registered\_rights(task)</u>, or - *is* removed from $\underline{r}$ egistered\_rights(task) without being destroyed. ``` RegistersPort task : TASK Transition task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \exists port : PORT \bullet port \in ran(\underline{r}egistered\_rights'(task)) \setminus ran(\underline{r}egistered\_rights(task)) \lor (port \in ran(\underline{r}egistered\_rights(task)) \setminus ran(\underline{r}egistered\_rights'(task)) \land port \in \underline{p}ort\_exists') ``` **Service Definition 29** (Registers Port Destroyed Notification) A state transition registers a portdestroyed notification request for a port in task's name space or removes a previously registered request if there exists $port_1$ and $port_2$ such that - $\blacksquare$ task is the receiver for port<sub>1</sub> in both the initial and final states of the transition, and - port<sub>2</sub> is added to port\_notify\_destroyed(port<sub>1</sub>), or - $port_2$ is removed from $port\_notify\_destroyed(port_1)$ without being destroyed. ``` Registers Port Destroyed Notification \\ task: TASK \\ Transition \\ \hline \exists \ port_1, \ port_2: PORT \\ \bullet \ (port_1, task) \in receiver \cap receiver' \\ \land \ ((port_1, port_2) \in port\_notify\_destroyed' \setminus port\_notify\_destroyed \\ \lor \ ((port_1, port_2) \in port\_notify\_destroyed \setminus port\_notify\_destroyed' \\ \land \ port_2 \in \underline{p} \ ort\_exists')) ``` **Service Definition 30** (Registers No More Senders Notification) A state transition registers a nomore-senders notification request for a port in task's name space or removes a previously registered request if there exists $port_1$ and $port_2$ such that - task is the receiver for $port_1$ in both the initial and final states of the transition, and - port<sub>2</sub> is added to port\_notify\_no\_more\_senders(port<sub>1</sub>), or - $\ port_2 \ \textit{is removed from } port\_notify\_no\_more\_senders(port_1) \ \textit{without being destroyed}.$ ``` RegistersNoMoreSendersNotification \\ task: TASK \\ Transition \\ \exists \ port_1, port_2: PORT \\ \bullet \ (port_1, task) \in receiver \cap receiver' \\ \land \ ((port_1, port_2) \in port\_notify\_no\_more\_senders' \setminus port\_notify\_no\_more\_senders \\ \lor \ ((port_1, port_2) \in port\_notify\_no\_more\_senders' \\ \land \ port\_notify\_no\_more\_senders' \\ \land \ port_2 \in port\_exist')) ``` **Service Definition 31** (Registers Dead Name Notification) A state transition registers a deadname notification request for a port in task's name space or removes a previously registered request if there exists name and port such that - name represents some port right intask's name space in both the initial and final states of the transition, and - port is added to port\_notify\_dead(task, name), or - port is removed from port\_notify\_dead(task, name) without being destroyed. ``` Registers Dead Name Notification \\ task: TASK \\ Transition \\ \exists \ name: NAME; \ port: PORT \\ \bullet \ (task, name) \in port\_right\_namep \cap port\_right\_namep' \\ \land \ (((task, name), port) \in port\_notify\_dead' \setminus port\_notify\_dead \\ \lor \ (((task, name), port) \in port\_notify\_dead \setminus port\_notify\_dead' \\ \land \ port \in \underline{p} \ ort\_exists')) ``` **Composite Service Definition 7** We refer to the service in which either a port-destroyed, no-more-senders, or dead-name notification is registered or removed from task's port name space as the service RegistersNotification. ``` Registers Notification \ \widehat{=} \ Registers PortDestroyed Notification \\ \lor \ Registers No More Senders Notification \\ \lor \ Registers Dead Name Notification ``` **Service Definition 32** (SetsMakeSendCount) A state transition modifies the make-send count for a port in task's port name space if there is some port for which task is the receiver and $\underline{make\_send\_count(port)}$ is altered. ``` SetsMakeSendCount \\ task : TASK \\ Transition \\ \exists port : PORT \\ \bullet (port, task) \in receiver \cap receiver' \\ \land \underline{m}ake\_send\_count'(port) \neq \underline{m}ake\_send\_count(port) ``` **Service Definition 33** (SetsQueueLimit) A state transition modifies the queue limit for a port in task's port name space if there is some port for which task is the receiver and $\underline{q}$ \_limit(port) is altered. ``` Sets Queue Limit \\ task : TASK \\ Transition \\ \hline \exists port : PORT \\ \bullet (port, task) \in receiver \cap receiver' \\ \land \underline{q\_limit'(port)} \neq \underline{q\_limit(port)} ``` **Service Definition 34** (SetsSeqNo) A state transition modifies the sequence number for a port in task's port name space if there is some port for which task is the receiver and $\underline{s}$ equence\_no(port) is altered. Editorial Note: Each of the previous three service definitions need to be checked (and changed) for possible side effects. For instance, the make-send count changes as a side effect of creating new rights. I don't believe there are side effect with the queue limit. The sequence number can change whenever a message is removed from a message queue. **Composite Service Definition 8** We refer to the service in which either the make-send count, queue limit, or sequence number for a port is altered as the service Modifies PortInfo. $ModifiesPortInfo \triangleq SetsMakeSendCount \lor SetsQueueLimit \lor SetsSeqNo$ **Service Definition 35 (**ChangesPortMid**)** A state transition changes a port's MID if it alters $port\_mid(port)$ . **Service Definition 36** (Changes PortAid) A state transition changes a port's AID if it alters $port\_aid(port)$ , except in the case of the AID of a task or thread port changing due to a similar change in the task AID. #### 6.4 VM Services An interesting feature of the Mach Virtual Memory (VM) system is that it allows a task holding a send right to a second task's self port to access the address space of the second task. By allocating memory in a second task's address space, a malicious task can consume resources in that task. This could lead to a denial of service. The DTOS policy addresses this by controlling the allocation of memory (permission $Allocate\_vm\_region$ ). If a malicious task can deallocate memory in a second task's address space, then it can make memory the second task is using unavailable. This can lead to a denial of service, too. The DTOS policy addresses this by controlling the deallocation of memory (permission $Deallocate\_vm\_region$ ). To protect the integrity and confidentiality of data, it is necessary to control the Mach, current and maximum protections for memory allocated to a task. The DTOS policy addresses these concerns by requiring the permissions cache be consulted whenever protections are set (permissions $Have\_read$ , $Have\_write$ , $Have\_execute$ , $Chg\_vm\_region\_prot$ ). A more subtle way in which data integrity or confidentiality can be compromised is through the modification of inheritance attributes. For example, a malicious task might change the inheritance attribute of a memory object that a second task wants to keep private so that the object is shared with children of the second task. The DTOS policy addresses this by controlling the modification of inheritance attributes (permission $Set\_vm\_region\_inherit$ ). **Service Definition 37 (**Allocates Region**)** A state transition allocates a region at page\_index in task's virtual address space if page\_index is allocated for task in the final state but not in the initial state. ``` Allocates Region \\ task: TASK \\ page\_index: PAGE\_INDEX \\ Transition \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ page\_index \in \{ page\_index: PAGE\_INDEX \mid (task, page\_index) \in \underline{a} llocated' \} \\ \setminus \{ page\_index: PAGE\_INDEX \mid (task, page\_index) \in \underline{a} llocated \} \\ ``` **Service Definition 38** (Allocates Read Region) A state transition allocates a readable region at page\_index in task's virtual address space if page\_index is allocated for task with read access in the final state but not in the initial state. ``` Allocates Read Region \\ task: TASK \\ page\_index: PAGE\_INDEX \\ Transition \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ page\_index \in \{ page\_index: PAGE\_INDEX \mid (task, page\_index) \in \underline{a} llocated' \\ \land Read \in protection'(task, page\_index) \} \\ \setminus \{ page\_index: PAGE\_INDEX \mid (task, page\_index) \in \underline{a} llocated \\ \land Read \in protection(task, page\_index) \} ``` **Service Definition 39** (Allocates Write Region) A state transition allocates a writable region at page\_index in task's virtual address space if page\_index is allocated for task with write access in the final state but not in the initial state. ``` Allocates Write Region \\ task: TASK \\ page\_index: PAGE\_INDEX \\ Transition \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ page\_index \in \{page\_index: PAGE\_INDEX \mid (task, page\_index) \in \underline{a}llocated' \\ \land Write \in protection'(task, page\_index) \} \\ \setminus \{page\_index: PAGE\_INDEX \mid (task, page\_index) \in \underline{a}llocated \\ \land Write \in protection(task, page\_index) \} ``` **Service Definition 40** (Allocates Execute Region) A state transition allocates an executable region at page\_index in task's virtual address space if page\_index is allocated for task with execute access in the final state but not in the initial state. ``` \begin{array}{l} Allocates Execute Region \\ \hline task : TASK \\ page\_index : PAGE\_INDEX \\ \hline Transition \\ \hline task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ page\_index \in \{ page\_index : PAGE\_INDEX \mid (task, page\_index) \in \underline{a}llocated' \\ & \land Execute \in protection'(task, page\_index) \} \\ & \land Execute \in protection(task, page\_index) \} \\ & \land Execute \in protection(task, page\_index) \} \end{array} ``` Editorial Note: The preceding four services are all performed by the **vm\_allocate**, **vm\_allocate\_secure** and **vm\_map** requests. It was realized recently that the FSPM and the prototype contained different checks related to these requests/services and that neither was "correct". This draft of the FSPM contains corrected requirements for these services. The prototype will be modified at a later date to implement these new requirements. These services are also performed by **mach\_msg**. We need to consider what permission checks are required in this case. (It appears that the prototype is checking read, write and execute permissions, but not $Allocate\_vm\_region$ and $Map\_vm\_region$ .) **Service Definition 41** (Deallocates Region) A state transition deallocates a region in task's virtual address space if it decreases the number of pages intask's virtual address space. ``` \begin{array}{l} Deallocates Region \\ task: TASK \\ Transition \\ \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ \#\{\ page\_index: PAGE\_INDEX \mid (task, page\_index) \in \underline{a}\,llocated'\ \} \\ < \#\{\ page\_index: PAGE\_INDEX \mid (task, page\_index) \in \underline{a}\,llocated\ \} \end{array} ``` **Service Definition 42** (SetsProtection) A state transition changes the protection of a region in task's virtual address space if there is some page\_index for which either mach\_protection(task, page\_index) or max\_protection(task, page\_index) is altered. ``` Sets Protection \_ task : TASK Transition \exists page\_index : PAGE\_INDEX \bullet (task, page\_index) \in \underline{a} \ llocated \cap \underline{a} \ llocated' \land (\underline{m} \ ach\_protection'(task, page\_index) \neq \underline{m} \ ach\_protection(task, page\_index) \lor (\underline{m} \ ax\_protection'(task, page\_index) \neq \underline{m} \ ax\_protection(task, page\_index))) ``` **Service Definition 43** (SetsInheritance) A state transition changes the inheritance attributes of a region in task's virtual address space if there is some $page\_index$ for which $\underline{i}$ nheritance(task, $page\_index$ ) is altered. **Service Definition 44** (Modifies Region) A state transition modifies a memory region in task's virtual address space if there exists memory, page, and page\_offset such that page is associated with memory and page\_word\_rel(page, page\_offset) is altered. ## 6.5 Pager Services Mach's support for user pagers introduces threats that are not usually a concern. If a malicious task can act as the pager for an object, it can provide incorrect data for the object or make the object unavailable. The DTOS policy controls which tasks can page a memory (permission $Provide\_data$ ) and which tasks can make an object unavailable (permissions $Destroy\_object$ , $Change\_page\_locks$ , $Remove\_page$ ). Examples of more subtle threats are changing the set of precious pages and flushing dirty pages. In both cases, the kernel could fail to make the pager aware of modifications that have been made to the pages. The DTOS policy addresses these threats by controlling which tasks may change the set of precious pages or flush dirty pages (permissions $Make\_page\_precious$ , $Save\_page$ ). **Service Definition 45** (Changes Memory Object Attr) A state transition changes the attributes of memory if it alters copy\_strateqy(memory) or adds or removes memory from may\_cache. ``` Changes Memory Object Attr \\ memory: MEMORY \\ Transition \\ memory \in \underline{m}emory\_exists \cap \underline{m}emory\_exists' \\ (\neg (memory \in \underline{i}nitialized' \Leftrightarrow memory \in \underline{i}nitialized) \\ \lor \underline{c}opy\_strategy'(memory) \neq \underline{c}opy\_strategy(memory) \\ \lor \neg (memory \in \underline{m}ay\_cache' \Leftrightarrow memory \in \underline{m}ay\_cache)) \\ \end{cases} ``` **Service Definition 46** (Services Page Fault) A state transition services a page fault for memory if it removes a thread from the set of threads that memory\_fault indicates are waiting on a page from memory. **Service Definition 47 (**MakesPagePrecious**)** A state transition makes a page representing memory precious if there is a page representing memory that is added to or removed from precious. ``` \begin{array}{l} \textit{MakesPagePrecious} \\ \textit{memory} : \textit{MEMORY} \\ \textit{Transition} \\ \\ \exists \textit{page} : \textit{PAGE} \\ \bullet (\textit{page}, \textit{memory}) \in \textit{represented\_memory}' \\ \land \neg (\textit{page} \in \underline{\textit{precious}'} \Leftrightarrow \textit{page} \in \underline{\textit{precious}}) \end{array} ``` **Service Definition 48** (Changes Page Locks) A state transition modifies the locks on a page representing memory if there exists a page representing memory such that $\underline{p}$ age\_lock\_rel(page) is altered. $-ChangesPageLocks \\ memory: MEMORY \\ Transition \\ \exists page: PAGE \\ \bullet (page, memory) \in represented\_memory' \\ \land (\neg (page \in \text{dom } \underline{p} \, age\_lock\_rel' \Leftrightarrow page \in \text{dom } \underline{p} \, age\_lock\_rel) \\ \lor \underline{p} \, age\_lock\_rel'(page) \neq \underline{p} \, age\_lock\_rel(page))$ Editorial Note: The preceding two services (as well as SavesPage and RemovesPage below) do not currently have any associated policy requirements. We are considering whether the 12 permissions currently defined for memory control services can actually be reduced to a single permission indicating that the subject can serve as the pager for a given memory object. The case for doing this is that any usable pager probably needs to be allowed to use the entire paging protocol. Thus, the ability to page for a memory object may well be an all-or-nothing proposition. If so, nothing is gained by having 12 permissions. **Service Definition 49** (Destroys Memory) A state transition destroys memory if it removes memory from control\_port. $DestroysMemory \_$ memory : MEMORY Transition $memory \in dom control\_port \setminus dom control\_port'$ **Service Definition 50** (Saves Page) A state transition saves a dirty page representing memory if there exists a page representing memory such that page is removed from <u>dirty\_rel</u>. $SavesPage \_$ memory : MEMORY Transition $\exists page : PAGE$ $\bullet (page, memory) \in represented\_memory$ $\land page \in \underline{d}irty\_rel \setminus \underline{d}irty\_rel'$ **Service Definition 51** (Removes Page) A state transition removes a page representing memory if there exists a page representing memory such that page is removed from represented\_memory. $Removes Page \\ memory: MEMORY \\ Transition \\ \exists \ page: PAGE \\ \bullet \ (page, memory) \in represented\_memory \setminus represented\_memory'$ #### 6.6 Thread Services The attributes associated with a thread determine if and when a thread may execute. Modification of these attributes can lead to denial of service conditions. For example, if a malicious task depresses the priority of a thread, that thread might be prevented from executing. As another example, a malicious task could prevent a thread from executing by incrementing the thread's suspend count. The DTOS policy addresses such threats by controlling modifications to thread attributes ( $Assign\_thread\_to\_pset$ , $Set\_max\_thread\_priority$ , $Set\_thread\_policy$ , $Terminate\_thread$ , $Set\_thread\_priority$ , $Depress\_pri$ ). The resumption of a thread is also a concern. For example, if a thread is resumed before an event that it is waiting on has completed, then the thread might fail to operate correctly. The DTOS policy addresses this threat by controlling which tasks can decrement a thread's suspend count (permissions $Initiate\_secure$ , $Resume\_thread$ ). Another threat to threads is that a malicious task can change the thread's sself or exception port. If the sself port is changed before the thread gets a send right to it, then when the thread requests a send right to its kernel port, it is given a right to the sself port instead. When the thread later attempts to send kernel requests to its kernel port, the requests will actually be sent to other ports. If the exception port is changed, then the thread will not receive exception messages and might fail to operate properly. The DTOS policy addresses these threats by controlling the changing of a thread special port (permissions $Set\_thread\_kernel\_port$ , $Set\_thread\_exception\_port$ ). A more subtle threat is the changing of a thread's program counter. Doing so will change the location in memory from which the thread is reading instructions. Problems that could occur include the thread attempting an illegal instruction and failing or the thread skipping over a section of its code that performs some security check. The DTOS policy addresses this threat by controlling which tasks have access to a thread's register set (permission Set\_thread\_state). **Service Definition 52** (Depresses Priority) A state transition depresses thread's priority if it adds thread to depressed\_threads, the set of depressed threads. ``` \begin{array}{c} \_DepressesPriority \_\_\\ thread: THREAD\\ Transition \\ \hline\\ thread \in \underline{d}epressed\_threads' \setminus \underline{d}epressed\_threads \end{array} ``` **Service Definition 53** (AbortsPriorityDepression) A state transition aborts the depression of thread's priority if it removes thread from <u>depressed\_threads</u>, the set of depressed threads. ``` \_AbortsPriorityDepression\_\_ thread: THREAD Transition thread \in \underline{t}hread\_exists' \cap (\underline{d}epressed\_threads \setminus \underline{d}epressed\_threads') ``` **Service Definition 54** (Assigns Thread) A state transition assigns thread to proceet if it adds thread to have\_assigned\_threads(proceet), the set of threads assigned to proceet. ``` Assigns Thread \\ thread: THREAD \\ procset: PROCESSOR\_SET \\ Transition \\ procset \in \underline{procset\_exists} \cap \underline{procset\_exists'} \\ thread \in \underline{t}hread\_exists \cap (have\_assigned\_threads'(procset) \\ \land have\_assigned\_threads(procset)) ``` **Service Definition 55** (Resumes Thread) A state transition resumes thread in the normal Mach paradigm if it decrements $\underline{t}$ hread\_suspend\_count(thread) without changing the task create state of the associated task. ``` Resumes Thread \_ thread: THREAD \_ Transition thread \in \underline{t}hread_exists \cap \underline{t}hread_exists' \underline{t}hread_suspend_count'(thread) < \underline{t}hread_suspend_count(thread) \underline{t}ask_creation_state'(owning_task(thread)) = \underline{t}ask_creation_state(owning_task(thread)) ``` **Service Definition 56** (Makes TaskReady) A state transition resumes thread in the DTOS cross-context-create paradigm if it decrements $\underline{t}hread\_suspend\_count(thread)$ and changes the task create state of the associated task to $Tcs\_task\_ready$ . Note that this service is a DTOS enhancement. ``` \begin{array}{l} \textit{MakesTaskReady} \\ \textit{thread}: \textit{THREAD} \\ \textit{Transition} \\ \\ \textit{thread} \in \underline{\textit{thread\_exists}'} \cap \underline{\textit{thread\_exists}} \\ \underline{\textit{thread\_suspend\_count}'(\textit{thread})} < \underline{\textit{thread\_suspend\_count}(\textit{thread})} \\ \underline{\textit{task\_creation\_state}(\textit{owning\_task}(\textit{thread}))} \neq \textit{Tcs\_task\_ready} \\ \underline{\textit{task\_creation\_state}'(\textit{owning\_task}(\textit{thread}))} = \textit{Tcs\_task\_ready} \\ \\ \end{array} ``` **Service Definition 57** (Increments Thread MaxPriority) A state transition increments thread's maximum priority if $\underline{t}$ hread\_max\_priority(thread) is incremented and thread assignments do not change. ``` Increments Thread Max Priority \\ thread: THR EAD \\ Transition \\ thread \in \underline{t}hread\_exists \cap \underline{t}hread\_exists' \\ \underline{t}hread\_max\_priority'(thread) > \underline{t}hread\_max\_priority(thread) \\ have\_assigned\_threads' = have\_assigned\_threads ``` **Service Definition 58** (Decrements Thread Max Priority) A state transition decrements thread's maximum priority if $\underline{t}hread\_max\_priority(thread)$ is decremented and thread assignments do not change. ``` \begin{array}{l} Decrements Thread Max Priority \_\\ \hline thread: THREAD \\ Transition \\ \hline thread \in \underline{t}hread\_exists \cap \underline{t}hread\_exists' \\ \underline{t}hread\_max\_priority'(thread) < \underline{t}hread\_max\_priority(thread) \\ have\_assigned\_threads' = have\_assigned\_threads \\ \end{array} ``` Editorial Note: Care must be taken in mapping the prior two services to the implementation. The higher the numeric value of a priority, the lower the priority. Thus, incrementing a priority is a decrease in priority while decrementing a priority is an increase in priority. **Service Definition 59** (Sets Thread Priority) A state transition sets thread's priority if $\underline{t}hread\_priority(thread)$ is altered, $\underline{t}hread\_max\_priority(thread)$ does not change, the depression status of no thread changes and thread assignments do not change. ``` Sets Thread Priority \_ thread : THREAD Transition thread \in \underline{t}hread\_exists \cap \underline{t}hread\_exists' \underline{t}hread\_priority'(thread) \neq \underline{t}hread\_priority(thread) \underline{t}hread\_max\_priority'(thread) = \underline{t}hread\_max\_priority(thread) \underline{d}epressed\_threads' = \underline{d}epressed\_threads have\_assigned\_threads' = have\_assigned\_threads ``` **Service Definition 60** (Sets Thread Policy) A state transition sets thread's policy if $\underline{t}$ hread\_sched\_policy(thread) is altered and thread assignments have not changed. ``` Sets Thread Policy \_ thread : THR EAD Transition thread \in \underline{t}hread\_exists \cap \underline{t}hread\_exists' \underline{t}hread\_sched\_policy'(thread) \neq \underline{t}hread\_sched\_policy(thread) have\_assigned\_threads' = have\_assigned\_threads ``` **Service Definition 61 (**Sets Thread Kernel Port**)** A state transition sets thread's kernel port if it alters thread\_sself(thread), thread's kernel port. Note that thread\_sself(thread) may be undefined in either the current or new state. <sup>13</sup> <sup>&</sup>lt;sup>13</sup>The expression R(S) denotes the relational image of the set S under relation R (i.e., the set of all values to which an element of S is mapped by R). ``` Sets Thread Kernel Port \\ thread: THR EAD \\ Transition \\ thread \in \underline{t}hread\_exists \cap \underline{t}hread\_exists' \\ thread\_sself' (\{thread\}) \neq thread\_sself (\{thread\}) ``` **Service Definition 62** (Sets Thread Exception Port) A state transition sets thread's exception port if it alters thread\_eport(thread), thread's exception port. Note that thread\_eport(thread) may be undefined in either the current or new state. ``` Sets Thread Exception Port \\ thread: THREAD \\ Transition \\ thread \in \underline{t}hread\_exists \cap \underline{t}hread\_exists' \\ thread\_eport'(\{thread\}) \neq thread\_eport(\{thread\}) ``` **Service Definition 63** (Makes Thread Owner Ready) A state transition sets thread's machine state in the DTOS cross-context-create paradigm if thread\_state(thread) is altered and the task creation state of the associated task is set to Tcs\_thread\_state\_set. Note that this service is a DTOS enhancement. **Service Definition 64** (SuspendsThread) A state transition suspends thread if it increments $\underline{t}hread\_suspend\_count(thread)$ . ``` Suspends\ Thread = thread : THREAD Transition thread \in \underline{t}hread\_exists \cap \underline{t}hread\_exists' \underline{t}hread\_suspend\_count'(thread) > \underline{t}hread\_suspend\_count(thread) ``` **Service Definition 65** (Terminates Thread) A state transition terminates thread if it removes thread from $\underline{t}$ hread\_exists, the set of existing threads without removing its parent task from $\underline{t}$ ask\_exists. ``` -Terminates Thread \\ thread: THR EAD \\ Transition \\ \exists \ task: TASK \\ \bullet \ task \in \underline{t} ask\_exists \cap \underline{t} ask\_exists' \\ \land \ owning\_task(thread) = task \\ thread \in \underline{t} hread\_exists \setminus \underline{t} hread\_exists' ``` **Service Definition 66** (Enables Thread Sampling) A state transition enables sampling for thread if thread is added to sampled\_threads, the set of threads currently being sampled. ``` \_EnablesThreadSampling \_\_ thread: THREAD Transition thread \in \underline{s}ampled\_threads' \setminus \underline{s}ampled\_threads ``` **Service Definition 67** (Disables ThreadSampling) A state transition disables sampling for thread if thread is removed from <u>sampled\_threads</u>, the set of threads currently being sampled. #### 6.7 Task Services Many of the task services are analogous to thread services. For example, there is a task suspend service that is analogous to the thread suspend service. Due to the similarity of the requests, there are similar threats to be addressed and the DTOS policy addresses those threats using task permissions analogous to the thread permissions used to address the thread services. An example of a threat that is specific to tasks is the manipulation of emulation vectors. If correct operation of a task requires it use some emulation library, then the task can be caused to fail by modifying its emulation vector. The DTOS policy addresses this threat by controlling which tasks are allowed to modify each task's emulation vector (permission $Set\_emulation$ ). The DTOS policy with respect to MIDs is tranquil in that once the kernel associates a MID with an entity, the entity remains bound to the same MID. For tasks, we represent this by defining a service, Changes TaskMid, that characterizes the changing of a task's MID and then prohibiting this service in Section 7. However, the AID of a task may be allowed to change. A service, $Changes\ TaskAid$ , is defined to characterize the changing of a task's AID. **Service Definition 68** (AddsThread) A state transition adds a thread to task in the normal Mach paradigm if it adds a thread to threads(task), the set of threads belonging to task, and does not change the task creation state of task. ``` \begin{array}{l} AddsThread \\ task: TASK \\ Transition \\ \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ \underline{t}ask\_creation\_state'(task) = \underline{t}ask\_creation\_state(task) \\ \exists \ thread: THREAD \bullet \ thread \in threads'(task) \setminus threads(task) \\ \end{array} ``` **Service Definition 69** (Adds Thread Secure) A state transition adds a thread to task in the DTOS cross-context-create paradigm if it adds a thread to threads(task), the set of threads belonging to task, and changes the task creation state of task to Tcs\_thread\_created. Note that this service is a DTOS enhancement. ``` -AddsThreadSecure \\ task: TASK \\ Transition \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ \underline{t}ask\_creation\_state'(task) \neq \underline{t}ask\_creation\_state(task) \\ \underline{t}ask\_creation\_state'(task) = Tcs\_thread\_created \\ \exists thread: THREAD \bullet thread \in threads'(task) \setminus threads(task) ``` **Service Definition 70** (Assigns Task) A state transition assigns an existing task to procset if it adds task to the set have\_assigned\_tasks (procset). ``` \begin{array}{l} Assigns\,Task \\ task:\,TASK \\ procset:\,PROCESSOR\_SET \\ Transition \\ \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ procset \in \underline{p}rocset\_exists \cap \underline{p}rocset\_exists' \\ task \in have\_assigned\_tasks'(procset) \setminus have\_assigned\_tasks(procset) \end{array} ``` **Service Definition 71** (Sets TaskPriority) A state transition sets task's priority if it changes the value of $\underline{t}$ ask\_priority (task). ``` Sets Task Priority \_ task : TASK Transition task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \underline{t}ask\_priority'(task) \neq \underline{t}ask\_priority(task) ``` **Service Definition 72** (*Creates Task*) A state transition creates child in the normal Mach paradigm if it adds child to <u>task\_exists</u> and sets child's task creation state to Tcs\_task\_ready. **Service Definition 73** (Creates Task Secure) A state transition creates child in the DTOS cross-context-create paradigm if it adds child to <u>task\_exists</u> and sets child's task creation state to Tcs\_task\_empty. Note that this service is a DTOS enhancement. ``` Creates Task Secure \_ child : TASK Transition child \in \underline{t}ask\_exists' \setminus \underline{t}ask\_exists \underline{t}ask\_creation\_state'(child) = Tcs\_task\_empty ``` **Service Definition 74** (InvTaskCreationStateTrans) A state transition changes task's creation state inappropriately if it does not follow the pattern non-existent $\rightarrow Tcs\_task\_ready$ or the pattern non-existent $\rightarrow Tcs\_task\_empty \rightarrow Tcs\_thread\_created \rightarrow Tcs\_thread\_state\_set \rightarrow Tcs\_task\_ready$ . ``` Inv Task Creation State Trans \\ task : TASK \\ Transition \\ (task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ \land (\textbf{let } tcs_1 == \underline{t}ask\_creation\_state(task); tcs_2 == \underline{t}ask\_creation\_state'(task) \\ \bullet tcs_1 \neq tcs_2 \\ \land (tcs_1, tcs_2) \notin \{ (Tcs\_task\_empty, Tcs\_thread\_created), \\ (Tcs\_thread\_created, Tcs\_thread\_state\_set), \\ (Tcs\_thread\_state\_set, Tcs\_task\_ready) \})) \\ \lor (task \in \underline{t}ask\_exists' \setminus \underline{t}ask\_exists \\ \land \underline{t}ask\_creation\_state'(task) \notin \{ Tcs\_task\_empty, Tcs\_task\_ready \}) ``` **Service Definition 75** (Resumes Task) A state transition resumes task if it decrements $\underline{t}$ ask\_suspend\_count(task). ``` Resumes Task \_ task : TASK Transition task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \underline{t}ask\_suspend\_count'(task) < \underline{t}ask\_suspend\_count(task) ``` **Service Definition 76** (SetsEmulationVector) A state transition sets an emulation vector for task if it alters $\underline{e}$ mulation\_vector(task). ``` SetsEmulationVector \\ task: TASK \\ Transition \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ \underline{e}mulation\_vector(task) \neq \underline{e}mulation\_vector'(task) ``` **Service Definition 77** (Suspends Task) A state transition suspends task if it increments $task\_suspend\_count(task)$ . ``` Suspends Task \\ task : TASK \\ Transition \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ \underline{t}ask\_suspend\_count'(task) > \underline{t}ask\_suspend\_count(task) ``` **Service Definition 78** (SetsTaskKernelPort) A state transition sets task's kernel port if $task\_sself(task)$ is altered. Note that $task\_sself(task)$ may be undefined in either the current or new state. 14 ``` Sets Task Kernel Port \\ task : TASK \\ Transition \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ task\_sself'(\{task\}) \neq task\_sself(\{task\}) ``` **Service Definition 79** (SetsTaskExceptionPort) A state transition sets task's exception port if $task\_eport(task)$ is altered. Note that $task\_eport(task)$ may be undefined in either the current or new state. ``` Sets Task Exception Port \\ task : TASK \\ Transition \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ task\_eport'(\{task\}) \neq task\_eport(\{task\}) ``` **Service Definition 80** (SetsTaskBootPort) A state transition sets task's boot port if $task\_bport(task)$ is altered. Note that $task\_bport(task)$ may be undefined in either the current or new state. <sup>&</sup>lt;sup>14</sup>The expression R(S) denotes the relational image of the set S under relation R (i.e., the set of all values to which an element of S is mapped by R). ``` Sets Task BootPort \\ task : TASK \\ Transition \\ task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' \\ task\_bport'(\{task\}) \neq task\_bport(\{task\}) ``` **Service Definition 81** (Terminates Task) A state transition terminates task if it removes task from $\underline{t}ask\_exists$ . ``` \begin{array}{c} Terminates Task \\ \hline task : TASK \\ \hline Transition \\ \hline task \in \underline{t}ask\_exists \setminus \underline{t}ask\_exists' \\ \end{array} ``` **Service Definition 82** (*Enables TaskSampling*) A state transition enables sampling for task if task is added to <u>sampled\_tasks</u>, the set of tasks currently being sampled. ``` \_EnablesTaskSampling \_ task: TASK Transition task \in \underline{sampled\_tasks'} \setminus \underline{sampled\_tasks} ``` **Service Definition 83** (Disables TaskSampling) A state transition disables sampling for task if task is removed from <u>sampled\_tasks</u>, the set of tasks currently being sampled, and task still exists. ``` \_Disables Task Sampling \_ task : TASK Transition task \in \underline{task\_exists'} task \in \underline{sampled\_tasks} \setminus \underline{sampled\_tasks'} ``` **Service Definition 84** (Changes TaskMid) A state transition changes a task's MID if it alters $task\_mid(task)$ . **Service Definition 85** (Changes TaskAid) A state transition changes a task's AID if it alters $task\_aid(task)$ . ``` Changes TaskAid \_ task : TASK Transition task \in \underline{t}ask\_exists \cap \underline{t}ask\_exists' task\_aid'(task) \neq task\_aid(task) ``` #### 6.8 Host Name Port Services Mach allows tasks holding a send right to the host name port to create new processor sets. Such tasks might be able to cause a resource exhaustion condition by creating a large number of processor sets. The DTOS policy addresses this threat by controlling which tasks are allowed to create processor sets (permission $Create\_pset$ ). The DTOS prototype services requests to remove permission sets from the permissions cache through the host name port. Tasks that can remove entries from the cache can deny service by revoking access to resources. The DTOS policy addresses this threat by controlling which tasks can remove entries from the permissions cache (permission $Flush\_permission$ ). The DTOS prototype also services requests to change the Security Server Port through the host name port. Since this is the port that indicates where the kernel should send requests for access computations, the security of the system can be compromised if it is set inappropriately. The DTOS policy addresses this threat by controlling which tasks can alter the Security Server Port (permission Set\_security\_master\_port). **Service Definition 86** (Creates Procset) A state transition creates a processor set procset if procset is added to procset\_exists. **Service Definition 87** (Flushes Cache) A state transition flushes an entry from the kernel's permission cache if it removes a ruling from <u>cache</u> that has not yet expired. **Service Definition 88** (SetsSecServerMasterPort) A state transition changes the Security Server master port if it alters the value of security\_server\_master\_port. | SetsSecServerMasterPort | |------------------------------------------------------------------------------------------| | Transition | | Transition | | $\overline{security\_server\_master\_port'} \neq security\_server\_master\_port$ | | $\underline{s}$ ecuruy_server_muster_port $\neq \underline{s}$ ecuruy_server_muster_port | **Service Definition 89** (SetsSecServerClientPort) A state transition changes the Security Server client port if it alters the value of security\_server\_client\_port. ``` SetsSecServerClientPort\_ Transition \underline{s}ecurity\_server\_client\_port' \neq \underline{s}ecurity\_server\_client\_port} ``` **Service Definition 90** (SetsAuthenticationServer) A state transition changes the Authentication Server Port if it alters the value of <u>a</u>uthentication\_server\_port. ``` Sets Authentication Server \_ Transition \underline{authentication\_server\_port'} \neq \underline{authentication\_server\_port} ``` **Service Definition 91** (SetsAuditServer) A state transition changes the Audit Server Port if it alters the value of $\underline{a}udit\_server\_port$ . ``` SetsAuditServer \_ Transition \underline{audit\_server\_port'} \neq \underline{audit\_server\_port} ``` **Service Definition 92** (Sets Crypto Server) A state transition changes the Crypto Server Port if it alters the value of <u>crypto\_server\_port</u>. **Service Definition 93** (SetsNegotiationServer) A state transition changes the Negotiation Server Port if it alters the value of negotiation\_server\_port. ``` Sets Negotiation Server \_ Transition \underline{n}_{egotiation} \_ server \_ port' \neq \underline{n}_{egotiation} \_ server \_ port ``` **Service Definition 94** (SetsNetworkSecurityServer) A state transition changes the Network Security Server Port if it alters the value of <u>network\_ss\_port</u>. ``` Sets Network Security Server \\ \hline Transition \\ \underline{n}etwork\_ss\_port' \neq \underline{n}etwork\_ss\_port ``` Composite Service Definition 9 A state transition sets a special port if it performs one of the services SetsAuditServer, SetsAuthenticationServer, SetsSecServerClientPort, SetsSecServerMasterPort, SetsCryptoServer, SetsNegotiationServer or SetsNetworkSecurityServer. $SetsSpecialPort \triangleq SetsAuditServer \lor SetsAuthenticationServer \\ \lor SetsSecServerClientPort \lor SetsSecServerMasterPort \lor SetsCryptoServer \\ \lor SetsNegotiationServer \lor SetsNetworkSecurityServer$ #### 6.9 Host Control Port Services Mach allows tasks holding a send right to the host control port to change the value of the system clock. For applications that use time stamps to ensure consistency, the changing of time can lead to integrity concerns. The DTOS policy addresses this threat by controlling which tasks can change the value of the system clock (permission $Set\_time$ ). The host control port can also be used to change the default memory manager port recorded by the kernel. If the receiver for the new port does not provide the same functionality as the "real" default manager, then temporary objects would no longer be paged properly. The DTOS policy addresses this threat by controlling which tasks can change the default manager port (permission $Set\_default\_memory\_mgr$ ). Another privileged operation that can be performed through the host control port is the wiring of threads into memory. If arbitrary tasks are permitted to wire threads, then the kernel resources can easily be exhausted. The DTOS policy addresses this threat by controlling which tasks are permitted to wire threads (permission $Wire\_thread$ ). Note that the Mach approach to controlling privileged host operations is to limit the tasks that hold a send right to the host control port. However, there is always the possibility that a task that holds such a right might accidentally transfer it to an inappropriate task. Furthermore, it is not necessarily true that every task that needs to execute a privileged host operation needs to execute all privileged host operations. The DTOS approach addresses the first problem by separating the holding of a right from the ability to use the right. For example, a task must have $Set\_time$ permission in addition to holding a send right to the host control port to set the system clock. The DTOS approach addresses the second problem by using a separate permission to control each service. For example, a task might be permitted to wire threads while not being permitted to load entries into the permissions cache. **Service Definition 95** (Changes Wiring) A state transition wires or unwires memory in task's address space if there exists a page\_index such that This permission is enforced on an implementation service rather than an abstract service since the time may change during virtually any system transition. The prototype prevents any change (increasing or decreasing) via the request **host\_set\_time** if $Set\_time$ permission is not held. - $\blacksquare$ <u>w</u>ire\_count(task, page\_index) is altered, and - the portions of memory that are allocated do not change. Note that this might have no effect on the wiring of the page to which the page\_index is mapped since the page might be wired for a different memory region or it might be wired multiple times for the region affected by this transition. **Service Definition 96** (SetsDefaultManager) A state transition sets the system's default manager if it alters <u>d</u>efault\_mem\_manager. ``` SetsDefaultManager \_ Transition \underline{d}efault\_mem\_manager' \neq \underline{d}efault\_mem\_manager} ``` **Service Definition 97** (Wires Thread) A state transition wires or unwires thread if it adds or removes thread from threads\_wired. ``` - Wires Th read \\ thread : THR EAD \\ Transition \\ thread \in \underline{t}hread\_exists \cap \underline{t}hread\_exists' \\ thread \in \underline{t}hreads\_wired' \setminus \underline{t}hreads\_wired \\ \lor thread \in \underline{t}hreads\_wired \setminus \underline{t}hreads\_wired' ``` #### 6.10 Processor Services Mach allows tasks to change the execution status of a processor. For example, processing on a processor can be stopped by "exiting" the processor. As another example, a processor can be moved into a different processor set that schedules threads differently than the processor's initial processor set. The DTOS policy addresses these threats by controlling which tasks can perform operations on processors (permissions $Assign\_processor\_to\_set$ , $May\_control\_processor$ ). As with privileged host operations, Mach controls these operations through the use of capabilities. Once again, the DTOS control mechanisms are much stronger and more flexible (see the discussion in Section 6.9). **Service Definition 98** (Assigns Processor) A state transition assigns a processor proc to a processor set process if proc is added to processors (process). ``` Assigns Processor \\ proc : PROCESSOR \\ procset : PROCESSOR\_SET \\ Transition \\ \hline procset \in \underline{p}rocset\_exists' \cap \underline{p}rocset\_exists \\ proc \in processors'(procset) \setminus processors(procset) ``` **Service Definition 99** (Exits Processor) A state transition causes a processor proc to be exited if it removes it from the processor set specified by proc\_assigned\_procset(proc) and does not add proc to any other processor set. ``` \_ExitsProcessor\_\\proc: PROCESSOR\\Transition\_\\proc \in (\text{dom }proc\_assigned\_procset) \setminus (\text{dom }proc\_assigned\_procset') ``` #### 6.11 Processor Set Control Port Services Mach allows a task holding a send right to a processor set control port to destroy the processor set. This can adversely impact the scheduling of threads executing on the processor set. Similar effects can also be achieved by changing the scheduling policies supported by the processor set or the maximum priority allowed for threads assigned to the processor set. The DTOS policy addresses these threats by controlling which tasks may operate on a processor set (permissions <code>Destroy\_pset, Chg\_pset\_max\_pri, Invalidate\_scheduling\_policy, Define\_new\_scheduling\_policy)</code>. As with privileged host operations, Mach controls these operations through the use of capabilities. Once again, the DTOS control mechanisms are much stronger and more flexible (see the discussion in Section 6.9). **Service Definition 100 (**DestroysProcset**)** A state transition destroys a processor set procset if procset is removed from procset\_exists. ``` \begin{array}{c} DestroysProcset \\ procset : PROCESSOR\_SET \\ Transition \\ \hline procset \in \underline{p} rocset\_exists \setminus \underline{p} rocset\_exists' \end{array} ``` **Service Definition 101** (SetsProcsetMaxPriority) A state transition sets the maximum scheduling priority for the processor set procset if it alters $ps\_max\_priority(procset)$ . ``` SetsProcsetMaxPriority\_\\procset: PROCESSOR\_SET\\Transition\\procset \in \underline{p}rocset\_exists \cap \underline{p}rocset\_exists'\\\underline{p}s\_max\_priority'(procset) \neq \underline{p}s\_max\_priority(procset) ``` **Service Definition 102** (Disables Policy) A state transition disables a scheduling policy for the processor set proceed if it removes an element from enabled\_sp(proceet). ``` Disables Policy \_ procset : PROCESSOR\_SET Transition procset \in \underline{p}rocset\_exists \cap \underline{p}rocset\_exists' \underline{e}nabled\_sp(procset) \setminus \underline{e}nabled\_sp'(procset) \neq \varnothing ``` **Service Definition 103** (EnablesPolicy) A state transition enables a scheduling policy for the processor set proceset if it adds an element to $enabled\_sp(procest)$ . #### 6.12 Kernel Reply Services The prototype uses kernel reply ports as the service ports for requests to add permission sets to the permissions cache. Tasks that can add entries to the cache can circumvent the DTOS policy. Tasks that can remove entries from the cache can deny service by revoking access to resources. The DTOS policy addresses this threat by controlling which tasks can add entries to the permissions cache (permissions $Provide\_permission$ ). **Service Definition 104** (Loads Cache) A state transition loads an entry into the kernel's permission cache if it adds a ruling to $\underline{e}$ ache. ``` Loads Cache = \\ kernel\_reply\_port : PORT \\ Transition \\ kernel\_reply\_port \in \underline{k}ernel\_reply\_ports \\ \exists ruling : Ruling \\ \bullet ruling \in \underline{c}ache' \setminus \underline{c}ache \\ \\ \end{bmatrix} ``` Editorial Note: We need to consider how to relate the ruling to kernel-reply-port in the above. #### 6.13 Device Services Tasks in Mach must first open or map a device before accessing the device. Confidentiality can be compromised if a task can open devices that are being used to input data that is inappropriate for the task. Integrity can be compromised if a task can output data through a device that a user believes is being controlled by a trusted task. Availability can be compromised if a task opens a device that only allows a single connection at a time. DTOS protects against these threats by controlling which tasks can open and map each device (permissions $Open\_device$ , $Map\_device$ ). Since service can also be denied by inappropriately closing a device, DTOS controls the closing of devices (permission $Close\_device$ ). Further protection is provided by controlling the transfer of data through open devices (permissions $Read\_device$ , $Write\_device$ ). More subtle attacks could be mounted by inappropriately setting the status of a device or the filter associated with a device. For example: - Packets received through a device could be routed to an inappropriate port as a result of that port being specified as the destination for a filter. - Packets might not be delivered as they should be due to a filter being changed. DTOS protects against these threats by controlling the setting of device status and device filters (permissions $Set\_device\_filter$ , $Set\_device\_status$ ). **Service Definition 105** (ClosesDevice) A state transition closes dev if it decrements $\underline{d}evice\_open\_count(dev)$ , the count of the number of times that dev has been opened and not closed. ``` \begin{array}{c} ClosesDevice \\ \hline dev:DEVICE \\ Transition \\ \hline \underline{device\_open\_count(dev)} > \underline{device\_open\_count'(dev)} \end{array} ``` **Service Definition 106** (Decreases Event Counter) A state transition decreases an event counter eve supplied by dev if eve is supplied by dev before and after the transition and the count associated with eve decreases. ``` Decreases Event Counter \_ dev: DEVICE Transition \exists evc: EVENT\_COUNTER \bullet evc \in \text{dom } \underline{e}vent\_count' \cap \text{dom } \underline{e}vent\_count \land dev = \underline{s} upplying\_device'(evc) = \underline{s} upplying\_device(evc) \land \underline{e}vent\_count'(evc) < \underline{e}vent\_count(evc) ``` Editorial Note: The service DecreasesEventCounter is not currently controlled in DTOS, but the addition of controls on this service as indicated in Section 7 are planned. **Service Definition 107** (MapsDevice) A state transition maps dev if it adds dev to $\underline{mapped\_devices}$ , the set of mapped devices. ``` \begin{array}{c} \textit{MapsDevice} \\ \textit{dev} : \textit{DEVICE} \\ \textit{Transition} \\ \\ \textit{dev} \in \underline{\textit{mapped\_devices}'} \setminus \underline{\textit{mapped\_devices}} \end{array} ``` **Service Definition 108 (**OpensDevice**)** A state transition opens dev if it increments $\underline{d}evice\_open\_count(dev)$ , the count of the number of times that dev has been opened and not closed. ``` \begin{array}{l} -OpensDevice \\ \hline dev: DEVICE \\ \hline Transition \\ \hline \underline{device\_open\_count(dev)} < \underline{device\_open\_count'(dev)} \end{array} ``` **Service Definition 109** (ReadsDevice) A state transition reads dev if it removes a record from $device\_in(dev)$ , the set of data records input through dev and not yet received. ``` ReadsDevice \\ dev: DEVICE \\ Transition \\ \exists \ device\_record: DEVICE\_RECORD \bullet \\ \underline{d}evice\_in(dev) = \langle device\_record \rangle \cap \underline{d}evice\_in'(dev) ``` **Service Definition 110 (**SetsDeviceFilter**)** A state transition "sets" a filter associated with dev if it changes device=filter=info(dev), the filter information associated with dev. ``` SetsDeviceFilter \_ dev: DEVICE Transition \underline{device\_filter\_info(dev) \neq \underline{d}evice\_filter\_info'(dev)} ``` **Service Definition 111 (**SetsDeviceStatus**)** A state transition changes the status associated with dev if it changes $\underline{d}evice\_status(dev)$ , the status information associated with dev. ``` SetsDeviceStatus = \\ dev: DEVICE \\ Transition \\ \underline{device\_status(dev)} \neq \underline{device\_status'(dev)} ``` **Service Definition 112 (**WritesDevice**)** A state transition writes dev if it adds a record to device\_out(dev), the set of data records output through dev and not yet delivered. #### 6.14 Outcall Services A kernel outcall occurs when the kernel sends a message to a port. We define abstract services for the outcalls that the kernel may make. These outcall services must be controlled since a task may cause an outcall to occur by making requests to the kernel. For example, when a task makes a kernel request it may direct the reply message to a given port. When the kernel processing of the request is finished, the kernel will perform an outcall, sending the reply message to the designated reply port. Thus, the task that made the original request has caused a message to be sent to the port. Even though the kernel is sending the message, we want to make sure the task that made the request has permission to send a message to the reply port. From the kernel's perspective, all of the outcalls require a check of permission $Can\_send.^{16}$ For outcalls that send reply messages to kernel requests, send exception messages or send a port notification, a non-kernel task must have the permission to send to the destination port of the outcall. There are several other types of outcall: **security fault** — The kernel sends a message to the security server requesting an access vector computation. page fault — The kernel sends a message to a pager via a memory object's pager port. pageout — The kernel's pageout daemon determines that a page must be paged out. send audit information — The kernel sends audit information to an audit port. forward network packet — The kernel forwards a network packet to a port for the UNIX server. In contrast to the outcalls described earlier, we require for these types of outcall that the kernel itself have $Can\_send$ permission to the destination port of the outcall message. Any effective client on whose behalf the kernel is executing need not have any permission to the destination $<sup>^{16}</sup>$ For several of the outcalls the server to which the outcall is sent should check additional permissions. As an example, when the security server receives a request to compute an access vector, it checks that the client has permission to make that request. These checks are server-dependent and we do not specify them at this time. port. This allows us to restrict the set of tasks that have $Can\_send$ permission for important ports such as the security server port. In the case of a page out outcall, the kernel is in fact acting on its own behalf and therefore needs $Can\_send$ permission. **Service Definition 113 (**MakesSecurityOutcall**)** A state transition makes a security outcall if the kernel sends a request to the security server port with operationSSI\_compute\_av\_id. **Service Definition 114** (Sends Pager Outcall) A state transition sends a pager outcall if the kernel sends a request with an operation in the set Pager\_request\_ids to the object (pager) port of a memory. **Service Definition 115** (Confirms Kernel Mem Op) A state transition confirms a memory operation by the kernel if the kernel sends a message with an operation in the set Mem\_obj\_confirmation\_ids. This message is sent to a reply port provided by the memory manager in an earlier kernel request to which this outcall is the reply. ``` ConfirmsKernelMemOp\_\\port: PORT\\Transition client = \underline{k}ernel\\\exists msg: MESSAGE\\ \bullet msg \in \underline{m}essage\_exists' \setminus \underline{m}essage\_exists\\ \land ((\underline{m}sg\_contents'(msg)).header).remote\_port = port\\ \land msg\_operation(msg) \in Mem\_obj\_confirmation\_ids ``` **Service Definition 116** (RaisesExceptionToThread) A state transition raises an exception to a thread if the kernel sends a message to the exception port of the thread with operation $Mach\_exception\_id$ . ``` Raises Exception To Thread thread: THREAD Transition client = \underline{k} ernel \exists msg: MESSAGE; port: PORT • (thread, port) \in thread\_eport \land msg \in \underline{m} essage_exists' \backslash \underline{m} essage_exists \land ((\underline{m}sg\_contents'(msg)).header).remote\_port = port \land msg\_operation(msg) = Mach\_exception\_id ``` **Service Definition 117** (Raises Exception To Task) A state transition raises an exception to a task if the kernel sends a message to the exception port of the task with operation Mach\_exception\_id. ``` Raises Exception To Task task : TASK Transition client = \underbrace{kernel} \exists msg : MESSAGE; port : PORT \bullet (task, port) \in task\_eport \land msg \in \underline{message\_exists'} \setminus \underline{message\_exists} \land ((\underline{msg\_contents'(msg)}).header).remote\_port = port \land msg\_operation(msg) = Mach\_exception\_id ``` **Service Definition 118** (SendsKernelReply) A state transition sends a reply from a kernel service request to a reply port if the kernel sends a message to the reply port with an operation in the set Kernel\_service\_reply\_ids. ``` Sends KernelReply \_ port : PORT Transition client = \underline{k}ernel \exists msg : MESSAGE \bullet msg \in \underline{m}essage\_exists' \setminus \underline{m}essage\_exists \land ((\underline{m}sg\_contents'(msg)).header).remote\_port = port \land msg\_operation(msg) \in Kernel\_service\_reply\_ids ``` **Service Definition 119** (Sends Notification) A state transition sends a notification message to a port if the kernel sends a message to the port with an operation in the setMach\_notify\_ids. ``` Sends Notification \\ port: PORT \\ Transition \\ \hline client = \underline{k}ernel \\ \exists \ msg: MESSAGE \\ \bullet \ msg \in \underline{m}essage\_exists' \setminus \underline{m}essage\_exists \\ \land ((\underline{m}sg\_contents'(msg)).header).remote\_port = port \\ \land \ msg\_operation(msg) \in Mach\_notify\_ids ``` **Service Definition 120** (SendsAuditData) A state transition sends audit data if the kernel sends a message to the $\underline{a}udit\_server\_port$ with an operation in the set $Audit\_ids$ . **Service Definition 121** (ForwardsNetworkPacket) A state transition forwards a network packet to port if the kernel sends a message to a port with the operation set to Forward\_net\_packet\_id. #### 6.15 Implementation Services **Service Definition 122** (Initiates Operation) A state transition initiates op if there is a request for op which is added to validated\_requests. service\_port is used to identify the port through which the request was received. ``` Initiates Operation op: OPERATION service_port: PORT Transition ∃ request: Request | request.request_op = op • request ∈ validated_requests' ⊎ validated_requests ``` The set of requests that are treated as implementation services and the permissions associated with these requests are identified in the implementation service tables in Section 7. The DTOS policy addresses each implementation service by only allowing it to be executed when the client holds the permission that the table identifies for the service. The DTOS request $task\_get\_special\_port$ can perform any one of three services — getting the kernel, exception or bootstrap port of the task — depending upon the value of one of its parameters. We identify each of these services separately. Similar statements apply to the $thread\_get\_special\_port$ and $thost\_get\_special\_port$ requests. We use the following Z identifiers to denote these services. ``` Implementation\_services : \mathbb{P} OPERATION Device_qet_status_id, Host_adjust_time_id, Host_qet_audit_port_id, Host\_get\_authentication\_port\_id\,,\,Host\_get\_boot\_info\_id\,, Host_get_crypto_port_id, Host_get_host_control_port_id, Host\_get\_negotiation\_port\_id, Host\_get\_network\_ss\_port\_id, Host_get_sec_server_client_port_id, Host_get_sec_server_port_id, Host_get_special_port_id, Host_get_time_id, Host_info_id, Host_kernel_version_id. Host_processor_set_priv_id. Host_processor_sets_id. Host_processors_id, Host_reboot_id, Host_set_time_id, Mach_host_self_id, Mach_port_extract_right_id, Mach_port_get_receive_status_id, Mach\_port\_get\_refs\_id, Mach\_port\_get\_set\_status\_id, Mach\_port\_names\_id, Mach_ports_lookup_id, Mach_port_type_id, Mach_port_type_secure_id, Mach\_task\_self\_id, Mach\_thread\_self\_id, Memory\_object\_get\_attributes\_id, Memory_object_lock_request_id, Processor_control_id, Processor_get_assignment_id, Processor_info_id, Processor_set_default_id, Processor_set_info_id, Processor_set_tasks_id, Processor_set_threads_id, Processor_start_id, Swtch_id, Swtch_pri_id, Task_get_assignment_id, Task_get_bootstrap_port_id, Task_get_emulation_vector_id, Task\_qet\_exception\_port\_id, Task\_qet\_kernel\_port\_id, Task\_qet\_sampled\_pcs\_id, Task_info_id, Task_ras_control_id, Task_threads_id, Thread_abort_id, Thread_get_assignment_id, Thread_get_exception_port_id, Thread\_get\_kernel\_port\_id, Thread\_get\_sampled\_pcs\_id, Thread\_get\_state\_id, Thread_info_id, Thread_set_state_id, Thread_set_state_secure_id, Thread_switch_id, Vm_copy_id, Vm_machine_attribute_id, Vm_read_id, Vm_region_id, Vm_region_secure_id, Vm_statistics_id: OPERATION ``` ``` \langle Device\_get\_status\_id, Host\_adjust\_time\_id, Host\_get\_audit\_port\_id, Host\_get\_authentication\_port\_id, Host\_get\_boot\_info\_id, Host\_get\_crypto\_port\_id, Host\_get\_host\_control\_port\_id, Host\_get\_negotiation\_port\_id, Host\_get\_network\_ss\_port\_id, Host_get_sec_server_client_port_id, Host_get_sec_server_port_id, Host_get_special_port_id, Host_get_time_id, Host_info_id, Host\_kernel\_version\_id, Host\_processor\_set\_priv\_id, Host_processor_sets_id, Host_processors_id, Host_reboot_id, Host_set_time_id, Mach_host_self_id, Mach_port_extract_right_id, Mach\_port\_get\_receive\_status\_id, Mach\_port\_get\_refs\_id, Mach\_port\_get\_set\_status\_id, Mach\_port\_names\_id, Mach\_ports\_lookup\_id, Mach_port_type_id, Mach_port_type_secure_id, Mach_task_self_id, Mach_thread_self_id, Memory_object_get_attributes_id, Memory_object_lock_request_id, Processor_control_id, Processor_get_assignment_id, Processor_info_id, Processor_set_default_id, Processor_set_info_id, Processor_set_tasks_id, Processor_set_threads_id, Processor_start_id, Swtch_id, Swtch_pri_id, Task\_get\_assignment\_id, Task\_get\_bootstrap\_port\_id, Task\_get\_emulation\_vector\_id, Task\_get\_exception\_port\_id, Task_get_kernel_port_id, Task_get_sampled_pcs_id, Task_info_id, Task_ras_control_id, Task_threads_id, Thread_abort_id, Thread\_get\_assignment\_id, Thread\_get\_exception\_port\_id, Thread\_get\_kernel\_port\_id, Thread\_get\_sampled\_pcs\_id, Thread\_get\_state\_id, Thread_info_id, Thread_set_state_id, Thread_set_state_secure_id, Thread_switch_id, Vm_copy_id, Vm_machine_attribute_id, Vm_read_id, Vm\_region\_id, Vm\_region\_secure\_id, Vm\_statistics\_id Values\_partition\ Implementation\_services ``` Section 7 # **Base Kernel Policy** This section identifies which permission governs each service and which SSI and OSI are used to perform the permissions check. The security policy is simply that a service is only permitted when the permission associated with the service is recorded as being appropriate for the identified SSI and OSI. This section is organized by SSI-OSI pairs. For each SSI-OSI pair, we provide a table identifying the relevant services and their associated permissions. Each table entry is also formalized in Z. Note that primed terms are used to indicate values in the state following a transition. For example, $\underline{port\_sid'(port)}$ denotes the SID that port will have after the transition rather than port's SID before the transition. This notation is used to state requirements on the creation of entities. For example, when a port is being created, it has no SID in the initial state. Specifying a check on $\underline{port\_sid'(port)}$ indicates that a check should be performed on the SID that port will have after it is created. 7.1 Requirements on client to $port\_sid'(device\_port'(dev))$ Accesses | Abstract Service | Required Permission | |------------------|---------------------| | OpensDevice(dev) | Open_device | $\forall Transition; dev : DEVICE$ - $\bullet \ (\mathbf{let} \ \mathit{perm\_set} == \mathit{kernel\_allows}(\mathit{client\_sid}, \mathit{port\_sid'}(\mathit{device\_port'}(\mathit{dev})))$ - $(OpensDevice \Rightarrow Open\_device \in perm\_set))$ - 7.2 Requirements on client to port\_sid'(task\_self'(child)) Accesses | Abstract Service | Required Permission | |-----------------------------|----------------------| | Creates Task Secure (child) | Cross_context_create | $\forall Transition; child : TASK$ - (let $perm\_set == kernel\_allows(client\_sid, port\_sid'(task\_self'(child)))$ - $(CreatesTaskSecure \Rightarrow Cross\_context\_create \in perm\_set))$ - 7.3 Requirements on client to $\underline{p}$ $ort\_sid'(task\_self'(task))$ Accesses | Abstract Service | Required Permission | |-------------------------|---------------------| | Changes Task Aid (task) | Make_sid | ``` \forall \ Transition; \ task : TASK \\ \bullet \ (\textbf{let} \ perm\_set == \ kernel\_allows(client\_sid, port\_sid'(task\_self'(task))) ``` • $(ChangesTaskAid \Rightarrow Make\_sid \in perm\_set))$ ### 7.4 Requirements on client to $port\_sid(device\_port(dev))$ Accesses | Abstract Service | Required Permission | |-------------------------------|---------------------| | ClosesDevice(dev) | Close_device | | Decreases Event Counter (dev) | Wait_evc | | MapsDevice(dev) | $Map\_device$ | | ReadsDevice (dev) | Read_device | | SetsDeviceFilter(dev) | Set_device_filter | | SetsDeviceStatus(dev) | Set_device_status | | WritesDevice(dev) | $Write\_device$ | $\forall Transition; dev : DEVICE$ - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(device\_port(dev)))$ - $(ClosesDevice \Rightarrow Close\_device \in perm\_\overline{set})$ - $\land (DecreasesEventCounter \Rightarrow Wait\_evc \in perm\_set)$ - $\land (MapsDevice \Rightarrow Map\_device \in perm\_set)$ - $\land (ReadsDevice \Rightarrow Read\_device \in perm\_set)$ - $\land (SetsDeviceFilter \Rightarrow Set\_device\_filter \in perm\_set)$ - $\land (SetsDeviceStatus \Rightarrow Set\_device\_status \in perm\_set)$ - $\land (WritesDevice \Rightarrow Write\_device \in perm\_set))$ ### 7.5 Requirements on client to $port\_sid(\underline{h}ost\_control\_port)$ Accesses | | Abstract Service | Required Permission | |---|-------------------------|-----------------------------| | ſ | Changes Wiring (task) | $Wire\_vm$ | | ſ | SetsDefaultManager | $Set\_default\_memory\_mgr$ | | Ī | Wires Th read (th read) | $Wire\_th read$ | #### $\forall Transition$ - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(\underline{h}ost\_control\_port))$ - $\bullet \ (SetsDefaultManager \Rightarrow Set\_default\_memory\_mgr \in perm\_set))$ $\forall$ Transition; task: TASK - $\bullet \ (\mathbf{let} \ \mathit{perm\_set} == \ \mathit{kernel\_allows}(\mathit{client\_sid} \ , \mathit{port\_sid}(\underline{\mathit{h}} \ \mathit{ost\_control\_port}))$ - $(ChangesWiring \Rightarrow Wire\_vm \in perm\_s\overline{et}))$ ``` \forall \ \mathit{Transition}; \ \mathit{thread} \ : \ \mathit{THREAD} ``` - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(\underline{h}ost\_control\_port))$ - $\bullet \; ( \, Wires \, Th \, read \, \Rightarrow \, Wire\_th \, read \, \in \, perm\_set))$ ### 7.6 Requirements on client to $port\_sid(\underline{h}ost\_name\_port)$ Accesses | Abstract Service | Required Permission | |-----------------------------|-----------------------------| | CreatesProcset(procset) | Create_pset | | Flushes Cache | Flush_permission | | SetsAuditServer | Set_audit_port | | Sets Authentication Server | $Set\_authentication\_port$ | | SetsCryptoServer | Set_crypto_port | | SetsNegotiationServer | Set_negotiation_port | | SetsNetworkSecurityServer | Set_network_ss_port | | Sets Sec Server Client Port | Set_security_client_port | | SetsSecServerMasterPort | Set_security_master_port | | SetsSpecialPort | Set_special_port | #### $\forall Transition$ - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(\underline{h}ost\_name\_port))$ - $(FlushesCache \Rightarrow Flush\_permission \in perm\_set)$ - $\land (SetsAuditServer \Rightarrow Set\_audit\_port \in perm\_set)$ - $\land (SetsAuthenticationServer \Rightarrow Set\_authentication\_port \in perm\_set)$ - $\land (SetsCryptoServer \Rightarrow Set\_crypto\_port \in perm\_set)$ - $\land (SetsNegotiationServer \Rightarrow Set\_negotiation\_port \in perm\_set)$ - $\land (SetsNetworkSecurityServer \Rightarrow Set\_network\_ss\_port \in perm\_set)$ - $\land (SetsSecServerClientPort \Rightarrow Set\_security\_client\_port \in perm\_set)$ - $\land (SetsSecServerMasterPort \Rightarrow Set\_security\_master\_port \in perm\_set)$ - $\land (SetsSpecialPort \Rightarrow Set\_special\_port \in perm\_set))$ #### $\forall Transition; procset : PROCESSOR\_SET$ - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(\underline{h}ost\_name\_port))$ - $(CreatesProcset \Rightarrow Create\_pset \in perm\_set))$ ### 7.7 Requirements on client to <u>port\_sid(kernel\_reply\_port)</u> Accesses | Abstract Service | Required Permission | |---------------------------------|---------------------| | Loads Cache (kernel_reply_port) | Provide_permission | $\forall Transition; kernel\_reply\_port : PORT$ - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(kernel\_reply\_port))$ - $(LoadsCache \Rightarrow Provide\_permission \in \overline{perm\_set}))$ ### 7.8 Requirements on client to $port\_sid(control\_port(memory))$ Accesses | Abstract Service | Required Permission | |-------------------------------------|---------------------| | Changes Memory Object Attr (memory) | Set_attributes | | Destroys Memory (memory) | $Destroy\_object$ | | ServicesPageFault(memory) | $Provide\_data$ | $\forall$ Transition; memory: MEMORY - $\bullet \; (\mathbf{let} \; \mathit{perm\_set} == \; \mathit{kernel\_allows}(\mathit{client\_sid} \,, \mathit{port\_sid}(\mathit{control\_port}(\mathit{memory})))$ - $(ChangesMemoryObjectAttr \Rightarrow Set\_attributes \in perm\_set)$ - $\land (DestroysMemory \Rightarrow Destroy\_object \in perm\_set)$ - $\land (ServicesPageFault \Rightarrow Provide\_data \in perm\_set))$ ### 7.9 Requirements on client to port\_sid(port) Accesses | Abstract Service | Required Permission | |-------------------------------------|------------------------| | InitiatesMsgReceive(port) | Can_receive | | InitiatesMsgSend (port) | Can_send | | Initiates OolData Transfer (port) | Transfer_ool | | Initiates Receive Transfer (port) | Transfer_receive | | Initiates Rights Transfer (port) | $Transfer\_rights$ | | Initiates Send Once Transfer (port) | $Transfer\_send\_once$ | | InitiatesSend Transfer (port) | Transfer_send | | Interposes(port) | Interpose | | SetsReply(port) | Set_reply | | Specifies AV (port) | Specify | | SpecifiesSsi(port) | Specify | $\forall Transition; port : PORT$ - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(port))$ - $(InitiatesMsgReceive \Rightarrow Can\_receive \in \overline{perm\_set})$ - $\land (InitiatesMsgSend \Rightarrow Can\_send \in perm\_set)$ - $\land \; (\mathit{InitiatesOolDataTransfer} \Rightarrow \; \mathit{Transfer\_ool} \in \mathit{perm\_set})$ - $\land (InitiatesReceiveTransfer \Rightarrow Transfer\_receive \in perm\_set)$ - $\land$ (Initiates Rights Transfer $\Rightarrow$ Transfer\_rights $\in$ perm\_set) - $\land (InitiatesSendOnceTransfer \Rightarrow Transfer\_send\_once \in perm\_set)$ - $\land$ (InitiatesSendTransfer $\Rightarrow$ Transfer\_send $\in$ perm\_set) - $\land (Interposes \Rightarrow Interpose \in perm\_set)$ - $\land (SetsReply \Rightarrow Set\_reply \in perm\_set)$ - $\land (SpecifiesAV \Rightarrow Specify \in perm\_set)$ - $\land (SpecifiesSsi \Rightarrow Specify \in perm\_set))$ ### 7.10 Requirements on client to port\_sid(proc\_self(proc)) Accesses | Abstract Service | Required Permission | |--------------------------------|------------------------------| | AssignsProcessor(proc,procset) | $Assign\_processor\_to\_set$ | | ExitsProcessor(proc) | $May\_control\_processor$ | $\forall Transition; proc: PROCESSOR$ - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(proc\_self(proc)))$ - $(ExitsProcessor \Rightarrow May\_control\_processor \in perm\_set))$ $\forall$ Transition; proc : PROCESSOR; procset : PROCESSOR\_SET - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(proc\_self(proc)))$ - $\bullet \; (AssignsProcessor \Rightarrow Assign\_processor\_to\_set \in perm\_set)$ $\land (AssignsProcessor \Rightarrow Assign\_processor \in perm\_set))$ ### 7.11 Requirements on client to $port\_sid(procset\_self(procset))$ Accesses | Abstract Service | Required Permission | |----------------------------------|-----------------------------------| | AssignsProcessor(proc,procset) | $Assign\_processor$ | | Assigns Task (task, procset) | $Assign\_task$ | | Assigns Thread (thread, procset) | Assign_thread | | DestroysProcset(procset) | Destroy_pset | | Disables Policy (procset) | $Invalidate\_scheduling\_policy$ | | EnablesPolicy(procset) | $Define\_new\_scheduling\_policy$ | | SetsProcsetMaxPriority(procset) | $Chg\_pset\_max\_pri$ | $\forall Transition; procset : PROCESSOR\_SET$ - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(procset\_self(procset)))$ - $(DestroysProcset \Rightarrow Destroy\_pset \in perm\_set)$ - $\land (DisablesPolicy \Rightarrow Invalidate\_scheduling\_policy \in perm\_set)$ - $\land (EnablesPolicy \Rightarrow Define\_new\_scheduling\_policy \in perm\_set)$ - $\land (SetsProcsetMaxPriority \Rightarrow Chg\_pset\_max\_pri \in perm\_set))$ $\forall Transition; task : TASK; procset : PROCESSOR\_SET$ - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(procset\_self(procset)))$ - $(AssignsTask \Rightarrow Assign\_task \in perm\_set))$ ∀ Transition; thread: THREAD; procset: PROCESSOR\_SET - (let $perm\_set == kernel\_allows(client\_sid, port\_sid(procset\_self(procset)))$ - $(AssignsThread \Rightarrow Assign\_thread \in perm\_set))$ ## 7.12 Requirements on $\mathit{client}$ to $\mathit{task\_target}(\mathit{client}, \underline{\mathit{p}}\mathit{arent\_task}'(\mathit{child}))$ Accesses | Abstract Service | Required Permission | |-----------------------------|---------------------| | Creates Task (child) | Create_task | | Creates Task Secure (child) | Create_task_secure | ∀ Transition; child: TASK - $\bullet \; (\mathbf{let} \; \mathit{perm\_set} == \; \mathit{kernel\_allows}(\mathit{client\_sid}, \mathit{task\_target}(\mathit{client}, \mathit{parent\_task'}(\mathit{child})))$ - $(CreatesTask \Rightarrow Create\_task \in perm\_set)$ $\land (CreatesTaskSecure \Rightarrow Create\_task\_secure \in perm\_set))$ ### 7.13 Requirements on client to $task\_target(client, task)$ Accesses | Abstract Service | Required Permission | |-------------------------------------|------------------------------| | AddsName (task, port) | $Add\_name$ | | AddsThread(task) | $Add\_thread$ | | AddsThreadSecure(task) | Add_thread_secure | | $AllocatesRegion(task,page\_index)$ | Allocate_vm_region | | Assigns Task (task, procset) | $Assign\_task\_to\_pset$ | | Changes Wiring (task) | $Wire\_vm\_for\_task$ | | Changes TaskAid (task) | Change_sid | | Deallocates Region (task) | $Deallocate\_vm\_region$ | | Disables Task Sampling (task) | $Sample\_task$ | | Enables Task Sampling (task) | Sample_task | | ManipulatesPortSet(task) | Manipulate_port_set | | Modifies PortInfo(task) | Alter_pns_info | | ModifiesRegion(task) | Write_vm_region | | Registers Notification (task) | $Register\_notification$ | | RegistersPort(task) | Register_ports | | RemovesName(task, port) | Remove_name | | Renames In Port Name Space (task) | Port_rename | | Resumes Task(task) | $Resume\_task$ | | SetsEmulationVector(task) | Set_emulation | | SetsInheritance(task) | Set_vm_region_inherit | | SetsProtection(task) | $Chg\_vm\_region\_prot$ | | SetsTaskBootPort(task) | Set_task_boot_port | | Sets Task Exception Port (task) | $Set\_task\_exception\_port$ | | SetsTaskKernelPort(task) | Set_task_kernel_port | | Sets Task Priority (task) | Chg_task_priority | | Suspends Task (task) | $Suspend\_task$ | | Terminates Task(task) | Terminate_task | ``` ∀ Transition; task : TASK • (let perm_set == kernel_allows(client_sid, task_target(client, task)) • (AddsThread \Rightarrow Add\_thread \in perm\_set) \land (AddsThreadSecure \Rightarrow Add\_thread\_secure \in perm\_set) \land (Changes Wiring \Rightarrow Wire_vm_for_task \in perm_set) \land (ChangesTaskAid \Rightarrow Change\_sid \in perm\_set) \land (DeallocatesRegion \Rightarrow Deallocate\_vm\_region \in perm\_set) \land (DisablesTaskSampling \Rightarrow Sample\_task \in perm\_set) \land (EnablesTaskSampling \Rightarrow Sample\_task \in perm\_set) \land (ManipulatesPortSet \Rightarrow Manipulate\_port\_set \in perm\_set) \land (ModifiesPortInfo \Rightarrow Alter\_pns\_info \in perm\_set) \land (ModifiesRegion \Rightarrow Write\_vm\_region \in perm\_set) \land (RegistersNotification \Rightarrow Register\_notification \in perm\_set) \land (RegistersPort \Rightarrow Register\_ports \in perm\_set) \land (RenamesInPortNameSpace \Rightarrow Port_rename \in perm_set) \land (ResumesTask \Rightarrow Resume\_task \in perm\_set) \land (SetsEmulationVector \Rightarrow Set\_emulation \in perm\_set) \land (SetsInheritance \Rightarrow Set\_vm\_region\_inherit \in perm\_set) \land (SetsProtection \Rightarrow Chg\_vm\_region\_prot \in perm\_set) \land (SetsTaskBootPort \Rightarrow Set\_task\_boot\_port \in perm\_set) \land (SetsTaskExceptionPort \Rightarrow Set\_task\_exception\_port \in perm\_set) \land (SetsTaskKernelPort \Rightarrow Set\_task\_kernel\_port \in perm\_set) \land (SetsTaskPriority \Rightarrow Chg\_task\_priority \in perm\_set) \land (SuspendsTask \Rightarrow Suspend\_task \in perm\_set) \land (TerminatesTask \Rightarrow Terminate\_task \in perm\_set)) ∀ Transition; task : TASK; page_index : PAGE_INDEX • (let perm\_set == kernel\_allows(client\_sid, task\_target(client, task)) • (AllocatesRegion \Rightarrow Allocate\_vm\_region \in perm\_set)) \forall Transition; task : TASK; port : PORT • (let perm\_set == kernel\_allows(client\_sid, task\_target(client, task))) • (AddsName \Rightarrow Add\_name \in perm\_set) \land (RemovesName \Rightarrow Remove\_name \in perm\_set)) \forall Transition; task: TASK; procset: PROCESSOR_SET • (let perm\_set == kernel\_allows(client\_sid, task\_target(client, task))) • (AssignsTask \Rightarrow Assign\_task\_to\_pset \in perm\_set)) ``` #### 7.14 Requirements on client to thread\_target(client, thread) Accesses | Abstract Service | Required Permission | |---------------------------------------------|----------------------------------| | Aborts Priority Depression (thread) | $A bo rt\_threa d\_de press$ | | AssignsThread(thread,procset) | $Assign\_thread\_to\_pset$ | | Decrements Thread Max Priority (thread) | Set_max_thread_priority | | DepressesPriority(thread) | Depress_pri | | $Disables\ Th\ read\ Sampling\ (th\ read)$ | Sample_thread | | EnablesThreadSampling(thread) | Sample_th read | | Increments Thread Max Priority (thread) | Set_max_thread_priority | | Makes Task Ready (thread) | Initiate_secure | | $Makes\ Th\ read\ Owner Read\ y (th\ read)$ | Initiate_secure | | Resumes Thread (thread) | Resume_th read | | Sets Thread Exception Port (thread) | Set_thread_exception_port | | Sets Thread Kernel Port (thread) | Set_thread_kernel_port | | Sets Thread Policy (thread) | Set_thread_policy | | Sets Thread Priority (thread) | Set_thread_priority | | Suspends Thread (thread) | $Suspend\_thread$ | | Terminates Thread (thread) | Terminate_thread | | Wires Thread (thread) | Wire_thread_into_memory | $\forall$ Transition; thread: THREAD - (let perm\_set == kernel\_allows(client\_sid, thread\_target(client, thread)) - $(AbortsPriorityDepression \Rightarrow Abort\_thread\_depress \in perm\_set)$ - $\land (DecrementsThreadMaxPriority \Rightarrow Set\_max\_thread\_priority \in perm\_set)$ - $\land (DepressesPriority \Rightarrow Depress\_pri \in perm\_set)$ - $\land (DisablesThreadSampling \Rightarrow Sample\_thread \in perm\_set)$ - $\land (EnablesThreadSampling \Rightarrow Sample\_thread \in perm\_set)$ - $\land$ (Increments Thread MaxPriority $\Rightarrow$ Set\_max\_thread\_priority $\in$ perm\_set) - $\land (MakesTaskReady \Rightarrow Initiate\_secure \in perm\_set)$ - $\land (MakesThreadOwnerReady \Rightarrow Initiate\_secure \in perm\_set)$ - $\land \; (\mathit{ResumesThread} \Rightarrow \mathit{Resume\_thread} \in \mathit{perm\_set})$ - $\land \ (SetsThreadExceptionPort \Rightarrow Set\_thread\_exception\_port \in perm\_set)$ - $\land (SetsThreadKernelPort \Rightarrow Set\_thread\_kernel\_port \in perm\_set)$ - $\land (SetsThreadPolicy \Rightarrow Set\_thread\_policy \in perm\_set)$ - $\land (SetsThreadPriority \Rightarrow Set\_thread\_priority \in perm\_set)$ - $\land (SuspendsThread \Rightarrow Suspend\_thread \in perm\_set)$ - $\land (\mathit{TerminatesThread} \Rightarrow \mathit{Terminate\_thread} \in \mathit{perm\_set})$ - $\land (WiresThread \Rightarrow Wire\_thread\_into\_memory \in perm\_set))$ $\forall$ Transition; thread: THREAD; procset: PROCESSOR\_SET - (let $perm\_set == kernel\_allows(client\_sid, thread\_target(client, thread))$ - $(AssignsThread \Rightarrow Assign\_thread\_to\_pset \in perm\_set))$ 7.15 Requirements on $\underline{k}$ ernel to p $ort\_sid(\underline{a}$ $udit\_server\_port)$ Accesses | Abstract Service | Required Permission | |------------------|---------------------| | SendsAuditData | Can_send | $\forall Transition$ - $\bullet \ (\mathbf{let} \ perm\_set == \ kernel\_allows(\underline{t} \ ask\_sid(\underline{k} \ ernel), \\ port\_sid(\underline{a} \ udit\_server\_port))$ - $(SendsAuditData \Rightarrow Can\_send \in perm\_set))$ - 7.16 Requirements on $\underline{k}$ ernel to p ort $\underline{sid}(object\_port(memory))$ Accesses | Abstract Service | Required Permission | |----------------------------|---------------------| | SendsPagerOutcall (memory) | Can_send | $\forall$ Transition; memory: MEMORY - (let $perm\_set == kernel\_allows(\underline{t}ask\_sid(\underline{k}ernel), port\_sid(object\_port(memory)))$ - $(SendsPagerOutcall \Rightarrow Can\_send \in perm\_set))$ - 7.17 Requirements on $\underline{k}$ ernel to p ort $\underline{s}$ id(p ort) Accesses | Abstract Service | Required Permission | |-------------------------------|---------------------| | Confirms Kernel Mem Op (port) | Can_send | | ForwardsNetworkPacket(port) | Can_send | $\forall Transition; port : PORT$ - (let $perm\_set == kernel\_allows(\underline{t} ask\_sid(\underline{k} ernel), port\_sid(port))$ - $(ConfirmsKernelMemOp \Rightarrow Can\_send \in perm\_set)$ $\land (ForwardsNetworkPacket \Rightarrow Can\_send \in perm\_set))$ - 7.18 Requirements on $\underline{k}$ ernel to p or t\_sid ( $\underline{s}$ ecurity\_server\_master\_port) Accesses | Abstract Service | Required Permission | |-------------------------|---------------------| | Makes Security Out call | Can_send | $\forall Transition$ - (let $perm\_set == kernel\_allows(\underline{t} ask\_sid(\underline{k} ernel), port\_sid(\underline{s} ecurity\_server\_master\_port)$ ) - $(MakesSecurityOutcall \Rightarrow Can\_send \in perm\_set))$ 7.19 Requirements on $kernel\_as(eff\_client)$ to $port\_sid(port)$ Accesses | Abstract Service | Required Permission | |-------------------------|---------------------| | SendsKernelReply(port) | Can_send | | SendsNotification(port) | Ca n_se nd | $\forall Transition; port : PORT$ - (let $perm\_set == kernel\_allows(kernel\_as(eff\_client), port\_sid(port))$ - $(SendsKernelReply \Rightarrow Can\_send \in perm\_set)$ $\land (SendsNotification \Rightarrow Can\_send \in perm\_set))$ - 7.20 Requirements on $kernel\_as(eff\_client)$ to $\underline{p}ort\_sid(task\_eport(task))$ Accesses | Abstract Service | Required Permission | |------------------------------------|---------------------| | Raises Exception To Task (task) | Can_send | $\forall Transition; task : TASK$ - $\bullet \; (\mathbf{let} \; perm\_set == \; kernel\_allows(kernel\_as(eff\_client), port\_sid(task\_eport(task)))$ - $(RaisesExceptionToTask \Rightarrow Can\_send \in perm\_set)$ - 7.21 Requirements on $kernel\_as(eff\_client)$ to $\underline{p}$ $ort\_sid(thread\_eport(thread))$ Accesses | Abstract Service | Required Permission | |----------------------------------------------------------|---------------------| | $\begin{tabular}{ c c c c c c c c c c c c c c c c c c c$ | Can_send | $\forall$ Transition; thread: THREAD - (let $perm\_set == kernel\_allows(kernel\_as(eff\_client), port\_sid(thread\_eport(thread)))$ - $(RaisesExceptionToThread \Rightarrow Can\_send \in perm\_set))$ - 7.22 Requirements on $\underline{p}$ $arent\_task'(child)$ to $\underline{p}$ $ort\_sid'(task\_self'(child))$ Accesses | Abstract Service | Required Permission | |-----------------------------|-----------------------| | Creates Task Secure (child) | Cross_context_inherit | ∀ Transition; child: TASK - (let $perm\_set == kernel\_allows(\underline{t}ask\_sid(\underline{p}arent\_task'(child)), port\_sid'(task\_self'(child)))$ - $(CreatesTaskSecure \Rightarrow Cross\_context\_inherit \in perm\_set))$ ### 7.23 Requirements on task to $page\_sid(task, page\_index)$ Accesses | Abstract Service | Required Permission | |------------------------------------------------|---------------------| | $Allocates Execute Region (task, page\_index)$ | Have_execute | | $AllocatesReadRegion(task,page\_index)$ | Have_read | | $AllocatesRegion(task,page\_index)$ | $Map\_vm\_region$ | | $Allocates Write Region (task, page\_index)$ | Have_write | $\forall \ Transition; \ task : TASK; \ page\_index : PAGE\_INDEX \\ \bullet \ (\mathbf{let} \ perm\_set == kernel\_allows(\underline{t} \ ask\_sid(task), \\ \underline{p} \ age\_sid(task, page\_index)) \\ \bullet \ (A \ llocatesExecuteRegion \Rightarrow Have\_execute \in perm\_set) \\ \land \ (A \ llocatesReadRegion \Rightarrow Have\_read \in perm\_set)$ $\land (AllocatesRegion \Rightarrow Map\_vm\_region \in perm\_set)$ $\land (AllocatesWriteRegion \Rightarrow Have\_write \in perm\_set))$ ### 7.24 Requirements on task to $port\_sid'(port)$ Accesses | Abstract Service | Required Permission | |-------------------------|---------------------| | AddsReceive(task, port) | Hold_receive | $\forall \ Transition; \ task : TASK; \ port : PORT$ $\bullet \ (\mathbf{let} \ perm\_set == kernel\_allows(\underline{t} \ ask\_sid(task), \\ \underline{port\_sid'(port)})$ $\bullet \ (AddsReceive \Rightarrow Hold\_receive \in perm\_set))$ ### 7.25 Requirements on task to $port\_sid'(task\_self'(task))$ Accesses | Abstract Service | Required Permission | |-------------------------|---------------------| | Changes Task Aid (task) | Transition_sid | $\forall \ Transition; \ task : TASK \\ \bullet \ (\mathbf{let} \ perm\_set == \ kernel\_allows(\underline{t} \ ask\_sid(task), \\ \underline{port\_sid'(task\_self'(task))})$ • $(ChangesTaskAid \Rightarrow Transition\_sid \in perm\_set))$ ### 7.26 Requirements on task to $\underline{p}ort\_sid(port)$ Accesses | | Abstract Service | Required Permission | |---|--------------------------|---------------------| | ĺ | AddsReceive (task, port) | Hold_receive | | | AddsSend (task, port) | $Hold\_send$ | | ſ | AddsSendOnce(task, port) | $Hold\_send\_once$ | ``` \forall \ Transition; \ task : TASK; \ port : PORT \bullet \ (\textbf{let} \ perm\_set == kernel\_allows(\underline{t}ask\_sid(task), \\ \underline{port\_sid(port)}) \bullet \ (AddsReceive \Rightarrow Hold\_receive \in perm\_set) \\ \land \ (AddsSend \Rightarrow Hold\_send \in perm\_set) \land \ (AddsSendOnce \Rightarrow Hold\_send\_once \in perm\_set)) ``` #### 7.27 Prohibited Actions on *port* No transition may perform any of the following services: ChangesPortAid, ChangesPortMid. ∀ Transition; port : PORT • ¬ ChangesPortAid ∧ ¬ ChangesPortMid #### 7.28 Prohibited Actions on task No transition may perform any of the following services: Changes TaskMid, Inv Task Creation State Trans. $\forall Transition; task : TASK$ $\bullet \neg ChangesTaskMid$ $\land \neg InvTaskCreationStateTrans$ ### 7.29 Requirements on client to dev Implementation Accesses | Request | Required Permission | |-------------------|---------------------| | device_get_status | Get_device_status | ``` \forall Initiates Operation; \ dev: DEVICE \\ | \ (dev, service\_port) \in device\_port \\ \bullet \ \textbf{let} \ perm\_set == kernel\_allows(client\_sid, \underline{port\_sid}(device\_port(dev))) \\ \bullet \ (op = Device\_get\_status\_id \Rightarrow Get\_device\_status \in perm\_set) ``` ### 7.30 Requirements on client to $\underline{host\_control\_port}$ Implementation Accesses | Request | Required Permission | |-------------------------|---------------------| | host_adjust_time | Set_time | | host_get_boot_info | Get_boot_info | | host_processor_set_priv | Pset_ctrl_port | | host_processors | Get_host_processors | | host_reboot | Reboot_host | | host_set_time | Set_time | ``` \forall \ Initiates \ Operation \mid service\_port = \underline{h} \ ost\_control\_port \\ \bullet \ \mathbf{let} \ perm\_set == kernel\_allows(client\_sid, \underline{p} \ ort\_sid(\underline{h} \ ost\_control\_port)) \\ \bullet \ (op = Host\_adjust\_time\_id \Rightarrow Set\_time \in perm\_set) \\ \land \ (op = Host\_get\_boot\_info\_id \Rightarrow Get\_boot\_info \in perm\_set) \\ \land \ (op = Host\_processor\_set\_priv\_id \Rightarrow Pset\_ctrl\_port \in perm\_set) \\ \land \ (op = Host\_processors\_id \Rightarrow Get\_host\_processors \in perm\_set) \\ \land \ (op = Host\_reboot\_id \Rightarrow Reboot\_host \in perm\_set) \\ \land \ (op = Host\_set\_time\_id \Rightarrow Set\_time \in perm\_set) \\ \end{aligned} ``` #### 7.31 Requirements on client to host\_name\_port Implementation Accesses | Request | Required Permission | |---------------------------------|----------------------------| | host_get_audit_port | Get_audit_port | | host_get_authentication_port | Get_authentication_port | | host_get_crypto_port | Get_crypto_port | | host_get_host_control_port | $Get\_host\_control\_port$ | | host_get_negotiation_port | Get_negotiation_port | | host_get_network_ss_port | $Get\_network\_ss\_port$ | | host_get_sec_server_client_port | Get_security_client_port | | host_get_sec_server_port | Get_security_master_port | | host_get_special_port | Get_special_port | | host_get_time | Get_time | | host_info | Get_host_info | | host_kernel_version | Get_host_version | | host_processor_sets | Pset_names | | mach_host_self | Get_host_name | | processor_set_default | $Get\_default\_pset\_name$ | ``` \forall InitiatesOperation \mid service\_port = \underline{h}ost\_name\_port • let perm\_set == kernel\_allows(client\_sid, port\_sid(\underline{h}ost\_name\_port)) • (op = Host\_get\_audit\_port\_id \Rightarrow Get\_audit\_port \in perm\_set) \land (op = Host\_get\_authentication\_port\_id \Rightarrow Get\_authentication\_port \in perm\_set) \land (op = Host\_get\_crypto\_port\_id \Rightarrow Get\_crypto\_port \in perm\_set) \land (op = Host\_get\_host\_control\_port\_id \Rightarrow Get\_host\_control\_port \in perm\_set) \land (op = Host\_get\_negotiation\_port\_id \Rightarrow Get\_negotiation\_port \in perm\_set) \land (op = Host\_get\_network\_ss\_port\_id \Rightarrow Get\_network\_ss\_port \in perm\_set) \land (op = Host\_get\_sec\_server\_client\_port\_id \Rightarrow Get\_security\_client\_port \in perm\_set) \land (op = Host\_qet\_sec\_server\_port\_id \Rightarrow Get\_security\_master\_port \in perm\_set) \land (op = Host\_get\_special\_port\_id \Rightarrow Get\_special\_port \in perm\_set) \land (op = Host\_get\_time\_id \Rightarrow Get\_time \in perm\_set) \land (op = Host\_info\_id \Rightarrow Get\_host\_info \in perm\_set) \land (op = Host\_kernel\_version\_id \Rightarrow Get\_host\_version \in perm\_set) \land (op = Host\_processor\_sets\_id \Rightarrow Pset\_names \in perm\_set) \land (op = Mach\_host\_self\_id \Rightarrow Get\_host\_name \in perm\_set) \land (op = Processor\_set\_default\_id \Rightarrow Get\_default\_pset\_name \in perm\_set) ``` #### 7.32 Requirements on *client* to *memory* Implementation Accesses | Request | Required Permission | |------------------------------|-------------------------| | memory_object_get_attributes | $Get\_attributes$ | | memory_object_lock_request | $Invoke\_lock\_request$ | ``` \forall \ Initiates Operation; \ memory: MEMORY \\ | \ (memory, service\_port) \in control\_port \\ \bullet \ \ let \ perm\_set == kernel\_allows(client\_sid, \underline{port\_sid}(control\_port(memory))) \\ \bullet \ (op = Memory\_object\_get\_attributes\_id \Rightarrow Get\_attributes \in perm\_set) \\ \land \ (op = Memory\_object\_lock\_request\_id \Rightarrow Invoke\_lock\_request \in perm\_set) ``` #### 7.33 Requirements on *client* to *proc* Implementation Accesses | Request | Required Permission | |--------------------------|---------------------------------| | processor_control | ${\it May\_control\_processor}$ | | processor_get_assignment | $Get\_processor\_assignment$ | | processor_info | Get_processor_info | | processor_start | ${\it May\_control\_processor}$ | ``` \forall \ Initiates Operation; \ proc: PROCESSOR \\ | \ (proc, service\_port) \in proc\_self \\ \bullet \ \textbf{let} \ perm\_set == kernel\_allows(client\_sid, \underline{port\_sid}(proc\_self(proc))) \\ \bullet \ (op = Processor\_control\_id \Rightarrow May\_control\_processor \in perm\_set) \\ \land \ (op = Processor\_get\_assignment\_id \Rightarrow Get\_processor\_assignment \in perm\_set) \\ \land \ (op = Processor\_info\_id \Rightarrow Get\_processor\_info \in perm\_set) \\ \land \ (op = Processor\_start\_id \Rightarrow May\_control\_processor \in perm\_set) \\ ``` #### 7.34 Requirements on client to $ps\_name\_port$ Implementation Accesses | Request | Required Permission | |--------------------|---------------------| | processor_set_info | Get_pset_info | ``` \forall InitiatesOperation; procset : PROCESSOR\_SET \\ | (procset, service\_port) \in procset\_name\_port \\ \bullet \text{ let } perm\_set == kernel\_allows(client\_sid, \underline{port\_sid}(procset\_name\_port(procset))) \\ \bullet (op = Processor\_set\_info\_id \Rightarrow Get\_pset\_info \in perm\_set) ``` #### 7.35 Requirements on client to ps\_control\_port Implementation Accesses | Request | Required Permission | |-----------------------|------------------------| | processor_set_tasks | Observe_pset_processes | | processor_set_threads | Observe_pset_processes | #### 7.36 Requirements on *client* to *task* Implementation Accesses | Request | Required Permission | |------------------------------|------------------------------| | mach_port_extract_right | $Extract\_right$ | | mach_port_get_receive_status | Observe_pns_info | | mach_port_get_refs | Observe_pns_info | | mach_port_get_set_status | Observe_pns_info | | mach_port_names | Observe_pns_info | | mach_ports_lookup | Lookup_ports | | mach_port_type | Observe_pns_info | | mach_port_type_secure | Observe_pns_info | | mach_task_self | Get_task_kernel_port | | task_get_assignment | Get_task_assignment | | task_get_bootstrap_port | Get_task_boot_port | | task_get_emulation_vector | Get_e mulation | | task_get_exception_port | Get_task_exception_port | | task_get_kernel_port | Get_task_kernel_port | | task_get_sampled_pcs | $Sample\_task$ | | task_info | Get_task_info | | task_ras_control | Set_ras | | task_threads | Get_task_threads | | vm_copy | $Copy\_vm$ | | vm_machine_attribute | $Access\_machine\_attribute$ | | vm_read | $Read\_vm\_region$ | | vm_region | $Get\_vm\_region\_info$ | | vm_region_secure | $Get\_vm\_region\_info$ | | vm_statistics | Get_vm_statistics | ``` \forall Initiates Operation; task: TASK |(task, service\_port) \in task\_self| • let perm\_set == kernel\_allows(client\_sid, task\_target(client, task)) • (op = Mach\_port\_extract\_right\_id \Rightarrow Extract\_right \in perm\_set) \land (op = Mach\_port\_get\_receive\_status\_id \Rightarrow Observe\_pns\_info \in perm\_set) \land (op = Mach\_port\_get\_refs\_id \Rightarrow Observe\_pns\_info \in perm\_set) \land (op = Mach\_port\_get\_set\_status\_id \Rightarrow Observe\_pns\_info \in perm\_set) \land (op = Mach\_port\_names\_id \Rightarrow Observe\_pns\_info \in perm\_set) \land (op = Mach\_ports\_lookup\_id \Rightarrow Lookup\_ports \in perm\_set) \land (op = Mach\_port\_type\_id \Rightarrow Observe\_pns\_info \in perm\_set) \land (op = Mach\_port\_type\_secure\_id \Rightarrow Observe\_pns\_info \in perm\_set) \land (op = Mach\_task\_self\_id \Rightarrow Get\_task\_kernel\_port \in perm\_set) \land (op = Task\_get\_assignment\_id \Rightarrow Get\_task\_assignment \in perm\_set) \land (op = Task\_get\_bootstrap\_port\_id \Rightarrow Get\_task\_boot\_port \in perm\_set) \land (op = Task\_get\_emulation\_vector\_id \Rightarrow Get\_emulation \in perm\_set) \land (op = Task\_get\_exception\_port\_id \Rightarrow Get\_task\_exception\_port \in perm\_set) \land (op = Task\_get\_kernel\_port\_id \Rightarrow Get\_task\_kernel\_port \in perm\_set) \land (op = Task\_get\_sampled\_pcs\_id \Rightarrow Sample\_task \in perm\_set) \land (op = Task\_info\_id \Rightarrow Get\_task\_info \in perm\_set) \land (op = Task\_ras\_control\_id \Rightarrow Set\_ras \in perm\_set) \land (op = Task\_threads\_id \Rightarrow Get\_task\_threads \in perm\_set) \land (op = Vm\_copy\_id \Rightarrow Copy\_vm \in perm\_set) \land (op = Vm\_machine\_attribute\_id \Rightarrow Access\_machine\_attribute \in perm\_set) \land (op = Vm\_read\_id \Rightarrow Read\_vm\_region \in perm\_set) \land (op = Vm\_region\_id \Rightarrow Get\_vm\_region\_info \in perm\_set) \land (op = Vm\_region\_secure\_id \Rightarrow Get\_vm\_region\_info \in perm\_set) \land (op = Vm\_statistics\_id \Rightarrow Get\_vm\_statistics \in perm\_set) ``` #### 7.37 Requirements on *client* to *thread* Implementation Accesses | Request | Required Permission | |---------------------------|--------------------------------| | mach_thread_self | $Get\_thread\_kernel\_port$ | | swtch | Can_swtch | | swtch_pri | $Can\_swtch\_pri$ | | thread_abort | Abort_th read | | thread_get_assignment | $Get\_thread\_assignment$ | | thread_get_exception_port | $Get\_thread\_exception\_port$ | | thread_get_kernel_port | $Get\_thread\_kernel\_port$ | | thread_get_sampled_pcs | $Sample\_thread$ | | thread_get_state | Get_thread_state | | thread_info | Get_thread_info | | thread_set_state | Set_thread_state | | thread_set_state_secure | Set_thread_state | | thread_switch | Switch_th read | ``` \forall Initiates Operation; thread: THREAD |(thread, service\_port) \in thread\_self • let perm\_set == kernel\_allows(client\_sid, thread\_target(client, thread)) • (op = Mach\_thread\_self\_id \Rightarrow Get\_thread\_kernel\_port \in perm\_set) \land (op = Swtch\_id \Rightarrow Can\_swtch \in perm\_set) \land (op = Swtch\_pri\_id \Rightarrow Can\_swtch\_pri \in perm\_set) \land (op = Thread\_abort\_id \Rightarrow Abort\_thread \in perm\_set) \land (op = Thread\_get\_assignment\_id \Rightarrow Get\_thread\_assignment \in perm\_set) \land (op = Thread\_get\_exception\_port\_id \Rightarrow Get\_thread\_exception\_port \in perm\_set) \land (op = Thread\_get\_kernel\_port\_id \Rightarrow Get\_thread\_kernel\_port \in perm\_set) \land (op = Thread\_get\_sampled\_pcs\_id \Rightarrow Sample\_thread \in perm\_set) \land (op = Thread\_get\_state\_id \Rightarrow Get\_thread\_state \in perm\_set) \land (op = Thread\_info\_id \Rightarrow Get\_thread\_info \in perm\_set) \land (op = Thread\_set\_state\_id \Rightarrow Set\_thread\_state \in perm\_set) \land (op = Thread\_set\_state\_secure\_id \Rightarrow Set\_thread\_state \in perm\_set) \land (op = Thread\_switch\_id \Rightarrow Switch\_thread \in perm\_set) ``` Section 8 ## **Generic Security Server Requirements** This section describes the data structures and security requirements on security servers in general. The material in this section is applicable to all DTOS security servers that define policy for the DTOS kernel. This includes those security servers that define policy on exclusively kernel entities and those that define policy on higher level entities as well as kernel entities. Note, however, that security servers that define policy on only entities above the kernel level are not considered here. The Z formalization of the specification given in this section is generic. This allows the specification to be instantiated for each specific security server. Editorial Note: The interface between the kernel and the security server described in this section is incomplete. Notification vectors have been omitted. Each DTOS security server makes security policy decisions on a subject security context (SSC) to object security context (OSC) basis. For example, a security server implementing an MLS policy might define subject and object security contexts to consist of a single level. If the MLS policy required limiting subjects to operate in ranges of levels, then another alternative for the subject security context would be a pair of levels specifying the minimum level at which the subject may write and the maximum level at which the subject may read. In the following, we use SSC and OSC to denote, respectively, the sets of subject and object security contexts. Note that these sets can be different for each security server. This is addressed in the Z specifications by treating SSC and OSC as generic parameters. Each security server recognizes certain sets of SSCs and OSCs. We use $\underline{r}ecognized\_sscs$ and $\underline{r}ecognized\_oscs$ to denote the SSCs and OSCs recognized by a given security server. #### **Generic Security Server Definition 1** To hide the structure of security contexts from other system components, security servers use *security identifiers* (SIDs) to represent security contexts. Each security server recognizes certain sets of *subject SIDs* (SSIs) and *object SIDs* (OSIs). We use <u>recognized\_ssis</u> and <u>recognized\_osis</u> to denote the SSIs and OSIs recognized by a given security server. The OSIs <u>Task\_self\_sid</u> and Thread\_self\_sid defined in the formalization of the microkernel requirements are two special OSIs that must be recognized by all security servers. The kernel specifies one of these SIDs as a target to indicate that the security server should compute access for the client to the client itself. #### **Generic Security Server Definition 2** Each security server processes access queries containing an SSI-OSI pair by mapping the pair to an SSC-OSC pair and performing an access computation. We use: - $\underline{s}id\_ssc(ssi)$ to denote the SSC associated with ssi. This function is defined only for recognized SSIs. - $\underline{s}id\_osc(osi)$ to denote the OSC associated with osi. This function is defined only for OSI other than $Task\_self\_sid$ and $Thread\_self\_sid$ . - $\underline{t}$ ask\_self\_osc(ssi) to denote the OSC representing that a task with SID ssi is accessing itself. This function is defined only for recognized SSIs. - $\underline{thread\_self\_osc(ssi)}$ to denote the OSC representing that a thread with SIDssi is accessing another thread within the same task. This function is defined only for recognized SSIs. - target\_osc(ssi, osi) to denote the OSC that is to be used for computing ssi-osi access. This function is defined only for recognized SSIs and OSIs. This function is defined as follows: - If osi is $Task\_self\_sid$ , then the result is $\underline{t}ask\_self\_osc(ssi)$ . - If osi is $Thread\_self\_sid$ , then the result is $\underline{t}hread\_self\_osc(ssi)$ . - If osi is neither Task\_self\_sid nor Thread\_self\_sid, then the result is sid\_osc(osi). ``` Sid To Context[SSC, OSC] = Recognized Sids Recognized Contexts[SSC, OSC] sid\_ssc:SSI \longrightarrow SSC sid\_osc:OSI \longrightarrow OSC task\_self\_osc : SSI \longrightarrow OSC thread\_self\_osc:SSI \longrightarrow OSC target\_osc: SSI \times OSI \longrightarrow OSC \operatorname{dom} t \operatorname{ask\_self\_osc} = \operatorname{dom} t \operatorname{hread\_self\_osc} = \operatorname{dom} s \operatorname{id\_ssc} = \operatorname{recognized\_ssis} dom \underline{s}id\_osc = \underline{r}ecognized\_osis \setminus \{ Task\_self\_sid, Thread\_self\_sid \} dom target\_osc = \underline{r}ecognized\_ssis \times \underline{r}ecognized\_osis ran \underline{s}id\_ssc \subseteq \underline{r}ecognized\_sscs \operatorname{ran} \underline{s}id\_osc \subseteq \underline{r}ecognized\_oscs ran \underline{t} ask\_self\_osc \subseteq \underline{r}ecognized\_oscs \operatorname{ran} \underline{t} h \operatorname{read\_self\_osc} \subseteq \underline{r} \operatorname{ecognized\_oscs} \forall ssi : SSI; osi : OSI \mid (ssi, osi) \in dom target\_osc • target_osc(ssi, osi) = if osi = Task\_self\_sid then task\_self\_osc(ssi) else if osi = Thread\_self\_sid then \underline{t}hread\_self\_osc(ssi) else sid\_osc(osi) ``` Each security server distinguishes between OSCs for communication ports, tasks, default pagers, pagers, threads, host name ports, host control ports, processors, processor set name ports, processor set control ports, kernel reply ports, and device ports. We use the following sets to denote the recognized OSCs for each class: $\underline{communication\_oscs}$ , $\underline{task\_oscs}$ , $\underline{default\_pager\_oscs}$ , $\underline{pager\_oscs}$ , $\underline{thread\_oscs}$ , $\underline{host\_name\_oscs}$ , $\underline{host\_control\_oscs}$ , $\underline{processor\_oscs}$ , $\underline{processor\_oscs}$ , $\underline{mame\_oscs}$ , $\underline{mame\_oscs}$ , $\underline{processor\_oscs}$ , $\underline{mame\_oscs}$ , $\underline{mame\_oscs}$ , $\underline{processor\_oscs}$ , $\underline{mame\_oscs}$ We use $xss\ Sets\_partition\ xx\_set$ to denote that a collection of sets $xss\ partition\ xx\_set$ . In other words, $xss\ Sets\_partition\ xx\_set$ holds exactly when each element of $xx\_set$ belongs to exactly one set from the collection of sets xss. ``` OscPartitions[OSC] RecognizedOscs[OSC] recognized\_osc\_classes : \mathbb{P}(\mathbb{P}|OSC) communication_oscs, task\_oscs, \underline{d} efault_pager_oscs, pager_oscs, thread\_oscs, host_name_oscs, host_control_oscs, processor_oscs, procset_name_oscs, \overline{p} rocset_control_oscs, \overline{\underline{k}}ernel\_reply\_oscs, device\_oscs : \mathbb{P} OSC \{ communication\_oscs, task\_oscs, default\_pager\_oscs, pager\_oscs, \} \underline{t}hread\_oscs, \underline{h}ost\_name\_oscs, \underline{h}ost\_control\_oscs, processor\_oscs, procset_name_oscs, procset_control_oscs, \overline{k} ernel\_reply\_oscs, d\overline{e}vice\_oscs } \subseteq \underline{r}ecognized\_osc\_classes recognized\_osc\_classes\ Sets\_partition\ recognized\_oscs ``` Each security server associates a set of permissions with each OSC class. This set of permissions consists of those that are relevant to the type of entity represented by the class. For example, the set of permissions associated with $\underline{t}hread\_oscs$ must be $Thread\_permissions$ . We use $\underline{o}sc\_class\_permissions(osc\_class)$ to denote the permissions a security server associates with $osc\_class$ . We require that the appropriate kernel permissions are associated with each kernel OSC class. #### **Generic Security Server Definition 5** ``` Osc\,ClassPermissions[\,OSC] ____ OscPartitions[OSC] osc\_class\_permissions : (\mathbb{P}\ OSC) \longrightarrow \mathbb{P}\ PERMISSION dom \underline{o}sc\_class\_permissions = \underline{r}ecognized\_osc\_classes \underline{osc\_class\_permissions}(\underline{communication\_oscs}) = \emptyset \underline{osc\_class\_permissions}(\underline{t}ask\_oscs) = Task\_permissions \underline{osc\_class\_permissions}(\underline{default\_pager\_oscs}) = Pager\_permissions \underline{o}sc\_class\_permissions(pager\_oscs) = Pager\_permissions \underline{o} sc_class_permissions(\underline{t} hread_oscs) = Thread_permissions \underline{o} sc_class_permissions (\underline{h} ost_name_oscs) = Host_name_port_permissions \underline{osc\_class\_permissions}(\underline{host\_control\_oscs}) = \underline{Host\_control\_port\_permissions} \underline{\mathit{osc\_class\_permissions}}(\mathit{processor\_oscs}) = \mathit{Processor\_permissions} osc\_class\_permissions(procset\_name\_oscs) = Procset\_name\_port\_permissions osc\_class\_permissions(procset\_control\_oscs) = Procset\_control\_pert\_permissions osc\_class\_permissions(\overline{k}ernel\_reply\_oscs) = Kernel\_reply\_permissions \underline{osc\_class\_permissions}(\underline{d\ evice\_oscs}) = Device\_permissions ``` ``` Editorial Note: Need to determine whether Pager\_permissions is really the correct value for \underline{osc\_class\_permissions}(\underline{d}\_efault\_pager\_oscs). ``` Each security server has an associated rule indicating which permissions are permitted on a context-to-context basis. We use $\underline{policy\_allows}(ssc,osc)$ to denote the set of permissions that a subject with context ssc is permitted to an object with context osc. Each permission set consists of a set of IPC permissions and a set of permissions specific to osc's class. We require that the latter set of permissions be contained in the set of permissions identified by $\underline{osc\_class\_permissions}$ . For example, when osc is the context of a thread port, the permissions returned by $\underline{policy\_allows}$ consist of IPC and thread permissions. Typically, a security server will manage a database that defines $\underline{policy\_allows}$ . For example, a security server supporting an MLS policy will manage a database that defines the existing security levels and a partial ordering of those levels. We use $\underline{policy\_database}$ to denote this database. Since the structure of the database will vary from security server to security server, we introduce the generic parameter $\underline{PoLICY\_DB}$ for use as the type of $\underline{policy\_database}$ . ``` PolicyAllows[SSC, OSC, POLICY\_DB] \\ RecognizedContexts[SSC, OSC] \\ OscPartitions[OSC] \\ OscClassPermissions[OSC] \\ \underline{policy\_allows}: SSC \times OSC \longrightarrow \mathbb{P} \ PERMISSION \\ \underline{policy\_database}: POLICY\_DB \\ \\ \forall ssc: SSC; osc: OSC \mid \underline{policy\_allows}(ssc, osc) \neq \varnothing \\ \bullet ssc \in \underline{recognized\_sscs} \\ \land \ osc \in \underline{recognized\_oscs} \\ \land \ (\forall \ osc\_class: \mathbb{P} \ OSC \\ \mid \ osc \in \ osc\_class \land \ osc\_class \in \underline{recognized\_osc\_classes} \\ \bullet \ \underline{policy\_allows}(ssc, osc) \\ \subseteq \underline{osc\_class\_permissions}(osc\_class) \cup Ipc\_permissions) \\ \end{cases} ``` Each security server has an associated rule indicating which permission decisions are cacheable on a context-to-context basis. We use $\underline{c}$ acheable(ssc, osc) to denote the set of permission decisions that are cacheable for a subject with context ssc to an object with context osc. Each permission decision set consists of a set of IPC permissions and a set of permissions specific to osc's class. We require that the latter set of permissions be contained in the set of permissions identified by $\underline{osc\_class\_permissions}$ . For example, when osc is the context of a thread port, the permissions returned by $\underline{c}$ acheable consist of IPC and thread permissions. Typically, a security server will manage a database that defines $\underline{c}$ acheable. We use $\underline{c}$ $acheablity\_database$ to denote this database. Since the structure of the database will vary from security server to security server, we introduce the generic parameter $CACHE\_DB$ for use as the type of $\underline{c}$ $acheablity\_database$ . #### **Generic Security Server Definition 7** ``` \begin{array}{c} Cacheable[SSC,OSC,CACHE\_DB] \\ RecognizedContexts[SSC,OSC] \\ Osc\ Partitions[OSC] \\ Osc\ Class\ Permissions[OSC] \\ \underline{c}\ acheable:\ SSC\times OSC \longrightarrow \mathbb{P}\ PERMISSION \\ \underline{c}\ acheablity\_database:\ CACHE\_DB \\ \hline \\ \forall\ ssc:\ SSC;\ osc:\ OSC\mid\underline{c}\ acheable(ssc,osc) \neq \varnothing \\ \bullet\ ssc\in\underline{r}\ ecognized\_sscs \\ \land\ osc\in\underline{r}\ ecognized\_oscs \\ \land\ (\forall\ osc\_class:\mathbb{P}\ OSC \\ \mid\ osc\in\ osc\_class\wedge\ osc\_class\in\underline{r}\ ecognized\_osc\_classes \\ \bullet\ \underline{c}\ acheable(ssc,osc) \\ \subseteq\ \underline{o}\ sc\_class\_permissions(osc\_class) \cup Ipc\_permissions) \\ \end{array} ``` Each security server has an associated rule indicating the period of validity of access computations on a context-to-context basis. We use $\underline{v}$ alidity\_duration(ssc, osc) to denote the period of time for which an access computation on ssc to osc is valid. Typically, a security server will manage a database that defines $\underline{v}$ alidity\_duration. We use $\underline{d}$ uration\_database to denote this database. Since the structure of the database will vary from security server to security server, we introduce the generic parameter $DUR\_DB$ for use as the type of $\underline{d}$ uration\_database. ``` \begin{array}{l} \_ \ ValidityDuration[SSC,OSC,DUR\_DB] \\ \hline \ RecognizedContexts[SSC,OSC] \\ \hline \ \underline{v}alidity\_duration:SSC\times OSC \longrightarrow \mathbb{N} \\ \hline \ \underline{d}uration\_database:DUR\_DB \\ \hline \ \mathrm{dom}\ \underline{v}alidity\_duration \subseteq \underline{r}ecognized\_sscs \times \underline{r}ecognized\_oscs \\ \end{array} ``` In summary, a generic security server consists of: - sets of recognized SSCs, OSCs, SSIs, and OSIs, - mappings from SSIs to SSCs and OSIs to OSCs, - a partitioning of the recognized OSCs into recognized OSC classes, - a mapping from recognized OSC classes to associated permission sets, - a policy database and rule defining permission sets on an SSI-to-OSI basis, - a cacheability database and rule defining sets of cacheable permission decisions on an SSI-to-OSI basis, and - a duration database and rule defining validity durations on an SSI-to-OSI basis. #### **Generic Security Server Definition 9** Each security server accepts requests specifying a pair of SIDs and a reply port. Each request is received through a message and each message has an attached sending ssi. Thus, a request can be viewed as a record having fields $client\_ssi$ , $source\_ssi$ , $target\_osi$ , and $ar\_reply\_name$ . In response to an access request, a security server sends a $Sec\_access\_provided\_id$ message containing the pair of SIDs, set of permissions, cacheability information (denoted by $control\_vector$ ) and validity duration. The set of permissions, cacheability and validity duration must be consistent with the pair of SIDs. If either of $source\_ssi$ or $target\_osi$ are unrecognized SIDs, then an empty set of permissions and duration of 0 must be returned. We allow the possibility of a non-empty set of cacheable permission decisions being returned. This provides the security server with a mechanism to avoid additional requests with the same pair of SIDs. Given a current security server state of $ss\_state$ , we use $Valid\_ss\_responses(ss\_state)$ to denote the set of messages which are consistent with the policy, cacheability and duration databases contained in $ss\_state$ . In the Z formalization, we use ProvidedAccess to denote a schema containing fields $client\_ssi$ , $source\_ssi$ , $target\_osi$ , $ar\_reply\_name$ , $access\_vector$ , $control\_vector$ , and duration. The set of valid responses is a set of elements of this type. ``` \_ProvidedAccess \_ client\_ssi: SSI source\_ssi: SSI target\_osi: OSI ar\_reply\_name: NAME access\_vector: \mathbb{P}\ PERMISSION control\_vector: \mathbb{P}\ PERMISSION duration: \mathbb{N} ``` ``` =[SSC, OSC, POLICY\_DB, CACHE\_DB, DUR\_DB] Valid_ss_responses: GenericSecurityServer[SSC, OSC, POLICY\_DB, CACHE\_DB, DUR\_DB] \longrightarrow \mathbb{P} ProvidedAccess \forall ss\_state : GenericSecurityServer[SSC, OSC, POLICY\_DB, CACHE\_DB, DUR\_DB]; prov\_acc: ProvidedAccess prov\_acc \in Valid\_ss\_responses(ss\_state) • (let ssi == prov\_acc.source\_ssi; osi == prov\_acc.target\_osi; vec == prov\_acc.access\_vector; cv == prov\_acc.control\_vector; dur == prov\_acc.duration • ((ssi, osi) \in ss\_state.\underline{r}ecognized\_ssis \times ss\_state.\underline{r}ecognized\_osis \Rightarrow (let ssc == ss\_state.sid\_ssc(ssi); osc == ss\_state.target\_osc(ssi, osi) • vec \subseteq ss\_state.policy\_allows(ssc, osc) \land cv \subseteq ss\_state.\underline{c}acheable(ssc, osc) \land \ dur \leq ss\_state.\underline{v}alidity\_duration(ssc, osc))) \land ((ssi, osi) \notin ss\_state.\underline{r}ecognized\_ssis \times ss\_state.\underline{r}ecognized\_osis \Rightarrow vec = \emptyset \land dur = 0) ``` Editorial Note: Consideration needs to be given as to whether this should be a generic schema rather than a generic definition. The specification of a specific security server requires defining: - The structure of SSC, OSC, $POLICY\_DB$ , $CACHE\_DB$ , and $DUR\_DB$ . - The rule for defining $policy\_allows$ . - The rule for defining $\overline{\underline{c}}$ a cheable. - The rule for defining $validity\_duration$ . - The definition of any OSC classes beyond those representing kernel entities. - The permissions associated with each OSC class beyond those representing kernel entities. ## Section 9 Notes #### 9.1 Acronyms CMU Carnegie Mellon University **DTOS** Distributed Trusted Operating System FSPM Formal Security Policy Model IBAC Identity Based Access Control **IPC** Interprocess Communication **KID** Kernel Interface Document MLS Multi-Level Secure **OSC** Object Security Context **OSF** Open Software Foundation **OSI** Object Security Identifier SID Security Identifier SSC Subject Security Context **SSI** Subject Security Identifier VM Virtual Memory #### 9.2 Glossary **abstract service** An abstract service is characterized by a relation on pairs of system states that specifies a change to a kernel data structure. For example, the service that creates a new task is characterized by a relation that specifies that the new system state contains a task that was not present in the old system state. **control point** A control point is a point in the processing of a request where the kernel must enforce an access decision. **dirty page** A page in kernel memory is dirty if the pager associated with the page has not yet been made aware of modifications that have been made to the page. **IBAC Server** An IBAC server is a user space task that defines an IBAC policy on a memory object. The kernel interacts with an IBAC server in much the same manner as it interacts with security servers. **implementation service** An implementation service is a Mach request for which the set of provided abstract services is difficult to formally define. **permission** A permission is an access mode enforced by the kernel. The kernel ensures that a service is provided only when the client of the service has the appropriate permission. **precious page** A page in kernel memory is precious if the pager associated with the page has indicated that it is not maintaining a copy of the page. Regardless of whether the page is dirty, the kernel must send the contents of the page to the pager before removing the page from memory. **security server** A security server is a user space task that provides access computations to the kernel. #### 9.3 Open Issues - This document does not currently address i386 and debugger requests. - The original system design specified that each memory object would be labeled with IBAC protections and have an associated port used by the kernel to request IBAC decisions for the memory. These features have not been implemented and no policy requirements are stated regarding the IBAC protections and IBAC ports. However, permissions have been defined in the access vectors to control the use of these IBAC components should they ever be implemented. - The specification of the interface between the kernel and the security server is not complete. In particular, requests to the security server include the permission being requested, and responses from the security server include a notification vector. - Side effects need to be taken into account in some of the service definitions. This has been done for the thread services but might still need to be done for some of the other services. - The prototype does not currently implement the enforcement of read-only access. The low-level memory routines in the prototype treat read and execute interchangeably. - We need to consider whether the 12 permissions currently defined for memory control services can actually be reduced to a single permission indicating that the subject can serve as the pager for a given memory object. The case for doing this is that any usable pager probably needs to be allowed to use the entire paging protocol. Thus, the ability to page for a memory object may well be an all-or-nothing proposition. If so, nothing is gained by having 12 permissions. - Checks on SID triples rather than SID pairs might be required to obtain the degree of control that we would like over some services. For example, checking permissions on the basis of the client, port, and receiver might be necessary when transferring a port right instead of checking on the basis of only the client and the port. - The current prototype does not provide support for identity based policies in which each task and memory object might need a different SID. Enhancements to support such policies are under consideration. Few if any changes would be required in this documents to address such an enhancement. - This control policy does not require complete tranquility of SIDs (the AID of a task, task port, or thread port may change) or tranquility of the set of accesses permitted between two SIDs. This may lead to inconsistencies between the prototype and this policy, because of possible concurrency in the system. In general, the requirements in this document state that a permission check is based upon the SID of the source and target in the state when the service is provided, though this cannot always be guaranteed in the prototype. One way to lessen the scope of this problem with respect to nontranquility of SIDs is to limit those permissions which can depend upon the AID field of the SID. This will likely be addressed in future drafts of this document. It is currently expected that the prototype will only use the AID fields for determining permissions to perform the services Changes TaskAid and Creates TaskSecure. ■ The service *Initiates Operation* should also state that the request was received through an appropriate port (e.g., a task request through a task port). This requires that the list of implementation services at the end of Section 6 be divided into separate lists for each type of port. Appendix A ## **Bibliography** - [1] William R. Bevier and Lawrence M. Smith. A Mathematical Model of the Mach Kernel: Entities and Relations (Draft). Technical report, Computational Logic, Incorporated, April 1993. - [2] Todd Fine, Carol Muehrcke, and Edward A. Schneider. Formal Top Level Specification for Distributed Trusted Mach. Technical report, Secure Computing Corporation, 2675 Long Lake Road, Roseville, Minnesota 55113-2536, April 1993. DTMach CDRL A012. - [3] Keith Loepere. *Mach 3 Kernel Interfaces* Open Software Foundation and Carnegie Mellon University, November 1992. - [4] Keith Loepere. *OSF Mach Kernel Principles* Open Software Foundation and Carnegie Mellon University, final draft edition, May 1993. - [5] NCSC. Trusted Computer Systems Evaluation Criteria. Standard, DOD 5200.28-STD, US National Computer Security Center, Fort George G. Meade, Maryland 20755-6000, December 1985. - [6] Secure Computing Corporation. DTOS Formal Top-Level Specification (FTLS). Technical report, Secure Computing Corporation, 2675 Long Lake Road, Roseville, Minnesota 55113-2536, December 1994. DTOS CDRL A005. - [7] Secure Computing Corporation. DTOS Kernel and Security Server Software Design Document. Technical report, Secure Computing Corporation, 2675 Long Lake Road, Roseville, Minnesota 55113-2536, January 1994. DTOS CDRL A002. - [8] Secure Computing Corporation. DTOS Formal Security Policy Model (Non-Z Version). Technical report, Secure Computing Corporation, 2675 Long Lake Road, Roseville, Minnesota 55113-2536, June 1995. - [9] Secure Computing Corporation. DTOS Generalized Security Policy Specification. Technical report, Secure Computing Corporation, 2675 Long Lake Road, Roseville, Minnesota 55113-2536, January 1995. DTOS CDRL A019. - [10] Secure Computing Corporation. DTOS Kernel Interfaces Document. Technical report, Secure Computing Corporation, 2675 Long Lake Road, Roseville, Minnesota 55113-2536, April 1995. DTOS CDRL A003. - [11] J.M. Spivey. *The Z Notation: A Reference Manual.* Prentice Hall International, 1992. Appendix B # **Prototype Security Server Requirements** This section describes the data structures and security requirements relevant to the prototype security server. This security server enforces accesses using both a Multilevel Secure (MLS) Policy and a Type Enforcement Policy. The MLS Policy provides confidentiality in the DoD sense. The Type Enforcement Policy provides a mechanism for constructing protected subsystems. #### **B.1** Security Contexts Each user of the system is represented by a user identifier. We use USER to denote the set of all user identifiers. Each subject and object has an associated level. We use LEVEL to denote the set of all levels. Each subject operates in some domain. We use DOMAIN to denote the set of all domains. Each object has an associated type. We use TYPE to denote the set of all types. #### **Prototype Security Server Definition 1** [USER, LEVEL, DOMAIN, TYPE] The subject security context of a process consists of the following: - *user* the user in whose name the process is executing, - lvl the level at which the process is executing, - *domain* the domain in which the process is executing. #### **Prototype Security Server Definition 2** PrototypeSSC user: USER lvl: LEVEL domain: DOMAIN The object security context of an object consists of the following: - user the user associated with the object. This is $null\_user$ except for those OSCs that are derived from an SSC (e.g., the OSCs in $\underline{t}ask\_oscs$ ). - *lvl* the object's level, - type the object's type. #### **Prototype Security Server Definition 3** | NullUser | | | |-----------------|--|--| | null_user: USER | | | #### B.2 Policy Database There are six components of the policy database. First, the policy database records the set of recognized security attributes. We use $\underline{r}ecognized\_users$ , $\underline{r}ecognized\_levels$ , $\underline{r}ecognized\_domains$ , and $\underline{r}ecognized\_types$ to denote the sets of recognized security attributes. #### **Prototype Security Server Definition 4** | Recognized Users | |------------------------------------------------| | NullUser | | $recognized\_users: PUSER$ | | $null\_user \in \underline{r}ecognized\_users$ | | $nuit\_user \in \underline{r}ecoyntzeu\_users$ | | | | | | RecognizedLevels | | $recognized\_levels: PLEVEL$ | | | | | | | | Recognized Domains | | $\underline{r}ecognized\_domains: P \ DOMAIN$ | | | | | | Recognized Types | | $recognized\_types: P TYPE$ | | | | | | | | RecognizedAttributes | | Recognized Users | | Recognized Levels | | Recognized Domains | | Recognized Types | | | Second, the policy database records the ordering of the recognized levels. We use $lvl_1 \preceq lvl_2$ to denote that $lvl_1$ and $lvl_2$ are recognized levels and that $lvl_1$ is at or below $lvl_2$ . For convenience, we introduce $dominated\_by\_rel$ as a prefix form of the relation $\preceq$ . In other words, $dominated\_by\_rel(lvl_1, lvl_2)$ holds exactly when $lvl_1 \preceq lvl_2$ . We require that $\preceq$ is a partial ordering of the levels. #### **Prototype Security Server Definition 5** ``` \begin{array}{l} \textit{Dominates} \\ \textit{RecognizedLevels} \\ - \preceq _: \textit{LEVEL} \leftrightarrow \textit{LEVEL} \\ \textit{dominated\_by\_rel} : \textit{LEVEL} \leftrightarrow \textit{LEVEL} \\ \\ \forall \textit{lvl} : \textit{LEVEL} \mid \textit{lvl} \in \underline{\textit{recognized\_levels}} \\ \bullet \textit{lvl} \preceq \textit{lvl} \\ \forall \textit{lvl_1}, \textit{lvl_2} : \textit{LEVEL} \mid \{ \textit{lvl_1}, \textit{lvl_2} \} \subseteq \underline{\textit{recognized\_levels}} \\ \bullet (\textit{lvl_1} \preceq \textit{lvl_2} \land \textit{lvl_2} \preceq \textit{lvl_1} \\ \Rightarrow \textit{lvl_1} = \textit{lvl_2}) \\ \forall \textit{lvl_1}, \textit{lvl_2}, \textit{lvl_3} : \textit{LEVEL} \mid \{ \textit{lvl_1}, \textit{lvl_2}, \textit{lvl_3} \} \subseteq \underline{\textit{recognized\_levels}} \\ \bullet (\textit{lvl_1} \preceq \textit{lvl_2} \land \textit{lvl_2} \preceq \textit{lvl_3} \\ \Rightarrow \textit{lvl_1} \preceq \textit{lvl_3}) \\ \forall \textit{lvl_1}, \textit{lvl_2} : \textit{LEVEL} \mid \textit{lvl_1} \preceq \textit{lvl_2} \\ \bullet \{ \textit{lvl_1}, \textit{lvl_2} \} \subseteq \underline{\textit{recognized\_levels}} \\ \textit{dominated\_by\_rel} = (\_ \preceq \_) \\ \end{array} ``` Third, the policy database records a group of four permission sets for each domain-type pair. We use $\underline{t}e\_vectors(domain, type)$ to denote the group of permission sets associated with the pair (domain, type). We view each group of permission sets as a record having the following fields: - $\blacksquare$ same the permissions for the case in which the source subject and target object are at the same level, - source\_higher the permissions for the case in which the source subject is at a level strictly dominating that of the target object, - target\_higher the permissions for the case in which the target object is at a level strictly dominating that of the source subject, - lacktriangle in comparable the permissions for the case in which the levels of the source subject and target object are incomparable In the Z specification, we use the schema TEVectors to denote a record containing these four fields. We require that no permissions be allowed if the domain or type is unrecognized. #### **Prototype Security Server Definition 6** $\_TEVectors = \\ same : \mathbb{P}\ PERMISSION \\ source\_higher : \mathbb{P}\ PERMISSION \\ target\_higher : \mathbb{P}\ PERMISSION \\ incomparable : \mathbb{P}\ PERMISSION \\$ ``` \begin{array}{c} \textit{TEPermissions} \\ \textit{RecognizedDomains} \\ \textit{RecognizedTypes} \\ \underline{te\_vectors} : \textit{DOMAIN} \times \textit{TYPE} \longrightarrow \textit{TEVectors} \\ \hline \\ \forall \textit{domain} : \textit{DOMAIN}; \textit{type} : \textit{TYPE}; \textit{v} : \textit{TEVectors} \\ | \textit{v} = \underline{te\_vectors}(\textit{domain}, \textit{type}) \\ \land (\textit{domain}, \textit{type}) \notin \underline{recognized\_domains} \times \underline{recognized\_types} \\ \bullet \textit{v.same} = \varnothing \\ \land \textit{v.source\_higher} = \varnothing \\ \land \textit{v.target\_higher} = \varnothing \\ \land \textit{v.incomparable} = \varnothing \\ \hline \end{aligned} ``` Fourth, the policy database records the set of levels for which each user is authorized. We use $\underline{a} \, uthorized \_levels(user)$ to denote the set of levels for which user is authorized and require that unrecognized users are not cleared to any levels and recognized users are cleared to only recognized levels. #### **Prototype Security Server Definition 7** Fifth, the policy database records the set of domains for which each user is authorized. We use $\underline{a} \, uthorized \, \underline{domains} \, (user)$ to denote the set of domains for which user is authorized and require that unrecognized users are not authorized for any domains and recognized users are authorized for only recognized domains. #### **Prototype Security Server Definition 8** Finally, for each OSC class the policy database records a set of permissions that are AID-relevant. We use $\underline{a} i d\_relevant(osc\_class)$ to denote this set. We will require that $osc\_class$ be an element of $\underline{r}ecognized\_osc\_classes$ . However, this requirement will not be formally stated until we instantiate GenericSecurityServer in the definition of PrototypeSecurityServerPolicy. In addition, the policy database records a set of domains $\underline{m} ay\_change\_user$ such that a context with a domain in the set may be granted AID-relevant permissions to contexts with a different user. A context with a domain not in this set will be granted an AID-relevant permission only to a context with the same user. #### **Prototype Security Server Definition 9** Together, these six components comprise the prototype security server policy database. #### **Prototype Security Server Definition 10** ``` PrototypePolicyDatabase RecognizedAttributes Dominates TEPermissions AuthorizedLevels AuthorizedDomains AidRelevance ``` #### B.3 Cacheability Database In the prototype Security Server there is no cacheability database since every permission sent in an access vector, whether granted or denied, is cacheable. We define the type $NULL\_DATABASE$ to denote an empty database. #### **Prototype Security Server Definition 11** ``` [NULL\_DATABASE] ``` #### B.4 Duration Database The duration database has the same structure as the type enforcement component of the policy database. For each domain-type pair, there is a separate duration value associated with each of the possible relations between the source and target levels. In the Z specification, we use the schema TEDurations to denote a record containing the four possible duration values associated with each domain-type pair. We require that non-zero durations only be permitted for recognized domains and types. #### **Prototype Security Server Definition 12** ``` TEDurations same: N source_higher: N target_higher: N incomparable: N ``` ``` \begin{array}{c} PrototypeDurationDatabase \\ RecognizedDomains \\ RecognizedTypes \\ \underline{t}e\_durations: DOMAIN \times TYPE \longrightarrow TEDurations \\ \\ \forall \ domain: DOMAIN; \ type: TYPE \\ |\ (domain, type) \notin \underline{r}ecognized\_domains \times \underline{r}ecognized\_types \\ \bullet \ (\underline{t}e\_durations(domain, type)).same = 0 \\ \land \ (\underline{t}e\_durations(domain, type)).source\_higher = 0 \\ \land \ (\underline{t}e\_durations(domain, type)).target\_higher = 0 \\ \land \ (\underline{t}e\_durations(domain, type)).incomparable = 0 \\ \end{array} ``` #### B.5 Prototype Security Server State The prototype security server state is the generic security server state instantiated with the types PrototypeSSC, PrototypeOSC, PrototypePolicyDatabase, $NULL\_DATABASE$ and PrototypeDurationDatabase. The set of recognized SSCs is defined to be those for which the user field is a recognized user and the level and domain fields are appropriate for the user field. The set of recognized OSCs is defined to be those for which the user field is a recognized user, the level field is appropriate for the user field, and the type field is recognized. The functions $\underline{policy\_allows}$ , and $\underline{validity\_duration}$ are defined in terms of the policy and duration databases. Both use $\underline{\leq}$ to determine the relation between the source and target levels and then return the appropriate value of the four values associated with the source domain and target type. The function $\underline{cacheable}$ always returns the full set of possible permissions for the given OSC class. The policy database is indexed by domain and type. For AID-relevant permissions the user fields of the contexts must also be considered when making the permission decision. For these permissions the policy database may be overridden. For example, in order for a task $task_1$ to create a task $task_2$ in a context with a different user, $task_1$ must be in a domain that is an element of the set of privileged domains $\underline{m}ay\_change\_user$ . If the contexts of $task_1$ and $task_2$ have the same user, then permission is based entirely upon the domain and type. The set of AID-relevant permissions is defined for each recognized OSC class. At a minimum the permissions $Cross\_context\_create$ , $Change\_sid$ , $Make\_sid$ and $Transition\_sid$ are AID-relevant for task OSCs. #### **Prototype Security Server Definition 13** ``` PrototypeSecurityServerRecognizedContexts \\ GenericSecurityServer[PrototypeSSC, PrototypeOSC, PrototypePolicyDatabase, \\ NULL\_DATABASE, PrototypeDurationDatabase] \\ \hline \underline{recognized\_sscs} = \{ssc: PrototypeSSC \\ | ssc.lvl \in \underline{p}olicy\_database.\underline{a}uthorized\_levels(ssc.user) \\ \wedge ssc.domain \in \underline{p}olicy\_database.\underline{a}uthorized\_domains(ssc.user) \} \\ \underline{recognized\_oscs} = \{osc: PrototypeOSC \\ | osc.lvl \in \underline{p}olicy\_database.\underline{a}uthorized\_levels(osc.user) \\ \wedge osc.type \in \underline{p}olicy\_database.\underline{r}ecognized\_types \} ``` ``` \_Prototype Security Server Cacheability \_ Generic Security Server[Prototype SSC, Prototype OSC, Prototype Policy Database, Da NULL\_DATABASE, PrototypeDurationDatabase \forall ssc: PrototypeSSC; osc: PrototypeOSC; osc\_class: recognized\_osc\_classes | osc \in osc\_class • \underline{c} acheable(ssc, osc) = Ipc\_permissions \cup \underline{o} sc\_class\_permissions(osc\_class) \_PrototypeSecurityServerPolicy\_ Generic Security Server[Prototype SSC, Prototype OSC, Prototype Policy Database, NULL\_DATABASE, PrototypeDurationDatabase dom \ policy\_database . \underline{aid\_relevant} = \underline{recognized\_osc\_classes} \{Cross\_context\_create, Change\_sid, Make\_sid, Transition\_sid\} \subseteq policy\_database.aid\_relevant(task\_oscs) \forall ssc: PrototypeSSC; osc: PrototypeOSC • policy_allows(ssc, osc) = (let tev == policy\_database.\underline{t}e\_vectors(ssc.domain, osc.type); (\_ \preceq_p \_) == (policy\_database.dominated\_by\_rel) • if ssc.lvl = osc.lvl then tev.same else if ssc.lvl \preceq_p osc.lvl then tev.target\_higher else if osc.lvl \leq_p ssc.lvl then tev.source\_higher else tev.incomparable) losc \in osc\_class \land perm \in policy\_database.\underline{a}id\_relevant(osc\_class) \land ssc.domain \notin policy\_database.\underline{m}ay\_change\_user \land ssc.user \neq osc.user \bullet perm } \_PrototypeSecurityServerDuration \_ Generic Security Server[Prototype SSC, Prototype OSC, Prototype Policy Database, Da NULL\_DATABASE, PrototypeDurationDatabase \forall ssc: PrototypeSSC; osc: PrototypeOSC • validity\_duration(ssc, osc) = (let ted == \underline{d} uration\_database.\underline{t}e\_durations(ssc.domain, osc.type); (\underline{\prec}_p \underline{\ }) == (policy\_database.dominated\_by\_rel) • if ssc.lvl = osc.lvl then ted.same else if ssc.lvl \preceq_p osc.lvl then ted.target\_higher else if osc.lvl \leq_p ssc.lvl then ted.source\_higher else ted.incomparable) PrototypeSecurityServer\_ Prototype Security Server Recognized Contexts PrototypeSecurityServerPolicy PrototypeSecurityServerCacheability PrototypeSecurityServerDuration ``` #### Editorial Note: We need to consider whether we want the prototype security policy to control which clients may check each task's permissions to each target. # Appendix C Z Extensions This section describes "extensions" to the Z specification language that are used in the DTOS FTLS. All of these extensions are defined in terms of constructs in the Z specification language, so they are not technically extensions to the language. #### C.1 Disjointness and Partitions It is often necessary to indicate that each element of a collection of values is unique. For example, consider specifying that $val_1, \ldots, val_n$ are unique values. Since n might be relatively large, it is undesirable to enumerate each pair: $$val_1 \neq val_2 \wedge val_1 \neq val_3 \wedge val_1 \neq val_4 \dots$$ Although disjoint is part of the Z mathematical toolkit, it addresses disjointness of sets instead of disjointness of values. While we could convert values to singleton sets of values as follows: disjoint $$\langle \{ val_1 \}, \ldots, \{ val_n \} \rangle$$ this is somewhat inconvenient. Another possibility would be to specify that: $$\langle val_1, \ldots, val_n \rangle$$ is, when viewed as a function, injective. However, the expression: $$\langle val_1, \ldots, val_n \rangle \in \mathbb{N} \rightarrowtail X$$ is a rather unintuitive way to express disjointness. Instead, the generic predicate $Values\_disjoint$ is defined to state such disjointness properties. The expression $Values\_disjoint(val_1, ..., val_n)$ denotes that $val_1, ..., val_n$ are unique values. #### **Mach Definition 109** ``` [X] = Values\_disjoint\_: \mathbb{P}(\text{seq } X) \forall val\_seq : \text{seq } X \bullet \ Values\_disjoint \ val\_seq \Leftrightarrow (\forall i_1, i_2 : \mathbb{N} \mid i_1 \in \text{dom } val\_seq \land i_2 \in \text{dom } val\_seq \land i_1 \neq i_2 \bullet \ val\_seq(i_1) \neq val\_seq(i_2)) ``` Similarly, the expression $\langle val_1, \ldots, val_n \rangle$ $Values\_partition\ S$ denotes that the values $val_1, \ldots, val_n$ are unique values that together comprise the set $val\_set$ . #### **Mach Definition 110** #### C.2 Partial Orders A partial ordering is a relation that is reflexive, antisymmetric, and transitive. A reflexive relation is one that relates each element to itself; in other words, the identity relation is contained in every reflexive relation. An antisymmetric relation is a relation containing no cycles of the form $(val_1, val_2) \in R \land (val_2, val_1) \in R$ for distinct $val_1$ and $val_2$ . Since $(val_2, val_1) \in R$ is equivalent to $(val_1, val_2) \in R^{\sim}$ , a relation is antisymmetric exactly when $(val_1, val_2) \in R \land (val_1, val_2) \in R^{\sim}$ only holds for $val_1 = val_2$ . In other words, a relation is antisymmetric when its intersection with its inverse is contained in id. A relation is transitive when: ``` (val_1, val_2) \in R \land (val_2, val_3) \in R \Rightarrow (val_1, val_3) \in R ``` In other words, whenever it is possible to get from $val_1$ to $val_3$ through repeated iteration of R, R relates $val_1$ to $val_3$ directly. This is equivalent to $R^2$ being contained in R. For each type X, the following sets of relations are defined: - Reflexive[X] the set of all reflexive relations on X - $Anti\_symmetric[X]$ the set of all antisymmetric relations on X - Transitive[X] the set of all transitive relations on X - Poset[X] the set of all relations on X that are posets; this is simply the intersection of Reflexive[X], $Anti\_symmetric[X]$ , and Transitive[X] #### **Mach Definition 111** ``` [X] \\ Poset : \mathbb{P}(X \leftrightarrow X) \\ Reflexive : \mathbb{P}(X \leftrightarrow X) \\ Anti\_symmetric : \mathbb{P}(X \leftrightarrow X) \\ Transitive : \mathbb{P}(X \leftrightarrow X) \\ \\ Poset = Reflexive \cap Anti\_symmetric \cap Transitive \\ Reflexive = \{R : X \leftrightarrow X \mid \text{id } X \subseteq R\} \\ Anti\_symmetric = \{R : X \leftrightarrow X \mid R \cap R^{\sim} \subseteq \text{id } X\} \\ Transitive = \{R : X \leftrightarrow X \mid R^2 \subseteq R\} \\ \\ \end{cases} ``` #### C.3 Sequences The expression $val\_seq\ Add\_value\ val$ is used to denote the sequence resulting from adding the element val to the end of the sequence $val\_seq$ . The expression $s\ Wrap\_value\ val$ is used to denote the sequence resulting from replacing the first element of $val\_seq$ with val. #### **Mach Definition 112** The expression $Seq\_plus(S)$ where S is a sequence of numbers returns the sum of the numbers in S. #### **Mach Definition 113** ``` Seq\_plus : seq \mathbb{Z} \longrightarrow \mathbb{Z} Seq\_plus(\langle \rangle) = 0 \forall S : seq_1 \mathbb{Z} \bullet Seq\_plus(S) = head(S) + Seq\_plus(tail(S)) ``` ### **Index** The italic numbers denote the pages where the corresponding entry is described, numbers underlined point to the definition, all others indicate the places where it is used. | Symbols | $\underline{b}acking\_rel$ | | |----------------------------------------------|-----------------------------------------------------------------------------|------------| | $AbortsPriorityDepression \dots 101$ | BASE_MSG_ELEMENT | 47 | | Abort_thread | Base Transition | 79 | | $Abort\_thread\_depress$ | Base_user_priority | | | Access_machine_attribute | $\underline{c}$ acheability_database | | | a ctive_thread | CACHE_DB | 145 | | $\overline{A}dd\_name$ $\overline{64}$ | $\underline{c}$ acheable | 145 | | AddressSpace | $\overline{Cacheable}$ | 145 | | AddsDeadName | cache_allows | 72 | | AddsDeadNameReference | Cached_ruling_allows | 72 | | $AddsDeadNameRight \dots \overline{87}$ | Cached_ruling_allows | 72 | | AddsName | cached_ruling_avail | 72 | | $AddsReceive \dots \underline{86}$ | Can_receive | 64 | | $AddsSend \dots \overline{87}$ | Can_send | | | AddsSendOnce | $Can\_swtch$ | | | AddsSendReference | $Can\_swtch\_pri$ | <u>66</u> | | AddsSendRight | Capability | 19 | | Adds Thread <u>105</u> | Change_page_locks | 65 | | Adds Thread Secure | $Chg\_pset\_max\_pri$ | <u>69</u> | | Add_thread | $Chg\_vm\_region\_prot$ | | | Add_thread_secure | Change_sid | <u>67</u> | | Add_value <u>162</u> | $Changes Memory Object Attr \dots \dots$ | 99 | | <i>AID</i> | ChangesPageLocks | <u>99</u> | | $Allocates Execute Region \dots 97$ | Changes Wiring | 112 | | $Allocates Read Region \dots \underline{96}$ | ChangesPortAid | <u>95</u> | | Allocates Region | ChangesPortMid | 95 | | Allocates Write Region | $Changes TaskAid \dots \dots$ | 109 | | Allocate_vm_region <u>65</u> | $Changes TaskMid \dots \dots$ | 109 | | <u>a</u> llocated | $Chg\_task\_priority$ | <u>67</u> | | Alter_pns_info | $Close\_device$ | <u>70</u> | | Anti_symmetric | ClosesDevice | 116 | | Assign_processor <u>69</u> | Co_carries_memory | | | Assign_processor_to_set | Co_carries_rights | <u>42</u> | | Assigns Processor | $\underline{c}$ ommunication $\underline{-}$ oscs $\dots \dots \dots \dots$ | 143 | | A ssigns Task | COMPLEX_OPTION_BOOLEAN | | | Assigns Thread | COMPLEX_OPTION | | | Assign_task | $ConfirmsKernelMemOp \dots \dots$ | <u>119</u> | | Assign_task_to_pset | containing_port | 24 | | Assign_thread | $containing\_set$ | | | Assign_thread_to_pset | control_memory | | | Audit_ids | Control_pager | | | <u>a</u> udit_server_port | controlled_proc_set | | | <u>a</u> uthentication_server_port <u>75</u> | $\underline{c}opy\_strategy$ | | | backing_chain | $Copy\_vm$ | | | backing_memory <u>39</u> | <u>c</u> pu_time | | | backing_offset | Create_pset | 67 | | CreatesPortSet 88 | <u> </u> | 115 | |--------------------------------------------------------|------------------------------------|-------------| | CreatesProcset | $Disables Task Sampling \dots $ | <u>109</u> | | Creates Task | $Disables Thread Sampling \dots $ | | | Creates Task Secure <u>107</u> | Dtos | | | Create_task | D tos Additions | | | Create_task_secure <u>67</u> | DtosExec | | | Cross_context_create | DtosMessages | | | Cross_context_inherit | DUR_DB | | | $\underline{c}$ rypto_server_port | $\underline{e}$ $mulation\_vector$ | <u>14</u> | | dead_namep | Emulation Vector | _ | | dead_right_ref_count | $\underline{e}$ $nabled\_sp$ | | | $\underline{d}$ ead_right_rel $\underline{22}$ | Enables Policy | 115 | | DeadRights | Enables Task Sampling | <u> 109</u> | | $Deallocates Region \dots \underline{97}$ | $Enables\ Th\ readSampling$ | | | $Deallocate\_vm\_region$ | Environment_slot | | | DecreasesEventCounter | $\underline{e}vent\_count$ | | | $Decrements Thread Max Priority \dots \underline{102}$ | EVENT_COUNTER | | | $\underline{d}$ efault_mem_manager | Events | _ | | <u>d</u> efault_pager_oscs | Exception_ids | | | Default_port_sid | Exist | 9 | | Default_vm_port_sid | ExitsProcessor | <u>114</u> | | Define_new_scheduling_policy <u>69</u> | Extract_right | | | <u>d</u> epressed_threads | FILTER_PRIORITY | <u>56</u> | | <i>Depresses Priority</i> | Fixedpri | 13 | | Depress_pri | Flushes Cache | 110 | | priority_before_depression <u>12</u> | Flush_permission | | | | <u>f</u> orcibly_queued | <u>20</u> | | Destroy_object | $\overline{ForwardsNetworkPacket}$ | 121 | | Destroy_pset | GenericSecurityServer | 146 | | DestroysMemory | Get_attributes | 65 | | DestroysPortSet | $Get\_audit\_port$ | | | DestroysProcset | Get_authentication_port | 67 | | DeviceData | Get_boot_info | 68 | | DeviceExist | $Get\_crypto\_port$ | 67 | | <u>d</u> evice_exists | $Get\_default\_pset\_name$ | | | <u>d</u> evice_filter_info | Get_device_status | 70 | | $\overline{D}$ evice Filter Info | Get_emulation | 67 | | $DEVICE\_FILTER\_INFO$ | $Get\_host\_control\_port$ | 67 | | DEVICE_FILTER | Get_host_info | 67 | | $\underline{d}$ evice_in | Get_host_name | 67 | | $\overline{d}$ evice_open_count | Get_host_processors | 68 | | $\overline{D}eviceOpenCount \dots \underline{54}$ | Get_host_version | 67 | | <u>d</u> evice_oscs | $Get\_negotiation\_port$ | <u>67</u> | | <u>d</u> evice_out | $Get\_network\_ss\_port$ | <u>67</u> | | Device_permissions | $Get\_processor\_assignment$ | 68 | | $device\_port \dots \overline{30}$ | Get_processor_info | 68 | | $\underline{d}$ evice_port_rel | Get_pset_info | 69 | | $\overline{D}EVICE\_RECORD$ | Get_security_master_port | 67 | | DEVICE | Get_security_client_port | 67 | | Devices | Get_special_port | 67 | | $DevicesAndPorts$ $\overline{31}$ | Get_task_assignment | 67 | | $\underline{d}$ evice_status | Get_task_boot_port | 67 | | $\overline{D}$ eviceStatus | Get_task_exception_port | 67 | | $DEVICE\_STATUS$ | Get_task_info | 67 | | $\underline{d}irty\_rel$ $\underline{\overline{36}}$ | Get_task_kernel_port | 67 | | | 7 . | |---------------------------------------------------|------------------------------------------------| | Get_task_threads | | | Get_thread_assignment | <u> </u> | | Get_thread_exception_port 66 | · · · · · · · · · · · · · · · · · · · | | Get_thread_info | <del>-</del> | | Get_thread_kernel_port | | | Get_thread_state | <del>-</del> | | Get_time | - · | | Get_vm_region_info | | | Get_vm_statistics | | | Halted | <del></del> - | | have_assigned_tasks | | | have_assigned_threads 53 | | | Have_execute | | | Have_read | <del></del> - | | Have_write | <b>-</b> • • • • • • • • • • • • • • • • • • • | | Higher_priority | Kernel_reply_permissions | | Highest_possible_priority | $\underline{\underline{k}}$ ernel_reply_ports | | Hold_receive | <del>-</del> | | Hold_send | | | Hold_send_once | | | <u>h</u> ost_control_port | | | <u>h</u> ost_name_port | —————————————————————————————————————— | | <u>h</u> ost_control_oscs | | | Host_control_port_permissions 68 | | | HOST | · · · · · · · · · · · · · · · · · · · | | HostsAndPorts | · · · · · · · · · · · · · · · · · · · | | HostsAndProcessors | | | <u>h</u> ost_time | | | HostTime | <del>-</del> | | <u>h</u> ost_name_oscs | | | Host_name_port_permissions <u>67</u> | $MACH\_MSG\_TYPE$ <u>42</u> | | $\underline{i}$ dle_threads | | | $Increments Thread Max Priority \dots 102$ | <i>Mach_port_dead</i> | | <u>i</u> nheritance | | | <i>Inheritance</i> | | | $Inheritance\_option\_copy \dots \underline{39}$ | $Mach\_port\_q\_limit\_max$ | | Inheritance_option_none <u>39</u> | $\underline{m}$ ach_protection | | INHERITANCE_OPTION 39 | <i>MachProtection</i> | | Inheritance_option_share 39 | <i>Mach_rcv_large</i> | | <u>i</u> nitialized <u>34</u> | <del>-</del> | | <i>Initiate_secure</i> | Mach_rcv_notify | | InitiatesMsgReceive | <i>Mach_rcv_timeout</i> | | InitiatesMsgSend | Mach_send_cancel | | $Initiates OolData Transfer \dots 83$ | Mach_send_msg | | Initiates Operation <u>121</u> | $Mach\_send\_notify$ | | $Initiates Receive Transfer \dots \underline{82}$ | <i>Mach_send_timeout</i> | | $Initiates Rights Transfer \dots 81$ | <i>Make_page_precious</i> <u>65</u> | | $Initiates Send Once Transfer \dots 82$ | $\underline{m}$ $ake\_send\_count$ | | InitiatesSendTransfer | <i>Make_sid</i> <u>67</u> | | <i>In_line</i> | MakesPagePrecious <u>99</u> | | <u>i</u> nstruction_pointer | MakesSecurityOutcall | | INTERNAL_BODY <u>48</u> | Makes TaskReady | | Internal_element | $MakesThreadOwnerReady \dots 104$ | | $Internal Message \dots \underline{50}$ | | | Interpose | $\overline{m}$ an ager $\overline{34}$ | | Manipulate_port_set | <u>64</u> | $Mach\_msg\_type\_port\_rights$ | | |----------------------------------------------------------------------------------|------------|---------------------------------------------------------------------------------------|-----------| | ManipulatesPortSet | <u>92</u> | $Mach\_msg\_type\_port\_send$ | <u>43</u> | | $\underline{m}$ ap_rel | <u>37</u> | $Mach\_msg\_type\_port\_send\_once$ | <u>43</u> | | $Map\_device$ | <u>70</u> | Modifies PortInfo | | | mapped | 38 | Modifies Region | 98 | | $\underline{m}$ apped_devices | <u>55</u> | MESSAGE_BODY | 47 | | MappedDevices | 55 | $\underline{msg}$ _contents | 51 | | mapped_memory | | $\overline{M}SG\_DATA$ | | | mapped_offset | | Msg_deallocate | 46 | | Maps Device | | $Msg\_dont\_deallocate \dots \dots \dots$ | 46 | | Map_vm_region | | Msg_error_invalid_memory | 49 | | $\underline{m}$ aster_device_port | | $Msg\_error\_invalid\_right$ | | | $\overline{M}$ aster $\overline{D}$ evice $\overline{P}$ or $\overline{T}$ | | $Msg\_error\_invalid\_type$ | | | <u>m</u> aster_proc | | $Msg\_error\_msg\_too\_small$ | | | Highest_priority | | Msg_error_notify_in_progress | | | $\underline{m}$ $ax\_protection$ | | MSG_ERROR | | | <u>Max_right_refs</u> | | Msg_error_timed_out | | | Max_samples | | msg_operation | | | may_cache | | Operations | | | $\frac{m}{May\_control\_processor}$ | | $\underline{m}$ $\underline{sg}$ _receiving_sid | | | $\underline{m}$ ember_rel | | Msg_region | | | control_port | | msg_ruling | | | | | msg_sending_sid | | | <u>c</u> ontrol_port_rel | | <del></del> | | | Memory_copy_call | | $\underline{m} sg\_specified\_sid$ | | | Memory_copy_delay | | $\underline{m}$ $\underline{sg}$ $\underline{specified}$ $\underline{vector}$ $\dots$ | | | Memory_copy_none | | Msg_stat_pseudo | | | MEMORY_COPY_STRATEGY | | Msg_stat_rcv | | | Memory_copy_temporary | | Msg_stat_send | | | name_port | | MSG_STATUS | | | name_port_rel | | Msg_value | | | MEMORY | | MSG_VALUE | | | Memories And Ports | | named_port | | | Memory | | named_proc_set | | | MemoryExist | _ | NAME | | | $\underline{m} emory\_exists$ | _ | $Name\_server\_slot$ | | | $Mem\_obj\_confirmation\_ids$ | | $\underline{n} egotiation\_server\_port \dots \dots$ | | | Memory_object_permissions | | $Network\_packet\_ids$ | | | MemorySystem | 41 | $\underline{n}$ etwork_ss_port | | | Message | | Notifications | | | Msg_element | | $number\_of\_rights$ | | | MessageExist | . <u>8</u> | object_memory | <u>28</u> | | $\underline{m} essage \underline{-} exists \dots \dots \dots \dots \dots \dots$ | | object_port | <u>28</u> | | $\underline{m} essage\_in\_port\_rel$ | <u>24</u> | <u>o</u> bject_port_rel | <u>28</u> | | Message Queues | 25 | ObjectSid | 61 | | MESSAGE | . <u>8</u> | Observe_pns_info | <u>64</u> | | <i>Messages</i> | <u>52</u> | Observe_pset_processes | 69 | | <i>MID</i> | 58 | OFFSET | 34 | | Lowest_priority | 12 | OLSD | 47 | | $Mmt\_copy\_send$ | | Open_device | 70 | | Mmt_make_send | | OpensDevice | | | Mmt_make_send_once | | OPERATION | | | Mmt_move_receive | | osc_class_permissions | _ | | Mmt_move_send | | | 144 | | Mmt_move_send_once | | OscPartitions | | | | | OSC | 141 | | <i>OSI</i> <u>5</u> 9 | | |--------------------------------------------------|-------------------------------------------------------------| | Osi_to_aid | <u>p</u> ort_notify_dead_rel <u>25</u> | | Osi_to_mid | port_notify_destroyed 25 | | Out_of_line | $port\_notify\_destroyed\_rel$ | | <i>WORD</i> <u>34</u> | port_notify_no_more_senders | | th reads | $port\_notify\_no\_more\_senders\_rel$ $25$ | | owning_task9 | Port_permissions | | PageAndMemory 37 | port_pointer | | page_aid | Port_rename | | PageExist | p ort_right_rel | | page_exists | $\frac{p}{port\_right\_namep}$ | | | $port\_right\_seq$ | | PAGE_INDEX | PORT | | $page\_lock\_rel$ | port_set | | | port_set_namep | | page_mid | port_set_namep 21 port_set_rel 21 | | PAGE_OFFSET 36 | <del>_</del> | | pager_oscs | PortSets | | $Pager\_permissions$ | <u>port_sid</u> <u>59</u> | | $Pager\_request\_ids$ | PortSid | | PAGE | port_size | | page_sid | PortSummary | | $\frac{p}{PageSid}$ | Poset | | | $Pp\_to\_page\_sid$ | | Page_vm_region | <u>p</u> recious | | <u>p</u> age_word_rel | <i>Priority_levels</i> | | page_word_fun | proc_assigned_procset | | SCHED_POLICY_DATA 13 | <i>Process</i> <u>57</u> | | <u>p</u> arent_task | <i>ProcessorExist</i> | | Parent Task | <u>p</u> roc_exists <u>8</u> | | Pc_device | <u>p</u> rocessor_oscs | | Pc_host_control | Processor_permissions <u>68</u> | | Pc_host_name | <u>p</u> rocessor_port_rel <u>29</u> | | Pc_memory | PROCESSOR | | Pc_processor <u>32</u> | Pset_ctrl_port | | $Pc\_ps\_control$ | Pset_names | | Pc_ps_name | processors <u>52</u> | | Pc_task | ProcessorsAndPorts | | Pc_thread | ProcessorAndProcessorSet | | PendingReceive | proc_self | | $\underline{p}$ ending_receives $\underline{51}$ | ProcessorSetExist | | PERMISSION | procset_exists | | $\underline{p}$ olicy_allows | | | PolicyAllows <u>144</u> | procset_control_oscs | | <u>p</u> olicy_database | $\overline{P}_{rocset\_control\_port\_permissions}$ 69 | | POLICY_DB | PROCESSOR_SET | | port_aid | procset_self | | $port\_class$ | procset_name_oscs | | | $\frac{p}{Procset\_name\_port\_permissions}$ | | PortClasses 32 | Protection | | port_device 30 | Execute | | PortExist | $ rac{SR}{Read}$ | | p ort_exists | $\frac{37}{PROTECTION}$ | | port_mid | Write | | PortNameSpace | | | <i>Provide_permission</i> | represented_offset | |---------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | $ps\_control\_port\_rel$ | representing_page $\overline{36}$ | | $ps\_max\_priority$ | <u>represents_rel</u> <u>36</u> | | ps_name_port_rel 30 | represents_memory | | <u>q_limit</u> | Request | | <del>_</del> | Resumes Task | | Raise_exception | Resumes Thread | | Raises Exception To Task | Resume_task | | Raises Exception To Thread | Resume_thread | | Read_device | Revoke_ibac | | Reads Device | <i>RIGHT</i> <u>18</u> | | Read_vm_region | $r\_right$ | | Reboot_host | Ruling | | Receive | Ruling_allows | | receiver | Ruling_allows | | receiver_name | Running | | Recognized Contexts | $\underline{r}$ $\underline{u}$ $\underline{n}$ $\underline{s}$ $\underline{t}$ | | $\underline{r}$ ecognized_osc_classes | RUN_STATES | | <u>r</u> ecognized_oscs | $\underline{s}$ ampled_tasks | | <i>RecognizedOscs</i> | | | <u>r</u> ecognized_osis | <u>s</u> ampled_threads | | Recognized_sample_types | Sample_periodic | | <i>RecognizedSids</i> | SAMPLE | | <u>r</u> ecognized_sscs | Sample_task | | <i>RecognizedSscs</i> | Sample_thread | | <u>r</u> ecognized_ssis | SAMPLE_TYPES | | $Recognized\_transfer\_options$ | Sample_vm_cow_faults | | <i>Reflexive</i> | SAMPLE_VM_FAULTS 15 | | <u>r</u> egistered_rights | Sample_vm_faults_any 15 | | <i>RegisteredRights</i> | $Sample\_vm\_pagein\_faults$ | | Register_notification | Sample_vm_reactivation_faults <u>15</u> | | Register_ports | $Sample\_vm\_zfill\_faults$ | | RegistersDeadNameNotification 93 | Save_page <u>65</u> | | $Registers No More Senders Notification \dots \underline{93}$ | Saves Page <u>100</u> | | Registers Notification | SCHED_POLICY <u>13</u> | | RegistersPort | $\underline{s}$ ecurity_server_client_port $\underline{75}$ | | $RegistersPortDestroyedNotification \dots \overline{93}$ | Security_server_ids | | <i>Remove_name</i> 64 | <u>security_server_master_port</u> <u>75</u> | | $Remove\_page \dots \underline{65}$ | self_task | | RemovesDeadName $91$ | self_thread <u>27</u> | | $RemovesDeadNameReference$ $\overline{90}$ | Send | | RemovesDeadNameRight | sender | | $RemovesName$ $\overline{91}$ | Send_once <u>18</u> | | $RemovesPage \dots \underline{100}$ | SendRightsCount | | <i>RemovesReceive</i> | SendsAuditData | | <i>RemovesSend</i> | SendsKernelReply | | RemovesSendOnce | SendsNotification | | RemovesSendReference | $SendsPagerOutcall \dots 119$ | | RemovesSendRight | $\underline{\underline{s}}$ equence_no | | RenamesInPortNameSpace | Seq_plus | | reply_port 51 | ServerPorts | | <u>reply_port_rel</u> | Service_slot | | $reply\_port\_right$ | $ServicesPageFault \dots 99$ | | ReplyPorts 51 | Set_attributes 65 | | represented | Set_audit_port 67 | | represented_memory | Set_authentication_port 67 | | Set_crypto_port | Sid To Context | |------------------------------------------------------------|-------------------------------------------------| | Set_ibac_port | $\underline{s}leep\_time$ | | Set_default_memory_mgr | so_right | | Set_device_filter | SpecialPurposePorts | | Set_device_status | Special Task Ports | | Set_emulation | Special Thread Ports | | Set_vm_region_inherit | Specifies AV | | Set_max_thread_priority | SpecifiesSsi | | Set_negotiation_port | Specify | | Set_network_ss_port | s_right | | Set_ras | s_right_ref_count | | Set_reply 64 SetsAuditServer 111 | s_r_right 20 SSC 141 | | <del></del> | ——· | | SetsAuthenticationServer | SSI <u>58</u> | | Sets Crypto Server | Ssi_to_aid | | SetsDefaultManager | Ssi_to_mid | | SetsDeviceFilter | State_info_avail | | SetsDeviceStatus | Stopped | | Set_security_master_port | SubjectSid | | Set_security_client_port | Supply_ibac | | SetsEmulationVector | supplying_device | | SetsInheritance | $SUPP\_MACHINE\_ARCH$ $\underline{17}$ | | SetsMakeSendCount | $\underline{s}upported\_sp$ | | SetsNegotiationServer | Suspends Task | | SetsNetworkSecurityServer | Suspends Thread | | Set_special_port | Suspend_task | | SetsProcsetMaxPriority | Suspend_thread | | Sets Protection | $\underline{s}$ wapped_threads | | Sets Queue Limit | Switch_thread | | SetsReply | $\underline{s}ystem\_time \dots \underline{16}$ | | SetsSecServerClientPort | target_osc | | SetsSecServerMasterPort 110 | TargetSids | | SetsSeqNo | task_aid | | SetsSpecialPort <u>112</u> | TaskAndProcessorSet | | Sets TaskBootPort | task_assigned_to | | Sets Task Exception Port 108 | <u>task_assignment_rel</u> | | Sets Task Kernel Port | task_bport | | Sets Task Priority | $\underline{t}$ ask_bport_rel | | Sets Thread Exception Port 104 | $\underline{t}$ ask_creation_state | | Sets Thread Kernel Port 103 | Task Creation State | | Sets Thread Policy 103 103 103 | TASK_CREATION_STATE 73 | | Sets Thread Priority | task_eport | | Set_task_boot_port | <u>task_eport_rel</u> <u>27</u> | | Set_task_exception_port | TaskExist | | Set_task_kernel_port 67 | <u>task_exists</u> | | Set_thread_exception_port <u>66</u> | task_mid | | Set_thread_kernel_port | <u>task_oscs</u> <u>143</u> | | Set_thread_policy | $Task\_port\_register\_max$ 33 | | Set_thread_priority | Task_port_sid | | Set_thread_state | <u>task_priority</u> <u>13</u> | | Set_time | TaskPriority | | shadow_memories | $\underline{t}$ as $k$ _received_msgs | | $Shadow Memories \dots \underline{40}$ | TASK | | <u>sid_osc</u> | $\underline{t}$ ask_samples $\underline{16}$ | | <u>s</u> id_ssc | $task\_sample\_sequence\_number \dots 16$ | | $\underline{t}$ ask $\_sample\_types$ | | | |---------------------------------------------------------------|-------------------------------|------| | <i>TaskSampling</i> | | | | $TasksAndPorts \dots \underline{1}$ | <u>9</u> Thread_self_sid | . 62 | | TasksAndRights 2 | | | | TasksAndThreads | $\underline{0}$ thread_sself | . 27 | | task_s elf | <u> </u> | . 27 | | <u>t</u> ask_self_osc | <u>2</u> <u>t</u> hread_state | . 17 | | <u>t</u> ask_self_rel | 6 THREAD_STATE_INFO | . 17 | | Task_self_sid | 2 THREAD_STATE_INFO_TYPES | . 17 | | <u>t</u> ask_sid | <b>9</b> ThreadStatistics | . 17 | | | | . 10 | | $\underline{t}$ ask $\_sself\_rel$ | | | | $task\_suspend\_count$ | | | | TaskSuspendCount | | | | task_target | | | | $Task\_task\_permissions$ | | | | task_thread_rel | | | | $Tcs\_task\_empty$ | | | | Tcs_task_ready | | . 33 | | Tcs_thread_created 7 | | | | Tcs_thread_state_set | | | | $\underline{\underline{t}emporary\_rel}$ | | | | $\underline{\underline{c}}$ Terminates Task | | | | Terminates Thread | | | | Terminate_task | | | | Terminate_thread 6 | | | | the_processor | | | | ThreadAndProcessorSet | | | | $\frac{9}{5}$ thread_assigned_to | | | | $\underline{\underline{b}}$ thread_assignment_rel | | | | $\frac{1}{2}$ thread_eport | | | | thread_eport_rel | | | | $\frac{L}{L}$ Thread Exec Status | | | | ThreadExist | | | | thread_exists | <del>-</del> - | | | ThreadInstruction | | | | ThreadMachineState | = | | | $\frac{1}{t}$ thread_max_priority | <b></b> * | | | $\frac{1}{thread\_oscs}$ | | | | Thread_permissions | | | | Thread_permissions | | | | ThreadPri | | | | $\frac{1}{thread\_priority}$ | = | | | | | | | THREAD | | | | <del></del> | _ | | | $\underline{t}hread\_samples$ $\underline{1}$ | | | | $\underline{t}$ hread_sample_sequence_number $\underline{1}$ | | | | $\underline{t}$ hread_sample_types | | | | Threads And Processors | <del>_</del> | | | ThreadsAndProcessors | = - | | | $\underline{t}hread\_sched\_policy$ $\underline{1}$ | | | | ThreadSchedPolicy | | | | $\underline{t}hread\_sched\_policy\_data \dots \underline{1}$ | <del>-</del> | | | $\underline{t}hread\_sched\_priority \dots \underline{1}$ | | | | thread self | 27 Wired | . 40 | | <i>Wires Th read</i> | DisablesPolicy | 115 | |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------|-----------| | Wire_thread | $Disables Task Sampling \dots$ | | | $Wire\_thread\_into\_memory \dots \underline{66}$ | $Disables Thread Sampling \dots \dots$ | | | $Wire\_vm$ | Enables Policy | | | $Wire\_vm\_for\_task$ | | 109 | | $Wrap\_value$ | $Enables Thread Sampling \dots \dots$ | | | Write_device | | 114 | | $\overline{WritesDevice}$ | Flushes Cache | | | $Write\_vm\_region$ | ForwardsNetworkPacket | | | $\underline{\underline{d}} \underline{e} f \underline{u} \underline{l} \underline{t} \dots $ | Increments ThreadMaxPriority | | | $\frac{-1}{protection}$ | Initiates MsgReceive | | | <u> </u> | Initiates Msg Send | | | C | Initiates OolData Transfer | | | Cacheable | Initiates Receive Transfer | | | | Initiates Rights Transfer | | | D | Initiates Send Once Transfer | | | DTOS Services: | Initiates Send Transfer | | | $A borts Priority Depression \dots 101$ | Interposes | | | AddsDeadName | InvTaskCreationStateTrans | | | $AddsDeadNameReference \dots \overline{88}$ | • | | | $AddsDeadNameRight \dots \overline{87}$ | Loads Cache | | | AddsName | MakesPagePrecious | | | AddsReceive | MakesSecurityOutcall | | | AddsSend | Makes Task Ready | | | AddsSendOnce | Makes Thread Owner Ready | | | $AddsSendReference \dots \overline{87}$ | ManipulatesPortSet | | | $AddsSendRight \dots \underline{86}$ | Maps Device | | | AddsThread | ModifiesPortInfo | | | $AddsThreadSecure \dots \underline{106}$ | Modifies Region | | | $AllocatesExecuteRegion \dots 97$ | OpensDevice | | | $AllocatesReadRegion \dots \underline{96}$ | RaisesExceptionToTask | | | $AllocatesRegion \dots \underline{96}$ | RaisesExceptionToThread | | | $Allocates Write Region \dots \underline{96}$ | ReadsDevice | | | AssignsProcessor | RegistersDeadNameNotification | | | $Assigns Task \dots \underline{106}$ | RegistersNoMoreSendersNotification | | | Assigns Thread | Registers Notification | | | ChangesMemoryObjectAttr <u>99</u> | RegistersPort | | | ChangesPageLocks <u>99</u> | RegistersPortDestroyedNotification | | | Changes Wiring | RemovesDeadName | | | ChangesPortAid <u>95</u> | RemovesDeadNameReference | | | ChangesPortMid <u>95</u> | $RemovesDeadNameRight \dots$ | | | Changes Task Aid <u>109</u> | RemovesName | 91 | | Changes Task Mid <u>109</u> | | 100 | | ClosesDevice | RemovesReceive | | | $ConfirmsKernelMemOp \dots 1119$ | RemovesSend | | | CreatesPortSet | RemovesSendOnce | | | CreatesProcset | RemovesSendReference | 89 | | Creates Task | RemovesSendRight | 89 | | CreatesTaskSecure | RenamesInPortNameSpace | <u>91</u> | | $Deallocates Region \dots \underline{97}$ | | 107 | | $DecreasesEventCounter \dots \underline{116}$ | · | 102 | | $Decrements ThreadMaxPriority \dots 102$ | • | 100 | | DepressesPriority | · | 121 | | DestroysMemory <u>100</u> | · | 120 | | DestroysPortSet <u>91</u> | • | 120 | | DestroysProcset | SendsPagerOutcall | 119 | | ServicesPageFault 99 | Osi_to_mid <u>59</u> | |----------------------------------------------------------------------------------|----------------------------------------------------------| | SetsAuditServer <u>111</u> | page_aid | | SetsAuthenticationServer <u>111</u> | page_mid | | SetsCryptoServer <u>111</u> | <u>p</u> age_sid | | $SetsDefaultManager \dots 113$ | | | SetsDeviceFilter | | | SetsDeviceStatus | port_mid | | $SetsEmulationVector \dots \underline{107}$ | port_sid | | SetsInheritance | $\frac{P}{P} to\_page\_sid \qquad \qquad \underline{60}$ | | SetsMakeSendCount | Ruling_allows | | $SetsNegotiationServer \dots 1111$ | $rac{rat}{security\_server\_client\_port}$ | | SetsNetworkSecurityServer | <del>-</del> | | $SetsProcsetMaxPriority \dots 114$ | <del>-</del> | | SetsProtection | Ssi_to_aid | | SetsQueueLimit | Dst_10_mta <u>56</u> | | SetsReply | сизк <u>а</u> ни | | SetsSecServerClientPort 111 | <u>task_creation_state</u> <u>14</u> | | SetsSecServerMasterPort | task_mid | | SetsSeqNo | $Task\_port\_sid$ | | SetsSpecialPort 112 | 100%_500y_500 | | Sets Task Boot Port | <u></u> | | Sets Task Exception Port | tash_target | | Sets Task Exception 1 or 100 Sets Task Kernel Port 108 | Thread_port_sid | | Sets Task Priority | 1117 ca a = 200 j = 20 a | | | | | | thread_target | | Sets Thread Kernel Port | c subscitting | | Sets Thread Policy | = = = = = = = = = = = = = = = = = = = | | Sets Thread Priority | | | Specifies AV | 2 1 0 2 1 pes. | | SpecifiesSsi | <u> </u> | | Suspends Task | · · · · · · · · · · · · · · · · · | | Suspends Thread 104 | <u> </u> | | Terminates $Task$ 109 | | | Terminates Thread | BB1 <u>00</u> | | Wires Thread | | | Writes Device <u>118</u> | | | DTOS Structures: | G | | <u>audit_server_port</u> | | | $\underline{a}$ uthen tication_server_port | <i>CACHE_DB</i> <u>145</u> | | cache_allows | | | $Cached\_ruling\_allows$ | OSC <u>141</u> | | cached_ruling_avail | 1 0E101 = EE | | $\underline{c}$ rypto $\_server\_port$ | | | Default_port_sid | | | Default_vm_port_sid <u>60</u> | | | kernel_as | $A bort\_th read\_depress$ | | $\underline{k} ernel\_reply\_ports$ | | | $\underline{m} sg\_receiving\_sid$ | Add_name | | $\underline{m}sg\_ruling$ | | | $\underline{m} sg\_sending\_sid$ | | | $\underline{m} sg\_specified\_sid$ | Add_value <u>162</u> | | $\overline{\underline{m}}$ sg_specified_vector | $Allocate\_vm\_region \dots \underline{65}$ | | $\overline{n}$ egotiation_server_port | Alter_pns_info | | $\underline{\underline{n}} etwork\_ss\_port \dots \underline{\underline{75}}$ | | | Osi_to_aid | · · · · · · · · · · · · · · · · · · · | | | | | Assign_processor_to_set | <u>68</u> | | | |------------------------------------------|-------------|------------------------------------------|-----------------| | $Assign\_task$ | <u>69</u> | $Get\_pset\_info$ | | | $Assign\_task\_to\_pset$ | <u>67</u> | $Get\_security\_master\_port$ | <u>67</u> | | $Assign\_thread$ | <u>69</u> | $Get\_security\_client\_port$ | <u>67</u> | | $Assign\_thread\_to\_pset$ | <u>66</u> | $Get\_special\_port$ | 67 | | $Audit\_ids$ | <u>45</u> | $Get\_task\_assignment$ | <u>67</u> | | $Base\_user\_priority \dots \dots \dots$ | 12 | $Get\_task\_boot\_port$ | 67 | | $Cached\_ruling\_allows$ | <u>72</u> | $Get\_task\_exception\_port$ | <u>67</u> | | Can_receive | | $Get\_task\_info$ | | | Can_send | | Get_task_kernel_port | | | $Can\_swtch$ | | $Get\_task\_threads$ | | | $Can\_swtch\_pri$ | | $Get\_thread\_assignment \dots \dots$ | | | Change_page_locks | | | 66 | | $Chg\_pset\_max\_pri$ | | | | | $Chg\_vm\_region\_prot$ | | | 66 | | Change_sid | | Get_thread_state | | | Chg_task_priority | | Get_time | | | Close_device | | Get_vm_region_info | | | Co_carries_memory | | Get_vm_statistics | | | Co_carries_rights | | Halted | | | Control_pager | | Have_execute | _ | | Copy_vm | _ | Have_read | _ | | Create_pset | | $Have\_veite$ | | | Create_task | | | | | | _ | Higher_priority | | | Create_task_secure | <del></del> | Highest_possible_priority | | | Cross_context_create | | Hold_receive | | | Cross_context_inherit | | Hold_send | | | Deallocate_vm_region | | | 64 | | Define_new_scheduling_policy | | Host_control_port_permissions | <u>68</u> | | Depress_pri | | Host_name_port_permissions | <u>67</u> | | Derive_kernel_as | | Inheritance_option_copy | <u>39</u> | | Destroy_object | | Inheritance_option_none | <u>39</u> | | Destroy_pset | | | <u>39</u> | | Device_permissions | | Initiate_secure | | | $Environment\_slot$ | | $In\_line$ | | | $Exception\_ids$ | | Interpose | | | $Extract\_right$ | | | <u>69</u> | | Fixedpri | <u>13</u> | $Invoke\_lock\_request$ | <u>65</u> | | Flush_permission | | Ipc_permissions | | | $Get\_attributes$ | | $Ip\_dead$ | | | $Get\_audit\_port$ | <u>67</u> | $Ip\_null$ | . <u>8</u> | | $Get\_authentication\_port$ | <u>67</u> | $Kernel\_permission$ | 63 | | $Get\_boot\_info$ | <u>68</u> | | <u>70</u> | | Get_crypto_port | <u>67</u> | $Kernel\_service\_reply\_ids$ | <u>45</u> | | $Get\_default\_pset\_name \dots \dots$ | <u>67</u> | $Lookup\_ports$ | 64 | | Get_device_status | <u>70</u> | $Lower\_priority \dots \dots \dots$ | 11 | | Get_emulation | 67 | $Lowest\_possible\_priority \dots \dots$ | 11 | | Get_host_control_port | | Mach_exception_id | 45 | | Get_host_info | | $Mach\_notify\_ids$ | 45 | | Get_host_name | <del></del> | $Mach\_port\_dead$ | 18 | | Get_host_processors | | Mach_port_null | 18 | | $Get\_host\_version$ | | | 24 | | Get_negotiation_port | <del></del> | | $\frac{24}{24}$ | | Get_network_ss_port | | Mach_rcv_large | _ | | Get_processor_assignment | | Mach_rcv_msg | | | | <u> </u> | 111 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 | | | $Mach\_rcv\_notify$ | 11 | $Pc\_device$ | 32 | |------------------------------|----|----------------------------------|----| | Mach_rcv_timeout | | Pc_host_control | | | Mach_send_cancel | | Pc_host_name | | | $Mach\_send\_msg$ | | Pc_memory | | | Mach_send_notify | | Pc_processor | | | Mach_send_timeout | | Pc_ps_control | | | Make_page_precious | | $Pc\_ps\_name$ | | | $Make\_sid$ | | Pc_task | | | Manipulate_port_set | | Pc_thread | | | $Map\_device$ | | Port_permissions | | | $Map\_vm\_region$ | | Port_rename | | | Highest_priority | | Poset | | | $Max\_right\_refs$ | | Priority_levels | | | Max = samples | | Processor_permissions | | | May_control_processor | | Pset_ctrl_port | | | Memory_copy_call | | Pset_names | | | Memory_copy_delay | | Procset_control_port_permissions | | | Memory_copy_none | | Proceet_name_port_permissions | | | Memory_copy_temporary | | Execute | | | Mem_obj_confirmation_ids | | Read | | | Memory_object_permissions | | Write | | | Msg_element | | Provide_data | | | Lowest_priority | | Provide_permission | | | $Mmt\_copy\_send$ | | Raise_exception | | | Mmt_make_send | | Read_device | | | Mmt_make_send_once | | Read_vm_region | | | Mmt_move_receive | | Reboot_host | | | $Mmt\_move\_send$ | | Receive | | | $Mmt\_move\_send\_once$ | | Recognized_sample_types | | | Mach_msg_type_port_receive | | Recognized_transfer_options | 42 | | Mach_msg_type_port_rights | | Reflexive | | | Mach_msg_type_port_send | | Register_notification | | | Mach_msg_type_port_send_once | | Register_ports | | | Msg_deallocate | | Remove_name | | | Msg_dont_deallocate | | Remove_page | | | Msg_error_invalid_memory | | Resume_task | | | Msg_error_invalid_right | | Resume_thread | | | Msg_error_invalid_type | | Revoke_ibac | | | Msg_error_msg_too_small | _ | Ruling_allows | | | Msg_error_notify_in_progress | | Running | | | Msg_error_timed_out | | Sample_periodic | 15 | | Msg_region | | Sample_task | 67 | | Msg_stat_pseudo | | Sample_thread | 66 | | $Msg\_stat\_rcv$ | | Sample_vm_cow_faults | 15 | | $Msg\_stat\_send$ | | SAMPLE_VM_FAULTS | 15 | | $Msg\_value$ | | Sample_vm_faults_any | 15 | | Name_server_slot | _ | Sample_vm_pagein_faults | 15 | | Network_packet_ids | | Sample_vm_reactivation_faults | 15 | | Observe_pns_info | | $Sample\_vm\_zfill\_faults$ | 15 | | Observe_pset_processes | | Save_page | 65 | | Open_device | | Security_server_ids | 45 | | Out_of_line | | Send | | | Pager_permissions | | Send_once | 18 | | Pager_request_ids | | Seq_plus | _ | | $Page\_vm\_region$ | | Service_slot | | | Set_attributes | <u>65</u> | $Values\_disjoint$ | | |---------------------------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| | $Set\_audit\_port$ | <u>67</u> | Values_partition | <u> 160</u> | | Set_authentication_port | <u>67</u> | $V\_data$ | 47 | | Set_crypto_port | <u>67</u> | $V\_data\_in$ | 48 | | Set_ibac_port | 65 | $V\_data\_out$ | 48 | | Set_default_memory_mgr | 68 | $Vm\_end$ | 14 | | Set_device_filter | | $Vm\_permissions \dots \dots$ | <u>65</u> | | Set_device_status | | $Vm\_start$ | 14 | | Set_emulation | 67 | $V\_port$ | 48 | | Set_vm_region_inherit | 65 | $Wait\_evc$ | <u>66</u> | | Set_max_thread_priority | | Waiting | | | Set_negotiation_port | | Wire_thread | <u>68</u> | | Set_network_ss_port | | | <u>66</u> | | Set_ras | | $Wire\_vm$ | 68 | | Set_reply | | Wire_vm_for_task | <u>65</u> | | Set_security_master_port | | $Wrap\_value$ | | | Set_security_client_port | | $Write\_device$ | | | Set_special_port | | $Write\_vm\_region$ | 65 | | Set_task_boot_port | | W | | | Set_task_exception_port | | M | | | Set_task_kernel_port | | Mach Structures: | ~ 4 | | Set_thread_exception_port | | <u>a</u> ctive_thread | _ | | Set_thread_kernel_port | | $\frac{a}{l}$ located | | | Set_thread_policy | | backing_chain | | | Set_thread_priority | | backing_memory | | | Set_thread_state | | backing_offset | | | Set_time | | $\underline{b}acking\_rel$ | | | Specify | | containing_port | | | State_info_avail | | containing_set | | | Stopped | | control_memory | | | Supply_ibac | | controlled_proc_set | | | $Suspend\_task$ | | <u>c</u> opy_strategy | | | Suspend_thread | | <u>cpu_time</u> | | | Switch_thread | | $egin{aligned} dead\_namep & \dots $ | | | Task_port_register_max | _ | dead_right_rel | | | Task_task_permissions | | <u>a</u> eaa_rignt_ret<br><u>d</u> efault_mem_manager | | | Tcs_task_empty | | $\underline{a}$ epaction in the mean $\underline{a}$ epressed_threads | | | Tcs_task_ready | | priority_before_depression | | | Tcs_thread_created | | $\underline{\underline{b}}$ rowing_before_depression $\underline{\underline{d}}$ evice_exists $\underline{\underline{d}}$ | | | Tcs_thread_state_set | | <del></del> | | | Terminate_task | | $\underline{d}$ evice_filter_info | | | Terminate_thread | 66 | $\frac{d}{d}evice\_in$ | | | Thread_permissions | | | <u>55</u> | | Timeshare | | | 30 | | Transfer_ool | | | 30 | | Transfer_receive | | <del>_</del> | 56 | | Transfer_rights | | <del>_</del> | 36 | | Transfer_send | | $\underline{\underline{u}}_{ireg\_ite}$ | 14 | | Transfer_send_once | 64 | $enabled\_sp$ | 53 | | Transition_sid | | $\frac{e}{nuoieu}$ $\frac{e}$ | <u>55</u> | | Transitive | _ | f orcibly_queued | <u>20</u> | | Transit_memory | | <del>-</del> | <u>53</u> | | Transit_right | | have_assigned_tasks | 53<br>53 | | Uninterruptible | | | <u>29</u> | | Valid_transitions | | | | | vanu_transmons | <u> 19</u> | $\underline{h} ost\_name\_port \dots \dots \dots \dots$ | <u> 23</u> | | $\underline{h} ost\_time \dots \dots \dots \underline{54}$ | port_pointer | . 8 | |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------|------------| | <u>i</u> dle_threads | port_right_rel | | | inheritance | port_right_namep | | | $\overline{i}$ nitialized | port_right_seq | | | $\overline{i}$ instruction_pointer | port_set | | | $\frac{1}{k ernel} \dots \frac{9}{9}$ | port_set_namep | | | | port_set_rel | | | $\underline{mach\_protection}$ | port_size | | | $\underline{\underline{m}}$ ake_send_count | precious | | | $\overline{m}$ anaged $\overline{34}$ | <del>-</del> | | | $\overline{m}$ an ager | proc_assigned_procset | | | $\overline{m}$ $ap\_rel$ $\overline{37}$ | <u>proc_exists</u> | | | mapped | $\underline{p}$ rocessor_port_rel | | | $\underline{\underline{m}} apped\_devices \dots \underline{\underline{55}}$ | processors | | | $\frac{1}{mapped\_memory}$ | proc_self | | | mapped_offset | $\underline{p} rocset\_exists$ | . <u>8</u> | | $\underline{m}$ $\underline{aster\_device\_port}$ | procset_name_port | <u>30</u> | | | procset_self | <u>30</u> | | $\underline{\underline{m}}$ $\underline{ax\_protection}$ | $ps\_control\_port\_rel$ | <u>30</u> | | $\underline{\underline{m}}$ $\underline{ay}$ $\underline{cache}$ | | 53 | | $\underline{\underline{m}} \underline{q} \underline{g} \underline{e} \underline{u} \underline{u} \underline{e} \underline{u} \underline{e} \underline{u} \underline{e} \underline{u} \underline{u} \underline{e} \underline{u} \underline{u} \underline{u} \underline{u} \underline{u} \underline{u} \underline{u} u$ | ps_name_port_rel | | | control_port | <i>q_limit</i> | | | <u>control_port_rel</u> | | | | name_port | receiver | | | n ame_port_rel | receiver_name | <u>19</u> | | memory_exists | registered_rights | | | <u>m</u> essage_exists | | | | $\underline{\underline{m}}_{essage\_in\_port\_rel} \dots \underline{\underline{5}}$ | <u>r</u> eply_port_rel | | | $message = mepore = rec$ $mesog_contents$ | reply_port_right | 51 | | $msg\_operation$ | represented | | | named_port | represented_memory | <u>36</u> | | named_proc_set | represented_offset | <u>36</u> | | $number\_of\_rights$ | representing_page | | | object_memory | <u>r</u> epresents_rel | 36 | | object_port | represents_memory | <u>36</u> | | $\underline{o}$ bject_port_rel | r_right | 20 | | threads | $\underline{r}un\_state$ | 10 | | owning_task 9 | $\underline{s}$ ampled_tasks | <u>16</u> | | page_exists | | | | <del>-</del> | self_task | | | $\underline{m} e mory fault \dots \underline{35}$ | self_thread | | | <u>p</u> age_lock_rel | sender | 19 | | page_locks | sequence_no | 24 | | $\underline{p}$ age_word_rel $\underline{35}$ | shadow_memories | <u>39</u> | | page_word_fun | <u>s</u> leep_time | <u>17</u> | | $\underline{p}$ ending $\underline{receives}$ | so_right | <u>20</u> | | port_class | s_right | <u>20</u> | | port_device | s_right_ref_count | <u>19</u> | | port_exists | s_r_right | 20 | | | supplying_device | <u>55</u> | | $port\_notify\_dead\_rel$ | $\underline{supported\_sp}$ | 13 | | <del>_</del> | $\underline{s}$ wapped_threads | 10 | | port_notify_destroyed 25 port_notify_destroyed_rel 25 | <u>system_time</u> | <u>16</u> | | <del>_</del> | task_assigned_to | | | port_notify_no_more_senders 25 | task_assignment_rel | | | $port\_notify\_no\_more\_senders\_rel \dots 25$ | $task\_bport$ | 21 | | $\underline{t} ask\_bport\_rel \dots \dots \dots$ | | EVENT_COUNTER | <u>55</u> | |--------------------------------------------------------|------------|------------------------------|-----------| | $task\_eport$ | 27 | FILTER_PRIORITY | <u>56</u> | | $\underline{t}$ ask_eport_rel | <u>27</u> | HOST | 8 | | $\underline{t}$ $ask\_exists$ | . <u>8</u> | INHERITANCE_OPTION | 39 | | $\underline{t}$ ask_priority | <u>13</u> | INTERNAL_BODY | 48 | | $\underline{t}$ ask_received_msgs | <u>51</u> | Internal_element | 48 | | $\underline{t}$ as $k$ = samples | 16 | $MACH\_MSG\_OPTION$ | 41 | | <u>t</u> ask_sample_sequence_number | 16 | $MACH\_MSG\_TYPE$ | | | $\underline{t}$ as $k$ _s ample_ $types$ | <u>16</u> | $MEMORY\_COPY\_STRATEGY$ | | | task_self | 27 | MEMORY | | | $\underline{t}$ as $k$ _self_rel | 26 | MESSAGE | | | task_sself | 27 | MESSAGE_BODY | | | <u>t</u> ask_sself_rel | 26 | MSG_DATA | | | $\underline{t}$ ask_suspend_count | | MSG_ERROR | | | $\underline{t}$ $ask\_th$ $read\_rel$ | | MSG_STATUS | | | <u>t</u> emporary_rel | | MSG_VALUE | | | $the\_processor$ | | | | | $th\ read\_assigned\_to$ | | NAME | | | thread_assignment_rel | | OFFSETOLSD | | | thread_eport | | | | | $\underline{t}$ hread_eport_rel | | OPERATION | | | $\underline{t}hread\_exists$ | | WORD | | | $thread\_max\_priority$ | | PAGE_INDEX | | | $\frac{1}{t}$ hread_priority | | PAGE_OFFSET | | | $\underline{t}$ hread_samples | | PAGE | | | $thread\_sample\_sequence\_number \dots \dots$ | | SCHED_POLICY_DATA | | | $\underline{t}$ hread_sample_types | | PORT_CLASS | | | $thread\_sched\_policy$ | | PORT | | | $\underline{t}hread\_sched\_policy\_data$ | | PROCESSOR | | | $\frac{t}{t}$ thread_sched_priority | | PROCESSOR_SET | | | thread_self | | PROTECTION | | | $thread\_self\_rel$ | | RIGHT | | | thread_sself | | $RUN\_STATES$ | <u>10</u> | | $\underline{t}hread\_sself\_rel$ | | SAMPLE | <u>15</u> | | $thread\_state$ | | $SAMPLE\_TYPES$ | <u>15</u> | | $\underline{t}hread\_suspend\_count \dots \dots \dots$ | | SCHED_POLICY | <u>13</u> | | threads_wired | | SUPP_MACHINE_ARCH | 17 | | $\frac{t}{t}$ | _ | TASK | . 8 | | $total\_naked\_srights$ | | THREAD | . 8 | | total_name_space_srights | | THREAD_STATE_INFO | 17 | | total_srights | | $THREAD\_STATE\_INFO\_TYPES$ | | | $user\_time$ | | V_DATA_LOCATION | | | wire_count | | VIRTUAL_ADDRESS | | | wired | | | | | d efault | | 0 | | | protection | | OscClassPermissions | 145 | | Mach Types: | <u> </u> | OscPartitions | 145 | | BASE_MSG_ELEMENT | 47 | | | | COMPLEX_OPTION_BOOLEAN | | P | | | COMPLEX_OPTION | | | 146 | | DEVICE_FILTER_INFO | | <b>,</b> | | | DEVICE_FILTER | | R | | | DEVICE_RECORD | | RecognizedContexts 142, 145, | 146 | | DEVICE | | RecognizedOscs | | | DEVICE STATUS | | | 142 | | S | PageSid | . <u>61</u> | |---------------------------------------------------------|--------------------------------------------------|-----------------------| | Schemas: | ParentTask | . 74 | | AddressSpace | $PendingReceive \dots \dots \dots \dots$ | . 50 | | $Base Transition \dots 79$ | PolicyAllows | | | Cacheable | PortClasses | | | Capability | PortExist | | | DeadRights | PortNameSpace | _ | | $DeviceData \dots \underline{56}$ | PortSets | | | DeviceExist | PortSid | | | DeviceFilterInfo | PortSummary | | | $DeviceOpenCount \dots \underline{54}$ | Process | | | Devices | ProcessorExist | | | DevicesAndPorts | ProcessorsAndPorts | _ | | $DeviceStatus \dots \underline{56}$ | ProcessorAndProcessorSet | | | Dtos | ProcessorSetExist | | | DtosAdditions | Protection | | | DtosExec | Recognized Contexts | | | DtosMessages | RecognizedOscs | | | Emulation Vector 14 | RecognizedSids | | | Events | RecognizedSscs | | | Exist | Registered Rights | | | GenericSecurityServer <u>146</u> | ReplyPorts | | | Hosts And Ports | Request | | | HostsAndProcessors | Ruling | | | Host Time | SendRightsCount | | | Inheritance | ServerPorts | | | $Initiates Operation \dots \underline{\underline{121}}$ | ShadowMemories | | | Internal Message | Sid To Context | | | Kernel | Special Purpose Ports | | | $KernelAs$ $\underline{\underline{62}}$ | $SpecialTaskPorts \dots \dots \dots \dots \dots$ | | | $KernelCache \dots \overline{72}$ | $Special Thread Ports \dots \dots \dots$ | | | KernelPortSid | SubjectSid | | | KernelReplyPorts | TargetSids | | | Lock | TaskAndProcessorSet | | | $Mach \dots \overline{57}$ | $TaskCreationState \dots \dots \dots$ | | | $MachInternalHeader \dots $ $\overline{44}$ | TaskExist | | | MachMsgHeader | $TaskPriority \dots \dots \dots \dots$ | | | MachProtection | TaskSampling | | | $MappedDevices \dots \underline{55}$ | TasksAndPorts | . 19 | | $Master Device Port \dots \overline{31}$ | TasksAndRights | $. \ \ \overline{21}$ | | $MemoriesAndPorts \dots 29$ | TasksAndThreads | | | Memory | TaskSuspendCount | . <u>11</u> | | MemoryExist | ThreadAndProcessorSet | . 54 | | $MemorySystem \dots \underline{41}$ | ThreadExecStatus | . 11 | | Message | ThreadExist | 8 | | MessageExist | $ThreadInstruction \dots \dots \dots$ | . 14 | | $MessageQueues \dots 25$ | ThreadMachineState | . <u>17</u> | | Messages | $ThreadPri \dots \dots \dots \dots$ | . <u>13</u> | | <i>Operations</i> | Threads | . <u>18</u> | | Notifications | $ThreadSampling \dots \dots$ | . <u>16</u> | | ObjectSid | ThreadsAndProcessors | . <u>54</u> | | Osc Class Permissions | ThreadSchedPolicy | . <u>14</u> | | OscPartitions | ThreadStatistics | | | PageAndMemory <u>37</u> | Total Send Rights | . <u>33</u> | | PageExist | Transition | . <u>80</u> | | $UserReferenceCount \dots \dots \dots$ | 20 | osc_class_permissions | 144 | |----------------------------------------------------------------------------|-------------|----------------------------------------------------|-----| | $ValidatedRequests \dots \dots \dots \dots$ | . <u>78</u> | pager_oscs | 143 | | $ValidityDuration \dots \dots$ | 145 | $policy\_allows$ | 144 | | Wired | . <u>40</u> | $policy\_database$ | | | Cacheable | 146 | processor_oscs | | | OscClassPermissions | 145 | procset_control_oscs | | | OscPartitions | 145 | <del>_</del> | | | PolicyAllows | 146 | <u>procset_name_oscs</u> | | | RecognizedContexts 142, 145, | , 146 | $recognized\_osc\_classes$ | | | RecognizedOscs | 143 | $\underline{r}$ ecognized_oscs | | | RecognizedSids | 142 | recognized_osis | | | SidToContext | 146 | <u>r</u> ecognized_sscs<br><u>r</u> ecognized_ssis | | | ValidityDuration | 146 | sid_osc | | | SidToContext | 146 | sid_ssc | | | SS Structures: | | $target\_osc$ | | | $\underline{c}$ a cheability $\underline{d}$ at a base $\dots \dots \dots$ | <u>145</u> | $\underline{t}$ $ask\_oscs$ | | | $\underline{c}$ a cheable | <u>145</u> | $\underline{t}$ $ask\_self\_osc$ | | | $\underline{c}ommunication\_oscs$ | 143 | $\frac{-}{thread\_oscs}$ | | | $\underline{d}efault\_pager\_oscs$ | 143 | $thread\_self\_osc$ | 142 | | $\underline{d}evice\_oscs$ | <u>143</u> | $\frac{\overline{v}}{v}$ alidity_duration | 145 | | $\underline{h}$ $ost\_control\_oscs$ | 143 | | | | $\underline{h} ost\_name\_oscs \dots \dots \dots \dots$ | | V | | | kernel renly occe | 143 | ValidityDuration | 146 |