Modernizing operating system interfaces to improve application security and performance

Operating system interfaces for access control and stable storage have not changed much in the last twenty years, despite dramatic change from above in the form of new application requirements, and change from below in the form of technological evolution. As a result, some modern applications are constrained, not by the capabilities of the underlying system, but by the interfaces they must use to access it. For these applications, stagnant interfaces have become a major barrier to fully realizing all their design goals. This work develops two new interfaces that improve application performance and security. The first, developed in Asbestos, allows applications to define and enforce the security policies that are needed by modern applications but have been untenable due to poor performance. The other is a new application interface that dramatically improves the disk performance of applications with nonsequential access patterns.;Asbestos is an experimental operating system that provides a new access control interface. The kernel uses labels to coordinate and enforce application-defined security policies. A new event process abstraction provides lightweight, isolated contexts within a single process, allowing an application to protect data at a fine granularity. These new interfaces support a Web server demonstration application that isolates private user data and achieves connection rates similar to Apache even with 145,000 isolated users. Thus, judiciously chosen interfaces can address the change from above typified by modern server security requirements.;The second interface, developed in libprefetch, shows that new interfaces can also address technology-driven change from below. Libprefetch is a user space library that provides a new prefetching interface to applications. Using the information provided with this interface and an analysis of performance characteristics of modern disks, libprefetch can use prefetching to improve the performance of nonsequential access patterns by as much as 20x for a real application. A contention controller built into libprefetch automatically adjusts prefetching memory usage, preserving the benefits of prefetching while sharing memory with other applications.