The Asbestos Operating System

Asbestos, a new prototype operating system, provides novel labeling and isolation mechanisms that help contain the effects of exploitable software flaws. Applications can express a wide range of policies with Asbestos’s kernel-enforced label mechanism, including controls on inter-process communication and system-wide information flow. A new event process abstraction provides lightweight, isolated contexts within a single process, allowing the same process to act on behalf of multiple users while preventing it from leaking any single user’s data to any other user. A Web server that uses Asbestos labels to isolate user data requires about one and half memory pages per user, demonstrating that additional security can come at an acceptable cost.

• Manageable Fine-Grained Information Flow [ pdf ]
  Petros Efstathopoulos and Eddie Kohler
  Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008, (Eurosys 2008)
  Glasgow, April 2008, pages 301-314.
  

• Labels and Event Processes in the Asbestos Operating System [ pdf ]
  Steve VanDeBogart, Petros Efstathopoulos, Eddie Kohler, Maxwell Krohn, Cliff Frey, David Ziegler, Frans Kaashoek, Robert Morris, and David Mazières
  ACM Transactions on Computer Systems (TOCS Vol. 25, No. 4)
  

• Labels and Event Processes in the Asbestos Operating System
  Petros Efstathopoulos, Maxwell Krohn, Steve VanDeBogart, Cliff Frey, David Ziegler, Eddie Kohler, David Mazières, Frans Kaashoek and Robert Morris
  Proceedings of the 20th Symposium on Operating Systems Principles (SOSP 2005)
  Brighton, United Kingdom, October 2005. [ ps, ps.gz, pdf ]
  Slides [ odp, ppt, pdf (requires a pdf viewer that supports transparent images) ]
  

• Make Least Privilege a Right (Not a Privilege)
  Maxwell Krohn, Petros Efstathopoulos, Cliff Frey, Frans Kaashoek, Eddie Kohler, David Mazières, Robert Morris, Michelle Osborne, Steve VanDeBogart and David Ziegler
  Proceedings of the 10th Workshop on Hot Topics in Operating Systems (HotOS 2005)
  Santa Fe, NM, June 2005. [ ps, ps.gz, pdf ].

You can download the current version of asbestos by anonymous cvs. Use the command

cvs -d :pserver:anonymous@asbestos.cs.ucla.edu:/cvs co jos

Some info on benchmarking OKWS on Asbestos.

• Petros Efstathopoulos
• Cliff Frey
• M. Frans Kaashoek
• Eddie Kohler
• Maxwell Krohn
• David Mazières
• Robert Morris
• Steve VanDeBogart
• David Ziegler

Asbestos development has been supported by DARPA grants MDA972-03-P-0015 and FA8750-04-1-0090, and by joint NSF CyberTrust/DARPA grant CNS-0430425.