{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:49:23Z","timestamp":1750308563269,"version":"3.41.0"},"reference-count":53,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2016,1,20]],"date-time":"2016-01-20T00:00:00Z","timestamp":1453248000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGOPS Oper. Syst. Rev."],"published-print":{"date-parts":[[2016,1,20]]},"abstract":"<jats:p>Despite a number of radical changes in how computer systems are used, the design principles behind the very core of the systems stack--an operating system kernel--have remained unchanged for decades. We run monolithic kernels developed with a combination of an unsafe programming language, global sharing of data structures, opaque interfaces, and no explicit knowledge of kernel protocols. Today, the monolithic architecture of a kernel is the main factor undermining its security, and even worse, limiting its evolution towards a safer, more secure environment. Lack of isolation across kernel subsystems allows attackers to take control over the entire machine with a single kernel vulnerability. Furthermore, complex, semantically rich monolithic code with globally shared data structures and no explicit interfaces is not amenable to formal analysis and verification tools. Even after decades of work to make monolithic kernels more secure, over a hundred serious kernel vulnerabilities are still reported every year.<\/jats:p>\n          <jats:p>Modern kernels need decomposition as a practical means of confining the effects of individual attacks. Historically, decomposed kernels were prohibitively slow. 
Today, the complexity of a modern kernel prevents a trivial decomposition effort. We argue, however, that despite all odds modern kernels can be decomposed. Careful choice of communication abstractions and execution model, a general approach to decomposition, a path for incremental adoption, and automation through proper language tools can address complexity of decomposition and performance overheads of decomposed kernels. Our work on lightweight capability domains (LCDs) develops principles, mechanisms, and tools that enable incremental, practical decomposition of a modern operating system kernel.<\/jats:p>","DOI":"10.1145\/2883591.2883601","type":"journal-article","created":{"date-parts":[[2016,1,26]],"date-time":"2016-01-26T13:25:01Z","timestamp":1453814701000},"page":"44-50","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":8,"title":["Lightweight Capability Domains"],"prefix":"10.1145","volume":"49","author":[{"given":"Charles","family":"Jacobsen","sequence":"first","affiliation":[{"name":"University of Utah, Salt Lake City, UT"}]},{"given":"Muktesh","family":"Khole","sequence":"additional","affiliation":[{"name":"Microsoft Corporation, Redmond, WA"}]},{"given":"Sarah","family":"Spall","sequence":"additional","affiliation":[{"name":"University of Utah, Salt Lake City, UT"}]},{"given":"Scotty","family":"Bauer","sequence":"additional","affiliation":[{"name":"University of Utah, Salt Lake City, UT"}]},{"given":"Anton","family":"Burtsev","sequence":"additional","affiliation":[{"name":"University of Utah, Salt Lake City, UT"}]}],"member":"320","published-online":{"date-parts":[[2016,1,20]]},"reference":[{"doi-asserted-by":"publisher","key":"e_1_2_1_1_1","DOI":"10.1145\/1102120.1102165"},{"doi-asserted-by":"publisher","key":"e_1_2_1_2_1","DOI":"10.5555\/829514.830533"},{"volume-title":"OSDI","year":"2014","author":"Belay 
A.","key":"e_1_2_1_3_1"},{"key":"e_1_2_1_4_1","doi-asserted-by":"crossref","DOI":"10.1145\/2349896.2349909","volume-title":"Correct, fast, maintainable: choose any three! In APSys, page 13","author":"Blackham B.","year":"2012"},{"key":"e_1_2_1_5_1","first-page":"95","volume-title":"Proceedings of the USENIX Workshop on Micro-Kernels and Other Kernel Architectures","author":"Frantz A.C.","year":"1992"},{"key":"e_1_2_1_6_1","first-page":"9","volume-title":"USENIX ATC","author":"Boyd-Wickizer S.","year":"2010"},{"volume-title":"Bromium micro-virtualization","year":"2010","key":"e_1_2_1_7_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_8_1","DOI":"10.1145\/2103799.2103805"},{"doi-asserted-by":"publisher","key":"e_1_2_1_9_1","DOI":"10.1109\/THS.2013.6699066"},{"unstructured":"Coverity Inc. Coverity SAVE 2012. http:\/\/www.coverity.com\/products\/coverity-save.html.","key":"e_1_2_1_10_1"},{"volume-title":"StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In USENIX Security Symposium","year":"1998","author":"Cowan C.","key":"e_1_2_1_11_1"},{"unstructured":"CVE Details. Vulnerabilities in the Linux kernel by year. http:\/\/www.cvedetails.com\/product\/47\/Linux-Linux-Kernel.html?vendor_id=33.","key":"e_1_2_1_12_1"},{"volume-title":"Vulnerabilities in the Linux kernel","year":"2014","author":"Details CVE","key":"e_1_2_1_13_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_14_1","DOI":"10.1109\/INFOCOM.2008.36"},{"unstructured":"P. Derrin D. Elkaduwe and K. Elphinstone. seL4 reference manual. Technical report ERTOS NICTA. http:\/\/www.ertos.nicta.com\/research\/sel4\/sel4-refman.pdf.","key":"e_1_2_1_15_1"},
{"doi-asserted-by":"publisher","key":"e_1_2_1_17_1","DOI":"10.1145\/2517349.2522720"},{"doi-asserted-by":"publisher","key":"e_1_2_1_18_1","DOI":"10.5555\/1251229.1251230"},{"key":"e_1_2_1_19_1","first-page":"75","volume-title":"OSDI","author":"Erlingsson U.","year":"2006"},{"volume-title":"Techn","year":"2007","author":"Helmuth N.","key":"e_1_2_1_20_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_21_1","DOI":"10.1145\/268998.266642"},{"doi-asserted-by":"publisher","key":"e_1_2_1_22_1","DOI":"10.1145\/945445.945464"},{"doi-asserted-by":"publisher","key":"e_1_2_1_23_1","DOI":"10.1145\/566726.566751"},{"doi-asserted-by":"publisher","key":"e_1_2_1_24_1","DOI":"10.1145\/1345206.1345215"},{"doi-asserted-by":"publisher","key":"e_1_2_1_25_1","DOI":"10.1145\/2103799.2103803"},{"doi-asserted-by":"publisher","key":"e_1_2_1_26_1","DOI":"10.1145\/2076021.2048134"},{"doi-asserted-by":"publisher","key":"e_1_2_1_27_1","DOI":"10.1145\/1133373.1133376"},{"volume-title":"OSDI","year":"2014","author":"Hawblitzel C.","key":"e_1_2_1_28_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_29_1","DOI":"10.1145\/1278901.1278904"},{"doi-asserted-by":"publisher","key":"e_1_2_1_30_1","DOI":"10.1145\/1151374.1151391"},{"doi-asserted-by":"publisher","key":"e_1_2_1_31_1","DOI":"10.1145\/1133572.1133615"},{"doi-asserted-by":"publisher","key":"e_1_2_1_32_1","DOI":"10.1145\/1030083.1030124"},{"unstructured":"INTEGRITY Real-Time Operating System. http:\/\/www.ghs.com\/products\/rtos\/integrity.html.","key":"e_1_2_1_33_1"},
{"doi-asserted-by":"publisher","key":"e_1_2_1_34_1","DOI":"10.1145\/1629575.1629596"},{"key":"e_1_2_1_35_1","first-page":"1","volume-title":"USENIX ATC","author":"Krohn M.","year":"2007"},{"volume-title":"WIOV","year":"2011","author":"Landau A.","key":"e_1_2_1_36_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_37_1","DOI":"10.1007\/s10766-009-0109-6"},{"key":"e_1_2_1_38_1","first-page":"429","volume-title":"NSDI","author":"Lim H.","year":"2014"},{"unstructured":"LynuxWorks. Desktop virtualization and secure client virtualization based on military-grade technology.","key":"e_1_2_1_39_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_40_1","DOI":"10.1145\/2618128.2618129"},{"doi-asserted-by":"publisher","key":"e_1_2_1_41_1","DOI":"10.1109\/PACT.2009.22"},{"doi-asserted-by":"publisher","key":"e_1_2_1_42_1","DOI":"10.1109\/EC2ND.2010.16"},{"volume-title":"Virtualised USB fuzzing for vulnerabilities","year":"2010","author":"Mueller T.","key":"e_1_2_1_43_1"},{"volume-title":"OSDI","year":"2014","author":"Peter S.","key":"e_1_2_1_44_1"},{"unstructured":"Bypassing StackGuard and StackShield. Phrack Magazine. Volume 0xa. Issue 0x38.","key":"e_1_2_1_45_1"},
{"doi-asserted-by":"publisher","key":"e_1_2_1_46_1","DOI":"10.1145\/2133375.2133377"},{"volume-title":"Invisible Things Lab Tech Rep","year":"2010","author":"Wojtczuk J.","key":"e_1_2_1_47_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_48_1","DOI":"10.1145\/1294261.1294294"},{"doi-asserted-by":"publisher","key":"e_1_2_1_49_1","DOI":"10.1145\/1315245.1315313"},{"key":"e_1_2_1_50_1","first-page":"1","volume-title":"OSDI","author":"Soares L.","year":"2010"},{"volume-title":"The E language in a walnut","year":"2000","author":"Stiegler M.","key":"e_1_2_1_51_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_52_1","DOI":"10.1145\/1133373.1133393"},{"unstructured":"XenClient. http:\/\/www.citrix.com\/products\/xenclient\/ how-it-works.html.","key":"e_1_2_1_53_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_54_1","DOI":"10.1145\/1809028.1806610"}],"container-title":["ACM SIGOPS Operating Systems Review"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2883591.2883601","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2883591.2883601","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T19:04:11Z","timestamp":1750273451000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2883591.2883601"}},"subtitle":["Towards Decomposing the Linux 
Kernel"],"short-title":[],"issued":{"date-parts":[[2016,1,20]]},"references-count":53,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2016,1,20]]}},"alternative-id":["10.1145\/2883591.2883601"],"URL":"https:\/\/doi.org\/10.1145\/2883591.2883601","relation":{},"ISSN":["0163-5980"],"issn-type":[{"type":"print","value":"0163-5980"}],"subject":[],"published":{"date-parts":[[2016,1,20]]},"assertion":[{"value":"2016-01-20","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}