Published on Apr 19, 2009
Process Isolation for NetBSD and OpenBSD, Kristaps Dzonsons
In NetBSD and OpenBSD, user-land process and process-context isolation is limited to credential cross-checks, file-system chroot and explicit systrace/kauth applications. I'll demonstrate a working mechanism of isolated process trees in branched OpenBSD-4.4 and NetBSD-5.0-beta kernels where an isolated process is started by a system call similar to fork; following that, the child process and its descendants execute in a context isolated from the caller. This system is the continued work of "mult" -- first prototyped in a branched NetBSD-3.1 kernel and isolating all system resources -- pared down to a lightweight, auditable patch of process-only separation for both OpenBSD and NetBSD. I specifically address solutions to performance issues and mechanism design with an eye toward more resources being isolated in the future.