"We describe a high-assurance framework for networked clients and servers. Called Roundhouse, it consists of the following elements: (1) Pinkerton, a comprehensive model for the implementation of distributed protection domains that provide for robust protection in a networked environment; (2) Iron Horse, the functional and security design of a kernelized host providing essential ring-based protection, packet authentication, and cryptography services for higher layers; and (3) DEPOT, the specification, design, and prototype implementation on a PC base of the framework and initial content of dynamically modifiable servers. The intent is that DEPOT clients and servers would take advantage of platform protected modes where available (e.g., Windows NT, Iron Horse), leading to client-server computing in a network of heterogeneously trusted hosts. As a general facility for installing and managing application 'hooks', DEPOT incorporates the following key new ideas: (1) the division of sets of hooks by module, (2) the partial ordering of modules, (3) the binding of hooks to network names, and (4) the provision of a run-time model of module behavior with a visible state machine model that abstracts and externalizes the dynamic behavior of that module. The architecture is unique in that it composes strong and weak systems securely and permits the dynamic retooling of executing software."
Naval Postgraduate School Computer Science Report No. NPS-CS-98-002
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/