Secure computing systems require the implementation of protection domains and a safe way of transferring control across such domains. Isolating the contexts (activation stacks) of the caller and the callee, to avoid unintended information flow, is a fundamental requirement for implementing cross-domain transfers. We present and evaluate two approaches for implementing contexts for cross-domain calls in a conventional pipelined architecture retrofitted with a simple capability mechanism. The first and the more traditional approach is to use separate context segments for the caller and the callee. The second is to use a unified context segment supported by some modest hardware for avoiding unintended information flow. Simulation results indicate that the unified context solution performs markedly better than the separate context solution. Also, the overall overhead of the protected call mechanism using the unified context is about 10-30%, a price that may be worth paying for the resulting security.