Access control for the SPIN extensible operating system

Summary form only given. In the SPIN operating system (B.N. Bershad et al., 1995; Przemyslaw Pardyak and B.N. Bershad, 1996) built at the University of Washington, we are experimenting with a version of domain and type enforcement (DTE) (L. Badger et al., 1995) that has been extended to address the security concerns of extensible systems. The SPIN operating system defines an extension infrastructure, together with a core set of extensible services, that allows for the fine grained and safe composition of extensions within the operating system kernel. Extensions are written in Modula-3, a type-safe programming language, and execute within the same address space. They interact by calling other parts of the system and by extending existing interfaces to provide new services. A central event dispatcher supports both mechanisms: to call on a service, an extension raises an event, and, to extend an existing interface, an extension registers a handler for that event. The invocation mechanism for events is simply a procedure call, and no context switches are required for the interaction between subsystems (since all extensions are co-located in the same address space)