Effects on Isolation and Throughput

 Streamline can offer data isolation on par with Unix. Even though security perimeters protect entire buffers instead of individual blocks, it can enforce protection of arbitrarily small data sets by creating a buffer for each unique access control group and user. Pathological behavior, whereby each block has a different user, reverts to per-block allocation because each block will have a private buffer. Compared to raw blocks, the shared buffers in Streamline are heavyweight structures and thus more costly to allocate. Therefore a coarse-grain policy is only practical in situations with few security groups. We have seen that this is the common case.

Stream sanitization is needed to offer the combination of data separation and functionality of POSIX operating systems. As a result of using shared buffers, Streamline can directly map buffers containing, e.g., raw network traffic packets into processes belonging to unprivileged users. Operating systems normally copy data between kernel and userspace in small blocks to maintain isolation between spaces. Strict export policies can trigger this (functionally superfluous) copy in Streamline by enforcing safe templates that embed "copy" filters in the pipeline. If sharing is deemed safe, instead, the copy is avoided. Application developers do not have to be aware of these policy details.
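The two mechanisms above, a shared buffer per (access-control group, user) pair and a sanitizing export policy that inserts a copy filter only when a consumer may not share the buffer directly, can be modelled in a few dozen lines. The following is an added illustration written for this page, not Streamline's own code; the `BufferPool`, `Principal`, `sanitize` names, the `(filter, space)` template layout and the sample principals and packets are all constructed for the example.

```python
"""Constructed model of Streamline-style buffer isolation and stream sanitization.

Not Streamline code: names, template layout and sample data are assumptions
made for this illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """A consumer process: its user and the access-control groups it is in."""
    user: str
    groups: frozenset


@dataclass
class SharedBuffer:
    """One heavyweight shared buffer; all blocks in it share one security perimeter."""
    group: str                  # access-control group that owns the data
    owner: str                  # user the data belongs to
    blocks: list = field(default_factory=list)


class BufferPool:
    """Allocates one shared buffer per unique (group, user) pair.

    With few security groups this stays coarse-grained; in the pathological
    case where every block has a different user it degenerates to one buffer
    per block, exactly as the text describes.
    """
    def __init__(self):
        self.buffers = {}

    def get(self, group: str, user: str) -> SharedBuffer:
        key = (group, user)
        if key not in self.buffers:
            self.buffers[key] = SharedBuffer(group=group, owner=user)
        return self.buffers[key]

    def append(self, group: str, user: str, block: bytes) -> SharedBuffer:
        buf = self.get(group, user)
        buf.blocks.append(block)
        return buf


def may_share(buf: SharedBuffer, consumer: Principal) -> bool:
    """Export policy: a buffer may be mapped directly into a process if the
    process runs as the data owner or belongs to the buffer's group."""
    return consumer.user == buf.owner or buf.group in consumer.groups


# A pipeline template: (filter name, address space it runs in). Constructed.
TEMPLATE = [("rx", "kernel"), ("bpf", "kernel"), ("deliver", "user")]


def sanitize(template, buf: SharedBuffer, consumer: Principal):
    """Return a safe template for `consumer`.

    If sharing is safe the template is returned unchanged and the buffer is
    mapped directly (zero copy). Otherwise a "copy" filter is inserted at the
    first kernel->user boundary, which is the functionally superfluous but
    isolating copy that conventional operating systems always perform.
    """
    pipeline = list(template)
    if may_share(buf, consumer):
        return pipeline
    for i, (_, space) in enumerate(pipeline):
        if space == "user":
            pipeline.insert(i, ("copy", "kernel"))
            break
    return pipeline


if __name__ == "__main__":
    pool = BufferPool()
    for i in range(3):                       # constructed raw packets
        pool.append("netadmin", "alice", b"pkt%d" % i)
    buf = pool.get("netadmin", "alice")
    print("buffers allocated:", len(pool.buffers))           # 1
    bob = Principal("bob", frozenset({"users"}))
    carol = Principal("carol", frozenset({"netadmin"}))
    print("bob  :", [f for f, _ in sanitize(TEMPLATE, buf, bob)])    # copy inserted
    print("carol:", [f for f, _ in sanitize(TEMPLATE, buf, carol)])  # zero copy
```

The check in `may_share` is the whole of the policy; the application template never mentions copying, so developers stay unaware of whether their consumer ended up sharing the kernel buffer or receiving a private copy.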


willem 2010-02-03