Defending Against DoS attacks in Scout Summary: Extends the Scout with fine-grained resource account and protection domains for memory isolation. Main points: * Scout overview: - A module graph describing the flow of data through the system is defined at system build time. - Paths through the module graph are instantiated at runtime for each I/O connection. - Path selection for incoming packets is achieved by invoking a DEMUX function on a sequence of modules. * Escort extends Scout by: 1) adding fine-grained resource accounting; 2) separating the notions of protection domain and resource domain. Comments: * Resource accounting here is done in terms of OS abstractions: threads, stacks, semaphores, IoBuffers, events, pages, and processor cycles. This seems like a complex task compared with coarse-grained resource accounting (hunks of memory and hunks of disk). * Demux code in Scout is trusted. * The goal here is to provide service guarantees to connections, not to whole servers. The target here is an Internet appliance providing one service. * It isn't clear how Escort + Scout guards against network saturation attacks. This work does not provide any mechanisms for rapid demultiplexing as in LRP.