Agent Work: Final Exam

Claude Sonnet 4.6 · COMP 421: Advanced Operating Systems

COMP 421 Final Exam

Spring 2024

---

Question 1: Short Definitions

*10 Points*

Give a *one-sentence* definition of each of the following five terms as they apply to the material in this course. For each, please give a general definition that covers the use of the term in the course, rather than only describing the specific example or examples where we have used that term.

(a) capability *(2 points)*

(b) cylinder group *(2 points)*

(c) symbolic link *(2 points)*

(d) message digest *(2 points)*

(e) extent *(2 points)*

---

Question 2: LoadProgram and Yalnix Demand Paging

*25 Points*

In the Yalnix kernel in Lab 2, the LoadProgram function read into memory from disk (from the program file that is being loaded) the *entire* text and data for that program. However, as noted in the demand paging lectures, in an operating system that supports demand paging, it is common, after loading a new program in some process, to instead begin execution of that process with having read *none* of its text or data into memory yet.

Then, as the process executes, if it attempts to access a page of its text or data that has not yet been read into memory, then this causes a page fault, and the operating system only then reads that *single* new page into memory for the process. As the process executes and accesses other pages of its text and/or data, further page faults cause these other pages of the program's text or data to be read into memory, one at a time, only as needed; and ultimately, any text or data page that is never accessed by the process during its execution is never read into memory.

Show, using pseudo-code similar to that used in the book or in the lectures, an implementation for how this demand paging behavior could be added *as a part of a Yalnix kernel running on the RCS 421 hardware of Lab 2*. You do not need to describe any parts of the Yalnix kernel implementation other than where you need to modify the Lab 2 Yalnix kernel behavior (as defined for Lab 2) to support this new behavior. Be sure to clearly show how you modify any existing data structures as well as the definition of any new data structures that you introduce. Be sure to clearly show how you initialize things to cause these page faults to occur, how the kernel recognizes them when they do occur, and how the kernel handles them when they do occur.

In your answer, also be sure to clearly show all addresses used in your implementation, clearly indicating which addresses are treated as virtual addresses and which addresses are treated as physical addresses. Likewise, be sure to clearly show all page numbers used in your implementation, clearly indicating which page numbers are virtual page numbers and which page numbers are physical page numbers.

---

Question 3: Page Replacement Algorithms

*15 Points*

Assume that a program with the following page reference string executes on a computer with 4 pages of physical memory:

3,  5,  0,  1,  0,  2,  1,  0,  3,  2,  4,  2,  0,  5

Assume, when using each of the page replacement algorithms below, that physical memory is initially empty when this program begins execution.

For each of the three page replacement algorithms below (individually), clearly state the (1) total number of page faults that will occur during the execution of this program, and (2) for each page fault, *state which virtual page caused that page fault*. In other words, in considering each algorithm below, the four-page physical memory starts initially as empty; consider the execution of this program using that algorithm starting from that initial state:

3.1 Optimal replacement (5 points)

Using the above page reference string, with physical memory starting out empty.

3.2 FIFO replacement (5 points)

Using the above page reference string, with physical memory starting out empty.

3.3 LRU replacement (5 points)

Using the above page reference string, with physical memory starting out empty.

---

Question 4: Unix File System Extension

*25 Points*

In the *"classical" Unix file system format*, each file can have a variable number of data bytes stored "in" the file by storing those data bytes in one or more data blocks "hanging off of" the file's inode (either in direct blocks listed in the file's inode or in blocks pointed to through the single indirect, double indirect, or triple indirect block number in the file's inode).

A program can open this collection of data bytes and perform operations such as reading from and writing to those data bytes of the file. There may be any number of bytes in this collection of data bytes, up to some maximum file size supported by the file system's format.

Suppose you wanted to extend this file system design to also support a *second independent* collection of data bytes associated with a file, for any files in the file system. Such a second collection of data bytes associated with a file could be used, for example, to store a backup copy of the file's contents from some earlier time (do not be concerned here with the exact purpose for supporting this second independent collection of data bytes associated with a file).

Suppose further that in some way (not important for this question), a program that opens a file can specify not only the file's pathname *but also can indicate whether it wants to open the "main" collection of data of data bytes associated with that file* (the data that is represented by the unmodified classical Unix file system format) *or instead open this "alternate" collection of data bytes associated with the file* (the new, independent collection of data bytes associated with that file that will be supported by this extension to the file system).

Once open, the program can access that collection of data bytes (whichever one was opened) *exactly* in the same way as programs can do with the classical Unix file system. But these two collections of data bytes associated with the file are *entirely independent of each other*, other than that they are both associated with the same file. For example, bytes written to one collection of data bytes cannot be read from the other collection of data bytes; the data stored in one collection of data bytes are stored in *entirely independent* data blocks separate from the data stored in the other collection of data bytes; and each of the two collections of data bytes associated with the file has its own *independent size*.

Design the changes to the file system on-disk data structure format to support this file system extension. In your solution, you should try to fully support this new feature, but you should also try to do so **in a way that does *not* change the on-disk data structure format of a *directory entry* or an *inode* in the original classical Unix file system. For example, in the classical Unix file system, a directory entry consists of a 16-bit inode number and a 14-character field for storing that filename; you may not modify this directory entry format in any way. Likewise, you may not modify the existing inode format in any way. Your solution must also be *efficient in the space it uses on the disk*; for example, you may *not*** simply reserve a second inode for every file, since many files will not use an "alternate" collection of data bytes associated with them (i.e., *some* files may also have an "alternate" collection of data bytes associated with them, in addition to the "main" collection of data bytes, but *many* files will use only the "main" collection of data bytes).

In your answer, you do *not* need to show pseudo-code for the *execution* of this extension to the file system. Rather, you need only clearly describe how you make use of the on-disk data structures to represent both collections of data bytes associated with a file (the "main" and the "alternate" collection of data bytes) required by this extension. For example, be sure to clearly explain how you locate and how you store the new "alternate" collection of data bytes associated with any file that uses one.

Hint: Although you may not change the format of the **on-disk *directory entry* or *inode*** data structures, you may use some for specialized purposes, consistent with their existing format. In this, though, you should still try to retain the spirit of the meaning of these existing data structure formats.

---

Question 5: Cryptographic Message Protection

*20 Points*

Consider a system that allows a user process running on one computer to send a message to another user process running on some other computer, where these computers are connected by a computer network. Each user process is running on behalf of some real person who logged in to the computer on which that process is running and started the process in execution. You may assume that the sending process knows the identity of the person executing the process to which the sender is sending a message. The size of a message as sent by a process or as received by a process, or as the message exists in transit over the network, is not limited.

The computer network connecting these computers is possibly susceptible to attack by malicious users. In particular, such a malicious user could modify any existing message in transit over the network, or could inject new messages with any content and destined to any user process on any computer connected to the network.

For this question, you may assume that a sending process can send a message simply by asking the local kernel to send it to some specified destination process. You need not be concerned for this question with how the sending process specifies the intended destination process; you may assume something simple such as by specifying the identifier of the destination computer and the process identifier of the destination process on that computer. You may assume that, in normal circumstances, the message will be delivered to that destination process. But as noted above, malicious users may attempt to attack the network by modifying any message and/or by injecting additional messages. The kernel provides no support for protecting the message.

When a process receives a message, the receiving process gets nothing other than the contents of the received message. Any information such as which user process or which person sent the message must be determined by the receiving process from the contents of just the message as received.

Design a scheme by which some user process sending a message to another user process can cryptographically protect the message in such a way that the receiving process can verify the following two properties about the received message:

that the message was actually sent by the sending person that the message claims to have been sent by; and
that the contents of the message has not been modified since that sending process sent that message on behalf of that person.

Your solution must achieve these properties by one or more cryptographic operations that you perform as part of sending the message and/or as part of receiving and verifying the received message. In your solution, you may add any additional information to the message that you need to and/or may modify any part of the contents of the message as part of sending it and/or as part of receiving and checking it. You may not assume any special support for achieving these properties other than the cryptographic operations you use in your solution and what you do with them in your solution.

The computers and network of this system must support an arbitrary (potentially very large) set of different users (i.e., people), any of which can be running any number of user processes on any computer connected to this network. A sending process might send only a single message to some particular destination process, but it might instead be common for some sending process over time to send many messages to the same destination.

Each user process may be initialized with only **a small *limited total* amount of state such as cryptographic keys or other information needed to support its ability to send and receive messages in this way and to verify the above two properties for any message received. If any process in your solution requires additional cryptographic keys or other material, you must describe specifically how that process obtains that information**.

Show your solution using pseudocode similar to that used in the book or in class. In particular, you must show both how a user process sends a message and how a user process receives a message. As part of this, you must show explicitly how you check and verify the two properties above for any message received. You must, in addition, strive to make your solution computationally efficient.

writeup.md206 B

markdown

# COMP421 Final Exam

## Student Responses

<!-- Write your solutions below. Add sections for each problem as needed. -->
<!-- Use proper mathematical notation where applicable. -->

[Your solutions here]

COMP421 Final Exam

Student Responses

---

Question 1: Short Definitions

(a) capability *(2 points)*

A capability is an unforgeable token held by a process that grants specific, designated access rights (such as read, write, or execute) to a particular resource or object, where possessing the token is itself proof of authorization without requiring further identity checks.

(b) cylinder group *(2 points)*

A cylinder group is a cluster of consecutive disk cylinders in a Unix file system (e.g., BSD Fast File System) that contains its own local copies of the superblock, a free-block bitmap, a free-inode bitmap, and a set of inodes, enabling data and metadata for related files to be stored near each other on disk to improve I/O locality and performance.

(c) symbolic link *(2 points)*

A symbolic link is a special file system entry that stores a pathname string pointing to another file or directory, such that when the symbolic link is accessed the file system transparently redirects the access to the target named by that stored pathname.

(d) message digest *(2 points)*

A message digest is a fixed-size cryptographic hash value computed deterministically from a message's contents using a one-way hash function (such as SHA-256), such that any change to the message produces a different digest with overwhelming probability, thereby allowing verification of message integrity.

(e) extent *(2 points)*

An extent is a contiguous run of disk blocks described compactly as a (starting block number, length) pair, used in file systems to represent a sequence of consecutive data blocks belonging to a file more efficiently than listing each individual block number separately.

---

Question 2: LoadProgram and Yalnix Demand Paging

Overview of Changes

To implement demand paging in the Yalnix kernel on the RCS 421 hardware, we make two principal modifications:

1. LoadProgram is changed to *not* read any text/data pages into physical memory. Instead, it marks all of those virtual pages as invalid in the page table and records where each page's data lives in the program file. 2. TrapMemoryHandler is modified to detect when a fault is a demand-paging fault (a page that exists in the program but has not yet been loaded), and to respond by loading exactly that one page into a freshly allocated physical frame and updating the page table.

New / Modified Data Structures

We add the following per-process demand-paging table to the PCB. It has one entry per virtual page number (VPN) in Region 0.

/* Stored in program file, or -1 for BSS (zero-fill) pages */
struct DemandPageEntry {
    int    is_demand;    /* 1 = page is not yet loaded; 0 = already loaded or not demand */
    int    fd;           /* open file descriptor for the program file; -1 for BSS pages */
    off_t  file_offset;  /* byte offset in the program file where this page's data begins;
                            -1 for BSS (zero-fill) pages */
    int    prot;         /* protection bits (PROT_READ|PROT_EXEC for text,
                            PROT_READ|PROT_WRITE for data/BSS) */
};

/* Added to each process's PCB: */
struct DemandPageEntry demand_table[VMEM_REGION_SIZE / PAGESIZE];
int    prog_fd;  /* file descriptor for the program's executable, kept open */

No changes are made to the existing page table entry (PTE) format; we simply use the existing valid bit in each PTE to indicate whether the physical frame is present.

Modified LoadProgram: Initialization

Rather than allocating physical frames and reading program pages, LoadProgram marks each page table entry as invalid and records demand-paging information for each virtual page.

LoadProgram(char *name, char *args[], ExceptionInfo *ei, PCB *proc):

    fd = Open(name, O_RDONLY)      /* open the ELF executable */

    /* Read ELF header and program header table */
    Read ELF header → text_file_offset, text_vaddr, text_bytes
                     → data_file_offset, data_vaddr, data_bytes
                     → bss_vaddr, bss_bytes

    /*
     * All addresses below are VIRTUAL addresses.
     * All page numbers computed below are VIRTUAL page numbers (VPNs)
     * within Region 0.
     */

    /* ---- TEXT PAGES ---- */
    text_start_vpn = text_vaddr >> PAGESHIFT        /* virtual page number */
    text_num_pages = ROUND_UP(text_bytes, PAGESIZE) / PAGESIZE

    for vpn = text_start_vpn to text_start_vpn + text_num_pages - 1:
        page_idx = vpn - text_start_vpn

        /* Mark page table entry as INVALID (not in physical memory) */
        proc->region0_pt[vpn].valid = 0              /* page not present */
        proc->region0_pt[vpn].pfn   = 0              /* no physical page yet */
        /* (vpn is a VIRTUAL page number; pfn will be a PHYSICAL page number
           when the page is eventually loaded) */

        /* Record demand-paging info */
        proc->demand_table[vpn].is_demand   = 1
        proc->demand_table[vpn].fd          = fd
        proc->demand_table[vpn].file_offset = text_file_offset + page_idx * PAGESIZE
        proc->demand_table[vpn].prot        = PROT_READ | PROT_EXEC

    /* ---- DATA PAGES ---- */
    data_start_vpn = data_vaddr >> PAGESHIFT        /* virtual page number */
    data_num_pages = ROUND_UP(data_bytes, PAGESIZE) / PAGESIZE

    for vpn = data_start_vpn to data_start_vpn + data_num_pages - 1:
        page_idx = vpn - data_start_vpn

        proc->region0_pt[vpn].valid = 0
        proc->region0_pt[vpn].pfn   = 0

        proc->demand_table[vpn].is_demand   = 1
        proc->demand_table[vpn].fd          = fd
        proc->demand_table[vpn].file_offset = data_file_offset + page_idx * PAGESIZE
        proc->demand_table[vpn].prot        = PROT_READ | PROT_WRITE

    /* ---- BSS PAGES (zero-fill on demand) ---- */
    bss_start_vpn = bss_vaddr >> PAGESHIFT          /* virtual page number */
    bss_num_pages = ROUND_UP(bss_bytes, PAGESIZE) / PAGESIZE

    for vpn = bss_start_vpn to bss_start_vpn + bss_num_pages - 1:
        proc->region0_pt[vpn].valid = 0
        proc->region0_pt[vpn].pfn   = 0

        proc->demand_table[vpn].is_demand   = 1
        proc->demand_table[vpn].fd          = -1    /* no file: zero-fill */
        proc->demand_table[vpn].file_offset = -1
        proc->demand_table[vpn].prot        = PROT_READ | PROT_WRITE

    /* Save the open fd in the PCB for future demand-load use */
    proc->prog_fd = fd

    /* Flush Region 0 TLB to ensure hardware sees all the invalid PTEs */
    WriteRegister(REG_TLB_FLUSH, TLB_FLUSH_0)

    /*
     * Stack pages (Region 1) are allocated normally — at least the
     * initial stack page must be present to start execution.
     */
    pfn_stack = AllocatePhysicalPage()   /* returns a PHYSICAL page number */
    /* stack_vpn_r1 is a virtual page number within Region 1's page table */
    stack_vpn_r1 = (VMEM_1_LIMIT - PAGESIZE - VMEM_1_BASE) >> PAGESHIFT
    proc->region1_pt[stack_vpn_r1].valid = 1
    proc->region1_pt[stack_vpn_r1].prot  = PROT_READ | PROT_WRITE
    proc->region1_pt[stack_vpn_r1].pfn   = pfn_stack  /* PHYSICAL page number */
    WriteRegister(REG_TLB_FLUSH, VMEM_1_LIMIT - PAGESIZE)  /* virtual address */

    /* Set entry point and stack pointer in ExceptionInfo */
    ei->pc = (void *)text_vaddr          /* VIRTUAL address: program entry point */
    ei->sp = (void *)(VMEM_1_LIMIT - 8)  /* VIRTUAL address: initial stack pointer */

Because all text/data/BSS PTEs have valid = 0, the very first instruction fetch (from the entry point virtual address) will immediately trigger a page fault, and the handler will load that page on demand.

Modified TrapMemoryHandler: Recognizing and Handling Demand-Paging Faults

TrapMemoryHandler(ExceptionInfo *ei):

    /*
     * ei->addr is the VIRTUAL address whose access caused the fault.
     */
    faulting_vaddr = (unsigned int) ei->addr    /* VIRTUAL address */
    faulting_vpn   = faulting_vaddr >> PAGESHIFT /* VIRTUAL page number in Region 0 */

    proc = CurrentProcess()

    /* Only handle Region 0 demand-paging faults here */
    if faulting_vaddr >= VMEM_1_BASE:
        /* Region 1 fault or stack growth — handle separately */
        HandleStackGrowthOrKernelFault(ei)
        return

    if faulting_vpn >= (VMEM_REGION_SIZE / PAGESIZE):
        /* Out of bounds — kill process */
        KillProcess(proc)
        return

    if proc->demand_table[faulting_vpn].is_demand == 1:
        /*
         * DEMAND PAGING FAULT: this virtual page exists in the program
         * but has not yet been loaded into physical memory.
         */

        /* Allocate a free physical frame */
        pfn = AllocatePhysicalPage()
        /*
         * pfn is a PHYSICAL page number.
         * The corresponding PHYSICAL address of this frame is:
         *     phys_addr = pfn << PAGESHIFT
         * We cannot access this physical address directly from the kernel;
         * we must map it at a kernel VIRTUAL address first.
         */

        /*
         * Temporarily map the new physical frame at a reserved kernel
         * virtual page in Region 1 so we can write to it.
         * KERNEL_TEMP_PAGE_VADDR is a pre-reserved VIRTUAL address in Region 1.
         */
        kernel_temp_vaddr = KERNEL_TEMP_PAGE_VADDR       /* VIRTUAL address */
        kernel_temp_vpn   = (kernel_temp_vaddr - VMEM_1_BASE) >> PAGESHIFT
                                                          /* VIRTUAL page number in Region 1 */

        kernel_region1_pt[kernel_temp_vpn].valid = 1
        kernel_region1_pt[kernel_temp_vpn].prot  = PROT_READ | PROT_WRITE
        kernel_region1_pt[kernel_temp_vpn].pfn   = pfn   /* PHYSICAL page number */
        WriteRegister(REG_TLB_FLUSH, kernel_temp_vaddr)   /* flush by VIRTUAL address */

        if proc->demand_table[faulting_vpn].fd == -1:
            /*
             * BSS page: zero-fill the physical frame.
             * We access it through the kernel VIRTUAL address kernel_temp_vaddr.
             */
            memset((void *)kernel_temp_vaddr, 0, PAGESIZE)
            /* kernel_temp_vaddr is a VIRTUAL address → physical write goes to pfn frame */

        else:
            /*
             * Text or data page: read from the program file into the physical frame.
             */
            file_fd     = proc->demand_table[faulting_vpn].fd
            file_offset = proc->demand_table[faulting_vpn].file_offset

            lseek(file_fd, file_offset, SEEK_SET)
            n = read(file_fd, (void *)kernel_temp_vaddr, PAGESIZE)
            /* kernel_temp_vaddr is a VIRTUAL address; the data lands in physical frame pfn */

            /* Zero any partial remainder (e.g., last page of text/data) */
            if n < PAGESIZE:
                memset((void *)(kernel_temp_vaddr + n), 0, PAGESIZE - n)

        /* Remove the temporary kernel mapping */
        kernel_region1_pt[kernel_temp_vpn].valid = 0
        WriteRegister(REG_TLB_FLUSH, kernel_temp_vaddr)   /* VIRTUAL address */

        /*
         * Now make the page valid in the process's Region 0 page table.
         * faulting_vpn is a VIRTUAL page number.
         * pfn is the PHYSICAL page number of the newly loaded frame.
         */
        proc->region0_pt[faulting_vpn].valid = 1
        proc->region0_pt[faulting_vpn].pfn   = pfn     /* PHYSICAL page number */
        proc->region0_pt[faulting_vpn].prot  = proc->demand_table[faulting_vpn].prot

        /* Mark as loaded so we don't treat future faults on this page as demand faults */
        proc->demand_table[faulting_vpn].is_demand = 0

        /* Flush TLB for the now-valid virtual page */
        WriteRegister(REG_TLB_FLUSH, faulting_vpn << PAGESHIFT)  /* VIRTUAL address */

        /*
         * Return normally. The hardware will re-execute the faulting
         * instruction; now that the PTE is valid and pfn is set, the
         * hardware's address translation will succeed:
         *   VIRTUAL address faulting_vaddr
         *   → page table lookup → pfn (PHYSICAL page number)
         *   → PHYSICAL address: (pfn << PAGESHIFT) | (faulting_vaddr & PAGE_MASK)
         */
        return

    else:
        /*
         * This is a genuine protection violation (e.g., write to read-only
         * text page, or access to an unmapped address).  Kill the process.
         */
        printf("Segmentation fault: killing process %d\n", proc->pid)
        KillProcess(proc)

Summary of Address and Page Number Usage

Quantity	Kind	Where it appears
`faulting_vaddr`	Virtual address	`ei->addr`; used as TLB flush argument
`faulting_vpn`	Virtual page number	Index into `region0_pt[]` and `demand_table[]`
`kernel_temp_vaddr`	Virtual address	Pre-reserved Region 1 virtual addr for temp mapping
`kernel_temp_vpn`	Virtual page number (Region 1)	Index into `kernel_region1_pt[]`
`pfn`	Physical page number	Stored in PTE `.pfn`; physical frame index
`pfn << PAGESHIFT`	Physical address	The base physical address of the allocated frame
`file_offset`	Byte offset in file	Passed to `lseek`/`read`; not a memory address

---

Question 3: Page Replacement Algorithms

Page reference string: 3, 5, 0, 1, 0, 2, 1, 0, 3, 2, 4, 2, 0, 5 Physical memory: 4 frames, initially empty.

---

3.1 Optimal Replacement

Strategy: On a page fault, evict the page whose next use is furthest in the future (or that will never be used again).

Tracing through the reference string (positions 0–13):

Step	Ref	Fault?	Memory (set)	Action
0	3	FAULT	{3}	load 3
1	5	FAULT	{3,5}	load 5
2	0	FAULT	{3,5,0}	load 0
3	1	FAULT	{3,5,0,1}	load 1
4	0	hit	{3,5,0,1}	—
5	2	FAULT	{3,2,0,1}	future uses: 3→pos 8, 5→pos 13, 0→pos 7, 1→pos 6; evict 5 (furthest)
6	1	hit	{3,2,0,1}	—
7	0	hit	{3,2,0,1}	—
8	3	hit	{3,2,0,1}	—
9	2	hit	{3,2,0,1}	—
10	4	FAULT	{4,2,0,1}	future: 3→never, 2→pos 11, 0→pos 12, 1→never; evict 3 (never used again)
11	2	hit	{4,2,0,1}	—
12	0	hit	{4,2,0,1}	—
13	5	FAULT	{4,2,0,5}	no future uses for anyone; evict 1 (arbitrary among never-used pages)

Total page faults: 7

Pages causing each fault (in order): VPN 3, VPN 5, VPN 0, VPN 1, VPN 2, VPN 4, VPN 5

---

3.2 FIFO Replacement

Strategy: Evict the page that has been in physical memory the longest (i.e., the oldest resident page).

Queue notation: oldest ← [ ... ] → newest

Step	Ref	Fault?	Memory queue (oldest→newest)	Action
0	3	FAULT	[3]	load 3
1	5	FAULT	[3, 5]	load 5
2	0	FAULT	[3, 5, 0]	load 0
3	1	FAULT	[3, 5, 0, 1]	load 1
4	0	hit	[3, 5, 0, 1]	—
5	2	FAULT	[5, 0, 1, 2]	evict 3 (oldest); load 2
6	1	hit	[5, 0, 1, 2]	—
7	0	hit	[5, 0, 1, 2]	—
8	3	FAULT	[0, 1, 2, 3]	evict 5 (oldest); load 3
9	2	hit	[0, 1, 2, 3]	—
10	4	FAULT	[1, 2, 3, 4]	evict 0 (oldest); load 4
11	2	hit	[1, 2, 3, 4]	—
12	0	FAULT	[2, 3, 4, 0]	evict 1 (oldest); load 0
13	5	FAULT	[3, 4, 0, 5]	evict 2 (oldest); load 5

Total page faults: 9

Pages causing each fault (in order): VPN 3, VPN 5, VPN 0, VPN 1, VPN 2, VPN 3, VPN 4, VPN 0, VPN 5

---

3.3 LRU Replacement

Strategy: Evict the page that was least recently used (i.e., the page whose most recent reference is the oldest).

I track the last-use timestamp for each page in memory.

Step	Ref	Fault?	Memory contents	LRU victim	LRU order (MRU→LRU after step)
0	3	FAULT	{3}	—	[3]
1	5	FAULT	{3,5}	—	[5, 3]
2	0	FAULT	{3,5,0}	—	[0, 5, 3]
3	1	FAULT	{3,5,0,1}	—	[1, 0, 5, 3]
4	0	hit	{3,5,0,1}	—	[0, 1, 5, 3]
5	2	FAULT	{5,0,1,2}	evict 3 (last used step 0)	[2, 0, 1, 5]
6	1	hit	{5,0,1,2}	—	[1, 2, 0, 5]
7	0	hit	{5,0,1,2}	—	[0, 1, 2, 5]
8	3	FAULT	{0,1,2,3}	evict 5 (last used step 1)	[3, 0, 1, 2]
9	2	hit	{0,1,2,3}	—	[2, 3, 0, 1]
10	4	FAULT	{0,2,3,4}	evict 1 (last used step 6)	[4, 2, 3, 0]
11	2	hit	{0,2,3,4}	—	[2, 4, 3, 0]
12	0	hit	{0,2,3,4}	—	[0, 2, 4, 3]
13	5	FAULT	{0,2,4,5}	evict 3 (last used step 8)	[5, 0, 2, 4]

Total page faults: 8

Pages causing each fault (in order): VPN 3, VPN 5, VPN 0, VPN 1, VPN 2, VPN 3, VPN 4, VPN 5

---

Question 4: Unix File System Extension

Constraints

Cannot change the on-disk directory entry format (16-bit inode number + 14-character filename).
Cannot change the on-disk inode format.
Must be space-efficient: no second inode reserved for files that do not use the alternate data stream.

Design: Alternate Data Directory (ADD)

Key idea: Introduce a single special, hidden directory — the *Alternate Data Directory* (ADD) — stored in the file system using exactly the existing on-disk formats. The ADD is a regular directory (using the unchanged directory entry format) whose entries map a file's primary inode number to a second "shadow" inode that holds the alternate data. Only files that actually have an alternate data stream have entries in the ADD.

On-Disk Format Changes

1. Superblock extension: Reserve one field in the superblock (or use a well-known, constant inode number, e.g., inode 3) to record the inode number of the ADD itself. Call this alt_dir_ino. This single constant is the only addition to the superblock.

2. Alternate Data Directory (ADD): This is an ordinary directory stored on disk using the unchanged directory-entry format: - Each entry: { uint16_t inode_num; char name[14]; } - The name field stores the decimal ASCII string representation of the primary file's inode number (e.g., for inode 42, the name is "42\0..."). A 16-bit inode number is at most 65535, which fits easily in 14 characters. - The inode_num field stores the inode number of the shadow inode that holds the alternate data blocks for that file.

3. Shadow inode: A shadow inode is an ordinary inode (same unchanged format) allocated from the file system's free inode pool. It stores direct, single indirect, double indirect, and triple indirect block pointers exactly as a regular file inode does — except it represents the alternate data stream of the associated primary file rather than an independently named file. The shadow inode does not appear in any ordinary directory.

How the Alternate Data Stream is Located

To access the alternate data for a file whose primary inode number is N:

1. Look up inode number alt_dir_ino (from the superblock) to find the ADD. 2. Search the ADD for a directory entry whose name field equals the decimal string of N. 3. If found, retrieve the inode_num field of that entry; this is the shadow inode number M. 4. Read inode M and use its block pointers (direct, single indirect, double indirect, triple indirect) to access the alternate data blocks, exactly as with any regular file inode.

Space Efficiency

Files with no alternate data stream have no entry in the ADD and no shadow inode allocated. The only constant overhead is the alt_dir_ino field in the superblock.
Files with an alternate data stream consume exactly one ADD directory entry and one shadow inode (plus data blocks as needed) — no more.

Supporting Independent Size and Independent Data Blocks

The shadow inode has its own file_size field (existing inode format), so the alternate data stream has an independent size.
The shadow inode's block pointers point to entirely separate data blocks from those pointed to by the primary inode. No data blocks are shared.
Writing/reading through the shadow inode path only affects the shadow inode's blocks; the primary inode and its blocks are completely unaffected, satisfying the independence requirement.

Creating and Deleting Alternate Data Streams

Creating: Allocate a new inode M, add a directory entry (M, decimal_string(N)) to the ADD, and update the ADD directory inode's size/block pointers as needed.
Deleting: When a file with inode N that has an alternate stream is unlinked (link count drops to 0), look up and remove the ADD entry for N, free all data blocks pointed to by shadow inode M, and free inode M itself.

Retaining the Spirit of the Formats

The ADD is a genuine directory: its entries record meaningful associations (shadow inode ↔ primary inode name string).
Shadow inodes are genuine inodes representing a body of file data.
The existing inode and directory entry formats are used exactly as intended; only the interpretation of which files certain inodes and directory entries describe is extended.

---

Question 5: Cryptographic Message Protection

Goal

Ensure that a receiving process can verify: 1. Authenticity: The message was sent by the person who claims to have sent it. 2. Integrity: The message contents have not been modified since it was sent.

Cryptographic Primitives Used

Asymmetric key pair per user: each user U has a private signing key SK_U (kept secret) and a corresponding public verification key PK_U (publicly known).
Cryptographic hash function `H` (e.g., SHA-256): produces a fixed-size digest of any message.
Digital signature scheme `Sign`/`Verify` (e.g., ECDSA or RSA-PSS):

- σ = Sign(SK_U, d) — produces signature σ over digest d using private key SK_U. - Verify(PK_U, σ, d) → true/false — checks that σ was produced by Sign(SK_U, d).

Public Key Infrastructure (PKI) / key directory: a trusted store (e.g., a certificate authority or trusted key server) from which any process can look up PK_V for any user V.

Initial State of Each Process

Each user process is initialized with:

The private signing key SK_self of the person running it (obtained at login from a secure credential store on the local machine).
The identity string self_id of that person (e.g., a username or certificate).
Access to the PKI for public-key lookup (e.g., a trusted HTTPS endpoint or locally cached certificate bundle).

This is a small, bounded amount of initial state regardless of how many users exist in the system.

Sending a Message

send_message(plaintext_body M, destination_process D):

    /*
     * Step 1: Compute a cryptographic digest of the message body.
     * This digest uniquely represents the content of M.
     */
    digest = H(M)                       // fixed-size hash, e.g., 32 bytes for SHA-256

    /*
     * Step 2: Sign the digest with the sender's private key.
     * Only someone who possesses SK_self can produce a valid signature
     * that verifies under PK_self.
     */
    σ = Sign(SK_self, digest)           // digital signature over digest

    /*
     * Step 3: Construct the complete transmitted message.
     * Append sender identity and signature to the plaintext body.
     */
    transmitted_msg = { sender_id : self_id,
                        body      : M,
                        signature : σ }

    /*
     * Step 4: Ask the kernel to deliver the message to the destination.
     */
    kernel_send(transmitted_msg, D)

Receiving and Verifying a Message

receive_and_verify() → (verified_body, verified_sender_id):

    /*
     * Step 1: Receive the raw message from the kernel.
     */
    msg = kernel_receive()

    claimed_sender = msg.sender_id     // identity string claimed by sender
    M              = msg.body          // received message body
    σ              = msg.signature     // sender's digital signature

    /*
     * Step 2: Look up the claimed sender's public key from the PKI.
     * If the claimed sender is unknown or has no public key, reject.
     */
    PK_sender = PKI_lookup(claimed_sender)
    if PK_sender == NOT_FOUND:
        reject_message("Unknown sender")
        return

    /*
     * Step 3: Recompute the digest of the received message body.
     */
    digest_received = H(M)

    /*
     * Step 4: Verify the signature.
     * Verify checks that σ = Sign(SK_sender, H(M_original)).
     * If M was modified in transit, digest_received ≠ digest_original,
     *   so Verify returns false  →  Property 2 (integrity) caught.
     * If an attacker forged σ without SK_sender,
     *   Verify returns false     →  Property 1 (authenticity) caught.
     */
    if Verify(PK_sender, σ, digest_received):
        /*
         * Both properties satisfied:
         *   1. AUTHENTICITY: only the person holding SK_sender could
         *      have produced σ; if claimed_sender is who they say they
         *      are, the message is genuine.
         *   2. INTEGRITY: the digest we recomputed from M matches what
         *      the sender signed; M has not been altered in transit.
         */
        accept message M as authentically from claimed_sender
        return (M, claimed_sender)

    else:
        reject_message("Invalid signature: message forged or tampered")
        return

Why This Is Correct

Authenticity: A malicious user cannot forge a signature σ that passes Verify(PK_Alice, σ, d) without possessing Alice's private key SK_Alice. The sender_id field in the message can only be trusted when the corresponding signature verifies.
Integrity: H is a collision-resistant hash. If any bit of M changes in transit, H(M_modified) ≠ H(M_original) with overwhelming probability, so Verify returns false.
Injection resistance: A newly injected message from a malicious user M_evil will fail verification unless the attacker also possesses the private key of the claimed sender.

Computational Efficiency Optimization

For a sending process that sends many messages to the same destination, we avoid the cost of a full asymmetric signature on every message by establishing a symmetric session key once, then using a fast HMAC for subsequent messages.

/* --- Session establishment (one-time per sender-recipient pair) --- */

establish_session(destination_process D, recipient_identity R):

    /*
     * Generate a random symmetric session key (e.g., 256-bit AES key).
     */
    K_session = SecureRandom(256)

    /*
     * Encrypt K_session with the recipient's public key so only
     * the recipient can read it.
     */
    K_enc = AsymmetricEncrypt(PK_R, K_session)

    /*
     * Sign the key establishment payload to authenticate it.
     */
    σ_init = Sign(SK_self, H(K_enc || self_id || R))

    init_msg = { type      : SESSION_INIT,
                 sender_id : self_id,
                 K_enc     : K_enc,
                 signature : σ_init }
    kernel_send(init_msg, D)

    session_key_store[D] = K_session    // store for future use

/* --- Fast subsequent message sending --- */

fast_send(M, destination_process D):

    K = session_key_store[D]

    /*
     * HMAC is symmetric and orders of magnitude faster than asymmetric signing.
     * Include self_id in the MAC input to bind sender identity.
     */
    mac = HMAC(K, self_id || M)

    msg = { type      : DATA,
            sender_id : self_id,
            body      : M,
            mac       : mac }
    kernel_send(msg, D)

/* --- Fast receive and verify for session messages --- */

fast_receive_and_verify(session_key K, claimed_sender S):

    msg = kernel_receive()

    if msg.type == SESSION_INIT:
        K_session = AsymmetricDecrypt(SK_self, msg.K_enc)
        σ = msg.signature
        PK_sender = PKI_lookup(msg.sender_id)
        if Verify(PK_sender, σ, H(msg.K_enc || msg.sender_id || self_id)):
            session_key_store[msg.sender_id] = K_session
        else:
            reject_message("Bad session init")

    else: /* DATA */
        K = session_key_store[msg.sender_id]
        mac_expected = HMAC(K, msg.sender_id || msg.body)
        if mac_expected == msg.mac:
            accept message msg.body from msg.sender_id
        else:
            reject_message("MAC verification failed")

The session key approach reduces per-message cryptographic cost to a single HMAC (a few microseconds) after the one-time asymmetric session establishment, while still providing both authenticity and integrity for every message.

COMP 421 Final Exam — Grading Report

Question 1: Short Definitions

Score: 10/10 points

Assessment:

Approach: The student provides concise, technically accurate one-sentence definitions for all five terms.

Strengths:

All definitions capture the essential characteristics of each term
Definitions go beyond surface-level descriptions to explain *how* and *why* each concept works
Correct use of OS-specific terminology throughout

Detailed Feedback:

(a) Capability (2/2): Excellent. Captures the unforgeable nature, possession-based authorization, and specific access rights. Matches the reference well.

(b) Cylinder group (2/2): Thorough definition that correctly identifies all key components: consecutive cylinders, superblock copies, free-block/free-inode bitmaps, and local inodes. The mention of I/O locality is a nice addition beyond the reference.

(c) Symbolic link (2/2): Correctly identifies the key property — stores a pathname string and transparently redirects access to the target. Captures the essential contrast with hard links implicitly.

(d) Message digest (2/2): Correctly identifies: fixed-size output, one-way hash function, deterministic computation, and change detection. The reference emphasizes computational infeasibility of reversal; the student emphasizes integrity verification — both are valid perspectives on the same concept.

(e) Extent (2/2): Precise definition with the (starting block, length) pair representation and the efficiency advantage over individual block listing. Matches the reference closely.

Rubric Breakdown:

(a) capability: 2/2 — Complete and correct
(b) cylinder group: 2/2 — Complete and correct
(c) symbolic link: 2/2 — Complete and correct
(d) message digest: 2/2 — Complete and correct
(e) extent: 2/2 — Complete and correct

---

Question 2: LoadProgram and Yalnix Demand Paging

Score: 24/25 points

Assessment:

Approach: The student introduces a per-process demand_table data structure in the PCB to track demand-paging state, modifies LoadProgram to mark all text/data/BSS PTEs as invalid without allocating physical pages, and modifies the TRAP_MEMORY handler to detect demand-paging faults, allocate physical frames, read page data through a kernel temporary mapping, and update the PTE.

Strengths:

Extremely thorough and well-organized answer with clear pseudocode
Correctly initializes all text, data, AND BSS PTEs to valid = 0
Saves the file descriptor in the PCB for later use during page faults
Uses the demand_table[vpn].is_demand flag to clearly distinguish demand-paging faults from genuine protection violations
Correctly handles BSS pages as zero-fill (a detail the reference doesn't explicitly address)
Uses a kernel temporary mapping in Region 1 to write to the physical frame — this is arguably more careful than the reference's approach of reading directly into the user virtual address
Excellent summary table of all addresses and page numbers with their types (virtual vs. physical)
Correctly handles TLB flushes throughout
All addresses and page numbers are clearly labeled as virtual or physical

Errors/Gaps:

Uses a single .prot field on PTEs instead of the Lab 2 PTE's separate uprot and kprot fields. While the student's kernel temp mapping approach makes this less critical (the kernel doesn't need write access to user text pages during loading), the Lab 2 PTE format explicitly defines both fields, and the pseudocode should reflect this distinction.

Detailed Feedback:

The LoadProgram modifications are complete: PTEs are set to valid = 0, file descriptor is saved, no text/data is read from disk, and the TLB is flushed. The demand_table provides a clean mechanism for the TRAP_MEMORY handler to determine fault type.

The TRAP_MEMORY handler correctly: (1) determines if the fault is a demand-paging fault via is_demand, (2) allocates a physical page, (3) maps it through a kernel temp address for writing, (4) reads from the correct file offset or zero-fills for BSS, (5) sets up the PTE with valid=1 and the correct pfn, (6) marks the page as loaded, and (7) flushes the TLB. The approach of using a kernel temporary mapping is a valid and arguably safer alternative to the reference solution's approach.

The only notable gap is using a single prot field rather than the separate uprot/kprot fields defined in the Lab 2 PTE format. This is a minor issue in pseudocode representation (−1).

Rubric Breakdown:

Saves way to access file later (fd in PCB): 0 deducted — ✓
Initializes all text/data PTEs to valid=0: 0 deducted — ✓
Mechanism to determine reason for valid==0: 0 deducted — ✓ (demand_table.is_demand)
Determines if TRAP_MEMORY is a page fault: 0 deducted — ✓
Non-fault handling: 0 deducted — ✓ (kills process / handles stack growth)
Physical page allocation + pfn update: 0 deducted — ✓
Sets valid=1: 0 deducted — ✓
File location for reading: 0 deducted — ✓
Virtual address for read target: 0 deducted — ✓ (kernel_temp_vaddr)
Accesses correct file: 0 deducted — ✓
Actually reads page from file: 0 deducted — ✓
PTE format compliance: −1 — uses single prot instead of uprot/kprot

---

Question 3: Page Replacement Algorithms

Score: 15/15 points

Assessment:

Approach: The student traces through the full page reference string for each algorithm with detailed tables showing memory state at each step, eviction decisions, and justifications.

Strengths:

All three algorithms are traced correctly with the correct fault counts
Detailed step-by-step tables make the work easy to verify
Eviction decisions are justified (e.g., showing future use distances for Optimal, queue order for FIFO, LRU order for LRU)
Total fault counts are clearly stated for each algorithm

3.1 Optimal Replacement (5/5)

Verified trace:

7 total page faults ✓
Faults on: 3, 5, 0, 1, 2, 4, 5 ✓
Eviction at step 5: evicts page 5 (next use at pos 13, furthest) ✓
Eviction at step 10: evicts page 3 (never used again) ✓
Eviction at step 13: evicts page 1 (never used again) ✓

3.2 FIFO Replacement (5/5)

Verified trace:

9 total page faults ✓
Faults on: 3, 5, 0, 1, 2, 3, 4, 0, 5 ✓
All evictions follow correct FIFO ordering ✓

3.3 LRU Replacement (5/5)

Verified trace:

8 total page faults ✓
Faults on: 3, 5, 0, 1, 2, 3, 4, 5 ✓
All evictions follow correct LRU ordering ✓
LRU order tracking is accurate at each step ✓

Rubric Breakdown:

3.1 Optimal: 5/5 — Correct (7 faults, correct pages identified)
3.2 FIFO: 5/5 — Correct (9 faults, correct pages identified)
3.3 LRU: 5/5 — Correct (8 faults, correct pages identified)

---

Question 4: Unix File System Extension

Score: 25/25 points

Assessment:

Approach: The student introduces an *Alternate Data Directory (ADD)* — a special hidden directory stored using the unchanged directory entry format — that maps primary inode numbers (stored as decimal ASCII strings in the 14-char name field) to "shadow" inodes allocated from the normal inode pool. Shadow inodes hold the alternate data stream using the standard inode format with its own block pointers and file size.

Strengths:

Does NOT modify directory entry format (16-bit inode + 14-char name) ✓
Does NOT modify inode format ✓
Space-efficient: only files with alternate data get an ADD entry and shadow inode ✓
Correctly tied to file inode number, NOT filename — properly supports hard links ✓
Shadow inode has its own independent file_size and block pointers — fully independent data ✓
Shadow inode supports full file size (direct + indirect blocks) — no reduced maximum size ✓
ADD itself is stored as a regular directory using a well-known/reserved inode number ✓
Clearly describes location, storage allocation, internal structure, and usage ✓
Creating and deleting alternate data streams are described ✓
"Retains the spirit of the formats" — directories store associations, inodes store file data ✓

Detailed Feedback:

This is an excellent answer that closely parallels the reference solution's core idea (use a second inode with a mapping mechanism) while using a creative and valid alternative representation (directory entries instead of an array of shorts). The student's approach is arguably *more* space-efficient than the reference's indexed array for sparse usage: the reference's array of shorts uses 2 × (total inodes) bytes regardless of usage, while the student's directory uses only 16 bytes per file with alternate data.

The clever use of the 14-character name field to store decimal inode numbers (max 65535 = 5 digits, easily fits in 14 characters) is well-justified and consistent with the existing format. The approach fully satisfies the hint about using existing data structures "for specialized purposes, consistent with their existing format."

Rubric Breakdown:

On-disk location clearly described: 0 deducted — ✓ (well-known inode or superblock reference)
Storage allocation clearly described: 0 deducted — ✓ (normal inode/directory mechanisms)
Internal structure and usage clearly described: 0 deducted — ✓ (directory entries map inode→shadow inode)
Independent size of alternate collection: 0 deducted — ✓ (shadow inode has own file_size)
Space efficiency: 0 deducted — ✓ (only files with alternate data consume resources)
Primary data maximum size: 0 deducted — ✓ (unchanged)
Alternate data maximum size: 0 deducted — ✓ (full inode capacity)
Tied to file, not name: 0 deducted — ✓ (keyed by inode number)
Not reserving second inode for every file: 0 deducted — ✓ (on-demand allocation)
Does not modify inode/directory format: 0 deducted — ✓

---

Question 5: Cryptographic Message Protection

Score: 24/25 points

Assessment:

Approach: The student uses asymmetric digital signatures (e.g., ECDSA/RSA-PSS) over a hash of the message. The sender signs H(M) with their private key and sends {sender_id, M, σ}. The receiver looks up the sender's public key via PKI and verifies the signature. An optional session key optimization using HMAC is provided for repeated messages.

Strengths:

Correct use of hash-then-sign paradigm: asymmetric operation only on the fixed-size digest, not the full message ✓
Both properties (authenticity and integrity) are correctly verified ✓
Clear pseudocode for both sending and receiving ✓
Sender identity is included in the transmitted message ✓
Private key kept private ("obtained at login from a secure credential store") ✓
Small bounded initial state per process ✓
Explicit analysis of why the scheme is correct (authenticity, integrity, injection resistance) ✓
Session key optimization for computational efficiency with repeated messages — goes beyond what's required ✓
Message structure is clearly defined ✓

Errors/Gaps:

While the student mentions "certificate authority" and "certificate bundle," the pseudocode abstracts public key retrieval as PKI_lookup(claimed_sender) without explicitly showing certificate verification (i.e., verifying the CA's signature on the certificate). The reference solution is more explicit about how certificates are obtained and verified.

Detailed Feedback:

The core protocol is sound and well-implemented. The hash-then-sign approach ensures computational efficiency by applying the expensive asymmetric operation only to the small fixed-size digest. The verification logic correctly catches both forged sender identity (wrong public key → verification fails) and altered content (different hash → verification fails).

The session key optimization is a thoughtful addition that demonstrates understanding of the performance tradeoff between asymmetric and symmetric cryptography. The session establishment uses asymmetric encryption of the session key plus a signed payload for authentication, then subsequent messages use fast HMAC — this is essentially the pattern used in real protocols like TLS.

The one gap is in public key distribution: the student mentions CA and certificates in the description but doesn't explicitly show certificate verification in the pseudocode. The reference emphasizes that users "establish identity with a trusted CA, which generates a public key certificate signed by the CA," and that receivers verify this certificate. The student's PKI_lookup abstracts this away somewhat.

Rubric Breakdown:

Asymmetric crypto only on small data (hash): 0 deducted — ✓
Not vague about operations: 0 deducted — ✓ (Sign/Verify explicitly defined)
Receiver knows who sender is: 0 deducted — ✓ (sender_id in message)
Protects against forged sender: 0 deducted — ✓
Protects against altered/forged data: 0 deducted — ✓
Actually sends the message: 0 deducted — ✓
Explains how process gets public key: 0 deducted — ✓ (PKI_lookup, mentions CA)
Public key certificate from CA: −1 — mentions CA and certificate bundle but doesn't show explicit certificate verification step
Private key kept private: 0 deducted — ✓
Clear message structure: 0 deducted — ✓
No memory pointers sent: 0 deducted — ✓

---

Overall Summary

Problem	Score	Notes
1: Short Definitions	10/10	All five definitions complete and correct
2: Demand Paging	24/25	Excellent; minor issue with prot vs uprot/kprot
3: Page Replacement	15/15	All three algorithms traced perfectly
4: File System Extension	25/25	Creative ADD approach; fully correct and space-efficient
5: Crypto Protection	24/25	Sound protocol; minor gap in certificate verification detail
Total	98/100

General Comments:

This is an outstanding submission that demonstrates deep understanding across all areas of the course. The answers are thorough, well-organized, and technically rigorous. Particular strengths include:

Q2: The demand paging solution is more detailed than the reference in several ways (handling BSS pages, using kernel temp mappings, comprehensive address/page number labeling). The demand_table data structure is a clean design choice.
Q3: Perfect execution on all three page replacement algorithms with clear, verifiable traces.
Q4: The Alternate Data Directory design is elegant — using existing directory entry format to store inode-to-shadow-inode mappings is creative and potentially more space-efficient than the reference's array approach.
Q5: The basic protocol is correct and efficient, and the session key optimization demonstrates sophisticated understanding of cryptographic performance tradeoffs.

The two minor deductions are for small pseudocode-level gaps (PTE field naming, certificate verification detail) rather than conceptual errors.

Total: 98/100

writeup.md

diff --git a/writeup.md b/writeup.md
index 32843a1..cb7951f 100644
--- a/writeup.md
+++ b/writeup.md
@@ -2,8 +2,624 @@
 
 ## Student Responses
 
-<!-- Write your solutions below. Add sections for each problem as needed. -->
-<!-- Use proper mathematical notation where applicable. -->
+---
 
-[Your solutions here]
+## Question 1: Short Definitions
 
+**(a) capability** *(2 points)*
+
+A capability is an unforgeable token held by a process that grants specific, designated access rights (such as read, write, or execute) to a particular resource or object, where possessing the token is itself proof of authorization without requiring further identity checks.
+
+**(b) cylinder group** *(2 points)*
+
+A cylinder group is a cluster of consecutive disk cylinders in a Unix file system (e.g., BSD Fast File System) that contains its own local copies of the superblock, a free-block bitmap, a free-inode bitmap, and a set of inodes, enabling data and metadata for related files to be stored near each other on disk to improve I/O locality and performance.
+
+**(c) symbolic link** *(2 points)*
+
+A symbolic link is a special file system entry that stores a pathname string pointing to another file or directory, such that when the symbolic link is accessed the file system transparently redirects the access to the target named by that stored pathname.
+
+**(d) message digest** *(2 points)*
+
+A message digest is a fixed-size cryptographic hash value computed deterministically from a message's contents using a one-way hash function (such as SHA-256), such that any change to the message produces a different digest with overwhelming probability, thereby allowing verification of message integrity.
+
+**(e) extent** *(2 points)*
+
+An extent is a contiguous run of disk blocks described compactly as a (starting block number, length) pair, used in file systems to represent a sequence of consecutive data blocks belonging to a file more efficiently than listing each individual block number separately.
+
+---
+
+## Question 2: LoadProgram and Yalnix Demand Paging
+
+### Overview of Changes
+
+To implement demand paging in the Yalnix kernel on the RCS 421 hardware, we make two principal modifications:
+
+1. **LoadProgram** is changed to *not* read any text/data pages into physical memory. Instead, it marks all of those virtual pages as invalid in the page table and records where each page's data lives in the program file.
+2. **TrapMemoryHandler** is modified to detect when a fault is a demand-paging fault (a page that exists in the program but has not yet been loaded), and to respond by loading exactly that one page into a freshly allocated physical frame and updating the page table.
+
+### New / Modified Data Structures
+
+We add the following per-process demand-paging table to the PCB. It has one entry per virtual page number (VPN) in Region 0.
+
+```c
+/* Stored in program file, or -1 for BSS (zero-fill) pages */
+struct DemandPageEntry {
+    int    is_demand;    /* 1 = page is not yet loaded; 0 = already loaded or not demand */
+    int    fd;           /* open file descriptor for the program file; -1 for BSS pages */
+    off_t  file_offset;  /* byte offset in the program file where this page's data begins;
+                            -1 for BSS (zero-fill) pages */
+    int    prot;         /* protection bits (PROT_READ|PROT_EXEC for text,
+                            PROT_READ|PROT_WRITE for data/BSS) */
+};
+
+/* Added to each process's PCB: */
+struct DemandPageEntry demand_table[VMEM_REGION_SIZE / PAGESIZE];
+int    prog_fd;  /* file descriptor for the program's executable, kept open */
+```
+
+No changes are made to the existing page table entry (PTE) format; we simply use the existing `valid` bit in each PTE to indicate whether the physical frame is present.
+
+### Modified LoadProgram: Initialization
+
+Rather than allocating physical frames and reading program pages, LoadProgram marks each page table entry as invalid and records demand-paging information for each virtual page.
+
+```
+LoadProgram(char *name, char *args[], ExceptionInfo *ei, PCB *proc):
+
+    fd = Open(name, O_RDONLY)      /* open the ELF executable */
+
+    /* Read ELF header and program header table */
+    Read ELF header → text_file_offset, text_vaddr, text_bytes
+                     → data_file_offset, data_vaddr, data_bytes
+                     → bss_vaddr, bss_bytes
+
+    /*
+     * All addresses below are VIRTUAL addresses.
+     * All page numbers computed below are VIRTUAL page numbers (VPNs)
+     * within Region 0.
+     */
+
+    /* ---- TEXT PAGES ---- */
+    text_start_vpn = text_vaddr >> PAGESHIFT        /* virtual page number */
+    text_num_pages = ROUND_UP(text_bytes, PAGESIZE) / PAGESIZE
+
+    for vpn = text_start_vpn to text_start_vpn + text_num_pages - 1:
+        page_idx = vpn - text_start_vpn
+
+        /* Mark page table entry as INVALID (not in physical memory) */
+        proc->region0_pt[vpn].valid = 0              /* page not present */
+        proc->region0_pt[vpn].pfn   = 0              /* no physical page yet */
+        /* (vpn is a VIRTUAL page number; pfn will be a PHYSICAL page number
+           when the page is eventually loaded) */
+
+        /* Record demand-paging info */
+        proc->demand_table[vpn].is_demand   = 1
+        proc->demand_table[vpn].fd          = fd
+        proc->demand_table[vpn].file_offset = text_file_offset + page_idx * PAGESIZE
+        proc->demand_table[vpn].prot        = PROT_READ | PROT_EXEC
+
+    /* ---- DATA PAGES ---- */
+    data_start_vpn = data_vaddr >> PAGESHIFT        /* virtual page number */
+    data_num_pages = ROUND_UP(data_bytes, PAGESIZE) / PAGESIZE
+
+    for vpn = data_start_vpn to data_start_vpn + data_num_pages - 1:
+        page_idx = vpn - data_start_vpn
+
+        proc->region0_pt[vpn].valid = 0
+        proc->region0_pt[vpn].pfn   = 0
+
+        proc->demand_table[vpn].is_demand   = 1
+        proc->demand_table[vpn].fd          = fd
+        proc->demand_table[vpn].file_offset = data_file_offset + page_idx * PAGESIZE
+        proc->demand_table[vpn].prot        = PROT_READ | PROT_WRITE
+
+    /* ---- BSS PAGES (zero-fill on demand) ---- */
+    bss_start_vpn = bss_vaddr >> PAGESHIFT          /* virtual page number */
+    bss_num_pages = ROUND_UP(bss_bytes, PAGESIZE) / PAGESIZE
+
+    for vpn = bss_start_vpn to bss_start_vpn + bss_num_pages - 1:
+        proc->region0_pt[vpn].valid = 0
+        proc->region0_pt[vpn].pfn   = 0
+
+        proc->demand_table[vpn].is_demand   = 1
+        proc->demand_table[vpn].fd          = -1    /* no file: zero-fill */
+        proc->demand_table[vpn].file_offset = -1
+        proc->demand_table[vpn].prot        = PROT_READ | PROT_WRITE
+
+    /* Save the open fd in the PCB for future demand-load use */
+    proc->prog_fd = fd
+
+    /* Flush Region 0 TLB to ensure hardware sees all the invalid PTEs */
+    WriteRegister(REG_TLB_FLUSH, TLB_FLUSH_0)
+
+    /*
+     * Stack pages (Region 1) are allocated normally — at least the
+     * initial stack page must be present to start execution.
+     */
+    pfn_stack = AllocatePhysicalPage()   /* returns a PHYSICAL page number */
+    /* stack_vpn_r1 is a virtual page number within Region 1's page table */
+    stack_vpn_r1 = (VMEM_1_LIMIT - PAGESIZE - VMEM_1_BASE) >> PAGESHIFT
+    proc->region1_pt[stack_vpn_r1].valid = 1
+    proc->region1_pt[stack_vpn_r1].prot  = PROT_READ | PROT_WRITE
+    proc->region1_pt[stack_vpn_r1].pfn   = pfn_stack  /* PHYSICAL page number */
+    WriteRegister(REG_TLB_FLUSH, VMEM_1_LIMIT - PAGESIZE)  /* virtual address */
+
+    /* Set entry point and stack pointer in ExceptionInfo */
+    ei->pc = (void *)text_vaddr          /* VIRTUAL address: program entry point */
+    ei->sp = (void *)(VMEM_1_LIMIT - 8)  /* VIRTUAL address: initial stack pointer */
+```
+
+Because all text/data/BSS PTEs have `valid = 0`, the very first instruction fetch (from the entry point virtual address) will immediately trigger a page fault, and the handler will load that page on demand.
+
+### Modified TrapMemoryHandler: Recognizing and Handling Demand-Paging Faults
+
+```
+TrapMemoryHandler(ExceptionInfo *ei):
+
+    /*
+     * ei->addr is the VIRTUAL address whose access caused the fault.
+     */
+    faulting_vaddr = (unsigned int) ei->addr    /* VIRTUAL address */
+    faulting_vpn   = faulting_vaddr >> PAGESHIFT /* VIRTUAL page number in Region 0 */
+
+    proc = CurrentProcess()
+
+    /* Only handle Region 0 demand-paging faults here */
+    if faulting_vaddr >= VMEM_1_BASE:
+        /* Region 1 fault or stack growth — handle separately */
+        HandleStackGrowthOrKernelFault(ei)
+        return
+
+    if faulting_vpn >= (VMEM_REGION_SIZE / PAGESIZE):
+        /* Out of bounds — kill process */
+        KillProcess(proc)
+        return
+
+    if proc->demand_table[faulting_vpn].is_demand == 1:
+        /*
+         * DEMAND PAGING FAULT: this virtual page exists in the program
+         * but has not yet been loaded into physical memory.
+         */
+
+        /* Allocate a free physical frame */
+        pfn = AllocatePhysicalPage()
+        /*
+         * pfn is a PHYSICAL page number.
+         * The corresponding PHYSICAL address of this frame is:
+         *     phys_addr = pfn << PAGESHIFT
+         * We cannot access this physical address directly from the kernel;
+         * we must map it at a kernel VIRTUAL address first.
+         */
+
+        /*
+         * Temporarily map the new physical frame at a reserved kernel
+         * virtual page in Region 1 so we can write to it.
+         * KERNEL_TEMP_PAGE_VADDR is a pre-reserved VIRTUAL address in Region 1.
+         */
+        kernel_temp_vaddr = KERNEL_TEMP_PAGE_VADDR       /* VIRTUAL address */
+        kernel_temp_vpn   = (kernel_temp_vaddr - VMEM_1_BASE) >> PAGESHIFT
+                                                          /* VIRTUAL page number in Region 1 */
+
+        kernel_region1_pt[kernel_temp_vpn].valid = 1
+        kernel_region1_pt[kernel_temp_vpn].prot  = PROT_READ | PROT_WRITE
+        kernel_region1_pt[kernel_temp_vpn].pfn   = pfn   /* PHYSICAL page number */
+        WriteRegister(REG_TLB_FLUSH, kernel_temp_vaddr)   /* flush by VIRTUAL address */
+
+        if proc->demand_table[faulting_vpn].fd == -1:
+            /*
+             * BSS page: zero-fill the physical frame.
+             * We access it through the kernel VIRTUAL address kernel_temp_vaddr.
+             */
+            memset((void *)kernel_temp_vaddr, 0, PAGESIZE)
+            /* kernel_temp_vaddr is a VIRTUAL address → physical write goes to pfn frame */
+
+        else:
+            /*
+             * Text or data page: read from the program file into the physical frame.
+             */
+            file_fd     = proc->demand_table[faulting_vpn].fd
+            file_offset = proc->demand_table[faulting_vpn].file_offset
+
+            lseek(file_fd, file_offset, SEEK_SET)
+            n = read(file_fd, (void *)kernel_temp_vaddr, PAGESIZE)
+            /* kernel_temp_vaddr is a VIRTUAL address; the data lands in physical frame pfn */
+
+            /* Zero any partial remainder (e.g., last page of text/data) */
+            if n < PAGESIZE:
+                memset((void *)(kernel_temp_vaddr + n), 0, PAGESIZE - n)
+
+        /* Remove the temporary kernel mapping */
+        kernel_region1_pt[kernel_temp_vpn].valid = 0
+        WriteRegister(REG_TLB_FLUSH, kernel_temp_vaddr)   /* VIRTUAL address */
+
+        /*
+         * Now make the page valid in the process's Region 0 page table.
+         * faulting_vpn is a VIRTUAL page number.
+         * pfn is the PHYSICAL page number of the newly loaded frame.
+         */
+        proc->region0_pt[faulting_vpn].valid = 1
+        proc->region0_pt[faulting_vpn].pfn   = pfn     /* PHYSICAL page number */
+        proc->region0_pt[faulting_vpn].prot  = proc->demand_table[faulting_vpn].prot
+
+        /* Mark as loaded so we don't treat future faults on this page as demand faults */
+        proc->demand_table[faulting_vpn].is_demand = 0
+
+        /* Flush TLB for the now-valid virtual page */
+        WriteRegister(REG_TLB_FLUSH, faulting_vpn << PAGESHIFT)  /* VIRTUAL address */
+
+        /*
+         * Return normally. The hardware will re-execute the faulting
+         * instruction; now that the PTE is valid and pfn is set, the
+         * hardware's address translation will succeed:
+         *   VIRTUAL address faulting_vaddr
+         *   → page table lookup → pfn (PHYSICAL page number)
+         *   → PHYSICAL address: (pfn << PAGESHIFT) | (faulting_vaddr & PAGE_MASK)
+         */
+        return
+
+    else:
+        /*
+         * This is a genuine protection violation (e.g., write to read-only
+         * text page, or access to an unmapped address).  Kill the process.
+         */
+        printf("Segmentation fault: killing process %d\n", proc->pid)
+        KillProcess(proc)
+```
+
+### Summary of Address and Page Number Usage
+
+| Quantity | Kind | Where it appears |
+|---|---|---|
+| `faulting_vaddr` | **Virtual address** | `ei->addr`; used as TLB flush argument |
+| `faulting_vpn` | **Virtual page number** | Index into `region0_pt[]` and `demand_table[]` |
+| `kernel_temp_vaddr` | **Virtual address** | Pre-reserved Region 1 virtual addr for temp mapping |
+| `kernel_temp_vpn` | **Virtual page number** (Region 1) | Index into `kernel_region1_pt[]` |
+| `pfn` | **Physical page number** | Stored in PTE `.pfn`; physical frame index |
+| `pfn << PAGESHIFT` | **Physical address** | The base physical address of the allocated frame |
+| `file_offset` | Byte offset in file | Passed to `lseek`/`read`; not a memory address |
+
+---
+
+## Question 3: Page Replacement Algorithms
+
+Page reference string: **3, 5, 0, 1, 0, 2, 1, 0, 3, 2, 4, 2, 0, 5**
+Physical memory: **4 frames**, initially empty.
+
+---
+
+### 3.1 Optimal Replacement
+
+**Strategy:** On a page fault, evict the page whose next use is furthest in the future (or that will never be used again).
+
+Tracing through the reference string (positions 0–13):
+
+| Step | Ref | Fault? | Memory (set) | Action |
+|------|-----|--------|--------------|--------|
+| 0  | 3 | **FAULT** | {3} | load 3 |
+| 1  | 5 | **FAULT** | {3,5} | load 5 |
+| 2  | 0 | **FAULT** | {3,5,0} | load 0 |
+| 3  | 1 | **FAULT** | {3,5,0,1} | load 1 |
+| 4  | 0 | hit | {3,5,0,1} | — |
+| 5  | 2 | **FAULT** | {3,2,0,1} | future uses: 3→pos 8, 5→pos 13, 0→pos 7, 1→pos 6; evict **5** (furthest) |
+| 6  | 1 | hit | {3,2,0,1} | — |
+| 7  | 0 | hit | {3,2,0,1} | — |
+| 8  | 3 | hit | {3,2,0,1} | — |
+| 9  | 2 | hit | {3,2,0,1} | — |
+| 10 | 4 | **FAULT** | {4,2,0,1} | future: 3→never, 2→pos 11, 0→pos 12, 1→never; evict **3** (never used again) |
+| 11 | 2 | hit | {4,2,0,1} | — |
+| 12 | 0 | hit | {4,2,0,1} | — |
+| 13 | 5 | **FAULT** | {4,2,0,5} | no future uses for anyone; evict **1** (arbitrary among never-used pages) |
+
+**Total page faults: 7**
+
+**Pages causing each fault (in order):** VPN 3, VPN 5, VPN 0, VPN 1, VPN 2, VPN 4, VPN 5
+
+---
+
+### 3.2 FIFO Replacement
+
+**Strategy:** Evict the page that has been in physical memory the longest (i.e., the oldest resident page).
+
+Queue notation: oldest ← [ ... ] → newest
+
+| Step | Ref | Fault? | Memory queue (oldest→newest) | Action |
+|------|-----|--------|------------------------------|--------|
+| 0  | 3 | **FAULT** | [3] | load 3 |
+| 1  | 5 | **FAULT** | [3, 5] | load 5 |
+| 2  | 0 | **FAULT** | [3, 5, 0] | load 0 |
+| 3  | 1 | **FAULT** | [3, 5, 0, 1] | load 1 |
+| 4  | 0 | hit | [3, 5, 0, 1] | — |
+| 5  | 2 | **FAULT** | [5, 0, 1, 2] | evict **3** (oldest); load 2 |
+| 6  | 1 | hit | [5, 0, 1, 2] | — |
+| 7  | 0 | hit | [5, 0, 1, 2] | — |
+| 8  | 3 | **FAULT** | [0, 1, 2, 3] | evict **5** (oldest); load 3 |
+| 9  | 2 | hit | [0, 1, 2, 3] | — |
+| 10 | 4 | **FAULT** | [1, 2, 3, 4] | evict **0** (oldest); load 4 |
+| 11 | 2 | hit | [1, 2, 3, 4] | — |
+| 12 | 0 | **FAULT** | [2, 3, 4, 0] | evict **1** (oldest); load 0 |
+| 13 | 5 | **FAULT** | [3, 4, 0, 5] | evict **2** (oldest); load 5 |
+
+**Total page faults: 9**
+
+**Pages causing each fault (in order):** VPN 3, VPN 5, VPN 0, VPN 1, VPN 2, VPN 3, VPN 4, VPN 0, VPN 5
+
+---
+
+### 3.3 LRU Replacement
+
+**Strategy:** Evict the page that was least recently used (i.e., the page whose most recent reference is the oldest).
+
+I track the last-use timestamp for each page in memory.
+
+| Step | Ref | Fault? | Memory contents | LRU victim | LRU order (MRU→LRU after step) |
+|------|-----|--------|-----------------|------------|-------------------------------|
+| 0  | 3 | **FAULT** | {3} | — | [3] |
+| 1  | 5 | **FAULT** | {3,5} | — | [5, 3] |
+| 2  | 0 | **FAULT** | {3,5,0} | — | [0, 5, 3] |
+| 3  | 1 | **FAULT** | {3,5,0,1} | — | [1, 0, 5, 3] |
+| 4  | 0 | hit | {3,5,0,1} | — | [0, 1, 5, 3] |
+| 5  | 2 | **FAULT** | {5,0,1,2} | evict **3** (last used step 0) | [2, 0, 1, 5] |
+| 6  | 1 | hit | {5,0,1,2} | — | [1, 2, 0, 5] |
+| 7  | 0 | hit | {5,0,1,2} | — | [0, 1, 2, 5] |
+| 8  | 3 | **FAULT** | {0,1,2,3} | evict **5** (last used step 1) | [3, 0, 1, 2] |
+| 9  | 2 | hit | {0,1,2,3} | — | [2, 3, 0, 1] |
+| 10 | 4 | **FAULT** | {0,2,3,4} | evict **1** (last used step 6) | [4, 2, 3, 0] |
+| 11 | 2 | hit | {0,2,3,4} | — | [2, 4, 3, 0] |
+| 12 | 0 | hit | {0,2,3,4} | — | [0, 2, 4, 3] |
+| 13 | 5 | **FAULT** | {0,2,4,5} | evict **3** (last used step 8) | [5, 0, 2, 4] |
+
+**Total page faults: 8**
+
+**Pages causing each fault (in order):** VPN 3, VPN 5, VPN 0, VPN 1, VPN 2, VPN 3, VPN 4, VPN 5
+
+---
+
+## Question 4: Unix File System Extension
+
+### Constraints
+
+- **Cannot** change the on-disk directory entry format (16-bit inode number + 14-character filename).
+- **Cannot** change the on-disk inode format.
+- Must be **space-efficient**: no second inode reserved for files that do not use the alternate data stream.
+
+### Design: Alternate Data Directory (ADD)
+
+**Key idea:** Introduce a single special, hidden directory — the *Alternate Data Directory* (ADD) — stored in the file system using exactly the existing on-disk formats. The ADD is a regular directory (using the unchanged directory entry format) whose entries map a file's primary inode number to a second "shadow" inode that holds the alternate data. Only files that actually have an alternate data stream have entries in the ADD.
+
+#### On-Disk Format Changes
+
+1. **Superblock extension:** Reserve one field in the superblock (or use a well-known, constant inode number, e.g., inode 3) to record the inode number of the ADD itself. Call this `alt_dir_ino`. This single constant is the only addition to the superblock.
+
+2. **Alternate Data Directory (ADD):** This is an ordinary directory stored on disk using the unchanged directory-entry format:
+   - Each entry: `{ uint16_t inode_num; char name[14]; }`
+   - The `name` field stores the decimal ASCII string representation of the primary file's inode number (e.g., for inode 42, the name is `"42\0..."`). A 16-bit inode number is at most 65535, which fits easily in 14 characters.
+   - The `inode_num` field stores the inode number of the **shadow inode** that holds the alternate data blocks for that file.
+
+3. **Shadow inode:** A shadow inode is an ordinary inode (same unchanged format) allocated from the file system's free inode pool. It stores direct, single indirect, double indirect, and triple indirect block pointers exactly as a regular file inode does — except it represents the alternate data stream of the associated primary file rather than an independently named file. The shadow inode does **not** appear in any ordinary directory.
+
+#### How the Alternate Data Stream is Located
+
+To access the alternate data for a file whose primary inode number is N:
+
+1. Look up inode number `alt_dir_ino` (from the superblock) to find the ADD.
+2. Search the ADD for a directory entry whose `name` field equals the decimal string of N.
+3. If found, retrieve the `inode_num` field of that entry; this is the shadow inode number M.
+4. Read inode M and use its block pointers (direct, single indirect, double indirect, triple indirect) to access the alternate data blocks, exactly as with any regular file inode.
+
+#### Space Efficiency
+
+- Files with **no** alternate data stream have **no** entry in the ADD and **no** shadow inode allocated. The only constant overhead is the `alt_dir_ino` field in the superblock.
+- Files **with** an alternate data stream consume exactly one ADD directory entry and one shadow inode (plus data blocks as needed) — no more.
+
+#### Supporting Independent Size and Independent Data Blocks
+
+- The shadow inode has its own `file_size` field (existing inode format), so the alternate data stream has an independent size.
+- The shadow inode's block pointers point to entirely separate data blocks from those pointed to by the primary inode. No data blocks are shared.
+- Writing/reading through the shadow inode path only affects the shadow inode's blocks; the primary inode and its blocks are completely unaffected, satisfying the independence requirement.
+
+#### Creating and Deleting Alternate Data Streams
+
+- **Creating:** Allocate a new inode M, add a directory entry `(M, decimal_string(N))` to the ADD, and update the ADD directory inode's size/block pointers as needed.
+- **Deleting:** When a file with inode N that has an alternate stream is unlinked (link count drops to 0), look up and remove the ADD entry for N, free all data blocks pointed to by shadow inode M, and free inode M itself.
+
+#### Retaining the Spirit of the Formats
+
+- The ADD is a genuine directory: its entries record meaningful associations (shadow inode ↔ primary inode name string).
+- Shadow inodes are genuine inodes representing a body of file data.
+- The existing inode and directory entry formats are used exactly as intended; only the interpretation of which files certain inodes and directory entries describe is extended.
+
+---
+
+## Question 5: Cryptographic Message Protection
+
+### Goal
+
+Ensure that a receiving process can verify:
+1. **Authenticity:** The message was sent by the person who claims to have sent it.
+2. **Integrity:** The message contents have not been modified since it was sent.
+
+### Cryptographic Primitives Used
+
+- **Asymmetric key pair per user:** each user U has a private signing key `SK_U` (kept secret) and a corresponding public verification key `PK_U` (publicly known).
+- **Cryptographic hash function `H`** (e.g., SHA-256): produces a fixed-size digest of any message.
+- **Digital signature scheme `Sign`/`Verify`** (e.g., ECDSA or RSA-PSS):
+  - `σ = Sign(SK_U, d)` — produces signature σ over digest d using private key SK_U.
+  - `Verify(PK_U, σ, d)` → true/false — checks that σ was produced by Sign(SK_U, d).
+- **Public Key Infrastructure (PKI) / key directory:** a trusted store (e.g., a certificate authority or trusted key server) from which any process can look up `PK_V` for any user V.
+
+### Initial State of Each Process
+
+Each user process is initialized with:
+- The **private signing key** `SK_self` of the person running it (obtained at login from a secure credential store on the local machine).
+- The **identity string** `self_id` of that person (e.g., a username or certificate).
+- Access to the **PKI** for public-key lookup (e.g., a trusted HTTPS endpoint or locally cached certificate bundle).
+
+This is a small, bounded amount of initial state regardless of how many users exist in the system.
+
+### Sending a Message
+
+```
+send_message(plaintext_body M, destination_process D):
+
+    /*
+     * Step 1: Compute a cryptographic digest of the message body.
+     * This digest uniquely represents the content of M.
+     */
+    digest = H(M)                       // fixed-size hash, e.g., 32 bytes for SHA-256
+
+    /*
+     * Step 2: Sign the digest with the sender's private key.
+     * Only someone who possesses SK_self can produce a valid signature
+     * that verifies under PK_self.
+     */
+    σ = Sign(SK_self, digest)           // digital signature over digest
+
+    /*
+     * Step 3: Construct the complete transmitted message.
+     * Append sender identity and signature to the plaintext body.
+     */
+    transmitted_msg = { sender_id : self_id,
+                        body      : M,
+                        signature : σ }
+
+    /*
+     * Step 4: Ask the kernel to deliver the message to the destination.
+     */
+    kernel_send(transmitted_msg, D)
+```
+
+### Receiving and Verifying a Message
+
+```
+receive_and_verify() → (verified_body, verified_sender_id):
+
+    /*
+     * Step 1: Receive the raw message from the kernel.
+     */
+    msg = kernel_receive()
+
+    claimed_sender = msg.sender_id     // identity string claimed by sender
+    M              = msg.body          // received message body
+    σ              = msg.signature     // sender's digital signature
+
+    /*
+     * Step 2: Look up the claimed sender's public key from the PKI.
+     * If the claimed sender is unknown or has no public key, reject.
+     */
+    PK_sender = PKI_lookup(claimed_sender)
+    if PK_sender == NOT_FOUND:
+        reject_message("Unknown sender")
+        return
+
+    /*
+     * Step 3: Recompute the digest of the received message body.
+     */
+    digest_received = H(M)
+
+    /*
+     * Step 4: Verify the signature.
+     * Verify checks that σ = Sign(SK_sender, H(M_original)).
+     * If M was modified in transit, digest_received ≠ digest_original,
+     *   so Verify returns false  →  Property 2 (integrity) caught.
+     * If an attacker forged σ without SK_sender,
+     *   Verify returns false     →  Property 1 (authenticity) caught.
+     */
+    if Verify(PK_sender, σ, digest_received):
+        /*
+         * Both properties satisfied:
+         *   1. AUTHENTICITY: only the person holding SK_sender could
+         *      have produced σ; if claimed_sender is who they say they
+         *      are, the message is genuine.
+         *   2. INTEGRITY: the digest we recomputed from M matches what
+         *      the sender signed; M has not been altered in transit.
+         */
+        accept message M as authentically from claimed_sender
+        return (M, claimed_sender)
+
+    else:
+        reject_message("Invalid signature: message forged or tampered")
+        return
+```
+
+### Why This Is Correct
+
+- **Authenticity:** A malicious user cannot forge a signature σ that passes `Verify(PK_Alice, σ, d)` without possessing Alice's private key `SK_Alice`. The sender_id field in the message can only be trusted when the corresponding signature verifies.
+- **Integrity:** `H` is a collision-resistant hash. If any bit of `M` changes in transit, `H(M_modified) ≠ H(M_original)` with overwhelming probability, so `Verify` returns false.
+- **Injection resistance:** A newly injected message from a malicious user M_evil will fail verification unless the attacker also possesses the private key of the claimed sender.
+
+### Computational Efficiency Optimization
+
+For a sending process that sends **many messages to the same destination**, we avoid the cost of a full asymmetric signature on every message by establishing a **symmetric session key** once, then using a fast HMAC for subsequent messages.
+
+```
+/* --- Session establishment (one-time per sender-recipient pair) --- */
+
+establish_session(destination_process D, recipient_identity R):
+
+    /*
+     * Generate a random symmetric session key (e.g., 256-bit AES key).
+     */
+    K_session = SecureRandom(256)
+
+    /*
+     * Encrypt K_session with the recipient's public key so only
+     * the recipient can read it.
+     */
+    K_enc = AsymmetricEncrypt(PK_R, K_session)
+
+    /*
+     * Sign the key establishment payload to authenticate it.
+     */
+    σ_init = Sign(SK_self, H(K_enc || self_id || R))
+
+    init_msg = { type      : SESSION_INIT,
+                 sender_id : self_id,
+                 K_enc     : K_enc,
+                 signature : σ_init }
+    kernel_send(init_msg, D)
+
+    session_key_store[D] = K_session    // store for future use
+
+/* --- Fast subsequent message sending --- */
+
+fast_send(M, destination_process D):
+
+    K = session_key_store[D]
+
+    /*
+     * HMAC is symmetric and orders of magnitude faster than asymmetric signing.
+     * Include self_id in the MAC input to bind sender identity.
+     */
+    mac = HMAC(K, self_id || M)
+
+    msg = { type      : DATA,
+            sender_id : self_id,
+            body      : M,
+            mac       : mac }
+    kernel_send(msg, D)
+
+/* --- Fast receive and verify for session messages --- */
+
+fast_receive_and_verify(session_key K, claimed_sender S):
+
+    msg = kernel_receive()
+
+    if msg.type == SESSION_INIT:
+        K_session = AsymmetricDecrypt(SK_self, msg.K_enc)
+        σ = msg.signature
+        PK_sender = PKI_lookup(msg.sender_id)
+        if Verify(PK_sender, σ, H(msg.K_enc || msg.sender_id || self_id)):
+            session_key_store[msg.sender_id] = K_session
+        else:
+            reject_message("Bad session init")
+
+    else: /* DATA */
+        K = session_key_store[msg.sender_id]
+        mac_expected = HMAC(K, msg.sender_id || msg.body)
+        if mac_expected == msg.mac:
+            accept message msg.body from msg.sender_id
+        else:
+            reject_message("MAC verification failed")
+```
+
+The session key approach reduces per-message cryptographic cost to a single HMAC (a few microseconds) after the one-time asymmetric session establishment, while still providing both authenticity and integrity for every message.

Agent Work: Final Exam

COMP 421 Final Exam

Question 1: Short Definitions

Question 2: LoadProgram and Yalnix Demand Paging

Question 3: Page Replacement Algorithms

3.1 Optimal replacement *(5 points)*

3.2 FIFO replacement *(5 points)*

3.3 LRU replacement *(5 points)*

Question 4: Unix File System Extension

Question 5: Cryptographic Message Protection

COMP421 Final Exam

Student Responses

Question 1: Short Definitions

Question 2: LoadProgram and Yalnix Demand Paging

Overview of Changes

New / Modified Data Structures

Modified LoadProgram: Initialization

Modified TrapMemoryHandler: Recognizing and Handling Demand-Paging Faults

Summary of Address and Page Number Usage

Question 3: Page Replacement Algorithms

3.1 Optimal Replacement

3.2 FIFO Replacement

3.3 LRU Replacement

Question 4: Unix File System Extension

Constraints

Design: Alternate Data Directory (ADD)

On-Disk Format Changes

How the Alternate Data Stream is Located

Space Efficiency

Supporting Independent Size and Independent Data Blocks

Creating and Deleting Alternate Data Streams

Retaining the Spirit of the Formats

Question 5: Cryptographic Message Protection

Goal

Cryptographic Primitives Used

Initial State of Each Process

Sending a Message

Receiving and Verifying a Message

Why This Is Correct

Computational Efficiency Optimization

COMP 421 Final Exam — Grading Report

Question 1: Short Definitions

Score: 10/10 points

Assessment:

Rubric Breakdown:

Question 2: LoadProgram and Yalnix Demand Paging

Score: 24/25 points

Assessment:

Rubric Breakdown:

Question 3: Page Replacement Algorithms

Score: 15/15 points

Assessment:

3.1 Optimal Replacement (5/5)

3.2 FIFO Replacement (5/5)

3.3 LRU Replacement (5/5)

Rubric Breakdown:

Question 4: Unix File System Extension

Score: 25/25 points

Assessment:

Rubric Breakdown:

Question 5: Cryptographic Message Protection

Score: 24/25 points

Assessment:

Rubric Breakdown:

Overall Summary

General Comments:

Sub-Model Usage

3.1 Optimal replacement (5 points)

3.2 FIFO replacement (5 points)

3.3 LRU replacement (5 points)