From: Greg Green (ggreen_at_cs.washington.edu)
Date: Mon Jan 12 2004 - 11:01:16 PST
This paper covers a design of operating system that introduces the
concept of capability lists as the fundamental unit of protection. The
capability lists are attached to segments, each of which is an ordered
set of words identified by a name. All objects in the OS are referenced
via a word name, which consists of a segment id and an index into that
segment. Each segment has a capability attached to it, with access
indicators composed of some combination of read, write and execute.
Each capability also has an ownership indicator, either owned or
not-owned.
The basic unit of operation is called a computation, which is a group
of one or more processes running in a sphere of protection provided by
a list of capabilities, or C-list. A computation is under the control
of a principal, i.e. a user.
The paper then introduces meta-instructions, which are basic
instructions that operate on the concepts listed above. They allow
the OS to implement parallel programming and the various protection
concepts.
Parallel programming is done with the fork, quit and join
instructions. Fork is similar to the modern concept of a thread, in
that the new process sees the same data but can have its own private
data as well. Join is a conditional jump taken once all processes,
tracked by a count, have completed. Locking of critical sections or
shared data is provided by the lock and unlock instructions.
The concept of inferior spheres of protection is introduced, where
a different C-list context can be provided in the course of
execution. This is done with the create sphere, grant and start
instructions. Another important concept is protected entry points,
where another sphere of protection is entered by calling a
protected procedure. Here the calling process calls the entry point,
the supervisor switches the C-list and runs the procedure in another
process under the new sphere of protection.
The final section of the paper talks about naming. A namespace is
created for each principal. The namespace is a root directory that
contains capabilities that point at segments, I/O functions, or other
directories. This root directory is owned by the principal. The
sub-directories can be created by the principal or can be linked
directories of other principals. Directory entries can be flagged as
private or globally accessible. Examples of how principals can share
or protect capabilities are then presented.
I thought the paper was quite interesting. I don't know of any system
that has all of these features, such as the sphere of protection and
protected entry points. Do these exist in some system? It seems that the
Java virtual machine security provisions are somewhat similar to the
sphere of protection.
Another interesting bit was the lock and unlock instructions. This
predates the Dijkstra appendix that talks about semaphores. Was this
idea implemented and used at the time? If so, why is Dijkstra
considered the inventor of this?
The paper has a fork instruction that is very similar to the fork
implemented in UNIX. Is that where the idea came from? The idea of
every object and resource having a name is also quite
interesting. This seems like a very good idea. It simplifies the
association of C-lists with the various resources and the logic of
protecting them. It is easy to understand as well.
--Greg Green
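The following is an added example, not part of the original post or of the paper under review: a small Python model of the protection mechanisms the review summarises (segments, capabilities with read/write/execute indicators and an owned flag, spheres of protection, inferior spheres built by create sphere + grant, and protected entry points). Class and function names (Segment, Capability, Sphere, ProtectedProcedure, create_sphere, enter) are my own assumptions chosen to mirror the paper's concepts, and the rule that a granted capability is marked not-owned is an assumption of this model, not a claim about the paper. The sample segments are constructed data.

```python
"""Toy model of a capability-list (C-list) protection scheme.

Added example; the names below are assumptions that mirror the
concepts in the review, not identifiers taken from the paper.
"""
from dataclasses import dataclass
from enum import Flag, auto


class Access(Flag):
    """Access indicators on a capability: any combination of R, W, X."""
    NONE = 0
    R = auto()
    W = auto()
    X = auto()


@dataclass(eq=False)
class Segment:
    """An ordered set of words identified by a name."""
    name: str
    words: list


@dataclass(eq=False)
class ProtectedProcedure:
    """A procedure that always runs under its own sphere; callers hold
    only an entry (X) capability for it and never see its C-list."""
    name: str
    sphere: "Sphere"
    body: object  # callable taking the procedure's own sphere plus args


@dataclass(frozen=True)
class Capability:
    obj: object          # a Segment or a ProtectedProcedure
    access: Access
    owned: bool = False  # ownership indicator (assumed: lost on grant)


class Sphere:
    """A sphere of protection: a computation runs with exactly this C-list.
    A word name is (slot, index): C-list slot of the segment + index."""

    def __init__(self, clist=()):
        self.clist = list(clist)

    def _check(self, slot, need):
        """Every access goes through the C-list; no slot or no right = denied."""
        try:
            cap = self.clist[slot]
        except IndexError:
            raise PermissionError(f"C-list has no slot {slot}") from None
        if need not in cap.access:
            raise PermissionError(f"slot {slot}: {need.name} not permitted")
        return cap

    def read(self, slot, index):
        return self._check(slot, Access.R).obj.words[index]

    def write(self, slot, index, value):
        self._check(slot, Access.W).obj.words[index] = value

    def enter(self, slot, *args):
        """Protected entry point: the supervisor runs the body under the
        procedure's own C-list, never the caller's."""
        proc = self._check(slot, Access.X).obj
        return proc.body(proc.sphere, *args)

    def create_sphere(self, grants):
        """create sphere + grant: an inferior sphere holding only the
        listed (slot, access) pairs; rights can only be attenuated."""
        clist = []
        for slot, access in grants:
            cap = self.clist[slot]
            if access not in cap.access:
                raise PermissionError(f"cannot grant {access} from slot {slot}")
            clist.append(Capability(cap.obj, access, owned=False))
        return Sphere(clist)


def demo():
    """Exercise inferior spheres and a protected entry point; return outcomes."""
    secret = Segment("secret", [42, 7])   # constructed sample data
    log = Segment("log", [0, 0, 0])
    # The principal's top sphere owns both segments with full rights.
    top = Sphere([Capability(secret, Access.R | Access.W, owned=True),
                  Capability(log, Access.R | Access.W, owned=True)])

    # Inferior sphere: may only write the log and never sees the secret.
    worker = top.create_sphere([(1, Access.W)])
    worker.write(0, 0, 99)
    out = {"log_after_worker": log.words[0]}
    try:
        worker.read(0, 0)
    except PermissionError:
        out["worker_read_log"] = "denied"
    try:  # attenuation only: cannot grant rights it does not hold
        worker.create_sphere([(0, Access.R | Access.W)])
    except PermissionError:
        out["worker_regrant"] = "denied"

    # Protected entry point: the sum is computed under the procedure's sphere.
    proc_sphere = Sphere([Capability(secret, Access.R)])
    summer = ProtectedProcedure("sum_secret", proc_sphere,
                                lambda sph: sph.read(0, 0) + sph.read(0, 1))
    caller = Sphere([Capability(summer, Access.X)])
    out["entry_result"] = caller.enter(0)
    try:
        caller.read(0, 0)  # caller holds X only, so direct reads are refused
    except PermissionError:
        out["caller_read_proc"] = "denied"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that every operation is mediated by the C-list in force for the running computation: an inferior sphere can be handed a strict subset of its creator's rights and cannot widen them when it creates spheres of its own, and a protected procedure lets a caller obtain a result computed over data the caller itself has no capability to read.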
This archive was generated by hypermail 2.1.6 : Mon Jan 12 2004 - 11:02:43 PST