From: Cliff Schmidt (cliff_at_bea.com)
Date: Mon Jan 12 2004 - 01:03:49 PST
The HYDRA paper describes a system for constructing operating systems,
such that "at the heart of the system, one should build a collection of
facilities of 'universal applicability' and 'absolute reliability'." It
was especially interesting to read this 1974 paper shortly after reading
the 1966 Dennis/Van Horn paper and the 1968 Dijkstra paper, each of which
was referred to (and criticized) in this paper.
Much of this paper is about philosophy of kernel design. In fact, it begins
by enumerating a set of design principles, which are evident in the
remainder of the paper as well. These principles include separation of
mechanism and policy (only later properly explained during the discussion
of protection and security), rejection of strict hierarchical layering (as
supported by Dijkstra's THE paper), and protection (borrowing concepts from
the Dennis/Van Horn paper such as capabilities that apply to more than just
files, although the authors later take issue with the ownership concept).
The paper describes the relationship of procedures, local name spaces (LNS),
and processes. The discussion of caller dependent and independent
capabilities sounded like compile-time and execution-time differences, which
come together during execution as parts of the LNS. I find myself
interested in how each paper defines a process; this one defines it as a
"stack of LNS's which represents the cumulative state of a single sequential
task", since LNS's are created and destroyed as the kernel moves the process
through varying circumstances.
The authors recognize the benefits of a hierarchical system, they
believe that it is not practical. They, instead, see their problem as
maintaining order in a real-world environment without the restrictions
imposed by a hierarchy. Then they describe objects as abstractions of
resources. Capabilities are borrowed from the Dennis/Van Horn paper;
however this notion of capabilities appears to be expanded so that all
objects may contain capabilities that reference other objects. Objects
and capabilities are core concepts that enable a process CALL to correctly
setup the appropriate LNS environment.
The paper concludes with an example that does a good job of defending
their design philosophies. For example, they point out the problem with
ownership using an example where one principle creates a bibliography
application to share with others, but things get tricky when others want
to add their own references into the same database. It appears to me that
the authors have taken the concept of capabilities and expanded it so that
ownership is unnecessary. In fact, their use of capabilities allows for
a very fine level of protection, often found only at the application tier.
This archive was generated by hypermail 2.1.6 : Mon Jan 12 2004 - 01:03:51 PST