From: manish (manish_mittal_at_hotmail.com)
Date: Mon Jan 12 2004 - 08:46:37 PST
The paper talks about the design principles and protection mechanism of an experimental kernel of a multi-processor operating system named HYDRA. The primary goals of HYDRA include providing a reliable, flexible and well-protected operating system that could provide mechanisms for managing the resources of the computer. Hydra (the kernel) is a collection of facilities (or objects) from which an arbitrary set of operating system facilities and policies can be conveniently, flexibly, efficiently, and reliably constructed.
The author emphasizes flexibility throughout the paper. Some of the key considerations in designing this system are:
· Separation of mechanism and policy-
As per the author, implementation of a robust mechanism is the task of the kernel, whereas the complex decisions on policy and security are left in the hands of the person who should make them. The higher-level OS components will finally pick these up.
· Rejection of strict hierarchical layering-
The notion of hierarchical layering is simply rejected as a global design criterion. The author thinks this would limit the flexibility available to high-level users.
· Protection-
HYDRA provides protection capabilities which are more complex than the traditional read, write and execute capabilities. The kernel provides a protection facility for all entities in the system.
The Hydra protection mechanism is built with an object-oriented approach where each object in the HYDRA system has a unique name, a type part and a representation, which consists of a capability part and a data part. The HYDRA kernel provides three object types: a procedure, a local name space (LNS), and a process. A procedure is just like a subroutine or function that has data and code associated with it. An LNS is the record of an execution environment for a procedure (sort of like a stack frame). But the main component of interest is the capability: a reference to an object along with the access rights to that object. Capabilities provide a mechanism for protection without requiring adherence to any kind of hierarchical structure. The capability part lists the permissions an object has to access other objects. Each object can also contain capabilities referencing other objects.
One of the ways the Hydra design veers from standard protection and security techniques lies in its conspicuous lack of ownership. No one can "own" an object though it's possible that no other users can reference it if they don't have it in their capability list. I wonder if this might be a disadvantage, though. After all, finding out who has sole access to a file is significantly more complicated than looking up the owner.
The thing I liked about the paper is the general idea of a shift from a hierarchical structure towards a more flexible system. It's interesting to think that an operating system can be purely object-oriented in a sense. Some of the kernel primitives like CALL, RETURN, CREATE etc. are described in great detail. The author has made a significant effort in explaining the working of these primitives with procedures, LNSs, capabilities and procedure templates.
On the flip side, this paper covers a lot of abstract concepts, which makes it a difficult read. The implementation details are not covered extensively. The author has specifically mentioned numerous times in this paper that they are more concerned with philosophy than with implementation details. I did not quite understand the working of the 'Walk' primitive and its significance. The example of the man with the bibliography seems silly. Not because of the problems it brings up, but because the example doesn't explain how HYDRA actually solves these problems.
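The following is an added illustration of the capability model the review describes (objects with a c-list and a data part, capabilities as reference plus rights, CALL checked against a procedure template, and no owner field). It is not code from the HYDRA paper or from the poster; the `Rights` names, the `Kernel` class, the `restrict` attenuation rule and the `holders_of` scan are all assumptions chosen to make the ideas concrete. It also shows the review's point about the missing notion of ownership: answering "who can reference this object?" requires scanning every c-list in the system, since there is no owner to look up.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Flag, auto
from itertools import count


class Rights(Flag):
    """Access rights carried by a capability (names assumed, not HYDRA's own)."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    CALL = auto()


@dataclass(eq=False)
class KObject:
    """Unique name, type, and a representation split into c-list and data.
    There is deliberately no owner field: nothing 'owns' an object."""
    name: int
    type: str
    data: dict = field(default_factory=dict)
    clist: list[Capability] = field(default_factory=list)


@dataclass(frozen=True, eq=False)
class Capability:
    """A reference to an object plus the rights the holder has to it."""
    obj: KObject
    rights: Rights

    def restrict(self, rights: Rights) -> Capability:
        # Copying a capability can only narrow its rights, never widen them.
        return Capability(self.obj, self.rights & rights)


class ProtectionError(Exception):
    pass


class Kernel:
    """Assumed kernel: hands out capabilities and checks rights on every access."""

    def __init__(self) -> None:
        self._names = count(1)
        self.objects: list[KObject] = []

    def create(self, type_: str, data: dict | None = None) -> Capability:
        obj = KObject(next(self._names), type_, data or {})
        self.objects.append(obj)
        return Capability(obj, Rights.READ | Rights.WRITE | Rights.CALL)

    def create_procedure(self, template, code) -> Capability:
        # template: rights each argument capability must carry for CALL to succeed
        return self.create("procedure", {"template": tuple(template), "code": code})

    def read(self, cap: Capability, key: str):
        self._check(cap, Rights.READ)
        return cap.obj.data[key]

    def write(self, cap: Capability, key: str, value) -> None:
        self._check(cap, Rights.WRITE)
        cap.obj.data[key] = value

    def call(self, proc_cap: Capability, *args: Capability):
        """CALL: check the template, build an LNS for the callee, run it, then RETURN."""
        self._check(proc_cap, Rights.CALL)
        if proc_cap.obj.type != "procedure":
            raise ProtectionError("CALL target is not a procedure")
        template = proc_cap.obj.data["template"]
        if len(args) != len(template):
            raise ProtectionError("wrong number of argument capabilities")
        for i, (cap, needed) in enumerate(zip(args, template)):
            if needed not in cap.rights:
                raise ProtectionError(f"argument {i} lacks required rights {needed}")
        lns = KObject(next(self._names), "lns")
        lns.clist = list(args) + list(proc_cap.obj.clist)  # callee's environment
        self.objects.append(lns)
        try:
            return proc_cap.obj.data["code"](self, lns)
        finally:
            self.objects.remove(lns)  # RETURN discards the environment

    def holders_of(self, obj: KObject) -> list[int]:
        """Without an owner field, only a scan of every c-list answers 'who can reference obj?'."""
        return [o.name for o in self.objects if any(c.obj is obj for c in o.clist)]

    @staticmethod
    def _check(cap: Capability, right: Rights) -> None:
        if right not in cap.rights:
            raise ProtectionError(f"capability lacks {right}")


def demo() -> dict:
    """Constructed scenario: alice holds a full capability, bob an attenuated read-only copy."""
    k = Kernel()
    full = k.create("file", {"text": "draft"})
    ro = full.restrict(Rights.READ)
    alice = k.create("process"); alice.obj.clist.append(full)
    bob = k.create("process");   bob.obj.clist.append(ro)

    def append_mark(kernel: Kernel, lns: KObject):
        target = lns.clist[0]
        kernel.write(target, "text", kernel.read(target, "text") + "!")
        return kernel.read(target, "text")

    proc = k.create_procedure([Rights.READ | Rights.WRITE], append_mark)
    out = {"alice_call": k.call(proc, full)}
    try:
        k.call(proc, ro)
    except ProtectionError as e:
        out["bob_call"] = str(e)
    try:
        k.write(ro, "text", "tampered")
    except ProtectionError as e:
        out["bob_write"] = str(e)
    out["bob_read"] = k.read(ro, "text")
    out["holders"] = k.holders_of(full.obj)
    return out
```

Running `demo()` shows alice's CALL succeeding, bob's CALL and direct write both refused by the kernel's rights check, and `holders_of` having to walk every object's c-list to discover that both processes can reference the file.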
This archive was generated by hypermail 2.1.6 : Mon Jan 12 2004 - 08:40:22 PST