From: Richard Jackson (richja_at_expedia.com)
Date: Mon Jan 12 2004 - 10:51:46 PST
Wolf, et al wrote this 1974 paper to describe an actual kernel for a
multiprocessor operating system called HYDRA. Though the paper was
based on a real system, most of the paper described fundamental design
concepts rather than specific implementation details.
First, the authors of this paper carefully explained their design
philosophy and enumerated the following key principles that embody their
kernel: 1) multiprocessor environment, 2) separation of mechanism and
policy, 3) integration of the design with implementation methodology, 4)
rejection of strict hierarchical layering(contrary to the design
proposed in THE paper), 5) protection, 6) reliability. Of these, I
think the paper focused mainly on #2 and #5; most of the paper was a
discussion of protection. While I appreciate the importance of these
areas, I think the paper could include more information about other
kernel issues.
The main notion of this paper is that the HYDRA kernel is managing a set
of objects/resources that are used by various subsystems outside of the
kernel(such as the file system). The design of HYDRA permits a resource
to be defined arbitrarily, along with a set of access routines,
capabilities, etc. I found this somewhat similar to object-oriented
design, where one defines an object and the various methods that act on
that object. As an example, the paper made a clear distinction between
a basic file object and something that looks like a file object but
should not be treated exactly like a file object (a bibliography). In
this case, they created specific methods for accessing the bibliography,
based on the necessary requirements.
The main portion of the paper discusses the execution environment within
HYRDA. Here, they describe three key entities: a procedure(code + data
+ protection capabilities), a LNS(local name space, a record of the
execution environment of a procedure), and a process(context of a
procedure call, described as a stack of LNS's). There was also a
discussion of various types of parameters that may be passed to a
procedure. They described two distinct classes of parameters:
caller-dependent and caller-independent, based on whether or not
knowledge of the parameter values exists at procedure-creation time.
Also introduced was a concept called templates, which is a placeholder
for caller-dependent parameters.
The second main section described the protection mechanism. It went
into detail about how the protection scheme uses objects(a resource) and
capabilities(reference to an object, including the access rights), and
it gave information about the specific data structures used to describe
each of these. One key concept was that a callee may have more rights on
an object than the caller. This concept was hard to understand until I
read the telephone-repair example at the very end of the paper.
The paper is concluded with a great example based on a shared
bibliography system. This example really demonstrates the power and
flexibility of the HYDRA system.
The major strengths of this paper are:
1) Well-designed method for supporting a flexible protection
environment, for any type of object.
2) Excellent real-world example showing how the generic concepts can be
applied
The weaknesses of this paper are:
1) Focuses too much on protection. Based on the title, I expected a
broader discussion of kernel issues.
Overall, I found this paper to be very interesting, though quite
abstract. I think that such a system has potential to be very powerful,
but it is so generic that it is difficult to predict exactly how it can
be used. Perhaps this is now an accepted method of building a kernel,
but it seems to me that this system is too generic. In fact, the
authors noted at the end of the paper that the lack of subsystems made
the kernel mostly unusable, until such subsystems were created.
This archive was generated by hypermail 2.1.6 : Mon Jan 12 2004 - 10:51:58 PST