From: Sellakumaran Kanagarathnam (sellak_at_windows.microsoft.com)
Date: Mon Jan 12 2004 - 12:25:12 PST
The paper describes the design philosophy of the kernel of an operating
system for C.mmp, gives an overview of the HYDRA environment, and covers
the protection mechanism and the relationship between the system and its
subsystems.
The authors start with the two design goals that HYDRA had: 1) to provide an
environment for effective utilization of the hardware resources and 2)
to facilitate the construction of such environments. The C.mmp can have up
to 16 processors and 32 MB of shared primary memory.
The central goal of the system is to build a collection of highly
applicable and reliable facilities from which an arbitrary set of
operating system facilities and policies can be conveniently, flexibly,
efficiently and reliably constructed. The collection of such facilities
is the kernel or nucleus of an operating system. The authors put more
emphasis on flexibility of the kernel so that future extensions are
permitted. The authors list six specific considerations for the design:
1) Multiprocessor environment.
2) Separation of mechanism and policy - In the authors' words, such
separation contributes to the flexibility of the system, for it leaves
the complex decisions in the hands of the person who should make them -
the higher-level systems designer.
3) Integration of the design with implementation methodology - The
authors incline towards a hybrid of structured programming as advocated
by Dijkstra and the modularization philosophy of Parnas.
4) Rejection of strict hierarchical layering - The authors reject
the popular notion of strict layering proposed by Dijkstra.
5) Protection - Protection should be applicable to all entities in
a uniform way; in addition to the traditional r/w/x capabilities, arbitrary
protection conditions should be allowed.
6) Reliability - In addition to the system being correct, it should
be able to detect and recover from errors.
Next the authors discuss what belongs in the kernel and what does not. The
mechanisms provided are intended to support the abstract notion of
resources, the creation of new types of resources and operations defined on
them, and protected access to their instances. The key aspects are the
generalized notion of a resource, the definition of an execution domain and
the protection mechanism.
The authors describe the three primitive object types: procedure, LNS
(Local Name Space) and process. The procedure object is an abstraction of a
procedure or subroutine with protection facilities. While a procedure is a
static entity, a Local Name Space is the record of the execution environment
of a procedure when that procedure is invoked (called). A process is the
smallest entity that can be scheduled for execution. A capability
consists of a reference to an object together with a collection of
access rights to that object.
In the authors' view protection is a mechanism and security is a policy, and
this makes good sense. The authors boldly state that their intention
is to provide only mechanisms and that no policies will be provided
inherently. I think that even though flexibility and extensibility
should be the key, the system should inherently support some basic
security which can be turned off if needed by some people.
HYDRA provides a protection mechanism for the application of operations
to instances of resources. With this mechanism, the familiar security
for files and memory (the resources, with read and write as the
operations) can be conveniently modeled.
They explain how capabilities and their derivation are the key to their
protection mechanism. The caller's capabilities and the procedure's
capabilities are merged to determine the final protection. There are two
types of rights in the rights list: kernel rights (type-independent) and
auxiliary rights (type-dependent).
Given the core kernel, all the other facilities of the OS, such as the file
system or command interpreters, can be constructed as subsystems by
creating new object types and a collection of operations (procedures)
for those objects. These subsystems can effectively make use of the
protection mechanism by adding their own security policies. This offers
great flexibility, which is one of the successes of this design.
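To make the capability model described above concrete (a capability as an object reference plus rights, derivation that can only narrow rights, the merge of caller and procedure capabilities into an LNS at invocation, kernel versus auxiliary rights, and a subsystem layering its own policy on the kernel mechanism), here is a small Python simulation. It is an added illustration for this review, not code from the HYDRA paper or system; the concrete right names, the "file" and "log" types, the per-parameter rights templates, and the audit-log policy are all assumptions made for the example.

```python
"""Toy model of HYDRA-style capabilities (added example, not HYDRA code).

Assumed, not taken from the paper: right names, the "file"/"log" types,
and per-parameter templates checked by invoke() before the LNS is built.
"""
from dataclasses import dataclass, field

# Kernel rights are type-independent: every object type has them.
KERNEL_RIGHTS = frozenset({"read", "write", "execute"})


@dataclass(frozen=True)
class ObjectType:
    name: str
    aux_rights: frozenset = frozenset()   # type-dependent (auxiliary) rights

    def valid_rights(self):
        return KERNEL_RIGHTS | self.aux_rights


@dataclass(eq=False)                      # identity equality: an object is a reference
class Obj:
    otype: ObjectType
    state: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Capability:
    """A reference to an object plus a set of rights on that object."""
    obj: Obj
    rights: frozenset

    def derive(self, rights):
        """Derivation may only narrow rights; nobody can amplify their own."""
        rights = frozenset(rights)
        extra = rights - self.rights
        if extra:
            raise PermissionError(f"cannot derive rights not held: {sorted(extra)}")
        return Capability(self.obj, rights)

    def has(self, right):
        if right not in self.obj.otype.valid_rights():
            raise ValueError(f"{right!r} is not a right of type {self.obj.otype.name}")
        return right in self.rights


class LNS:
    """Local Name Space: the capability list of one activation of a procedure."""
    def __init__(self, caps):
        self.caps = list(caps)


@dataclass(eq=False)
class Procedure:
    name: str
    params: tuple      # one frozenset of required rights per capability argument
    own_caps: tuple    # capabilities the procedure holds regardless of the caller
    body: object       # body(lns, caller_caps, *data)


def invoke(proc, caller_caps, *data):
    """Kernel mechanism: check each argument against its template, merge, run."""
    if len(caller_caps) != len(proc.params):
        raise TypeError(f"{proc.name}: expected {len(proc.params)} capability arguments")
    for cap, required in zip(caller_caps, proc.params):
        missing = required - cap.rights
        if missing:
            raise PermissionError(f"{proc.name}: caller lacks {sorted(missing)}")
    # The LNS merges the procedure's own capabilities with the caller's arguments.
    lns = LNS(tuple(proc.own_caps) + tuple(caller_caps))
    return proc.body(lns, caller_caps, *data)


# A subsystem built on the mechanism: a minimal "file" type with one operation.
FILE = ObjectType("file", frozenset({"append", "truncate"}))
LOG = ObjectType("log")


def make_file_subsystem():
    """Return the append procedure and an audit log only that procedure can write."""
    audit_log = Obj(LOG, {"entries": []})

    def append_body(lns, caps, text):
        target = caps[0]
        target.obj.state["content"] += text
        # Policy chosen by the subsystem, not the kernel: record every append.
        # lns.caps[0] is the procedure's own log capability; callers never hold it.
        lns.caps[0].obj.state["entries"].append(f"append {len(text)} chars")
        return target.obj.state["content"]

    append = Procedure("file$append", (frozenset({"append"}),),
                       (Capability(audit_log, frozenset({"write"})),), append_body)
    return append, audit_log


def demo():
    append, audit_log = make_file_subsystem()
    f = Obj(FILE, {"content": "hello"})           # constructed sample object
    owner = Capability(f, frozenset({"read", "write", "append", "truncate"}))
    reader = owner.derive({"read"})               # narrowed copy for another party
    content = invoke(append, [owner], " world")
    try:
        invoke(append, [reader], "!")             # reader lacks the auxiliary "append"
        reader_denied = False
    except PermissionError:
        reader_denied = True
    try:
        reader.derive({"write"})                  # derivation cannot add rights
        amplified = True
    except PermissionError:
        amplified = False
    return content, reader_denied, amplified, len(audit_log.state["entries"])


if __name__ == "__main__":
    print(demo())   # ('hello world', True, False, 1)
```

The kernel part (`invoke`, `derive`, `has`) knows nothing about files; it only checks rights names against the type and templates. Everything that is policy, such as logging appends, lives in the subsystem's procedure body and relies on a capability the caller never sees, which is what the review means by subsystems adding security policies on top of the kernel's mechanism.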
The paper clearly defines the goals and concepts, focuses on the
protection and flexibility aspects of the kernel, and substantiates them
with an example. Since the subsystems had not been built at that time, there
is no information on the actual user experience of the OS (HYDRA + subsystems).
Overall, this paper seems to convincingly detail the flexibility offered
with the separation of protection and security and uniform abstraction
of resources and operations.
This archive was generated by hypermail 2.1.6 : Mon Jan 12 2004 - 12:25:08 PST