HYDRA: Kernel of a Microprocessor System

  • C.mmp: Computer.multi-mini-processor
    • up to 16 PDP-11 processor
    • up to 32 MB shared memory

Main Point

  • Capability-based operating system nucleus
  • High-level, interesting design principles?
    • seperate mechanism and policy (what are the difference?)
      • protection is a mechanism, security is a policy
    • Rejects hierarchy -- which limit flexibility

Terminologies

  • What's the difference between Hydra's procedure from what we know?
    • The protection is procedure-based

Objects

  • Everything is an object.
    • unique name: 64 bits
    • Type
    • Data
    • Capability

Three object types

Local Name Space(LNS)

  • What's it?
    • Represents an "execution domain"
    • LNS is the record of the execution environment of a procedure when that procedure is invoked (called).
    • It is like a call stack.
    • (It is a run-time concept).
  • What does it include?
    • List of object pointers (capabilities) that the current execution domain can access.
    • Local variables, parameters, etc.
    • Transitive closure of all capabilities (limited by "walk" rights)

Procedure

  • Procedure is an static entity

    • Procedure = code + operations + data + capability (also an object)
    • Capability
      • 2 main types of rights: kernel rights(read, write, exe) and auxiliary rights(user defined)
      • Capabilities themselves are manipulated only by the kernel

  • Templates: define type and capability signatures

  • Parameters: must match the type as well as the signature
    • "check-rights" field used to match capabilites in dynamic parameters signature
    • This is how we check for "delete" right on the file
  • LNS for the procedure has a pointer to the parameter, but a right list defined by template

process

  • a stack of LNS’s -> represents the cumulative state of a single sequential task
    • interprocess communication:
      • message buffering
      • semaphore operation -> shared memory

Right Amplification

  • Called procedure may have more rights than caller. however, caller cannot use those rights after returning from the procedure.
  • OS have this today in a monolithic form
    • invoke a system call, take on privileges of kernel

Protection mechanism

  • protection is a mechanism and security is a policy
  • discard the notion of “ownership” -> it’s a security policy
  • rejection of hierarchical structure -> avoid the “most privileged” layer gain all power
  • Hydra provides a protection mechanism for the application of operations (procedure) to instances of resources (objects)

Discussion

  • Program with capabilities?
  • Does Linux or Windows have capabilities?
    • open file -- capabilities check
  • Why do you think we don't have capability sytem today? Windows has a very rich ACL model for files, much more than UNIX. What's your take on this?
    • Flexibility vs. Easy-to-use
      • Hydra gives large flexibility to user, but it makes programming not easy-to-use.

Summary

  • Capability-based protection mechanism
  • An example of "nucleus" system (primitives for building OS subsystems on top, microkernel, RC4000)

results matching ""

    No results matching ""