 Printer-Friendly
Version
|
Next: Partitioned Capabilities
Up: 03-caps
Previous: Capabilities
Subsections
- Tag bit(s) with every (group of) memory word(s):
- Tags identify capabilities.
- Capabilities are used like ``normal'' pointers.
- Hardware checks permissions on dereferencing capability.
- User code can copy capabilities.
- Modifications turn tags off.
- Only privileged instructions (kernel) can turn tags on.
- Propagation easy.
- Restriction requires kernel to make new capability.
- Revocation virtually impossible (memory scan!)
- Amplification possible (see below).
- Accessibility impossible to determine.
- Protection domain difficult to establish.
- IBM System/38[Ber80], AS/400[Sol97], many historical systems.
- AS/400 has a segmented memory architecture.
- Capabilities confer rights over segments.
- Capabilities can confer invocation rights.
- Each user has a profile, which is essentially a capability
list.
- Capabilities can be of profile adoption type:
- On invocation, segment owner's profile is added to caller's
protection domain.
- Normal pointers can be dereferenced if the profile contains
appropriate capabilities.
- On return, profile adoption is cancelled.
- User can denote subset of their profile to be used in adoption
(profile propagation).
- Disk has no tags.
- AS/400 page size is 4kB.
- Physical disk blocks are 520B, logical blocks 512B.
- Extra 64B per page store tag bits (among others).
- On page-out page must be scanned and all tags collected.
- On page-in all tags must be reconsituted.
- Significant processing overhead with all I/O.
- Secure through hardware protection.
- Convenient for applications (appear as ``normal'' pointers).
- Checked by hardware
==> fast validation.
- Hardware solution is not for everyone.
- Capability hardware is complex (and slow?)
- Separate mechanisms required for I/O and distribution.
Next: Partitioned Capabilities
Up: 03-caps
Previous: Capabilities
Gernot Heiser
2002-08-15
|
![[CSE]](images/cse.gif)