Advanced Operating Systems   COMP9242 2002/S2

UNSW

Printer-Friendly Version Administration                - Notices - Course Intro - Consultations # On-line Survey (closed) - Survey Results   Work - Lectures - Milestone 0 - Project Admin - Project Spec - Project FAQ - Exam   Documentation - ASysT Lab - L4 source browser - Sulima ISA Simulator - R4x00 ISA Summary  - MIPS R4700 Reference - MIPS R4000 User Manual  - Network Driver - GT64111   Related Info - Aurema OS Prize - OS Hall of Fame   History - 2000 - 1999 - 1998   Staff - Gernot Heiser (LiC)

Partitioned Capabilities System maintains capability list (clist) with each process (in PCB). User code uses indirect references to capabilities (clist index). System validates access via clist when mapping any page. Validation is implicit at page fault or explicit mapping time. Propagation: system intervention to copy between clists. Restriction: kernel to make new capability. Revocation: kernel to remove cap from all (or specific) clists. Accessibility can only be determined by scanning all clists. Protection domain is explicitly represented in clist. Hydra[CJ75], Mach[RTY$^+$88], KeyKOS[BFF$^+$92], Grasshopper[DdBF$^+$94], Eros[SSF99] and many others. Propagating partitioned capabilities (MACH): Capabilities can be propagated via IPC. User must insert capabilities (clist indices) into special field in message. Kernel looks up clists and inserts representation of ``real'' capability (marshaling). Receiver's kernel inserts capabilities into receiver's clist. Kernel replaces capability in message by clist index. Can be simplified if IPC is local. Amplification can be performed by schemes similar to AS/400. Partitioned capabilities summary Secure through kernel protection. Validation at mapping time ==> apps use ``normal'' pointers. Fast validation (clist check is simple, validation cached by MMU). Propagation requires marshaling and kernel intervention. Reference counting possible to detect unaccessible objects.