Capability Concept Mechanisms and Structure in System 250
Presented by: Hua Zhang
COP 6614, Fall 2005
Outline
• Introduction
• Capability
• Program
• Resource
• Process
• Additional Features
• Conclusion
• Reference
Introduction

System                          | Developer                   | Year | Attributes
Rice University Computer        | Rice University             | 1959 | Segmented memory with "codeword" addressing
Dennis and Van Horn Supervisor  | MIT                         | 1966 | Conceptual design for capability supervisor
System 250                      | Plessey Corp, U.K.          | 1969 | First industrial capability hardware and software system
Hydra                           | Carnegie-Mellon University  | 1971 | Object-based multiprocessor O.S.
iAPX 432                        | Intel, Aloha, OR            | 1981 | Highly-integrated object-based microprocessor system

• The idea of Capability
  – was introduced in 1966 by J. B. Dennis and E. C. Van Horn
• System 250
  – Developed by Plessey Company Limited
  – First Capability machine realized in hardware
System 250
• Multi-processor system
• Any CPU can access any store word
• Storage space is allocated dynamically in segments of arbitrary sizes
• A single address space is employed
• A segment is addressed by a unique reference called a "Capability"
Capability
Capability Registers
• The CPU contains 8 Data Registers and 8 Capability Registers
• A Capability is used to address fast store
  – A Store Module address
  – The base and limit addresses
  – Access field
• CPU instructions access words within a segment by a reference to the Capability Register which defines it
Access Field
• 6 bits
• Data types
  – Read Data
  – Write Data
  – Execute
• Capability types
  – Read Capability
  – Write Capability
  – Enter
• Certain combinations, e.g. write data and read capability, are not allowed
Functions of Capability Register
• Provide an addressing base for segments in fast store
• Protect segments against illicit operations
• Limit the scope of a program and thus protect the data outside this scope from illicit access
Load Capability Instruction
• Makes Capability Registers different from conventional base/limit registers
  – There is no way for a program to alter base/limit registers
• A program can access as many segments as it needs during execution, while remaining bounded by the set of Capability values that its Capability segments contain
System Capability Table
• Why use an SCT
  – The physical address changes when a segment is moved
• Contents of the SCT
  – Physical addresses of segments
• Capability value
  – Access field and offset in the SCT
  – Stored in the Capability Segment of each program
  – Different programs can have different rights on one SCT entry
System Capability Table
• Load Capability
  – Use CR 6 plus an offset to locate the capability value
  – Use the SCT OFFSET to locate the entry in the SCT
  – The ACCESS field is copied from the capability value
  – The rest is copied from the SCT entry
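The slides on Capability Registers, the Access Field, the Load Capability instruction and the System Capability Table describe one mechanism, so here is a single worked model of it. This is an added example written for these notes, not Plessey code or code from the cited papers: the type names (CapValue, SctEntry, CapReg, Machine), the bit positions inside the six-bit access field, the treatment of the limit as an inclusive last address, and the sample store layout are all assumptions. It shows the four steps of Load Capability (CR 6 plus offset, SCT offset, access copied from the value, base/limit copied from the SCT entry), a data word being refused as a capability, bounds and rights checks on every access, two programs holding different rights on the same SCT entry, and a segment being moved without any program's capability value changing.

```python
"""Toy model of System 250 capability addressing through the SCT. Added
example, not Plessey code: type names, access-field bit layout and the
inclusive limit address are assumptions made for illustration."""
from collections import namedtuple

# Six access rights named on the slides; bit positions assumed.
READ_DATA, WRITE_DATA, EXECUTE, READ_CAP, WRITE_CAP, ENTER = 1, 2, 4, 8, 16, 32
# The slides cite "write data + read capability" as a forbidden pair: a program
# able to write arbitrary words and then load them as capabilities could forge
# rights.  Further forbidden pairs would be added to this tuple.
FORBIDDEN = (WRITE_DATA | READ_CAP,)

CapValue = namedtuple("CapValue", "access sct_offset")  # held in a capability segment
SctEntry = namedtuple("SctEntry", "base limit")         # where the segment lives now
CapReg = namedtuple("CapReg", "access base limit")      # a loaded capability register


class ProtectionError(Exception):
    """Access outside the rights or bounds of a capability."""


class Machine:
    def __init__(self, sct: dict, store: list):
        self.sct, self.store = sct, store   # store words are ints or CapValues
        self.cr = [None] * 8                # capability registers CR0..CR7

    def _locate(self, reg: int, offset: int, right: int) -> int:
        cap = self.cr[reg]
        if cap is None or not cap.access & right:
            raise ProtectionError(f"CR{reg} lacks right {right:#08b}")
        if offset < 0 or cap.base + offset > cap.limit:
            raise ProtectionError(f"offset {offset} outside CR{reg} segment")
        return cap.base + offset

    def load_capability(self, dst: int, offset: int) -> CapReg:
        """Load Capability: CR6 + offset -> capability value -> SCT -> CR[dst]."""
        value = self.store[self._locate(6, offset, READ_CAP)]
        if not isinstance(value, CapValue):          # a data word cannot be loaded
            raise ProtectionError("word is not a capability value")
        if any(value.access & f == f for f in FORBIDDEN):
            raise ProtectionError("forbidden access combination")
        entry = self.sct[value.sct_offset]
        self.cr[dst] = CapReg(value.access, entry.base, entry.limit)
        return self.cr[dst]

    def read_data(self, reg: int, offset: int) -> int:
        word = self.store[self._locate(reg, offset, READ_DATA)]
        if isinstance(word, CapValue):               # the tag travels with the word
            raise ProtectionError("capability value read as data")
        return word

    def write_data(self, reg: int, offset: int, word: int) -> None:
        self.store[self._locate(reg, offset, WRITE_DATA)] = word

    def move_segment(self, sct_offset: int, new_base: int) -> None:
        """Relocate a segment: only its SCT entry changes, no capability value does."""
        e = self.sct[sct_offset]
        n = e.limit - e.base + 1
        self.store[new_base:new_base + n] = self.store[e.base:e.limit + 1]
        self.sct[sct_offset] = SctEntry(new_base, new_base + n - 1)

    def enter_program(self, central: int) -> None:
        """Point CR6 at a program's central capability segment (Call does this)."""
        e = self.sct[central]
        self.cr[6] = CapReg(READ_CAP, e.base, e.limit)


def build_machine() -> Machine:
    # Constructed sample: programs A and B share SCT entry 2 with different rights.
    store = [0] * 64
    sct = {0: SctEntry(0, 7),       # A's central capability segment
           1: SctEntry(8, 15),      # B's central capability segment
           2: SctEntry(16, 31)}     # shared data segment
    store[0] = CapValue(READ_DATA | WRITE_DATA, 2)   # A: read and write
    store[1] = 42                                    # a plain data word
    store[8] = CapValue(READ_DATA, 2)                # B: read only
    store[9] = CapValue(WRITE_DATA | READ_CAP, 2)    # forbidden combination
    return Machine(sct, store)


def attempt(action) -> str:
    try:
        action()
        return "allowed"
    except ProtectionError:
        return "denied"


def demo() -> dict:
    m, out = build_machine(), {}
    m.enter_program(0)
    m.load_capability(0, 0)                          # CR0 <- entry 2, A's rights
    m.write_data(0, 3, 99)
    out["a_reads"] = m.read_data(0, 3)
    out["forge"] = attempt(lambda: m.load_capability(1, 1))   # data word as cap
    out["bounds"] = attempt(lambda: m.read_data(0, 16))       # past the limit
    m.enter_program(1)
    m.load_capability(0, 0)                          # same entry, B's rights
    out["b_reads"] = m.read_data(0, 3)
    out["b_write"] = attempt(lambda: m.write_data(0, 3, 1))
    out["forbidden"] = attempt(lambda: m.load_capability(2, 1))
    m.move_segment(2, 40)
    m.load_capability(0, 0)                          # reload sees the new base
    out["after_move"] = (m.cr[0].base, m.read_data(0, 3))
    return out
```

The point worth noticing is that no code path ever lets a program write a value that later loads as a capability: capability values can only be placed by the store allocator (here, by `build_machine`), every store word carries its data-or-capability tag, and relocation touches only the SCT, which is why a capability value can hold an SCT offset rather than a physical address.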
Capability as Access Right
• To develop the concept of Capability further
  – Disassociate it from addressing physical locations in fast store
  – Use it to address any device in the system
  – Virtual Capability Register
• Access field
• Segment identity field
Concept of Capability
• A Capability is an access right for a segment of store
• The segment may be operated upon by suitable CPU instructions when the capability is loaded into a Capability Register
• No segment may be accessed except by means of a Capability
Program
Structure of Program Package
• Central Capability Segment
  – Defines a number of satellite segments
  – One code segment
  – One data structure
• CR 7 – code segment
• CR 6 – central capability segment
Structure of Program
• Consists of a number of program packages
• Enter access type
  – Needed for one program package to call another
  – Held on the central capability segment of the callee
  – Protects the data structure of the callee
Resource
Dynamic Allocation of Resource
• No privileged mode is needed
  – The operating system consists of a set of program packages called through the Enter access type
• Package Store Allocator
  – Called during execution of a program
  – Allocates a segment and creates a Capability for it
  – The ONLY place where Capabilities can be manufactured
  – More complex program packages can be built on top of it to allocate arbitrarily complex resources
Structure of Resource
• Same structure as a program package
• Data structures are protected
• A resource can be arbitrarily complex
Process
Structure of Process
• Created by a Process Allocator package
• Called the "process data structure"
• CR 7 – the first segment of the process data structure
• Newly created segments can be added using the Store Capability instruction
Call, Return and Store Capability
• Call
  – Store CR 6, CR 7 and IAR to the stack
  – Load an Execute type Capability into CR 7
  – Load an Enter type Capability into CR 6
  – Give Read type Capability of CR 6 to CR 7
• Return
  – Restore CR 6, CR 7 and IAR from the stack
• Storing and restoring CR 6 provides mutual protection.
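The Call and Return sequence above, together with the Enter access type from the Structure of Program slide, as an added example written for these notes (not Plessey code). Segments are referred to by name instead of through the SCT, word 0 of a package's central capability segment is taken to be its Execute capability, and the reading that Call converts the caller's Enter right on the callee's central capability segment into a Read Capability right in CR 6 for the duration of the call is an assumption drawn from the slide; the package names and sample segments are constructed. The model shows the caller being unable to read the callee's capability segment directly, the callee reaching its own data after Call, the caller's CR 6, CR 7 and IAR coming back unchanged on Return, and a Call through a non-Enter capability being refused.

```python
"""Toy model of System 250 Call and Return through Enter capabilities.
Added example, not Plessey code; see the lead-in for the assumptions."""
from collections import namedtuple

READ_DATA, WRITE_DATA, EXECUTE, READ_CAP, WRITE_CAP, ENTER = 1, 2, 4, 8, 16, 32
Cap = namedtuple("Cap", "access segment")   # access field + segment name


class ProtectionError(Exception):
    pass


class Process:
    def __init__(self, segments: dict, cr6: Cap, cr7: Cap, iar: int):
        self.seg = segments           # segment name -> list of words
        self.cr6, self.cr7, self.iar = cr6, cr7, iar
        self.dump_stack = []          # area named by the Dump Stack Capability Register

    def load_cap(self, base: Cap, offset: int) -> Cap:
        """Load Capability relative to a register; needs the Read Capability right."""
        if not base.access & READ_CAP:
            raise ProtectionError(f"{base.segment}: no read-capability right")
        word = self.seg[base.segment][offset]
        if not isinstance(word, Cap):
            raise ProtectionError("word is not a capability")
        return word

    def call(self, offset: int) -> None:
        """Call: dump CR 6/CR 7/IAR, then enter the package named by an Enter cap."""
        target = self.load_cap(self.cr6, offset)
        if not target.access & ENTER:
            raise ProtectionError(f"{target.segment}: no enter right")
        self.dump_stack.append((self.cr6, self.cr7, self.iar))
        callee_central = Cap(READ_CAP, target.segment)   # Enter -> Read Capability
        code = self.load_cap(callee_central, 0)          # Execute cap for CR 7
        if not code.access & EXECUTE:
            raise ProtectionError(f"{code.segment}: not executable")
        self.cr7, self.cr6, self.iar = code, callee_central, 0

    def ret(self) -> None:
        """Return: restore the caller's CR 6, CR 7 and IAR from the dump stack."""
        self.cr6, self.cr7, self.iar = self.dump_stack.pop()


def build_process() -> Process:
    # Constructed sample: package "main" may call "alloc" but not read its segments.
    segments = {
        "main_code": ["<main instructions>"],
        "main": [Cap(EXECUTE, "main_code"), Cap(ENTER, "alloc")],
        "alloc_code": ["<allocator instructions>"],
        "alloc_data": [0, 0, 0],      # kept private to the allocator package
        "alloc": [Cap(EXECUTE, "alloc_code"), Cap(READ_DATA | WRITE_DATA, "alloc_data")],
    }
    return Process(segments, Cap(READ_CAP, "main"), Cap(EXECUTE, "main_code"), 5)


def attempt(action) -> str:
    try:
        action()
        return "allowed"
    except ProtectionError:
        return "denied"


def demo() -> dict:
    p, out = build_process(), {}
    enter_cap = p.load_cap(p.cr6, 1)                 # main holds only an Enter cap
    out["direct_read"] = attempt(lambda: p.load_cap(enter_cap, 1))
    p.call(1)                                        # enter the allocator package
    out["inside"] = (p.cr6.segment, p.cr7.segment, p.iar)
    out["callee_data"] = p.load_cap(p.cr6, 1).segment    # callee reaches its data
    out["caller_state_dumped"] = len(p.dump_stack)
    p.ret()
    out["after_return"] = (p.cr6.segment, p.cr7.segment, p.iar)
    out["bad_enter"] = attempt(lambda: p.call(0))    # word 0 is Execute, not Enter
    return out
```

The mutual protection the slide mentions falls out of the two register moves: the caller never gets a readable capability for the callee's segments (only Enter), and the callee never sees the caller's CR 6 because it sits on the dump stack until Return.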
Process Dump Stack
• Defined by a special Dump Stack Capability Register
• The stack area
  – Preserves the CR 6, CR 7 and IAR values during a Call instruction
• A dump area
  – The remaining register values can be preserved on interrupt or context change
Additional Features
Additional Features
• Mixed segments
  – Can include both data and capability values
  – Removes the rigid distinction between data and capability segments
  – Provides greater flexibility
  – To keep the protection, the distinction between data and capability types attaches to the values themselves
Additional Features
• Process Workspace Stack
  – Supplies a package automatically with working space when it is called during the execution of a process
  – Referenced relative to the stack pointer
  – Preserves and protects a package's working data when a further package is called, by incrementing the stack pointer by a suitable value
Conclusion
• Using capabilities in System 250 provides a uniform addressing and protection mechanism for all resources in the system
• Facilitates information sharing and protection between processes
• No privileged mode is needed, thus saving the time spent switching between kernel and user levels as in many other systems
Reference
• England, D. M., "The Capability Concept Mechanism and Structure in System 250", IRIA International Workshop on Protection in Operating Systems, Rocquencourt, 1974, pp. 63-82.
• Levy, H., Capability-based Computer Systems, Digital Press, 1984.