HYDRA: Kernel of a Microprocessor System

  • C.mmp: Computer.multi-mini-processor
    • up to 16 PDP-11 processors
    • up to 32 MB shared memory

Main Point

  • Capability-based operating system nucleus
  • High-level, interesting design principles?
    • Multiprocessor: sensible allocation of processor time, while keeping the scheduling policy flexible
    • Separation of mechanism and policy
      • protection is a mechanism (what is to be protected)
      • security is a policy (against what)
    • Rejection of strict hierarchical layering (rejects the layered structure proposed by THE)
      • limits flexibility
      • Good for control, not good for resources
    • Protection
      • In HYDRA every entity (object) is protected by the kernel; this covers ordinary reads and writes as well as any software-level notion of protection
      • Capability is the most important concept in the HYDRA design
    • Reliability
  • Which functions belong in the OS? Answer: (1) abstract the hardware (2) manage resources

Terminologies

  • What's the difference between Hydra's procedure and the procedures we already know?
    • The protection is procedure-based

Objects

  • Everything is an object.
    • unique name: 64 bits
    • Type
    • Data
    • Capability

Three object types

Capability

  • Consists of:
    • Reference to an object
    • A collection of "access rights" to that object
    • Includes information about which operations may be performed on the referenced object
  • Manipulated only by the kernel

1) Procedure

  • Procedure is a static entity

    • = code + operations + data + capabilities (also an object)
    • = code + data + protection facilities (a list of references = capabilities = permitted actions on other objects)
    • = instructions + environment
    • Capabilities include
      • 2 main types of rights: kernel rights (read, write, execute) and auxiliary rights (user-defined)
      • Capabilities themselves are manipulated only by the kernel
      • caller-independent capabilities: can be specified when the procedure is created
      • caller-dependent capabilities: can only be characterized in the procedure object, since the parameters are unknown until execution time

Templates

  • "procedure may contain a template in addition to the caller independent capability"
  • define type and capability signatures
  • Characterize the actual parameters expected by the procedure (a parameter list?)
  • When the procedure is called, the parameter templates are filled with capabilities derived from the caller's arguments.
  • Callee's rights contain:
    • Caller's rights + template's rights
    • Expansion of rights
  • Can be understood as a parameter list? Rights are derived from the parameters the caller passes in. The derivation performs the rights checks defined by the template. The callee holds the caller's rights + the rights named by the template (this is the rights augmentation / expansion of rights), so the callee might have greater freedom to operate on an object, but the caller can in no way obtain that freedom for himself.
  • "This potential expansion of rights across environment domains is a key factor in achieving the flexibility goals of the kernel and in allowing us to reject enforced hierarchical structures without introducing chaos." (P339)

  • Parameters: must match the type as well as the signature

    • the "check-rights" field is used to match capabilities against the dynamic parameter signature
    • This is how we check for the "delete" right on the file
  • The LNS for the procedure has a pointer to the parameter, but a rights list defined by the template

2) Local Name Space (LNS)

  • What's it?
    • Represents an "execution domain"
    • LNS is the record of the execution environment of a procedure when that procedure is invoked (called).
    • It is like a call stack. (It is a run-time concept).
  • What does it include?
    • The capability part of the LNS contains a list of object pointers (capabilities) that the current execution domain can access, plus the objects referenced by objects in its LNS.
    • Local variables, parameters, etc.
    • Transitive closure of all capabilities (limited by "walk" rights)

CALL mechanism

  • A procedure wants to invoke a new procedure: create an LNS for its execution domain, then transfer control
  • the capability part of the new procedure contains:
    • caller-independent part
    • parameter templates for capabilities which will be passed as actual parameters when the procedure is called
  • check type: the template contains a type attribute; check the type of the actual parameter against it
  • check rights: the template contains a "special check-rights field" for the object the procedure will need to operate on. The rights contained in the actual parameter's capability must include the rights specified in the check-rights field of the template
  • The new capability references the object passed by the caller and contains the "regular rights fields" specified by the template.
  • (special check-rights field: rights required of the caller; regular rights fields: rights the callee needs in order to operate)

Return Mechanism

  • return to the current procedure's caller

Major actions of the CALL mechanism

  • Code notifies the kernel that it wishes to call
  • Kernel examines the parameter capabilities (supplied by the caller)
  • Kernel creates a new LNS that supersedes the caller's old LNS
  • Code of the callee receives control from the kernel and begins executing
  • On completion, return control to the caller
  • Kernel deletes the callee's LNS and restores the LNS for the caller

3) Process

  • the smallest entity which can be independently scheduled for execution (I think this is more like a thread)
  • A stack of LNS's which represents the cumulative state of a single sequential task: a process is a group (a stack) of LNSs executing this one sequential task (it feels like the usual notion of a process: a chain of calls)
  • interprocess communication
    • message buffering
    • semaphore operation
    • shared memory

Right Amplification

  • The called procedure may have more rights than the caller; however, the caller cannot use those rights after returning from the procedure.
  • OSes have this today in a monolithic form
    • invoking a system call takes on the privileges of the kernel
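The CALL mechanism and the right amplification it produces, as an added simulation (not code from the HYDRA paper or these notes): the kernel checks each actual parameter against the procedure's template (type match, then caller's rights must cover the check-rights), derives a new capability whose rights come from the template, pushes the callee's LNS, and pops it on return so the caller never holds the expanded rights. Object, capability, template and procedure shapes, and the "destroy a file" scenario, are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    name: int      # HYDRA uses a 64-bit unique name; a small int stands in here
    otype: str

@dataclass(frozen=True)
class Capability:
    ref: Obj
    rights: frozenset   # kernel rights (read/write/exe) plus auxiliary, user-defined ones

@dataclass(frozen=True)
class Template:
    otype: str               # type the actual parameter must have
    check_rights: frozenset  # rights the caller's capability must already hold
    rights: frozenset        # "regular" rights the derived capability carries in the callee's LNS

@dataclass(frozen=True)
class Procedure:
    name: str
    caller_independent: tuple  # capabilities fixed when the procedure object was created
    templates: tuple           # one template per capability parameter

def derive(template, actual):
    """Kernel-side CALL check: type must match and caller's rights must cover check-rights."""
    if actual.ref.otype != template.otype:
        raise PermissionError(f"type mismatch: {actual.ref.otype} != {template.otype}")
    if not template.check_rights <= actual.rights:
        raise PermissionError(f"caller lacks {sorted(template.check_rights - actual.rights)}")
    return Capability(actual.ref, template.rights)  # same object, rights come from the template

def call(proc, actuals, lns_stack):
    """Build the callee's LNS (its capability part) and push it on the process's LNS stack."""
    derived = tuple(derive(t, a) for t, a in zip(proc.templates, actuals))
    lns = {"procedure": proc.name, "caps": proc.caller_independent + derived}
    lns_stack.append(lns)
    return lns

def ret(lns_stack):
    lns_stack.pop()         # RETURN: the callee's LNS is deleted
    return lns_stack[-1]    # the caller's LNS is current again, rights unchanged

def demo():
    # Constructed scenario: a file subsystem's "destroy" procedure taking one file parameter.
    f = Obj(name=1, otype="file")
    destroy = Procedure("destroy", (), (Template("file", frozenset({"delete"}), frozenset({"read", "write"})),))
    caller_cap = Capability(f, frozenset({"delete"}))      # caller may delete but not read/write
    stack = [{"procedure": "caller", "caps": (caller_cap,)}]
    callee = call(destroy, (caller_cap,), stack)           # rights expand inside the callee
    after = ret(stack)                                     # ...and are gone once control returns
    return callee["caps"][0].rights, after["caps"][0].rights
```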

Protection mechanism

  • protection is a mechanism (protect what) and security is a policy ( against what)
    • discard the notion of "ownership" -> it's a security policy
    • rejection of hierarchical structure -> avoids a "most privileged" layer that gains all power
  • Hydra provides a protection mechanism for the application of operations (procedure) to instances of resources (objects)
  • candidates for protection: objects (abstract notion of an arbitrary resource)
    • Have a unique name
    • May contain capabilities referencing other objects ( a significant difference from other capability based systems, satisfying the flexibility goal)
  • procedure: abstraction of an operation
  • capability: reference to an object = pointer + derivation via the CALL mechanism
    • Key to the protection mechanism
    • Directly manipulated only by the kernel
    • Includes information about which operations may be performed on the referenced object

Discussion

  • Programming with capabilities?
  • Does Linux or Windows have capabilities?
    • open file -- capabilities check
  • Why do you think we don't have capability systems today? Windows has a very rich ACL model for files, much richer than UNIX. What's your take on this?
    • Flexibility vs. ease of use
      • Hydra gives the user great flexibility, but it makes programming harder.

Summary

  • Capability-based protection mechanism
  • An example of "nucleus" system (primitives for building OS subsystems on top, microkernel, RC4000)
