Capability Concept Mechanisms and Structure in System 250


Transcript of Capability Concept Mechanisms and Structure in System 250

Page 1: Capability Concept Mechanisms and Structure in System 250

Presented by: Hua Zhang

COP6614, Fall 2005

Page 2: Outline

• Introduction
• Capability
• Program
• Resource
• Process
• Additional Features
• Conclusion
• Reference

Page 3: Introduction

• The idea of Capability was introduced in 1966 by J.B. Dennis and E.C. Van Horn
• System 250
  – Developed by Plessey Company Limited
  – First Capability machine realized in hardware

| System | Developer | Year | Attributes |
|---|---|---|---|
| Rice University Computer | Rice University | 1959 | Segmented memory with "codeword" addressing |
| Dennis and Van Horn Supervisor | MIT | 1966 | Conceptual design for capability supervisor |
| System 250 | Plessey Corp, U.K. | 1969 | First industrial capability hardware and software system |
| Hydra | Carnegie-Mellon University | 1971 | Object-based multi-processor O.S. |
| iAPX 432 | Intel, Aloha, OR | 1981 | Highly-integrated object-based micro-processor system |

Page 4: System 250

• Multi-processor system
• Any CPU can access any store word
• Storage space is allocated dynamically in segments of arbitrary sizes
• A single address space is employed
• A segment is addressed by a unique reference called "Capability"

Page 5:

Page 6: Capability

Page 7: Capability Registers

• The CPU contains 8 Data Registers, and 8 Capability Registers
• A Capability is used to address fast store
  – A Store Module address
  – The base and limit addresses
  – Access field
• CPU instructions access words within a segment by a reference to a Capability Register which defines it

Page 8: Access Field

• 6 bits
• Data Types
  – Read Data
  – Write Data
  – Execute
• Capability Types
  – Read Capability
  – Write Capability
  – Enter
• Certain combinations, e.g. write data and read capability, are not allowed

Page 9: Functions of Capability Register

• Provide an addressing base for segments in fast store
• Protect segments against illicit operations
• Limit the scope of a program and thus protect the data outside this scope from illicit access

Page 10: Load Capability Instruction

• Make Capability Registers different from conventional base/limit registers
  – No way to alter base/limit registers
• Program can access as many segments as needed during execution, while bounded by the set of Capability values which its Capability segments contain

Page 11: System Capability Table

• Why use SCT
  – Physical address changes when a segment is moved
• Contents in SCT
  – Physical addresses of segments
• Capability value
  – Access field and offset in SCT
  – Stored in the Capability Segment of each program
  – Different programs can have different rights on one SCT entry

Page 12: System Capability Table

• Load Capability
  – Use CR6 plus offset to locate the capability value
  – Use SCT OFFSET to locate the entry in SCT
  – ACCESS field is copied from capability value
  – The rest is copied from SCT entry
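The mechanism on pages 7 to 12 (capability registers holding access, base and limit; the 6-bit access field with forbidden combinations; the Load Capability path through the SCT) can be seen end to end in a small simulation. This is an added example written for this transcript, not code from the slides or from Plessey: the bit positions assigned to the six rights, the class names, and the store layout are assumptions. It shows two programs holding different rights on the same SCT entry, a read-only program's write and an out-of-bounds access being rejected, and a segment move that changes only the SCT entry while the programs' capability values stay valid.

```python
from dataclasses import dataclass

# Access-field rights. The slides name these six but not their bit positions;
# the bit assignment here is an assumption of this example.
READ_DATA, WRITE_DATA, EXECUTE = 1, 2, 4
READ_CAP, WRITE_CAP, ENTER = 8, 16, 32

# The slides state that certain combinations are not allowed and give
# "write data and read capability" as the example; this encodes just that one.
FORBIDDEN_COMBINATIONS = (WRITE_DATA | READ_CAP,)


def check_access_field(access: int) -> None:
    """Reject an access field wider than 6 bits or mixing forbidden rights."""
    if not 0 <= access <= 0b111111:
        raise ValueError("access field is 6 bits")
    for combo in FORBIDDEN_COMBINATIONS:
        if access & combo == combo:
            raise ValueError(f"forbidden rights combination {access:06b}")


@dataclass
class SCTEntry:
    """One System Capability Table entry: where the segment currently lives."""
    base: int    # physical address of the first word
    limit: int   # number of words in the segment


@dataclass
class CapabilityRegister:
    """What a loaded capability register holds: rights plus base/limit."""
    access: int
    base: int
    limit: int


class Machine:
    def __init__(self, sct, store_size=64):
        self.sct = sct                  # list of SCTEntry, indexed by SCT offset
        self.store = [0] * store_size   # the single shared address space
        self.cr = [None] * 8            # the CPU's 8 capability registers

    def load_capability(self, reg, capability_segment, offset):
        """Load Capability: fetch (ACCESS, SCT OFFSET) from the program's capability
        segment (the one CR6 designates on the real machine), then build the
        register from that access field plus the base/limit in the SCT entry."""
        access, sct_offset = capability_segment[offset]
        check_access_field(access)
        entry = self.sct[sct_offset]
        self.cr[reg] = CapabilityRegister(access, entry.base, entry.limit)

    def _checked(self, reg, right, index):
        """Every word access goes through a register: right and bounds are checked."""
        cr = self.cr[reg]
        if cr is None:
            raise PermissionError(f"CR{reg} holds no capability")
        if not cr.access & right:
            raise PermissionError(f"CR{reg} lacks right {right:06b}")
        if not 0 <= index < cr.limit:
            raise IndexError(f"offset {index} outside segment limit {cr.limit}")
        return cr.base + index

    def read_word(self, reg, index):
        return self.store[self._checked(reg, READ_DATA, index)]

    def write_word(self, reg, index, value):
        self.store[self._checked(reg, WRITE_DATA, index)] = value

    def move_segment(self, sct_offset, new_base):
        """Relocate a segment. Only the SCT entry changes; every program's
        capability value (access, sct_offset) stays valid."""
        entry = self.sct[sct_offset]
        words = self.store[entry.base:entry.base + entry.limit]
        self.store[entry.base:entry.base + entry.limit] = [0] * entry.limit
        self.store[new_base:new_base + entry.limit] = words
        entry.base = new_base


def demo():
    """Constructed scenario: two programs share SCT entry 0 with different rights."""
    m = Machine([SCTEntry(base=8, limit=4)])
    owner_caps = [(READ_DATA | WRITE_DATA, 0)]   # program A: read and write
    reader_caps = [(READ_DATA, 0)]               # program B: read only
    results = {}
    m.load_capability(1, owner_caps, 0)
    m.write_word(1, 2, 42)
    m.load_capability(2, reader_caps, 0)
    results["shared_read"] = m.read_word(2, 2)
    try:
        m.write_word(2, 2, 7)
        results["readonly_write"] = "allowed"
    except PermissionError:
        results["readonly_write"] = "rejected"
    try:
        m.read_word(1, 4)
        results["out_of_bounds"] = "allowed"
    except IndexError:
        results["out_of_bounds"] = "rejected"
    m.move_segment(0, 20)
    m.load_capability(1, owner_caps, 0)   # same capability value, new base via SCT
    results["base_after_move"] = m.cr[1].base
    results["read_after_move"] = m.read_word(1, 2)
    try:
        check_access_field(WRITE_DATA | READ_CAP)
        results["forbidden_combo"] = "allowed"
    except ValueError:
        results["forbidden_combo"] = "rejected"
    return results
```

Calling `demo()` returns a dictionary of the outcomes. The point of the design is that no instruction ever touches the store with a raw address: each access is named relative to a capability register, and the register can only be filled by Load Capability from a capability value the program already holds, which is what bounds the program's scope on page 10.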

Page 13: Capability as Access Right

• To develop the concept of Capability further
  – Disassociate it from addressing physical locations in fast store
  – Addressing any device in the system
  – Virtual Capability Register
    • Access field
    • Segment identity field

Page 14: Concept of Capability

• A Capability is an access right for a segment of store
• The segment may be operated upon by suitable CPU instructions when the capability is loaded into a Capability register
• No segment may be accessed except by means of a Capability

Page 15: Program

Page 16: Structure of Program Package

• Central Capability Segment
  – Defines a number of satellite segments
  – One code segment
  – One data structure
• CR7 - code segment
• CR6 – central code segment

Page 17: Structure of Program

• Consists of a number of program packages
• Enter access type
  – Needed for one program package to call another
  – On the central capability segment of the callee
  – Protect the data structure of callee

Page 18: Resource

Page 19: Dynamic Allocation of Resource

• No privileged mode is needed
  – Operating system consists of a set of program packages called by Enter access type
• Package Store Allocator
  – Called during execution of a program
  – Allocate a segment and create a Capability for it
  – The ONLY place where Capabilities can be manufactured
  – Complex program packages can be built upon to allocate arbitrarily complex resources

Page 20: Structure of Resource

• Same structure as a program package
• Data structures are protected
• Resource can be arbitrarily complex

Page 21: Process

Page 22: Structure of Process

• Created by a Process Allocator package
• Called "process data structure"
• CR7 - the first segment of process data structure
• New segments created can be added using Store Capability Instruction

Page 23: Call, Return and Store Capability

• Call
  – Store CR6, CR7 and IAR to stack
  – Load Execute type Capability to CR7
  – Load Enter type Capability to CR6
  – Give Read type Capability of CR6 to CR7
• Return
  – Restore CR6, CR7 and IAR from stack

Store and restore CR6 provide mutual protection.

Page 24: Process Dump Stack

• Defined by a special Dump Stack Capability Register
• The stack area
  – Preserve CR6, CR7 and IAR values during a Call instruction
• A dump Area
  – Remaining register values can be preserved on interrupt or context change

Page 25: Additional Features

Page 26: Additional Features

• Mixed segments
  – Can include both data and capability values
  – Removes the rigid distinction between data and capability segments
  – Provides greater flexibility
  – To keep the protection, the distinction between data and capability types attaches to the values themselves.

Page 27: Additional Features

• Process Workspace Stack
  – Supply a package automatically with working space when called during the execution of a process
  – Referenced relative to the stack pointer
  – Preserve and protect a package's working data when a further package is called, by incrementing the stack pointer by a suitable value
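The Enter access type (page 17), the claim that the operating system needs no privileged mode because its packages are entered the same way (page 19), the Call/Return sequence with the dump stack (pages 23 and 24) and the workspace stack pointer (page 27) fit together in one short simulation. This is an added example, not code from the slides or from Plessey: representing a capability as a (access type, segment id) pair, the package and segment names, and treating the workspace pointer as a plain counter are assumptions made here. It shows that a caller holding only an Enter capability cannot read the callee's central capability segment, that Call cannot be made through a non-Enter capability, that during the call CR6 no longer names the caller's central segment, and that Return restores CR6, CR7, IAR and the stack pointer.

```python
# Access types named on the slides; any other right is irrelevant to this model.
EXECUTE, ENTER, READ_CAP, READ_DATA = "execute", "enter", "read-capability", "read-data"


class Cpu:
    def __init__(self, segments):
        self.segments = segments   # segment id -> contents (constructed in demo())
        self.cr6 = None            # central capability segment of the running package
        self.cr7 = None            # code segment of the running package
        self.iar = 0               # instruction address register
        self.sp = 0                # process workspace stack pointer
        self.dump_stack = []       # the stack area of the process dump stack

    def start(self, central_id):
        """Begin running the package whose central capability segment is central_id."""
        self.cr6 = (READ_CAP, central_id)
        self.cr7 = self.segments[central_id][0]
        self.iar = 0

    def load_via(self, capability, offset):
        """Load Capability from a capability segment: needs the Read Capability
        right. An Enter capability on the same segment does not grant this."""
        access, segment_id = capability
        if access != READ_CAP:
            raise PermissionError(f"{access} does not grant Read Capability")
        return self.segments[segment_id][offset]

    def load_from_central(self, offset):
        """CR6 plus offset, as on page 12."""
        return self.load_via(self.cr6, offset)

    def call(self, capability, entry_point=0, caller_frame=0):
        """Call: push CR6, CR7, IAR (and the workspace pointer) to the dump stack,
        then switch CR7 and CR6 to the callee package."""
        access, central_id = capability
        if access != ENTER:
            raise PermissionError("Call requires an Enter-type capability")
        code_cap = self.segments[central_id][0]
        if code_cap[0] != EXECUTE:
            raise PermissionError("callee code capability is not Execute type")
        self.dump_stack.append((self.cr6, self.cr7, self.iar, self.sp))
        self.sp += caller_frame            # callee's workspace lies above the caller's data
        self.cr7 = code_cap
        self.cr6 = (READ_CAP, central_id)  # Enter becomes Read on the callee's own central segment
        self.iar = entry_point

    def ret(self):
        """Return: restore the caller's CR6, CR7, IAR and workspace pointer."""
        self.cr6, self.cr7, self.iar, self.sp = self.dump_stack.pop()


def demo():
    # Constructed sample: package A holds only an Enter capability for package B's
    # central segment; B's data segment capability is reachable only from inside B.
    segments = {
        "A.central": [(EXECUTE, "A.code"), (ENTER, "B.central")],
        "B.central": [(EXECUTE, "B.code"), (READ_DATA, "B.data")],
        "A.code": ["A instructions"],
        "B.code": ["B instructions"],
        "B.data": [10, 20, 30],
    }
    cpu = Cpu(segments)
    cpu.start("A.central")
    cpu.iar, cpu.sp = 5, 16
    r = {}
    enter_b = cpu.load_from_central(1)
    try:
        cpu.load_via(enter_b, 1)          # A tries to lift B's data capability
        r["caller_reads_callee_central"] = "allowed"
    except PermissionError:
        r["caller_reads_callee_central"] = "rejected"
    try:
        cpu.call((READ_DATA, "B.data"))   # not an Enter capability
        r["call_without_enter"] = "allowed"
    except PermissionError:
        r["call_without_enter"] = "rejected"
    cpu.call(enter_b, entry_point=0, caller_frame=8)
    r["callee_code"] = cpu.cr7[1]
    r["callee_data_cap"] = cpu.load_from_central(1)
    r["callee_sp"] = cpu.sp
    r["callee_sees_caller_central"] = cpu.cr6[1] == "A.central"
    cpu.ret()
    r["cr6_after_return"] = cpu.cr6[1]
    r["iar_after_return"] = cpu.iar
    r["sp_after_return"] = cpu.sp
    r["stack_depth_after_return"] = len(cpu.dump_stack)
    return r
```

The mutual protection on page 23 falls out of the register swap: while B runs, the only path to A's capabilities was the CR6 value now sitting on the dump stack, and when A resumes, B's central segment is again reachable only through the Enter capability. An operating-system package called this way runs with exactly the capabilities its central segment holds, which is why the slides say no privileged mode is needed.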

Page 28: Conclusion

• Using capability in System 250 provides a uniform addressing and protection mechanism to all resources in the system
• Facilitate information sharing and protection between processes
• No privileged mode is needed, thus saving the time of switching between kernel and user levels as in many other systems

Page 29: Reference

• England, D.M., The Capability Concept Mechanism and Structure in System 250, IRIA International Workshop on Protection in Operating Systems, Rocquencourt, (1974), pp. 63-82.
• H. Levy, Capability-based Computer Systems. Digital Press, 1984.