Capability Concept Mechanisms and Structure in System 250

Provided by: huaz
Learn more at: http://www.cs.ucf.edu

1
Capability Concept Mechanisms and Structure in System 250
  • Presented by Hua Zhang
  • COP6614, Fall 2005

2
Outline
  • Introduction
  • Capability
  • Program
  • Resource
  • Process
  • Additional Features
  • Conclusion
  • Reference

3
Introduction
  • The idea of Capability was introduced in 1966 by
    J.B. Dennis and E.C. Van Horn
  • System 250
      • Developed by Plessey Company Limited
      • First Capability machine realized in hardware

4
System 250
  • Multi-processor system
  • Any CPU can access any store word
  • Storage space is allocated dynamically in
    segments of arbitrary sizes
  • A single address space is employed
  • A segment is addressed by a unique reference
    called Capability

5
(No Transcript)
6
Capability
7
Capability Registers
  • The CPU contains 8 Data Registers and 8
    Capability Registers
  • A Capability is used to address fast store
      • A Store Module address
      • The base and limit addresses
      • Access field
  • CPU instructions access words within a segment by
    a reference to a Capability Register which defines
    it

8
Access Field
  • 6 bits
  • Data Types
      • Read Data
      • Write Data
      • Execute
  • Capability Types
      • Read Capability
      • Write Capability
      • Enter
  • Certain combinations, e.g. write data and read
    capability, are not allowed

9
Functions of Capability Register
  • Provide an addressing base for segments in fast
    store
  • Protect segments against illicit operations
  • Limit the scope of a program and thus protect
    the data outside this scope from illicit access

10
Load Capability Instruction
  • Make Capability Registers different from
    conventional base/limit registers
  • No way to alter base/limit registers
  • Program can access as many segments as needed
    during execution, while bounded by the set of
    Capability values which its Capability segments
    contain

11
System Capability Table
  • Why use SCT
      • Physical address changes when a segment is moved
  • Contents in SCT
      • Physical addresses of segments
  • Capability value
      • Access field and offset in SCT
      • Stored in the Capability Segment of each program
      • Different programs can have different rights on
        one SCT entry

12
System Capability Table
  • Load Capability
      • Use CR6 plus offset to locate the capability
        value
      • Use SCT OFFSET to locate the entry in SCT
      • ACCESS field is copied from capability value
      • The rest is copied from SCT entry
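
The Load Capability path from this slide and the bounds and access checks it enables, as an added C model (not code from the presentation or from System 250). The bit values, the inclusive limit, the function names, and passing the capability segment as an array instead of reading it through CR6 are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* The six access types from the Access Field slide; bit values are assumed. */
enum { READ_DATA = 1, WRITE_DATA = 2, EXECUTE = 4, READ_CAP = 8, WRITE_CAP = 16, ENTER = 32 };
typedef struct { uint32_t base, limit; } SctEntry;                /* segment location, limit inclusive */
typedef struct { uint8_t access; uint16_t sct_offset; } CapValue; /* held in a capability segment */
typedef struct { uint8_t access; uint32_t base, limit; int loaded; } CapReg;

#define STORE_WORDS 64
#define SCT_ENTRIES 4
static uint32_t store[STORE_WORDS];  /* fast store */
static SctEntry sct[SCT_ENTRIES];    /* System Capability Table */
static CapReg cr[8];                 /* capability registers CR0..CR7 */

/* Load Capability; cseg/len stand in for the capability segment that CR6 addresses. */
int load_capability(int reg, const CapValue *cseg, size_t len, size_t offset) {
    if (reg < 0 || reg > 7 || offset >= len || cseg[offset].sct_offset >= SCT_ENTRIES) return -1;
    SctEntry e = sct[cseg[offset].sct_offset];
    /* ACCESS is copied from the capability value, the rest from the SCT entry. */
    cr[reg] = (CapReg){ cseg[offset].access, e.base, e.limit, 1 };
    return 0;
}

/* Check access type and bounds before any word in the segment is touched. */
static uint32_t *checked(int reg, uint32_t off, uint8_t need) {
    if (reg < 0 || reg > 7 || !cr[reg].loaded || !(cr[reg].access & need)) return NULL;
    if (cr[reg].limit >= STORE_WORDS || cr[reg].base > cr[reg].limit) return NULL;
    if (off > cr[reg].limit - cr[reg].base) return NULL;
    return &store[cr[reg].base + off];
}
int read_word(int reg, uint32_t off, uint32_t *out) {
    uint32_t *p = checked(reg, off, READ_DATA);
    if (p) *out = *p;
    return p ? 0 : -1;
}
int write_word(int reg, uint32_t off, uint32_t val) {
    uint32_t *p = checked(reg, off, WRITE_DATA);
    if (p) *p = val;
    return p ? 0 : -1;
}

/* Moving a segment rewrites only its SCT entry; capability values are untouched. */
int move_segment(uint16_t entry, uint32_t new_base) {
    if (entry >= SCT_ENTRIES || sct[entry].limit < sct[entry].base) return -1;
    uint32_t words = sct[entry].limit - sct[entry].base + 1;
    if (new_base >= STORE_WORDS || words > STORE_WORDS - new_base) return -1;
    memmove(&store[new_base], &store[sct[entry].base], words * sizeof store[0]);
    sct[entry] = (SctEntry){ new_base, new_base + words - 1 };
    return 0;
}
```

In this model a register loaded before `move_segment` still holds the old base, so it has to be reloaded; the slides do not say how the real machine treated registers that were already loaded.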

13
Capability as Access Right
  • To develop the concept of Capability further
      • Disassociate it from addressing physical
        locations in fast store
      • Addressing any device in the system
  • Virtual Capability Register
      • Access field
      • Segment identity field
14
Concept of Capability
  • A Capability is an access right for a segment of
    store
  • The segment may be operated upon by suitable CPU
    instructions when the capability is loaded into a
    Capability register
  • No segment may be accessed except by means of a
    Capability

15
Program
16
Structure of Program Package
  • Central Capability Segment
  • Defines a number of satellite segments
  • One code segment
  • One data structure
  • CR7 - code segment
  • CR6 - central code segment

17
Structure of Program
  • Consists of a number of program packages
  • Enter access type
      • Needed for one program package to call another
      • On the central capability segment of the callee
      • Protect the data structure of callee

18
Resource
19
Dynamic Allocation of Resource
  • No privileged mode is needed
  • Operating system consists of a set of program
    packages called by Enter access type
  • Package Store Allocator
      • Called during execution of a program
      • Allocate a segment and create a Capability for it
      • The ONLY place where Capabilities can be
        manufactured
  • Complex program packages can be built upon to
    allocate arbitrarily complex resources

20
Structure of Resource
  • Same structure as a program package
  • Data structures are protected
  • Resource can be arbitrarily complex

21
Process
22
Structure of Process
  • Created by a Process Allocator package
  • Called process data structure
  • CR7 - the first segment of process data structure
  • New segments created can be added using Store
    Capability Instruction

23
Call, Return and Store Capability
  • Call
      • Store CR6, CR7 and IAR to stack
      • Load Execute type Capability to CR7
      • Load Enter type Capability to CR6
      • Give Read type Capability of CR6 to CR7
  • Return
      • Restore CR6, CR7 and IAR from stack
  • Store and restore CR6 provide mutual protection.

24
Process Dump Stack
  • Defined by a special Dump Stack Capability
    Register
  • The stack area
      • Preserve CR6, CR7 and IAR values during a Call
        instruction
  • A dump area
      • Remaining register values can be preserved on
        interrupt or context change

25
Additional Features
26
Additional Features
  • Mixed segments
      • Can include both data and capability values
      • Removes the rigid distinction between data and
        capability segments
      • Provides greater flexibility
      • To keep the protection, the distinction between
        data and capability types attaches to the values
        themselves.

27
Additional Features
  • Process Workspace Stack
      • Supply a package automatically with working space
        when called during the execution of a process
      • Referenced relative to the stack pointer
      • Preserve and protect a package's working data
        when a further package is called, by incrementing
        the stack pointer by a suitable value

28
Conclusion
  • Using capability in System 250 provides a uniform
    addressing and protection mechanism to all
    resources in the system
  • Facilitates information sharing and protection
    between processes
  • No privileged mode is needed, thus saving the
    time of switching between kernel and user levels
    as in many other systems

29
Reference
  • England, D.M., The Capability Concept Mechanism
    and Structure in System 250, IRIA International
    Workshop on Protection in Operating Systems,
    Rocquencourt, (1974), pp. 63-82.
  • H. Levy, Capability-based Computer Systems.
    Digital Press, 1984.