Capability Concept Mechanisms and Structure in System 250
Presented by: Hua Zhang, COP6614, Fall 2005

Outline
• Introduction
• Capability
• Program
• Resource
• Process
• Additional Features
• Conclusion
• Reference
Introduction
• The idea of the Capability was introduced in 1966 by J.B. Dennis and E.C. Van Horn
• System 250
  • Developed by Plessey Company Limited
  • First Capability machine realized in hardware

System 250
• Multi-processor system
• Any CPU can access any store word
• Storage space is allocated dynamically in segments of arbitrary sizes
• A single address space is employed
• A segment is addressed by a unique reference called a “Capability”
Capability Registers
• The CPU contains 8 Data Registers and 8 Capability Registers
• A Capability is used to address fast store; it holds
  • A Store Module address
  • The base and limit addresses
  • An access field
• CPU instructions access words within a segment by a reference to the Capability Register which defines it
Access Field
• 6 bits
• Data types
  • Read Data
  • Write Data
  • Execute
• Capability types
  • Read Capability
  • Write Capability
  • Enter
• Certain combinations, e.g. Write Data and Read Capability, are not allowed
Functions of the Capability Register
• Provides an addressing base for segments in fast store
• Protects segments against illicit operations
• Limits the scope of a program, and thus protects the data outside this scope from illicit access

Load Capability Instruction
• Makes Capability Registers different from conventional base/limit registers
  • There is no other way to alter the base/limit values of a Capability Register
• A program can access as many segments as needed during execution, while remaining bounded by the set of Capability values which its Capability segments contain
System Capability Table
• Why use an SCT
  • The physical address changes when a segment is moved
• Contents of the SCT
  • Physical addresses of segments
• Capability value
  • Access field and offset into the SCT
  • Stored in the Capability Segment of each program
  • Different programs can have different rights on one SCT entry

System Capability Table: Load Capability
• Use CR6 plus an offset to locate the capability value
• Use the SCT OFFSET of that value to locate the entry in the SCT
• The ACCESS field is copied from the capability value
• The rest (base and limit) is copied from the SCT entry
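The following is an added example, not code from the slides or from System 250: a small Python model of the Load Capability sequence above (access field taken from the capability value, base/limit taken from the SCT entry) and of the bounds/access check a CPU instruction would perform against the loaded register. The bit layout of the access field, the FORBIDDEN list (which holds only the combination the slide names) and all sample values are assumptions of this example.

```python
# Added illustration of the System 250 Load Capability instruction (model only).
# Bit assignments, FORBIDDEN and the sample segments are constructed for this example.
from dataclasses import dataclass

# Six access bits as listed on the "Access Field" slide (bit positions assumed).
READ_DATA, WRITE_DATA, EXECUTE = 1, 2, 4
READ_CAP, WRITE_CAP, ENTER = 8, 16, 32
# Combinations that are not allowed; the slide gives this one as its example.
FORBIDDEN = [WRITE_DATA | READ_CAP]


@dataclass(frozen=True)
class CapValue:      # a capability value held in a program's capability segment
    access: int      # access field carried by the value itself
    sct_offset: int  # offset of the segment's entry in the System Capability Table


@dataclass(frozen=True)
class SctEntry:      # one SCT entry: the segment's current physical location
    base: int
    limit: int


@dataclass(frozen=True)
class CapRegister:   # what a loaded Capability Register contains
    access: int
    base: int
    limit: int


def is_legal(access):
    """True unless the access field contains a forbidden combination."""
    return not any(access & f == f for f in FORBIDDEN)


def load_capability(cap_segment, offset, sct):
    """Load Capability: CR6 + offset selects the value; ACCESS comes from the
    value, base and limit from the SCT entry it points at."""
    value = cap_segment[offset]
    if not is_legal(value.access):
        raise ValueError("illegal access combination in capability value")
    entry = sct[value.sct_offset]
    return CapRegister(value.access, entry.base, entry.limit)


def check_access(reg, addr, needed):
    """A CPU instruction may touch addr only inside [base, limit] and only
    with every access bit in `needed` present in the register."""
    return reg.base <= addr <= reg.limit and (reg.access & needed) == needed
```

Because base and limit live only in the SCT, moving a segment means rewriting one SCT entry; every program's capability values for that segment stay unchanged, and two programs can hold values with different access fields for the same SCT offset.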
Capability as Access Right
• To develop the concept of the Capability further
  • Disassociate it from addressing physical locations in fast store
  • Use it to address any device in the system
• Virtual Capability Register
  • Access field
  • Segment identity field

Concept of Capability
• A Capability is an access right for a segment of store
• The segment may be operated upon by suitable CPU instructions when the Capability is loaded into a Capability Register
• No segment may be accessed except by means of a Capability
Structure of a Program Package
• Central Capability Segment
  • Defines a number of satellite segments
  • One code segment
  • One data structure
• CR7 – code segment
• CR6 – central capability segment

Structure of a Program
• Consists of a number of program packages
• Enter access type
  • Needed for one program package to call another
  • Held on the central capability segment of the callee
  • Protects the data structure of the callee
Dynamic Allocation of Resources
• No privileged mode is needed
• The operating system consists of a set of program packages called via the Enter access type
• Store Allocator package
  • Called during execution of a program
  • Allocates a segment and creates a Capability for it
  • The ONLY place where Capabilities can be manufactured
• More complex program packages can be built on top of it to allocate arbitrarily complex resources

Structure of a Resource
• Same structure as a program package
• Its data structures are protected
• A resource can be arbitrarily complex

Structure of a Process
• Created by a Process Allocator package
• Called the “process data structure”
• CR7 – the first segment of the process data structure
• Newly created segments can be added using the Store Capability instruction
Call, Return and Store Capability
• Call
  • Store CR6, CR7 and IAR to the stack
  • Load an Execute type Capability into CR7
  • Load an Enter type Capability into CR6
  • Give Read type Capability access of CR6 to CR7
• Return
  • Restore CR6, CR7 and IAR from the stack
• Saving and restoring CR6 provides mutual protection between caller and callee

Process Dump Stack
• Defined by a special Dump Stack Capability Register
• The stack area
  • Preserves the CR6, CR7 and IAR values during a Call instruction
• A dump area
  • The remaining register values can be preserved there on interrupt or context change
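An added example, not code from the slides or from System 250, modelling the Call/Return sequence and the dump stack described above, to show why saving CR6 gives mutual protection: before the call the caller holds only an Enter capability on the callee, so it cannot read the callee's central capability segment; during the call the caller's CR6 sits on the dump stack, which the callee cannot address. The Package and Cpu classes, the "code" satellite name and the reading of the last Call bullet as CR6 gaining Read Capability access are assumptions of this example.

```python
# Added illustration of Call and Return with a process dump stack (model only).
# Package, Cpu and the Enter-to-Read step on CR6 are this example's assumptions.
from dataclasses import dataclass, field

EXECUTE, ENTER, READ_CAP = "execute", "enter", "read_cap"


@dataclass
class Package:
    name: str
    satellites: dict   # central capability segment: satellite name -> (access, target)
    entry: int         # IAR value of the package's first instruction


@dataclass
class Cpu:
    cr6: tuple         # (access, package) addressing a central capability segment
    cr7: tuple         # (access, code segment id) addressing the code segment
    iar: int
    dump_stack: list = field(default_factory=list)  # reachable only via the Dump Stack CR


def load_cap(cpu, name):
    """Load Capability from the central segment in CR6; requires Read Capability."""
    access, pkg = cpu.cr6
    if access != READ_CAP:
        raise PermissionError(f"{pkg.name}: CR6 lacks Read Capability access")
    return pkg.satellites[name]


def call(cpu, enter_cap):
    """Call: dump CR6/CR7/IAR, then enter the callee through its Enter capability."""
    access, callee = enter_cap
    if access != ENTER:
        raise PermissionError("Call requires an Enter capability on the callee")
    cpu.dump_stack.append((cpu.cr6, cpu.cr7, cpu.iar))  # caller state leaves the CPU
    cpu.cr7 = callee.satellites["code"]                  # Execute capability for callee code
    cpu.cr6 = (READ_CAP, callee)  # Enter on CR6 becomes Read Capability for the callee's own use
    cpu.iar = callee.entry


def ret(cpu):
    """Return: restore the caller's CR6, CR7 and IAR from the dump stack."""
    cpu.cr6, cpu.cr7, cpu.iar = cpu.dump_stack.pop()


def reachable(cpu):
    """Satellite names the running package can load: only those in its own central segment."""
    return set(cpu.cr6[1].satellites)
```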
Additional Features: Mixed Segments
• Can include both data and capability values
• Removes the rigid distinction between data and capability segments
• Provides greater flexibility
• To keep the protection, the distinction between data and capability types attaches to the values themselves

Additional Features: Process Workspace Stack
• Supplies a package automatically with working space when it is called during the execution of a process
• Referenced relative to the stack pointer
• Preserves and protects a package’s working data when a further package is called, by incrementing the stack pointer by a suitable value
Conclusion
• Using Capabilities in System 250 provides a uniform addressing and protection mechanism for all resources in the system
• Facilitates information sharing and protection between processes
• No privileged mode is needed, thus saving the time of switching between kernel and user levels as in many other systems

Reference
• England, D.M., The Capability Concept Mechanism and Structure in System 250, IRIA International Workshop on Protection in Operating Systems, Rocquencourt, (1974), pp. 63-82.
• Levy, H., Capability-based Computer Systems. Digital Press, 1984.