Screen Version

next up previous
Next: Partitioned Capabilities Up: 03-caps Previous: Capabilities

Subsections

• Protected procedure call (AS/400)
• Tagged capabilities outside RAM
• Tagged capabilities summary

---

Tagged Capabilities

• Tag bit(s) with every (group of) memory word(s):
  • Tags identify capabilities.
  • Capabilities are used like ``normal'' pointers.
  • Hardware checks permissions on dereferencing capability.
  • User code can copy capabilities.
  • Modifications turn tags off.
  • Only privileged instructions (kernel) can turn tags on.
    • Propagation easy.
    • Restriction requires kernel to make new capability.
    • Revocation virtually impossible (memory scan!)
    • Amplification possible (see below).
    • Accessibility impossible to determine.
    • Protection domain difficult to establish.
• IBM System/38[Ber80], AS/400[Sol97], many historical systems.
  

Protected procedure call (AS/400)

• AS/400 has a segmented memory architecture.
• Capabilities confer rights over segments.
• Capabilities can confer invocation rights.
• Each user has a profile, which is essentially a capability list.
• Capabilities can be of profile adoption type:
  • On invocation, segment owner's profile is added to caller's protection domain.
  • Normal pointers can be dereferenced if the profile contains appropriate capabilities.
  • On return, profile adoption is cancelled.
  • User can denote subset of their profile to be used in adoption (profile propagation).

Tagged capabilities outside RAM

• Disk has no tags.
• AS/400 page size is 4kB.
• Physical disk blocks are 520B, logical blocks 512B.
• Extra 64B per page store tag bits (among others).
  • On page-out page must be scanned and all tags collected.
  • On page-in all tags must be reconsituted.
  • Significant processing overhead with all I/O.

Tagged capabilities summary

• Secure through hardware protection.
• Convenient for applications (appear as ``normal'' pointers).
• Checked by hardware ==> fast validation.
• Hardware solution is not for everyone.
• Capability hardware is complex (and slow?)
• Separate mechanisms required for I/O and distribution.

---

next up previous
Next: Partitioned Capabilities Up: 03-caps Previous: Capabilities

Gernot Heiser 2002年08月15日

[an error occurred while processing this directive]