Essays on Capabilities and Security

I've begun a set of small, introductory essays on various aspects of the EROS design. These notes are intended to be more explanatory than the design notes.

Norm Hardy has also written a number of essays, which you can find here. Norm's tend more toward pondering of serious issues in capability systems and security, while these notes tend to be more introductory in nature.

Introductory Material

These essays are intended for a beginning audience. Their purpose is to define terms or explain concepts so that people can join the discussion on capability security and capability systems.

  • What is a Capability, Anyway?

    Provides a layman's introduction to capabilities, describing what they are, what they do, and why they result in better security than today's computer systems.

  • Where Capabilities Come From

    One source of confusion about capability systems is where capabilities come from. How does my program get one? Where does the system get them from? This note tries to answer such questions.

  • EROS: A Platform for Reliable Applications

    Describes why EROS provides a better platform for building reliable applications than POSIX-based systems. Identifies some of the reasons that EROS-based applications tend to be both more reliable and more testable than their POSIX equivalents.

Notes on Specific Issues

These essays address some specific topics about the design of the EROS system, often with an eye toward explaining why EROS is structured in a particular way. My hope is that documenting these thoughts will make it easier to translate these ideas to other systems, or make it clear why such translation is difficult.

  • Persistence

    Explains why EROS uses transparent checkpointing as its basic approach to persistence, and what issues are raised by this choice. This note also discusses some of the implications of this choice for the structure of the operating system, which may be helpful to people contemplating persistence designs for other systems.

  • Comparing ACLs and Capabilities

    Many people seem to think that capabilities and access control lists are simply two ways of looking at the same thing. They are not. This note provides a description of how capabilities and access control lists actually work, and why the two are not equivalent.

Other Sources of Interest


Copyright 1998 by Jonathan Shapiro. All rights reserved. For terms of redistribution, see the GNU General Public License.