[cap-talk] Language-based safety - MMP - reading

Jed at Webstart donnelley1 at webstart.com
Fri Nov 19 17:42:29 EST 2004


At 08:30 PM 11/18/2004, David Hopwood wrote:
>Jed at Webstart wrote:
>>At 01:37 PM 11/17/2004, Wes Felter wrote:
>>>On Nov 15, 2004, at 7:40 PM, Jed Donnelley wrote:
>>>
>>>>Of course it's an interesting question to ask whether there might be 
>>>>some instruction set architecture where Bob could still execute 
>>>>arbitrary code and still be able to execute in the same hardware domain 
>>>>as Alice.  It would seem that whatever mechanism is used for Java or E 
>>>>should suffice in hardware (I'm guessing here) if that were practical, 
>>>>so I guess the theoretical answer is "yes", but there may be some 
>>>>distance between the theoretical and the practical.
>>>
>>>Consider Mondriaan memory protection: 
>>>http://www.cs.utexas.edu/users/witchel/
>>I've started down that investigative path, but haven't found anything yet 
>>to suggest that MMP would make the ability to execute arbitrary code 
>>possible within a process that includes separate protection domains in 
>>separate modules.
>
>I've only skimmed the papers, but it seems to me that MMP is a fairly
>straightforward segmented memory architecture with word-granularity
>segments. There have been several previous capability system designs
>based partly on segmentation; in principle, it's possible to implement
>a cap system using *only* segmentation. Implemented systems tended to
>be more complicated, but the nearest thing to a segmentation-only
>design I can find a reference to right now is the Chicago Magic Number
>Machine (http://www.cs.washington.edu/homes/levy/capabook/Chapter3.pdf).
>Is it that you don't see how those systems (would have) enforced the
>capability model, or is it something specific to MMP?

The former.  How does fine grained memory protection help to support
capability communication?

>In particular, "within a process" seems to be irrelevant in MMP, since
>process-level mechanisms are not what is being used to separate domains;
>the segment permissions are per-protection domain, not per-process.
>It's not critical what the mapping between processes and protection
>domains is.

I guess the above depends on how one (e.g. they) defines what is
meant by a "process".  I typically think of a 'process' as being
identified essentially with a register set - including memory mapping
registers, program counter and stack pointer, system state (e.g.
monitor mode bit or the like), etc.  Specifically, it's that set of
environment that is set up in the hardware of a processor for
a resource sharing operating system to run an untrusted
program.

Is that what you mean by "process" above?  If so then perhaps you
can explain to me how a "protection domain" differs from a "process".
Maybe that will help me to understand how MMP's implementation
would help to support capability communication.
Thanks. 
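Hopwood's description above, that MMP gives each protection domain its own word-granularity permission table over one shared address space, so that switching domains changes nothing about the register set or the address mapping, can be made concrete with a small simulator. The code below is an added example, not code from this thread or from the MMP project: it assumes a toy permission encoding (none / read-only / read-write), a single flat memory of 64 words, a PD-ID field as the only per-domain processor state, and an unchecked grant() standing in for whatever privileged path writes the permission tables in real hardware. run_scenario() stages the Alice/Bob exchange the thread is about: Alice fills a buffer and grants Bob read-only access to exactly four words, which is the capability-like transfer Jed is asking how MMP supports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of Mondriaan-style protection (assumption: a simplification,
 * not the real MMP hardware or its permission-table encoding).
 * One flat address space of NWORDS words is shared by every protection
 * domain; each domain has its own word-granularity permission table. */
#define NWORDS   64
#define NDOMAINS 4

enum perm { P_NONE = 0, P_RO = 1, P_RW = 2 };

static uint32_t mem[NWORDS];             /* the single shared memory        */
static uint8_t  ptab[NDOMAINS][NWORDS];  /* per-domain permission tables    */

/* Processor state. The only thing a domain switch changes is pd (the
 * PD-ID register); no memory-mapping registers or stack are swapped. */
struct cpu { int pd; int faults; };

/* Grant `perm` on words [lo, hi) to domain `pd`. In a real system only a
 * supervisor or the owner of the words could do this; the check is left
 * out here so the example stays short (assumption). */
static void grant(int pd, int lo, int hi, enum perm perm)
{
    for (int a = lo; a < hi; a++)
        ptab[pd][a] = (uint8_t)perm;
}

/* Every access is checked against the *current domain's* table, not
 * against anything tied to a process. Returns 0 on success, -1 on a
 * protection fault (which is also counted in c->faults). */
static int load(struct cpu *c, int addr, uint32_t *out)
{
    if (addr < 0 || addr >= NWORDS || ptab[c->pd][addr] < P_RO) {
        c->faults++;
        return -1;
    }
    *out = mem[addr];
    return 0;
}

static int store(struct cpu *c, int addr, uint32_t v)
{
    if (addr < 0 || addr >= NWORDS || ptab[c->pd][addr] < P_RW) {
        c->faults++;
        return -1;
    }
    mem[addr] = v;
    return 0;
}

/* Models a cross-domain call gate: same registers, same address space,
 * different permission table from here on. */
static void switch_domain(struct cpu *c, int pd) { c->pd = pd; }

/* Alice (domain 1) writes a 4-word message and hands Bob (domain 2) a
 * read-only grant on exactly those words. Returns the number of faults Bob
 * takes on the scripted accesses (expected 3: one attempted write, one read
 * just past the grant, one read far outside it), or -1 if any of Bob's
 * permitted reads returned the wrong value. */
static int run_scenario(void)
{
    memset(mem, 0, sizeof mem);
    memset(ptab, 0, sizeof ptab);
    struct cpu c = { .pd = 1, .faults = 0 };

    grant(1, 16, 32, P_RW);                   /* Alice owns words 16..31   */
    for (int a = 16; a < 20; a++)
        store(&c, a, 0xA11CE000u + (uint32_t)a);   /* constructed message  */

    grant(2, 16, 20, P_RO);                   /* the "capability" for Bob  */
    switch_domain(&c, 2);                     /* now running as Bob        */

    uint32_t v;
    int ok = 1;
    for (int a = 16; a < 20; a++)             /* reads inside the grant    */
        ok &= (load(&c, a, &v) == 0 && v == 0xA11CE000u + (uint32_t)a);

    store(&c, 16, 0xBADu);                    /* RO word: must fault       */
    load(&c, 20, &v);                         /* one past the grant: fault */
    load(&c, 40, &v);                         /* Alice-only region: fault  */

    return ok ? c.faults : -1;
}

int main(void)
{
    printf("faults taken by Bob: %d\n", run_scenario());
    return 0;
}
```

Build with `cc -std=c11 -o mmp mmp.c && ./mmp`. The point the thread is circling is visible in `switch_domain`: nothing about the process (registers, mapping, stack) changes, only which permission table subsequent loads and stores are checked against, and Alice's grant to Bob is just a row of that table rather than a message passed through the kernel.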


