[cap-talk] Ambient authority in DVH, PDP-1 supervisor, Multics, mutual suspicion
Charles Landau
clandau at macslab.com
Tue Aug 1 18:30:54 EDT 2006
At 2:59 PM -0700 8/1/06, Jed Donnelley wrote:
>It seems clear that by
>the time of the RATS system at LLL in 1972-1973,
>object capabilities were available full blown. I
>had always thought that since the RATS system was
>nominally considered a port of the PDP-1
>supervisor,
That's largely true.
>then the PDP-1 supervisor must have
>had a basis in object capabilities (communicable
>permission tokens, no ambient authority).
>
>I would like to know if that was true,
Yes
>and if so when and what happened to the:
>
>"The meta-instruction
>i := link <principal name>;
>
>and this design principle:
>
>"When the supervisor creates a computation on behalf of
>a principal, it always places in the C-list of such a computation
>a directory capability with an O indicator that
>points to the principal's root directory. The principal is
>then said to own this computation and each of its processes.
>These processes are then permitted to exercise powers of
>ownership with respect to objects owned by the principal."
>
>from DVH?
They were not part of the PDP-1 system.
>There's quite a bit of time between the DVH paper in March of 1966
>and where I heard about anything with the RATS system in 1973.
>Was there somebody at MIT that picked up the "object capability"
>thread - e.g. from DVH, from the early supervisor implementation,
>etc. and purified it in some way to separate it from ambient authority
>access control based on principals (users - people)?
>
>I notice that even in this implementation paper by Ackerman and Plummer
>in 1967:
>
>http://www.webstart.com/projects/pdp-1/plummer-ackerman.pdf
>
>there's no mention of a "principal": They do provide the "entry" mechanism:
>...
>
>The notion in the above that the entered process may
>"examine and modify" the registers of the calling
>process seems to suggest that this isn't quite
>communication between mutually suspicious processes.
Yes, I think the PDP-1 system didn't distinguish between suspended
process capabilities generated by faults and calls, where of course
you want different authorities.
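Two points in this exchange are easier to see in code: the DVH design principle quoted above (the supervisor seeds every computation's C-list with an O-indicated directory capability, so ownership powers are ambient), and Landau's remark that the PDP-1 system handed out the same suspended-process capability whether a process was entered by a call or stopped by a fault. The following toy C-list model is an added illustration written for this archive page; it is not DVH, PDP-1 or RATS code, and every name in it (`Rights`, `Capability`, `permitted`, `suspend`, the "jed"/"lab" principals and the register names) is a constructed assumption.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Rights(Flag):
    READ = auto()
    WRITE = auto()
    OWNER = auto()        # stands in for DVH's "O indicator" on a directory capability
    READ_ARGS = auto()    # suspended process: see argument registers only
    READ_REGS = auto()    # suspended process: see every register
    WRITE_REGS = auto()   # suspended process: modify registers


@dataclass(frozen=True)
class Obj:
    name: str
    owner: str            # principal that owns this object (constructed attribute)


@dataclass(frozen=True)
class Capability:
    obj: object
    rights: Rights

    def restrict(self, keep: Rights) -> "Capability":
        # Attenuation only: rights can be dropped, never added.
        return Capability(self.obj, self.rights & keep)


def permitted(clist, obj, needed, ambient_ownership):
    """Decide whether a computation holding `clist` may do `needed` to `obj`.

    ambient_ownership=True models the DVH rule: an OWNER capability on the
    principal's root directory confers ownership powers over every object that
    principal owns, even ones never named in the C-list.  False models a pure
    object-capability system: only an explicit capability on `obj` counts.
    """
    if any(c.obj == obj and needed in c.rights for c in clist):
        return True
    if ambient_ownership:
        owned_by = {c.obj.owner for c in clist if Rights.OWNER in c.rights}
        return obj.owner in owned_by
    return False


# Constructed sample objects: principal "jed" owns a root directory and a file.
ROOT = Obj("/jed", owner="jed")
SECRET = Obj("/jed/secret", owner="jed")
SHARED = Obj("/lab/shared", owner="lab")


def ownership_demo():
    """Which objects a computation may WRITE under each rule."""
    # Supervisor seeds the C-list with the O-indicated root capability; the
    # only other capability is a read-only one the user was explicitly given.
    clist = [Capability(ROOT, Rights.READ | Rights.OWNER),
             Capability(SHARED, Rights.READ)]
    targets = (SECRET, SHARED)
    return {
        "ambient": sorted(o.name for o in targets if permitted(clist, o, Rights.WRITE, True)),
        "ocap": sorted(o.name for o in targets if permitted(clist, o, Rights.WRITE, False)),
    }


@dataclass
class Process:
    name: str
    registers: dict     # register name -> value (constructed)
    args: frozenset     # registers that carry call arguments


def suspend(proc, reason, differentiate):
    """Mint the suspended-process capability given to whoever resumes `proc`.

    reason is "call" (proc entered another process) or "fault" (proc trapped).
    differentiate=False models the behaviour Landau describes: both cases get
    the same full capability, so a callee can inspect and modify the caller.
    """
    full = Capability(proc, Rights.READ_REGS | Rights.WRITE_REGS | Rights.READ_ARGS)
    if not differentiate or reason == "fault":
        return full
    return full.restrict(Rights.READ_ARGS)   # a callee sees arguments only


def visible_registers(cap):
    proc = cap.obj
    if Rights.READ_REGS in cap.rights:
        return dict(proc.registers)
    if Rights.READ_ARGS in cap.rights:
        return {r: v for r, v in proc.registers.items() if r in proc.args}
    return {}


def entry_demo():
    caller = Process("caller", {"ac": 7, "io": 0o1234, "pc": 0o400}, frozenset({"ac"}))
    undiff = suspend(caller, "call", differentiate=False)
    diff = suspend(caller, "call", differentiate=True)
    fault = suspend(caller, "fault", differentiate=True)
    return {
        "callee_undifferentiated": sorted(visible_registers(undiff)),
        "callee_differentiated": sorted(visible_registers(diff)),
        "fault_handler": sorted(visible_registers(fault)),
        "callee_can_write": Rights.WRITE_REGS in diff.rights,
    }
```

`ownership_demo()` shows the C-list granting write access to `/jed/secret` only under the ambient-ownership rule; the same C-list grants nothing extra under the object-capability rule. `entry_demo()` shows why the distinction Landau raises matters: with one undifferentiated capability the entered process sees and may modify every caller register, whereas a call-specific capability attenuated to `READ_ARGS` exposes only the argument register, and only the fault handler keeps full rights.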