[cap-talk] Backwater: some small progress
Matej Kosik
kosik at fiit.stuba.sk
Sat Apr 28 20:55:04 EDT 2007
Hi,
There is a lot of work to be done, but I have made small progress with my Backwater project. Earlier:
http://www.eros-os.org/pipermail/cap-talk/2007-January/007291.html
I have pointed out the potential of using language-based capabilities and powerboxes within monolithic kernels. No big surprises here.
I have mentioned that
<cite>
- I need to turn hardware interrupts into Pict messages
(this will require careful reading and understanding of the Pict runtime)
</cite>
This is now solved. That gave me the possibility to add (very simple versions of) device drivers for
- the keyboard (8741/8742 chips)
- the timer (8253/54 chips)
E.g. the Timer driver is given the authority to
- reset the observer of IRQ 0 to any channel
- write to the I/O port 43
- write to the I/O port 40
Nothing more. That is enough authority for it.
With the powerbox scheme it is possible to impose an arbitrary (describable) security policy over untrusted modules. This scheme is both:
- more powerful than
- equally easily usable as
traditional techniques such as ACL-like systems. I have talked about these possibilities at our local "conference"
http://altair.dcs.elf.stuba.sk:60001/mediawiki/upload/0/01/Iitsrc2007-poster.pdf
I have only two demos. With one I have partially realized what the hell Hewitt and Agha meant by defining recursively defined actors. It works *very* well.
http://altair.dcs.elf.stuba.sk:60001/mediawiki/index.php/Pict%27s_support_for_tail_recursive_processes
In the other demo I tried to use the "drivers" I have implemented and run an "application".
http://altair.dcs.elf.stuba.sk:60001/mediawiki/index.php/Powerboxed_ClockMorph
It is given the authority to:
- put 8 consecutive characters on the screen (where we decide)
- receive periodic ticks generated by the 8253/54 chip (indirectly via the Timer driver)
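As an added sketch, not Backwater's own code and in Python rather than Pict, here is the authority split described above for the Timer driver and the ClockMorph: each module is handed closures for exactly what it may do, and the powerbox role (here, demo()) decides where the 8-cell window lies. The class names and the 0x36 mode word are assumptions; ports 0x43/0x40 and IRQ 0 follow the mail.

```python
# Added illustration in Python, not Backwater's Pict code: each module receives
# closures for exactly the authority the mail lists and never sees the Hardware
# or Screen objects behind them. Class names and the 0x36 mode word are assumed.
class Hardware:                           # constructed stand-in for the PC
    def __init__(self): self.ports, self.irq_observers = {}, {}
    def port_writer(self, port):          # authority: write one port only
        def write(value): self.ports[port] = value & 0xFF
        return write
    def irq_observer_setter(self, irq):   # authority: reset one IRQ observer
        def set_observer(channel): self.irq_observers[irq] = channel
        return set_observer
    def raise_irq(self, irq):             # simulated hardware interrupt
        if irq in self.irq_observers: self.irq_observers[irq]()

class Screen:
    def __init__(self): self.cells = [" "] * (80 * 25)
    def window(self, start, length):      # authority: `length` cells at `start`
        def put(text):
            if len(text) > length: raise PermissionError("only %d cells" % length)
            self.cells[start:start + len(text)] = list(text)
        return put

class TimerDriver:                        # holds only the three authorities
    def __init__(self, set_irq0_observer, write_43, write_40):
        self.set_irq0_observer, self.write_43 = set_irq0_observer, write_43
        self.write_40, self.listeners = write_40, []
    def start(self, divisor):
        self.write_43(0x36)               # channel 0, lo/hi byte, mode 3
        self.write_40(divisor & 0xFF)
        self.write_40(divisor >> 8)
        self.set_irq0_observer(self.on_irq)
    def on_irq(self):
        for listener in self.listeners: listener()
    def tick_source(self):                # authority handed on: ticks only
        return self.listeners.append

class ClockMorph:                         # untrusted application module
    def __init__(self, put8, subscribe):
        self.count, self.put8 = 0, put8
        subscribe(self.tick)
    def tick(self):
        self.count += 1
        self.put8("%08d" % self.count)
def demo(irqs=3):                         # powerbox role: wire and run
    hw, screen = Hardware(), Screen()
    timer = TimerDriver(hw.irq_observer_setter(0), hw.port_writer(0x43), hw.port_writer(0x40))
    timer.start(11932)                    # ~100 Hz from the 1.19 MHz clock
    clock = ClockMorph(screen.window(0, 8), timer.tick_source())
    for _ in range(irqs): hw.raise_irq(0)
    return hw.ports, "".join(screen.cells[:8]), clock.count
```

The morph can only call put8 and subscribe; writing a ninth character or touching any port is not expressible with what it holds.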
I like the idea that applications (in my case untrusted modules) should declare the authority they need in order to be able to do what is expected of them. I would like to evaluate SCOLL, whether it can be used for these purposes, and whether it can bring something that is not obvious. I am still far from that, because of the two problems I mentioned in my previous mail:
<cite>
- I need to modify the Pict runtime in a way that untrusted modules
will not be able to consume arbitrary amount of free heap of memory
- I need to modify the Pict runtime so that untrusted modules
will not be able to consume arbitrary "CPU bandwidth"
</cite>
These problems are immediate.
Of course, the source code of Backwater is publicly available
http://altair.dcs.elf.stuba.sk:60001/mediawiki/upload/f/fb/Backh2o.pdf
Section 1.6 describes how powerboxes can be realized in Pict.
While there is not much work done and there are many things to do, it does not mean that it makes sense. So critique/warnings are very welcome. Take it as an effort of one capability fan.
Regards
--
Matej Kosik