[cap-talk] short circuiting revokable proxy chains at the price of cascaded revocation?
digitale at digitaleric.net
Sun Jan 14 08:56:49 CST 2007
Rob Meijer wrote:
> While working on the design of dgatefs, I am running into an important
> design issue. If a resource is used through a large set of proxies
> (revocable delegations), access to the resource will normally require all
> the proxies to be used.
> As a possible alternative, that is as a major performance boost on regular
> access, each proxy could get short-circuited to directly access the
> The price of this alternative would however be that revocation that would
> normally be a cheap operation would get really expensive. That is we would
> end up with a cascaded revocation.
KeyKOS and its descendants do cache delegations, when they take the form
of wrapped Segments (memory regions). Address translations are cached
into page tables and the CPU TLBs, but they can be de-cached at any
time. They *must* be de-cached when objects along the access path are
A nice consequence of the view of the short-circuited path as a cache of
the longer path is that only the set of active / hot paths are cached.
If you bound the size of the cache (in particular, the maximum number of
cached access paths which depend on any particular intermediate object),
then you can bound the expense of the revocation cascades.
> Would such expensive cascaded revocation be a reasonable price to pay for
> the performance boost for regular access, or is this a really bad concept?
Answering that question requires data on the depths of proxy chains
encountered, how expensive the naive follow-each-link is, and the
expense of revocation.
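
The bounded-cache idea from the reply above, as an added example that is not part of the original post and is not dgatefs or KeyKOS code: shortcuts are treated as a cache of the full proxy walk, and a per-proxy cap on dependent shortcuts bounds the revocation cascade. All names (`Proxy`, `PathCache`, `max_dependents`, `hops`) are hypothetical.

```python
class Revoked(Exception):
    """Raised when a walk reaches a revoked proxy."""

class Resource:
    def __init__(self, data):
        self.data = data

class Proxy:
    """Revocable forwarder to a Resource or to another Proxy (hypothetical)."""
    def __init__(self, target):
        self.target = target
        self.revoked = False
        self.dependents = set()  # heads whose cached shortcut passes through here

class PathCache:
    """Shortcut cache; max_dependents bounds the cascade any one revoke triggers."""
    def __init__(self, max_dependents):
        self.max_dependents = max_dependents
        self.shortcuts = {}  # head proxy -> (resource, proxies on the path)
        self.hops = 0        # links followed on slow-path walks

    def resolve(self, head):
        hit = self.shortcuts.get(head)
        if hit is not None:
            return hit[0]                       # fast path: no links followed
        chain, node = [], head
        while isinstance(node, Proxy):          # slow path: follow each link
            if node.revoked:
                raise Revoked()
            chain.append(node)
            node = node.target
            self.hops += 1
        # Cache only while every proxy on the path is under its dependent bound.
        if all(len(p.dependents) < self.max_dependents for p in chain):
            self.shortcuts[head] = (node, chain)
            for p in chain:
                p.dependents.add(head)
        return node

    def revoke(self, proxy):
        """Revoke proxy and de-cache every shortcut through it; returns cascade size."""
        proxy.revoked = True
        cascade = list(proxy.dependents)
        for head in cascade:
            _, chain = self.shortcuts.pop(head)
            for p in chain:
                p.dependents.discard(head)
        return len(cascade)
```

Paths that do not fit under the bound still work; they just pay the full walk each time, which is the trade the `hops` counter makes measurable.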