[cap-talk] short circuiting revokable proxy chains at the price of cascaded revocation?

Eric Northup digitale at digitaleric.net
Sun Jan 14 08:56:49 CST 2007


Rob Meijer wrote:
> While working on the design of dgatefs, I am running into an important
> design issue. If a resource is used through a large set of proxies
> (revocable delegations), access to the resource will normally require all
> the proxies to be used.
> As a possible alternative, that is as a major performance boost on regular
> access, each proxy could get short-circuited to directly access the
> resource.
> The price of this alternative would however be that revocation that would
> normally be a cheap operation would get really expensive. That is, we would
> end up with a cascaded revocation.

KeyKOS and its descendants do cache delegations, when they take the form 
of wrapped Segments (memory regions).  Address translations are cached 
into page tables and the CPU TLBs, but they can be de-cached at any 
time.  They *must* be de-cached when objects along the access path are 
modified.

A nice consequence of the view of the short-circuited path as a cache of 
the longer path is that only the set of active / hot paths are cached. 
If you bound the size of the cache (in particular, the maximum number of 
cached access paths which depend on any particular intermediate object), 
then you can bound the expense of the revocation cascades.

> Would such expensive cascaded revocation be a reasonable price to pay for
> the performance boost for regular access, or is this a really bad concept?

Answering that question requires data on the depths of proxy chains 
encountered, how expensive the naive follow-each-link is, and the 
expense of revocation.

-Eric
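
Added example, not part of the original message and not KeyKOS or dgatefs code: a small model of the short-circuited path as a cache over the proxy chain, where revocation de-caches every dependent path and a per-proxy bound caps the size of that cascade. The names `Proxy`, `PathCache` and `max_deps` are hypothetical, and eviction by least-recent use is an assumption.

```python
from collections import OrderedDict

class Proxy:
    """One revocable link in a delegation chain (constructed model)."""
    def __init__(self, target):
        self.target = target   # next Proxy, or the resource itself
        self.revoked = False

class PathCache:
    """Short-circuit cache: entry proxy -> resource, with reverse dependencies."""
    def __init__(self, max_deps=2):
        self.max_deps = max_deps     # bound on cached paths per proxy (>= 1)
        self.cache = OrderedDict()   # entry -> (resource, path), LRU order
        self.deps = {}               # proxy -> entries whose path crosses it

    def resolve(self, entry):
        if entry in self.cache:      # fast path: short-circuited access
            self.cache.move_to_end(entry)
            return self.cache[entry][0]
        path, node = [], entry
        while isinstance(node, Proxy):   # slow path: follow each link
            if node.revoked:
                raise PermissionError("delegation revoked")
            path.append(node)
            node = node.target
        for p in path:               # keep every proxy under its bound
            users = self.deps.setdefault(p, set())
            while len(users) >= self.max_deps:
                # evict the least recently used entry that depends on p
                self._drop(next(e for e in self.cache if e in users))
        self.cache[entry] = (node, path)
        for p in path:
            self.deps[p].add(entry)
        return node

    def _drop(self, entry):
        _, path = self.cache.pop(entry)
        for p in path:
            self.deps[p].discard(entry)

    def revoke(self, proxy):
        """Revoke and de-cache every short-circuit that depends on proxy."""
        proxy.revoked = True
        victims = list(self.deps.get(proxy, ()))
        for e in victims:
            self._drop(e)
        return len(victims)          # cascade size, at most max_deps
```

An evicted path is not lost: the next access walks the full chain again, so the bound trades hit rate for a fixed worst-case revocation cost.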

