[cap-talk] kernel object knowledge
Jonathan S. Shapiro
shap at eros-os.com
Tue May 29 13:53:15 EDT 2007
On Tue, 2007-05-29 at 00:04 -0700, Jed Donnelley wrote:
> Any capability system worthy of the name must include an extension
> mechanism that can implement what we have referred to as
> invisible membranes - able to "membrane" or proxy any other capability,
> including presumably any sort of 'kernel' known or supported
> capability.
I do not agree, but I think that my disagreement may be a matter of
"fine print". I would like to find out.

There are two readings that I could take of your statement above:

1. It must be possible to front-end a capability at the "transport"
   (i.e. bare invocation) layer without knowledge of the capability's
   protocol. From a transport perspective I believe this is possible in
   KeyKOS and EROS. It is *technically* possible in Coyotos, but the
   storage cost involved is prohibitive (because messages can be very
   long).

   I refer to this as an "oblivious front end".

2. It must be possible for an interposing agent to ask the target
   object what its alleged interface is, and based on knowledge of
   the interface specification (possibly obtained from the target
   object), forward all messages to the target that the target
   alleges to accept.

   However, it is acceptable for such an agent to drop, ignore,
   mutilate, or fail messages that do not comply with the alleged
   protocol.

   That is: it is not required to be complicit in lies told by
   the target.

There are two difficulties with oblivious membranes in OS
implementations:

1. Messages are multidirectional. A correct implementation must
   understand the protocol well enough to know which capabilities
   to wrap. The specific concern is the need to understand any
   session setup protocol that may be in effect.

2. Naive (and even sophisticated) membranes must perform
   storage allocation on every invocation, except where
   they are able to recognize a capability as EQ to some
   capability that they have already wrapped. Unfortunately,
   there is no way to notify a membrane that all downstream
   membranes have released their capabilities unless the
   membranes conspire.

   This is an instance of a more general form of storage
   leaks that is sometimes used to motivate a "notify on last
   capability drop" message.
shap
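A minimal oblivious membrane, added here as an illustration of the two difficulties Shapiro lists; it is not code from the thread or from KeyKOS, EROS or Coyotos, and the Membrane, Proxy, File and Directory classes are all constructed for the example. It shows that a capability handed out by a session-setup call such as open() must itself be wrapped (and unwrapped when it flows back in), and that the membrane's wrap table grows with every new capability it sees because it cannot learn when callers drop their proxies.

```python
DATA = (int, float, str, bytes, bool, type(None))  # plain data crosses untouched

class Membrane:  # added example: proxies any capability crossing it, either way
    def __init__(self):
        self._proxies = {}  # id(target) -> proxy; this table only ever grows
        self._targets = {}  # id(proxy) -> target
    def wrap(self, obj):
        if isinstance(obj, DATA):
            return obj
        if id(obj) in self._targets:  # one of our own proxies coming back: unwrap
            return self._targets[id(obj)]
        proxy = self._proxies.get(id(obj))  # EQ check: already wrapped?
        if proxy is None:
            proxy = Proxy(self, obj)
            self._proxies[id(obj)], self._targets[id(proxy)] = proxy, obj
        return proxy

class Proxy:
    def __init__(self, membrane, target):
        object.__setattr__(self, "_m", membrane)
        object.__setattr__(self, "_t", target)
    def __getattr__(self, name):  # forward any message; wrap args and result
        m = object.__getattribute__(self, "_m")
        attr = getattr(object.__getattribute__(self, "_t"), name)
        if not callable(attr):
            return m.wrap(attr)
        return lambda *args: m.wrap(attr(*map(m.wrap, args)))

class File:  # constructed demo target
    def __init__(self, name):
        self.name = name
    def read(self):
        return "contents of " + self.name

class Directory:  # constructed demo: open() hands out a further capability
    def __init__(self):
        self.files = {}
    def open(self, name):  # same name -> the same File object (EQ)
        return self.files.setdefault(name, File(name))
    def is_open(self, f):  # a capability flowing back in must be unwrapped
        return f in self.files.values()

def demo(n_tmp=3):
    m = Membrane()
    d = m.wrap(Directory())
    f1, f2 = d.open("a"), d.open("a")
    for i in range(n_tmp):
        d.open("tmp%d" % i).read()  # caller drops the proxy at once; membrane can't tell
    return f1 is f2, type(f1) is Proxy, d.is_open(f1), f1.read(), len(m._proxies)
```

Keying the tables by id() is sound here only because the tables themselves keep every target and proxy alive, which is precisely the storage the post says a membrane cannot release without cooperation from downstream.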