[cap-talk] kernel object knowledge

Charles Landau clandau at macslab.com
Wed May 30 13:09:16 EDT 2007 

At 1:53 PM -0400 5/29/07, Jonathan S. Shapiro wrote:
>On Tue, 2007-05-29 at 00:04 -0700, Jed Donnelley wrote:
>
>>  Any capability system worthy of the name must include an extension
>>  mechanism capable that can implement what we have referred to as
>>  invisible membranes - able to "membrane" or proxy any other capability,
>>  including presumably any sort of 'kernel' known or supported
>>  capability.
>
>I do not agree, but I think that my disagreement may be a matter of
>"fine print". I would like to find out.
>
>There are two readings that I could take of your statement above:
>
>1. It must be possible to front-end a capability at the "transport"
>    (i.e. bare invocation) layer without knowledge of the capability's
>    protocol. From a transport perspective I believe this is possible in
>    KeyKOS and EROS. It is *technically* possible in Coyotos, but the
>    storage cost involved is prohibitive (because messages can be very
>    long).
>
>    I refer to this as an "oblivious front end".
>
>2. It must be possible for an interposing agent to ask the target
>    object what it's alleged interface is, and based on knowledge of
>    the interface specification (possibly obtained from the target
>    object), forward all messages to the target that the target
>    alleges to accept.
>
>    However, it is acceptable for such an agent to drop, ignore,
>    mutilate, or fail messages that do not comply with the alleged
>    protocol.
>
>There are two difficulties with oblivious membranes in OS
>implementations:
>
>   1. Messages are multidirectional. A correct implementation must
>      understand the protocol well enough to know which capabilities
>      to wrap.
>
>   2. Naive (and even sophisticated) membranes must perform
>      storage allocation on every invocation

to wrap every capability passed

>, except where
>      they are able to recognize a capability as EQ to some
>      capability that they have already wrapped.

Don't these difficulties apply also to non-oblivious membranes, 
though to a lesser degree? A non-oblivious membrane may know that 
some capabilities do not need to be wrapped, but there may still be 
some that do need to be wrapped. At best, a non-oblivious membrane 
simply lowers the bound of storage required (possibly lowering it 
from infinite to finite).

More information about the cap-talk mailing list