[cap-talk] Sensory entry points (start keys) in Gnosis like systems
Bill Frantz
frantz at pwpconsult.com
Sun Jul 18 16:17:20 PDT 2010
Last Friday a number of us were discussing computer architecture
issues when Mark Miller said, "I really wish you could pass
start keys[1] through sense keys[2]."
For those who aren't familiar with Gnosis and similar systems
such as KeyKOS, EROS, CapROS, and Coyotos; a start key is like
an object reference in that it lets you invoke the object's
methods, without being able to access the object's internals. A
sense key forces any keys fetched through it to be "sensory",
which means essentially that they may not be used to send
information, only to fetch it. The current version of sensory
keys is most useful for use with memory segments, where they
give a read-only view of the memory.
I made the observation that no-hole[3] factory requestor keys[4]
could be passed through the sensory filter without changing any
of the important Gnosis security assertions. (Please, if you are
even a bit nervous about this contention, speak up.) Changing
Gnosis to pass no-hole requestor's keys would allow at least one
type of start key, and perhaps provide useful function.
A fruitful discussion ensued with active input from Norm Hardy,
Brian Werner, Chip Morningstar, Keven Reed and Alan Karp among
others. This email is meant to document and extend these ideas.
Let's define, for the sake of exposition, two objects, the active
object A which was built by factory FA and the observer object O
which can access the internal state of A and is built by factory
FO. Also note that when building FO, one can install a sense key
to a running domain's memory as a component of a new factory
without adding to the hole count.[5]
In theory, we could also install a sense key to the "_general
key node"[6] of A, but in the current Gnosis implementation, the
_general key node is closely held. Such a sensory key would
allow O to fetch sensory versions of any of A's keys.
Even without access to A's keys, O can read A's memory and
implement most "getter" functions.
It was noted that to be truly useful, this facility would need
to be usable in cascade, so O can access the observer domains
for the objects that A uses. "Fetcher" factories[4] provide
similar function.
It was also noted that writing code to implement O would be
quite difficult as A can change the invariants of its state
while O is running since A and O are separate domains.
So, let me see if I can sketch a solution to these problems, at
least well enough so Mark can try to apply the ideas in the
language design area.
The problem of changing invariants can be addressed by allowing
a running process in only one of A and O at a time. I can think
of two ways off the top of my head to implement this feature,
one is to have two views of a single domain, and the other is to do
some magic with the scheduler. Both of these approaches seem to
introduce significant timing channels.
Another approach uses a virtual copy object with commit for A's
memory. Before A changes its memory, it makes a virtual copy.
When the invariants again hold, A can commit the changes. O only
sees the most recently committed changes. This reduces the
timing channel to the one that is always present when two
objects share memory. However it incurs the cost of the commit operation.
If we define a new version of the sense key that can locate (by
convention) the sensory version of a domain and make the change
alluded to above allowing O sensory access to A's _general keys
node, then we can solve the cascade problem. From my memory of
the implementation of the Gnosis kernel, I don't think allowing
such sensory access would be too difficult.
Implementing the new sense key probably has many solutions. Off
the top of my head, one is to have a slot in the domain which is
defined to hold FO. When fetching a start key to A through the
new sensory key, if that slot holds a no-hole factory, that
factory is returned. A specific return code can specify whether
the caller needs to get the yield of the factory, or can use the
sensory result directly.
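As an added illustration (example code, not part of the original post and not from any Gnosis, KeyKOS, EROS, CapROS or Coyotos implementation), here is a small Python model of the filtering described above: a memory key fetched through a sense key becomes read-only, a no-hole factory requestor key passes through unchanged, and a start key is answered with the requestor key of the target domain's observer factory together with a return code telling the caller to obtain the factory's yield. The key types, the integer hole count, the observer-factory slot in the domain, the `Code` return codes and the names `A`, `B`, `FO_B` are all simplifications assumed for the example; the cascade at the end shows O reaching B's memory read-only through A's start key.

```python
"""Toy model of the sensory filter in a Gnosis/KeyKOS-like capability system.

Constructed example: key types, the integer hole count, the observer-factory
slot and the return codes are assumptions made for illustration only.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Code(Enum):
    DIRECT = "sensory key usable directly"
    NEED_YIELD = "invoke the returned factory and use its yield"
    DENIED = "key does not pass the sensory filter"


@dataclass
class Segment:
    data: bytearray


@dataclass
class MemoryKey:
    seg: Segment
    read_only: bool = False

    def size(self) -> int:
        return len(self.seg.data)

    def read(self, i: int) -> int:
        return self.seg.data[i]

    def write(self, i: int, v: int) -> None:
        if self.read_only:
            raise PermissionError("sensory memory key is read-only")
        self.seg.data[i] = v


@dataclass
class Domain:
    name: str
    general_keys: dict = field(default_factory=dict)  # the "general key node"
    observer_factory: Optional["Factory"] = None       # assumed FO slot


@dataclass
class Factory:
    name: str
    holes: int                         # 0 means no non-sensory outward channel
    observes: Optional[Domain] = None  # what an observer factory's yield can see

    def request(self) -> "SenseKey":
        # Yield of an observer factory: a sense key to the observed domain's node.
        return SenseKey(self.observes)


@dataclass
class RequestorKey:
    factory: Factory


@dataclass
class StartKey:
    domain: Domain


@dataclass
class SenseKey:
    node: Domain

    def fetch(self, slot: str):
        return make_sensory(self.node.general_keys[slot])


def make_sensory(key):
    """Apply the sensory filter to a key fetched through a sense key."""
    if isinstance(key, MemoryKey):
        return MemoryKey(key.seg, read_only=True), Code.DIRECT
    if isinstance(key, SenseKey):
        return key, Code.DIRECT                  # already sensory
    if isinstance(key, RequestorKey) and key.factory.holes == 0:
        return key, Code.DIRECT                  # no-hole requestor keys pass unchanged
    if isinstance(key, StartKey):
        fo = key.domain.observer_factory
        if fo is not None and fo.holes == 0:
            return RequestorKey(fo), Code.NEED_YIELD   # new sense-key rule
    return None, Code.DENIED                     # anything else could carry data out


def build_scenario() -> SenseKey:
    """A holds memory, a start key to B and two requestor keys; O holds a sense key to A."""
    b = Domain("B", {"mem": MemoryKey(Segment(bytearray(b"B-state")))})
    b.observer_factory = Factory("FO_B", holes=0, observes=b)
    a = Domain("A", {
        "mem": MemoryKey(Segment(bytearray(b"A-state"))),
        "b": StartKey(b),
        "clean": RequestorKey(Factory("NoHole", holes=0)),
        "leaky": RequestorKey(Factory("OneHole", holes=1)),
    })
    return SenseKey(a)


def filter_codes(sense_a: SenseKey) -> dict:
    """Return code produced for every slot of A's node when fetched sensorily."""
    return {slot: sense_a.fetch(slot)[1] for slot in sense_a.node.general_keys}


def sensory_write_blocked(sense_a: SenseKey) -> bool:
    """True if a write through the sensory memory key is refused."""
    mem, _ = sense_a.fetch("mem")
    try:
        mem.write(0, ord("X"))
    except PermissionError:
        return True
    return False


def cascade_read_b(sense_a: SenseKey) -> bytes:
    """O follows A's start key to B's observer factory and reads B's memory."""
    key, code = sense_a.fetch("b")
    assert code is Code.NEED_YIELD
    sense_b = key.factory.request()
    mem_b, code = sense_b.fetch("mem")
    assert code is Code.DIRECT
    return bytes(mem_b.read(i) for i in range(mem_b.size()))
```

The interesting case is `leaky`: a requestor key for a factory with a hole is refused outright, because its yield could carry information out, whereas the start key to B is not refused but replaced by something strictly weaker, the no-hole observer factory, which is why the caller needs a distinct return code to know it must request the yield rather than use the result as a key to B.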
Comments are more than welcome.
[1] <http://www.cis.upenn.edu/~KeyKOS/agorics/KeyKos/Gnosis/18.html#entry>
[2] <http://www.cis.upenn.edu/~KeyKOS/agorics/KeyKos/Gnosis/34.html#sense-int>
[3] <http://www.cis.upenn.edu/~KeyKOS/agorics/KeyKos/Gnosis/73.html#hole>
[4] <http://www.cis.upenn.edu/~KeyKOS/agorics/KeyKos/Gnosis/68.html>
[5] To build FB, it is sufficient to have a start key to A and
the builder's key for FA.
[6] <http://www.cis.upenn.edu/~KeyKOS/agorics/KeyKos/Gnosis/15.html#realdom>
--
Text by me above is hereby placed in the public domain
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz        | When it comes to the world     | Periwinkle
(408)356-8506      | around us, is there any choice | 16345 Englewood Ave
www.pwpconsult.com | but to explore? - Lisa Randall | Los Gatos, CA 95032