Split Capabilities: Making Capabilities Scale
Karp, Alan
alan_karp@hp.com
Fri, 14 Jul 2000 09:06:39 -0700
> -----Original Message-----
> From: Jonathan S. Shapiro [mailto:shap@eros-os.org]
> Sent: Thursday, July 13, 2000 6:08 PM
> To: Karp, Alan; e-lang@eros-os.org
> Subject: Re: Split Capabilities: Making Capabilities Scale
>
>
> > I love a hostile audience...
>
> Oh dear. I hope not hostile.
Of course not, although I've had hostile (mostly inside HP), and I've
enjoyed that, too.
>
> > Where do the directories get their capabilities from?
>
> If you hold a read-write capability to a directory you can install a (name, cap) pair in it. Common design patterns are:
>
> 1. directory is given to you by administrator, e.g. at account creation.
> 2. directory is private. you get back what you put in ("Life is like a sewer. What you get out of it depends on what you put into it." -- Tom Lehrer)
> 3. directory is mutably shared, in which case you might get out what I put in if we are the sharers.
>
The same as in e-speak.
>
> > E-speak bounds the capabilities to the agents that use them across restarts.
> > In e-speak Beta 3.0, these capabilities can be kept in a persistent place, such as a file or a database.
>
> Since agents are not persistent in E-speak, I take it that you mean to say that E-speak binds the capabilities to the executable image from which the agent will run when restarted. This is better than what we have now, but for many applications it isn't good enough. There are cases where I really want different capabilities for each instance. For example, your wallet agent vs. my wallet agent.
The process the agent runs in is not persistent, nor is its execution state.
E-speak binds the capabilities to the agent's protection domain, not its
executable image. The agent's protection domain can be persistent, so that
its security environment persists across restarts. The first thing an agent
does when starting is attach to its protection domain.
This approach means that capabilities are definitely not associated with an
executable image and not necessarily attached to an instance. Instead, they
are attached to principals, each principal having its own protection domain.
Hence, your wallet has a different capability than mine, but I can have two
wallets controlled by the same capability.
>
> > Well, I don't know about 3 years, but our VM/CMS IBM mainframe only went down for maintenance.... HP machines have a similar track record.
>
> Our experience in the lab with our HP machines was dismal. I think that much of perceived reliability is a function of load variance. If you only run a couple of apps it's pretty easy to run them all for a long time.
Hmmm, strange. HP is promising 4 9s (99.99%) uptime this year and 5 9s next
year. That's only 5 minutes a year of unscheduled down time. Reliability
is the main reason Amazon gave for replacing its Sun servers with HP
machines. Probably, their environment is more controlled than the one you
work in. I know my HP-UX desktop machine only goes down if there's a power
failure, but again, I don't know enough about operating systems to be
dangerous.
>
> > One MP/E server was found walled up in a Longs Drug Store. According to the service rep, the walls had gone up 2 years before. Is that because these OSes don't have dynamic structures, or for some other reason?
>
> As I recall, MP/E had very very few dynamically allocatable structures in the kernel once the system was initialized. Here again, though, my reliability experience with MP/E wasn't as good as this.
Since no one knew where the machine was, I bet the environment was extremely
stable.
>
> > Ah, but non-selective revocation doesn't need preplanning in e-speak Beta 2.2.
>
> Nor in EROS/KeyKOS. You simply bump the version number on the object and all outstanding capabilities die quietly.
I think this form of strong revocation is important. Relying on CRLs to
propagate is asking for trouble.
>
> By the way, I am greatly enjoying this discussion.
>
Me too. I told Mark when he was here that I feel alive again. I spent
almost 3 years banging my head against the wall trying to make people
understand the basic concepts of capabilities to little avail. Talk about
frustration! It's great to be talking to people who are way ahead of me in
this area.
_________________________
Alan Karp
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
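As an added illustration (not code from this thread, from EROS/KeyKOS, or from e-speak), here is a toy capability table in Python that models the two mechanisms the exchange touches on: a directory that holds (name, cap) pairs and accepts installs only through a read-write directory capability, and non-selective revocation by bumping the object's version number so that every outstanding capability to it dies quietly. The `Kernel`, `Obj` and `Cap` names, the read/write rights model, and the rule that the revoker receives a fresh capability after the bump are assumptions of this example.

```python
from dataclasses import dataclass

class Revoked(Exception): "Stale version: this capability has died quietly."

@dataclass
class Obj:
    payload: object   # a directory is just an object whose payload is a dict of (name, cap)
    version: int = 0  # bumped to revoke every outstanding capability to the object at once

@dataclass(frozen=True)
class Cap:
    oid: int          # which object
    version: int      # object version this cap was minted against
    rights: frozenset # subset of {"read", "write"}

class Kernel:
    """Toy object table (hypothetical; not EROS/KeyKOS or e-speak code)."""
    def __init__(self):
        self.objects = {}
    def create(self, payload):
        oid = len(self.objects)
        self.objects[oid] = Obj(payload)
        return Cap(oid, 0, frozenset({"read", "write"}))
    def alive(self, cap):
        return self.objects[cap.oid].version == cap.version
    def deref(self, cap, need):
        if not self.alive(cap):
            raise Revoked(cap.oid)
        if need not in cap.rights:
            raise PermissionError(need)
        return self.objects[cap.oid]
    def revoke_all(self, cap):
        """Non-selective revocation: bump the version; hand the revoker a fresh cap (assumption)."""
        obj = self.deref(cap, "write")
        obj.version += 1
        return Cap(cap.oid, obj.version, cap.rights)
    def install(self, dir_cap, name, cap):   # requires a read-write directory cap
        self.deref(dir_cap, "write").payload[name] = cap
    def lookup(self, dir_cap, name):
        return self.deref(dir_cap, "read").payload[name]

def demo():
    k = Kernel()
    home = k.create({})                      # directory "given at account creation"
    wallet = k.create({"balance": 42})
    k.install(home, "wallet", Cap(wallet.oid, wallet.version, frozenset({"read"})))  # attenuated copy
    ro = k.lookup(home, "wallet")            # you get back what you put in
    before = k.deref(ro, "read").payload["balance"]
    owner = k.revoke_all(wallet)             # version bump: ro and wallet are now both dead
    return before, k.alive(ro), k.deref(owner, "read").payload["balance"]
```

No revocation list is propagated anywhere: a stale capability is rejected at the moment of use because its version no longer matches the object's.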