Re: "Mike Laskin": EROS Problems we discovered
Bill Frantz (frantz@communities.com)
Tue, 27 Apr 1999 11:43:27 -0700

At 12:12 PM 4/26/99 -0400, shapj@us.ibm.com wrote:
>All that said, checkpoints are something I'm not sure I would do the same way
>again.

The reason Norm, Charlie and I originally implemented persistence is to solve what is called the Secure Restart problem. We saw a system where the security tokens (capabilities) needed to be transferred with very high performance. We needed a way to ensure that after a system restart, there was no chance of the system, or the security-sensitive programs running in the system, passing the wrong capability. We thought that having this property was worth the large amount of pain caused by the new paradigm.

One of the very early designs had a more traditional "what's on disk is permanent, what's in main storage is lost" paradigm. It was called the "shared key table" and required publishing in the shared key table every capability that you wanted to share. (This design predated full appreciation of the value of very small protection domains.)

I am interested in different solutions to the secure restart problem.