S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, Aug. 1986.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....On the one hand, disk space is usually managed with a quota system which limits the amount of space a user can occupy. Alternatively, economic models can be used, which associate a price with a resource, and users buy or rent space, involving some form of payment [Anderson et al. 1986, Mullender and Tanenbaum, 1986, Drexler and Miller, 1988, Heiser et al. 1998b] On the other hand, processor time is allocated according to some priority scheme. Priorities can be hard, meaning that a process will only execute if no higher priority process is runnable, or soft, meaning that a process priority in uences the ....

.... Secondary Storage Management Mungi has a secondary storage management model designed to control the proliferation of objects in the system [Heiser et al. 1998b] This model is based on the rent scheme in the Monash Password Capability System [Anderson et al. 1986] and bank accounts from Amoeba [Mullender and Tanenbaum, 1986]. Its main objective is to ensure users do not starve or exploit others through excessive use. 2.2.1 Bank Accounts Secondary storage is managed by charging rent for backing store usage through special objects called bank accounts. Accounts with money available for rent charging have a nancial ....

[Article contains additional citation context not shown here]

Mullender, S. J. and Tanenbaum, A. S. (1986). The design of a capability-based distributed operating system. The Computer Journal, 29:289-299.

....On the one hand, disk space is usually managed with a quota system which limits the amount of space a user can occupy. Alternatively, economic models can be used, which associate a price with a resource, and users buy or rent space, involving some form of payment [Anderson et al. 1986, Mullender and Tanenbaum, 1986, Drexler and Miller, 1988, Heiser et al. 1998b. On the other hand, processor time is allocated according to some priority scheme. Priorities can be hard, meaning that a process will only execute if no higher priority process is runnable, or soft, meaning that a process priority influences the ....

.... Storage Management Mungi has a secondary storage management mode] designed to control the proliferation of objects in the system [Heiser et al. 1998b] This model is based on the rent scheme in the Monash Password Capabil ity System [Anderson et al. 1986] and bank accounts from Amoeba [Mullender and Tanenbaum, 1986]. Its main objective is to ensure users do not starve or exploit others through excessive use. 2.2.1 Bank Accounts Secondary storage is managed by charging rent for backing store usage through special objects called bank accounts. Accounts with money available for rent charging have a financial ....

[Article contains additional citation context not shown here]

Mullender, S. J. and Tanenbaum, A. S. (1986). The design of a capability-based distributed operating system. The Computer Journal, 29(4):289-299.

....que, sur un certain nombre de sites au moins, on puisse avoir confiance dans le systme chargt. Ainsi dans le systme Andrew, le systme global est il vu comme un ensemble de stations non stires appeltes Virtue connecttes hun ensemble de serveur stirs appelts Vice [Satyanarayanan 89] Dans Amoeba [Mullender 86] Tanenbaum 90] certains serveurs sont stirs et on peut disposer d un mattriel, appel6 F Box, qui contrtle l accs au rtseau TM. Une seconde mesure [Ingels 90] consiste d une part h limiter ce qu un utilisateur peut faire h partir d une station non stire (ainsi dans Andrew, un fichier global ne ....

S. J. Mullender, A. S. Tananbaum, The design of a capability-based distributed operating system, Computer Journal, vol. 29, n 8, Aug. 86, pp. 289-299 57

....CAS server to keep track of its membership and fine grained access control policies. A user wishing to access community resources contacts the CAS server, which delegates rights to the user based on the request and the user s role within the community. These rights are in the form of capabilities [4], which users can present at a resource to gain access on behalf of the community. The user effectively gets the intersection of the set of rights granted to the community by the resource provider and the set of rights defined by the capability granted to the user by the community. The CAS ....

Mullender, S.J. and A.S. Tanenbaum, The Design of a Capability-Based Distributed Operating System. The Computer Journal. 29: p. 289-99.

....[16] into the area of distributed and massively parallel systems. In the following subsection, the basic abstractions employed to build the PEACE distributed operating family are described. 2. 1 Threads and Teams Following state of the art distributed operating systems, above all V [5] and Amoeba [27], the PEACE process model distinguishes between heavyweight pro cess and lightweight process . Heavyweight processes are teams of lightweight processes, i.e. shells for one or more instances of threads. The term process is used as a synonym for either thread or team. Teams define a global ....

S. J. Mullender, A. S. Tanenbaum, "The Design of a Capability-Based Distributed Operating System," The Computer Journal, Vol. 29, No. 4, pp. 77 100, March, 1986.

....this is formalized in Lemma 6.5. 3. Access Judgment: A subject s can access right r on o iff it possesses at least one of the tickets (capabilities) for that object right pair. Formally, WS s (o; r) def = W (s) T (o; r) 6= As an example application, we model capabilities in Amoeba [20] in Example C.2 (Appendix C) 5.2. Lampson matrix capabilities (MC row ) For purposes of comparison, we define a model for capabilities based on the rows of the Lampson access matrix. Our analysis will show that this view is not the same as capabilities as unforgeable bit strings. We model this ....

S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, Aug. 1986.

....RESTCLK does not seek to set policies for security. It merely provides mechanisms at its lowest level that make security enforcement possible. It is instructive here to examine a bit the analogy with well known resource management systems, like database management systems [9] or operating systems [36]. These systems also do not set security policies. Instead provide abstractions in terms of which an application system designer may define security policies. They also provide mechanism which may be used to enforce security policies defined in terms of the said abstractions. Taking analogy from ....

S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. Computer Journal, 29(3), 1986.

....more difficult. In the context of persistent objects in a distributed system, we neglect the third problem since we want objects to be explicitly deleted. A number of possible alternatives have been suggested for protecting capabilities 4 . These include special architectures [22] encryption [20] and sparse (or password) capabilities [1] We base our mechanism on sparse capabilities since these require no special architecture or costly encryption algorithms and also because they alleviate the revocation problem. A sparse capability generally consists of an object identifier (for locating ....

Mullender, S.J., Tanenbaum, A.S. The Design of a Capability-Based Distributed Operating System, Computer Journal, 29,4, pp.289-299, 1986.

....examples include SPIN [3] and VINO [22] Providing a trusted path [24, 17] mechanism, such as a protected procedure call [8] or IPC. Extensions execute as user tasks, using the standard system protection mechanisms for safety. Clients invoke extensions via the trusted path. For example, Amoeba [18] used a client server model with an IPC based trusted path. An extensibility mechanism requires flexibility, safety and performance. It is now widely accepted that flexibility and safety can be provided in user space. Kernelmodule based systems are therefore motivated solely by performance, which ....

S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29:289--299, 1986.

....are connected via a wide area network. Contact: Sape J. Mullender, CWI Amsterdam, Netherlands or Andy Tanenbaum, Dept. of Mathematics and Computer Science, Vrije Universiteit, Postbus 7161, 1007 MC Amsterdam, Netherlands. References: 10] 11] 12] 13] 14] 15] 16] 17] 18] 19] [20], 21] 22] 23] 24] 25] 26] 27] 28] 29] 30] 31] 32] 2.4 Andrew Main Goal Andrew is a distributed computing environment being developed at the Carnegie Mellon University, Pittsburg in a workstation server principle. The goals of the Andrew file system are to support growth ....

S.J. Mullender and A.S. Tanenbaum, "The Design of a Capability-Based Distributed Operating System", The Computer Journal, 29(4):289--300, March 1986.

....comes from the fact that no user check is performed at the system level. Hardware based capability systems have had limited use because they only run on specific hardware. Capability based systems now running on classical hardware provide capability protection with encryption based algorithms [Mullender86]. 2.2 Multics Multics [Organick72] is a system developed at Massachussetts Institute of Technology that also runs on a specific hardware. Protection in Multics is based on access lists. The basic unit of shared data is the segment, and an access list is associated with each segment and registers ....

S.J. Mullender and A.S. Tananbaum, The design of a capability-based distributed operating system , Computer Journal, 29 (8 ), pp. 289-299, August 1986.

....protected. 2.3 Derived Capabilities As well as owner capabilities, the system provides capabilities with more restricted access rights, such as read only. A scheme is provided which allows users to derive less powerful capabilities as required. This method is similar to one proposed for Amoeba [9]. From the owner capability, C rwxd , a new capability C rwx = f(C rwxd ) where f is a well known one way function, can be derived which only gives permission to read, write and execute the object. That capability can be further restricted to C x = f x (C rwx ) which allows only execution, and ....

....on the implementation of higher software layers. We also do not want to impose limitations on the storage of capabilities, whereas MONADS uses partitioned capabilities which are kept in user inaccessible system areas. 6. 2 Amoeba Althoughnot a distributed virtual memory system, Amoeba [9] uses sparse capabilities, consistingof the port number of the server responsible for the object, an object id, access rights, and a signature. The signature is computed by applying a one way function to the access rights and a random number which is stored with the object. Capabilities are always ....

S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29:289--99, 1986.

....what is garbage, this system has the significant advantage that all accounting is done off line (by a background process) so, unlike a quota system, user operations on objects are not slowed down by the need to perform accounting. Amoeba s bank accounts Amoeba s resource management system [Mullender and Tanenbaum, 1986] is also based on the idea that money is used to pay for resources. Amoeba achieves this by introducing bank accounts as objects in their own right, rather than associating a monetary value with each object. Accounts are maintained by a bank account server, which is contacted for transactions on ....

Mullender, S. J and Tanenbaum, A. S (1986). The design of a capability-based distributed operating system. Computer J., 29:289--299.

....an extension of Concurrent Euclid; the design of Emerald [Black 86a, Black 86b, Jul 88] was based on the Eden experience. The olus language [Wilkes 86] was developed for the Clouds distributed system [LeBlanc 85] The Orca language [Bal 88b] is being implemented to program applications in Amoeba [Tanenbaum 86, Mullender 87] Finally, the Comandos project is currently developing its own programming language, called Oscar [Comandos 88] Guide may be viewed as an exploratory implementation of some of the features being developed in Oscar. The object model implemented in Guide is characterized by the ....

Tanenbaum A.S., Mullender S.J., The design of a capability-based distributed operating system, The Computer Journal, vol. 29, 4 (1986) pp. 289-300

....in a SASOS [12] Angel has no explicit protection system. Instead, it relies on the ability of an object to be accessed or a service to be named in order to protect it protection is effectively left in the hands of servers. This approach is similar to that taken in the Amoeba distributed system [13], where servers use sparse capabilities for naming and protecting objects. While the design is aimed at 64 bit architectures, the Angel prototype was implemented on i486 hardware. It therefore has not considered issues resulting from a huge, sparsely used address space. Opal [14] in contrast uses ....

....storage. In Mungi no directory services are provided by the system itself. To assist users in managing their storage, we instead use a different, and more flexible scheme, derived from the rent model used in Monash University s Password Capability System [15] and the bank accounts used in Amoeba [13]. Whenever an object is created, a bank account must be supplied, and the bank account reference is recorded in the object s OT entry. A rent collector periodically charges the account for the disk storage used by the object. A paymaster periodically deposits funds into each account. An empty or ....

S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29:289--299, 1986.

....and testing that the OID exists. Amoeba: Amoeba suggested a system where the rights and a random number are encrypted together. On presentation, the encrypted word is decrypted and if the random number matches that associated with the object, the access rights are assumed to be correct [TM84] CHAPTER 2. SECURITY AND PROTECTION 15 Password: A capability consists of an OID and a large random number. This number and the associated access rights are stored with the object. The validity of a capability is determined by matching the password with the list of valid passwords for that ....

....of aliasing. ffl Capabilities can be copied within a program just like other variables. CHAPTER 2. SECURITY AND PROTECTION 22 2.4. 7 Amoeba The dropping price of hardware, which allowed the building of large interconnected distributed systems, prompted the design of the Amoeba operating system [TM84, TMvR86] Amoeba is an exclusively client server operating system. All interaction between clients and servers is by means of IPC, which is based on unreliable datagrams (i.e. no acknowledgement, no guarantee of delivery) Messages are sent to ports, and knowledge of a port number is taken as ....

Andrew S. Tanenbaum and Sape Mullender. The design of a capabilitybased distributed operating system. Technical Report IR-88, Vrije Universiteit, November 1984.

....record capabilities in arbitrary data structures. The lack of kernel control of sparse capabilities does have a few disadvantages. Operations such as confinement and garbage collection become more difficult; although solutions such as lockwords [APW86] for confinement, and economic models [APW86] MT86] HLR98] for garbage collection, have been suggested. 2.3.3 Reference monitors Reference Monitors [AGS83] actively control access from subjects to objects. When a subject wants to access an object in the system, the reference monitor is invoked. The CHAPTER 2. SECURITY AND PROTECTION 16 ....

....and putrep (put reply) Trans is used by the client to request a service. Getreq and putrep are used by the server to get a service request and to post a reply respectively. To prevent programs from issuing getreqs on arbitrary ports, a novel authentication scheme based on one way hashing is used [MT86] This scheme can either be implemented in hardware or in software. It is believed that there are no implementations of the hardware version. Service Object Rights Random Figure 2.8: A typical Amoeba capability 2.4.8 The Monash Password Capability System Anderson, Pose and Wallace [APW86, ....

[Article contains additional citation context not shown here]

Sape J. Mullender and Andrew S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29:289--299, 1986.

....[7] is used. This approach grants object access only if a thread (i.e. subject) is in the possession of that object or one of its proxies. An object must be created and bound to a system wide unique identifier before it can be used. It is assumed that a unique identifier cannot be deduced [23]. In order to achieve this, the nucleus generates a random number which, combined with a global hash key, is used to make identifiers system wide unique. Note that this procedure works autonomously and needs not be controlled by a central system component. The creator implicitly possesses the ....

S. J. Mullender and A. S. Tanenbaum. The Design of a Capability-Based Distributed Operating System. The Computer Journal, 29(4):289--299, 1986.

....group certificates are not invalidated when group membership changes, there may be incorrect grant or denial. Similarly, an unexpired authorization certificate should be invalidated when the particular authorization has been revoked. These issues are similar to those in the use of capabilities [8, 13], and are beyond the scope of this paper. 7 This is commonly known as the push model. A pull model is one in which A itself gathers the relevant certificates from the group servers. However, it appears to be more desirable to reduce the load of A so that it does not become a bottleneck, even at ....

S.J. Mullender and A.S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, 1986.

....for unification of the address space and distribution of the functionality. A well known case is the Newcastle Connection or UNIXes Unite [Brownbridge,82] which provided one of the early distributed file systems. A distributed operating system which was built with distribution as a goal is AMOEBA [Mullender,86] Amoeba consists of four components: 1) Workstations that are used to provide higher level user interface. The workstations are expected to have a processor, a bit mapped display, and several megabytes of memory. 2) A processor pool, consisting of a number of processors and multiprocessors ....

Mullender, S. J. and Tanenbaum, A. S., "The Design of a Capability-Based Distributed Operating System," The Computer Journal, 29(4), pp. 289-300, (1986).

....protected. 2.3 Derived Capabilities As well as owner capabilities, the system provides capabilities with more restricted access rights, such as read only. A scheme is provided which allows users to derive less powerful capabilities as required. This method is similar to one proposed for Amoeba [9]. From the owner capability, C rwxd , a new capability C rwx = f(C rwxd ) where f is a wellknown one way function, can be derived which only gives permission to read, write and execute the object. That capability can be further restricted to C x = f x (C rwx ) which allows only execution, and C ....

....on the implementation of higher software layers. We also do not want to impose limitations on the storage of capabilities, whereas MONADS uses partitioned capabilities which are kept in user inaccessible system areas. 9 6. 2 Amoeba Although not a distributed virtual memory system, Amoeba [9] uses sparse capabilities, consisting of the port number of the server responsible for the object, an object id, access rights, and a signature. The signature is computed by applying a one way function to the access rights and a random number which is stored with the object. Capabilities are ....

S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29:289--99, 1986. 11

....multiple data stream (SIMD) machines is in the tens of thousands. 4 Hybrids of approaches are also appearing, such as architectures that combine both the MIMD and SIMD approach [Dun90] and the use of a pool of processors by a system of workstations to perform tasks requiring multiple processors [MT86]. Even a wide area network of heterogeneous workstations may be viewed as a single distributed computing system [BST89] A paramount question is how such diverse computers, and computers resulting from additional evolution, should be programmed. As always with software, program correctness is a ....

Mullender, S. J. and Tanenbaum, A. S. The design of a capabilitybased distributed operating system. Computer J., 29, 4 (1986), 289-300.

....some local processing of the message at reception. It is the counterpart of invoke, for end to end protocols. The receiveInvoke of a receiving channel is called before the stub of the receiver object. 2 The opaque attribute of a channel is similar to the rights field of a capability in Amoeba [Mullender and Tanenbaum 1986]. 3 This is modeled after the V System RPC [Cheriton 1984] 4 FRAGMENTED OBJECTS, OR GROUPS 12 4.4 Fragmented Objects: assessment 4.4.1 Cross context communication This is our second design for the cross context communication interface. Our previous one (see for instance [Shapiro 1989] was ....

S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, 1986.

....that the underlying operating system has a smart processor allocation strategy; that multiple processors (say, at least 8) are available; and that commands can be executed on any processor in the network without loosing efficiency. A distributed operating system that serves our needs is Amoeba [15, 16, 17]. 4. PARALLELIZING DESCRIPTION FILES In this section we consider various naive approaches in making make run commands in parallel by adapting description files. Apart from the conclusion that correct parallelization of make is not achieved by naively altering the description files, and that it ....

S. J. Mullender and A. S. Tanenbaum, "The Design of a Capability-Based Distributed Operating System," The Computer Journal, vol. 29, no. 4, pp. 289-300, March 1986.

....common network operation, performed in the same configuration, are included to give an indication of the overhead. 2. AMOEBA AND THE AMOEBA CONNECTION Amoeba is a distributed operating system developed at the Vrije Universiteit [Tanenbaum81 ] The Amoeba communication primitives are described in [Tanenbaum84]. Amoeba uses a request reply or transaction style of communication, in which the basic primitive is the client sending a request to a server and the server sending a reply back to the client. Such a pair of request and reply messages is henceforth called a transaction . The implementation ....

A.S. Tanenbaum and S.J. Mullender, "The Design of a Capability-Based Distributed Operating System," Rapport nr. IR-88, Vrije Universiteit, Amsterdam, The Netherlands (November 1984).

....Furthermore, several weather centrals exchange weather information in order to achieve a higher degree of accuracy. This kind of problem conducts the basis for StormCast. Initially, a prototype weather monitoring application (Johansen, 1988) was designed to be run on the Amoeba distributed system (Mullender and Tanenbaum, 1986) connected through a wide area network (Renesse et al. 1988) This concept was further developed in a previous version of StormCast (Hartvigsen and Johansen, 1988) This paper presents the StormCast distributed artificial intelligence application, the motivation for the chosen architecture and ....

Mullender, S.J., and A.S. Tanenbaum (1986). The design of a capability-based distributed operating system. The Computer Journal, 29, 289-299.

....Message passing, Remote Procedure Call (RPC) and Distributed Shared Memory (DSM) are a few of the programming abstractions commonly supported by distributed operating systems. The early distributed systems were built with message passing as the underlying model for distributed computation. Amoeba [47] and the V system [18] are examples of message based distributed systems. Message based operating systems support processes that communicate via explicit message send and receive calls. Message based systems require the programmer to pack data into a buffer which is given to the send call. The ....

S. J. Mullender and A. S. Tanenbaum. The design of a capability based distributed operating system. The Computer Journal, 29(4), March 1986.

....the appropriate solution. This approach grants object access only if a thread (i.e. subject) has possession of that object or one of its proxies. An object must be created and bound to a systemwide unique identifier before it can be used. It is assumed that a unique identifier cannot be deduced [15]. In order to achieve this, the nucleus generates a random number which, combined with a global hash key, is used to make identifiers systemwide unique. Note that this procedure works autonomously and need not be controlled by a central system component. Once instantiated, the creator implicitly ....

S. J. Mullender and A. S. Tanenbaum. The Design of a Capability-Based Distributed Operating System. The Computer Journal, 29(4):289--299, 1986.

....model to construct family members was taken from Thoth [3] Peace is the evolutionary successor of Ax. The design strongly followed the idea of Moose and relied on an extremely efficient microkernel as minimal basis for the operating system family. Important influences came from V [4] Amoeba [11], and Mach [21] Compared to its ancestors , the Peace microkernel was of significantly less complexity and higher performance. 1982) 1984) 1986) 1990) Choices Mach UNIX MOOSE AX PEACE objective PEACE FAMOS DAS operating system family Amoeba QNX V Thoth Figure 1: History of ....

S. J. Mullender and A. S. Tanenbaum. The Design of a Capability-Based Distributed Operating System. The Computer Journal, 29(4):289--299, 1986.

....authentication and authorization server. Although they share a common mechanism, it seems apparent now that there is little to be gained by requiring all three services to be co located. Like the accounting mechanism described here, Sentry pointed out the need to support multiple currencies. Amoeba[6] supports a distributed bank server identical in purpose to the accounting server based on restricted proxies. The protocol used by Amoeba s bank server is significantly different, however. In Amoeba, a client must contact the bank and transfer funds into the server s account before it contacts ....

S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, 1986.

....group certificates are not invalidated when group membership changes, there may be incorrect grant or denial. Similarly, an unexpired authorization certificate should be invalidated when the particular authorization has been revoked. These issues are similar to those in the use of capabilities [8, 13], and are beyond the scope of this paper. Lastly, a secure update protocol is needed for E to notify A of any changes in spec. 4 The GACL Language Terminology. To differentiate between our language of generalized access control list from a particular generalized access control list, we will ....

S.J. Mullender and A.S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, 1986.

....in these types of environments, events such as host failures, host recoveries, and network partitions can be frequent and must be tolerated by the access control protocol. The problem of access control in distributed environments has been explored in a number of systems. For example, Amoeba [16] and the Andrew file system [24] use capabilities and access lists, respectively. Capability based access control is also explored in [11] while [18] and [30] describe solutions based on access lists. Access control in This work supported in part by the Office of Naval Research under grant ....

S. Mullender and A. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, Mar 1986.

.... representations of a global access control matrix [Lam74] An access control matrix can be viewed either from the point of view of an accessing subject (the rows of the matrix) or from the point of view of an accessed object (the columns of the matrix) Capabilities implement the subject view [CJ75, MT86, WN85], ACLs implement the object view [Org85] While formally both matrix representations are equivalent, the implementations of both concepts nevertheless have quite different properties with respect to delegation or revocation. The paper shows that there is in much the same way a similar duality ....

S.J. Mullender and A.S. Tanenbaum. The Design of a Capability-Based Distributed Operating System. The Computer Journal, 29(4):289--299, 1986.

....constructed a working prototype system. We will cover most of the traditional operating system design issues, including communication, protection, the file system, and process management. We will not only explain what we did, but also why we did it. 2 Overview of Amoeba The Amoeba Project [Mullender and Tanenbaum, 1986] is a joint effort of groups at the Free University (VU) and the Centre for Mathematics and Computer Science (CWI) both in Amsterdam. The VU group is led by Andrew S. Tanenbaum, the CWI group by Sape J. Mullender. The project has been underway now for nearly ten years and has gone through ....

Mullender and Tanenbaum [1986] S. J. Mullender and A. S. Tanenbaum, The Design of a Capability-Based Distributed Operating System, The Computer Journal 29(4), 1986, 289--300.

No context found.

Mullender, S.J., and Tanenbaum, A.S.: "The Design of a Capability-Based Distributed Operating System," Computer Journal, vol. 29, pp. 289-299, Aug. 1986.

....inherently slow, for example, because it has to provide a high degree of fault tolerance, or because it was built on top of another operating system, such as the UNIX operating system, to facilitate development. In this paper we describe the performance of the Amoeba distributed operating system [2, 3]. This system was designed to be used, and therefore we have devoted considerable energy to performance. The system uses the popular object oriented model for distributed computing, in connection with remote procedure calls and lightweight processes. ################## This research was ....

....same time by having a thread per transaction. To avoid race conditions and simplify programming, the threads are only rescheduled when the currently running thread blocks, that is, threads are nonpre emptive. 2.2. Capabilities All objects in Amoeba are named and protected by capabilities . [2, 12] Capabilities, combined with transactions, provide a uniform interface to all objects in the Amoeba system. A capability has 128 bits, and is composed of four fields, as shown in Fig. 2. 1) The server port : a 48 bit sparse address identifying the server process that manages the object. A server ....

Mullender, S. J. and Tanenbaum, A. S., "The Design of a Capability-Based Distributed Operating System," The Computer Journal: , Vol. 29, No. 4, pp. 289-300, March 1986.

....availability of AC. We have presented a technique for calculating the availability of replicated data from any point in an internetwork, to allow designing an optimal configuration. Using VWG we are currently designing a replicated directory service for the Amoeba distributed operating system [13]. A directory maps ASCII names to object identifiers in the form of capabilities [14] We will support atomic lookup, install, and delete operations on directory entries of multiple directories. In a version based system this will allow installing a new version of a set of objects atomically. ....

S. J. Mullender and A. S. Tanenbaum, "The Design of a Capability-Based Distributed Operating System," The Computer Journal, vol. 29, no. 4, pp. 289-300, March 1986.

....Laboratories. 76 Files are still subdivided into blocks. To take some advantage of new technology, the size of blocks has been increased, and the memory caches have been enlarged. This has led to a marginal performance improvement. As part of the Amoeba distributed operating system project [2] we have designed and implemented a file server that is intended for current and future computer and disk technology. We have devoted considerable energy to making the file server fast. Since we believe we have achieved this goal, we have named it the Bullet file server . Among its features are ....

....a section to Amoeba. In this section we will also describe the naming service of Amoeba, which plays a role in how data structures, especially large ones, may be stored efficiently on immutable files [7] In the following section we will describe the Bullet file interface. 2.1. Amoeba Amoeba [2,3] is a distributed operating system that was designed and implemented at the Vrije Universiteit in Amsterdam, and is now being further developed there and at the Centre for Mathematics and Computer Science, also in Amsterdam. It is based on the object model. An object is an abstract data type, and ....

Mullender, S. J. and Tanenbaum, A. S., "The Design of a Capability-Based Distributed Operating System," The Computer Journal, Vol. 29, No. 4, pp. 289-300 (March 1986).

....limited functionality and additional functionality provided by application level services. Distributed operating systems typically implement the mechanisms for process managemment and interprocess communication. In most of the important distributed operating systems kernels [Cheriton et al. 1986; Mullender and Tanenbaum, 1986; Rozier et al. 1988] the interprocess communication is usually blocking and parallelism is achived through leightweigth threads of ontrol sharing an address space. Semaphores or something similar usually provide synchronization between these threads. This particular system structure is one of ....

....efficient highspeed protocols can be used locally, tailored to the applications for which they are used, and standardised efficient long haul protocols can be used in the wide area network. Distributed systems will mostly be object oriented [Lazowska et al. 1981] and based on the service model [Mullender and Tanenbaum, 1986], that is, objects will be managed by services, and clients will do operations on those objects through the mediation of server processes. The system will support a name space for services and objects. Application programs will never have to use network addresses directly. Workstations will have ....

S. J. Mullender and A. S. Tanenbaum [1986]. The Design of a Capability-Based Distributed Operating System. The Computer Journal 29 (4) : 289-300, 1986.

....The measurements show that significant speedups can be obtained for all three applications. 1. INTRODUCTION As communication in loosely coupled distributed computing systems is getting faster, such systems become more and more attractive for running parallel applications. In the Amoeba system [Mullender and Tanenbaum 1986], for example, the cost of sending a short message between Sun workstations over an Ethernet is 1.4 milliseconds [Van Renesse et al. 1989] Although this is still slower than communication in most multicomputers (e.g. Hypercubes and transputer grids) it is fast enough for many coarse grained ....

....shared data object model, using the layered approach described in the previous section. The prototype runs on the bare hardware, rather than on top of an operating system. In effect, it is a new kind of operating system designed specifically for parallel applications. It uses the Amoeba protocols [Mullender and Tanenbaum 1986] to communicate with our local UNIX and Amoeba systems. The prototype runs on two different systems. One implementation runs on a multiprocessor with 10 16 Mhz MC68020 CPUs. The system contains 8Mb of shared memory, which is accessible through a VME bus. This implementation uses the shared ....

Mullender, S. J. and Tanenbaum, A. S., The Design of a Capability-Based Distributed Operating System, The Computer Journal, Vol. 29, No. 4, pp. 289-300, Mar. 1986.

....use the same hardware: a collection of 10 MC68020 CPUs connected by a 10 Mbit sec Ethernet , but use different communication primitives and consistency protocols. 3. AN IMPLEMENTATION USING POINT TO POINT COMMUNICATION The first run time system we have implemented for Orca runs on top of Amoeba [Mullender and Tanenbaum 1986]. It uses point to point messages (RPC) for interprocess communication. Below, we will look at each of the three design issues discussed in Section 2 and motivate our choices. In Section 5.1 we will describe the performance of this system. 3.1. Invalidation versus Updating The first issue is the ....

Mullender, S. J. and Tanenbaum, A. S., The Design of a Capability-Based Distributed Operating System, The Computer Journal, Vol. 29, No. 4, pp. 289-300, Mar. 1986.

No context found.

Mullender, S.J., and Tanenbaum, A.S. "The Design of a Capability-Based Distributed Operating System," Computer Journal, vol. 29, pp. 289-299, Aug. 1986.

....fairly complex distributed algorithms can be implemented on such a system using RPC. Measurements on the performances of these algorithms are presented in the last section. 2. THE AMOEBA SYSTEM The Amoeba Distributed Operating System [Mullender and Tanenbaum 1985; Tanenbaum and Mullender 1981; Mullender and Tanenbaum 1984, 1986; Tanenbaum et al. 1986] consists of a collection of (possibly different) processors, each with its own local memory, which communicate over a local network. Currently, we use mainly Motorola 68010 processors connected by a 10 Mbps token ring (Pronet) although Amoeba also runs on the VAX, ....

Mullender, S. J. and Tanenbaum, A. S., "Design of a Capability-Based Distributed Operating System," Computer Journal, Vol. 29, No. 4, pp. 289-299, Aug. 1986.

....Descriptors: Network operating systems, Distributed applications, Distributed systems, Measurements General terms: Design, Experimentation, Performance 1. INTRODUCTION The Amoeba project is a research effort aimed at understanding how to connect multiple computers together in a seamless way (Mullender and Tanenbaum, 1986; Tanenbaum et al. 1986; Tanenbaum and van Renesse, 1985) The basic idea is to provide the users with the ################## 1. This research was supported in part by the Netherlands Organization for Scientific Research (N.W.O. under grant 12530 10. 29 illusion of a single powerful ....

Mullender, S.J., and Tanenbaum, A.S. The Design of a Capability-Based Distributed Operating System, Computer Journal 29, (Aug. 1986), pp. 289-299.

....runs on a distributed system containing 10 nodes that are connected by a 10Mbit sec Ethernet. Each node consists of a CPU board, identical to the ones used in the multiprocessor, and an Ethernet controller board using the Lance chip. This RTS runs on top of the Amoeba distributed operating system [Mullender and Tanenbaum 1986]. It uses Amoeba s Remote Procedure Call for interprocess communication. The third RTS, which is used for this paper, also runs on the distributed system. Unlike the Amoeba RTS, it runs on top of the bare hardware. It uses the reliable broadcast protocol described in [Kaashoek et al. 1989b] for ....

Mullender, S. J. and Tanenbaum, A. S., Design of a Capability-Based Distributed Operating System, Computer J., Vol. 29, No. 4, pp. 289-299, Aug. 1986.

....thus allow for access control, authentication, and accounting. By implementing these checks in the gateway, instead of at every site, local performance is not affected, nor are the local security policies. 4.3. The Amoeba Distributed Operating System The Amoeba Distributed Operating System [11, 12, 13] is a research project being carried out at the Vrije Universiteit and the Centrum voor Wiskunde en Informatica, both in Amsterdam. Amoeba is also based on the client server model. Server processes provide services like file and directory service. Amoeba runs on a collection of Motorola 68010 and ....

S. J. Mullender and A. S. Tanenbaum, "The Design of a Capability-Based Distributed Operating System," Report CS-R8418, Centre for Mathematics and Computer Science, Amsterdam, October 1984.

No context found.

S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, Aug. 1986.

No context found.

Mullender, S.J., Tanenbaum, A.S. The Design of a Capability-Based Distributed Operating System, Computer Journal, 29,4, pp.289-299, 1986.

No context found.

. S. Mullender and A. Tanenbaum, "The Design of a Capability-based Distributed Operating System", The Computer Journal, 29(4):289-299, 1986.

No context found.

Tanenbaum, A.S., and S.J. Mullender. "The Design of a Capability-Based Distributed OperatingSystem"# The Computer Journal Vol: 29 No.: 4, August 1986.

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC