S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, Aug. 1986.
....On the one hand, disk space is usually managed with a quota system which limits the amount of space a user can occupy. Alternatively, economic models can be used, which associate a price with a resource, and users buy or rent space, involving some form of payment [Anderson et al. 1986, Mullender and Tanenbaum, 1986, Drexler and Miller, 1988, Heiser et al. 1998b]. On the other hand, processor time is allocated according to some priority scheme. Priorities can be hard, meaning that a process will only execute if no higher priority process is runnable, or soft, meaning that a process priority influences the ....
.... Secondary Storage Management Mungi has a secondary storage management model designed to control the proliferation of objects in the system [Heiser et al. 1998b]. This model is based on the rent scheme in the Monash Password Capability System [Anderson et al. 1986] and bank accounts from Amoeba [Mullender and Tanenbaum, 1986]. Its main objective is to ensure users do not starve or exploit others through excessive use. 2.2.1 Bank Accounts Secondary storage is managed by charging rent for backing store usage through special objects called bank accounts. Accounts with money available for rent charging have a financial ....
Mullender, S. J. and Tanenbaum, A. S. (1986). The design of a capability-based distributed operating system. The Computer Journal, 29:289-299.
....On the one hand, disk space is usually managed with a quota system which limits the amount of space a user can occupy. Alternatively, economic models can be used, which associate a price with a resource, and users buy or rent space, involving some form of payment [Anderson et al. 1986, Mullender and Tanenbaum, 1986, Drexler and Miller, 1988, Heiser et al. 1998b]. On the other hand, processor time is allocated according to some priority scheme. Priorities can be hard, meaning that a process will only execute if no higher priority process is runnable, or soft, meaning that a process priority influences the ....
.... Storage Management Mungi has a secondary storage management model designed to control the proliferation of objects in the system [Heiser et al. 1998b]. This model is based on the rent scheme in the Monash Password Capability System [Anderson et al. 1986] and bank accounts from Amoeba [Mullender and Tanenbaum, 1986]. Its main objective is to ensure users do not starve or exploit others through excessive use. 2.2.1 Bank Accounts Secondary storage is managed by charging rent for backing store usage through special objects called bank accounts. Accounts with money available for rent charging have a financial ....
Mullender, S. J. and Tanenbaum, A. S. (1986). The design of a capability-based distributed operating system. The Computer Journal, 29(4):289-299.
....that, on at least a certain number of sites, the loaded system can be trusted. Thus in the Andrew system, the global system is seen as a set of untrusted stations called Virtue connected to a set of trusted servers called Vice [Satyanarayanan 89]. In Amoeba [Mullender 86] [Tanenbaum 90] some servers are trusted, and a piece of hardware, called the F Box, is available which controls access to the network TM. A second measure [Ingels 90] consists on the one hand in limiting what a user can do from an untrusted station (thus in Andrew, a global file does not ....
S. J. Mullender, A. S. Tananbaum, The design of a capability-based distributed operating system, Computer Journal, vol. 29, n° 8, Aug. 86, pp. 289-299
....CAS server to keep track of its membership and fine grained access control policies. A user wishing to access community resources contacts the CAS server, which delegates rights to the user based on the request and the user's role within the community. These rights are in the form of capabilities [4], which users can present at a resource to gain access on behalf of the community. The user effectively gets the intersection of the set of rights granted to the community by the resource provider and the set of rights defined by the capability granted to the user by the community. The CAS ....
Mullender, S.J. and A.S. Tanenbaum, The Design of a Capability-Based Distributed Operating System. The Computer Journal. 29: p. 289-99.
....[16] into the area of distributed and massively parallel systems. In the following subsection, the basic abstractions employed to build the PEACE distributed operating family are described. 2.1 Threads and Teams Following state of the art distributed operating systems, above all V [5] and Amoeba [27], the PEACE process model distinguishes between heavyweight process and lightweight process. Heavyweight processes are teams of lightweight processes, i.e. shells for one or more instances of threads. The term process is used as a synonym for either thread or team. Teams define a global ....
S. J. Mullender, A. S. Tanenbaum, "The Design of a Capability-Based Distributed Operating System," The Computer Journal, Vol. 29, No. 4, pp. 77 100, March, 1986.
....this is formalized in Lemma 6.5. 3. Access Judgment: A subject s can access right r on o iff it possesses at least one of the tickets (capabilities) for that object right pair. Formally, WS s (o; r) def = W (s) T (o; r) 6= As an example application, we model capabilities in Amoeba [20] in Example C.2 (Appendix C) 5.2. Lampson matrix capabilities (MC row ) For purposes of comparison, we define a model for capabilities based on the rows of the Lampson access matrix. Our analysis will show that this view is not the same as capabilities as unforgeable bit strings. We model this ....
S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, Aug. 1986.
....RESTCLK does not seek to set policies for security. It merely provides mechanisms at its lowest level that make security enforcement possible. It is instructive here to examine a bit the analogy with well known resource management systems, like database management systems [9] or operating systems [36]. These systems also do not set security policies. Instead provide abstractions in terms of which an application system designer may define security policies. They also provide mechanism which may be used to enforce security policies defined in terms of the said abstractions. Taking analogy from ....
S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. Computer Journal, 29(3), 1986.
....more difficult. In the context of persistent objects in a distributed system, we neglect the third problem since we want objects to be explicitly deleted. A number of possible alternatives have been suggested for protecting capabilities 4 . These include special architectures [22] encryption [20] and sparse (or password) capabilities [1] We base our mechanism on sparse capabilities since these require no special architecture or costly encryption algorithms and also because they alleviate the revocation problem. A sparse capability generally consists of an object identifier (for locating ....
Mullender, S.J., Tanenbaum, A.S. The Design of a Capability-Based Distributed Operating System, Computer Journal, 29,4, pp.289-299, 1986.
....examples include SPIN [3] and VINO [22] Providing a trusted path [24, 17] mechanism, such as a protected procedure call [8] or IPC. Extensions execute as user tasks, using the standard system protection mechanisms for safety. Clients invoke extensions via the trusted path. For example, Amoeba [18] used a client server model with an IPC based trusted path. An extensibility mechanism requires flexibility, safety and performance. It is now widely accepted that flexibility and safety can be provided in user space. Kernel-module based systems are therefore motivated solely by performance, which ....
S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29:289--299, 1986.
....are connected via a wide area network. Contact: Sape J. Mullender, CWI Amsterdam, Netherlands or Andy Tanenbaum, Dept. of Mathematics and Computer Science, Vrije Universiteit, Postbus 7161, 1007 MC Amsterdam, Netherlands. References: [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20], [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31] [32] 2.4 Andrew Main Goal Andrew is a distributed computing environment being developed at the Carnegie Mellon University, Pittsburgh in a workstation server principle. The goals of the Andrew file system are to support growth ....
S.J. Mullender and A.S. Tanenbaum, "The Design of a Capability-Based Distributed Operating System", The Computer Journal, 29(4):289--300, March 1986.
....comes from the fact that no user check is performed at the system level. Hardware based capability systems have had limited use because they only run on specific hardware. Capability based systems now running on classical hardware provide capability protection with encryption based algorithms [Mullender86]. 2.2 Multics Multics [Organick72] is a system developed at Massachusetts Institute of Technology that also runs on a specific hardware. Protection in Multics is based on access lists. The basic unit of shared data is the segment, and an access list is associated with each segment and registers ....
S.J. Mullender and A.S. Tananbaum, The design of a capability-based distributed operating system , Computer Journal, 29 (8 ), pp. 289-299, August 1986.
....protected. 2.3 Derived Capabilities As well as owner capabilities, the system provides capabilities with more restricted access rights, such as read only. A scheme is provided which allows users to derive less powerful capabilities as required. This method is similar to one proposed for Amoeba [9]. From the owner capability, $C_{rwxd}$, a new capability $C_{rwx} = f(C_{rwxd})$ where $f$ is a well known one way function, can be derived which only gives permission to read, write and execute the object. That capability can be further restricted to $C_x = f_x(C_{rwx})$ which allows only execution, and ....
....on the implementation of higher software layers. We also do not want to impose limitations on the storage of capabilities, whereas MONADS uses partitioned capabilities which are kept in user inaccessible system areas. 6.2 Amoeba Although not a distributed virtual memory system, Amoeba [9] uses sparse capabilities, consisting of the port number of the server responsible for the object, an object id, access rights, and a signature. The signature is computed by applying a one way function to the access rights and a random number which is stored with the object. Capabilities are always ....
S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29:289--99, 1986.
....what is garbage, this system has the significant advantage that all accounting is done off line (by a background process) so, unlike a quota system, user operations on objects are not slowed down by the need to perform accounting. Amoeba's bank accounts Amoeba's resource management system [Mullender and Tanenbaum, 1986] is also based on the idea that money is used to pay for resources. Amoeba achieves this by introducing bank accounts as objects in their own right, rather than associating a monetary value with each object. Accounts are maintained by a bank account server, which is contacted for transactions on ....
Mullender, S. J and Tanenbaum, A. S (1986). The design of a capability-based distributed operating system. Computer J., 29:289--299.
....an extension of Concurrent Euclid; the design of Emerald [Black 86a, Black 86b, Jul 88] was based on the Eden experience. The Aeolus language [Wilkes 86] was developed for the Clouds distributed system [LeBlanc 85]. The Orca language [Bal 88b] is being implemented to program applications in Amoeba [Tanenbaum 86, Mullender 87]. Finally, the Comandos project is currently developing its own programming language, called Oscar [Comandos 88]. Guide may be viewed as an exploratory implementation of some of the features being developed in Oscar. The object model implemented in Guide is characterized by the ....
Tanenbaum A.S., Mullender S.J., The design of a capability-based distributed operating system, The Computer Journal, vol. 29, 4 (1986) pp. 289-300
....in a SASOS [12]. Angel has no explicit protection system. Instead, it relies on the ability of an object to be accessed or a service to be named in order to protect it - protection is effectively left in the hands of servers. This approach is similar to that taken in the Amoeba distributed system [13], where servers use sparse capabilities for naming and protecting objects. While the design is aimed at 64 bit architectures, the Angel prototype was implemented on i486 hardware. It therefore has not considered issues resulting from a huge, sparsely used address space. Opal [14] in contrast uses ....
....storage. In Mungi no directory services are provided by the system itself. To assist users in managing their storage, we instead use a different, and more flexible scheme, derived from the rent model used in Monash University's Password Capability System [15] and the bank accounts used in Amoeba [13]. Whenever an object is created, a bank account must be supplied, and the bank account reference is recorded in the object's OT entry. A rent collector periodically charges the account for the disk storage used by the object. A paymaster periodically deposits funds into each account. An empty or ....
S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29:289--299, 1986.
....and testing that the OID exists. Amoeba: Amoeba suggested a system where the rights and a random number are encrypted together. On presentation, the encrypted word is decrypted and if the random number matches that associated with the object, the access rights are assumed to be correct [TM84]. Password: A capability consists of an OID and a large random number. This number and the associated access rights are stored with the object. The validity of a capability is determined by matching the password with the list of valid passwords for that ....
....of aliasing. • Capabilities can be copied within a program just like other variables. 2.4.7 Amoeba The dropping price of hardware, which allowed the building of large interconnected distributed systems, prompted the design of the Amoeba operating system [TM84, TMvR86]. Amoeba is an exclusively client server operating system. All interaction between clients and servers is by means of IPC, which is based on unreliable datagrams (i.e. no acknowledgement, no guarantee of delivery). Messages are sent to ports, and knowledge of a port number is taken as ....
Andrew S. Tanenbaum and Sape Mullender. The design of a capability-based distributed operating system. Technical Report IR-88, Vrije Universiteit, November 1984.
....record capabilities in arbitrary data structures. The lack of kernel control of sparse capabilities does have a few disadvantages. Operations such as confinement and garbage collection become more difficult; although solutions such as lockwords [APW86] for confinement, and economic models [APW86] [MT86] [HLR98] for garbage collection, have been suggested. 2.3.3 Reference monitors Reference Monitors [AGS83] actively control access from subjects to objects. When a subject wants to access an object in the system, the reference monitor is invoked. The ....
....and putrep (put reply). Trans is used by the client to request a service. Getreq and putrep are used by the server to get a service request and to post a reply respectively. To prevent programs from issuing getreqs on arbitrary ports, a novel authentication scheme based on one way hashing is used [MT86]. This scheme can either be implemented in hardware or in software. It is believed that there are no implementations of the hardware version. [Figure 2.8: A typical Amoeba capability, with fields Service, Object, Rights, Random] 2.4.8 The Monash Password Capability System Anderson, Pose and Wallace [APW86, ....
Sape J. Mullender and Andrew S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29:289--299, 1986.
....[7] is used. This approach grants object access only if a thread (i.e. subject) is in the possession of that object or one of its proxies. An object must be created and bound to a system wide unique identifier before it can be used. It is assumed that a unique identifier cannot be deduced [23]. In order to achieve this, the nucleus generates a random number which, combined with a global hash key, is used to make identifiers system wide unique. Note that this procedure works autonomously and needs not be controlled by a central system component. The creator implicitly possesses the ....
S. J. Mullender and A. S. Tanenbaum. The Design of a Capability-Based Distributed Operating System. The Computer Journal, 29(4):289--299, 1986.
....group certificates are not invalidated when group membership changes, there may be incorrect grant or denial. Similarly, an unexpired authorization certificate should be invalidated when the particular authorization has been revoked. These issues are similar to those in the use of capabilities [8, 13], and are beyond the scope of this paper. 7 This is commonly known as the push model. A pull model is one in which A itself gathers the relevant certificates from the group servers. However, it appears to be more desirable to reduce the load of A so that it does not become a bottleneck, even at ....
S.J. Mullender and A.S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, 1986.
....for unification of the address space and distribution of the functionality. A well known case is the Newcastle Connection or UNIXes Unite [Brownbridge,82] which provided one of the early distributed file systems. A distributed operating system which was built with distribution as a goal is AMOEBA [Mullender,86] Amoeba consists of four components: 1) Workstations that are used to provide higher level user interface. The workstations are expected to have a processor, a bit mapped display, and several megabytes of memory. 2) A processor pool, consisting of a number of processors and multiprocessors ....
Mullender, S. J. and Tanenbaum, A. S., "The Design of a Capability-Based Distributed Operating System," The Computer Journal, 29(4), pp. 289-300, (1986).
....constructed a working prototype system. We will cover most of the traditional operating system design issues, including communication, protection, the file system, and process management. We will not only explain what we did, but also why we did it. 2 Overview of Amoeba The Amoeba Project [Mullender and Tanenbaum, 1986] is a joint effort of groups at the Free University (VU) and the Centre for Mathematics and Computer Science (CWI) both in Amsterdam. The VU group is led by Andrew S. Tanenbaum, the CWI group by Sape J. Mullender. The project has been underway now for nearly ten years and has gone through ....
Mullender and Tanenbaum [1986] S. J. Mullender and A. S. Tanenbaum, The Design of a Capability-Based Distributed Operating System, The Computer Journal 29(4), 1986, 289--300.
No context found.
Mullender, S.J., and Tanenbaum, A.S.: "The Design of a Capability-Based Distributed Operating System," Computer Journal, vol. 29, pp. 289-299, Aug. 1986.
No context found.
S. J. Mullender and A. S. Tanenbaum. The design of a capability-based distributed operating system. The Computer Journal, 29(4):289--299, Aug. 1986.
No context found.
Mullender, S.J., Tanenbaum, A.S. The Design of a Capability-Based Distributed Operating System, Computer Journal, 29,4, pp.289-299, 1986.
No context found.
. S. Mullender and A. Tanenbaum, "The Design of a Capability-based Distributed Operating System", The Computer Journal, 29(4):289-299, 1986.
CiteSeer.IST - Copyright Penn State and NEC