HYDRA: The Kernel of a Multiprocessor Operating System

Design Philosophy

HYDRA implements a micro-kernel on which a system can be built with a customized protection policy: what the privileges are and who holds them. The philosophy behind it is that protection is the mechanism; security is a policy. HYDRA only implements the mechanism and leaves the rest to the designer of the upper-level system.

It rejects hierarchy, which is not flexible enough for protection. Instead it introduces the concept of a capability, so that protection can be applied to any kind of object, not only to specific entities (e.g. files). Thus, in HYDRA, there is no "ownership".

1. Protection domain

The protection domain in Multics is the "local name space" (LNS). At any instant, the execution environment (domain) of a program is defined by an LNS object associated with it. The capability part of the LNS contains references to the objects which may be accessed by the program at that instant (Hydra p. 341).

2. Protected control transfer

On call, rights are gained.

3. Rights augmentation

On return, those rights are removed.

USER -> Gain privileges by Sys CALL

OS -> (THE MAN) has full privileges.

Capability

Capability = Pointer + Rights

That is, which objects the procedure may reference and which actions it may perform on those objects.

Two types of Capability

  1. Caller-independent
  2. Caller-dependent

Unlike today's systems, where a system call runs with the full set of rights, in HYDRA a procedure that is called gets only certain right bits set. The philosophy is to add rights only when they are needed.

Procedure = code + data + capability

LNS is the record of the execution environment. It is like a call stack. It is a run-time concept.

HYDRA only checks the bits of the passed capability; it does not need to interpret them. All the protections are defined by the higher-level system. HYDRA only offers the basic mechanism.
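The call path sketched above (caller-dependent vs. caller-independent capabilities, rights augmentation on call, and the kernel checking only the bits), as an added illustration that is not code from the HYDRA paper or system; the names `cap_t`, `proc_t`, `lns_t`, `hydra_call` and `lns_rights` and the right-bit values are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Right bits. The kernel only compares them; the upper-level system decides
 * what each bit means (e.g. R_WRITE on a "file" object). Values are assumed. */
enum { R_READ = 1u << 0, R_WRITE = 1u << 1, R_CALL = 1u << 2 };

typedef struct { uint32_t obj; uint32_t rights; } cap_t;   /* pointer + rights */

/* A procedure object: the bits a caller-supplied (caller-dependent) capability
 * must carry, the bits merged into it on call (rights augmentation), and the
 * caller-independent capabilities bound to the procedure itself. */
typedef struct {
    uint32_t need;
    uint32_t augment;
    cap_t    own[2];
    size_t   nown;
} proc_t;

/* The LNS: the execution environment of one activation. Rebuilt on every call,
 * discarded on return, so the caller never keeps the augmented rights. */
typedef struct { cap_t caps[4]; size_t n; } lns_t;

/* Build the callee's LNS from the caller's capability. Refuses the call when
 * the required bits are absent; this is the only check the kernel performs. */
bool hydra_call(const proc_t *p, cap_t passed, lns_t *callee) {
    if ((passed.rights & p->need) != p->need) return false;
    callee->n = 0;
    for (size_t i = 0; i < p->nown; i++)          /* caller-independent caps */
        callee->caps[callee->n++] = p->own[i];
    passed.rights |= p->augment;                  /* augmented caller-dependent cap */
    callee->caps[callee->n++] = passed;
    return true;
}

/* Rights an LNS holds on an object, 0 if the object is not reachable from it. */
uint32_t lns_rights(const lns_t *l, uint32_t obj) {
    for (size_t i = 0; i < l->n; i++)
        if (l->caps[i].obj == obj) return l->caps[i].rights;
    return 0;
}
```

A caller holding only R_READ on object 7 can call a procedure that augments it to R_READ|R_WRITE inside the callee's LNS, while the caller's own capability is unchanged, and a caller without R_READ is refused.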

"WALK" Right