Needham, R. M.; Walker, R. D. H.
doi: 10.1145/1067625.806541
This paper gives an outline of the architecture of the CAP computer as it concerns capability-based protection and then gives an account of how protected procedures are used in the construction of an operating system.
Needham, R. M.; Birrell, A. D.
doi: 10.1145/1067625.806542
The filing system for the CAP is based on the idea of preservation of capabilities: if a program has been able to obtain some capability then it has an absolute right to preserve it for subsequent use. The pursuit of this principle, using capability-oriented mechanisms in preference to access control lists, has led to a filing system in which a preserved capability may be retrieved from different directories to achieve different access statuses, in which the significance of a text name depends on the directory to which it is presented, and in which filing system 'privilege' is expressed by possession of directory capabilities.
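The three properties named in this abstract (the same preserved capability carrying different access statuses depending on which directory it is retrieved from, a text name whose meaning depends on the directory it is presented to, and filing-system privilege expressed purely as possession of directory capabilities) can be made concrete with a small model. The following is an added example written for this page, not CAP's own code or design: the `Store`, `Capability`, `preserve` and `retrieve` names, the rights vocabulary (`read`, `write`, `lookup`, `enter`) and the sample files and directories are all assumptions of the example. Unforgeability, which the CAP hardware provides, is simulated here by having the store honour only the capability objects it minted itself.

```python
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    obj_id: str           # the object named
    rights: frozenset     # the access status carried with it
    token: str = field(default_factory=lambda: secrets.token_hex(8))


class Store:  # hypothetical capability-based filing system (assumed names, not CAP's)
    def __init__(self):
        self._files = {}   # obj_id -> contents
        self._dirs = {}    # obj_id -> {text name: Capability}
        self._issued = {}  # token -> Capability object minted by this store

    def _mint(self, obj_id, rights):
        cap = Capability(obj_id, frozenset(rights))
        self._issued[cap.token] = cap
        return cap

    def _check(self, cap, right=None):
        # Simulated unforgeability: only objects this store minted are honoured.
        if self._issued.get(cap.token) is not cap:
            raise PermissionError("forged or unknown capability")
        if right is not None and right not in cap.rights:
            raise PermissionError(f"capability for {cap.obj_id} lacks {right!r}")

    def create_file(self, contents):
        fid = f"file-{len(self._files)}"
        self._files[fid] = contents
        return self._mint(fid, {"read", "write"})

    def create_dir(self):
        did = f"dir-{len(self._dirs)}"
        self._dirs[did] = {}
        return self._mint(did, {"lookup", "enter"})

    def preserve(self, dir_cap, name, cap, rights=None):
        # Keep `cap` under a text name, optionally with a reduced access status;
        # preserving never adds rights the holder does not already have.
        self._check(dir_cap, "enter")
        self._check(cap)
        keep = cap.rights if rights is None else frozenset(rights)
        if not keep <= cap.rights:
            raise PermissionError("preserving cannot amplify rights")
        self._dirs[dir_cap.obj_id][name] = self._mint(cap.obj_id, keep)

    def retrieve(self, dir_cap, name):
        # A text name is resolved only relative to the directory it is presented to.
        self._check(dir_cap, "lookup")
        entries = self._dirs[dir_cap.obj_id]
        if name not in entries:
            raise KeyError(f"{name!r} has no meaning in {dir_cap.obj_id}")
        return entries[name]

    def read(self, cap):
        self._check(cap, "read")
        return self._files[cap.obj_id]

    def write(self, cap, contents):
        self._check(cap, "write")
        self._files[cap.obj_id] = contents


def refused(action, exc):
    # True if calling action() raises exc.
    try:
        action()
        return False
    except exc:
        return True


def demo():
    s = Store()
    home, shared = s.create_dir(), s.create_dir()         # `home` is never handed out
    plans = s.create_file("draft v1")                     # constructed sample file
    s.preserve(home, "plans", plans)                      # full rights kept privately
    s.preserve(shared, "plans", plans, rights={"read"})   # attenuated copy published
    s.preserve(home, "todo", s.create_file("ship it"))    # a name known to `home` only
    via_home, via_shared = s.retrieve(home, "plans"), s.retrieve(shared, "plans")
    s.write(via_home, "draft v2")                         # allowed through `home`
    fake_home = Capability(home.obj_id, frozenset({"lookup", "enter"}))  # not minted
    return {
        "same_object": via_home.obj_id == via_shared.obj_id,
        "home_rights": sorted(via_home.rights),
        "shared_rights": sorted(via_shared.rights),
        "shared_write_refused": refused(lambda: s.write(via_shared, "x"), PermissionError),
        "contents": s.read(via_shared),
        "todo_in_shared": not refused(lambda: s.retrieve(shared, "todo"), KeyError),
        "forged_home_refused": refused(lambda: s.preserve(fake_home, "x", plans), PermissionError),
    }
```

The point of the model is that no access-control list is consulted anywhere: a holder of `shared` can read `plans` because that is the status stored under that name in that directory, cannot write it, and cannot reach `todo` at all, while the only way to gain the owner's privileges is to be handed the `home` capability itself.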
doi: 10.1145/1067625.806543
The CAP project has included the design and construction of a computer with an unusual and very detailed structure of memory protection, and subsequently the development of an operating system which fully exploits the protection facilities. The present paper passes the work in review and draws conclusions about good and bad aspects of the system. The basic architecture of the CAP machine is described in [1] and a largely prospective description of the protection system is given in [2]. The project was started as an experiment in hardware memory protection. A computer was to be designed in which operating system development was easy, in which ruggedness was produced by a much more fine-grained network of firewalls than was (or is) usual, and in which the full range of protection facilities was available to the writers of subsystems. Simplicity of mechanism was a very important goal, although some emphasis was placed on flexibility of protection policy.
Baskett, Forest; Howard, John H.; Montague, John T.
doi: 10.1145/1067625.806544
This paper describes the fundamentals and some of the details of task communication in DEMOS, the operating system for the CRAY-1 computer being developed at the Los Alamos Scientific Laboratory. The communication mechanism is a message system with several novel features. Messages are sent from one task to another over links. Links are the primary protected objects in the system; they provide both message paths and optional data sharing between tasks. They can be used to represent other objects with capability-like access controls. Links point to the tasks that created them. A task that creates a link determines its contents and possibly restricts its use. A link may be passed from one task to another along with a message sent over some other link subject to the restrictions imposed by the creator of the link being passed. The link based message and data sharing system is an attractive alternative to the semaphore or monitor type of shared variable based operating system on machines with only very simple memory protection mechanisms or on machines connected together in a network.
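The link mechanism described in this abstract (links that point back to their creator, carry messages and optional shared data, and can be passed along with a message only as far as the creator allows) is modelled below. This is an added example written for this page, not DEMOS code: the `Task`, `Link`, `Message`, `send`, `receive` and `region` names, the single `passable` restriction, and the file-server, client and shared-buffer scenario are assumptions of the example. A task can only reach another task through a link it holds, and the only way to obtain a link is to create it or to receive it in a message.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(eq=False)  # identity-hashed: each link is a distinct protected object
class Link:
    creator: "Task"                       # links point to the task that created them
    obj_id: str                           # what the creator chose the link to represent
    passable: bool = True                 # restriction imposed by the creator (assumed)
    shared: Optional[bytearray] = None    # optional region shared through the link


@dataclass
class Message:
    sender: str
    payload: str
    passed: Optional[Link] = None         # a link carried along with the message


class Task:
    def __init__(self, name):
        self.name = name
        self.inbox = deque()
        self.held = set()                 # links this task may use; its only route to others

    def create_link(self, obj_id, passable=True, shared=None):
        link = Link(self, obj_id, passable, shared)
        self.held.add(link)
        return link

    def send(self, link, payload, passing=None):
        # Deliver payload to link.creator, optionally passing another held link along.
        if link not in self.held:
            raise PermissionError(f"{self.name} does not hold that link")
        if passing is not None:
            if passing not in self.held:
                raise PermissionError(f"{self.name} cannot pass a link it does not hold")
            if not passing.passable:
                raise PermissionError("the creator forbade passing this link on")
        link.creator.inbox.append(Message(self.name, payload, passing))

    def receive(self):
        msg = self.inbox.popleft()
        if msg.passed is not None:
            self.held.add(msg.passed)     # receiving a link is how access spreads
        return msg

    def region(self, link):
        # Data sharing is available only to holders of a link that carries a region.
        if link not in self.held or link.shared is None:
            raise PermissionError("no data sharing over this link")
        return link.shared


def denied(action):
    try:
        action()
        return False
    except PermissionError:
        return True


def demo():
    server, alice, bob = Task("fileserver"), Task("alice"), Task("bob")
    file_link = server.create_link("file-7", shared=bytearray(b"hello"))  # constructed
    admin_link = server.create_link("admin", passable=False)
    alice.held.update({file_link, admin_link})    # initial grant, modelled directly
    bob_link = bob.create_link("bob-inbox")
    alice.held.add(bob_link)

    # Request/reply: alice mints a reply link to herself and passes it with the request.
    reply_link = alice.create_link("alice-reply")
    alice.send(file_link, "read", passing=reply_link)
    req = server.receive()                        # server now holds reply_link
    server.send(req.passed, "contents=" + bytes(server.region(file_link)).decode())
    resp = alice.receive()

    # Data sharing: alice writes through the link and the server sees the new bytes.
    alice.region(file_link)[:] = b"HELLO"

    # Passing links on: file_link may travel to bob, admin_link may not.
    alice.send(bob_link, "for you", passing=file_link)
    admin_pass_denied = denied(lambda: alice.send(bob_link, "and this", passing=admin_link))
    bob.receive()                                 # bob now holds file_link
    bob.send(file_link, "read")
    return {
        "reply": (resp.sender, resp.payload),
        "server_view": bytes(server.region(file_link)),
        "admin_pass_denied": admin_pass_denied,
        "bob_request_seen_by": server.receive().sender,
        "bob_without_admin": denied(lambda: bob.send(admin_link, "su")),
    }
```

Because every message is routed to the link's creator, a task never names another task directly; the server learns who to answer only from the reply link it was handed, and bob acquires the file link only because alice held a passable one and chose to forward it. The non-passable admin link stays confined to whoever the server gave it to, which is the creator-imposed restriction the abstract refers to.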