Trustworthy Systems

Capability-based protection in the Mungi operating system


Jerry Vochteloo, Stephen Russell and Gernot Heiser

    School of Computer Science and Engineering
    Sydney 2052, Australia


A single address space operating system is an excellent environment for the implementation of distributed object-based systems. The issue of providing effective and efficient protection of objects in such an environment has, however, not been addressed satisfactorily. This paper presents the protection mechanism of Mungi, which is based on password capabilities. A system-maintained data structure called the capability tree is used for the long-term storage of capabilities, and reflects the hierarchical structure of object privacy. A second system data structure, the active protection domain, allows the system to find capabilities quickly when validating memory accesses. The model supports inheritance of protection domains, as well as temporary extension of protection domains to support privileged procedures. Untrusted programs can be confined to run in a restricted protection domain. The protection system performs efficiently on conventional architectures, and is simple enough that most programs do not need to be aware of its operation.
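The following is an added toy model, written for this page and not Mungi's own code, of the password-capability scheme the abstract describes: a capability is the pair (object address, system-issued password), the kernel validates an access by searching the active protection domain (APD) for a capability whose password it recognises, and protection domains can be temporarily extended for a privileged call or confined for untrusted code. The `Kernel`, `Capability`, `validate`, `extended` and `confined` names, the string rights and the (base, size) object layout are assumptions of this model, not Mungi's interfaces.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Capability:
    base: int       # object's base address in the single address space
    password: int   # secret issued by the system; holding it is the authority
    rights: frozenset

class Kernel:
    """Hypothetical simplified model, not Mungi's implementation."""
    def __init__(self):
        self.objects = {}   # base -> (size, {password: rights})

    def create(self, base, size, rights):
        pw = secrets.randbits(64)                 # unguessable password
        self.objects[base] = (size, {pw: frozenset(rights)})
        return Capability(base, pw, frozenset(rights))

    def derive(self, cap, rights):
        """Issue a weaker capability for the same object; requires a valid cap."""
        size, table = self.objects[cap.base]
        owned = table.get(cap.password)
        if owned is None or not frozenset(rights) <= owned:
            raise PermissionError("capability does not cover requested rights")
        pw = secrets.randbits(64)
        table[pw] = frozenset(rights)
        return Capability(cap.base, pw, frozenset(rights))

    def validate(self, apd, addr, right):
        """Access check: search the APD for a capability whose password the
        system recognises for the object containing addr and that grants right."""
        for cap in apd:
            entry = self.objects.get(cap.base)
            if entry is None or not (cap.base <= addr < cap.base + entry[0]):
                continue
            granted = entry[1].get(cap.password)    # None if the password is forged
            if granted is not None and right in granted:
                return True
        return False

def extended(apd, extra):
    """Protection domain temporarily extended for a privileged procedure call."""
    return tuple(apd) + tuple(extra)

def confined(apd, allowed_bases):
    """Restricted domain for an untrusted program: only the listed objects."""
    return tuple(c for c in apd if c.base in allowed_bases)
```

A forged capability with a guessed password fails `validate` because the kernel's per-object table, not the capability's own `rights` field, is authoritative.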

BibTeX Entry

    address          = {Asheville, NC, USA},
    author           = {Jerry Vochteloo and Stephen Russell and Gernot Heiser},
    booktitle        = {IEEE International Workshop on Object Orientation in Operating Systems (IWOOOS)},
    month            = dec,
    noeditor         = {Luis-Felipe Cabrera and Norman Hutchinson},
    pages            = {108--15},
    paperurl         = {},
    title            = {Capability-Based Protection in the {Mungi} Operating System},
    year             = {1993}