The Walnut Kernel
A Password Capability Based Op erating System
Thesis submitted for examination
for the Degree of
of Philosophy Do ctor
Department of Computer Science
Monash University
Jan uary
Maurice David Castro
B Sc Hons Monash University
i
Abstract
This thesis describ es b oth a capability based kernel the Walnut Kernel and
hardware designed to supp ort that kernel The kernel provides an environment in
which programs written and op erated by mutually antagonistic users can co exist
securely A Password Capability mechanism is used to provide access control to
ob jects The hardware is designed to supp ort cost e cient expansion of the numb er
of pro cessors within a multipro cessor
The Walnut Kernel was designed to b e p ortable to a wide range of micropro ces
features sors and memory architectures The kernel avoids using pro cessor sp eci c
where there are more widely available mechanisms Paged memory management
was adopted as the basic access control mechanism b ecause of the large numb er
of pro cessors which supp ort it This resulted in a page sized protection granular
ity The architecture of the kernel was designed to scale from unipro cessors to large
multipro cessors To accommo date this design requirement device drivers on unipro
cessor systems use a shared memory page to communicate with the kernel This is
equivalent to sp ecial purp ose pro cessors sharing memory with a master pro cessor on
a multipro cessor The e ciency of multipro cessor implementations was increased
by decreasing interpro cessor communication Page tables and other system data are
p erio dically expired and new tables constructed This practice of timing out data
ensures that lo cal data is kept up to date and only a minimal amount of lo cal state
urthermore this practice eliminates the need to inform other pro cessors is retained F
of changes in lo cal information
version Two implementations of the Walnut Kernel are currently in service One
op erates in an emulated environment under a host op erating system The other
version op erates on i based IBM PCs The p erformance of the latter version
compares well with contemp orary op erating systems
from earlier password capability based systems in that it intro The kernel di ers
duces op erators for the selective removal of rights from a capability and mechanisms
which restrict the use of a capability to a sp eci c pro cess Message passing and sub
pro cess mechanisms have b een intro duced to enhance the handling of asynchronous
events The changes were motivated by the requirements of programmers using the
ii
system
Application programs have b een written to demonstrate the features of the ker
y diskette nel Included among these user level programs are managers for opp
drives and for the screen and keyb oard The programs and the programming
techniques used are describ ed
The prop osed hardware has eliminated centralised switching devices in favor of
distributing the pro cessor interconnection hardware across the no des of the mul
h pro cessor no de has its own clo ck which removes the physical tipro cessor Eac
constraints asso ciated with a centralised clo ck
Archi The kernel and the prop osed hardware are b oth part of the Secure RISC
tecture pro ject of the Department of Computer Science Monash University
iii
knowledgments Ac
I would like to thank Professor Chris Wallace for sup ervising the work describ ed
assistance suggestions and guidance throughout the pro ject is in this thesis His
gratefully acknowledged
Many of the sta and p ostgraduate students of the Department of Computer
Science have contributed to work related to the Walnut Kernel and the prop osed
hardware In particular I would like to acknowledge Mr Glen Pringle for program
Mr Carlo ming work conducted on b oth the Walnut Kernel and user level programs
Kopp for his work on user level libraries Dr Ronald Pose for work relating to the
prop osed hardware and a constant stream of suggestions for kernel features and Mr
Gerhard Fries and Mr David Duke for their technical assistance in areas relating to
hardware
The nancial assistance provided by an Australian Postgraduate Research Award
has b een appreciated
RISC Architecture pro ject was supp orted by a grant from the Aus The Secure
tralian Research Council A
iv
Declaration
This thesis contains no material which has b een accepted for the award of any
other degree or diploma in any university or other institution
To the b est of my knowledge this thesis contains no material previously pub
lished or written by another p erson except where due reference is made in the text
of the thesis
Where the work in this thesis is based up on joint research this thesis discloses
the relative contributions of the resp ective authors
Maurice D Castro
Department of Computer Science
Monash University