Proceedings of the Eighth Symposium on Operating Systems Principles

14-16 December 1981, Asilomar Conference Grounds, Pacific Grove, California

Special Interest Group on Operating Systems (SIGOPS), Association for Computing Machinery (ACM)

Vol. 15 No. 5 December 1981

ACM ORDER NO. 534810

The Association for Computing Machinery, Inc., 1133 Avenue of the Americas, New York, New York 10036

Copyright © 1981 by the Association for Computing Machinery, Inc. Copying without fee is permitted provided that the copies are not made or distributed for direct commercial advantage and credit to the source is given. Abstracting with credit is permitted. For other copying of articles that carry a code at the bottom of the first page, copying is permitted provided that the per-copy fee indicated in the code is paid through the Copyright Clearance Center, P.O. Box 765, Schenectady, N.Y. 12301. For permission to republish write to: Director of Publications, Association for Computing Machinery. To copy otherwise, or republish, requires a fee and/or specific permission.

ISBN 0-89791-062-1

Additional copies may be ordered prepaid from:

ACM Order Department, P.O. Box 64145, Baltimore, MD 21264

Price: Members $13.00, Non-Members $17.00

ACM Order No. 534810

Eighth Symposium on Operating Systems Principles

General Chairperson

John Howard - IBM Research, San Jose

Program Chairperson

David P. Reed - MIT

Program Committee

David Cheriton - University of British Columbia

Dorothy Denning - Purdue University

Jim Gray - Tandem Computers

John Howard - IBM Research, San Jose

Anita Jones - Carnegie-Mellon University

Butler Lampson - Xerox PARC

Edward Lazowska - University of Washington

Alan Smith - University of California, Berkeley

Local Arrangements

Sara Dake - Registration

Jim Gray - Catering

Gene McDaniel - Wine

8SOSP Referees

Sten Andler, Greg Andrews, J.L. Baer, Joel Bartlett, A. Bernstein, Andrew Birrell, Russ Blake, Toby Bloom, J.C. Browne, Roy Campbell, David Clark, Robert Cook, Geoffrey Cooper, George Cox, Doug Currie, Yogen Dalai, Roger Dannenberg, J. Demco, Ivor Durham, Malcolm Easton, P.H. Enslow, Robert Filman, Michael Fischer, Brett Fleisch, Harry Forsdick, Robert Fowler, James Frankel, W.D. Frazer, David Gifford, R.L. Gordon, Wayne Gramlich, Po Harter, Andrew Herbert, Maurice Herlihy, Thomas H. Hinke, Warren Jessop, Paul Johnson, Dennis Kafura, Stephen Kent, R.B. Kieburtz, Walter Kohler, S. Krakowiak, David Lamb, Gerard Le Lann, Keith Lantz, Richard Leblanc, Roy Levin, Henry Levy, Bruce Lindsay, Steven Lipner, Barbara Liskov, John Livesey, David Lomet, Allen Luniewski, Udi Manber, Paul McJones, John Metzner, Philip Mills, M.F. Mitoma, R.M. Needham, Peter Neumann, Jerre D. Noe, John Ousterhout, J. Peterson, Wil Plouffe, Michael Powell, Ram Rao, Loretta Reid, Glenn Ricart, William Riddle, David Russell, Jerome Saltzer, M. Satyanarayanan, Ashok Saxena, Donald Scelza, Richard Schantz, Robert Scheifler, Roger Schell, Fred Schneider, Michael Schroeder, Karsten Schwans, Peter Schwarz, A. Shaw, Mark Sherman, J.F. Shoch, A. Silberschatz, Barbara Simons, Karen Sollins, Marvin Solomon, Eugene Stark, Eric Stephenson, B. Stroustrup, T.J. Teixeira, Doug Terry, William E. Weihl, Maurice Wilkes, Robin Williams, Jim Wyllie, John Zahorjan

Foreword

Like its predecessors of the past 14 years, the Eighth Symposium on Operating Systems Principles represents the diversity and vigor of the field. The program speaks for itself. I know that I found that reading the papers was fun -- hardly a tedious task at all.

All in all, 103 papers were submitted. The competition was strong -- only 23 papers were accepted -- less than one in four. Of these, six were nominated to be considered for inclusion in a special issue of Communications of the ACM; five of these were accepted by a second refereeing process managed by Anita Jones. Only extended abstracts for those papers appear here.

The refereeing process, conducted under tight timing constraints, went well. Unlike other conferences, SOSP tries to maintain a high standard of refereeing. Most papers were read by four of the program committee members, myself, and two outside referees. Each outside referee who volunteered was given from one to four papers in his/her area. The outside referees often perform a special service that I value highly. They usually provide many helpful comments to the author(s) to aid in revision. However, I have the general impression that the average quality of outside referee reports is decreasing somewhat. This time a larger fraction of the reports received seemed to concentrate on rating the papers only. I hope this is not indicative of a general trend.

Like many conferences, this one could not have been put together without a lot of help. In addition to the referees, I'd like to thank Debra Fagin, whose help has been invaluable.

David P. Reed
Program Chairperson
October, 1981

Conference Program

14 December 1981

Session I: Verifying Systems Properties
Session Leader: John Howard

Proving Real-Time Properties of Programs with Temporal Logic
Arthur Bernstein, Paul Harter

Design and Verification of Secure Systems
John Rushby

Session II: Systems
Session Leader: Edward Lazowska

A NonStop(TM) Kernel
Joel Bartlett

Observations on the Development of an Operating System
Hugh Lauer

Session III: Remote Data Storage
Session Leader: Butler Lampson

The FELIX File Server
Marek Fridrich, W. Older

A Comparison of Two Network-Based File Servers
James Mitchell, Jeremy Dion

A Reliable Object-Oriented Repository for a Distributed Computer System
Liba Svobodova

Session IV: Computer-Computer Communication
Session Leader: David Reed

Sequencing Computation Steps in a Network
Andrew Herbert

Accent: A Communication Oriented Network Operating System Kernel
Richard Rashid, George Robertson

Performing Remote Operations Efficiently on a Local Computer Network
Alfred Specter

15 December 1981

Session V: Memory Management
Session Leader: Alan Smith

Converting a Swap-Based System to do Paging in an Architecture Lacking Page-Referenced Bits
Ozalp Babaoglu, William Joy

WSClock -- A Simple and Effective Algorithm for Virtual Memory Management
Richard Carr, John Hennessy

A Study of File Sizes and Functional Lifetimes
M. Satyanarayanan

Session VI: Protection Techniques
Session Leader: Dorothy Denning

Hierarchical Take-Grant Protection Systems
Matt Bishop

Cryptographic Sealing for Information Secrecy and Authentication
David Gifford

Session VII: The iMAX-432 Operating System
Session Leader: Anita Jones

A Unified Model and Implementation for Interprocess Communication in a Multiprocessor Environment
G. Cox, W. Corwin, K. Lai, F. Pollack

iMAX: A Multiprocessor Operating System for an Object-Based Computer
K.C. Kahn, W.M. Corwin, T.D. Dennis, H. D'Hooge, D.E. Hubka, L.A. Hutchins, J.T. Montague, F.J. Pollack, M.R. Gifkins

The iMAX-432 Object Filing System
F. Pollack, K. Kahn, R. Wilkinson

16 December 1981

Session VIII: Distributed Systems
Session Leader: David Cheriton

The Architecture of the Eden System
E. Lazowska, H. Levy, G. Almes, M. Fischer, R. Fowler, S. Vestal

A Distributed UNIX System Based on a Virtual Circuit Switch
G.W.R. Luderer, H. Che, J.P. Haggerty, P.A. Kirslis, W.T. Marshall

LOCUS: A Network Transparent, High Reliability Distributed System
G. Popek, B. Walker, J. Chow, D. Edwards, C. Kline, G. Rudisin, G. Thiel

Session IX: User-Oriented Systems
Session Leader: Jim Gray

Grapevine: An Exercise in Distributed Computing
Andrew Birrell, Roger Levin, Roger Needham, Michael Schroeder

BRUWIN: An Adaptable Design Strategy for Window Manager/Virtual Terminal Systems
Norman Meyrowitz, Margaret Moser
