Security in Keykos

SECURITY IN KEYKOS

S.A. RAJUNAS, N. HARDY, A.C. BOMBERGER, W.S. FRANTZ, C.R. LANDAU
Key Logic, Cupertino, California

ABSTRACT

KeyKOS™* is a capability-based system which was designed to meet the performance, reliability, and security goals of the commercial computer service marketplace. KeyKOS's architecture combines several unique features to achieve simple and effective protection mechanisms with a very small amount of privileged code. Particular emphasis is placed here on the protection mechanisms which support security; while some general description of the system is included, a more complete description of the architecture is given elsewhere.

KeyKOS consists of a kernel and supplementary code. The KeyKOS kernel is currently implemented in software, but in concept it is an extension of the machine architecture and as such could be implemented in firmware and/or hardware. The present implementation runs on IBM and Amdahl hardware. Any virtualizable architecture with a large virtual address space and demand paging would be a suitable target. KeyKOS might also be ported to other architectures.

KeyKOS is not a traditional operating system; it bears some resemblance to a control program (it manages resources). In the current implementation, the kernel is written in assembler, is unswappable, and runs in supervisor mode with real addresses. The kernel and supplementary code present a different architecture to the programmer from that provided by the bare hardware. KeyKOS supports CMS[3], and currently most software development is done using CMS as the development environment. KeyKOS provides an excellent run time environment for transaction-based applications, and KeyKOS has been running in support of commercial applications since 1983.

* Patent Pending.
CH2292-1/86/0000/0078$01.00 © 1986 IEEE

KeyKOS is a message-passing system. KeyKOS is also an object-oriented system, where certain primitive objects are supported by the kernel and application designers can build their own objects out of system-defined objects. These user-defined objects are much larger than Smalltalk[4] objects.

Like all capability systems, KeyKOS must prevent the forging of capabilities. This is accomplished not by relying on tagged memory but rather by storing capabilities separate from data.

Capabilities in KeyKOS are called keys, and the reader may substitute "capability" anywhere the term "key" is used. However, in KeyKOS there are many different types of keys (see Table 1). Keys carry several different types of authority, not merely read-only and read/write, and designate objects of all types.

Some of the terminology used in KeyKOS is unique, and the unfamiliar terms have been cited as a source of confusion by individuals first learning about the system. There have been suggestions that we should use "more standard terminology," but each system uses its own terminology. Capabilities are "access descriptors" in the Intel 432[5], and "pointers" in System/38[6]. (See Levy[7] for a survey of implemented capability systems.) It has also been suggested that we use the terminology popularized by, say, Hydra[8], certainly the most published system. But KeyKOS is not a copy of Hydra. KeyKOS has different basic design concepts, described by different terms; the terms are different because the concepts are different.

The convention used in this paper is that KeyKOS terms are printed in bold type when they are first defined.

The basic entities in KeyKOS are keys, pages, and nodes. Keys are capabilities, and designate pages, nodes, other primitive objects implemented by the kernel, or compound constructs made up of pages and nodes. Pages consist of 4096 bytes, may contain code or data, but cannot contain keys. Pages may be regarded as permanent storage; KeyKOS implements a single level store. A node consists of 16 slots (may be thought of as capability registers), which contain keys, but not code or data. Nodes are also permanent storage.

The three fundamental objects in KeyKOS are domains, meters, and segments. Domains are roughly analogous to processes, meters represent resources (such as CPU time), and segments define ranges of virtual addresses.

A domain is a fundamental object which obeys some code (program) and holds some keys that the code can reference. It is important to note that "process" is not a technical term in KeyKOS. While someone new to KeyKOS may analyze a KeyKOS scenario by envisioning processes, there are no such entities in the implementation. The closest concept to "process" in KeyKOS is the domain. We include what is commonly meant by "process", along with address space and access rights, in the concept of domain. A domain is not just a privilege state, as it is in some systems. In KeyKOS one cannot speak of a process moving from domain to domain; the closest analogy is a thread of control passing from one domain to another.

Programmers may create their own objects from one or more domains. Each domain contains algorithms, data, state information, and access rights. In the current implementation, a domain is three nodes (the root node, the registers node, and the keys node), and the keys found in the slots of the root node have special interpretations (see KeyKOS Principles of Operation[9] for details). The slots in the root node contain keys which designate the domain's address segment, the domain's keeper and its meter (described below), status information (domains may be available, running, or waiting), most of the PSW, etc. The registers node contains the general purpose registers and the floating point registers. The keys node contains keys accessible to the program in the domain.

The keys in the domain's root node in general are not accessible to the program the domain obeys, any more than a process header or task control block is accessible to the processor task in a conventional operating system. They are data structures maintained on behalf of the domain or process or task by the operating system. The difference is that in KeyKOS, the domain could be given a key to any root node (including its own), and it could affect only that node for which it had a key. In a conventional system, the program would have to be privileged to access its own process header and it would have not merely that privilege but all privileges (the pervasive privilege problem).

In KeyKOS terminology, keys in the domain's root node are said to be elements of the domain. Keys in the keys node are said to be held by the domain, and their use is determined entirely by the program obeyed by the domain. In fact, a program in a domain does not actually handle any keys (it can only address the contents of pages); it refers to the keys it holds by their slot numbers in the keys node and the kernel interprets the requests for access.

Meters are nodes which represent resources that may be consumed by a domain. As a domain uses CPU time (currently the only metered resource) the meter counts down. When it reaches zero, the domain stops, but no information is destroyed and the domain may be restarted by adding more resources. There is a primordial meter from which all meters are descended, and in the hierarchy of meters, meters lower in the tree (inferior) depend on meters higher in the tree (superior), so any use of CPU time is measured and constrained not only by the immediate meter but also by its superiors.

KeyKOS uses the concept of the single-level store. No user written code needs any concept of secondary storage. Also, all access to data is immediate. A domain's address space is implemented by a segment key; a segment consists of other segments or pages. One domain cannot access data in another domain -- it can only access data on pages in its own address space. Pages can be shared, and even shared with different authority, but only if prearranged. Either the domains' address spaces must have been built with shared pages or the domains were set up to be able to exchange page keys and insert them in their address spaces.

Because of the single-level store, KeyKOS has no "files," but domains serve a similar role. Domains are as long-lived as files in traditional systems; they continue to exist until deliberately deleted. Record collections are domains which perform the specialized function of relating symbolic names to keys. Some record collections function as directories; others serve to emulate the functionality of IBM file access methods.

Key Invocation

The basic operation in KeyKOS is key invocation. There are three ways to invoke a key: FORK, CALL, and RETURN (the traditional meanings apply). Control is passed either to the kernel (if it was a key the kernel implements) or to another domain via the kernel (if it was a gate key). The KeyKOS equivalent to interprocess communication is a gate key invocation between domains which passes a message consisting of up to four keys, a byte string, and a parameter word.

The key invocation mechanism unifies message passing and procedure call functionality. An argument has been made[10] that operating systems fall into either the message passing category (characterized by a small, static number of processes with explicit communication paths) or the procedure call category (characterized by a large, rapidly changing number of small processes with process synchronization based on shared data) and that these categories are duals of each other.

implicitly invoked when the resource counter goes to zero. The segment keeper is implicitly invoked on memory faults. Memory faults occur on encountering invalid addresses and write protection violation, not page faults (which are handled by the kernel). The segment keeper receives, when CALLed, a node key to the segment so it can fetch from and store into slots containing memory keys (segment or page keys). The kernel builds a domain's page tables based on the
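The separation of keys from data, the slot-numbered access to held keys, and the meter hierarchy described above can be modelled in a few classes. This is an added illustration written for this page, not Key Logic's code or the KeyKOS kernel; the key kind names ('page', 'meter', and so on) and the unit-based meter charging are assumptions of the model.

```python
"""Toy model of the KeyKOS entities described above: constructed for this
page (not Key Logic's code), covering pages, nodes, keys, meters, domains."""
from dataclasses import dataclass

PAGE_SIZE, NODE_SLOTS = 4096, 16      # values stated in the paper

@dataclass(frozen=True)
class Key:
    """A capability: kind of authority plus the object it designates."""
    kind: str        # assumed kind names: 'page', 'node', 'meter', 'gate'
    target: object

class Page:
    """4096 bytes of code or data; a bytearray cannot store a Key."""
    def __init__(self):
        self.data = bytearray(PAGE_SIZE)

class Node:
    """16 slots, each holding a key or nothing; never code or data."""
    def __init__(self):
        self.slots = [None] * NODE_SLOTS
    def put(self, slot, key):
        if not isinstance(key, Key):
            raise TypeError("nodes hold only keys")
        self.slots[slot] = key

class Meter:
    """CPU counter; inferior meters depend on their superior meter."""
    def __init__(self, units, superior=None):
        self.units, self.superior = units, superior
    def charge(self, n):
        """Charge n units to this meter and every superior; return False
        when any reaches zero, which in the paper stops the domain."""
        m, running = self, True
        while m is not None:
            m.units = max(0, m.units - n)
            running = running and m.units > 0
            m = m.superior
        return running

class Domain:
    """Program code names keys only by slot number in the keys node;
    fetch() plays the kernel, which resolves and checks the key."""
    def __init__(self, keys_node):
        self.keys = keys_node
    def fetch(self, slot, offset):
        key = self.keys.slots[slot]
        if key is None or key.kind != 'page':
            raise PermissionError(f"slot {slot} holds no page key")
        return key.target.data[offset]
```

A domain in this model can read a page only through a page key sitting in one of its 16 keys-node slots, and an inferior meter is exhausted as soon as its superior runs out, regardless of its own balance.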
