HYDRA: The Kernel of a Multiprocessor Operating System

Wulf, et. al.

 

One-line summary: The bulk of this paper discusses the author’s design philosophies regarding how to build a flexible capability-based protection system for an operating system kernel.

 

Important points:

• Separation of mechanism from policy.  OS Kernel should provide mechanism, not policy.  Policy should be set by software components that run on top of the kernel, and policy can be implemented using the mechanisms provided by the OS kernel.  This should guide what functionality should be added to the kernel vs. what should be left out.  (Mechanisms should be included in the kernel, while policies should not.)
• Rejection of strict hierarchical layering.  Authors argue that hierarchy limits flexibility.  (More on this later…)
• Protection is central to OS.  HYDRA makes significant use of capabilities to provide a security model much more flexible than traditional “hard-coded” read/write/execute privileges.  Capabilities can ONLY be manipulated by the kernel.  An object may have type-independent rights, and type-independent rights.  Type-independent rights are “kernel-checked” rights (read/write/execute).  Type-independent rights are “auxiliary/application-checked” rights; they can be checked for in capability templates in procedures.  Hence, applications (collections of procedures) can assign their own semantics to these auxiliary capabilities.

 

What is an operating system supposed to do?  Manage resources (both physical and virtual).  HYDRA allows OS developers to define an object of a specified type for each resource the OS is expected to manage.

 

Authors expect HYDRA to be used as a core kernel, and for OS developers to potentially build multiple operating environments above it.

 

Three concepts core to HYDRA:

• Procedure: has a name, formal parameters, output(s), and a capability “template” for the formal parameters (check rights), “regular” rights, and a list of caller-independent capabilities.  If actual parameter check rights match those expected by the template, then the procedure can execute with its “regular rights.”  This allows the procedure to execute with extended rights without giving the caller any way to explicitly use those rights without calling the procedure.
• LNS (local name space): dynamic set of capabilities that a running procedure may use at run-time.  Whenever a procedure CALL is made, a new LNS is created with the sum of the capabilities that the caller has, plus those that can be “derived” via the regular rights of the procedure.  The LNS is part of the execution environment of the procedure, and is destroyed upon a RETURN.
• Process: smallest unit that can be scheduled for execution.  a run-time stack of LNSes. 

 

Protection = mechanism, Security = policy.  HYDRA provides mechanism/protection.  Higher-level OS components provide security.

 

Author’s believe the concept of “ownership” in an OS is vague, and not appropriate to implement security.  Hence, there is no concept of “ownership” in HYDRA.  In addition, they argue there is a better way to structure systems than for there to be a hierarchy of least trusted to most trusted components/users/etc.  Inadequacy of the “ownership” model of system security is made apparent in a straightforward example presented in the paper.  For example, just because a developer creates a program and “owns” it doesn’t mean that people who use the program are OK with that developer having access to databases that they create with the program.  Capabilities are an elegant way of defining fine-grained protection tokens that can be checked for during different types of accesses for different objects.

 

Paper didn’t comment on how procedures should be “installed.”  For example, if I write a procedure that has “regular” rights to access “everything” that procedure should only be able to be linked into the system by someone that has those types of rights.