Information Security & Data Protection Object Lessons from PP250 A Fault-tolerant Multi-processor Kenneth Hamer-Hodges


Page 1: Information Security & Data Protection Object Lessons from PP250 A Fault-tolerant Multi-processor Kenneth Hamer-Hodges

Information Security & Data Protection

Object Lessons from PP250

A Fault-tolerant Multi-processor

Kenneth Hamer-Hodges

Page 2

http://members.telocity.com/khodges/PP250.htm Ken Hamer-Hodges 1975-2002 2

Objects & Capability Based Architecture
• Taplow Court - 1967 to 1977
• Plessey Telecommunication Research PP 250
• Other Research (http://citeseer.nj.nec.com/context/22829/0): Dennis and Van Horn, M.V. Wilkes, Bob Fabry, Bill Wolf, Butler Lampson

Page 3

Maurice Vincent Wilkes

Director of the Cambridge Computer Laboratory starting with EDSAC; inventor of labels, macros and microprogramming; with David Wheeler and Stanley Gill, the inventor of a programming system based on subroutines.

Quotation (Regarding developing programs) “... It would be more logical first to choose a data structure appropriate to the problem, and then to look around for, or construct with a kit of tools provided, a language suitable for manipulating the structure.”

Page 4

PP250 – System Objectives
• Communication Switching, Public & Military
• Application MTBF +50 years
• Fault Tolerant Architecture
• Multiprocessor for Growth in service
• Capability Based for Memory Protection

Page 5

Multiprocessor Concerns
• Scalable
• Shared Memory
• Distributed
• Protected from ALL Single Failures

[Diagram: several PP250 CPUs sharing RAM and I/O units]

Page 6

Modular Objectives & the Enter Capability Mode
• Ability to Extend, Grow & Evolve in Service: add new unknown ‘types’ of behavior over time
• Availability 0.99995%
• Prevent error migration through the system
• Detect any & all single errors (H/W or S/W), including ‘undetected’ & ‘dynamic’ software errors
• Unattended operation
• Fault Isolation with Rapid Automatic recovery
• Networking & Scalability
• Information sharing but with constraints

Page 7

A Privacy & Security Architecture
• Evaluate some Examples
• Identify Natural Characteristics
• Define Necessary Requirements
• Introduce a Total Solution (PP250)
• Review & Conclusions

Page 8

Security & Privacy Examples
• An Historical Solution
• An Eccentric Solution
• A Traditional Solution
• Physical & Logical Security
• Static & Dynamic Principals

Page 9

An Historical Example
• Privacy in Death, Security of Slumber
• State of the Art 2500 BC
• Not Future Safe
• Privileged use
• Limited service
• Static Limitation
• Single Application

Page 10

A Contrived Solution
• Eccentric
• Depends upon ‘privileged modes’
• Requires Special Skills
• Not ‘real time’
• Easily ‘Hacked’

Page 11

A Traditional Solution
• Domains of Protection
• Physical Enclosure
• Limited Access
• Controlled Levels of Protection
• Dynamic Objective

Page 12

Common Characteristics
• Guarded Lock & Key - Binding
• Encapsulation – Insulation & Isolation
• Limited Access - Implementation Hiding
• Inherited Behavior - Precedence

Page 13

Encapsulation
• Locked Enclosures
• Hidden content
• Physical Boundary
• Various Strengths
• Multiple Purposes
• Individual Size & Scope

Page 14

Basic Capability Encapsulation

[Diagram: A Program (CPU) holds an Access Key into Shared Memory. The key's Type is Data Block; its Access Rights are Read (data), Write (data) and Execute (program). The key selects an entry in the System Capability Table holding a Base Address, a Limit Address and a Sum Check; base and limit fence the Encapsulated Component, the “Data” Object.]

Page 15

Controlled Access Ports
• Few well defined Ports
• Need to know Locations
• Actively Guarded
• Key & Password checks
• Entry is challenged
• Exit is taxed
• Context is critical

Page 16

Dynamic Checks

[Diagram: a Reference to a Data Block is resolved through capability register CR x. The Key's Type is Data Block; its Access Rights are Read, Write, or Read & Write, giving Permission to Read or Write. The address of The Object in memory is the Base from the Capability Register + Offset.]
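As an added illustration (not from the slides), a small Python model of the dynamic check on a data access: the address is formed from the capability register's base plus the instruction offset, the access right is tested, the limit fences the object, and the sum check guards the capability itself against corruption (the question raised on slide 35). The bit values and the sum-check formula are assumptions.

```python
from dataclasses import dataclass

# Access rights named on the slides; the bit assignments are an assumption.
READ, WRITE, EXECUTE = 1, 2, 4

class CapabilityFault(Exception):
    """Raised by the access guard; on PP250 the fault isolates the erring instance."""

@dataclass(frozen=True)
class Capability:
    base: int       # first word of the encapsulated object
    limit: int      # one past the last word the object may address
    rights: int     # bitmask of READ / WRITE / EXECUTE
    sum_check: int  # detects a corrupted capability entry

    @staticmethod
    def checksum(base, limit, rights):
        # Assumed formula: the slides only name a "Sum Check" field.
        return (base + limit + rights) & 0xFFFF

    @classmethod
    def mint(cls, base, limit, rights):  # only minting produces a valid sum check
        return cls(base, limit, rights, cls.checksum(base, limit, rights))

def guarded_address(cr, offset, need):
    """Resolve 'base from capability register + offset' to an absolute address,
    faulting on a corrupt capability, a missing right, or an offset past the limit."""
    if Capability.checksum(cr.base, cr.limit, cr.rights) != cr.sum_check:
        raise CapabilityFault("sum check failed: capability is corrupt")
    if (cr.rights & need) != need:
        raise CapabilityFault("access right not held by this capability")
    addr = cr.base + offset
    if not (cr.base <= addr < cr.limit):
        raise CapabilityFault("offset falls outside the object's limit")
    return addr

def read_word(memory, cr, offset):
    return memory[guarded_address(cr, offset, READ)]

def write_word(memory, cr, offset, value):
    memory[guarded_address(cr, offset, WRITE)] = value

def faults(operation, *args):
    """True when the guard refuses the operation (lets callers probe the guard)."""
    try:
        operation(*args)
    except CapabilityFault:
        return True
    return False
```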

Page 17

Enter Key

[Diagram: the key's Type is Capability List; its Access Right is Enter (Call Instruction). An Enter key is A Key to an ‘Extended Type’: a New Context, A Subroutine domain, A Context Change. The Program Call passes an Access Guard holding an Execute Key, an Enter Key and an RW Key, then runs under the callee's Execute Key; Rtn returns to the caller.]

Page 18

Dynamically Guarded
• Active Checking
• Real-time, on-line
• No Privileged Modes
• Recursive Application
• Two machines in one: Capability vs. Data

Page 19

[Diagram: PP250 CPUs on a Dedicated CPU Bus with Guarded CPU Checking and Multi-port System Memory. Each CPU holds 8+8 B&L Capability Registers, data registers R 0-7, Micro-Code and the Program.]

Guarded CPU Checking protects Memory from:
• Code errors
• Logic errors
• Data errors
• CPU errors
• Capability errors

Page 20

Instance & Class Context Management
• Program Registers (Two types – Data & Capability)
• Load & Save Data Values D0 to D7
• Load a ‘Capability’ Address (C0-C7)
• Save a Token into a Capability Segment
• Jump to a new Program Block (CR 7)
• Call (Enter) a Subroutine (save/load C6&7 Context)
• Instance Context ‘Entered’ in CR 6
• Class Access Method Loaded in CR 7
• Push Context onto Stack with Call
• Pop Context on Return from Subroutine

Instruction format: Instruction | R (0-7) | CR (0-7) | Offset

Page 21

Thread & System Context
• Thread Context CR 8-11: Swap Instruction or Interrupt Change - Stack, Time Value, Interrupt, Registers, Full Context
• System Context CR 12-15: Swap on Error & Re-Boot, System Capability Table, Diagnostic Capabilities

Page 22

Inherited - Rules of Behavior
• Built in to every Instance of every Class
• Real-time Enforcement
• Early Error Detection
• Fault Isolation: Remove the Capability
• System recovery: Self test, Reconfiguration

Page 23

The CPU: The Jump Instruction

[Diagram: Jump loads A Capability Key for The Program Module into CR-7. The key's Type is Data Block; its Access Right is Execute, giving Permission to Execute.]

Page 24

Capability Summary
• Access through ‘Minted’ Tokens
• Boundaries are Fenced & Maintained
• Confidence from Check & Balance
• Freedoms are Managed (limited)

Rights on Data: Read, Write, Execute. Rights on Capabilities: Save, Load, Enter.

Page 25

Access through Tokens
• No alternative currency, no workarounds
• Capabilities have a ‘Minted’ Integrity
• Transparent vs. Secret methods
• Need to know limitations (private)
• Copyright protection (security)
• Access modes can be limited

Page 26

A Capability to a Capability List

[Diagram: A Capability (Key) to A Key Ring Object. The key's Type is Capability List; its Access Rights are Load, Save (add to ring), Load & Save, or Enter (Call), giving Permission to Load, Save or Enter.]

Page 27

Abstractions are Guaranteed
• Tokens are also Objects!
• Trade in token is very powerful
• A Token is an Abstraction
• Polymorphic Abstractions are electrifying
• Type checking must be on-line: Smalltalk vs. C++

Page 28

PP250 CPU & The “Thread”: A Structure for Reliability

[Diagram: The Thread owns Data Registers 8-15 & Capability Registers 8-15. An Instance of a Protected Domain: a Call pushes The Calling Domain's C 6, C 7 & Instruction Address; Return pops them. Within the domain an EX Key in C7 selects the Class Program, the Call Context in C6 holds an RWD Key to the Instance Data, and Enter Keys lead to a Common Class Subroutine [e.g. Create Message Q] and to an Instance of a Q…]
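The call and return sequence of slides 20 and 28, as an added Python model that is not part of the original deck: an Enter key is a capability to a capability list; Enter pushes the caller's C6, C7 and return address, loads the instance context into C6 and the class method into C7, and Return pops them, while the guard refuses to read any capability list as data ("two machines in one"). The layout of the Enter list (instance first, method second) and the right encodings are assumptions.

```python
from dataclasses import dataclass, field
# Object kinds and access rights named on the slides; the encoding is assumed.
DATA, CLIST = "data block", "capability list"
READ, WRITE, EXECUTE, LOAD, SAVE, ENTER = 1, 2, 4, 8, 16, 32

class CapabilityFault(Exception): pass

@dataclass(frozen=True)
class Cap:
    kind: str      # DATA or CLIST (a key ring of further capabilities)
    rights: int    # bitmask of the constants above
    target: list   # words of a data block, or the Caps held on the ring

@dataclass
class Cpu:
    cr: list = field(default_factory=lambda: [None] * 8)  # C0-C7; C6 = instance, C7 = class code
    stack: list = field(default_factory=list)            # pushed (C6, C7, return address)

    def read(self, reg, offset):
        """Data read: a capability list is never readable as data."""
        cap = self.cr[reg]
        if cap is None or cap.kind != DATA or not (cap.rights & READ):
            raise CapabilityFault("no data read right in C%d" % reg)
        return cap.target[offset]

    def load(self, ring_reg, index, dest):
        """LOAD: copy a key off a key ring into a register (needs LOAD right)."""
        ring = self.cr[ring_reg]
        if ring is None or ring.kind != CLIST or not (ring.rights & LOAD):
            raise CapabilityFault("C%d is not a loadable key ring" % ring_reg)
        self.cr[dest] = ring.target[index]

    def enter(self, reg, return_addr):
        """ENTER (call): switch into the extended type's protected domain."""
        key = self.cr[reg]
        if key is None or key.kind != CLIST or not (key.rights & ENTER):
            raise CapabilityFault("C%d carries no Enter right" % reg)
        instance, method = key.target[0], key.target[1]   # assumed ring layout
        if method.kind != DATA or not (method.rights & EXECUTE):
            raise CapabilityFault("class method is not executable")
        self.stack.append((self.cr[6], self.cr[7], return_addr))  # push caller context
        self.cr[6], self.cr[7] = instance, method
        return method.target  # the code the CPU now executes

    def ret(self):
        """Return: pop the caller's context; the callee's C6/C7 are gone."""
        self.cr[6], self.cr[7], return_addr = self.stack.pop()
        return return_addr
```

A caller that holds only the Enter key can invoke the class method but can neither read the instance data nor the key list itself.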

Page 29

Trust but Verify
• Translate ‘rights’ into ‘reality’
• Fail safe protection
• Forgery protection
• ‘Single Failure’
• Deliberate attack
• Immediate error discovery
• Contained to one & only one error Instance

Page 30

Freedoms are Managed
• Laws are ‘Transparent’
• Rights are Inherited
• Application must be uniform & universal
• No exception – No privileged modes

Page 31

Recapping the Essentials
• Needs are Open
• Customs are Inherited
• Bounded Privacy & Security
• Guaranteed Abstraction
• Closed Access Rights
• No Privileged Modes
• Independent Accountability
• Fail Safe Implementation

Page 32

Constraints are Inherited with Behaviors
• ‘Capabilities’ are not ‘data’ (for PP250)
• A Token has some Right to an Object: Read (some data), Write (some data), Execute (some code), Access (some object), Copy (some Token), Enter (some context)

Problem: Where do Capabilities come from?

[Diagram: an Access Key referencing An Object Instance]

Page 33

Encapsulation must be Validated
• Security: Implementation is hidden; Access is ‘methodical’
• Privacy: User permissions are checked On Access, On Entry, On Exit

Problem: What about ‘Virtual Memory’ or backup recovery on tape or disk?

Page 34

Access is Uniform & Universal
• Only as strong as the weakest link
• Thus Implement in Hardware
• Transparent Implementation
• Applies to the Operating System
• No Privileged Mode

Problem: How does the PP250 join (enter) the real world?

Page 35

Maintaining Check & Balance
• Two CPUs: One for Data, One for Capabilities
• Protection from Abuse or Misuse by Oneself or Others
• Corruption or Failure
• Mis-operation
• Miscalculation
• Incompatible Update
• Fail Safe

Problem: What if the Capability is corrupt?

Page 36

Closing Remarks
• PP250 was designed in 1969-1970
• Limited use in Public Telecommunication
• Adopted by UK Department of Defense: Ptarmigan Mobile Switch, Use in Gulf War, Second generation hardware
• Architecture had a bigger impact: OOP, Distributed Computing
• Brad Cox & Objective-C
• Distributed Systems like ITT System 12
• Simple Object Access Protocol is a next step: http://discuss.develop.com/soap.html

Page 37

Thank you!

Ken Hamer Hodges can be contacted [email protected]