Information Security & Data Protection
Object Lessons from PP250
A Fault-tolerant Multi-processor
Kenneth Hamer-Hodges
http://members.telocity.com/khodges/PP250.htm Ken Hamer-Hodges 1975-2002 2
Objects & Capability Based Architecture
• Taplow Court - 1967 to 1977
• Plessey Telecommunication Research PP 250
• Other Research (http://citeseer.nj.nec.com/context/22829/0): Dennis and Van Horn, M.V. Wilkes, Bob Fabry, Bill Wulf, Butler Lampson
Maurice Vincent Wilkes
Director of the Cambridge Computer Laboratory starting with EDSAC; inventor of labels, macros and microprogramming; with David Wheeler and Stanley Gill, the inventor of a programming system based on subroutines.
Quotation (regarding developing programs): “... It would be more logical first to choose a data structure appropriate to the problem, and then to look around for, or construct with a kit of tools provided, a language suitable for manipulating the structure.”
PP250 – System Objectives
• Communication Switching, Public & Military
• Application MTBF +50 years
• Fault Tolerant Architecture
• Multiprocessor for Growth in service
• Capability Based for Memory Protection
Multiprocessor Concerns
• Scalable
• Shared Memory
• Distributed
• Protected from ALL Single Failures
[Diagram: several PP250 CPUs sharing RAM and I/O units]
Modular Objectives & the Enter Capability Mode
• Ability to Extend, Grow & Evolve in Service
• Add new unknown ‘types’ of behavior over time
• Prevent error migration through the system, including ‘undetected’ & ‘dynamic’ software errors
• Fault Isolation with Rapid Automatic recovery
• Information sharing but with constraints
• Availability 0.99995%
• Detect any & all single errors (H/W or S/W)
• Unattended operation
• Networking & Scalability
A Privacy & Security Architecture
• Evaluate some Examples
• Identify Natural Characteristics
• Define Necessary Requirements
• Introduce a Total Solution (PP250)
• Review & Conclusions
Security & Privacy Examples
• An Historical Solution
• An Eccentric Solution
• A Traditional Solution
• Physical & Logical Security
• Static & Dynamic Principals
An Historical Example
• Privacy in Death
• Security of Slumber
• State of the Art 2500 BC
• Not Future Safe
• Privileged use
• Limited service
• Static Limitation
• Single Application
A Contrived Solution
• Eccentric
• Depends upon ‘privileged modes’
• Requires Special Skills
• Not ‘real time’
• Easily ‘Hacked’
A Traditional Solution
• Domains of Protection
• Physical Enclosure
• Limited Access
• Controlled Levels of Protection
• Dynamic Objective
Common Characteristics
• Guarded Lock & Key - Binding
• Encapsulation – Insulation & Isolation
• Limited Access - Implementation Hiding
• Inherited Behavior - Precedence
Encapsulation
• Locked Enclosures
• Hidden content
• Physical Boundary
• Various Strengths
• Multiple Purposes
• Individual Size & Scope
Basic Capability Encapsulation
[Diagram: a Program (CPU) holds an Access Key whose Type is Data Block and whose Access Rights are Read (data), Write (data) and Execute (program); the key selects a System Capability Table entry holding a Base Address, a Limit Address and a Sum Check; that entry bounds the Encapsulated Component, the “Data” Object, in Shared Memory between its Base Address and Limit Address]
Controlled Access Ports
• Few well defined Ports
• Need to know Locations
• Actively Guarded
• Key & Password checks
• Entry is challenged
• Exit is taxed
• Context is critical
Dynamic Checks
[Diagram: a Reference to a Data Block goes through capability register CR x; the Access Key’s Type (Data Block) and Access Rights (Read, Write, or Read & Write) give Permission to Read or Write, and the address of the Object in memory is the Base from the Capability Register + Offset]
Enter Key
[Diagram: an Enter Key is a Key to an ‘Extended Type’, with Type Capability List and Access Rights Enter (Call Instruction); a Program Call through the Access Guard makes a Context Change into a New Context, a Subroutine domain holding its own Execute Key, Enter Key and RW Key, and Rtn returns to the caller’s Execute Key]
Dynamically Guarded
• Active Checking
• Real-time, on-line
• No Privileged Modes
• Recursive Application
• Two machines in one: Capability vs. Data
Guarded CPU Checking
• Protect Memory from Code errors, Logic errors, Data errors, CPU errors, Capability errors
[Diagram: PP250 CPUs on a Dedicated CPU Bus to a Multi-port System Memory; each CPU holds Micro-Code, Program registers R 0-7 and 8+8 Base & Limit Capability Registers]
Instance & Class Context Management
• Program Registers (Two types – Data & Capability)
• Load & Save Data Values D0 to D7
• Load a “Capability” Address (C0-C7)
• Save a Token into a Capability Segment
• Jump to a new Program Block (CR 7)
• Call (Enter) a Subroutine (save/load C6 & C7 Context)
• Instance Context ‘Entered’ in CR 6
• Class Access Method Loaded in CR 7
• Push Context onto Stack with Call
• Pop Context on Return from Subroutine
[Instruction format: Instruction | R (0-7) | CR (0-7) | Offset]
Thread & System Context
• Thread Context CR 8-11: Swap Instruction or Interrupt Change - Stack, Time Value, Interrupt, Registers, Full Context
• System Context CR 12-15: Swap on Error & Re-Boot, System Capability Table, Diagnostic Capabilities
Inherited - Rules of Behavior
• Built in To every Instance of every Class
• Real-time Enforcement
  • Early Error Detection
• Fault Isolation
  • Remove the Capability
• System recovery
  • Self test
  • Reconfiguration
The Jump Instruction
[Diagram: the CPU presents a Capability Key (Type Data Block, Access Rights Execute) to Load Code Into CR-7; the Jump gives Permission to Execute the Program Module]
Capability Summary
• Access through ‘Minted’ Tokens
• Boundaries are Fenced & Maintained
• Confidence from Check & Balance
• Freedoms are Managed (limited): Read, Write, Execute, Save, Load, Enter
Access through Tokens
• No alternative currency, no workarounds
• Capabilities have a ‘Minted’ Integrity
• Transparent vs. Secret methods
• Need to know limitations (private)
• Copyright protection (security)
• Access modes can be limited
A Capability to a Capability List
[Diagram: a Capability (Key) whose Type is Capability List and whose Access Rights are Load, Save (add to ring), Load & Save, or Enter (Call) gives Permission to Load, Save or Enter a Key Ring Object]
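The checks drawn on the Basic Capability Encapsulation, Dynamic Checks, Enter Key, Instance & Class Context Management and Capability List slides, as an added toy Python model that is not from the talk or from PP250 itself: every access goes through a capability register, and the guard verifies the sum check, the type, the access right and the base/limit bound before touching memory, with data memory and capability segments kept apart. The class names, the string rights, the sum check formula and the ring layout used by Enter (entry 0 to C6, entry 1 to C7) are assumptions made for illustration.

```python
class CapFault(Exception): pass   # every failed check stops here, so one error stays with one instance

class Cap:   # table entry behind a token: type, access rights, base, limit and sum check
    def __init__(self, kind, rights, base, limit):   # kind is "data" or "clist"
        self.kind, self.rights, self.base, self.limit = kind, frozenset(rights), base, limit
        self.check = self.sumcheck()   # toy sum check (assumed formula), fixed when the capability is minted
    def sumcheck(self):
        return (sum(map(ord, self.kind + "".join(sorted(self.rights)))) + self.base + self.limit) & 0xFFFF

class Machine:   # 'two machines in one': data memory holds values, segments hold tokens only
    def __init__(self, table, data, segs):
        self.table, self.data, self.segs = table, data, segs   # table maps token -> Cap
        self.cr, self.stack = {}, []   # capability registers (tokens only); pushed C6/C7 pairs
    def _guard(self, reg, kind, right, off):   # the dynamic check made on every access
        cap = self.table[self.cr[reg]]
        if cap.check != cap.sumcheck():
            raise CapFault(f"CR{reg}: corrupt capability")
        if cap.kind != kind or right not in cap.rights:
            raise CapFault(f"CR{reg}: no '{right}' right on this {cap.kind}")
        if not 0 <= off <= cap.limit - cap.base:
            raise CapFault(f"CR{reg}: offset {off} outside limit")
        return cap.base + off
    def read(self, reg, off): return self.data[self._guard(reg, "data", "read", off)]
    def write(self, reg, off, v): self.data[self._guard(reg, "data", "write", off)] = v
    def load(self, reg, src, off):   # take a token out of a key ring into CR reg
        self.cr[reg] = self.segs[self._guard(src, "clist", "load", off)]
    def call(self, reg):   # Enter: push C6/C7; assumed ring layout: entry 0 -> C6, entry 1 -> C7
        self.stack.append((self.cr.get(6), self.cr.get(7)))
        self.cr[6] = self.segs[self._guard(reg, "clist", "enter", 0)]
        self.cr[7] = self.segs[self._guard(reg, "clist", "enter", 1)]
    def ret(self): self.cr[6], self.cr[7] = self.stack.pop()

def fails(op):   # run one guarded operation; return the fault text, or None if it succeeded
    try: op(); return None
    except CapFault as e: return str(e)

def demo():
    # Constructed scenario: token 1 = 4-word read-only data block, token 2 = key ring holding tokens 1 and 3,
    # token 3 = Enter key whose ring names token 4 (instance data) and token 5 (class program)
    table = {1: Cap("data", {"read"}, 100, 103), 2: Cap("clist", {"load"}, 0, 1),
             3: Cap("clist", {"enter"}, 2, 3), 4: Cap("data", {"read", "write"}, 200, 201),
             5: Cap("data", {"execute"}, 300, 309)}
    m = Machine(table, {100: 7, 101: 8, 102: 9, 103: 10, 200: 0, 201: 0}, {0: 1, 1: 3, 2: 4, 3: 5})
    m.cr[0] = 2; m.load(1, 0, 0)         # the thread starts with only the ring; C1 := token 1
    value = m.read(1, 3)                 # in bounds and permitted: 10
    faults = [fails(lambda: m.read(1, 4)),       # beyond the limit
              fails(lambda: m.write(1, 0, 0)),   # no write right
              fails(lambda: m.load(1, 1, 0))]    # a data block is not a key ring
    m.load(2, 0, 1); m.call(2)           # Enter: C6 = instance data, C7 = class program
    entered = (m.cr[6], m.cr[7]); m.ret()
    table[1].limit = 999; faults.append(fails(lambda: m.read(1, 0)))   # corrupted entry fails its sum check
    return value, entered, faults
```

demo() returns the in-bounds value, the (C6, C7) tokens seen inside the entered domain, and the four fault messages the guard raised, the last one from the corrupted table entry.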
Abstractions are Guaranteed
• Tokens are also Objects!
• Trade in tokens is very powerful
• A Token is an Abstraction
• Polymorphic Abstractions are electrifying
• Type checking must be on-line: Smalltalk vs. C++
PP250 CPU & The “Thread”: A Structure for Reliability
[Diagram: a Thread with its own Data Registers 8-15 & Capability Registers 8-15 runs in the Calling Domain; a Call pushes C6, C7 & Ins Add (the instruction address) and enters an Instance of a Protected Domain, with the Class Program (EX Key) in C7 and the Call Context (RWD Key to the Instance Data) in C6; a Common Class Subroutine (e.g. Create Message Q) is reached through a further Enter Key and yields an Instance of a Q…; Return pops the saved context]
Trust but Verify
• Translate ‘rights’ into ‘reality’
• Forgery protection
• Immediate error discovery
• Contained to one & only one error Instance
• Fail safe protection
• ‘Single Failure’
• Deliberate attack
Freedoms are Managed
• Laws are ‘Transparent’
• Rights are Inherited
• Application must be uniform & universal
• No exception – No privileged modes
Recapping the Essentials
• Needs are Open
• Customs are Inherited
• Bounded Privacy & Security
• Guaranteed Abstraction
• Closed Access Rights
• No Privileged Modes
• Independent Accountability
• Fail Safe Implementation
Constraints are Inherited with Behaviors
• ‘Capabilities’ are not ‘data’ (for PP250)
• A Token has some Right to an Object: Read (some data), Write (some data), Execute (some code), Access (some object), Copy (some Token), Enter (some context)
• Problem: Where do Capabilities come from?
[Diagram: an Access Key to an Object Instance]
Encapsulation must be Validated
• Security: Implementation is hidden, Access is ‘methodical’
• Privacy: User permissions are checked
  • On Access
  • On Entry
  • On Exit
• Problem: What about ‘Virtual Memory’ or backup recovery on tape or disk?
Access is Uniform & Universal
• Only as strong as the weakest link
• Thus Implement in Hardware
• Transparent Implementation
• Applies to the Operating System
• No Privileged Mode
• Problem: How does the PP250 join (enter) the real world?
Maintaining Check & Balance
• Two CPUs: One for Data, One for Capabilities
• Protection from Abuse or Misuse by Oneself or Others; Corruption or Failure; Mis-operation; Miscalculation; Incompatible Update
• Fail Safe
• Problem: What if the Capability is corrupt?
Closing Remarks
• PP250 was designed in 1969-1970
• Limited use in Public Telecommunication
• Adopted by UK Department of Defense: Ptarmigan Mobile Switch, Use in Gulf War, Second generation hardware
• Architecture had a bigger impact: OOP, Distributed Computing; Brad Cox & Objective-C; Distributed Systems like ITT System 12
• Simple Object Access Protocol is a next step: http://discuss.develop.com/soap.html
Thank you!
Ken Hamer-Hodges can be contacted at [email protected]