Keykos Glossary

Tentative conceit: I plan to name in square brackets the code that creates the named category. Unfinished!
Address segment
A keykos segment which serves as the virtual address space of a domain that holds the memory key to the segment in the address space slot of a domain. Used for code and usually data. [Kernel code defining domains]
Atomic object or ‘kernel object’
See kernel object. [object whose behavior is defined by kernel code]
One of the three possible states of a domain, specifically the state in which domain code can be activated by a start key. See also “Domain states”. [Gate code in kernel]
An identifier, unique to each domain creator, with which it marks the domains it creates. The domain creator can use the brand to verify that the object is a domain and that it created that domain. [Kernel code defining domain tool]
Builder’s key
A key designating a factory which conveys the authority to modify the factory. [Factory code]
The state of a domain that is not available, but is either running or waiting. See also “Domain states”. [scheduler and gate code in kernel]
A type of invocation where the calling domain enters the waiting state, and the kernel generates a resume key designating the caller and places this key in the fourth key position of the message for the called object. Compare to return and to fork. [gate code in kernel]
Synonymous with key. “Key” is preferred in Key Logic documentation.
A computer system which exclusively employs capabilities (keys) to authorize access to entities (objects) within the system.
Coded Disk Address (Kernel jargon)
A consistent snapshot of a system state (the state of all pages and nodes, and therefore of data and keys) from which a restart can occur. Checkpoints are insurance in case of system (hardware or software) failure. See “Journaling” and “Persistent virtual memory”. [kernel checkpoint code and a few sorts of domain programs]
Core Table
A structure in the kernel with an entry, called the page header, for each page frame in main memory (DRAM). Contiguous table entries go with contiguous DRAM page frames. The core table is a contiguous part of Item space. DRAM page frames and page headers are both indexed by real addresses. Core has long since been replaced by DRAM but kernels have had tables with that function and that name since the first virtual memories.
Two objects are in a co-routine relationship when each calls the other in succession. See “Extended invocation” for an example of a co-routine relationship.
Data Key (kernel key type)
A state of a slot in a node which effectively holds an 88 bit integer. It is a key which contains an integer value and does not actually designate a conventional object, but may be thought of as designating an immutable number object. A data key is an honorary capability. In documentation and some programming contexts a number key holding non negative integer n is denoted “DK(n)”.
Data key zero
Synonymous with Zero data key. A data key with value zero. (often written DK(0)) [wide spread conventions]
Device key (kernel key type)
A key that conveys authority to access some particular Input/Output device (e.g., terminal, printer, tape drive). [kernel I/O code and various drivers]
DISCRIM (miscellaneous object)
A broadly available kernel object that will tell you a few thing about a key that you show it, or the unique key thereto. Angst [kernel code]
An abbreviation or symbol for a zero data key.
An expression for a Data key designating integer n.
A domain is a fundamental object which obeys user mode code code (its program) and contains some data and keys that its program can reference. The domain thus becomes some sort of non kernel object. Domains are durable; they persist until explicitly deleted. A programmer constructs an object from one or more domains by providing the domain’s program. A domain can be thought of as a stylized virtual machine having its own memory and registers and exerting authority over various resources to which it holds keys.

In KeyKOS for the S/370, a domain consists of three nodes: a root node, a registers node, and a keys node. [Domains in general behave as defined by kernel code. Particular domains, as they run obey code found in their address segment.]
Domain code
The code resident on the pages of a domain’s address segment; the code which the domain executes. Execution of domain code is started by a gate key.
Domain creator
A domain which produces domains. The domains produced have no address segment or resources installed. [user mode code]
Domain keeper
The domain designated by the domain keeper key. A domain which is implicitly invoked by the kernel when an exceptional event (a trap or fault) occurs in a domain; different domains may have different keepers. Exceptional events in code execution include illegal instructions, overflow, underflow, divide check and privileged instructions. An exceptional event pertaining to space is when no segment keeper exists at the time of a memory fault. [kernel code that responds to machine traps in problem mode programs]
Domain keeper key
A key found in a domain’s keeper slot which is implicitly invoked by the kernel when an exceptional event (trap or fault) occurs. See “Domain keeper”. [kernel code that responds to machine traps in problem mode programs]
Domain service key (kernel key type)
A key that designates the root node of a domain and gives the holder the authority to manipulate some contents of that node. The domain service key is a primary key. [kernel code defining domains]
Domain states
A domain may be in the running, waiting, or available state. When not in the available state, it is busy.
Domain tool
Explicit invocation
An invocation performed within the domain by domain code; (implicit invocations are performed by the kernel).
Extended invocation
A form of invocation used to pass information (keys or data) longer than one message can hold. The invoking object and the invoked object enter into a co-routine relationship until the full information has been transmitted.
Factories are the standard mechanism by which domains are initiated. They is also a patented facility used to implement access control policies within KeyKOS. Factories produce sealed domains that have algorithms, address segments, and specific keys already installed. The security facility supported for factory-built domains allows communication channels (keys) of an object to be compared against reference sets to insure that no additional channels have been added. (These channels are also called holes.) The use of factories solves the problem of mutually suspicious users. See also “Builder’s key“ and “Requestor’s key”.
Fault key
A resume key produced during an implicit invocation of a segment keeper. A fault key may be used to restart the domain it designates, or to trap it (by offering a non-zero parameter word), but not to pass any other parameters.
Fetch key (kernel key type)
A read-only key to a node which conveys authority to fetch a key from any slot in that node. A key that is fetched retains all its authority. Compare to the action of a sense key and sensory version of a key.
A type of invocation wherein the invoking domain sends a message and remains in the running state. Compare to call and return.
Fundamental object
The kernel implements these fundamental objects: domains, segments, and meters. Domains provide processing resources, segments provide memory resources, and meters provide CPU time resources. A key to a fundamental object is a primary key. Each fundamental object has a keeper which is invoked to handle exceptional conditions.

Outside the kernel, other objects are built using these objects. See “Objects“ and “Atomic objects”.

Gate key (Kernel Category)
A key which designates a domain but restricts the holder to invoking the domain and sending a message to be interpreted by the domain code of the domain. Gate keys are either start keys or resume keys. All keys are either gate keys or primary keys.
General keys node (Kernel Category)
A node that is part of a domain that holds the 16 keys that domain code can directly reference. Analogous to the data residing in registers that is immediately available to the program.
High ordinal
A range of values from 216 through 231–1. The term refers to a distinction made when adapting a program to run under an OS/360 environment in KeyKOS. A high ordinal value is used to determine which prologue and epilogue to use with the program to be adapted. High ordinal domains typically invoke KeyKOS capabilities explicitly, and do not require a terminal. Compare to Low ordinal. See “OS/360 environment”.
A hole is a communications channel (key) through which data can flow out of a domain; a key that is not sensory and not a factory requestor key. See “Mutually suspicious users”.
The keys in a domain’s keys node are the keys the domain is said to hold. Held keys are directly referenceable by domain code.
Implicit invocation
Implicit invocations are performed by the kernel on keeper keys when faults or traps occur. They mimic call invocations.
Instance, Instantiation
The act of creating one or more objects that are all isolated and separate from one another, but all obey the same algorithm. The term “object instance” refers to one of these objects.
The basic operation performed on keys, explicitly when a domain program executes one of the three KeyKOS-implemented instructions (call, fork, and return), and implicitly (invocation by the kernel) when certain exceptional events occur.
Item Space
A structure known only to the kernel that is occupied mainly by nodes and a few miscellaneous things that keys must designate.
Journal, Journaling
An optional extension to supplement the checkpointing facility. Transactions after a checkpoint can be journaled (saved), and if a restart from that checkpoint is required the journaled transactions are automatically rerun to update the system state as close as possible to the moment of failure.
A keeper is a domain that serves as a guardian of resources (code, space, and time). A keeper serves as an exception handler for domains, segments, and meters. The appropriate keeper is invoked by the kernel when traps or faults occur. See “Keeper key”.
Keeper key
The key to a keeper found inside a fundamental object and implicitly invoked by the kernel upon an exceptional occurrence. They are the meter keeper key, the domain keeper key, and the segment keeper key.
When used alone or as “KeyKOS Kernel” (as opposed to “security kernel”), refers to the privileged-mode code of the KeyKOS operating system. The kernel does not provide all of the function conventionally associated with an operating system, rather, it provides a set of tools which allow the majority of such function to be implemented by problem-mode (unprivileged) programs in domains. Specifically, the kernel provides the following:
Kernel Category
A property of a key that the kernel, with its access to the bits of a key, can detect in just a few instructions. Kernel categories are not disjoint. The ‘type’ of a key is a kernel category. A start key is a sub category of a gate key.
Kernel Object
The most basic objects implemented by the kernel: pages, nodes, and miscellaneous objects. Kernel objects are used to construct other objects, including fundamental objects. A kernel object is like other objects in that it may be invoked by domain code holding a key to it. See also “Fundamental object” and “Primary object”.
A key designates an object and specifies access rights to that object. Invocation is the basic operation performed on keys. A key granting a particular form of access is the same for any user. A key is uncounterfeitable and inscrutable; there is no way to tell by examination of a key what authority it has or how its capabilities are implemented. All keys are either gate keys or primary keys.

Keys can be invoked explicitly or implicitly, or they can be passed in a message.

The System/370 implementation of Key Logic’s proprietary operating system utilizing the KeyTECH base.
Keys node
One of the three nodes which implement a domain (in KeyKOS for the S/370), specifically the node that contains keys held by the domain code.
The Key Logic proprietary operating systems platform designed to run on a wide range of hardware. The KeyTECH system is object-based, uses keys to invoke the capabilities of these objects, has a kernelized operating system (see kernel), and uses a single-level store.
The KeyTXF transaction processing subsystem, developed by Key Logic, is a proprietary program product that runs on the KeyKOS system. The KeyTXF system provides transaction handling, database maintenance services and system monitoring, and supports user-written application programs.
Low ordinal
A range of values from 0 through 32,767. The term refers to a distinction made when adapting source to run under an OS/360 environment in KeyKOS. A low ordinal value is used to determine which prologue and epilogue to use with the program to be adapted. Low ordinal domains typically do not invoke KeyKOS capabilities explicitly, and always require a terminal. Compare to High ordinal. See “OS/360 environment”.
Memory key (Kernel Category)
A page or segmode key.
Information passed during invocation; contains a parameter word, four keys, and an optional string of data up to 4096 bytes. When more information must be transferred, extended invocation is commonly used.
A fundamental object which measures and limits resources, currently only CPU time. A domain with a valid meter can consume the metered resources as long as the meter has positive values. A meter key conveys no authority to alter the meter other than decrementing the value of the resource. Meters are arranged hierarchically and decrement in lock-step.
Meter keeper
A domain designated by a meter keeper key, implicitly invoked when an exception occurs (the meter counter goes to zero).
Meter keeper key
The key found inside a meter and implicitly invoked by the kernel when the meter counter goes to zero.
Meter key (kernel key type)
A key to a meter which, when installed as the meter key of a domain, conveys rights to use the resources represented by the meter.
miscellaneous key (kernel key type)
A key to a miscellaneous object.
miscellaneous object
A sort of kernel object not implemented in large numbers. There are a few wait objects and just one of each of the other miscellaneous objects.
Mutually suspicious users
A classic problem in data processing which is solved by the KeyKOS factory. The problem involves two users who need each other’s services but cannot trust each other; for example, a user who has a proprietary algorithm and another user who has proprietary data. The algorithm owner would like to run his algorithm against the data, but is afraid that the data owner could steel the algorithm or get some information based on the inquiries the algorithm makes against the data. The data owner is afraid that the algorithm owner might steal the data or the result, or corrupt the data. Traditionally, these users could never do business together without sacrificing one or more of their security requirements. The factory allows them to get together without any sacrifice whatsoever.
An atomic object, which consists of 16 slots. Keys reside only in slots (one key to each slot). A newly-created node holds 16 zero data keys. Nodes exist in large numbers. See also “Super node”.
Node key (kernel key type)
A key to a node, with read/write authority. This is the most “powerful” key one can hold to a node. Compare with fetch key and sense key.
Null key
A zero data key.
Number key
New name for data key
An object is a combination of data and algorithm into a fully independent and self-contained component capable of carrying out a well defined set of functions. These functions can only be executed via key invocation. Objects may be constructed from other objects. See “Instantiation”, “Primary object”, “Atomic object”, “Fundamental object”, and “Invocation”.
A computer system which primarily employs objects to implement the system.
A system which supports and uses objects as the primary programming paradigm.
Order code
The part of a message used to request a particular function or action from the invoked object.
A 32-bit integer, ranging in value from 0 through 231-1. Low ordinal and high ordinal values are used in adapting source programs to run under an OS/360 environment in KeyKOS on System/370 hardware.
OS environment, OS/360 environment
The KeyKOS system for the S/370 also provides support facilities for running programs developed to run under the IBM System/360 Operating System (OS/360). Programs running under these KeyKOS support facilities are said to be in an OS/360 environment, or OS environment for short. See “Ordinal”.
An atomic object which consists of 4096 bytes, the working unit of data storage. Pages are available in large numbers. Since KeyKOS implements a single level store, all data (including code) exist on pages.
Page key (kernel key type)
A key which designates a page. The page key may convey read-only or read/write authority over the page.
Page Table
A structure in the kernel defined by the hardware providing the real addresses of pages that appear consecutively in some segment or address space.
Parameter word
The part of a message which is conventionally used as an order code to request a particular function or action from the invoked object, or as a return code to return information about the result of an invocation. On KeyKOS for the S/370, this is a 32 bit field provided and received in register 1.
Persistent virtual memory
Virtual memories are persistent in KeyKOS; they exist until explicitly destroyed. This is accomplished by the combination of the single level store and checkpoint/restart features of KeyKOS.
Primary key (Kernel Category)
A primary key designate an object that is implemented within the kernel. See “Gate key”.
Primary object
An object implemented by code within the kernel rather than domain code. A primary object is invoked via a primary key.
Principle of least privilege
One of the fundamental design principles of KeyKOS, which states that keys given to objects shall convey no more authority (privileges) than required by the object to perform its task.
Range Key
A primary key conveying authority to use some contiguous portion of a disk. Most (usually all) range keys are held by space banks. There are orders on range keys to create a page or node key to a frame in the range.
Record collection
An object which serves the same function as a file or directory in a conventional system. Record collections can be used to implement the behavior of IBM access methods. Record collections associate a name (index), a string, and a key (capability) into a record.
Registers node
A node containing the contents of general purpose and floating point registers; one of the three principle nodes making up a domain in KeyKOS for the S/370.
Requestor’s key
A key to a factory which conveys minimal authority. A requestor’s key may be used to certify the discretion of a factory, and may be invoked to initiate a particular domain.
The act of restoring system operation after an outage, such as a power failure. Restarts occur from the most recent checkpoint. See “Persistent virtual memory.”
Restart key (Kernel Category)
A resume key produced during an implicit invocation of a meter keeper or domain keeper. A restart key may be used to invoke the domain it designates, but all parameters are discarded.
Resume key (kernel key type)
A resume key to a domain can resume domain code execution of a domain when it is in the waiting state. There are three types of resume keys: return, fault, and restart. Resume keys are created by the kernel and are always stored in the fourth key position of a message. All resume keys to a given domain become empty (contain zero data keys) once any copy of that resume key is invoked.
A type of invocation where the invoking domain sends a message and becomes available. Compare to Fork and Call.
Return code
The part of a message used to return information about the result of an invocation. See “Parameter word”.
Return key (Kernel Category)
A resume key implicitly generated when one domain invokes another with a call invocation. The return key designates a domain in the waiting state. A return key may be used to send a message and resume domain code execution in the waiting domain.
Rights amplification
Rights amplification involves creating a new key with increased authority over an object. Rights amplification can only be done if the algorithm within the invoked object supports that function. Rights amplification always involves at least two keys: the key being invoked and another key passed in the message which is used by the invoked object to verify that the invoker has the authority to amplify rights. By design, rights amplification always involves returning a new key (with amplified rights) to someone who, by virtue of the keys used to amplify rights, could have had the amplified key originally.
Rights attenuation
Rights attenuation involves creating a new key with decreased authority over an object. Rights attenuation can only be done if the algorithm within the invoked object supports that function. Rights attenuation is done by invoking a key with a particular order code that is interpreted as a request to create and return a new key with specific rights removed.
Rights diminution
Same as Rights attenuation.
Root node
One of the three principle nodes making up a domain (in KeyKOS for the S/370); specifically, the node which contains such keys as the address segment key and meter key. See “Domain key”.
The domain state during which the domain code executes. One of two busy domain states. See “Domain states”.
A fundamental object constructed from pages and nodes, and used to define space resources. The minimum segment is a single page. The term is used recursively, and a segment can be made up of segments. A segment defines a virtual address space or portion thereof.
Segment keeper
An object designated by a segment keeper key, which handles exceptional occurrences such as an invalid address or a write protection violation.
Segment keeper key
A key found inside of a segment, which is invoked implicitly (by the kernel) when a memory fault occurs, such as an invalid address or a write protection violation.
Segment key (kernel key type)
A key which designates a segment. The holder of a segment key has no authority to view or modify the actual construction of the segment. A segment key only grants authority to read and perhaps write the data stored on the segment.
Segmode key (Kernel Category)
A segmode key is a segment, node, fetch, or sense key residing in a node that has been authorized by the kernel to be part of a segment. A segmode key is a memory key.
Sense key (kernel key type)
A sense key is the sensory version of a node key, fetch key, or sense key. A sense key grants authority to fetch the sensory version of a key from any slot in a designated node. Compare to Fetch key.
Sensory version
The sensory version of a key allows only one-way communication in the direction of the holder of the sensory key. It is not possible to send information out via a sensory key. Different keys have different sensory versions. For example, the sensory version of a read-write page key is a read-only page key to the same page.
Single level store
The KeyKOS system implements a single level store that combines main memory and disk memory into one large, flat, and persistent storage space. With a single level store there are no files in the sense of having to be aware of the distinction between permanent storage (such as disks) and main memory. All that is perceived are arrays of bytes in main memory. There are however objects that provide the functionality of files. See “Record collection”.
One of the 16 key storage locations within a node. Keys exist only in slots. All slots contain keys, which may be null (zero data key = DK(0)).
Space bank
An object which is the source of space resources (pages and nodes). All space management in KeyKOS is done via space banks.
A stalled domain is running, but cannot presently continue to execute its domain code. When a running domain invokes a key to a busy domain, the running domain becomes stalled until the busy domain becomes available.
Start key (kernel key type)
A type of gate key used to invoke an available domain. A start key starts execution of the domain code designated by the start key. The message is delivered to that code for interpretation.
Super node
A simulated node with a large number of slots for keys; the limit is 232 slots.
Type of key or ‘kernel key type’
A kernel category determined by the value of 5 particular bits in the key. Any key is of just one type.
Wait object
A wait object is a kernel object. The kernel contains a small number of wait objects, which are the mechanism provided to allow domains to delay. To each wait object there is a unique key.
The domain state resulting from a call. When a domain issues a call, it remains in the wait state, not executing any code, until the resume key to it is invoked. One of two busy domain states.
Zero data key
A data key designating a zero value; by convention, used as a null key. One such use is when an object is destroyed; at that time all keys to that object become zero data keys.