Vantage Points
I illustrate here, by example, that a capability system, such as Keykos,
provides vantage points at which to install meta programs to solve certain
problems, where conventional systems, such as Unix, provide no such vantage
points.
First, some trivial cases which are easier to understand but perhaps
less strategic.
- A Keykos domain keeper K is able to intercept the program exceptions of
a machine language program P without having to find space in the address
space of P in which to locate itself.
These exceptions include system calls, so the keeper can provide
custom environments equivalent to those of other operating systems.
- The keepers of Keykos generally provide
vantage points outside the space of the kept program, so a policy may be
imposed on a program that was invented, coded, compiled and delivered
before that policy was invented.
A more substantial vantage point is a place to observe which files a program accesses.
Consider a program that runs compilers, such as the Unix make utility,
which runs them so as to efficiently rebuild programs
when only part of the source has changed.
In the make world the user must say twice what depends
on what: once in the source files proper, by including in main.c
source lines such as #include "parse.h", and then again in the
makefile with lines such as main.o : main.c parse.h.
Saying things twice is a famous pitfall, especially familiar to computer users;
the two statements drift apart, and the consequences of the resulting
inconsistent information are not easy to diagnose.
There are tools to rebuild makefiles from the sources, but these ignore the issue of when to run them.
In Keykos it is easy for a meta program to provide an environment in which
the unmodified compiler and its preprocessor run so that the access
to file parse.h
while compiling main.c is noted as the preprocessor runs.
The meta program records this and thus knows to redo the compilation
whenever parse.h changes.
A segment keeper attached to the source files can signal the first modification of a source after it was last read.
This signal can invalidate the compiled object.
Rebuilding from the modified source once again arms the watch for the next modification.
These tricks, by themselves, do not provide the other information in a Makefile, such as that conveyed by cc -c main.c within the definition of main.o.
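The following is an added illustration of the meta program just described; it is not Keykos code and not part of the original essay. A Python context manager that interposes on the builtin open() stands in for the keeper's vantage point (the monkeypatching is the assumption here, chosen because the kept program need not be modified or cooperate); preprocess() is a toy "unmodified compiler" that expands #include lines; Keeper records which files each compilation was observed to read and plays the segment keeper's invalidation signal. The source tree in demo() is constructed for the example.

```python
import builtins
import os
import tempfile
from contextlib import contextmanager


@contextmanager
def observe_opens(seen):
    """The vantage point: interpose on open() so every file the kept program
    reads is noted, without the program being modified or cooperating.
    (Monkeypatching builtins.open stands in for a Keykos keeper; assumption.)"""
    real_open = builtins.open

    def spy_open(file, mode="r", *args, **kwargs):
        # Record read-only opens of named files; ignore writes and fds.
        if isinstance(file, (str, bytes, os.PathLike)) and "r" in mode and "+" not in mode:
            seen.add(os.path.abspath(file))
        return real_open(file, mode, *args, **kwargs)

    builtins.open = spy_open
    try:
        yield
    finally:
        builtins.open = real_open


def preprocess(src_path):
    """Toy 'unmodified compiler': expands #include "x" relative to the source
    directory and returns the expanded text. It knows nothing about the keeper."""
    base = os.path.dirname(src_path)
    out = []
    with open(src_path) as f:
        for line in f:
            if line.startswith('#include "'):
                out.append(preprocess(os.path.join(base, line.split('"')[1])))
            else:
                out.append(line)
    return "".join(out)


class Keeper:
    """Meta program: learns each object's dependencies by observation and
    invalidates objects when a file they were seen to read is modified."""

    def __init__(self):
        self.objects = {}   # source path -> compiled (expanded) text
        self.deps = {}      # source path -> set of files its compilation read

    def compile(self, src):
        src = os.path.abspath(src)
        seen = set()
        with observe_opens(seen):
            self.objects[src] = preprocess(src)
        self.deps[src] = seen  # main.c, parse.h, ... learned, never declared
        return sorted(os.path.basename(p) for p in seen)

    def source_modified(self, path):
        """The segment keeper's signal: drop every object whose compilation
        read this file. Returns the names of the invalidated objects."""
        path = os.path.abspath(path)
        stale = sorted(obj for obj, read in self.deps.items() if path in read)
        for obj in stale:
            self.objects.pop(obj, None)
        return [os.path.basename(o) for o in stale]

    def up_to_date(self, src):
        return os.path.abspath(src) in self.objects


def demo():
    """Constructed sample tree (not from the essay); returns a summary dict."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "parse.h": "int parse(const char *s);\n",
            "util.h": "int util(void);\n",
            "unused.h": "int never_included(void);\n",   # present, never read
            "main.c": '#include "parse.h"\n#include "util.h"\nint main(void){return parse("x");}\n',
            "other.c": '#include "util.h"\nint other(void){return util();}\n',
        }
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(text)
        k = Keeper()
        deps_main = k.compile(os.path.join(d, "main.c"))
        deps_other = k.compile(os.path.join(d, "other.c"))
        stale = k.source_modified(os.path.join(d, "parse.h"))   # the signal
        return {
            "deps_main": deps_main,
            "deps_other": deps_other,
            "stale_after_parse_h": stale,
            "other_still_valid": k.up_to_date(os.path.join(d, "other.c")),
            "main_still_valid": k.up_to_date(os.path.join(d, "main.c")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Nothing in preprocess() names parse.h as a dependency of main.c; the keeper learns it because the compilation opened the file, so the makefile line main.o : main.c parse.h is never written. unused.h sits beside the sources but is never read and so never becomes a dependency, and modifying parse.h invalidates main.c's object while leaving other.c's alone. As the essay notes, this observes reads only; the command line of the compile step is still information the environment must carry separately.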
It is clear that functionality like this can be added to Unix, but it
seems most likely that this requires modifications to the kernel, which potentially impacts other security designs.
Such vantage points are available in Keykos without modification to the
kernel or to the TCB of anyone who does not choose to use the new function.