There is a meme floating about that capability systems can’t do security because capabilities are not selectively rescindable. It has only recently (2006) come to my attention that most, perhaps all, historic hardware capability systems lack indirect segment capabilities which provide rescindable memory access in Keykos. The hardware that has been available may justify that meme. Keykos and Capros have promptly rescindable segments. There are costs but rescindable access to RAM by applications is native (full speed) as there is no other way. When a program acts to rescind access we promptly unmap the segment and purge the TLB.
Some capability systems include capabilities to memory which can be disseminated, but not revoked, except perhaps by deleting the memory. We describe how access to memory segments is created and rescinded in Keykos leaving the memory intact for other users. The content of this note is implicit in the description of prepared segments but is harder to discover there.
Most segment capabilities, segment keys here, can be used to produce a rescindable segment to the same memory. To do this one buys a new node N, puts the segment key into slot 0 of N, puts an appropriate format key in slot 15 of N, and requests from N a new segment key to N. The new segment key is now rescindable even if it is disseminated in an uncontrolled fashion.
Keykos achieves prompt selective rescinding even while programs access rescindable memory at standard hardware speed. There is a cost however which we try to expose here.
When a program accesses such memory that is defined by a node, to which someone may be holding a key by which he could rescind the memory, that node is pinned in memory. (Actually it is pinned even if he has lost the key—but we are setting the scene.) Slots 0 and 15 of N are registered in a depend relation as contributing to the definition of memory mapping tables which contribute to the accessibility of the rescindable memory. (In the 370 version some simple node patterns in the memory tree avoided using depend because those patterns allowed simple fast searches.) Slots 0 and 15 are also involved and marked “don’t write”. If the node key to N is used to destroy N or even modify the slots 0 or 15 then the kernel will notice that the slots are marked don’t write and take special action. Since the node is prepared as a segment node, the depend relation is consulted which leads to invalidating the memory mapping table entry that depended on the modified slot. The TLB is then flushed, selectively if hardware permits. Before returning to the rescinder, access has been denied to whoever had gained access to the segment directly or indirectly via the rescinded key.
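The construction of a rescindable segment (node N with the segment key in slot 0 and a format key in slot 15) and the rescinding path through the depend relation, written out as a small model. This is an added example and not Keykos or CapROS kernel code; the class and method names (Node, SegmentKey, NodeKey, Kernel.depend, write_slot) are assumptions chosen for illustration, and the sample page content is constructed. What it shows is the bookkeeping the note describes: mapping entries built through N register a dependency on slots 0 and 15, those slots are marked "don't write", N stays pinned while a mapping depends on it, and a write to a marked slot invalidates the dependent mapping entries and their TLB copies before the rescinder continues, while the page itself stays intact for holders of the underlying key.

```python
"""Toy model of Keykos-style rescindable segments (added example, not kernel code)."""
from __future__ import annotations
from dataclasses import dataclass, field

FORMAT_KEY = "format-key"      # stand-in for the format key placed in slot 15
SLOTS_PER_NODE = 16


@dataclass
class Page:
    """Backing memory; untouched by anything that happens to keys leading to it."""
    data: bytes


@dataclass(eq=False)          # identity hash: nodes are kernel objects, not values
class Node:
    slots: list = field(default_factory=lambda: [None] * SLOTS_PER_NODE)
    dont_write: set = field(default_factory=set)   # slot indices marked "don't write"


@dataclass(eq=False)
class SegmentKey:
    """Names either a Page directly or an indirection Node like N."""
    target: object


@dataclass(eq=False)
class NodeKey:
    """Authority to read or modify a node's slots, hence to rescind through it."""
    node: Node


class Kernel:
    def __init__(self) -> None:
        self.mapping: dict = {}   # mapping-table entries: SegmentKey -> Page
        self.tlb: dict = {}       # translation cache filled from self.mapping
        self.depend: dict = {}    # (node, slot) -> keys whose mapping used that slot
        self.pinned: set = set()  # nodes whose slots currently define a live mapping

    def new_page(self, data: bytes) -> SegmentKey:
        return SegmentKey(Page(data))

    def make_rescindable(self, seg: SegmentKey) -> tuple[SegmentKey, NodeKey]:
        """Buy node N, fill slots 0 and 15, hand out a segment key to N."""
        nk = NodeKey(Node())
        nk.node.slots[0] = seg
        nk.node.slots[15] = FORMAT_KEY
        return SegmentKey(nk.node), nk   # the node key is what the owner keeps back

    def _resolve(self, seg: SegmentKey, mapped_key: SegmentKey) -> Page:
        """Walk the memory tree, registering depend entries and don't-write marks."""
        if isinstance(seg.target, Page):
            return seg.target
        node = seg.target
        if node.slots[15] != FORMAT_KEY or not isinstance(node.slots[0], SegmentKey):
            raise PermissionError("segment is no longer defined by this node")
        for slot in (0, 15):
            self.depend.setdefault((node, slot), set()).add(mapped_key)
            node.dont_write.add(slot)
        self.pinned.add(node)
        return self._resolve(node.slots[0], mapped_key)

    def read(self, seg: SegmentKey) -> bytes:
        """Full-speed path: a TLB hit never consults the node tree."""
        if seg not in self.tlb:
            if seg not in self.mapping:
                self.mapping[seg] = self._resolve(seg, seg)
            self.tlb[seg] = self.mapping[seg]
        return self.tlb[seg].data

    def write_slot(self, nk: NodeKey, slot: int, value) -> int:
        """Modify a slot via the node key; returns how many mappings were invalidated."""
        node = nk.node
        invalidated = 0
        if slot in node.dont_write:               # kernel notices the mark
            for key in self.depend.pop((node, slot), set()):
                self.mapping.pop(key, None)       # drop the dependent table entry
                self.tlb.pop(key, None)           # selective TLB flush
                for other in (0, 15):             # forget the key's other dependency
                    self.depend.get((node, other), set()).discard(key)
                invalidated += 1
            node.dont_write.discard(slot)
            if not any(self.depend.get((node, s)) for s in range(SLOTS_PER_NODE)):
                node.dont_write.clear()
                self.pinned.discard(node)         # nothing maps through N any more
        node.slots[slot] = value
        return invalidated


def demo() -> dict:
    """Constructed scenario: share a page rescindably, read it, rescind, read again."""
    k = Kernel()
    direct = k.new_page(b"payroll")              # constructed page content
    shared, owner = k.make_rescindable(direct)
    first = k.read(shared)                        # builds mapping, pins N
    pinned_during = owner.node in k.pinned
    again = k.read(shared)                        # served from the TLB
    count = k.write_slot(owner, 0, None)          # rescind by overwriting slot 0
    try:
        k.read(shared)
        denied = False
    except PermissionError:
        denied = True
    return {"first": first, "again": again, "pinned_during": pinned_during,
            "invalidated": count, "denied": denied, "unpinned_after": owner.node not in k.pinned,
            "still_readable_directly": k.read(direct), "tlb_cleared": shared not in k.tlb}


if __name__ == "__main__":
    print(demo())
```

Every copy of `shared` is the same key, so all holders lose access together; holders of `direct` are unaffected, which is the selectivity the note is after.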