We introduce some nearly conventional terminology here with which to contrast three styles of kernel architecture:
Any of these kernels:
The last few decades have seen a substantial body of software function, such as data base software, that is outside the kernel but also outside the application. We refer to that as middleware here. Middleware runs in its own environment and too often these environments require universal authority to do their job.
The most familiar programming context is provided by standard libraries that run in the address space of the environment. These libraries run with the environment’s authority and invoke the conventional kernel to perform the actions on files.
Just as real machines communicate by features such as Ethernet or shared disks, so may virtual machines. Virtual machine kernels often allow some special virtual machine to control what other connections are permitted between the other virtual machines. Software in the special machine can thus institute security policies.
Virtual machine systems, by them selves, do not provide a “civilized” programming environment. On the other hand they allow any other sort of environment to be used.
The capability style kernel provides environments which are able to efficiently invoke programs in other environments by sending messages. Many of the functions of a Unix style kernel are thus provided by programs that run in these environments and the capability kernel is thus much smaller than a Unix style kernel.
An environment in a capability system has a list of capabilities that the program therein can use as it pleases. These capabilities are used primarily as addresses for these messages. Some capabilities locate other environments and a message addressed by such a capability is delivered to the program in that environment. Messages to other capabilities are interpreted by kernel code. To send a message to a capability is to invoke that capability. Such a message can include other capabilities from the sender’s list, whereupon the message recipient receives that capability into its own capability list. Capabilities can be thought of as references to objects.
There are capabilities to produce new environments and introduce code to be executed therein. To invoke a capability is the sole means of acting.
Collections of environments without capabilities between them remain isolated from each other for no messages can flow between them. This is a trivial way to provide the isolation that is so natural to the virtual machine system.
The programming context in a capability system depends on the available objects. Middleware lives in its own environments just as do the apps and most OS functions found in conventional kernels.
Keykos, in contrast to Mach, emphasizes multiply instantiated objects. In Keykos the sorted list function will be provided as one object per list, in its own environment. In Mach the pattern is to put all sorted lists in one environment.