Protection Domain Extensions in Mungi

Jerry Vochteloo, Kevin Elphinstone, Stephen Russell, and Gernot Heiser
School of Computer Science and Engineering
The University of New South Wales, Sydney, Australia 2052

Abstract

The Mungi single address space operating system provides a protected procedure call mechanism named protection domain extension (PDX). The PDX call executes in a protection domain which is the union of (a subset of) the caller's domain and a fixed domain associated with the procedure. On return, the caller's original protection domain is re-established. Extensive caching of validation data allows amortisation of setup costs over a possibly large number of invocations. The PDX mechanism forms the basis for object support in Mungi, particularly encapsulation. It is also used for accessing devices, and to implement user-level page fault handlers and other services.

1. Introduction

One of the most attractive features of object-oriented operating systems is the ability of users to transparently extend the OS. Such extensibility is of particular interest if users can access methods provided by other users without compromising security. Hence, the system should efficiently support object encapsulation and safe method invocation.

Capability systems are particularly well-suited to support extensibility [Lev84]. Safe method invocation in these systems is made possible by the provision of a protected procedure call mechanism, which allows the callee to perform operations the system would not permit the caller to do directly.

Mungi [HERV94] is a 64-bit single address space operating system (SASOS) based on password capabilities. Mungi's protected procedure mechanism is called protection domain extension (PDX). This paper describes Mungi's PDX mechanism and its implementation.

This work was supported by Australian Research Council grant A49330285.
Phone: +61-2-9385-5156, fax: +61-2-9385-5995, e-mail: disy@cse.unsw.edu.au, www: http://www.cse.unsw.edu.au/~disy

2. Protection Domains in Mungi

Mungi's basic protection model has been described in [VRH93]. In short, each task (which consists of one or more threads) has associated with it a protection domain, which is the set of objects accessible to the task. The protection domain is implemented as a set of pointers to capability lists, which are arrays of capabilities. Unlike classical software-based capability systems, Mungi's capability lists are not system objects but are user-maintained. Object accesses are validated by matching the list of valid capabilities (and corresponding access rights) recorded in the central object table against the capabilities found in the protection domain. If the validation succeeds, an entry is made in a per-task segment list, which caches validations.

Capabilities in Mungi refer to "objects", which are contiguous ranges of virtual memory pages. No internal object structure is assumed by the system. The search of the protection domain implies that capabilities need not be explicitly presented to the system on the first (or any subsequent) access to an object. If, however, a capability is presented explicitly, it is immediately validated, and the segment list is updated as appropriate. On a page fault, the segment list is first consulted; if a matching entry is found, the corresponding page is mapped, otherwise the access is validated as above.

3. Protection Domain Extension

Validation of object access in the Mungi system requires the searching of two large data structures (the object table and the capability lists). To amortize some of the validation costs, much of the validation information is cached.
Implementing protected procedure calls based on an extension of the caller's protection domain has two main benefits: firstly, we can re-use the cached validation information from the caller's protection domain, and secondly, the extension allows for the implicit sharing of large numbers of objects between the caller and the protected procedure. Mungi's PDX mechanism allows the extension of a thread's protection domain for the duration of a procedure
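As an added illustration (not the paper's or Mungi's own code; the names, the capability format and the sample object table are assumptions made for this toy), the following Python model walks the validation path of Section 2 (search the user-maintained capability lists, check the central object table, cache the result in the segment list) and the domain extension and restoration of Section 3.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Capability:
    obj: int       # object id: base of a contiguous page range (assumed format)
    password: int  # secret that must match an object-table entry

# Central object table (constructed sample data): obj -> {password: rights}.
OBJECT_TABLE = {
    0x1000: {0xA1: "rw", 0xA2: "r"},
    0x2000: {0xB1: "r"},
}

@dataclass
class Task:
    clists: list                                  # user-maintained capability lists
    segments: dict = field(default_factory=dict)  # cached validations: obj -> rights

def validate(task, obj, wanted):
    """Search the protection domain for a capability that the object table
    accepts for obj and that grants `wanted`; cache a successful validation."""
    for clist in task.clists:
        for cap in clist:
            if cap.obj != obj:
                continue
            rights = OBJECT_TABLE.get(obj, {}).get(cap.password)
            if rights and wanted in rights:
                task.segments[obj] = rights
                return True
    return False

def access(task, obj, wanted):
    """Page-fault path: consult the segment list first, else validate."""
    cached = task.segments.get(obj)
    if cached is not None and wanted in cached:
        return True
    return validate(task, obj, wanted)

def pdx_call(task, subset, fixed_domain, body):
    """Run body(task) with the domain = subset of the caller's clists plus the
    procedure's fixed clists, keeping cached validations that the subset still
    covers; restore the caller's original domain on return."""
    saved = (task.clists, task.segments)
    covered = {c.obj for cl in subset for c in cl}
    task.clists = list(subset) + list(fixed_domain)
    task.segments = {o: r for o, r in saved[1].items() if o in covered}
    try:
        return body(task)
    finally:
        task.clists, task.segments = saved
```

A wrong password or a capability absent from every list in the domain fails validation, and objects reachable only through the procedure's fixed domain become inaccessible again once the call returns.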