Hydra: The Kernel of a Multiprocessor Operating System

Notes by Thorsten von Eicken, Jan 27, 1998, updated Jan 28 1999.

Goals

• flexible operating system kernel for an experimental multiprocessor time-sharing system
• kernel base for a collection of operating systems designed to exploit and explore multiprocessor
  computer systems
• support non-hierarchical layering
• separation of mechanism and policy, it does not use hierarchical structure since it
  limits flexibility and one hierarchical relation does not hold throughout the system
• uniform protection mechanism throughout the system through the use of capabilities

Capability system

• System built out of objects
• Capabilities are object references, plus bit vector of access rights
• Set of generic access rights, and type-specific access rights
• Capabilities are stores in LNSs (local name spaces) and referred to by a small index into the LNS
• Processes have a stack of LNSs
• Through capabilities, one can invoke procedures

Call mechanism

• check access rights to call capability as well as parameter capbilities
• create new LNS, using template which is part of procedure type
• add capabilities passed as parameters, by merging caller's and callee's rights
• pop LNS upon return

Features & misfeatures

• Relatively simple implementation, even LNSs are objects with capabilities
• LNS relatively small, because capabilities can named using paths from a capability in the LNS
• Supports capability confinement
• Rights augmentation
• Not clear how to do capability revocation
• Bit vectors don't allow all access modes to be readily expressed

Comparison to object oriented systems

• Hydra obviously predates OO languages
• procedures = methods, types = classes
• hydra provides protection and dynamic class creation
• clearly Hydra's "objects" are at a much larger level of granularity than in OO languages

Discussion points

• implementation cost
• alternative implementations for capabilities
• problems with capability systems