Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security & Data Protection Object Lessons from PP250 A Fault-tolerant Multi-processor Kenneth Hamer-Hodges.

Similar presentations

Presentation on theme: "Information Security & Data Protection Object Lessons from PP250 A Fault-tolerant Multi-processor Kenneth Hamer-Hodges."— Presentation transcript:

1 Information Security & Data Protection Object Lessons from PP250 A Fault-tolerant Multi-processor Kenneth Hamer-Hodges

2 Ken Hamer-Hodges 1975-20022 Objects & Capability Based Architecture Taplow Court - 1967 to 1977 Plessey Telecommunication Research PP 250 Other Research ( Other Research ( Dennis and Van Horn M.V. Wilkes Bob Fabry Bill Wolf Butler Lampson

3 Ken Hamer-Hodges 1975-20023 Director of the Cambridge Computer Laboratory starting with EDSAC; inventor of labels, macros and microprogramming; with David Wheeler and Stanley Gill, the inventor of a programming system based on subroutines. Maurice Vincent Wilkes Quotation (Regarding developing programs) “... It would be more logical first to choose a data structure appropriate to the problem, and then to look around for, or construct with a kit of tools provided, a language suitable for manipulating the structure.”

4 Ken Hamer-Hodges 1975-20024 PP250 – System Objectives Communication Switching Public & Military Application MTBF +50 years Fault Tolerant Architecture Multiprocessor for Growth in service Capability Based for Memory Protection

5 Ken Hamer-Hodges 1975-20025 Multiprocessor Concerns Scalable Shared Memory Distributed Protected from ALL Single Failures PP250 CPU PP250 CPU RAM I/O RAM PP250 CPU

6 Ken Hamer-Hodges 1975-20026 Modular Objectives & the Enter Capability Mode Ability to Extend, Grow & Evolve in Service Add new unknown ‘types’ of behavior over time Availability 0.99995% Prevent error migration through the system Detect any & all single errors (H/W or S/W) Including ‘undetected’ & ‘dynamic’ software errors Unattended operation Fault Isolation with Rapid Automatic recovery Networking & Scalability Information sharing but with constraints

7 Ken Hamer-Hodges 1975-20027 A Privacy & Security Architecture Evaluate some Examples Identify Natural Characteristics Define Necessary Requirements Introduce a Total Solution (PP250) Review & Conclusions

8 Ken Hamer-Hodges 1975-20028 Security & Privacy Examples An Historical Solution An Eccentric Solution A Traditional Solution Physical & Logical Security Static & Dynamic Principals

9 Ken Hamer-Hodges 1975-20029 An Historical Example Privacy in Death Security of Slumber State of the Art 2500 bc Not Future Safe Privileged use Limited service Static Limitation Single Application

10 Ken Hamer-Hodges 1975-200210 A Contrived Solution Eccentric Depends upon ‘privileged modes’ Requires Special Skills Not ‘real time’ Easily ‘Hacked’

11 Ken Hamer-Hodges 1975-200211 A Traditional Solution Domains of Protection Physical Enclosure Limited Access Controlled Levels of Protection Dynamic Objective

12 Ken Hamer-Hodges 1975-200212 Common Characteristics Guarded Lock & Key - Binding Encapsulation – Insulation & Isolation Limited Access - Implementation Hiding Inherited Behavior - Precedence

13 Ken Hamer-Hodges 1975-200213 Encapsulation Locked Enclosures Hidden content Physical Boundary Various Strengths Multiple Purposes Individual Size & Scope

14 Ken Hamer-Hodges 1975-200214 Shared Memory A Program (CPU) Basic Capability Encapsulation Access Key Type Data Block Access Rights Read (data) Write (data) Execute (program) System Capability Table Base Address Limit Address Sum Check Base Address Encapsulated Component Limit Address The “Data” Object

15 Ken Hamer-Hodges 1975-200215 Controlled Access Ports Few well defined Ports Need to know Locations Actively Guarded Key & Password checks Entry is challenged Exit is taxed Context is critical

16 Ken Hamer-Hodges 1975-200216 Dynamic Checks Permission to Read or Write Reference to a Data Block Access Type Data Block Access Rights Read Write Read & Write Base from Capability Register + Offset Key The Object in memory CR x

17 Ken Hamer-Hodges 1975-200217 Enter Key Type Capability List Access Rights Enter (Call Instruction) A Key to an ‘Extended Type’ New Context A Subroutine domain A Context Change Execute Key Enter Key RW Key Execute Key Access Guard Program Call Rtn

18 Ken Hamer-Hodges 1975-200218 Dynamically Guarded Active Checking Real-time, on-line No Privileged Modes Recursive Application Two machines in one Capability vs.. Data

19 Ken Hamer-Hodges 1975-200219 PP250 Dedicated CPU Bus Guarded CPU Checking Protect Memory from Code errors Logic errors Data errors CPU errors Capability errors Multi-port System Memory 8+8 B&L Capability Registers Mico- Code R 0-7 Mico- Code Program

20 Ken Hamer-Hodges 1975-200220 Instance & Class Context Management Program Registers (Two types – Data & Capability) Load & Save Data Values D0 to D7 Load a “Capability’ Address (C0-C7) Save a Token into a Capability Segment Jump to a new Program Block (CR 7) Call (Enter) a Subroutine (save/load C6&7 Context) Instance Context ‘Entered’ in CR 6 Class Access Method Loaded in CR 7 Push Context onto Stack with Call Pop Context on Return from Subroutine InstructionR (0-7)CR (0-7)Offset

21 Ken Hamer-Hodges 1975-200221 Thread & System Context Thread Context CR 8-11 Swap Instruction or Interrupt Change - Stack, Time Value, Interrupt, Registers, Full Context System Context CR 12-15 Swap on Error & Re-Boot System Capability Table Diagnostic Capabilities

22 Ken Hamer-Hodges 1975-200222 Inherited - Rules of Behavior Built in To every Instance of every Class Real-time Enforcement Early Error Detection Fault Isolation Remove the Capability System recovery Self test Reconfiguration

23 Ken Hamer-Hodges 1975-200223 The CPU The Jump Instruction Access A Capability Key Load Code Into CR-7 The Program Module Jump Type Data Block Access Rights Execute Permission to Execute

24 Ken Hamer-Hodges 1975-200224 Capability Data Capability Summary Access through ‘Minted’ Tokens Boundaries are Fenced & Maintained Confidence from Check & Balance Freedoms are Managed (limited) Read, Write Execute Save, Load Enter

25 Ken Hamer-Hodges 1975-200225 Access through Tokens No alternative currency, no workarounds Capabilities have a ‘Minted’ Integrity Transparent vs.. Secret methods Need to know limitations (private) Copyright protection (security) Access modes can be limited

26 Ken Hamer-Hodges 1975-200226 A Capability to a Capability List Load Access Type Capability List Access Rights Load Save (add to ring) Load & Save Enter (Call) Permission to Load, Save or Enter Key A Capability A Key Ring Object

27 Ken Hamer-Hodges 1975-200227 Abstractions are Guaranteed Tokens are also Objects! Trade in token is very powerful A Token is an Abstraction Polymorphic Abstractions are electrifying Type checking must be on-line Smalltalk vs. C++

28 Ken Hamer-Hodges 1975-200228 PP250 CPU & The “Thread” own Data Registers 8-15 & Capability Registers 8-15 An Instance of a Protected Domain Push The Calling Domain C 6, C 7 & Ins Add Pop A Structure for Reliability EX Key Class Program C7 Call Context C6 RWD Key Instance Data Enter Key Common Class Subroutine [e.g. Create Message Q] Enter Key Instance of a Q… Return Enter Key

29 Ken Hamer-Hodges 1975-200229 Trust but Verify Translate ‘rights’ into ‘reality’ Fail safe protection Forgery protection ‘Single Failure’ Deliberate attack Immediate error discovery Contained to one & only one error Instance

30 Ken Hamer-Hodges 1975-200230 Freedoms are Managed Laws are ‘Transparent’ Rights are Inherited Application must be uniform & universal No exception – No privileged modes

31 Ken Hamer-Hodges 1975-200231 Recapping the Essentials Needs are Open Customs are Inherited Bounded Privacy & Security Guaranteed Abstraction Closed Access Rights No Privileged Modes Independent Accountability Fail Safe Implementation

32 Ken Hamer-Hodges 1975-200232 Constraints are Inherited with Behaviors ‘Capabilities’ are not ‘data’ (for PP250) Access (some object) Copy (some Token) Enter (some context) A Token has some Right to an Object Read (some data) Write (some data) Execute (some code) Problem Where do Capabilities come from? Access Key An Object Instance

33 Ken Hamer-Hodges 1975-200233 Encapsulation must be Validated Security Implementation is hidden Access is ‘methodical’ Privacy User permissions are checked On Access On Entry On Exit Problem What about ‘Virtual Memory’ or backup recovery on tape or disk

34 Ken Hamer-Hodges 1975-200234 Access is Uniform & Universal Only as strong as the weakest link Thus Implement in Hardware Transparent Implementation Applies to the Operating System No Privileged Mode Problem How does the PP250 join (enter) the real world?

35 Ken Hamer-Hodges 1975-200235 Maintaining Check & Balance Two CPUs One for Data One for Capabilities Protection from Abuse or Misuse by Oneself or Others Corruption or Failure Miss-operation Miscalculation Incompatible Update Fail Safe Problem What if the Capability is corrupt?

36 Ken Hamer-Hodges 1975-200236 Closing Remarks PP250 was designed in 1969-1970 Limited use in Public Telecommunication Adopted by UK Department of Defense Ptarmigan Mobile Switch Use in Gulf War Second generation hardware Architecture had a bigger impact OOP, Distributed Computing Brad Cox & Objective-C Distributed Systems like ITT System 12 Simple Object Access Protocol is a next step

37 Thank you! Ken Hamer Hodges can be contacted at

Download ppt "Information Security & Data Protection Object Lessons from PP250 A Fault-tolerant Multi-processor Kenneth Hamer-Hodges."

Similar presentations

Ads by Google