2009-07-08

the intel`Ada.chip was also cap'based!

. when I was learning assembly programming in the 80's,
the textbook's author spoke of this fantastic new intel chip:
the iAPX 432, having an instruction set that was so high-level
it mirrored the semantics of the Ada programming language .
. after hearing that it also included cap'based security
I did another search for more news about it .
. specifically, it features capability-based addressing,
where pointers are replaced by protected objects (called capabilities)
that can only be created through privileged instructions
which may only be executed by the kernel
(or some other privileged process authorized to do so) .
This effectively allows the kernel to control which processes
may access which objects in memory
without the need for separate address spaces,
thereby avoiding a lot of context switching
and allowing an efficient implementation of capability-based security .


6.21:
Object-oriented memory and capabilities

The iAPX 432 has hardware and microcode support for
OOP and capability-based addressing
. all pointers are (segment, offset) pairs;
segments are referenced by Access Descriptors (ADs),
each of which provides
an index into the system object table
and a set of rights governing access to that segment
(the AD as a whole is the capability) .
The hardware and microcode rigidly enforce
the distinction between data segments and access segments:
a data segment holds only data, an access segment holds only ADs,
so ordinary data writes can never manufacture an AD .

Each system object has a type field which is checked by microcode,
so that, for example, a Port Object cannot be used where a Carrier Object is needed .
User programs can define new object types that get the full benefit of
the hardware type checking, through the use of Type Control Objects (TCOs) .

In Release 1 of the iAPX 432 architecture,
a system-defined object typically consisted of
an access segment
and optionally (depending on the object type)
a data segment, referenced by an access descriptor
at a fixed offset within the access segment .
By Release 3 of the architecture, in order to improve performance,
access segments and data segments were combined into
single segments of up to 128 KiB,
split into an access part and a data part of 0–64 KiB each
. this reduced the number of object table lookups dramatically
(reaching an object's data no longer requires first loading the AD for its data segment)
and doubled the maximum virtual address space .
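. a toy model of the mechanism just described, added here as an example (not 432 code, and not from any of the sources listed on this page): an object table, ADs that carry (index, rights), the rights and type checks that microcode would perform on every use of an AD, and the split between a data part that holds only bytes and an access part that holds only ADs . all names, the two-right set and the forgery check (a set of table-minted ADs standing in for the hardware's guarantee) are assumptions of the example, not 432 details .

```python
# Toy model of iAPX 432-style capability addressing (added example, not 432
# code). Assumed: the Rights set, all names, and the forgery check (a set of
# table-minted ADs) that stands in for what the real hardware guaranteed.
from collections import namedtuple
from dataclasses import dataclass
from enum import Flag, auto

class Rights(Flag):
    READ = auto()
    WRITE = auto()

class CapabilityFault(Exception):
    """Where 432 microcode would fault: rights, type, forgery or bounds."""

@dataclass(frozen=True, eq=False)   # identity-hashed: the AD object is the capability
class AccessDescriptor:
    index: int       # index into the system object table
    rights: Rights   # rights this AD grants on that object

# obj_type: "data", "access", a system type, or a TCO-defined type;
# data: the data part (bytes); access: the access part (slots holding only ADs)
Segment = namedtuple("Segment", "obj_type data access")

class ObjectTable:
    """System object table plus the privileged operations that mint ADs."""
    def __init__(self):
        self._segments = []
        self._minted = set()   # every AD created here; any other AD object is a forgery

    # privileged (kernel-only) operations
    def create(self, obj_type, data_size=0, access_slots=0):
        if data_size > 65536 or access_slots * 4 > 65536:
            raise CapabilityFault("each part is limited to 64 KiB")
        self._segments.append(Segment(obj_type, bytearray(data_size), [None] * access_slots))
        return self._mint(len(self._segments) - 1, Rights.READ | Rights.WRITE)

    def restrict(self, ad, rights):
        """Derive a weaker AD for the same object; rights can be dropped, never added."""
        self._check_genuine(ad)
        if rights & ~ad.rights:
            raise CapabilityFault("rights amplification")
        return self._mint(ad.index, rights)

    def _mint(self, index, rights):
        ad = AccessDescriptor(index, rights)
        self._minted.add(ad)
        return ad

    # checks the microcode performs on every use of an AD
    def _check_genuine(self, ad):
        if ad not in self._minted:
            raise CapabilityFault("forged access descriptor")

    def _resolve(self, ad, need, expected_type=None):
        self._check_genuine(ad)
        if (ad.rights & need) != need:
            raise CapabilityFault(f"AD lacks {need.name}")
        seg = self._segments[ad.index]
        if expected_type is not None and seg.obj_type != expected_type:
            raise CapabilityFault(f"{seg.obj_type} used where {expected_type} expected")
        return seg

    # data part: bytes only
    def read(self, ad, offset, length=1, expected_type=None):
        seg = self._resolve(ad, Rights.READ, expected_type)
        if offset + length > len(seg.data):
            raise CapabilityFault("data part bounds")
        return bytes(seg.data[offset:offset + length])

    def write(self, ad, offset, payload):
        seg = self._resolve(ad, Rights.WRITE)
        if offset + len(payload) > len(seg.data):
            raise CapabilityFault("data part bounds")
        seg.data[offset:offset + len(payload)] = payload

    # access part: ADs only, so no byte write can ever manufacture one
    def store_ad(self, holder, slot, ad):
        seg = self._resolve(holder, Rights.WRITE)
        self._check_genuine(ad)
        if slot >= len(seg.access):
            raise CapabilityFault("no such access slot")
        seg.access[slot] = ad

def demo():
    """Exercise each check; returns what every step produced or faulted on."""
    t = ObjectTable()
    port = t.create("port", data_size=16)
    carrier = t.create("carrier", access_slots=1)
    t.write(port, 0, b"hello")
    ro = t.restrict(port, Rights.READ)
    out = {"read_via_ro": t.read(ro, 0, 5)}
    for name, op in {
        "write_via_ro": lambda: t.write(ro, 0, b"x"),
        "amplify": lambda: t.restrict(ro, Rights.READ | Rights.WRITE),
        "forged": lambda: t.read(AccessDescriptor(port.index, Rights.READ), 0),
        "type_mismatch": lambda: t.read(port, 0, expected_type="carrier"),
        "ad_into_data_only": lambda: t.store_ad(port, 0, carrier),  # port has no access part
        "bytes_from_access_part": lambda: t.read(carrier, 0),       # carrier has no data part
    }.items():
        try:
            op()
            out[name] = "allowed"
        except CapabilityFault as e:
            out[name] = f"fault: {e}"
    return out
```

. demo() returns what each step produced or the fault it hit; the thing to notice is that user-level code never gets to build an AD out of bytes, and every route to more authority goes through create or restrict in the object table, which is exactly the property the hardware split between data and access parts buys .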

Fred J. Pollack, Kevin C. Kahn, Roy M. Wilkinson,
"The iMAX-432 Object Filing System,"
Proceedings of the Eighth Symposium on Operating System Principles,
14-16 December 1981, pp. 137-147


Levy, Henry M.,
Capability-Based Computer Systems, Digital Press, 1984
(chapter: Intel iAPX-432 Micromainframe / software /
Native, written in Ada: iMAX-432 Operating System)
-- thorough survey and description of early capability-based
and object-based hardware and software systems
(out-of-print book, now free to download)


scrambled for 8086 after the iAPX-432 lost it

. after the 432, the engineering team came up with
a new architecture (P7/Gemini)
that was still object-oriented, but with a RISC-like ISA
instead of the 432 "VCISC" [very large instruction set computing] .
The object-oriented features were implemented with a tag bit
(so in a sense it was a 33-bit processor)
and an on-chip microcode ROM .
They had 56-bit segments and 32-bit offsets .
. The goal was to have the software reliability features of the 432
but better performance than the 68000 .
. As they increased the speed,
the extra "object-oriented" microcode got in the way .
. the [legendary] 8086 was the 16-bit stopgap measure
that was hastily designed when the 8800 project (which became the 432)
was years behind schedule .

Elliott I. Organick, A Programmer's View of The Intel 432 System, 1983.

G. Cox et al.
Interprocess Communication and Processor Dispatching on The Intel 432,
ACM TOCS, Vol. 1, No. 1, Feb 1983, pp 45-66.