news.addm/cap'based/minix vs Amoeba:
amoeba was started by the creator of minix
(minix features high security via a microkernel);
but, amoeba is languishing while minix thrives ?
. amoeba is a research project for a distributed os
(for doing supercomputing with networked computers)
while MINIX 3 is more important to the masses:
. well suited for Single-chip, small-RAM, low-power,
$100 laptops for Third-World children
and Embedded systems (e.g., cameras, DVD recorders, cell phones)
--. the lang that amoeba now supports is Orca,
. why is cap'based security not an advertized feature of minix?
. the author of minix, Tanenbaum, wrote in 1990
that the use of cap'based security
was one of the things that amoeba did right .
. however, if small mem'size is key,
then it becomes significant that cap'based security
can be implemented as an optional add-on
using a cap'based programming language .
. another priority that minix excels at is being unix:
amoeba's UNIX emulation will never provide 100% compatibility.For example, the whole concept of user-ids and group-idsis very hard to get right in a capability-based system.Our view of protection is totally different.Furthermore, Amoeba is essentially a stateless system.This means that various subtle properties of UNIXrelating to how files are shared between parent and childare virtually impossible to get right.In practice we can live with this,but for someone who demanded binary compatibility,our approach has some shortcomings.
. nevertheless, the cap'based OS has advantages,
. There are no other mechanisms adding complexityto the ideas or to the implementation .It is worthwhile to contrast this approachwith the ring-structured security model of the Intel 80x86 family .. The capability model is intrinsically more secure.A ring-structured security policy is not powerful enoughto allow a subsystem to depend on the services ofa subsystem with lesser access rights.Ring policies intrinsically violate the principle of least privilege.In addition, ring-based security mechanisms conveycategorical authority:any code running in a given layerhas access to all of the data in that layer.Capability systems allow authority to be minimized to just thatrequired to do the job at hand.Using a capability model offers significant simplifications in the nanokernel.Among the questions that the nanokernel does not have to answer are:* Does this user have the authority to perform this operation?(Yes - if you hold the key you can send the message.)