Homework 12 Solutions

22C:116, Spring 1997

Ioana M. Lungeanu

        The protection bits for the 9 operations given can be
    assigned as follows:

        INFO - no need for protection since it has no effect
    upon the object inquired;

        GETPARAMS, STATUS - only one bit can be used for
    protection on both these operations; they return parameters
    or status information associated with the server and are
    usually used by the system administrator;

        SETPARAMS - may need a separate bit than the above two
    since it can modify the server's parameters and this needs
    to be restricted even if reading information is permitted;

        DESTROY, AGE - the former needs protection for obvious
    reasons; a malicious user repeatedly calling AGE on an object
    might be able to force it to grow old and die!  Since the risk
    is a risk of slow and unpredictable deletion, AGE and DELETE
    can share a right.

        RESTRICT - needs no protection, since the only thing
    restrict allows is for a user to obtain a capability that
    grants less access to an object than the user originally
    had, and a verbatim copy of a capability can be made with
    no rights at all, just by copying the bit pattern.

        COPY - note that this does not copy the capability, it
    makes a new copy of an object.   As such, it may need to be

        TOUCH - probably needs no protection, other than the
    standard server-side authentication check to see if the
    capability is indeed valid.  Most servers would probably
    touch objects when they perform any operation on them!


        The capabilities of Amoeba correspond to the links in
    DEMOS, and the ports of Amoeba are similar to the
    message-queues of DEMOS.
        The capabilities can be passed among processes as the
    links were in DEMOS. But ports are not bonded to a
    particular process; they are arbitrarily chosen by a
    process each time it needs to receive a message.


        A minimum of three messages must be exchanged by client
    and server, if the burden of detecting duplicates is left
    to the server side:
        - the request from the client;
        - the reply from the server;
        - the acknowledgment for the reply, from the client.
        A strategy with a fourth message can be used, making
    the server send an acknowledgment for the request, but this
    doesn't solve the problem since the acknowledgment can be
    lost. Protocols using sequence numbers for each message can
    be used.


        Messages are not queued in Amoeba. The put-ports are
    being queued in a table by the server. When the server
    performs a get-request it checks the table for the
    indicated port, and then data is copied from sender to


        The pseudo-codes for the three system calls are:

    get_request(&header, buffer, bytes) {
        if there is an unmatched get_request
            exit with error;
            receive(&header, buffer, bytes); /* blocking */
            extract information about request from header;
            call RPC procedure with this information;

    put_reply(&header, buffer, bytes) {
        if there is not the matching get_request
            exit with error;
            pack the reply from the RPC procedure;
            send(&header, buffer, bytes); /* blocking */

    trans(&header1, buffer1, bytes1, &header2, buffer2, bytes2) {
        send(&header1, buffer1, bytes1); /* send request */
        receive(&header2, buffer2, bytes2); /* wait for reply */


        The following operations can be implemented using a
    standard implementation:
        TOUCH, AGE - they simply reset or increment a counter
    representing the age or time since last use, which can be
    done in a uniform way for all the objects;
        GETPARAMS, SETPARAMS - they read or change a parameter
    block of information for the server, not for an object;
    while the format of this status block may depend on the
    server, the services for updating it need not depend on the
    server -- although a callback the server can use to add
    custom code when the parameters are changed would be useful.
        STATUS - could be implemented in a standard way,
    returning a copy of a status block to the user.
        RESTRICT - produces a new restricted capability, which
    consists of standard modifications to the access rights bits.
    All servers that use the standard server side authentication
    algorithm may use a standard implementation of this.

        The following operations need a implementation based on
    the object:
        COPY - it duplicates the object, not only returns a
    capability for the copy; as such, its implementation depends
    on the object implementation.
        DESTROY - reclaims the object's storage space;
        INFO - different kinds of information may be returned
    for different objects; if a string with a predetermined
    maximum size is used to store this information, this
    operation could be implemented in a standard way, but only
    for servers that use a standard object table format.