From 5876a9f012898f8b1e5e60f53fb8b026c8d351e9 Mon Sep 17 00:00:00 2001 From: Jeremie Koenig Date: Fri, 8 Apr 2011 15:51:55 +0200 Subject: gsoc2011 (java): split the appendix into another page --- user/jkoenig/gsoc2011_proposal.mdwn | 94 ++++--------------------------------- user/jkoenig/objcap.mdwn | 85 +++++++++++++++++++++++++++++++++ 2 files changed, 93 insertions(+), 86 deletions(-) create mode 100644 user/jkoenig/objcap.mdwn (limited to 'user/jkoenig') diff --git a/user/jkoenig/gsoc2011_proposal.mdwn b/user/jkoenig/gsoc2011_proposal.mdwn index 620ac95b..d53c094f 100644 --- a/user/jkoenig/gsoc2011_proposal.mdwn +++ b/user/jkoenig/gsoc2011_proposal.mdwn @@ -62,6 +62,14 @@ My knowledge of the Hurd and Debian GNU/Hurd is reasonable, as the Debian-Installer and procfs projects gave me the opportunity to fiddle with many parts of the system. +Initially, +I started working on this project because I wanted to use Joe-E +(a subset of Java) +to investigate the potential +[[applications of object-capability languages|objcap]] +in a Hurd context. +I also believe that imrpoving Java support on Hurd +would be an important milestone. ## Improve Java support @@ -495,89 +503,3 @@ The dates listed are deadlines for the associated tasks. ## Conclusion - - - -## Appendix: potential applications of object-capability languages - -The work discussed is this last part would have -fewer immediate benefits for the Hurd project -and has more of a research orientation. -It is also unlikely that there would be any time remaining -to work on it at the end of the summer. -(Though it could work as some kind of reward -if I somehow managed to do a prefect job of all the rest -within the allocated time :-) ). -As a consequence, -I don't really consider this a part of my application. - -This being said, -to some extent the project discussed here -will informed the way I design the Java bindings, -since it depends on them -and I intend to work on this at some point in the future. -I also believe it touches on some interesting ideas, -and a Summer of Code application is probably -as good an occasion as any to discuss them. - -### Justification - -The primary advantage of multi-server operating systems is the ability to -break what used to be the kernel into small pieces which can be isolated -from each others. This makes sense from an engineering perspective, as -smaller components can be swapped with different implementations and reduce -the impact of bugs. -A capability-based approach also ensures that the -authority wielded by components is clear and reduced to the minimum required -for them to function. -These properties are crucial to the Hurd's agenda of user freedom, -since in order to allow them to plug their own code into the system -[FIXME: développer] - -However, this flexibility has a cost. In a system where the isolation of -components relies on running them inside different address spaces, -communication between them must be done through IPC calls. -This introduces a trade-off between the size of the modules -and performance as well as practicality, -which imposes a limit to the granularity with which the system -can be decomposed and the principle of least authority applied -(to the code within a given process, a Mach port is ambient authority). - -Another issue is that of the threading structure of the system as a whole. -In systems based on a monolithic kernel, user threads execute the kernel -code themselves, which is then intrinsically concurrent. By contrast, in a -system based on a “client-server” paradigm, each server must be explicitly -multi-threaded if it is to serve requests concurrently. - -### Object-capability languages - -An object-capability language is an object-oriented language which is -restricted enough so that object references are themselves capabilities. - -One such language is Joe-E (FIXME: lien), -which is an object-capability subset of Java: -global state and static methods are mostly forbidden; -careful white-listing of the objects and methods -provided by the Java standard library -ensures that compliant code cannot not access ambient autority. -Ways in which object references can be transferred -are restricted to the most obvious ones -(for instance, exceptions are carefully restricted). - -As a result, untrusted Joe-E code can be executed without any further -isolation and its autority can be controlled by carefully limiting the -object references which are passed to it. -This would allow to load and execute translators written in Joe-E -in a single address space. - -### Bundling translators into a single process - -[mechanisme pour transmettre le code Joe-E -et les port initiaux au serveur] -[émulation des différentes tâches] - -### Challenges and further work - -[proof-carrying code / typed assembly, -resource accounting (passer en revue la conception de Viengoos?)] - diff --git a/user/jkoenig/objcap.mdwn b/user/jkoenig/objcap.mdwn new file mode 100644 index 00000000..e4cd20e8 --- /dev/null +++ b/user/jkoenig/objcap.mdwn @@ -0,0 +1,85 @@ + +# Potential applications of object-capability languages + +The work discussed is this last part would have +fewer immediate benefits for the Hurd project +and has more of a research orientation. +It is also unlikely that there would be any time remaining +to work on it at the end of the summer. +(Though it could work as some kind of reward +if I somehow managed to do a prefect job of all the rest +within the allocated time :-) ). +As a consequence, +I don't really consider this a part of my application. + +This being said, +to some extent the project discussed here +will informed the way I design the Java bindings, +since it depends on them +and I intend to work on this at some point in the future. +I also believe it touches on some interesting ideas, +and a Summer of Code application is probably +as good an occasion as any to discuss them. + +### Justification + +The primary advantage of multi-server operating systems is the ability to +break what used to be the kernel into small pieces which can be isolated +from each others. This makes sense from an engineering perspective, as +smaller components can be swapped with different implementations and reduce +the impact of bugs. +A capability-based approach also ensures that the +authority wielded by components is clear and reduced to the minimum required +for them to function. +These properties are crucial to the Hurd's agenda of user freedom, +since in order to allow them to plug their own code into the system +[FIXME: développer] + +However, this flexibility has a cost. In a system where the isolation of +components relies on running them inside different address spaces, +communication between them must be done through IPC calls. +This introduces a trade-off between the size of the modules +and performance as well as practicality, +which imposes a limit to the granularity with which the system +can be decomposed and the principle of least authority applied +(to the code within a given process, a Mach port is ambient authority). + +Another issue is that of the threading structure of the system as a whole. +In systems based on a monolithic kernel, user threads execute the kernel +code themselves, which is then intrinsically concurrent. By contrast, in a +system based on a “client-server” paradigm, each server must be explicitly +multi-threaded if it is to serve requests concurrently. + +### Object-capability languages + +An object-capability language is an object-oriented language which is +restricted enough so that object references are themselves capabilities. + +One such language is Joe-E (FIXME: lien), +which is an object-capability subset of Java: +global state and static methods are mostly forbidden; +careful white-listing of the objects and methods +provided by the Java standard library +ensures that compliant code cannot not access ambient autority. +Ways in which object references can be transferred +are restricted to the most obvious ones +(for instance, exceptions are carefully restricted). + +As a result, untrusted Joe-E code can be executed without any further +isolation and its autority can be controlled by carefully limiting the +object references which are passed to it. +This would allow to load and execute translators written in Joe-E +in a single address space. + +### Bundling translators into a single process + +[mechanisme pour transmettre le code Joe-E +et les port initiaux au serveur] +[émulation des différentes tâches] + +### Challenges and further work + +[proof-carrying code / typed assembly, +resource accounting (passer en revue la conception de Viengoos?)] + + -- cgit v1.2.3