Protection
All security features on the Mill revolve around permissions on address space. There are no privileged instructions or protection rings. All processes are equal in the sense that they can share the permission they have, but only those they have, with whoever they choose, to the degree they choose.
Using the Mill security primitives in practice is not any different from calling normal a normal function in most cases, and also not much more expensive.
Contents
Regions and Turfs
Well Known Regions
Portals
Protecting Control Stacks
Services
Interrupts
Implementation
Granting and Revoking
Stacklets
Rationale
On conventional architectures context switches are incredibly expensive. They can run into hundreds of cycles just to change the processor core state. And on top of that comes the cache threashing and all the memory accesses to switch the working data sets. Context switches used to be used to hide memory latencies on single core machines. But over time, with improved caching and reduced memory latencies, exploding internal processor state and increasing core counts context switches increasingly become the main cause of memory stalls on conventional architectures.
As a result operating system architectures increasingly revolve around avoiding context switches, even in places where they would actually be needed from a security and stability standpoint. As a result it is still common for buggy device drivers to take down whole systems. And where the security features are absulutely unavoidable systems often spend a third and more of their cycles on context switches and related management like TLB and cache shuffling.[1]
To avoid all this, the goal should be to just pass the needed parameters back and forth between the protection domains with mutually protected code, but don't switch out all the surrounding context with it each time. This is of course an ideal and not fully attainable. But the closer you get to this ideal, the cheaper and cleaner the protection primitives become. And this is what drove the design.
All the context that needs to be switched to safely cross a protection barrier can be contained in one cache line. And in this clean and simple and cheap definition and execution of a security domain switch lies the basis of a flexible and reliable and efficient security framework. You define the gateways between the protection areas yourself and contain those definitions in small protected packages.
The protection domains, the regions and turfs, can be counted in the thousands or tens of thousands on a system. This is relative coarsely grained security. Having true capabilites, and protecting on the level of single objects and functions would be even better and cheaper from the security perspective, with even less or no context to switch and so forth. But implementing this requires non-commodity memory, and it also conflicts with the memory model of the most common languages like C, as they are used.
Media
Presentation on Security Features by Ivan Godard - Slides
