The following document is copyright of Key Logic. Here is a PostScript version. If you would like further information about these documents, please contact Agorics, Inc. at (415)941-8224.

Agorics, Inc.
300 Third Street
Los Altos, CA 94022
info@agorics.com

KL067-04

Fourth Edition (April 1988)

Key Logic
5200 Great America Parkway
Santa Clara, CA 95054-1108
(408) 496-1090

Copyright © 1985, 1986, 1988 Key Logic. All rights reserved.

KeyKOS(tm) is a trademark of Key Logic.

IBM(tm), IBM System/360 Operating System(tm), and OS/360(tm) are trademarks of International Business Machines Corporation.

Introduction

This glossary defines some of the most common terms used in the KeyKOS operating system and development environments. General data processing terms are not defined, except for a few cases pertaining to KeyKOS design.

This publication is intended to introduce the reader to terms used throughout the KeyKOS system and Key Logic documents.

Publications specific to KeyKOS which provide a background understanding appropriate to reading this document include the Key Logic publications Introduction to KeyKOS Concepts (KL004) and KeyKOS Architecture (KL028).

If you would like further information about Key Logic or its products, please feel free to contact your local Key Logic representative or contact us directly at (408) 496-1090.

Glossary

Address segment
The virtual address space of a domain, used for code and data.
Atomic object
The most basic objects implemented by the kernel: pages, nodes, and wait objects. Atomic objects are used to construct other objects, including fundamental objects. An atomic object is just like any other object in that it may be invoked by a domain holding a key to it. See also "Fundamental object" and "Primary object".
Available
One of the three possible states of a domain, specifically the state in which domain code can be activated by a start key. See also "Domain states".
Brand
An identifier, unique to each domain creator, with which it marks the domains it creates. The domain creator can use the brand to verify that the object is a domain and that it created that domain.
Builder's key
A key designating a factory which conveys the authority to modify the factory.
Busy
The state of a domain that is not available, but is either running or waiting. See also "Domain states".
Call
A type of invocation where the calling domain enters the waiting state, and the kernel generates a resume key designating the caller and places this key in the fourth key position of the message for the called object. Compare to return and to fork.
Capability
Synonymous with key. "Key" is preferred in Key Logic documentation.
Capability-based
A computer system which exclusively employs capabilities (keys) to authorize access to entities (objects) within the system.
Checkpoint
A consistent snapshot of a system state (the state of all pages and nodes, and therefore of data and keys) from which a restart can occur. Checkpoints are insurance in case of system (hardware or software) failure. See "Journaling" and "Persistent virtual memory".
Co-routine
Two objects are in a co-routine relationship when each calls the other in succession. See "Extended invocation" for an example of a co-routine relationship.
Data key
A key which contains a non-negative integer value; does not actually designate an object, but may be thought of as designating an immutable number object.
Data key zero
Synonymous with Zero data key. A data key with value zero.
Device key
A key that conveys authority to access an Input/Output device (e.g., terminal, printer, tape).
DK(0)
An abbreviation or symbol for a zero data key.
DK(n)
An abbreviation or symbol for a Data key designating value n.
Domain
A domain is a fundamental object which executes some code (program) and contains some data and some keys the program can reference. Domains are durable; they remain in existence until explicitly destroyed. A programmer can construct an object from one or more domains. A domain can be thought of as a stylized virtual machine having its own memory and registers and exerting authority over various resources.

In KeyKOS for the S/370, a domain consists of three nodes: a root node, a registers node, and a keys node.
Domain code
The code resident on the pages of a domain's address segment; the code which the domain executes. Execution of domain code is started by a gate key.
Domain creator
A domain which produces domains. The domains produced have no address segment or resources installed.
Domain keeper
A domain which is implicitly invoked by the kernel when an exceptional event (a trap or fault) occurs in a domain; different domains may have different keepers. Exceptional events in code execution include illegal instructions, overflow, underflow, divide check and privileged instructions. An exceptional event pertaining to space is when no segment keeper exists at the time of a memory fault.
Domain keeper key
A key within a domain which is implicitly invoked by the kernel when an exceptional event (trap or fault) occurs. See "Domain keeper".
Domain key
A key that designates the root node of a domain and gives the holder the authority to manipulate some contents of that node. The domain key is a primary key.
Domain states
A domain may be in the running, waiting, or available state. When not in the available state, it is busy.
Explicit invocation
An invocation performed within the domain by domain code; (implicit invocations are performed by the kernel).
Extended invocation
A form of invocation used to pass information (keys or data) longer than one message can hold. The invoking object and the invoked object enter into a co-routine relationship until the full information has been transmitted.
Factory
Factories are the standard mechanism by which domains are initiated. They are also a patented facility used to implement access control policies within KeyKOS. Factories produce sealed domains that have algorithms, address segments, and specific keys already installed. The security facility supported for factory-built domains allows communication channels (keys) of an object to be compared against reference sets to insure that no additional channels have been added. (These channels are also called holes.) The use of factories solves the problem of mutually suspicious users. See also "Builder's key" and "Requestor's key".
Fault key
A resume key produced during an implicit invocation of a segment keeper. A fault key may be used to restart the domain it designates, or to trap it (by offering a non-zero parameter word), but not to pass any other parameters.
Fetch key
A read-only key to a node which conveys authority to fetch a key from any slot in that node. A key that is fetched retains all its authority. Compare to the action of a sense key and sensory version of a key.
Fork
A type of invocation wherein the invoking domain sends a message and remains in the running state. Compare to call and return.
Fundamental object
The kernel implements these fundamental objects: domains, segments, and meters. Domains provide processing resources, segments provide memory resources, and meters provide CPU time resources. A key to a fundamental object is a primary key. Each fundamental object has a keeper which is invoked to handle exceptional conditions.

Outside the kernel, other objects are built using these objects. See "Objects" and "Atomic objects".

Gate key
A key which designates a domain and restricts the holder to invoking the domain and sending a message to be interpreted by the domain code of the domain. Gate keys are either start keys or resume keys. All keys are either gate keys or primary keys.
High ordinal
A range of values from 65,536 through 2^31-1. The term refers to a distinction made when adapting a program to run under an OS/360 environment in KeyKOS. A high ordinal value is used to determine which prologue and epilogue to use with the program to be adapted. High ordinal domains typically invoke KeyKOS capabilities explicitly, and do not require a terminal. Compare to Low ordinal. See "OS/360 environment".
Hole
A hole is a communications channel (key) through which data can flow out of a domain; a key that is not sensory and not a factory requestor key. See "Mutually suspicious users".
Hold
The keys in a domain's keys node are the keys the domain is said to hold. Held keys are directly referenceable by domain code.
Implicit invocation
Implicit invocations are performed by the kernel on keeper keys when faults or traps occur. They mimic call invocations.
Instance, Instantiation
The act of creating one or more objects that are all isolated and separate from one another, but all obey the same algorithm. The term "object instance" refers to one of these objects.
Invocation
The basic operation performed on keys, explicitly when a domain program executes one of the three KeyKOS-implemented instructions (call, fork, and return), and implicitly (invocation by the kernel) when certain exceptional events occur.
Journal, Journaling
An optional extension to supplement the checkpointing facility. Transactions after a checkpoint can be journaled (saved), and if a restart from that checkpoint is required the journaled transactions are automatically rerun to update the system state as close as possible to the moment of failure.
Keeper
A keeper is a domain that serves as a guardian of resources (code, space, and time). A keeper serves as an exception handler for domains, segments, and meters. The appropriate keeper is invoked by the kernel when traps or faults occur. See "Keeper key".
Keeper key
The key to a keeper found inside a fundamental object and implicitly invoked by the kernel upon an exceptional occurence. They are the meter keeper key, the domain keeper key, and the segment keeper key.
Kernel
When used alone or as "KeyKOS Kernel" (as opposed to "security kernel"), refers to the privileged-mode code of the KeyKOS operating system. The kernel does not provide all of the function conventionally associated with an operating system, rather, it provides a set of tools which allow the majority of such function to be implemented by problem-mode (unprivileged) programs in domains. Specifically, the kernel provides the following:
Key
A key designates an object and specifies access rights to that object. Invocation is the basic operation performed on keys. A key granting a particular form of access is the same for any user. A key is uncounterfeitable and inscrutable; there is no way to tell by examination of a key what authority it has or how its capabilites are implemented. All keys are either gate keys or primary keys.

Keys can be invoked explictly or implicitly, or they can be passed in a message.

KeyKOS
The System/370 implementation of Key Logic's proprietary operating system utilizing the KeyTECH base.
Keys node
One of the three nodes which implement a domain (in KeyKOS for the S/370), specifically the node that contains keys held by the domain code.
KeyTECH
The Key Logic proprietary operating systems platform designed to run on a wide range of hardware. The KeyTECH system is object-based, uses keys to invoke the capabilities of these objects, has a kernelized operating system (see kernel), and uses a single-level store.
KeyTXF(tm)
The KeyTXF transaction processing subsystem, developed by Key Logic, is a proprietary program product that runs on the KeyKOS system. The KeyTXF system provides transaction handling, database maintenance services and system monitoring, and supports user-written application programs.
Low ordinal
A range of values from 0 through 32,767. The term refers to a distinction made when adapting source to run under an OS/360 environment in KeyKOS. A low ordinal value is used to determine which prologue and epilogue to use with the program to be adapted. Low ordinal domains typically do not invoke KeyKOS capabilities explicity, and always require a terminal. Compare to High ordinal. See "OS/360 environment".
Memory key
A page or segmode key.
Message
Information passed during invocation; contains a parameter word, four keys, and an optional string of data up to 4096 bytes. When more information must be transferred, extended invocation is commonly used.
Meter
A fundamental object which measures and limits resources, currently only CPU time. A domain with a valid meter can consume the metered resources as long as the meter has positive values. A meter key conveys no authority to alter the meter other than decrementing the value of the resource. Meters are arranged hierarchically and decrement in lock-step.
Meter keeper
A domain designated by a meter keeper key, implicity invoked when an exception occurs (the meter counter goes to zero).
Meter keeper key
The key found inside a meter and implicitly invoked by the kernel when the meter counter goes to zero.
Meter key
A key to a meter which, when installed as the meter key of a domain, conveys rights to use the resources represented by the meter.
Mutually suspicious users
A classic problem in data processing which is solved by the KeyKOS factory.The problem involves two users who need each other's services but cannot trust each other; for example, a user who has a proprietary algorithm and another user who has proprietary data. The algorithm owner would like to run his algorithm against the data, but is afraid that the data owner could steel the algorithm or get some information based on the inquiries the algorithm makes against the data. The data owner is afraid that the algorithm owner might steal the data or the result, or corrupt the data. Traditionally, these users could never do business together without sacrificing one or more of their security requirements. The factory allows them to get together without any sacrifice whatsoever.
Node
An atomic object, which consists of 16 slots. Keys reside only in slots (one key to each slot). A newly-created node holds 16 zero data keys. Nodes exist in large numbers. See also "Super node".
Node key
A key to a node, with read/write authority. This is the most "powerful" key one can hold to a node. Compare with fetch key and sense key.
Null key
A zero data key.
Object
An object is a combination of data and algorithm into a fully independent and self-contained component capable of carrying out a well defined set of functions. These functions can only be executed via key invocation. Objects may be constructed from other objects. See "Instantiation", "Primary object", "Atomic object", "Fundamental object", and "Invocation".
Object-based
A computer system which primarily employs objects to implement the system.
Object-oriented
A system which supports and uses objects as the primary programming paradigm.
Order code
The part of a message used to request a particular function or action from the invoked object.
Ordinal
A 32-bit integer, ranging in value from 0 through 2^31-1. Low ordinal and high ordinal values are used in adapting source programs to run under an OS/360 environment in KeyKOS on System/370 hardware.
OS environment, OS/360 environment
The KeyKOS system for the S/370 also provides support facilities for running programs developed to run under the IBM System/360 Operating System (OS/360). Programs running under these KeyKOS support facilities are said to be in an OS/360 environment, or OS environment for short. See "Ordinal".
Page
An atomic object which consists of 4096 bytes, the working unit of data storage. Pages are available in large numbers. Since KeyKOS implements a single level store, all data (including code) exist on pages.
Page key
A key which designates a page. The page key may convey read-only or read/write authority over the page.
Parameter word
The part of a message which is used as an order code to request a particular function or action from the invoked object, or as a return code to return information about the result of an invocation. On KeyKOS for the S/370, this is a 32 bit field.
Persistent virtual memory
Virtual memories are persistent in KeyKOS; they exist until explicitly destroyed. This is accomplished by the combination of the single level store and checkpoint/restart features of KeyKOS.
Primary key
A primary key designate an object that is implemented within the kernel. See "Gate key".
Primary object
An object implemented by code within the kernel rather than domain code. A primary object is invoked via a primary key.
Principle of least privilege
One of the fundamental design principles of KeyKOS, which states that keys given to objects shall convey no more authority (privileges) than required by the object to perform its task.
Record collection
An object which serves the same function as a file or directory in a conventional system. Record collections can be used to implement the behavior of IBM access methods. Record collections associate a name (index), a string, and a key (capability) into a record.
Registers node
A node containing the contents of general purpose and floating point registers; one of the three principle nodes making up a domain in KeyKOS for the S/370.
Requestor's key
A key to a factory which conveys minimal authority. A requestor's key may be used to certify the discretion of a factory, and may be invoked to initiate a particular domain.
Restart
The act of restoring system operation after an outage, such as a power failure. Restarts occur from the most recent checkpoint. See "Persistent virtual memory."
Restart key
A resume key produced during an implicit invocation of a meter keeper or domain keeper. A restart key may be used to invoke the domain it designates, but no parameters may be passed.
Resume key
A resume key to a domain can resume domain code execution of a domain when it is in the waiting state. There are three types of resume keys: return, fault, and restart. Resume keys are created by the kernel and are always stored in the fourth key position of a message. All resume keys to a given domain become empty (contain zero data keys) once any copy of that resume key is invoked.
Return
A type of invocation where the invoking domain sends a message and becomes available. Compare to Fork and Call.
Return code
The part of a message used to return information about the result of an invocation. See "Parameter word".
Return key
A resume key implicitly generated when one domain invokes another with a call invocation. The return key designates a domain in the waiting state. A return key may be used to send a message and resume domain code execution in the waiting domain.
Rights amplification
Rights amplification involves creating a new key with increased authority over an object. Rights amplification can only be done if the algorithm within the invoked object supports that function. Rights amplification always involves at least two keys: the key being invoked and another key passed in the message which is used by the invoked object to verify that the invoker has the authority to amplify rights. By design, rights amplification always involves returning a new key (with amplified rights) to someone who, by virtue of the keys used to amplify rights, could have had the amplified key originally.
Rights attenuation
Rights attentuation involves creating a new key with decreased authority over an object. Rights attenuation can only be done if the algorithm within the invoked object supports that function. Rights attenuation is done by invoking a key with a particular order code that is interpreted as a request to create and return a new key with specific rights removed.
Rights diminution
Same as Rights attenuation.
Root node
One of the three principle nodes making up a domain (in KeyKOS for the S/370); specifically, the node which contains such keys as the address segment key and meter key. See "Domain key".
Running
The domain state during which the domain code executes. One of two busy domain states. See "Domain states".
Segment
A fundamental object constructed from pages and nodes, and used to define space resources. The minimum segment is a single page. The term is used recursively, and a segment can be made up of segments. A segment defines a virtual address space or portion thereof.
Segment keeper
An object designated by a segment keeper key, which handles exceptional occurences such as an invalid address or a write protection violation.
Segment keeper key
A key found inside of a segment, which is invoked implicitly (by the kernel) when a memory fault occurs, such as an invalid address or a write protection violation.
Segment key
A key which designates a segment. The holder of a segment key has no authority to view or modify the actual construction of the segment. A segment key only grants authority to read and perhaps write the data stored on the segment.
Segmode key
A segmode key is a segment, node, fetch, or sense key residing in a node that has been authorized by the kernel to be part of a segment. A segmode key is a memory key.
Sense key
A sense key is the sensory version of a node key, fetch key, or sense key. A sense key grants authority to fetch the sensory version of a key from any slot in a designated node. Compare to Fetch key.
Sensory version
The sensory version of a key allows only one-way communication in the direction of the holder of the sensory key. It is not possible to send information out via a sensory key. Different keys have different sensory versions. For example, the sensory version of a read-write page key is a read-only page key to the same page.
Single level store
The KeyKOS system implements a single level store that combines main memory and disk memory into one large, flat, and persistent storage space. With a single level store there are no files in the sense of having to be aware of the distinction between permanent storage (such as disks) and main memory. All that is perceived are arrays of bytes in main memory. There are however objects that provide the functionality of files. See "Record collection".
Slot
One of the 16 key storage locations within a node. Keys exist only in slots. All slots contain keys, which may be null (zero data) keys.
Space bank
An object which is the source of space resources (pages and nodes). All space management in KeyKOS is done via space banks.
Stalled
A stalled domain is running, but cannot presently continue to execute its domain code. When a running domain invokes a key to a busy domain, the running domain becomes stalled until the busy domain becomes available.
Start key
A type of gate key used to invoke an available domain. A start key starts execution of the domain code designated by the start key.
Super node
A simulated node with a large number of slots for keys; the limit is 2^32 slots.
Wait object
A wait object is an atomic object. The kernel contains a small number of wait objects, which are the mechanism provided to allow domains to delay.
Waiting
The domain state resulting from a call. When a domain issues a call, it remains in the wait state, not executing any code, until the resume key to it is invoked. One of two busy domain states.
Zero data key
A data key designating a zero value; by convention, used as a null key. One such use is when an object is destroyed; at that time all keys to that object become zero data keys.