The following document is copyright of Key Logic. Here is a PostScript version. If you would like further information about these documents, please contact Agorics, Inc. at (415)941-8224.
300 Third Street
Los Altos, CA 94022
Fourth Edition (April 1988)
5200 Great America Parkway
Santa Clara, CA 95054-1108
Copyright © 1985, 1986, 1988 Key Logic. All rights reserved.
KeyKOS(tm) is a trademark of Key Logic.
IBM(tm), IBM System/360 Operating System(tm), and OS/360(tm) are trademarks of
International Business Machines Corporation.
This glossary defines some of the most common terms used in the KeyKOS operating
system and development environments. General data processing terms are not defined,
except for a few cases pertaining to KeyKOS design.
This publication is intended to introduce the reader to terms used throughout the KeyKOS
system and Key Logic documents.
Publications specific to KeyKOS which provide a background understanding appropriate to
reading this document include the Key Logic publications Introduction to KeyKOS
Concepts (KL004) and KeyKOS Architecture (KL028).
If you would like further information about Key Logic or its products, please feel free to
contact your local Key Logic representative or contact us directly at (408) 496-1090.
- Address segment
- The virtual address space of a domain, used for code and data.
- Atomic object
- The most basic objects implemented by the kernel: pages, nodes, and wait
objects. Atomic objects are used to construct other objects, including fundamental
objects. An atomic object is just like any other object in that it may be invoked by a
domain holding a key to it. See also "Fundamental object" and "Primary object".
- One of the three possible states of a domain, specifically the state in which
domain code can be activated by a start key. See also "Domain states".
- An identifier, unique to each domain creator, with which it marks the
domains it creates. The domain creator can use the brand to verify that the object is
a domain and that it created that domain.
- Builder's key
- A key designating a factory which conveys the authority to modify the
- The state of a domain that is not available, but is either running or waiting.
See also "Domain states".
- A type of invocation where the calling domain enters the waiting state, and
the kernel generates a resume key designating the caller and places this key in the
fourth key position of the message for the called object. Compare to return and to
- Synonymous with key. "Key" is preferred in Key Logic documentation.
- A computer system which exclusively employs capabilities (keys) to
authorize access to entities (objects) within the system.
- A consistent snapshot of a system state (the state of all pages and nodes, and
therefore of data and keys) from which a restart can occur. Checkpoints are
insurance in case of system (hardware or software) failure. See "Journaling" and
"Persistent virtual memory".
- Two objects are in a co-routine relationship when each calls the other in
succession. See "Extended invocation" for an example of a co-routine relationship.
- Data key
- A key which contains a non-negative integer value; does not actually
designate an object, but may be thought of as designating an immutable number
- Data key zero
- Synonymous with Zero data key. A data key with value zero.
- Device key
- A key that conveys authority to access an Input/Output device (e.g., terminal,
- An abbreviation or symbol for a zero data key.
- An abbreviation or symbol for a Data key designating value n.
- A domain is a fundamental object which executes some code (program) and
contains some data and some keys the program can reference. Domains are durable;
they remain in existence until explicitly destroyed. A programmer can construct an
object from one or more domains. A domain can be thought of as a stylized virtual
machine having its own memory and registers and exerting authority over various
- In KeyKOS for the S/370, a domain consists of three nodes: a root node, a
registers node, and a keys node.
- Domain code
- The code resident on the pages of a domain's address segment; the code
which the domain executes. Execution of domain code is started by a gate key.
- Domain creator
- A domain which produces domains. The domains produced have no address
segment or resources installed.
- Domain keeper
- A domain which is implicitly invoked by the kernel when an exceptional
event (a trap or fault) occurs in a domain; different domains may have different
keepers. Exceptional events in code execution include illegal instructions, overflow,
underflow, divide check and privileged instructions. An exceptional event
pertaining to space is when no segment keeper exists at the time of a memory fault.
- Domain keeper key
- A key within a domain which is implicitly invoked by the kernel when an
exceptional event (trap or fault) occurs. See "Domain keeper".
- Domain key
- A key that designates the root node of a domain and gives the holder the
authority to manipulate some contents of that node. The domain key is a primary
- Domain states
- A domain may be in the running, waiting, or available state. When not in the
available state, it is busy.
- Explicit invocation
- An invocation performed within the domain by domain code; (implicit
invocations are performed by the kernel).
- Extended invocation
- A form of invocation used to pass information (keys or data) longer than one
message can hold. The invoking object and the invoked object enter into a co-routine relationship until the full information has been transmitted.
- Factories are the standard mechanism by which domains are initiated. They
are also a patented facility used to implement access control policies within
KeyKOS. Factories produce sealed domains that have algorithms, address
segments, and specific keys already installed. The security facility supported for
factory-built domains allows communication channels (keys) of an object to be
compared against reference sets to insure that no additional channels have been
added. (These channels are also called holes.)
The use of factories solves the problem of mutually suspicious users. See also
"Builder's key" and "Requestor's key".
- Fault key
- A resume key produced during an implicit invocation of a segment keeper. A
fault key may be used to restart the domain it designates, or to trap it (by offering a
non-zero parameter word), but not to pass any other parameters.
- Fetch key
- A read-only key to a node which conveys authority to fetch a key from any
slot in that node. A key that is fetched retains all its authority. Compare to the action
of a sense key and sensory version of a key.
- A type of invocation wherein the invoking domain sends a message and
remains in the running state. Compare to call and return.
- Fundamental object
- The kernel implements these fundamental objects: domains, segments, and
meters. Domains provide processing resources, segments provide memory
resources, and meters provide CPU time resources. A key to a fundamental object
is a primary key. Each fundamental object has a keeper which is invoked to handle
Outside the kernel, other objects are built using these objects. See "Objects" and
- Gate key
- A key which designates a domain and restricts the holder to invoking the
domain and sending a message to be interpreted by the domain code of the domain.
Gate keys are either start keys or resume keys. All keys are either gate keys or
- High ordinal
- A range of values from 65,536 through 2^31-1. The term refers to a
distinction made when adapting a program to run under an OS/360 environment in
KeyKOS. A high ordinal value is used to determine which prologue and epilogue to
use with the program to be adapted. High ordinal domains typically invoke
KeyKOS capabilities explicitly, and do not require a terminal. Compare to Low
ordinal. See "OS/360 environment".
- A hole is a communications channel (key) through which data can flow out of
a domain; a key that is not sensory and not a factory requestor key. See "Mutually
- The keys in a domain's keys node are the keys the domain is said to hold.
Held keys are directly referenceable by domain code.
- Implicit invocation
- Implicit invocations are performed by the kernel on keeper keys when faults
or traps occur. They mimic call invocations.
- Instance, Instantiation
- The act of creating one or more objects that are all isolated and separate from
one another, but all obey the same algorithm. The term "object instance" refers to
one of these objects.
- The basic operation performed on keys, explicitly when a domain program
executes one of the three KeyKOS-implemented instructions (call, fork, and
return), and implicitly (invocation by the kernel) when certain exceptional events
- Journal, Journaling
- An optional extension to supplement the checkpointing facility. Transactions
after a checkpoint can be journaled (saved), and if a restart from that checkpoint is
required the journaled transactions are automatically rerun to update the system state
as close as possible to the moment of failure.
- A keeper is a domain that serves as a guardian of resources (code, space, and
time). A keeper serves as an exception handler for domains, segments, and meters.
The appropriate keeper is invoked by the kernel when traps or faults occur. See
- Keeper key
- The key to a keeper found inside a fundamental object and implicitly invoked
by the kernel upon an exceptional occurence. They are the meter keeper key, the
domain keeper key, and the segment keeper key.
- When used alone or as "KeyKOS Kernel" (as opposed to "security kernel"),
refers to the privileged-mode code of the KeyKOS operating system. The kernel
does not provide all of the function conventionally associated with an operating
system, rather, it provides a set of tools which allow the majority of such function
to be implemented by problem-mode (unprivileged) programs in
domains. Specifically, the kernel provides the following:
- Primary objects.
- Multiprogramming support, primitive scheduling and hooks for more
sophisticated schedulers running in domains.
- Single-level store.
- Virtual Memories for domains based upon the address
segment using the Dynamic Address Translation hardware.
- Redundant disk storage for selected information (to provide reliability and
improve read performance).
- A system-wide checkpoint-restart feature.
- Special pages exempt from checkpoint.
- Gate keys by which messages are sent between domains.
- Restricted access to individual I/O devices.
- An invariant interpretation of keys (independent of the location of the
designated objects - whether on disk or in main storage). One of the single-level store facilities.
- A key designates an object and specifies access rights to that object.
Invocation is the basic operation performed on keys. A key granting a particular
form of access is the same for any user. A key is uncounterfeitable and inscrutable;
there is no way to tell by examination of a key what authority it has or how its
capabilites are implemented. All keys are either gate keys or primary keys.
Keys can be invoked explictly or implicitly, or they can be passed in a message.
- The System/370 implementation of Key Logic's proprietary operating system
utilizing the KeyTECH base.
- Keys node
- One of the three nodes which implement a domain (in KeyKOS for the
S/370), specifically the node that contains keys held by the domain code.
- The Key Logic proprietary operating systems platform designed to run on a
wide range of hardware. The KeyTECH system is object-based, uses keys to
invoke the capabilities of these objects, has a kernelized operating system (see
kernel), and uses a single-level store.
- The KeyTXF transaction processing subsystem, developed by Key Logic, is
a proprietary program product that runs on the KeyKOS system. The KeyTXF
system provides transaction handling, database maintenance services and system
monitoring, and supports user-written application programs.
- Low ordinal
- A range of values from 0 through 32,767. The term refers to a distinction
made when adapting source to run under an OS/360 environment in KeyKOS. A
low ordinal value is used to determine which prologue and epilogue to use with the
program to be adapted. Low ordinal domains typically do not invoke KeyKOS
capabilities explicity, and always require a terminal. Compare to High ordinal. See
- Memory key
- A page or segmode key.
- Information passed during invocation; contains a parameter word, four keys,
and an optional string of data up to 4096 bytes. When more information must be
transferred, extended invocation is commonly used.
- A fundamental object which measures and limits resources, currently only
CPU time. A domain with a valid meter can consume the metered resources as long
as the meter has positive values. A meter key conveys no authority to alter the meter
other than decrementing the value of the resource. Meters are arranged
hierarchically and decrement in lock-step.
- Meter keeper
- A domain designated by a meter keeper key, implicity invoked when an
exception occurs (the meter counter goes to zero).
- Meter keeper key
- The key found inside a meter and implicitly invoked by the kernel when the
meter counter goes to zero.
- Meter key
- A key to a meter which, when installed as the meter key of a domain,
conveys rights to use the resources represented by the meter.
- Mutually suspicious users
- A classic problem in data processing which is solved by the KeyKOS
factory.The problem involves two users who need each other's services but cannot
trust each other; for example, a user who has a proprietary algorithm and another
user who has proprietary data. The algorithm owner would like to run his algorithm
against the data, but is afraid that the data owner could steel the algorithm or get
some information based on the inquiries the algorithm makes against the data. The
data owner is afraid that the algorithm owner might steal the data or the result, or
corrupt the data. Traditionally, these users could never do business together without
sacrificing one or more of their security requirements. The factory allows them to
get together without any sacrifice whatsoever.
- An atomic object, which consists of 16 slots. Keys reside only in slots (one
key to each slot). A newly-created node holds 16 zero data keys. Nodes exist in
large numbers. See also "Super node".
- Node key
- A key to a node, with read/write authority. This is the most "powerful" key
one can hold to a node. Compare with fetch key and sense key.
- Null key
- A zero data key.
- An object is a combination of data and algorithm into a fully independent and
self-contained component capable of carrying out a well defined set of functions.
These functions can only be executed via key invocation. Objects may be
constructed from other objects. See "Instantiation", "Primary object", "Atomic
object", "Fundamental object", and "Invocation".
- A computer system which primarily employs objects to implement the
- A system which supports and uses objects as the primary programming
- Order code
- The part of a message used to request a particular function or action from the
- A 32-bit integer, ranging in value from 0 through 2^31-1. Low ordinal and
high ordinal values are used in adapting source programs to run under an OS/360
environment in KeyKOS on System/370 hardware.
- OS environment, OS/360 environment
- The KeyKOS system for the S/370 also provides support facilities for
running programs developed to run under the IBM System/360 Operating System
(OS/360). Programs running under these KeyKOS support facilities are said to be
in an OS/360 environment, or OS environment for short. See "Ordinal".
- An atomic object which consists of 4096 bytes, the working unit of data
storage. Pages are available in large numbers. Since KeyKOS implements a single
level store, all data (including code) exist on pages.
- Page key
- A key which designates a page. The page key may convey read-only or
read/write authority over the page.
- Parameter word
- The part of a message which is used as an order code to request a particular
function or action from the invoked object, or as a return code to return information
about the result of an invocation. On KeyKOS for the S/370, this is a 32 bit field.
- Persistent virtual memory
- Virtual memories are persistent in KeyKOS; they exist until explicitly
destroyed. This is accomplished by the combination of the single level store and
checkpoint/restart features of KeyKOS.
- Primary key
- A primary key designate an object that is implemented within the kernel. See
- Primary object
- An object implemented by code within the kernel rather than domain code. A
primary object is invoked via a primary key.
- Principle of least privilege
- One of the fundamental design principles of KeyKOS, which states that keys
given to objects shall convey no more authority (privileges) than required by the
object to perform its task.
- Record collection
- An object which serves the same function as a file or directory in a
conventional system. Record collections can be used to implement the behavior of
IBM access methods. Record collections associate a name (index), a string, and a
key (capability) into a record.
- Registers node
- A node containing the contents of general purpose and floating point
registers; one of the three principle nodes making up a domain in KeyKOS for the
- Requestor's key
- A key to a factory which conveys minimal authority. A requestor's key may
be used to certify the discretion of a factory, and may be invoked to initiate a
- The act of restoring system operation after an outage, such as a power
failure. Restarts occur from the most recent checkpoint. See "Persistent virtual
- Restart key
- A resume key produced during an implicit invocation of a meter keeper or
domain keeper. A restart key may be used to invoke the domain it designates, but
no parameters may be passed.
- Resume key
- A resume key to a domain can resume domain code execution of a domain
when it is in the waiting state. There are three types of resume keys: return, fault,
and restart. Resume keys are created by the kernel and are always stored in the
fourth key position of a message. All resume keys to a given domain become empty
(contain zero data keys) once any copy of that resume key is invoked.
- A type of invocation where the invoking domain sends a message and
becomes available. Compare to Fork and Call.
- Return code
- The part of a message used to return information about the result of an
invocation. See "Parameter word".
- Return key
- A resume key implicitly generated when one domain invokes another with a
call invocation. The return key designates a domain in the waiting state. A return
key may be used to send a message and resume domain code execution in the
- Rights amplification
- Rights amplification involves creating a new key with increased authority
over an object. Rights amplification can only be done if the algorithm within the
invoked object supports that function. Rights amplification always involves at least
two keys: the key being invoked and another key passed in the message which is
used by the invoked object to verify that the invoker has the authority to amplify
rights. By design, rights amplification always involves returning a new key (with
amplified rights) to someone who, by virtue of the keys used to amplify rights,
could have had the amplified key originally.
- Rights attenuation
- Rights attentuation involves creating a new key with decreased authority over
an object. Rights attenuation can only be done if the algorithm within the invoked
object supports that function. Rights attenuation is done by invoking a key with a
particular order code that is interpreted as a request to create and return a new key
with specific rights removed.
- Rights diminution
- Same as Rights attenuation.
- Root node
- One of the three principle nodes making up a domain (in KeyKOS for the
S/370); specifically, the node which contains such keys as the address segment key
and meter key. See "Domain key".
- The domain state during which the domain code executes. One of two busy
domain states. See "Domain states".
- A fundamental object constructed from pages and nodes, and used to define
space resources. The minimum segment is a single page. The term is used
recursively, and a segment can be made up of segments. A segment defines a
virtual address space or portion thereof.
- Segment keeper
- An object designated by a segment keeper key, which handles exceptional
occurences such as an invalid address or a write protection violation.
- Segment keeper key
- A key found inside of a segment, which is invoked implicitly (by the kernel)
when a memory fault occurs, such as an invalid address or a write protection
- Segment key
- A key which designates a segment. The holder of a segment key has no
authority to view or modify the actual construction of the segment. A segment key
only grants authority to read and perhaps write the data stored on the segment.
- Segmode key
- A segmode key is a segment, node, fetch, or sense key residing in a node
that has been authorized by the kernel to be part of a segment. A segmode key is a
- Sense key
- A sense key is the sensory version of a node key, fetch key, or sense key. A
sense key grants authority to fetch the sensory version of a key from any slot in a
designated node. Compare to Fetch key.
- Sensory version
- The sensory version of a key allows only one-way communication in the
direction of the holder of the sensory key. It is not possible to send information out
via a sensory key. Different keys have different sensory versions. For example, the
sensory version of a read-write page key is a read-only page key to the same page.
- Single level store
- The KeyKOS system implements a single level store that combines main
memory and disk memory into one large, flat, and persistent storage space. With a
single level store there are no files in the sense of having to be aware of the
distinction between permanent storage (such as disks) and main memory. All that is
perceived are arrays of bytes in main memory. There are however objects that
provide the functionality of files. See "Record collection".
- One of the 16 key storage locations within a node. Keys exist only in slots.
All slots contain keys, which may be null (zero data) keys.
- Space bank
- An object which is the source of space resources (pages and nodes). All
space management in KeyKOS is done via space banks.
- A stalled domain is running, but cannot presently continue to execute its
domain code. When a running domain invokes a key to a busy domain, the running
domain becomes stalled until the busy domain becomes available.
- Start key
- A type of gate key used to invoke an available domain. A start key starts
execution of the domain code designated by the start key.
- Super node
- A simulated node with a large number of slots for keys; the limit is 2^32 slots.
- Wait object
- A wait object is an atomic object. The kernel contains a small number of wait
objects, which are the mechanism provided to allow domains to delay.
- The domain state resulting from a call. When a domain issues a call, it
remains in the wait state, not executing any code, until the resume key to it is
invoked. One of two busy domain states.
- Zero data key
- A data key designating a zero value; by convention, used as a null key. One
such use is when an object is destroyed; at that time all keys to that object become
zero data keys.