CHAPTER 0

INTRODUCTION

The hardware of a computer system must be capable of accessing and transforming the totality of information stored in all of the system's physical devices. This is the basic property which gives computers their enormous flexibility. However, this unbounded freedom has to be restrained if it is desired to support the sharing of the information by various users. The mechanisms that limit this freedom are known as protection mechanisms.

The original motivation of protection mechanisms was to defend the operating system from harmful interference by incorrect or malicious user programs. Privileged/user modes are sufficient to achieve this simple form of protection. The address space of a program executed in user mode is delimited by a register whose value can be modified only by programs operating in privileged mode. The register defines a division of the memory into two disjoint sections, only one of which can be accessed by the processor. A trivial extension to protect various users from interfering with one another is to use a pair (or set of pairs) of registers to define several disjoint sectors of memory.

Protection has been a major research topic during the past few years. One of the main reasons for this trend is that the utility of protection mechanisms is not confined to preventing users of a multiprogramming system from mutual interference. The increasing power of computer systems has brought about the possibility of supporting more stringent demands. A corresponding increase in the complexity of the operating systems needed to satisfy those demands has arisen, and our inability to cope with their construction has been pointed out [R072].

The enormous difficulty of constructing operating systems as monolithic collections of privileged program modules is now clear.
It is not difficult, at present, to identify the fundamental cause of the complications of such an approach: the complexity of analysing the interactions between modules grows disproportionately with the increase in the number of modules. The two principal disciplines which have been suggested to harness the complexity are the decomposition of the system into a sequence of layers [Di68b] and the formalisation of protection [De66, La69].

Hierarchical layering is based upon the assumption that the various system components do not violate the intentions of the design. In this case, protection mechanisms provide a continuous dynamic verification of the integrity of the implementation of the design. On the other hand, the proper use of adequate protection mechanisms leads naturally to the structuring of the system's resources and of the modules which manipulate those resources. These structures often result in a hierarchical layering. Nevertheless, one of the motivations for the design of flexible protection is to avoid the limitations imposed by the rigidity of layered designs [Wu74].

The main topic of the present work is the study of protection in operating systems. Specifically, we are concerned with capability based protection.

A crucial aspect of protection is the notion of the domain of a computation, also referred to as address space or protection regime. A domain is the entity which delimits the set of resources which a computation is capable of accessing. In a capability based protection system, briefly a capability system, a domain is characterised by the list of capabilities which are visible to a computation bound to the domain. A capability, in turn, provides the only means to name and locate, hence access, a particular resource. In addition, a capability contains a set of access rights which are used by the protection mechanism to exert a finer grain of control on every attempt to access an individual resource.
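As an added illustration, not part of the thesis, the following model shows a domain as a capability list, the validation of every operation against a capability's rights, and the regime switch that the call-domain instruction described below performs; the rights names and the 'enter' right on domains are assumptions.

```python
# Added illustration (not the thesis's own design): a minimal model of a capability
# system. The rights vocabulary and the 'enter' right for domains are assumptions.
from dataclasses import dataclass, field
READ, WRITE, ENTER = "read", "write", "enter"

@dataclass(frozen=True)
class Capability:
    object_id: str      # the only means to name and locate the object
    rights: frozenset   # access rights checked on every operation

@dataclass
class Domain:
    name: str   # a domain is itself an object, named by a capability
    c_list: list = field(default_factory=list)   # capabilities visible to a bound process

    def find(self, object_id):
        # An object with no capability in this list cannot even be named here.
        return next((c for c in self.c_list if c.object_id == object_id), None)

class Process:
    def __init__(self, domain):
        self.domain = domain   # the non-programmable register: set only by the mechanism

    def access(self, object_id, right):
        """Validate one operation on one object against the current domain."""
        cap = self.domain.find(object_id)
        if cap is None:
            return False, "no capability for %s in domain %s" % (object_id, self.domain.name)
        if right not in cap.rights:
            return False, "capability for %s lacks the %s right" % (object_id, right)
        return True, "ok"

    def call_domain(self, target):
        """Change regime: requires an ENTER capability for the target domain (itself an object)."""
        ok, why = self.access(target.name, ENTER)
        if ok:
            self.domain = target
        return ok, why

def demo():
    # Constructed scenario: the user domain may read a file but can reach the device
    # only by entering the 'printer' domain, which holds the write capability for it.
    printer = Domain("printer", [Capability("device", frozenset({WRITE}))])
    user = Domain("user", [Capability("file", frozenset({READ})),
                           Capability("printer", frozenset({ENTER}))])
    p = Process(user)
    before = [p.access("file", READ)[0], p.access("device", WRITE)[0]]   # [True, False]
    entered = p.call_domain(printer)[0]                                   # True
    after = [p.access("device", WRITE)[0], p.access("file", READ)[0]]    # [True, False]
    return before, entered, after
```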
In order to remove the intuitive association of the term resource with something physical, it is common practice to employ the word 'object' to refer to both physical and logical resources. In particular, a domain is a system object protected by a capability.

It is useful to make an analogy between capabilities and the descriptors constructed by a compiler while translating a source program. A compiler uses the descriptor of a declared variable, e.g. an integer or a procedure, in order to verify the correctness of the statements in the source program and also to generate code which respects the protection rules embedded in the semantics of the language. Similarly, a capability can be considered as a run-time descriptor employed by the protection mechanism to validate every operation on every object. Specifically, the capability for a domain is similar to the descriptor associated with a procedure or subroutine name. When a call-domain instruction is executed by a given process, the hardwired protection mechanism enforces system-wide scope and extent rules by setting the values of certain non-programmable registers. Thus, the protection regime of a process is changed by hardware as a result of the passage from one domain to another.

We have chosen to bias our study towards the support of freely available inter-process synchronisation mechanisms. We now proceed to explain the motives of our selection.

The design is intended for implementation in a multiprocessor system; more precisely, a computer comprising at least two, but hopefully more, general purpose processors. The various processors are not dedicated to specific functions; that is, there can be more than one active (running) user process at a certain point in time. Moreover, in general, the number of processes requiring the use of a processor is greater than the number of processors available. For simplicity, we assume that the various processors are identical.
The assumption permits us to ignore various complications of resource (processor) allocation. For example, if only one processor were equipped with floating point hardware it would be necessary to allocate that particular processor to certain processes. The allocation could take place dynamically, i.e. when one of the less powerful processors senses a floating point operation, or a priori. In any case, the scheduling algorithms would have to take these considerations into account.

The interrupt is one of the most significant inventions in computers, and the abstraction of the interrupt has been one of the major contributions to computing.

The interrupt was invented in order to resolve in an efficient manner the vast differences in speed of the various components of computer systems. However, this necessary invention introduced a high degree of complexity in the programs needed to administer computers.

The interrupt was abstracted with the introduction of the notion of sequential processes which co-operate in order to accomplish quasi-independent objectives [Di68]. The concept has proven to be an invaluable tool to ameliorate the complications arising from the need to buffer the effects of the different speeds of physical devices. Needless to say, the concept is present in every modern operating system.

The co-operation between pseudo-independent processes which proceed at different speeds demands that the processes be able to synchronise. Synchronisation mechanisms fulfil that demand. Synchronising mechanisms provide the basis for inter-process communication (IPC) mechanisms: the collection of facilities which enable processes to exchange information.

Obviously, IPC facilities are supported in every operating system. Nevertheless, the facilities are usually restricted to support the communications between system processes, and those of user processes with supervisor processes.
The communications between user processes are normally restricted to the interactions which can be achieved via input/output functions and the sharing of files.

From a strictly practical standpoint it is artificial to divide user programs into concurrent sub-processes. The division only introduces overheads, since the various sub-processes (tasks) have to be executed sequentially. This is one of the main reasons for the emphasis found in the user manuals of most multiprogramming systems to the effect that the existence of more than one process is transparent to the user. Dennis and Van Horn point out a counter-argument [De66]: the separation of a computation into concurrent tasks removes sequencing restrictions, and the increased flexibility can be exploited by the process scheduler to achieve a better throughput.

Despite the fact that a multiprogramming system exhibits many of the characteristics of a multiprocessor system, true concurrency introduces several complications. Firstly, the theoretical possibility of parallel processing becomes a question of practical importance; consequently, an increase in the demand for user-available synchronising mechanisms is to be expected. Secondly, the existence of more than one active (running) process implies the possibility of collisions in the execution of synchronising primitives. A synchronisation collision, or simply a collision, occurs when two or more processes attempt to execute simultaneously a synchronising operation on the same variable. From a microscopic standpoint, the mechanics of synchronising primitives enforce a strictly sequential execution by the contending processes. Furthermore, a possible consequence of executing a synchronising operation is the suspension of the executing process. Process suspension is not a time-less action; therefore, collisions imply processor idling time.
In summary, the efficiency of a multiprocessor system is more sensitive to the adequacy of inter-process synchronisation mechanisms than that of its uniprocessor counterpart.

There are mainly two ways to ameliorate the harmful side effect of collisions. The first is to design synchronising primitives whose execution speed makes the effect of collisions comparable, for example, to the effect of memory contention on processor utilisation. The second is to minimise the frequency of collisions so that the effect of relatively slow synchronising operations becomes innocuous.

The lower bound on the speed of synchronising operations is imposed by the timing characteristics of the underlying hardware and the need to interface with the process scheduler for the purpose of processor multiplexing. In practice, this lower bound is not negligible.

Several factors contribute to the frequency of collisions: a) the overall frequency of execution of synchronisation operations in the system; b) the distribution, in time, of the occurrence of synchronising primitives; and c) the degree of parallelism in the execution of logically unrelated synchronisations. The first factor depends on the behaviour of user programs; hence it cannot be controlled directly by the operating system. Point b) is a statistical function of the progress of the co-operating processes; it can be estimated, but not controlled, by the system. Finally, c) depends on the distribution, in space, of the synchronising primitives and the variables, e.g. semaphores or message buffers, on which they operate. For instance, the implementation of a central routine in charge of all communication activities and using a common data structure to allocate communication buffers increases the probability of collisions. In contrast, if every communication action takes place independently, collisions can take place only when the synchronisation activities are logically related.
Thus, inter-process communications tend to form clusters within which collisions are inevitable.

The frequency of collisions in a given cluster depends on the design of the co-operating processes involved. Parallelism can be effective only if the communicating processes are sufficiently independent; otherwise it is more economical to define sequential relationships. Clearly, the cost of entering a critical section must not exceed the cost of executing it. The measure of independence, in turn, depends on the speed of the synchronising mechanisms.

The most important issue of inter-process communications is the deadlock problem. In order to prevent deadlocks it is necessary to allow the usage of IPC mechanisms only in accordance with protocols which guarantee to prevent deadly embrace. If IPC facilities are to be available to user programs, then the IPC mechanisms must verify every request in order to determine whether the action can take place without danger of deadlock. The need to apply a deadlock prevention algorithm on every communication request is expensive. Moreover, the known algorithms for deadlock prevention impose stringent limitations on the flexibility of IPC facilities [Ho72]. Finally, the distribution of synchronising operations in space increases the complexity of the programs needed to set up the data structures required by the deadlock prevention algorithms. For example, the system has to decide which communications cluster is applicable to every new communication channel before allocating space for message buffers: an additional problem of resource allocation.

To allow the occurrence of deadly embrace situations, detect them when they take place and take corrective action increases the range of applications of synchronisation mechanisms. Firstly, synchronising primitives need not execute deadlock detection algorithms; hence they are faster.
Secondly, no limitations are imposed on the ways in which synchronising primitives and variables can be employed by programs. On the negative side, there is an inevitable waste of resources during the time between the occurrence of deadlock and its detection by the system. In addition, deadlock detection algorithms are costly. However, the frequency of execution of the system's deadlock detection process can be determined dynamically according to the behaviour of the system; an advantage over the need to check for deadlock at all times. It is interesting to note that Lynch reports a 10000-fold drop in the speed of execution of EXEC III as a consequence of ensuring the absence of deadlock [Ly72].

A necessary condition for deadlock detection (or prevention) is that the synchronisation data structures be well protected. Clearly, in a master/slave protection system this implies that all the communications activities be performed in master mode. With the definition of the protection regimes of processes it becomes simpler to provide users with useful synchronisation facilities. From the conceptual viewpoint, the operating system is relieved of many of the burdens arising from the continuous supervision of communications activities. From the practical viewpoint, the removal of operating system intervention increases the efficiency of synchronising operations.

Structure of the thesis:

In Chapter 1 we review synchronising primitives. A pair of machine instructions for implementing P and V operations on semaphores is proposed. The protection requirements for the support of freely available synchronising primitives are highlighted.

Chapter 2 is a survey of capability systems. Particular emphasis is placed on the passing of parameters between domains and the provision of type extension facilities.

A functional capability system is developed in Chapter 3. Protection regimes are characterised as typed objects.
The problem of preventing shared domains from distributing parameters to unauthorised processes is discussed in detail.

In Chapter 4 we present the characterisation of processes and we define processor multiplexing in terms of operations on processes. A highly concurrent scheduling algorithm is presented. Finally, we examine the interactions between the system's deadlock detector and the creation and distribution of semaphores.

An outline of the contents of each section is given in the introduction to every chapter.
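As an added illustration, not part of the thesis, the following code applies the detect-and-correct approach to deadly embrace argued for earlier in this chapter: it builds a wait-for graph from which processes hold and wait on which semaphores, finds a cycle, and aborts one process per cycle. It assumes binary semaphores used as locks; counting semaphores would need a richer model.

```python
# Added illustration (not the thesis's own algorithm): detect deadly embrace after the
# fact and take corrective action. Assumes binary semaphores used as locks, so each
# blocked process waits for exactly one holder; counting semaphores need a richer model.

def wait_for_graph(held, waiting):
    """held: semaphore -> holding process; waiting: process -> semaphore it blocks on.
    Returns the wait-for graph: blocked process -> process it waits for."""
    graph = {}
    for proc, sem in waiting.items():
        owner = held.get(sem)
        if owner is not None and owner != proc:
            graph[proc] = owner
    return graph

def find_cycle(graph):
    """Return the processes on one cycle of the wait-for graph, or [] if it is acyclic.
    Every node has at most one outgoing edge, so walking from a node either runs off
    the graph or closes a cycle."""
    for start in graph:
        path, node = [], start
        while node in graph and node not in path:
            path.append(node)
            node = graph[node]
        if node in path:
            return path[path.index(node):]
    return []

def break_deadlocks(held, waiting):
    """Corrective action: abort one process per cycle (the one holding the fewest
    semaphores, ties to the first found), release what it held, and repeat until
    no cycle remains. Returns the aborted processes in order. Inputs are not modified."""
    held, waiting = dict(held), dict(waiting)
    victims = []
    while True:
        cycle = find_cycle(wait_for_graph(held, waiting))
        if not cycle:
            return victims
        victim = min(cycle, key=lambda p: sum(1 for o in held.values() if o == p))
        victims.append(victim)
        waiting.pop(victim, None)
        for sem in [s for s, o in held.items() if o == victim]:
            del held[sem]   # processes waiting on sem now have no holder to wait for

def demo():
    # Constructed state: P1 holds s1 and waits for s2, P2 holds s2 and waits for s1
    # (a deadly embrace); P3 holds s3 and waits for s1 (blocked, but not in the cycle).
    held = {"s1": "P1", "s2": "P2", "s3": "P3"}
    waiting = {"P1": "s2", "P2": "s1", "P3": "s1"}
    return find_cycle(wait_for_graph(held, waiting)), break_deadlocks(held, waiting)
```

Running the detector periodically, at a rate chosen from the system's behaviour, is what lets the P and V primitives themselves stay free of any deadlock check.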