- Plessey System 250
The Plessey System 250 was a computer system manufactured by the Plessey company. It was successfully deployed by the MOD for the British Army ([http://www.army.mod.uk/royalsignals/equipment/digital.html Ptarmigan project]) and served in the 1st Gulf War as a tactical mobile communication switch. It was only a moderate commercial success in the public telecommunications industry. System 250 is notable historically for using a purely hardware-based capability architecture and capability addressing.

The PP-250 is one central processing unit (CPU) in a multiprocessor System 250. To protect the shared system memory, it applies two independent but related checks to every memory access: first, the location of the memory, and second, the permission level of the command. Location relates to the object, that is, its geography in memory. Permission relates to the user's privileges: the privacy and security levels of use. Two keys to the same object can confer different access rights, so one may grant read access and another write access.

No privileged modes or modules exist in the PP-250, so user data is not exposed to the erroneous actions of a highly privileged program, operating system or user.

[http://www.sipantic.net/images/System%20250%20Telex.jpg System 250 Multiprocessor System (1975)]

The capability system provided an exchangeable hard currency for objects and abstractions, right down to the range definition of the individually secured memory blocks used to build any abstraction, guaranteeing its correct location, limited size and permitted access rights for a specific user. A PP-250 capability was a system-wide unforgeable handle that permitted controlled access, and capability tokens could be exchanged or moved without loss of protection within System 250. All attempted violations were checked and prevented dynamically. Faulty elements could then be isolated by revoking the set of capability tokens.

PP-250 capabilities were permanent handles to an object; they conferred authority and permissions and could be grouped arbitrarily on "a key ring" (a capability block) to define access domains. This provided the principal advantage of secure and private operation within a complex solution. In a dynamic environment, execution on the PP-250 was always based purely on an instantaneous need to know, following the principle of least authority (POLA), or principle of least privilege.

To provide confidence in meeting a mean time between failures of decades (50 to 100 years), it was necessary to build fail-safe integrity into the design. The design principle was independent auditing: no memory compromise leading to error migration could occur even in the presence of any single hardware failure or any software exception, deliberate or accidental. Privacy and security were safeguarded through failures and through equipment maintenance.
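The two independent checks and the revocation behaviour described above, as an added Python model written for this article (it is not code from System 250 or the PP-250; the object table, the READ/WRITE bits and the Machine and Capability names are assumptions of the illustration): a key names its block indirectly, every command must pass both the location check and the permission check, two keys to one block can carry different rights, and revoking the object disables every outstanding key to it.

```python
from dataclasses import dataclass
READ, WRITE = 1, 2  # constructed permission bits; the real PP-250 access-code layout is not modelled

@dataclass(frozen=True)
class Capability:
    obj: int     # index into the machine's object table; the block's location is looked up, never carried
    rights: int  # which commands this particular key permits

class Machine:
    def __init__(self):
        self.objects = {}   # obj id -> (base, limit); an entry disappears on revocation
        self.next_id = 0

    def allocate(self, base, limit):  # define a secured block and mint its first full-rights key
        oid, self.next_id = self.next_id, self.next_id + 1
        self.objects[oid] = (base, limit)
        return Capability(oid, READ | WRITE)

    def restrict(self, cap, rights):  # derive a weaker key to the same object (rights only shrink)
        return Capability(cap.obj, cap.rights & rights)

    def revoke(self, cap):  # isolate a faulty element: every outstanding key to it stops working
        self.objects.pop(cap.obj, None)

    def check(self, cap, offset, op):
        """The two checks a capability-addressed command must pass: (address, None) or (None, fault)."""
        if cap.obj not in self.objects:
            return None, "object revoked"
        base, limit = self.objects[cap.obj]
        if not 0 <= offset < limit:       # check 1: location, the address must lie inside the block
            return None, "offset outside block"
        if not cap.rights & op:           # check 2: permission, the command must be allowed by this key
            return None, "command not permitted by this key"
        return base + offset, None

def demo():
    m = Machine()
    writer = m.allocate(base=16, limit=8)        # 8-word block at word 16
    reader = m.restrict(writer, READ)            # second key to the same object, fewer rights
    results = [m.check(writer, 3, WRITE),        # (19, None): in range and permitted
               m.check(reader, 3, WRITE),        # (None, 'command not permitted by this key')
               m.check(writer, 8, READ)]         # (None, 'offset outside block')
    m.revoke(writer)
    results.append(m.check(reader, 0, READ))     # (None, 'object revoked'): both keys are dead
    return results
```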
See also
External links
*http://www.sipantic.net/third%20international%20conference%20on%20computer%20communications.mht for a lay presentation on System 250
*http://www.cs.washington.edu/homes/levy/capabook/Chapter10.pdf for a review by Hank Levy
Wikimedia Foundation. 2010.