
Naming and Protection


Naming and protection concern which data objects a task may access for reading, writing, or executing. Naming refers to how tasks refer to static data objects, task instruction objects, and each other. Protection is the prevention of a user process from inappropriately accessing data or hardware belonging to another process or the runtime operating system.

A capability mechanism [Dv66] [Lev84] [TMv86] is used to provide naming and protection. Capability-based addressing is similar to segmented addressing, or addressing through an object descriptor. Like those mechanisms, it provides a level of indirection that aids memory relocation (e.g. objects may be moved into slower storage over time). It also provides for context-independent naming (objects may easily be interchanged between processes) and persistent objects -- those which outlive the process that created them.

Capabilities, called tags in the MagicEight system model, may be freely copied, passed as parameters, and passed from application to application, but they may not be modified or forged by an application. There are three ways of enforcing this restriction: tagging of data with hardware support to prevent user modification of valid capabilities, maintaining the capabilities separately where a user application cannot directly manipulate them, and encoding them to prevent fraud [TMv86]. Since commonly available microprocessors are to be supported, one of the latter two methods must be used. I am proposing that the overhead of encoding is prohibitive, although the added security it provides is very attractive when operating over insecure networks. Instead, MagicEight will keep the tags stored where the task cannot directly access them.

A second reason for keeping the tags isolated from the actual instruction code is that it allows the scheduling agent to easily locate them (they represent all non-temporary data accessed by a task) while performing processor selection and data prefetching. The data objects represented by the capabilities are fetched into local memory if necessary and the capability resolved into an address in the local address space before executing a task.

All data objects in a MagicEight system are accessed using tags, including task instructions, hardware devices, streams, process and system environments, and the task tokens used to schedule executions. Application access to data objects is controlled through the tags. Separate bits in a tag allow a data object to be independently readable, writable, and executable using that tag. If the machine architecture has no way to control the behavior of a task once it has resolved a tag with read-only permission, the runtime system must only allow the process to access a private copy of the object. While each (possibly replicated) data object has a single, unique, system-wide tag id, the actual tags may differ in access privileges. The access privileges are embedded in the tag.
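The following is an added model of the tag scheme described above; it is not code from the MagicEight project. It assumes a runtime-held dictionary as the tag store, a deep copy as the "private copy" fallback for read-only tags on hardware that cannot enforce read-only mappings, and the names Tag, TagTable, restrict and resolve, all of which are hypothetical.

```python
from copy import deepcopy
from dataclasses import dataclass

# Access bits embedded in a tag (hypothetical encoding).
READ, WRITE, EXEC = 1, 2, 4


@dataclass(frozen=True)
class Tag:
    """Capability handed to a task: a system-wide object id plus its access bits."""
    obj_id: int
    rights: int


class TagTable:
    """Runtime-side object store; the task never sees these dictionaries directly."""

    def __init__(self, hw_enforces_readonly: bool = True):
        self.objects = {}          # obj_id -> data object (constructed, in-memory)
        self.next_id = 1
        self.hw_enforces_readonly = hw_enforces_readonly

    def create(self, data, rights: int = READ | WRITE | EXEC) -> Tag:
        """Register a new object and mint the first tag for it."""
        oid, self.next_id = self.next_id, self.next_id + 1
        self.objects[oid] = data
        return Tag(oid, rights)

    def restrict(self, tag: Tag, rights: int) -> Tag:
        """Copy a tag with a subset of its rights; holders can never add rights."""
        if rights & ~tag.rights:
            raise PermissionError("cannot amplify a tag's rights")
        return Tag(tag.obj_id, rights)

    def resolve(self, tag: Tag, want: int):
        """Map a tag to a local object before the task runs, checking the bits."""
        if want & ~tag.rights:
            raise PermissionError(f"tag {tag.obj_id} lacks rights {want:03b}")
        if tag.obj_id not in self.objects:
            raise KeyError("unknown tag id: forged or stale")
        obj = self.objects[tag.obj_id]
        # Read-only tag on hardware that cannot protect the mapping: private copy.
        if not (tag.rights & WRITE) and not self.hw_enforces_readonly:
            return deepcopy(obj)
        return obj


def denied(fn, *args) -> bool:
    """True when the runtime refuses the operation."""
    try:
        fn(*args)
    except (PermissionError, KeyError):
        return True
    return False
```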



magiceight-web@media.mit.edu