Protection based on Bracket Routines

Our research into object-oriented programming languages in the context of the L1 Project led to the formulation of a new idea known as attribute types [1]. These are used to complement object types analogous to the way adjectives qualify nouns in natural language. They can be used to achieve a well-defined form of multiple inheritance, adding additional specialised features to a more general object type.

As an illustration of the general idea we could define an attribute type loanable with features such as the date of a loan, the due date for return and the name of the loanee. This could then be used for example to qualify objects of type book (resulting in a new type library book) and/or of type car (resulting in a new type hire car).

Not all adjectives can be defined simply in terms of additional features. An adjective such as synchronised requires that code be added to existing features. This is achieved by allowing an attribute type also to have bracket routines, which allow the features of an object, when invoked, to be bracketed by the defined bracket code. A bracket routine can be used to bracket all features, particular features or just an individual feature of an object. In L1 for example a distinction was made between operations (which change the state of an object), enquiries (which return information about an object's state without modifying it) and constructors (which construct new objects). These could be bracketed as separate categories. Thus an attribute type reader_writer_synchronised can be defined for example with appropriate semaphore variables as internal data, which are initialised in a constructor bracket, while an operation bracket provides writer synchronisation code and an enquiry bracket supplies reader synchronisation code.

In a bracket routine the explicitly called feature of the bracketed object is invoked via a special statement body at the appropriate point in the code. Thus for example attribute reader_writer_synchronised might be implemented as follows:

    impl rws1 for reader_writer_synchronised
        var sem, mutex: semaphore
            readcount: int

        bracket constr
        begin
            body                        -- first call the synchronised object's constructor
            sem := 1                    -- then initialise the attribute variables
            mutex := 1
            readcount := 0
        end bracket constr

        bracket op                      -- used to bracket writers of the object
        begin
            P(sem)                      -- claim the object
            body                        -- enter the object's writer operation
            V(sem)                      -- release the object
        end bracket op

        bracket enq                     -- used to bracket readers of the object
        begin
            P(mutex)                    -- synchronise access to the variable "readcount"
            readcount := readcount + 1  -- add 1 to count of readers
            if readcount = 1 then
                P(sem)                  -- if first reader then claim object
            endif
            V(mutex)                    -- release control of "readcount"
            body                        -- enter the object's reader operation
            P(mutex)                    -- synchronise access to the variable "readcount"
            readcount := readcount - 1  -- reduce count of readers by one
            if readcount = 0 then
                V(sem)                  -- if last reader then release object
            endif
            V(mutex)                    -- release control of "readcount"
        end bracket enq
    end rws1

This implementation reflects the solution published by Courtois, Heymans and Parnas [2].

It will be seen that this technique can also be used for example to define an attribute logged, which logs information about calls to modules:

    write_log(date, time, caller_id)
    body

which can be a useful enhancement to the security of a system. (It can of course also be used to produce transaction logs, etc.) Even more powerful security mechanisms can be built by including the body statement in a conditional statement, e.g.

    if <protection check successful> then
        body
    else
        write_log("illegal access attempt by ", caller_id)
    endif

Here we see how attribute types with bracket routines can be used to implement very powerful, user-programmable protection mechanisms. The actual protection check could be of almost any conceivable kind (e.g. a password challenge and response, an access control list, membership of some society).

In the SPEEDOS system this mechanism complements the basic capability-based protection mechanism (as was used in Monads) and can thus be used to solve the capability revocation problem (by checking whether the caller is included in a revocation list, i.e. a negative access control list). In fact it can be used to support any kind of rule-based access control, provided that the mechanisms to support a particular rule are available. It can for example be used to solve most forms of the confinement problem.
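The following Python model is an added illustration and is not L1 or SPEEDOS code: it models attribute types with constr/op/enq brackets, the rws1 readers-writers attribute above (P/V realised with threading.Semaphore) and the conditional-body protection bracket with a revocation list, and links both to one object type. The names attach, Book, Protected, library_book and the revoked caller "mallory" are assumptions of the example; in SPEEDOS the linking and the caller identity are supplied by the Kernel.

```python
import threading                              # Semaphore supplies P (acquire) and V (release)

def attach(ctor, attr, ops=(), enqs=()):
    """Link attribute `attr` to the object built by `ctor` (what the SPEEDOS Kernel does)."""
    obj = attr.constr(ctor)                   # constructor bracket runs once, at link time
    for name, bracket in [(n, attr.op) for n in ops] + [(n, attr.enq) for n in enqs]:
        f = getattr(obj, name)                # plain feature, or one already bracketed
        f = f if hasattr(f, "bracketed") else (lambda caller, *a, g=f: g(*a))
        def wrapped(caller, *a, f=f, b=bracket):
            return b(lambda: f(caller, *a), caller)   # the lambda is L1's `body` statement
        wrapped.bracketed = True              # a second attribute may bracket this one
        setattr(obj, name, wrapped)
    return obj

class ReaderWriterSynchronised:               # rws1 from the page, Courtois/Heymans/Parnas
    def constr(self, body):
        obj = body()                          # first call the synchronised object's constructor
        self.sem, self.mutex, self.readcount = threading.Semaphore(1), threading.Semaphore(1), 0
        return obj
    def op(self, body, caller):               # writer bracket: claim, enter, release
        with self.sem: return body()
    def enq(self, body, caller):              # reader bracket
        with self.mutex:
            self.readcount += 1
            if self.readcount == 1: self.sem.acquire()    # first reader claims the object
        try:
            return body()
        finally:
            with self.mutex:
                self.readcount -= 1
                if self.readcount == 0: self.sem.release()   # last reader releases it

class Protected:                              # body inside a conditional: the caller is
    def __init__(self, revoked): self.revoked, self.log = set(revoked), []   # checked against
    def constr(self, body): return body()     # a revocation list (negative ACL)
    def op(self, body, caller):
        if caller not in self.revoked: return body()
        self.log.append(f"illegal access attempt by {caller}")   # write_log(...) of the page
    enq = op                                  # same check for enquiries

class Book:                                   # an ordinary object type (hypothetical)
    def __init__(self): self.title = "untitled"
    def set_title(self, t): self.title = t    # an operation
    def get_title(self): return self.title    # an enquiry

def library_book(revoked=("mallory",)):       # book qualified by both attribute types
    rws, prot = ReaderWriterSynchronised(), Protected(revoked)
    book = attach(Book, rws, ops=["set_title"], enqs=["get_title"])
    return attach(lambda: book, prot, ops=["set_title"], enqs=["get_title"]), rws, prot
```

Every feature call now passes through the protection bracket first and the synchronisation bracket second, so a revoked caller never reaches the object, and the semaphores are back at their initial values after each bracketed call.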

An extension of the bracket routine technique, which allows bracket code to be carried out before and after the execution of a call to another module, is described in another note. This allows an even finer form of confinement controls.

A realisation of this protection mechanism for the major modules of a persistent system requires an implementation in the Kernel. The SPEEDOS Kernel therefore recognises both object-like and attribute-like units as major modules and provides not only the mechanisms to call explicit features of these modules but also to link attribute modules dynamically to object modules and to invoke (implicitly) the bracket routines associated with the features of an object when they are called.

References

[1] Keedy, J. L., Evered, M., Schmolitzky, A. and Menger, G. "Attribute Types and Bracket Implementations", Proceedings of the Conference on Technology of Object-Oriented Languages and Systems, TOOLS 25, Melbourne, Australia 1997, IEEE Computer Society, pp.325-339.

[2] P. J. Courtois, F. Heymans and D. L. Parnas "Concurrent Control with Readers and Writers", Communications of the ACM, 14, 10, pp. 667-668, 1971.

© 2008 Homepage of Prof. Dr. J.L.Keedy