Computing Reviews
Privilege transfer and revocation in a port-based system
Ramamritham K., Stemple D., Briggs D., Vinter S. IEEE Transactions on Software Engineering SE-12 (5): 635-647, 1986. Type: Article
Date Reviewed: Nov 1 1986

Gutenberg is a port-based operating system under design by the authors. The topic of the paper is Gutenberg’s scheme for sharing resources: a capability-based approach.

The access control system of Gutenberg is strongly coupled to interprocess communication, which is managed by ports. Ports are information channels used to request access to shared objects. Gutenberg will only protect objects which are shared, and provides no ability to protect data local to a process. The guiding protection principle is clearly stated by the authors: “A port connecting a process to the manager of an object exists only if the process has the privilege to access the object with a specific operation.”

One novel aspect of Gutenberg’s handling of capabilities is a capability directory, in which all long-lived capabilities are managed. Processes are not allowed to retain capabilities in any other form. Gutenberg is also unusual in its client-server model of interprocess communication: a port created by a client process links to a server process by referring to a service operation and to a cooperation class with which the operation is associated. This functional addressing technique puts aside the need for process identifiers. Gutenberg ports have other attributes worth summarizing:

  • They are typed with regard to the associated operation.

  • They are restricted to a single server and a single client.

  • They may be (permanent) unidirectional channels or (temporary) bidirectional channels.

  • They may be used to transfer privileges.

  • They are created in the context of privileges and the optional declaration of future privilege revocation.

The authors do a good job of presenting the rationale behind their approach: overhead involved in the checking of privilege transfer and revocation must have minimal impact. The comparison to other, very similar projects (e.g., Hydra and CAL) is made without much detail. However, comparisons to other analogous systems which are dissimilar in approach are not made. Discussions on the Input Tools theory [1] and capability managers [2] are notably absent. (Also of interest to readers will be a reference to Mao and Yeh’s paper introducing communication ports [3].)

Either for the sake of brevity or for the dubious cause of multiple papers, the authors have deferred discussion of cooperation classes. The paper begins with a clear and concise description of Gutenberg objects and primitive operations. Accessing kernel and user-defined objects are orthogonal actions, with parallel semantics. The early discussion leads one to the conclusion that Gutenberg manipulates ports and capabilities by information structures derived from the UNIX file system.

Later discussion, in which privilege transfer and revocation are addressed, does not display the clarity of earlier sections; fundamentally, it suffers from a lack of figures. The paper is redeemed, however; the procedural descriptions of the privilege transfer and privilege revocation mechanisms are engrossing, and the algorithms presented are quite helpful.

In summary, the Gutenberg privilege transfer and revocation mechanisms and their motivation are faithfully presented, and the technical discussion is worthwhile. The paper would be well served by more figures, but in general it succeeds in its purpose. I look forward to reading the next installment.

Reviewer:  Stowe Boyd Review #: CR110674
1) van den Bos, J.; Plasmeijer, M. J.; and Stot- , J. W. M. Process communication based upon input specification, ACM Trans. Program. Lang. Syst. 3 (1981), 224–250.
2) Kieburtz, R. B.; and Silberschatz, A. Capability managers, IEEE Trans. Softw. Eng. SE-4 (1978), 467–477.
3) Mao, T. W.; and Yeh, R. T. Communication port: a language concept for concurrent programming, IEEE Trans. Softw. Eng. SE-6 (1980), 194–204.
Gutenberg (D.4.0 ... )
 
 
Access Controls (D.4.6 ... )
 
 
Access Methods (D.4.3 ... )
 
 
Modules And Interfaces (D.2.2 ... )
 
 
Storage Management (D.4.2 )
 