This note will not soon be well organized.
When resources are allocated with capabilities it is possible to reason about covert information flow by following the capabilities. In Keykos, resource allocation is controlled by capabilities at a gross level but small scale allocation is delegated to the kernel which does not follow capability discipline as it allocates:
There is a delicate “bottoming out” issue: “What resources do the allocation routines run with?” or “Who allocates time for the allocators?”. These problems are more confusing than difficult. In the current Keykos meter keepers always run on meters superior to the meters that they keep and the highest meters are unkept. Similarly there are debuggers with no debuggers above them. In conventional computer architectures, instruction traps in the instruction trap routine go unprocessed. I imagine a similar solution here.
We are initially agnostic about whether the described function is in the kernel. That is an engineering question with a heavy bias of removing stuff from the kernel with performance the main impediment.
A new object called the RAM-claim is proposed. Some slowly changing relation between pages and RAM-claims exists. I don’t know yet how this relation is represented, but with keys, somehow! A service key to a RAM-claim also exists.
The motivating idea behind a RAM-claim is to identify sets of pages that need to live in RAM for periods of time. These periods will be determined by software decisions made at the beginning and ends of those periods. Perhaps at a lower level there will be futures as well.
The Firewire scheme for allocating bandwidth is an attractive model of allocating time on a resource so as to meet hard real time requirements.
In this scheme, there would be meter keys for definite periods of time. Keys for past periods would useless. Domains running directly or indirectly on a “current meter key” would run as domains do now while domains running on a future key would not be dispatched until that time arrived.