- How does Mungi prevent users from bypassing the
capability-based protection system? When are capabilities
All objects are in virtual memory (VM). A thread can only access data in VM if the page containing the data is mapped (i.e., the TLB and page tables contain appropriate entries). If a page is not mapped, an access will trigger a page fault, which is served by the OS by establishing the mapping. The OS will only do this if the access is valid, i.e., if the thread's protection domain contains an appropriate capability. Hence, capabilities are validated at page-fault time.
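The fault-time check described above can be modelled in a few lines of C. This is an added, simplified example, not Mungi's own code: the struct names, the rights encoding, the 16-page address space and the page-aligned sample objects are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define NPAGES 16                 /* toy address space of 16 pages */
enum { CAP_R = 1, CAP_W = 2 };    /* hypothetical rights encoding */

/* Capability: rights to one object, named by its virtual address range. */
struct cap { uintptr_t base; size_t len; int rights; };
/* Protection domain: the capabilities a thread holds. */
struct pdom { const struct cap *caps; size_t ncaps; };
/* Stand-in for TLB/page-table state: rights each page is mapped with (0 = unmapped). */
struct mmu { int mapped[NPAGES]; unsigned faults; };

/* Fault handler: map the page only if a held capability covers addr with the wanted rights. */
static bool page_fault(struct mmu *m, const struct pdom *pd, uintptr_t addr, int want)
{
    m->faults++;
    for (size_t i = 0; i < pd->ncaps; i++) {
        const struct cap *c = &pd->caps[i];
        if (addr >= c->base && addr - c->base < c->len && (c->rights & want) == want) {
            m->mapped[addr >> PAGE_SHIFT] |= c->rights;
            return true;
        }
    }
    return false;   /* no matching capability: mapping refused */
}

/* An access as the hardware sees it: proceeds if mapped with enough rights, else faults. */
static bool access_mem(struct mmu *m, const struct pdom *pd, uintptr_t addr, int want)
{
    if ((addr >> PAGE_SHIFT) >= NPAGES) return false;
    if ((m->mapped[addr >> PAGE_SHIFT] & want) == want) return true;
    return page_fault(m, pd, addr, want);
}

/* Constructed sample domain: one read-only object, one read-write object. */
static const struct cap sample_caps[] = { {0x1000, 0x2000, CAP_R}, {0x4000, 0x1000, CAP_R | CAP_W} };
static const struct pdom sample_pd = { sample_caps, 2 };

int main(void)
{
    struct mmu m = {0};
    printf("read 0x1004: %d\n", access_mem(&m, &sample_pd, 0x1004, CAP_R));
    printf("write 0x1008: %d\n", access_mem(&m, &sample_pd, 0x1008, CAP_W));
    printf("faults: %u\n", m.faults);
    return 0;
}
```

A second read of an already mapped page does not reach `page_fault` at all, which is why the capability check costs nothing on the common path and why a thread cannot reach a page without passing through it.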
- How are objects located in the system?
Objects are identified by their virtual address. (Converting human-readable names to VM addresses is left to user-level naming services.) The OS maintains mappings from virtual addresses to RAM frames (for resident pages) and to disk blocks (for initialised pages).