Plessey System 250

From Wikipedia, the free encyclopedia

The Plessey 250 was a computer system manufactured by the Plessey company. It was successfully deployed by the DOD for the British Army and served in the 1st Gulf War as a tactical mobile communication switch. It was only a moderate commercial success for the public telecommunication industry. System 250 is notable historically for using a pure hardware-based capability architecture.

The PP-250 is one CPU in a multi-processor System-250. To protect the shared system memory, capabilities provide two independent but related checks on every memory access: first, the location of the memory, and second, the permission level of the command. Location relates to the object, its geography in memory. Command relates to the user's privileges, the privacy and security levels of use. Two keys to the same object can give different levels of access rights, so one may grant Read access and another Write access.

No privileged modes or modules exist in the PP-250, and hence users' data is not exposed to the erroneous actions of highly privileged programs, operating systems or users.

[Image: System 250 Multiprocessor System (1975)]

The capability system provided an exchangeable hard currency for objects and abstractions, right down to a range definition of individually secured memory blocks used to build any abstraction, guaranteeing its correct location, limited size and permitted access rights for a specific user. A PP-250 capability represented a system-wide unforgeable handle that permits controlled access and the exchange or movement of capability tokens without loss of protection within System-250. All attempted violations were checked and prevented dynamically. Faulty elements could then be isolated by revoking the set of capability tokens.

PP-250 capabilities were permanent handles to an object; they conferred authority and permissions and could be grouped arbitrarily on "a key ring" (in a capability block) to define access domains. This provided the principal advantage of secure and private operation within a complex solution. In a dynamic environment, execution on the PP-250 was always based purely on an instantaneous need to know, using the principle of least authority (POLA), also known as the principle of least privilege.
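As an added illustration (not code from the article or from Plessey), the following Python model ties together the two checks described above (location and permission), the grouping of capabilities into a key ring that defines an access domain, and the revocation of a faulty element's tokens. The real PP-250 performed these checks in hardware on capability registers; here a capability is a Python value. The class names, the permission bit encoding and the constructed memory layout are assumptions made for this example.

```python
"""Software model of PP-250 style capability checking.

Added illustration (not Plessey's code): the real System 250 performed these
checks in hardware. Class and field names (Capability, CapabilityBlock,
Memory, obj_id, base, limit, rights) are assumptions for this example.
"""
from dataclasses import dataclass, field

# Permission bits carried by a capability (encoding assumed for the example).
READ, WRITE, EXECUTE = 0b001, 0b010, 0b100


class CapabilityFault(Exception):
    """Raised when an access fails the location check, the permission check,
    or names a revoked object."""


@dataclass(frozen=True)
class Capability:
    """An unforgeable handle: base/limit say where the object is (its geography),
    rights say what the holder may do. frozen=True models that a holder cannot
    alter a token; new tokens are only derived by narrowing rights."""
    obj_id: int   # identity of the object; revocation is keyed on this
    base: int     # first word of the object in memory
    limit: int    # size of the object in words
    rights: int   # bitmask of READ / WRITE / EXECUTE

    def restrict(self, rights: int) -> "Capability":
        """Derive a weaker key to the same object (e.g. read-only from read-write)."""
        return Capability(self.obj_id, self.base, self.limit, self.rights & rights)


@dataclass
class CapabilityBlock:
    """The 'key ring' of one access domain: the only capabilities it can use."""
    keys: dict = field(default_factory=dict)

    def grant(self, name: str, cap: Capability) -> None:
        self.keys[name] = cap

    def __getitem__(self, name: str) -> Capability:
        return self.keys[name]


class Memory:
    """Shared memory that refuses any access not authorised by a valid capability."""

    def __init__(self, size: int) -> None:
        self.words = [0] * size
        self.revoked: set = set()

    def _check(self, cap: Capability, offset: int, needed: int) -> int:
        """The two independent checks from the text, plus revocation; returns the address."""
        if cap.obj_id in self.revoked:
            raise CapabilityFault(f"object {cap.obj_id} revoked")
        # Check 1: location. The access must fall inside the object's bounds.
        if not 0 <= offset < cap.limit:
            raise CapabilityFault(f"offset {offset} outside object of {cap.limit} words")
        # Check 2: permission. The command must be allowed by the key's rights.
        if cap.rights & needed != needed:
            raise CapabilityFault(f"rights {cap.rights:03b} do not include {needed:03b}")
        return cap.base + offset

    def read(self, cap: Capability, offset: int) -> int:
        return self.words[self._check(cap, offset, READ)]

    def write(self, cap: Capability, offset: int, value: int) -> None:
        self.words[self._check(cap, offset, WRITE)] = value

    def revoke(self, obj_id: int) -> None:
        """Isolate a faulty element: every token naming this object stops working."""
        self.revoked.add(obj_id)


def _attempt(action) -> str:
    """Run an access and report whether the capability checks allowed it."""
    try:
        action()
        return "allowed"
    except CapabilityFault:
        return "denied"


def demo() -> dict:
    """Two domains hold different keys to the same object; returns what each was allowed."""
    mem = Memory(64)
    rw = Capability(obj_id=1, base=8, limit=8, rights=READ | WRITE)  # words 8..15 (constructed)
    writer, reader = CapabilityBlock(), CapabilityBlock()
    writer.grant("buf", rw)
    reader.grant("buf", rw.restrict(READ))   # same object, weaker key
    mem.write(writer["buf"], 3, 42)
    out = {"reader_sees": mem.read(reader["buf"], 3)}
    out["reader_write"] = _attempt(lambda: mem.write(reader["buf"], 3, 7))
    out["writer_out_of_bounds"] = _attempt(lambda: mem.read(writer["buf"], 8))
    mem.revoke(1)
    out["writer_after_revoke"] = _attempt(lambda: mem.read(writer["buf"], 0))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the model is that a domain never names an address directly: it can only present a key from its own ring, and the same object reached through a read-only key and a read-write key behaves differently, while an out-of-bounds offset or a revoked object is refused regardless of rights.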

To provide confidence in meeting a mean time between failures of decades (50 to 100 years), it was necessary to build fail-safe integrity into the design. The design principle was independent auditing: no memory compromise leading to error migration could occur even in the presence of any single hardware failure or any software exception, deliberate or accidental. Privacy and security were safeguarded through failures and through equipment maintenance.
