CAP computer


The Cambridge CAP computer was the first successful experimental computer that demonstrated the use of security capabilities, both in hardware and software. It was developed at the University of Cambridge Computer Laboratory in the 1970s. Unlike most research machines of the time, it was also a useful service machine.
The sign currently on the front of the machine reads:

The CAP project on memory protection ran from 1970 to 1977. It was based on capabilities implemented in hardware, under M. Wilkes and R. Needham with D. Wheeler responsible for the implementation. R. Needham was awarded a BCS Technical Award in 1978 for the CAP Project.

Design

The CAP was designed such that any access to a memory segment or hardware required that the current process held the necessary capabilities.
The 32-bit processor featured microprogramming control, two 256-entry caches, a 32-entry write buffer and the capability unit itself, which had 64 registers for holding evaluated capabilities. Floating point operations were available using a single 72-bit accumulator. The instruction set featured over 200 instructions, including basic ALU and memory operations, to capability- and process-control instructions.
Instead of the programmer-visible registers used in Chicago and Plessey System 250 designs, the CAP would load internal registers silently when a program defined a capability. The memory was divided into segments of up to 64K 32-bit words. Each segment could contain data or capabilities, but not both. Hardware was accessed via an associated minicomputer.
All procedures constituting the operating system were written in ALGOL 68C, although a number of other closely associated protected procedures - such as a paginator - are written in BCPL.

Operation

The CAP first became operational in 1976. A fully functional computer, it featured a complete operating system, file system, compilers, and so on. The OS used a process tree structure, with an initial process called the "Master coordinator". This removed the need for separate modes of operation, as each process could directly access the resources of its children. In practice, only two levels were ever used during the CAP's operation.