l4-hurd

Re: Supporting POSIX *users*


From: Jonathan S. Shapiro
Subject: Re: Supporting POSIX *users*
Date: Thu, 27 Oct 2005 11:17:42 -0400

On Thu, 2005-10-27 at 15:17 +0200, Alfred M. Szmidt wrote:
>    >       open() -- assumes a universally shared, mutable store.
>    >
>    > Nothing wrong with that.
> 
>    There is.  It is possible to protect private data from becoming
>    shared by malicious applications.  This is a good thing.  What you
>    need for it is confinement: in that case, a hostile application
>    which can read your private data cannot share it.  A universally
>    shared mutable store makes confinement impossible, and therefore
>    giving private data to potentially hostile programs dangerous.
> 
> I consider that an absurd level of paranoia totally unsuitable for a
> system that you use on a daily basis.

Okay. Please explain how to safely run a browser plugin when the plugin
can write to anything in the file system.

>    Right, you want to secure your system by not making the wrong
>    syscalls in your code?  And why do you think a hostile application
>    is going to live by that rule?
> 
> And by not implementing the `evil syscalls', as I have said repeatedly!
> You cannot use a syscall if it doesn't exist.  That is what I mean by
> don't call it, don't use it, etc.

Cool. Please remove open(), socket(), [gs]etuid(), and fork() for
starters.

>    But a system which only does parts of it is not a POSIX system.
> 
> Yes it is, POSIX doesn't mandate that everything must be implemented.

Could you please post the address of your drug supplier? It must be
*great* stuff!

Seriously: I think you have not actually sat on a standards committee if
you can say this.

>    I think Jonathan will not consider OpenBSD defensible. ;-)
> 
> Jonathan won't consider anything defensible other than EROS.

Actually, no.  KeyKOS was just as defensible. The VAX/VMM work was
nearly as defensible, and the later Multics work was VERY good from a
security standpoint (but probably not from a performance standpoint).
The Blacker kernel (GemSOS) was adequate, but insufficiently general
purpose. The ASOS kernel was *extremely* good, but was targeted at a
narrower and more specialized base of applications.

OpenBSD is probably the best attempt to retrofit security onto a
hopeless situation that I have ever seen. It is a *great* holding
action, but it is not a solution that will stand the test of time.
Several core people on the OpenBSD project, by the way, have agreed with
that statement.

>    Running untrusted code is useful, and people will do it anyway, no
>    matter what the consequences are.  We can build an operating system
>    which makes this acceptable, instead of highly dangerous.
> 
> We already have such a system.

Alfred: you are simply wrong. And you have been pointed at the formal
results that conclusively, mathematically *prove* that you are wrong,
you have ignored them, and you persist in making this wrong assertion. I
am very sorry, but 2+2 will not be 5 no matter how many times you insist
that it is so.


shap
