l4-hurd
From: Marcus Brinkmann
Subject: Re: Potential use case for opaque space bank: domain factored network stack
Date: Mon, 08 Jan 2007 04:26:18 +0100
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Mon, 8 Jan 2007 03:21:33 +0100,
Pierre THIERRY <address@hidden> wrote:
> 
> Scribit Marcus Brinkmann dies 08/01/2007 hora 02:24:
> > I note that the EROS space bank is hierarchical as well, and it does
> > not inhibit POLA either.
> 
> Because of the use of the constructor, I thought EROS space bank was
> clearly not hierarchical.

The hierarchical structure on space banks is inflicted by the creation
of subspace banks for reserve management purposes.  It is not directly
related to allocation and mapping of pages from the space bank.
However, durability of memory allocated from space banks is
hierarchic, as is the allocation limit (with a strict dominance
relationship).

> > I also want to point out that today most systems deployed do not
> > implement POLA, and thus the harm, if it exists at all, is at most
> > opportunistic.
> 
> That depends on the point of view. If we plan to do as bad as others do,
> yes, the harm is only potential. But if we have as a goal to build a
> secure system and end up with a system not significantly better than the
> existing ones, this would be a failure.

I only mentioned that to make clear that I am upholding the status quo
in that regard, not calling for a radical transformation.

This is important because Jonathan keeps bringing up (rightly so, I
believe) the issue of responsibility.  Human social structures are
delicately balanced and highly dynamical systems.  Any change at a
global scale needs to be done with utmost care and under strict
monitoring.

Jonathan proposes that we make a paradigm shift in who controls the
computational resources of a machine.  Instead of giving this control
to the rightful owner of the device, he wants to give this control to
the authors of the programs and data that are put into these machines.
That is a radical paradigm shift, which is aligned with the interests
of big businesses but hardly anybody else.  We have so far only seen
weak attempts to push this change into the world, and already it is
causing considerable distress and harm.

This is justified, according to Jonathan, because eventually there
will be a world where the mechanisms are used for good and rightful
purposes instead of being abused.  That is the promise of any
revolution, of course, and should be treated with suspicion.  I don't
think it is responsible action to ask for the sacrifice of a
generation for merely the promise of a better world eventually.

> I also had understood that POLA was clearly a goal of the next Hurd.

POLA is not a goal.  It can be a mechanism that achieves a goal, and
we plan to use it appropriately.  Note that I do not share Jonathan's
pessimism that what I suggest inhibits POLA, at least not where we
plan to use it.
> > However, please note that virtually all systems widely deployed today
> > do have "transparent memory", do you know any exceptions?
> 
> I may use one every day: Linux. It seems I can't debug a program that I
> have the right to execute but not to read. I'm pretty sure that a setuid
> program I can execute is totally impossible to debug or monitor.

Linux doesn't do any resource accounting, so how can you tell the
difference between a setuid program and a daemon except for the
mechanism of invocation?  Similar for the example of a --x file.

Thanks,
Marcus
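A toy model of the two hierarchic properties described above, limit dominance and hierarchic durability, added here as an illustration; it is not code from EROS, the Hurd, or this thread, and the SpaceBank class and its methods are invented for the example:

```python
# Toy model of hierarchical space banks (constructed illustration, not EROS/Hurd code).
# Two properties are modelled: a sub-bank's allocation limit is dominated by every
# ancestor's limit, and storage allocated from a sub-bank is reclaimed when an
# ancestor bank is destroyed.
class SpaceBank:
    def __init__(self, limit, parent=None):
        # Strict dominance: a sub-bank may never promise more than its parent can.
        if parent is not None and limit > parent.limit:
            raise ValueError("sub-bank limit must not exceed the parent's limit")
        self.limit = limit
        self.parent = parent
        self.children = []
        self.pages = set()      # pages allocated directly from this bank
        self.destroyed = False
        if parent is not None:
            parent.children.append(self)

    def usage(self):
        # Pages charged to this bank: its own plus everything in its sub-banks.
        return len(self.pages) + sum(c.usage() for c in self.children)

    def allocate(self, page_id):
        if self.destroyed:
            raise RuntimeError("bank has been destroyed")
        # The allocation must fit within the limit of this bank and every ancestor.
        bank = self
        while bank is not None:
            if bank.usage() + 1 > bank.limit:
                raise MemoryError("allocation exceeds the limit of an enclosing bank")
            bank = bank.parent
        self.pages.add(page_id)
        return page_id

    def destroy(self):
        # Hierarchic durability: destroying a bank reclaims its whole subtree.
        freed = sum(c.destroy() for c in self.children)
        freed += len(self.pages)
        self.pages.clear()
        self.destroyed = True
        return freed

def demo():
    root = SpaceBank(limit=4)
    child = SpaceBank(limit=4, parent=root)
    grandchild = SpaceBank(limit=3, parent=child)
    root.allocate("p0"); child.allocate("p1")
    grandchild.allocate("p2"); grandchild.allocate("p3")   # root is now at 4/4
    try:
        grandchild.allocate("p4"); dominated = False
    except MemoryError:
        dominated = True     # grandchild has room (2/3) but the root's limit wins
    freed = child.destroy()  # reclaims p1, p2, p3 in one step
    return dominated, freed, root.usage()
```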