Re: OT: protection in SASOS


From: Jonathan S. Shapiro
Subject: Re: OT: protection in SASOS
Date: Thu, 11 May 2006 10:00:34 -0400

On Thu, 2006-05-11 at 15:36 +0200, Tom Bachmann wrote:
> Marcus Brinkmann wrote:
> > At Wed, 10 May 2006 08:54:41 -0700,
> > Thomas Bushnell wrote:
> >> Still, he is essentially right.  The conclusion is--dare I say
> >> it--right as well.  The best computer systems *are* single address
> >> space systems.  Of this, I have absolutely no doubt.
> > 
> > But this just replaces the war on the best kernel with a war on the
> > best memory-safe programming language...
> > 
> 
> OT: Why does a SASOS imply a memory-safe language?

It does not.

However, I don't agree with Thomas. The SASOS idea is a very attractive
idea, but its attraction derives from a fundamental abandonment of
encapsulation. A SASOS is easier to implement for the kernel developer,
but without fully separate address spaces there are interactions between
processes that the developer cannot control.

Fundamentally, a SASOS abandons the idea of a process-private namespace,
and reduces all addresses to global names.

Contrast this with the current situation in L4, where an *overwhelming*
effort is being made to *eliminate* global names because of severe
security issues.

> If you have a look at e.g. mungi or nemesis, they show that other
> mechanisms (virtual memory) can be used.

Yes. They also demonstrate (in both cases) that fault isolation and
security are harder to achieve in such a system.

shap
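As an added illustration of the distinction drawn above between process-private names and global names (this is not code from the thread; the processes, addresses and objects are constructed for the example), the toy model below resolves the same numeric address from two "processes" under both schemes. With a private address space the number is a local name and resolves in the caller's own table; in a single address space it is a global name that reaches the other process's object unless a separately maintained protection-domain check is consulted on every access, which is the extra mechanism that virtual memory has to supply in a SASOS.

```python
"""Toy model: private address spaces versus a single shared address space.
Constructed example; the 'processes', addresses and objects are made up."""


class Obj:
    """A kernel object that an address may name."""

    def __init__(self, name, payload):
        self.name = name
        self.payload = payload


class PrivateAddressSpace:
    """One translation table per process: an address is a process-local name."""

    def __init__(self):
        self.tables = {}  # pid -> {addr: Obj}

    def map(self, pid, addr, obj):
        self.tables.setdefault(pid, {})[addr] = obj

    def deref(self, pid, addr):
        # An address that is unmapped for this process simply faults (None);
        # it can never reach another process's mapping.
        return self.tables.get(pid, {}).get(addr)


class SingleAddressSpace:
    """One global table: an address names the same object from any process.
    Protection is a separate structure that must be checked on every access."""

    def __init__(self):
        self.table = {}    # addr -> Obj (global namespace)
        self.domains = {}  # pid -> set of addrs this process is allowed to touch

    def map(self, pid, addr, obj):
        self.table[addr] = obj
        self.domains.setdefault(pid, set()).add(addr)

    def deref(self, pid, addr):
        # Raw global lookup: the caller's identity plays no part.
        return self.table.get(addr)

    def deref_checked(self, pid, addr):
        # The extra protection-domain check a SASOS needs in front of every
        # translation so that a leaked global name is not an access right.
        if addr in self.domains.get(pid, set()):
            return self.table.get(addr)
        return None


def leaked_name_demo():
    """Process B reuses a numeric address that belongs to process A.

    Returns (private_result, global_unchecked, global_checked) as object names.
    """
    secret = Obj("A-private", "constructed payload")

    pa = PrivateAddressSpace()
    pa.map("A", 0x1000, secret)
    pa.map("B", 0x1000, Obj("B-own", "constructed payload"))
    private_result = pa.deref("B", 0x1000).name  # resolves in B's own namespace

    sa = SingleAddressSpace()
    sa.map("A", 0x1000, secret)
    sa.map("B", 0x2000, Obj("B-own", "constructed payload"))
    global_unchecked = sa.deref("B", 0x1000).name  # same global name, same object
    checked = sa.deref_checked("B", 0x1000)         # domain check refuses it
    global_checked = checked.name if checked else None

    return private_result, global_unchecked, global_checked


if __name__ == "__main__":
    print(leaked_name_demo())
```

The `deref` path of `SingleAddressSpace` is the interaction between processes that the kernel developer cannot control by construction: every translation succeeds for every caller, so the isolation has to be re-established by a second bookkeeping structure (`domains` here) that must be consulted on each access and kept consistent with the global table.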