Re: Broken dream of mine :(

[William Leslie]

2009/11/4 Michal Suchanek <address@hidden>:
> 2009/10/28 Jonathan S. Shapiro <address@hidden>:
>> My one concern with Viengoos -- and I have expressed this to Neal many times
>> -- is that in the pursuit of better resource arbitrage Neal has given up
>> resource isolation, and there are fairly important (and unfortunate)
>> security consequences for that. It is possible that these can be addressed,
>> and it is fair to experiment on one thing at a time, but it needs to be
>> clearly understood that Viengoos is an experimental kernel, and that it is
>> *not* suitable in its current form for production use.
>>
>
> The main difference as I understand it is that Coyotos enforces 'hard'
> resource allocation - the resource either is allocated to the process
> or it is not.

I would probably say that "the resource is allocated or not".
Ownership is not addressed by the Coyotos model, quite simply whoever
has the capability to it can use the resource. The question of who
pays is not part of the core.

When you allocate a resource, you do so by invoking some authority.
This authority does not, at least in the case of the core servers,
specify how the resource is to be divided or shared: that
functionality must be implemented by the servers that implement that
user resource.

Capabilities that specify actual hardware allocation, the kind that
are dealt with by Coyotos, should probably be proxied by the operating
system and not handed out directly. The operating system should do as
Viengoos does: turn invocations of capabilities to relative time
slices into concrete ones.

> This is not something that is completely addressed in Coyotos either -
> there still can be observable increase in latency when the system is
> under load. Coyotos aims to get nearer to the absolute isolation
> ideal, though.

Coyotos privides page pinning and intended to provide (only!) hard
time slices. Between these two, you can positively assert that some
exact set of resources are provided. You even have isolated TLB-fill
times. The only covert channel that I can see is cache utilisation (I
could say "on architectures that don't support cache locking", but I
don't think there were plans to reify this where available either).

> When this kind of security is a concern the Viengoos model can be
> amended by introducing 'hard' domains which cannot access surplus
> resources outside of the domain.

Yes, the Viengoos paper does mention this.

I always saw Viengoos as 'providing ways to apportion resources' and
Coyotos as 'providing the indivisible resources'.

William Leslie