From: Jonathan S. Shapiro
Subject: Re: Potential use case for opaque space bank: domain factored network stack
Date: Mon, 08 Jan 2007 00:02:20 -0500

On Mon, 2007-01-08 at 02:24 +0100, Marcus Brinkmann wrote:

> > The larger harm of the "transparent memory" proposal is that we do not
> > (yet) have any comprehensive description of an overall system design
> > based on this model, and we certainly have no security design for it
> > (yet).
> 
> Let's cut to the chase.  The issue is not the lack of formal
> descriptions and models.  The trade-offs are clear enough.  The real
> issue is that my proposal makes it impossible or hard to express and
> implement certain security policies compared to EROS.

The tradeoffs are not at all clear to me, which is exactly what I said.
This is true because I still do not understand the full picture of the
design that you propose. So far as I know, there is no comprehensively
captured description (yet) that I can study. In the absence of such a
description, it is clear that there cannot exist any comprehensive
security design.

I was also very careful to emphasize the "yet" part. It is possible
(even likely) that your design will come to be written down in time and
the security design will emerge from that. I look forward to that very
much.

I made no mention of "formal" anything.

I accept that you have a different view of what security policies are
important. I may not agree with your view, but that does not mean that
your goals are invalid. The problem right now is that I don't understand
your system and I therefore cannot understand if *any* security policies
can be enforced in your system. It is surprisingly easy to design a
system in which security enforcement is impossible. The overwhelming
majority of current general-purpose operating systems fall into this
category. When someone (you, but also anyone else) proposes a new OS
structure, I am therefore very skeptical that it will turn out to be
securable in any sense at all. This skepticism is very well motivated by
history.

What I say above is simply that no capture of your overall design exists
*today*, and so we cannot *yet* understand (and I claim that *you*
cannot yet understand either) what the implications of your design will
turn out to be.

> > I completely support Marcus in his view that the "transparent memory"
> > proposal is worth exploring, but in my opinion it would be irresponsible
> > to design this assumption into a widely deployed system until its
> > implications are more fully understood.  My concern is that I do not see
> > the necessary design work occurring that would determine that. This may
> > be simply because that discussion is not occurring here.
> 
> Jonathan, I couldn't have said it any better, but for the system
> design you propose to be widely deployed, and referring to its social,
> political and economic implications as well as technical ones.

There is significant merit to this part of your response. The difference
between our positions (as I see it) is this:

My design is compatible with the current trend of legal and social
opinion concerning intellectual property. To the extent that this is
true, it fits directly into the current political environment and
economic framework. However, it also seeks to restore to the user a
balance of power by ensuring that end users can apply all of the same
tools that content providers can.

Your design proposes to undermine and attempt to redefine both the
current political and the current economic framework. It seeks reversal,
not balance.

I do not assert that either view is "better". Each view, in my opinion,
has significant merits, risks, benefits, and costs.

> However, please note
> that virtually all systems widely deployed today do have "transparent
> memory", do you know any exceptions?

The overwhelming majority of systems deployed today do not. I refer, of
course, to set-top boxes, game machines, music players, refrigerators,
disk drive controllers, and so forth.


shap
-- 
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100