[cap-talk] Concrete application, WebCVOS

[Jed Donnelley]

Mark Miller wrote:
> On 7/18/07, Jed Donnelley <capability at webstart.com> wrote:
>   
>> [...] (may have to take over a bit to
>> get what amounts to a hardware VMM - let
>> me leave the details of that out for now)
>> [...]
>> This is much like a Java sandbox, but it
>> isn't Java (real hardware instructions),
>> [...]
>> I don't see much difficulty in developing
>> Window and/or Unix compatibility libraries
>> that would run in this environment and
>> make much of their respective environments
>> appear to be there.  To me this is a bit
>> like the libraries that support cygwin
>> or wine or any other compatibility package.
>>     
>
> Hi Jed,
>
> I like most aspects of your scenario. But by proposing to execute
> hardware machine instructions, rather than leveraging portable
> memory-safe language technology, I think you've made everything
> several times harder.
Some things I agree are harder, but I believe with the hardware machine
instruction approach the most important things are simpler (more below).
> Web apps are already written in portable memory
> safe languages (Javascript, Actionscript/Flash, Java), so starting
> from there, there's no entrenched installed base of machine code
> forcing us to do something ugly.
>   
While it's true today that "Web apps" are already written in languages like
Javascript, Actionscript/Flash, and Java, because they have no alternative,
most applications that people use (I mentioned a few in the list of things
that I was afraid to run - Acrobat reader, Powerpoint, email readers,
editors, Turbotax, Roxio, Multimedia, etc., etc., etc. - just look at what
you have installed on your Windows or Unix workstation) are written for
an environment where they execute machine instructions in an
OS environment.

What I'm suggest is writing a compatibility library (e.g. one for
Unix [/Mac?] and one for Windows) would allow all such
applications to run with just a reload under this 'WebCVOS'.
In my view this would make many more applications available
much more easily in a shorter period of time.

> If you still think it doesn't seem that hard, how are you going to
> intercept all OS traps on Windows without cooperation from Microsoft?
> AFAIK, there's no ptrace equivalent exposed to Windows programmers.
>
>   
I don't feel it's all that important, certainly at the beginning, to provide
such a WebCVOS natively on Windows.  Providing it to begin with
on Unix would be fine - e.g. as you suggest on top of ptrace.  This
approach can be considered as an alternative to Plash, but I believe
with much more functionality, specifically Web capabilities as data,
confinement (does Plash provide confinement?  I don't see how),
and Windows compatibility in addition to Unix/Mac (see below).
Also, I agree with JohnathanS:

Jonathan S. Shapiro wrote:
> On Thu, 2007-07-19 at 08:20 -0700, Mark Miller wrote:
>   
>> If you still think it doesn't seem that hard, how are you going to
>> intercept all OS traps on Windows without cooperation from Microsoft?
>> AFAIK, there's no ptrace equivalent exposed to Windows programmers.
>>     
>
> No, but there are plenty of ways to hook that API. Rootkits often do
> this.
I just don't think support for running such a WebCVOS
on native Windows would be likely to be a substantial issue.

I believe most of the code needed to get a Windows compatibility
library running under such a WebCVOS is available with Wine:

http://www.winehq.org/

I don't believe replacing the Wine backend with a Web
capabilities as data mechanism vs. native Unix would be
all that difficult.  The compatibility would be unlikely to
be any better than Wine (likely somewhat worse), but
I believe that is sufficient to sell - certainly if the concept
started getting a bit of attention.

Consider what you have if you achieve as much as I've
suggested above.  You've got a free OS that you can
download (Linux) with an environment in which you
can run Unix[/Mac?] and Windows application in a POLA
safe environment.  You can start with your current
applications (Windows and Unix/Mac) and then start loading
applications from the Web.  I believe that application designers,
if given the choice between the non-market they get programming
strictly for Windows (or Unix) - because people are
afraid to run their application in the environment that is
subject Microsoft's first law - and the larger market
they would get with the slight mods (if any) for
WebCVOS - because people can trust that they can
run such applications safely - would choose to support
the WebCVOS environment.

One thing I really like (probably not new?) that I
hadn't considered before is the simple initialization
for POLA that one gets just by the expedient of
allocating a directory for every application that will
be made available to the initialized application as a
Web capability as data directory (e.g. YURL) - from
which to extract file capabilities as needed to do any
needed I/O.  The interface could easily provide,
for example, any needed RO access to Windows
files typically needed for Windows programs
(shared libraries, state files, etc., etc.).  I expect
some sort of "Windows" capability would likely be
needed to provide ancillary Windows functionality
(We had such a capability for our LTSS emulation),
but I don't think that is a particularly big deal.

I believe the only substantive issues that may
need individual attention (e.g. at initialization
or through a Powerbox) from users would be
things like devices (do I give it access to audio
in or out, my DVD device, some IP address/port
on the Internet, etc.).  These are things that I
believe would be easily asked and answered at
initialization time and easily dealt with at run
time through a Powerbox if needed (e.g.
"Would you like that permission provided
automatically when this application is
initialized in the future?").

If an approach like this were to gain even
a little bit of momentum on Unix and Mac,
I don't think it would be difficult to make
something available for Windows, e.g. using
virtual machine technology.  E.g. at the least
just run Windows under a VM and Linux
under a separate VM with WebCVOS under
Linux.  With suitable file sharing between
the environments one could probably even
make the needed Windows compatibility
files available from Windows itself (e.g.
updates by Microsoft, etc.).  Now wouldn't
it be interesting to see how Microsoft
would treat a situation like that ...

For me the primary issue is putting together
environments (compatibility libraries) on
top of the WebCVOS that are sufficiently
the same as the native Unix[/Mac?] and Windows
environments so that application developers -
perhaps with very minor twists - can make their
codes available to run under WebCVOS.

Of course it would be relatively trivial to also
provide library support to run the portable
memory safe languages that you mention
MarkM - on top of the WebCVOS.
I just don't believe this would provide nearly
the market that would be provided by being
able to run existing Windows and Unix[/Mac]
applications in a safe environment - not subject
to Microsoft's first law.

--Jed   http://www.webstart.com/jed/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.eros-os.org/pipermail/cap-talk/attachments/20070719/3c0587db/attachment.html