[cap-talk] Memory access based OS security

Ben Kloosterman bklooste at gmail.com
Fri Sep 4 16:04:56 PDT 2009


<snip> 
>
>I am less familiar with LB systems. Java depends on a byte code verifier
>and Smalltalk depends on a compiler. In both cases, we have an additional
>piece of code which needs to be verified.

Correct, the run-time check verification code is the only extra code that
needs to be verified, but it's pretty tiny.
In both cases you trust the compiler. The dynamic loader is also probably a
little bit larger. Even added together these pieces are about the same (or
smaller) size and complexity as a virtual memory/paging system.

>Verification in these systems seems to be also via code review and bug
>fixes, with more formal techniques still in the research stage. Both of
>these systems have a track record. Java has proven itself in server-side
>applications. Smalltalk doesn't seem to be used in production applications,
>but it has proven reliable for prototyping and ad hoc programming.
>
>
>Both systems have advantages and disadvantages: LB systems can provide a
>much more efficient security domain switch. TOS systems can support a wider
>range of languages and provide reasonably efficient virtual machines.

Agree. Note the languages supported can be quite extensive (C#, VB, Java,
Managed C++, Python, Cobol, Fortran, Smalltalk, Basic etc.) though it can't
support languages that do a lot of complex pointer work. The big one is C++
with pointer support, due to the existing code base.

Not sure whether the virtual machine comment is valid; it is not for a LB
system with virtual memory, as the virtual machine could have HW checking in
its own separate address space while the rest of the OS does not and uses a
flat address space. For single address space systems that don't use virtual
memory, the LB kernel can live in a hypervisor as well as the virtual
machine. A virtual machine can be provided, provided it ran type-safe code
that could be checked; you could also actually run any native code in a
virtual machine, but a crash could corrupt or bring down the OS. I don't
think it feasible to have a slow VM that checked unmanaged code. With the
use of hypervisors I don't think it's an issue unless you wanted to
maintain backward compatibility, e.g. Windows apps, and hence a Microsoft-based
managed OS would probably use virtual memory at least for the VM.

>Both systems could be implemented in memory safe languages, although the
>TOS systems I am familiar with have not been. Systems which combine the
>approaches could be quite interesting, although I have not heard of any
>being designed.

Singularity is a LB OS that includes an option to use traditional hardware
protection. Agree it's very interesting; there is very little modern research
that covers practical language-based OS on multi-core hardware, yet there is
significant promise, not just in performance gains but more importantly
improvements in OS code quality (and hence maintainability) and reliability
(through limiting user applications). It only gets worse when you want to
throw in capabilities.

As you mentioned, it's proven in the form of app servers running Java or .NET;
all it is doing is making the app server the kernel.

Regards, 

Ben 
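As an added illustration, not part of the thread, of the load-time check a language-based system relies on instead of hardware paging: a toy verifier for a constructed straight-line stack bytecode that simulates operand-stack types and rejects code which would turn an integer into a pointer or underflow the stack. The opcode names and the two types `I`/`R` are assumptions for this example only.

```python
"""Toy load-time bytecode verifier: abstract interpretation over stack types.
Assumed/constructed instruction set; 'I' = integer, 'R' = object reference."""

# opcode -> (types popped, bottom to top; types pushed)
OPCODES = {
    "PUSH_INT": ((), ("I",)),        # push an integer constant
    "NEW":      ((), ("R",)),        # allocate an object, push its reference
    "ADD":      (("I", "I"), ("I",)),
    "LOAD":     (("R",), ("I",)),    # read a field through a reference
    "STORE":    (("R", "I"), ()),    # write a field through a reference
    "POP":      (("I",), ()),
}


class VerifyError(Exception):
    """Raised when a program would violate the type discipline at run time."""


def verify(program, max_stack=8):
    """Simulate the operand stack's types through straight-line code.

    Raises VerifyError on type confusion (e.g. LOAD through an integer),
    stack underflow or stack overflow. Returns the final stack types.
    Branches are deliberately omitted; a real verifier (e.g. the JVM's)
    merges stack states at join points.
    """
    stack = []
    for pc, op in enumerate(program):
        if op not in OPCODES:
            raise VerifyError(f"pc {pc}: unknown opcode {op}")
        pops, pushes = OPCODES[op]
        if len(stack) < len(pops):
            raise VerifyError(f"pc {pc}: {op} underflows the stack")
        if pops:
            for expected, actual in zip(pops, stack[-len(pops):]):
                if expected != actual:
                    raise VerifyError(
                        f"pc {pc}: {op} expects {expected}, found {actual}")
            del stack[-len(pops):]
        stack.extend(pushes)
        if len(stack) > max_stack:
            raise VerifyError(f"pc {pc}: stack exceeds {max_stack} slots")
    return stack


def loadable(program):
    """Loader policy: only code that verifies may be admitted into the
    single address space. Returns True if the program is accepted."""
    try:
        verify(program)
        return True
    except VerifyError:
        return False
```

The rejected cases are exactly those a paging system would instead catch later, at run time, as a fault on a forged address.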
