radix42 at gmail.com
Sun Sep 27 21:15:36 PDT 2009
From: David-Sarah Hopwood <david-sarah at jacaranda.org>
Sent: Sunday, September 27, 2009 9:05 PM
To: General discussions concerning capability systems. <cap-talk at mail.eros-os.org>
Subject: [cap-talk] Microsoft
Do the Singularity designers do it the straightforward way? Noooo....
That would be just too easy. They manage to identify the TOCTTOU bug
that would occur if the receiver asked for the sending principal in
a separate kernel call. But the way they choose to fix it is about the
most error-prone, non-compositional, fragile (in the sense of depending
on other design decisions that should be orthogonal), and non-local
("let's extend the reliance set of one process to the state machine
for another process just for the hell of it") way you could think of --
or that you probably wouldn't think of, actually.
This is *absolutely typical* of Microsoft design. There's something
about the culture and environment of the company, that turns intelligent
people with a good sense of design aesthetics (Martín Abadi has done
really excellent work in cryptography, type theory, and program
verification, for example), into ... well, I don't know what it does
to them, and I don't particularly want to find out.
If I am ever tempted to join the dark side, which I very much doubt,
please remind me of this email.
Incidentally, when browsing through Abadi's papers at
<http://users.soe.ucsc.edu/~abadi/allpapers.html#jsds>, I came across
Authentication in the Taos Operating System
[with Edward Wobber, Michael Burrows, and Butler Lampson]
ACM Transactions on Computer Systems 12, 1 (February 1994), 3-32.
Also appeared as SRC Research Report 117.
Notice in section 3.1 (Authenticating messages):
PROCEDURE Receive(): (Prin, Msg);
Yep, that's right: two of the authors previously designed a system
that solved this problem the straightforward way. Something about
Microsoft really does warp your mind.
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
At work recently I have been forced into coding some projects with MS tools. As nice as some things about Visual Studio can be, the fact that a crypto operation that takes a one-line call in php/perl/ruby and a number of other languages needs two pages of code in .net, regardless of language used, boggles my mind.
To make this slam of MS on topic, the amount of unneeded complexity and amount of code (boilerplate or otherwise) needed in MS programming frameworks in relation to just about everything else I've seen makes things so error prone and hard to verify that it has literally had me in tears.
This makes even coding in a POLA style nigh unto impossible.