[cap-talk] Computer security traction - e.g. CapROS web server (was: Re: Running code)

Capability capability at webstart.com
Fri Mar 5 00:15:16 PST 2010


On 3/4/2010 8:36 AM, Charles Landau wrote:
> On 3/4/10 4:22 AM, Kevin Reid wrote:
>    
>> ...On somebody else's hand, I think that in the current situation,
>> much more than marketing materials, we need APPLICATIONS and LIBRARIES
>> and other forms of RUNNING CODE and LIVE DEMOS that *demonstrate* the
>> effectiveness of capability design. We've had far too much talk about
>> “this problem can be solved cap-ishly this way” and not enough of
>> *actually implementing* those designs.
>>      
> On that note, I've just announced on capros-devel that CapROS now has
> PCI, USB, and Ethernet drivers for the PC. You can now set up a
> capability-based web server on a PC.
>    

Has anybody?  Using what software running over CapROS (e.g. Apache?  A 
native CapROS web server?)?  What potential value would there be in 
doing so?

Supposing for a moment that improved security is a potential value, is 
there adequate library support for communication to back end servers 
(e.g. database, application, etc.)?

I'm willing to explore opportunities for added value from a system like 
CapROS, but in my current environment at MyPoints (a .com with roughly 
500 servers inc. ~20 load balanced Web servers) computer security seems 
even less a concern that it did while I worked at NERSC (a supercomputer 
center with several 10k processor systems valued at about $100M).  At 
NERSC we were enough of a target that we had a couple of rather 
expensive security incidents.  One shut a major server in the center for 
about a week.  At MyPoints there hasn't been anything resembling a 
security incident since I've been working there.  Possibly MyPoints is 
just less of a target or perhaps we have so few vectors into our systems 
(e.g. so few "users" - e.g. with shell access).  Occasionally we see 
what amounts to a DOS attack on the MyPoints web servers, but no such 
"attack" has been serious enough to get much notice (perhaps a Nagios 
alarm or two, but only temporary).  We have many more self inflicted 
problems (e.g. our own toolbar misbehaving and stressing the web 
servers).  I'm not sure the reason, but computer security doesn't seem 
to be a serious practical issue at MyPoints.  I wonder if this condition 
(computer security not a particularly serious issue) isn't more common 
than I'd previously supposed?  Of course this situation could change 
overnight, but if it is common then I can well understand why 
opportunities for improved computer security get little traction, 
especially if they come with a cost in software compatibility.

--Jed  http://www.webstart.com/jed/


More information about the cap-talk mailing list