[cap-talk] Tanenbaum interview - notes on microkernels and capabilities

Jed Donnelley capability at webstart.com
Sun Nov 20 17:29:58 PST 2011


On 11/20/2011 8:47 AM, A friend wrote:
> He dishes on Linus and explains why Linux and not *BSD is the dominant
> OS.  Plus comments on microkernel architectures and a comment on
> capability-based systems:
>
> http://linuxfr.org/nodes/88229/comments/1291183

Ha.  Putting the blame on the lawsuit AT&T brought against the 
1-800-ITS-UNIX telephone number is amusing:

> *LinuxFr.org : So you don't think the so-called "fairness" of the GPL 
> ("your improvements need to be available the same way the original is 
> available"), the bazaar model and a great project leader triggered the 
> contributions to the Linux kernel? For you it's only dumb luck?*
>
> *Andrew Tanenbaum :* Yes, I think Linux succeeded against BSD, which 
> was a stable, mature system at the time, simply because BSDI got stuck 
> in a lawsuit and was effectively stopped for several years.

then regarding capabilities:

> *LinuxFr.org : Do you think a capability-based OS like Coyotos is a 
> good solution to increase security?*
>
> *Andrew Tanenbaum :* Capability systems have been around for 40 years. 
> At the recent SOSP conference, M.I.T. professor Jack Dennis got an 
> award for inventing them in 1967. They definitely have potential. My 
> first distributed system, Amoeba, used them.
>

Capabilities as data.

> *Andrew Tanenbaum :*  Coyotos, however, is going nowhere.
>
> ------------------------------------------------------------------------
>
> *LinuxFr.org : Finally, what is your dream for MINIX? Take over the 
> world?*
>
> *Andrew Tanenbaum :* I am too modest for that. One thing I would like, 
> when microkernels take over the world, which I fully expect, is that 
> we at least get a footnote. Many hypervisors are getting more 
> and more functionality over time until they are indistinguishable from 
> a microkernel, only not designed well. With the Android people and 
> Microsoft moving more and more code into user space, we are also 
> moving in that direction.
>
> Being ahead of your time is never good. I published a paper in 1978 on 
> something very close to the Java Virtual Machine, but we never got 
> much credit for it although we were years ahead of Sun. Such is life 
> sometimes.
>

I don't see much point to microkernels if they aren't used to separate 
domains for improved reliability and security.  If they don't have a 
means for dynamically controlled sharing of authority then what's the 
point?  What other means is there for dynamic and controlled sharing of 
authority other than the object model (capabilities)?  Are programs 
going to start running around modifying ACLs on the fly?  If so, which 
programs?  How do they decide what modifications to make?  If a module 
(protected/restricted code running in a microkernel) with an authority 
is allowed to grant such an authority to another module, then it becomes 
essentially a capability model - whatever the implementation.

I see very little added value to microkernel systems if application 
level programs don't participate in the reductions of authority with a 
dynamic means (e.g. power boxes) of managing that authority.

In this regard, does anybody (cap-talk?) know how the Apple 
"entitlements" work?

(referring again to: 
http://arstechnica.com/apple/reviews/2011/07/mac-os-x-10-7.ars/9 )

How are they managed dynamically?  Perhaps somebody can explain this?  
If not capabilities then what?

--Jed

http://www.webstart.com/jed/
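The contrast Jed draws above, between a module that can hand its authority (or a narrowed slice of it) to another module and a module that has to get someone to edit an ACL, as an added worked example. This is not code from the post, from Amoeba or from Coyotos; the file server, the READ/WRITE rights bits, the HMAC check field and the app/logger/analyzer scenario are all constructed here for illustration.

```python
"""Toy sparse-capability model beside an ACL model.  Added example, not code
from the post, Amoeba or Coyotos; every name and scenario is constructed."""
import hashlib
import hmac
import os
from collections import namedtuple

READ, WRITE = 1, 2

# A capability is plain data: (object id, rights bitmask, check field).  Any module
# may copy it to any other; the check field is an HMAC under a secret only the
# server holds, so a copy with altered rights is detected as a forgery.
Cap = namedtuple("Cap", "obj rights check")


class Forged(Exception):
    pass


class FileServer:
    """Owns the objects and the secret; validates every capability it is shown."""

    def __init__(self):
        self._secret = os.urandom(32)   # never leaves the server
        self._files = {}

    def _check(self, obj, rights):
        return hmac.new(self._secret, f"{obj}\x00{rights}".encode(), hashlib.sha256).digest()

    def _validate(self, cap):
        if not hmac.compare_digest(cap.check, self._check(cap.obj, cap.rights)):
            raise Forged("check field does not match object/rights")

    def create(self, name, content):
        """Create an object and hand back its full-rights capability."""
        self._files[name] = content
        return Cap(name, READ | WRITE, self._check(name, READ | WRITE))

    def restrict(self, cap, rights):
        """Attenuation: any holder may derive a capability with a subset of its rights."""
        self._validate(cap)
        if rights & ~cap.rights:
            raise PermissionError("cannot add rights the parent capability lacks")
        return Cap(cap.obj, rights, self._check(cap.obj, rights))

    def use(self, cap, right):
        """Exercise one right; returns the object's content if the cap permits it."""
        self._validate(cap)
        if not cap.rights & right:
            raise PermissionError("capability lacks that right")
        return self._files[cap.obj]


class AclServer:
    """ACL counterpart: access is keyed by principal, and editing the ACL is the owner's privilege."""

    def __init__(self):
        self._owner, self._acl = {}, {}   # obj -> owner, obj -> {principal: rights}

    def create(self, owner, name):
        self._owner[name] = owner
        self._acl[name] = {owner: READ | WRITE}

    def grant(self, actor, name, principal, rights):
        if actor != self._owner[name]:
            raise PermissionError("only the owner may edit the ACL")
        self._acl[name][principal] = rights

    def can(self, principal, name, right):
        return bool(self._acl[name].get(principal, 0) & right)


def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False


def cap_demo():
    """Constructed scenario: an app hands a logging module read-only access to its log."""
    srv = FileServer()
    owner_cap = srv.create("log.txt", b"boot ok")
    ro_cap = srv.restrict(owner_cap, READ)   # the holder narrows it, then just passes ro_cap on
    return (
        srv.use(ro_cap, READ),                                               # b"boot ok"
        _raises(PermissionError, srv.use, ro_cap, WRITE),                    # True
        _raises(Forged, srv.use, Cap(ro_cap.obj, READ | WRITE, ro_cap.check), READ),  # True: flipped bit caught
        _raises(PermissionError, srv.restrict, ro_cap, READ | WRITE),        # True: no amplification
    )


def acl_demo():
    """Same scenario with an ACL: the owner must act, and the logger cannot pass access on."""
    acl = AclServer()
    acl.create("app", "log.txt")
    acl.grant("app", "log.txt", "logger", READ)
    return (
        acl.can("logger", "log.txt", READ),                                           # True
        _raises(PermissionError, acl.grant, "logger", "log.txt", "analyzer", READ),   # True
    )
```

In the capability half, the logger gets its authority by being handed `ro_cap` and nobody else has to be consulted; in the ACL half, the owner has to act on the logger's behalf and the logger has no way to pass access to a third module. The check field does the job an unforgeable kernel-held reference does in an in-kernel capability system, and carrying it as data is what lets a module move authority across address-space boundaries. Routing `restrict` through the server is a design choice of this toy, made so that the secret lives in exactly one place.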