[E-Lang] Performance and complete mediation
David Wagner
daw@cs.berkeley.edu
Mon, 6 Aug 2001 11:51:59 -0700 (PDT)
Alan Karp recently wrote the following about mediated requests
between processes in e-speak Beta 1.0:
> After a fair amount of tuning effort, our round trip trivial
> request time was 1 ms on a 300 MHz Pentium.
Maybe I misunderstood something, but it seems that the stack introspection
paper argued that this is orders of magnitude larger than one would like.
Am I missing something?
In Wallach et al.'s paper on stack introspection, they argue that
an important barrier to fine-grained protection domains is the cost
of crossing protection domains. They show some simple applications
that make about 30,000 boundary crossings per second, and argue that
cross-domain calls need to run in microseconds to take advantage of the
natural structure of the system (in terms of least privilege).
They argued that if cross-domain calls take longer than this, programmers
would be dissuaded from taking advantage of the natural structure of code
and would structure the application in unnaturally coarse-grained domains,
with attendant loss in security. (Since the isolation properties of a
safe language are partially intended to prevent failures from crossing
protection domains, aggregating domains in this way violates the principle
of least privilege and thereby increases the risks.)
If you buy into this argument, and if cross-domain calls take 1 ms on
your platform, then it would appear that programmers will be artificially
steered towards unnecessarily risky architectures for the code they
write. This line of reasoning suggests that performance has important
implications on security, and moreover that 1 ms might not be fast enough.
That's if you buy into their argument. If you're not convinced by this
argument, then all bets are off, of course.
Did I go wrong somewhere?
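The arithmetic behind the message, as an added example that is not code from the E-Lang thread, from e-speak or from the Wallach et al. paper: the block below measures what a trivial request answered by another process costs on the machine it runs on (a pipe round trip stands in for a mediated request; the echo protocol and the iteration counts are this example's own assumptions), compares that with a plain in-process call, and then applies the 30,000 crossings per second figure cited above to show what fraction of wall-clock time mediation would consume at 1 ms, at the measured cost, and at 1 µs per crossing.

```python
"""Added example (not from the E-Lang thread, e-speak or Wallach et al.):
measure a cross-process round trip on this machine and apply the crossing
rate cited in the message to it. The echo protocol and the numbers used at
the bottom are this example's own assumptions."""
import time
from multiprocessing import Pipe, Process

CROSSINGS_PER_SECOND = 30_000  # figure cited in the message, from Wallach et al.


def _echo_server(conn):
    """Child process standing in for the other protection domain: answers
    each one-byte request with a one-byte reply until it sees the shutdown
    byte (b"q", an assumption of this example)."""
    while True:
        msg = conn.recv_bytes()
        if msg == b"q":
            break
        conn.send_bytes(msg)
    conn.close()


def measure_cross_process_rtt(iterations=2000):
    """Mean seconds per trivial request answered by another process over a
    pipe, a crude stand-in for the mediated round trip e-speak measured."""
    parent, child = Pipe()
    server = Process(target=_echo_server, args=(child,))
    server.start()
    child.close()                      # the child owns its end now
    for _ in range(100):               # warm up the pipe and scheduler
        parent.send_bytes(b"x")
        parent.recv_bytes()
    start = time.perf_counter()
    for _ in range(iterations):
        parent.send_bytes(b"x")
        parent.recv_bytes()
    elapsed = time.perf_counter() - start
    parent.send_bytes(b"q")            # tell the child to exit
    parent.close()
    server.join()
    return elapsed / iterations


def measure_in_process_call(iterations=200_000):
    """Mean seconds for the same trivial request made as a plain function
    call inside one domain: the cost a fine-grained design competes with."""
    def trivial(x):
        return x
    start = time.perf_counter()
    for _ in range(iterations):
        trivial(b"x")
    return (time.perf_counter() - start) / iterations


def mediation_fraction(seconds_per_crossing, crossings_per_second):
    """Fraction of each wall-clock second spent only on domain crossings.
    A value of 1.0 or more means the crossing rate cannot be sustained."""
    return seconds_per_crossing * crossings_per_second


def max_affordable_crossing(crossings_per_second, budget_fraction):
    """Largest per-crossing cost that keeps mediation within budget_fraction
    of wall-clock time at the given crossing rate."""
    return budget_fraction / crossings_per_second


if __name__ == "__main__":
    rtt = measure_cross_process_rtt()
    local = measure_in_process_call()
    print(f"cross-process round trip: {rtt * 1e6:9.1f} us")
    print(f"in-process call:          {local * 1e6:9.3f} us")
    # 1 ms is the e-speak figure quoted in the message; 1 us is the order
    # of magnitude Wallach et al. argue for.
    for cost in (1e-3, rtt, 1e-6):
        frac = mediation_fraction(cost, CROSSINGS_PER_SECOND)
        print(f"{cost * 1e6:9.1f} us/crossing at {CROSSINGS_PER_SECOND}/s -> "
              f"{frac:.1%} of wall clock")
    budget = max_affordable_crossing(CROSSINGS_PER_SECOND, 0.10)
    print(f"a 10% mediation budget allows at most {budget * 1e6:.2f} us per crossing")
```

At 1 ms per crossing the 30,000 crossings per second figure works out to 30 seconds of mediation per second of wall clock, which is to say the application cannot run at that rate at all; holding mediation to a tenth of the wall clock at that rate leaves roughly 3 µs per crossing, which is the "microseconds" conclusion in the message. The measured pipe round trip is there so that a reader can see where a real process boundary on their own platform falls between those two numbers.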