[EROS-Arch] Questioning need for Call Count
Bill Frantz
frantz@communities.com
Thu, 09 Nov 2000 16:46:56 -0800
At 05:32 PM 11/9/00 -0500, Jonathan S. Shapiro wrote:
>> GAK! This proposal means if I don't fully trust the implementation of, and
>> the people who hold/can obtain domain keys to, every domain I call...
>
>If you don't trust these people/programs, then you already have no business
>calling the domain, as you cannot trust the integrity of any answer the
>domain may give you. You seem to be arguing that it might under some
>conditions be safe to call a domain that you do not trust. I am unable to
>imagine how that might be.
I think we have very different views of the situation. I ask, if I trusted
the server, why would I be using a capability system? Do I trust myself
not to make a mistake? If so, why did I have to learn gdb?
The issues here are both security and fault isolation. The simplest
security example I can imagine is the user's shell. It, with its access
to all the user's capabilities, should not trust any of the programs it
calls. While it probably has to trust the file directory object, and the
input stream, it certainly shouldn't trust the commands it calls.
The fault isolation example I worry most about is me running the debugger
on the server. The next one is some weird bug in, say, the Oracle driver
which invokes a key register without first loading it.
If I have to use cryptographically secure random number generators to get
security in my shell, then that will certainly affect performance, and trust.