Is a VM really required? Eyal Lotem (peaker@makif.omer.k12.il)
Sun, 8 Aug 1999 21:46:30 +0300

I'm generally very interested in EROS and capability systems, but I might be misinformed about it, so please correct me if I get it all wrong. As I understood, EROS operates on the principle of least privilege, and small trusted code bases when possible, but a Virtual Machine under the OS seems to be contradicting this. High-level access to objects and capabilities is implemented with the least-privilege principle in mind, but what about the low-level access that drivers in the VM can abuse? Low-level control of the machine is just as good as high-level control, but is generally more overlooked.

The VM forces the design to give up the principle of least privilege for the implementation of a simple architecture under the OS, but all that is not necessary. The OS could be on the lowest level, having a VM 'formed' of user-level applications, with capabilities to access hardware (drivers). That would be more consistent with the rest of the design, and even require fewer transitions between CPU ring levels (jumps to kernel-level code). A capability to hardware could be implemented a bit differently - using the I/O bitmap and IOPL as the mechanism to 'implement' the capability. Due to the limited flexibility of Intel and other processors, that would not completely follow the principle of least privilege, but will be much closer to it.

I would be interested in knowing why EROS chose to have a large trusted code base containing hardware-access drivers under the OS.

Eyal Lotem
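The message above proposes using the x86 I/O permission bitmap as the enforcement mechanism for a hardware capability. The following C code is an added illustration of that idea, not code from the original message or from EROS: it builds a bitmap in the layout the x86 TSS expects (one bit per port, a set bit meaning "deny", followed by a terminating 0xFF byte) and mirrors the CPU's rule that a multi-byte access is allowed only if every byte's bit is clear. The COM1 port block (0x3F8-0x3FF) used as the granted range is a constructed example; nothing here installs the bitmap into a real TSS.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_PORT_COUNT 65536u
#define IOPB_BYTES (IO_PORT_COUNT / 8u)

/* I/O permission bitmap as laid out in the x86 TSS: one bit per port,
 * set bit = access denied for code running at CPL > IOPL. The CPU requires
 * one extra all-ones byte after the bitmap, hence the +1. */
typedef struct {
    uint8_t bits[IOPB_BYTES + 1];
} iopb_t;

/* Default-deny: every port faults until a capability is granted. */
void iopb_init_deny_all(iopb_t *b) {
    memset(b->bits, 0xFF, sizeof b->bits);
}

/* Grant access to ports [first, first + count). Refuses ranges that would
 * run past the port space (and so into the terminator byte). */
bool iopb_grant(iopb_t *b, uint16_t first, unsigned count) {
    if (count == 0 || (unsigned)first + count > IO_PORT_COUNT)
        return false;
    for (unsigned p = first; p < (unsigned)first + count; p++)
        b->bits[p >> 3] &= (uint8_t)~(1u << (p & 7));
    return true;
}

/* Revoke a previously granted range by setting its bits again. */
bool iopb_revoke(iopb_t *b, uint16_t first, unsigned count) {
    if (count == 0 || (unsigned)first + count > IO_PORT_COUNT)
        return false;
    for (unsigned p = first; p < (unsigned)first + count; p++)
        b->bits[p >> 3] |= (uint8_t)(1u << (p & 7));
    return true;
}

/* Mirror the CPU's check for a width-byte IN/OUT at port: allowed only if the
 * bit of every byte touched is clear. An access running off the end of the
 * port space hits the terminator byte and is denied. */
bool iopb_allows(const iopb_t *b, uint16_t port, unsigned width) {
    for (unsigned p = port; p < (unsigned)port + width; p++) {
        if (p >= IO_PORT_COUNT)
            return false;
        if (b->bits[p >> 3] & (1u << (p & 7)))
            return false;
    }
    return true;
}

/* A "capability" holding only the COM1 register block (constructed example
 * range 0x3F8-0x3FF): report whether a given access would be permitted. */
bool com1_capability_allows(uint16_t port, unsigned width) {
    iopb_t b;
    iopb_init_deny_all(&b);
    iopb_grant(&b, 0x3F8, 8);
    return iopb_allows(&b, port, width);
}

/* True if the terminator byte is intact after building the COM1 capability. */
bool com1_capability_terminator_intact(void) {
    iopb_t b;
    iopb_init_deny_all(&b);
    iopb_grant(&b, 0x3F8, 8);
    return b.bits[IOPB_BYTES] == 0xFF;
}

int main(void) {
    printf("COM1 data port byte access: %s\n",
           com1_capability_allows(0x3F8, 1) ? "allowed" : "denied");
    printf("keyboard controller port 0x60: %s\n",
           com1_capability_allows(0x60, 1) ? "allowed" : "denied");
    printf("dword access straddling end of COM1 block: %s\n",
           com1_capability_allows(0x3FE, 4) ? "allowed" : "denied");
    return 0;
}
```

The point of the default-deny initialisation and the per-byte check is that a driver holding such a capability can touch only the registers it was granted; an access that straddles the granted range is refused as a whole, which is also how the processor itself behaves.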