From: bakul at bitblocks.com (Bakul Shah)
Subject: [COFF] Other OSes?
Date: Thu, 05 Jul 2018 22:42:55 -0700 [thread overview]
Message-ID: <20180706054302.72718156E400@mail.bitblocks.com> (raw)
In-Reply-To: Your message of "Thu, 05 Jul 2018 20:55:38 -0400." <CAEoi9W4EOHmP342vShW742duLVQUi1T3Yj=Nx-2nbYooWr6Q7A@mail.gmail.com>
On Thu, 05 Jul 2018 20:55:38 -0400 Dan Cross <crossd at gmail.com> wrote:
> A few more specific things I think would be cool to see in a beyond-Unix OS:
>
> 1. Multics-style multi-level security within a process. Systems like CHERI
> are headed in that direction and Dune and gVisor give many of the benefits,
> but I've wondered if one could leverage hardware-assisted nested
> virtualization to get something analogous to Multics-style rings. I imagine
> it would be slow....
In traditional machines a protection domain is tightly
coupled with a virtual address space. Code in one
address space can not touch anything in another address
space (unless the same VM object is mapped in both). Except
for shared memory mapping, any other communication must be
mediated by a kernel. [x86 has call gates but they are not
used much if at all]
In the Mill arch. a protection domain is decoupled from
virtual address space. That is, code in one domain can not
directly touch anything in another domain but can call
functions in another domain, provided it has the right sort of
access rights. Memory can be mapped into multiple domains so
once mapped, access becomes cheap. This also means everything
can be in the same virtual address space.
In traditional systems there is a mode switch when a process
makes a supervisor call but this is dangerous (access to
everything in kernel mode so people want nested domains).
In Mill a thread can traverse through multiple protection
domains -- sort of like in the Alpha Real Time Kernel where a
thread can traverse through a number of nodes[1] -- and each
node in effect is its own protection domain. This means
instead of a syscall you can make a shared librar call
directly to service running in anothter domain and what this
function can access from your domain is very tighly
constrained. The need for a privileged kernel completely
disappears!
Mill ideas are very much worth exploring. It will be possible
to build highly secure systems with it -- if it ever gets
sufficiently funded and built! IMHO layers of mapping as with
virtualization/containerization are not really needed for
better security or isolation.
> 2. Is mmap() *really* the best we can do for mapping arbitrary resources
> into an address space?
I think this is fine. Even remote objects mmapping should
work!
> 3. A more generalized message passing system would be cool. Something where
> you could send a message with a payload somewhere in a synchronous way
> would be nice (perhaps analogous to channels). VMS-style mailboxes would
> have been neat.
Erlang. Carl Hewitt's Actor model has this.
[1] http://tierra.aslab.upm.es/~sanz/cursos/DRTS/AlphaRtDistributedKernel.pdf
next prev parent reply other threads:[~2018-07-06 5:42 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-05 5:56 wkt
2018-07-05 6:29 ` spedraja
2018-07-05 6:40 ` bakul
2018-07-05 15:23 ` clemc
2018-07-05 20:49 ` scj
2018-07-05 21:25 ` david
2018-07-06 15:42 ` gtaylor
2018-07-05 22:38 ` ralph
2018-07-05 23:11 ` bakul
2018-07-06 0:06 ` lm
2018-07-06 15:49 ` gtaylor
2018-07-06 0:52 ` tytso
2018-07-06 5:59 ` ralph
2018-07-06 15:59 ` gtaylor
2018-07-06 16:10 ` ralph
2018-07-06 16:47 ` gtaylor
2018-07-06 15:57 ` gtaylor
2018-07-06 15:38 ` gtaylor
2018-07-09 1:56 ` tytso
2018-07-09 3:25 ` gtaylor
2018-07-09 3:35 ` crossd
2018-07-09 3:43 ` gtaylor
2018-07-09 3:52 ` imp
2018-07-09 11:32 ` perry
2018-07-09 11:50 ` perry
2018-07-09 11:34 ` crossd
2018-07-09 5:23 ` tytso
2018-07-09 12:52 ` clemc
2018-07-09 13:06 ` [COFF] PiDP Obsolesces Guaranteed clemc
2018-07-09 14:39 ` [COFF] Other OSes? tytso
2018-07-09 14:46 ` clemc
2018-07-09 11:24 ` perry
2018-07-05 22:51 ` ewayte
2018-07-08 20:31 ` perry
2018-07-08 20:53 ` perry
2018-07-09 2:44 ` crossd
2018-07-10 5:30 ` bakul
2018-07-16 14:49 ` crossd
2018-07-16 16:59 ` [COFF] Capabilities (was " bakul
2018-07-06 0:55 ` [COFF] " crossd
2018-07-06 5:42 ` bakul [this message]
2018-07-09 2:51 ` crossd
2018-07-10 5:41 ` bakul
2018-07-06 4:04 ` grog
2018-07-06 16:10 ` gtaylor
2018-07-06 18:27 ` [COFF] Editor Scripts scj
2018-07-06 19:04 ` gtaylor
2018-07-08 20:50 ` [COFF] Other OSes? perry
2018-07-08 23:27 ` bakul
2018-07-09 0:00 ` grog
2018-07-09 0:13 ` perry
2018-07-09 0:05 ` crossd
2018-07-09 0:56 ` lm
2018-07-09 2:23 ` crossd
2018-07-09 0:11 ` perry
2018-07-09 0:19 ` crossd
2018-07-09 2:00 ` bakul
2018-07-09 3:02 ` [COFF] Origination of awful security design [COFF, COFF] bill
2018-07-09 13:10 ` [COFF] Other OSes? david
2018-07-09 13:17 ` perry
2018-07-09 13:13 ` perry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180706054302.72718156E400@mail.bitblocks.com \
--to=coff@minnie.tuhs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).