From: bakul at bitblocks.com (Bakul Shah)
Date: Thu, 05 Jul 2018 22:42:55 -0700
Subject: [COFF] Other OSes?
In-Reply-To: Your message of "Thu, 05 Jul 2018 20:55:38 -0400."
References: <20180705055650.GA2170@minnie.tuhs.org>
Message-ID: <20180706054302.72718156E400@mail.bitblocks.com>

On Thu, 05 Jul 2018 20:55:38 -0400 Dan Cross wrote:
> A few more specific things I think would be cool to see in a beyond-Unix OS:
>
> 1. Multics-style multi-level security within a process. Systems like CHERI
> are headed in that direction and Dune and gVisor give many of the benefits,
> but I've wondered if one could leverage hardware-assisted nested
> virtualization to get something analogous to Multics-style rings. I imagine
> it would be slow....

In traditional machines a protection domain is tightly coupled with a
virtual address space. Code in one address space cannot touch anything
in another address space (unless the same VM object is mapped in both).
Except for shared memory mapping, any other communication must be
mediated by a kernel. [x86 has call gates but they are not used much
if at all]

In the Mill arch. a protection domain is decoupled from virtual address
space. That is, code in one domain cannot directly touch anything in
another domain but can call functions in another domain, provided it
has the right sort of access rights. Memory can be mapped into multiple
domains so once mapped, access becomes cheap. This also means
everything can be in the same virtual address space.

In traditional systems there is a mode switch when a process makes a
supervisor call but this is dangerous (access to everything in kernel
mode so people want nested domains). In Mill a thread can traverse
through multiple protection domains -- sort of like in the Alpha Real
Time Kernel where a thread can traverse through a number of nodes[1] --
and each node in effect is its own protection domain.

This means instead of a syscall you can make a shared library call
directly to a service running in another domain and what this function
can access from your domain is very tightly constrained. The need for a
privileged kernel completely disappears!

Mill ideas are very much worth exploring. It will be possible to build
highly secure systems with it -- if it ever gets sufficiently funded
and built!

IMHO layers of mapping as with virtualization/containerization are not
really needed for better security or isolation.

> 2. Is mmap() *really* the best we can do for mapping arbitrary resources
> into an address space?

I think this is fine. Even remote objects mmapping should work!

> 3. A more generalized message passing system would be cool. Something where
> you could send a message with a payload somewhere in a synchronous way
> would be nice (perhaps analogous to channels). VMS-style mailboxes would
> have been neat.

Erlang. Carl Hewitt's Actor model has this.

[1] http://tierra.aslab.upm.es/~sanz/cursos/DRTS/AlphaRtDistributedKernel.pdf