Shared address space and trust and what is a "user" [Re: Our Manifesto (Please Read)]
Wed, 07 May 1997 19:41:22 -0500
> The problem I can see with that, is that since all processes in a
> lispOS are "trusted", and share the same address space, then having
> native binaries opens the way for hackers to write rogue programs.
> Or maybe something can be done with trusted keys to ensure a
> particular binary is trusted???
This again brings up a topic that came up briefly with Mike in private mail.
In today's Internet environment, you really can't run services on a system in
which the server code has access to the full system because the risk of
security bugs is so great. If LispMs had become as popular as Unix systems
have become, the problem with viruses and hackers would be far worse than it
I'm entirely underqualified to solve the issues involved, but someone needs to
think about how we either isolate different users in the same address space or
how we pass objects between processes running as different users.
Also, what exactly is a "user" in a LispOS? In the mail I sent about the
security needs of an SMTP server, I mentioned running .forward-style hooks as
the receiving user rather than as something like "root". What does that really
mean in a LispOS?
The model I have in mind for a MTA (Mail Transport Agent) runs something like:
A daemon runs in a secure space and listens to port 25. It receives a
message and stores it in an object which it then passes to...
A second process which runs in a mode that is capable of starting new
processes in various user spaces. It looks at the message from the daemon and
if it's for a local user, it spawns...
multiple processes running as various users with access to their data. These
processes look for .forward type hooks (are these methods on user objects,
maybe?) and run the code in those hooks or drop the email in a mailbox for
the user. If that user happens to be logged in and happens to be running an
MUA (Mail User Agent) it passes a message to that user agent that new mail has
arrived so that it can do the appropriate thing.
I don't even know what half the things I just said would actually mean in
LispOS, but I do know that a server system will need to be able to deal with
BTW, much of this would be needed for applications other than email as well:
A user would need to be able to remotely log into another system that already
has someone on the console w/o interfering with the programs that the other
user has up and running, but they would need to be able to "talk" with one
another somehow. A web server would need to run in a secure space with its
cgi running in an even more secure space. An ftp server would need to be able
to support anonymous dropoffs as well as dropoffs as any existing user. &c.
Who out there understands these issues well enough to make a LispOS system a
safer network citizen than a Unix box?
Chris Garrigues O- cwg@DeepEddy.Com
Deep Eddy Internet Consulting +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513 http://www.DeepEddy.Com/~cwg/
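As an added illustration (not code from the post or from any LispOS project), here is the three-stage MTA pipeline described above modelled in Python inside one address space, with isolation coming from object capabilities rather than from separate processes: each stage holds only the references it was handed, so a .forward-style hook runs with its own user's authority and nothing more. The `sender|recipient|body` wire format is a constructed stand-in for SMTP, and the class names are assumptions for the sake of the example.

```python
# Added illustration (not from the original post): the daemon / dispatcher /
# per-user stages of the MTA sketch, in one address space. A stage can only
# act on objects it holds a reference to; there is no ambient "root".
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str   # local part only, e.g. "alice"
    body: str


class UserSpace:
    """Per-user authority: a mailbox plus optional .forward-style hooks,
    which the post suggests could be methods on the user object itself.
    Nothing outside this object holds a reference to the mailbox."""
    def __init__(self, name):
        self.name = name
        self.mailbox = []
        self.hooks = []          # callables run *as this user*

    def add_hook(self, hook):
        self.hooks.append(hook)

    def deliver(self, msg):
        # A hook is handed only this space and the message; it cannot reach
        # the dispatcher or any other user's mailbox through these arguments.
        for hook in self.hooks:
            if hook(self, msg) is True:   # hook consumed the message
                return "hooked"
        self.mailbox.append(msg)
        return "mailbox"


class Dispatcher:
    """Second stage: the only object able to enter a user space. It maps
    recipient names to spaces and hands each message into exactly one."""
    def __init__(self, spaces):
        self._spaces = {s.name: s for s in spaces}

    def route(self, msg):
        space = self._spaces.get(msg.recipient)
        if space is None:
            return "bounce"     # not a local user; nothing is touched
        return space.deliver(msg)


def smtp_daemon(raw_line, dispatcher):
    """First stage: parses one constructed wire line and passes an immutable
    Message on. It holds no user mailbox references at all."""
    sender, rcpt, body = raw_line.split("|", 2)
    return dispatcher.route(Message(sender, rcpt, body))
```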