Shared address space and trust and what is a "user" [Re: Our Manifesto (Please Read)]

cwg@DeepEddy.Com
Wed, 07 May 1997 19:41:22 -0500

> The problem I can see with that, is that since all processes in a
> lispOS are "trusted", and share the same address space, then having
> native binaries opens the way for hackers to write rogue programs.
> Or maybe something can be done with trusted keys to ensure a
> particular binary is trusted???

This again brings up a topic that came up briefly with Mike in private mail. 

In today's Internet environment, you really can't run services on a system in
which the server code has access to the full system because the risk of 
security bugs is so great.  If LispMs had become as popular as Unix systems 
have become, the problem with viruses and hackers would be far worse than it 

I'm entirely underqualified to solve the issues involved, but someone needs to 
think about how we either isolate different users in the same address space or 
how we pass objects between processes running as different users.

Also, what exactly is a "user" in a LispOS?  In the mail I sent about the 
security needs of an SMTP server, I mentioned running .forward-style hooks as 
the receiving user rather than as something like "root".  What does that really 
mean in a LispOS?

The model I have in mind for a MTA (Mail Transport Agent) runs something like 

A daemon runs in a secure space and listens to port 25.  It receives a 
message and stores it in an object which it then passes to...

A second process which runs in a mode that is capable of starting new 
processes in various user spaces.  It looks at the message from the daemon and 
if it's for a local user, it spawns...

multiple processes running as various users with access to their data.  These 
processes look for .forward type hooks (are these methods on user objects, 
maybe?) and run the code in those hooks or drop the email in a mailbox for 
the user.  If that user happens to be logged in and happens to be running an 
MUA (Mail User Agent) it passes a message to that user agent that new mail has
arrived so that it can do the appropriate thing.

I don't even know what half the things I just said would actually mean in 
LispOS, but I do know that a server system will need to be able to deal with 
such concepts.

BTW, much of this would be needed for applications other than email as well:
A user would need to be able to remotely log into another system that already 
has someone on the console w/o interfering with the programs that the other 
user has up and running, but they would need to be able to "talk" with one 
another somehow.  A web server would need to run in a secure space with its 
cgi running in an even more secure space.  An ftp server would need to be able 
to support anonymous dropoffs as well as dropoffs as any existing user.  &c.

Who out there understands these issues well enough to make a LispOS system a 
safer network citizen than a Unix box?


Chris Garrigues                    O-              cwg@DeepEddy.Com
  Deep Eddy Internet Consulting                     +1 512 432 4046
  609 Deep Eddy Avenue
  Austin, TX  78703-4513              http://www.DeepEddy.Com/~cwg/
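The listener / dispatcher / per-user-worker pipeline sketched in the message above is roughly how a Unix MTA answers the "run the .forward hook as the receiving user" question, so here is that half of it in working code. This is an added example, not code from the original post or from the LispOS project: it uses Unix uid-based privilege separation (fork, then an irrevocable setresgid/setresuid in the child) in place of the shared-address-space isolation the post asks about. Everything in it is this example's own assumption: the Message type, the three-kind .forward grammar (mailbox path, "|command", address to re-queue), the dispatch/deliver/run_demo helpers, and the constructed message and hook file. It needs a Unix host; run as root it really switches the worker to the target user and checks that root cannot be regained, run unprivileged it can only deliver to the current user.

```python
"""Added example: privilege-separated delivery of one message to a user's
.forward hooks (Unix uid model, not LispOS).  Names and sample data here are
this example's own assumptions."""
import os
import pwd
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    sender: str
    body: bytes


def parse_forward(text: str) -> list:
    """Turn .forward-style text into (kind, value) pairs: "/path" appends to a
    mailbox, "|cmd" pipes the message into a command, anything else is an
    address the dispatcher must re-queue.  Blank lines and '#' comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("|"):
            entries.append(("pipe", line[1:].strip()))
        elif line.startswith("/"):
            entries.append(("mailbox", line))
        else:
            entries.append(("address", line))
    return entries


def drop_privileges(user: pwd.struct_passwd) -> None:
    """Switch this process to `user` for good (real, effective and saved ids),
    then prove root cannot be regained.  Refuses to 'drop' to uid 0."""
    if os.geteuid() != 0:
        raise PermissionError("only root can switch to another user")
    os.initgroups(user.pw_name, user.pw_gid)          # supplementary groups first
    os.setresgid(user.pw_gid, user.pw_gid, user.pw_gid)
    os.setresuid(user.pw_uid, user.pw_uid, user.pw_uid)
    try:
        os.setuid(0)                                   # must fail now
    except PermissionError:
        return
    raise RuntimeError("privilege drop was not irrevocable; refusing to run hooks")


def deliver(msg: Message, home: str) -> list:
    """Worker side, already running as the recipient: honour ~/.forward, else
    append to ~/Mailbox.  Returns addresses to re-queue."""
    entries = [("mailbox", os.path.join(home, "Mailbox"))]
    forward = os.path.join(home, ".forward")
    if os.path.exists(forward):
        with open(forward) as f:
            entries = parse_forward(f.read()) or entries
    requeue = []
    for kind, value in entries:
        if kind == "mailbox":
            with open(value, "ab") as mbox:            # minimal mbox-style separator
                mbox.write(b"From %s\n%s\n" % (msg.sender.encode(), msg.body))
        elif kind == "pipe":
            # The hook runs with the worker's dropped credentials, never root's.
            subprocess.run(value, shell=True, input=msg.body, check=True, cwd=home)
        else:
            requeue.append(value)
    return requeue


def dispatch(msg: Message, user: pwd.struct_passwd, home: Optional[str] = None) -> tuple:
    """Dispatcher side: fork one worker per message.  The message is copied into
    the child; results come back over a pipe, the only channel between the two
    trust levels.  Returns (worker exit code, addresses to re-queue)."""
    home = home or user.pw_dir
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                       # worker: never returns here
        os.close(rfd)
        code = 1
        try:
            if os.geteuid() == 0:
                drop_privileges(user)
            elif os.geteuid() != user.pw_uid:
                raise PermissionError("not root: can only deliver as the current user")
            os.write(wfd, "\n".join(deliver(msg, home)).encode())
            code = 0
        except Exception as exc:                       # worker failures stay in the worker
            os.write(2, f"worker for {user.pw_name}: {exc}\n".encode())
        finally:
            os._exit(code)
    os.close(wfd)
    chunks = []
    while chunk := os.read(rfd, 4096):
        chunks.append(chunk)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    addresses = [a for a in b"".join(chunks).decode().split("\n") if a]
    return os.waitstatus_to_exitcode(status), addresses


def run_demo() -> dict:
    """Deliver one constructed message into a throwaway home directory whose
    .forward exercises all three entry kinds.  As root, the target is 'nobody'
    so the privilege drop is real; otherwise the target is the current user."""
    me = pwd.getpwuid(os.geteuid())
    if me.pw_uid == 0:
        me = pwd.getpwnam("nobody")
    home = tempfile.mkdtemp(prefix="mta-demo-")
    os.chown(home, me.pw_uid, me.pw_gid)
    with open(os.path.join(home, ".forward"), "w") as f:
        f.write(f"# constructed hook file\n{home}/Mailbox\n|cat >> piped.txt\nalias@example.net\n")
    msg = Message(sender="alice@example.net", body=b"Subject: test\n\nhello\n")
    code, requeue = dispatch(msg, me, home)
    with open(os.path.join(home, "Mailbox"), "rb") as mb, open(os.path.join(home, "piped.txt"), "rb") as pp:
        return {"code": code, "requeue": requeue, "mailbox": mb.read(), "piped": pp.read()}


if __name__ == "__main__":
    print(run_demo())
```

The two points worth keeping from this sketch: the worker verifies its own drop (a successful `os.setuid(0)` after the switch is treated as fatal, so a hook never runs with root's credentials), and the only thing that crosses from worker back to dispatcher is bytes on a pipe, not shared objects. That is the Unix answer to "isolate different users or pass objects between them"; what the equivalent boundary looks like inside one Lisp address space is exactly the open question the message raises.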