Security (was: a no-kernel system)

Mike Prince mprince@crl.com
Mon, 2 Jan 1995 11:42:41 -0800 (PST)


On Wed, 28 Dec 1994, Francois-Rene Rideau wrote:

> > It doesn't make sense to say that nothing allows more security than
> > something.
>    Yes, it does mean something that people are more secure in a democratic
> country than in a totalitarian one.

How did we start talking about countries?

> > There is no way you can weed out all the crashable programs..
>    Of course there is ! That's just what program proof is all about !
> Sometimes you can't prove just all you need about a program; but you
> may just refuse to run a program that wasn't proven correct with
> respect to some crashing criterion.
>    As for faulty hardware, no OS will ever correct it.

We can reduce the likelihood of an individual component fault causing a 
system fault.  See symmetric fault tolerant CPU designs, or memory error 
recovery hardware.  These greatly decrease hardware failures.

> If you made the
> system believe that the hardware was such, whereas it wasn't, then *you*
> are responsible, not the system. If you trust floating point operations,
> then *you* are responsible.

What are you trying to say?  You must agree _nothing_ is perfect.  Every 
computer will fault eventually, every one!  We must be able to recognize 
this, and do what we can to deal with this.  On an old PC, you toggled 
the power switch.  Can we do better?  Then what will it be?

Please step into reality here.

>    Now, as for program isolation, I agree that's the only remaining
> solution *when no proof is available*. But it means incredible overhead,
> that should be avoided when possible.

Please illuminate me on this incredible overhead.  My little 8086 
programs can hum along in protected mode on my 486.