On Sat, Oct 17, 2020 at 12:16 PM Lassi Kortela <[email protected]> wrote:
> 1. Interpreters are written in C.

Interpreters associated with compilers can be written in Scheme, though: Chicken's and Gambit's, for example. These particular ones generate C, so they are still involved with C. But Loko and SICL don't have any C code at all: they only have small inlined assembly-language primitives and everything else is compiled.

> 2. We desire to implement one access control feature: restricting access
> to file system pathnames.

Actually there are many such mandatory access control features, but whatever.

> In a monolithic kernel OS, those checks belong
> in the kernel.

On reflection, I think we are both wrong: they do not belong in *the* kernel, they belong in a different non-Posix kernel altogether that has only the 49 CloudABI entry points. There is no way that a permissive kernel with restrictions layered over it can be more secure than an inherently restrictive kernel.

The init process also remains to be thought out: it will need to have a fd open on / and perhaps some other things. In particular, parts of the socket API should be replaced by a file system API, as on Plan 9.

I also came up with the idea of a fork quota: when a process is started it has a certain quota, and every time it forks, the parent process assigns the child part of that quota, but not less than 1. Successfully waiting for a process returns its quota to the parent, but if a process has no quota it cannot fork. An analogous quota for allocating disk space might make sense.

Of course the problem that not enough eyeballs will be looking for bugs will remain. And none of this is a defense against infinite loops, for example. Truly, the only way to make a computer *secure* is to drop it down a well, say about 15m deep or down to the water table, and then fill the well with concrete. We can be quite sure it will never do anything unauthorized again.

> I'm pretty sure there are approximately zero security researchers who
> would agree with that.

That's certainly if you refer to buffer-overrun attacks and the like, yes. That's the advantage of Loko and SICL.

John Cowan http://vrici.lojban.org/~cowan [email protected]
"Your honour puts yourself to much trouble correcting my English and doubtless the final letter will be much better literature; but it will go from me Mukherji to him Bannerji, and he Bannerji will understand it a great deal better as I Mukherji write it than as your honour corrects it." --19th-century Indian civil servant to his British superior
