On Thu, 05 Jul 2018 20:55:38 -0400 Dan Cross <crossd(a)gmail.com> wrote:
> A few more specific things I think would be cool to
> see in a beyond-Unix OS:
> 1. Multics-style multi-level security within a process. Systems like CHERI
> are headed in that direction and Dune and gVisor give many of the benefits,
> but I've wondered if one could leverage hardware-assisted nested
> virtualization to get something analogous to Multics-style rings. I imagine
> it would be slow....
In traditional machines a protection domain is tightly
coupled with a virtual address space. Code in one
address space cannot touch anything in another address
space (unless the same VM object is mapped in both). Except
for shared memory mapping, any other communication must be
mediated by a kernel. [x86 has call gates but they are not
used much, if at all.]
In the Mill architecture a protection domain is decoupled from
the virtual address space. That is, code in one domain cannot
directly touch anything in another domain but can call
functions in another domain, provided it has the right sort of
access rights. Memory can be mapped into multiple domains, so
once mapped, access becomes cheap. This also means everything
can be in the same virtual address space.
In traditional systems there is a mode switch when a process
makes a supervisor call, but this is dangerous (access to
everything in kernel mode, so people want nested domains).
In Mill a thread can traverse multiple protection
domains -- sort of like in the Alpha Real Time Kernel, where a
thread can traverse a number of nodes[1] -- and each
node in effect is its own protection domain. This means that
instead of a syscall you can make a shared library call
directly to a service running in another domain, and what this
function can access from your domain is very tightly
constrained. The need for a privileged kernel completely
disappears!
Mill ideas are very much worth exploring. It will be possible
to build highly secure systems with it -- if it ever gets
sufficiently funded and built! IMHO layers of mapping as with
virtualization/containerization are not really needed for
better security or isolation.
> 2. Is mmap() *really* the best we can do for mapping
> arbitrary resources
> into an address space?
I think this is fine. Even mmapping remote objects should
work!
> 3. A more generalized message passing system would be
> cool. Something where
> you could send a message with a payload somewhere in a synchronous way
> would be nice (perhaps analogous to channels). VMS-style mailboxes would
> have been neat.
Erlang. Carl Hewitt's Actor model has this.
[1]
http://tierra.aslab.upm.es/~sanz/cursos/DRTS/AlphaRtDistributedKernel.pdf
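An added illustration of the point made about Mill above (this is example code written for this page, not the original poster's and not how Mill actually implements it): a toy model in which every domain shares one flat address space and what a domain may touch is decided by an explicit grant table rather than by which page tables are loaded. A cross-domain call is just a function call; the callee sees only the ranges the caller chose to delegate, and a caller can only delegate ranges it holds itself. The domain names, the "upcase" service and the buffer/secret layout are all constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// Memory is the single address space shared by all domains (toy model).
type Memory []byte

// grant is a byte range a domain may read (and write, if write is set).
type grant struct {
	base, length int
	write        bool
}

// Domain is a protection domain: a name plus the grants it currently holds.
type Domain struct {
	Name   string
	grants []grant
}

// ErrFault is returned for any access not covered by the domain's grants.
var ErrFault = errors.New("protection fault")

func (d *Domain) check(addr, n int, write bool) error {
	for _, g := range d.grants {
		if addr >= g.base && addr+n <= g.base+g.length && (!write || g.write) {
			return nil
		}
	}
	return fmt.Errorf("%w: domain %q addr=%d len=%d write=%v", ErrFault, d.Name, addr, n, write)
}

// Read copies n bytes out of memory if the domain holds a covering grant.
func (d *Domain) Read(m Memory, addr, n int) ([]byte, error) {
	if err := d.check(addr, n, false); err != nil {
		return nil, err
	}
	return append([]byte(nil), m[addr:addr+n]...), nil
}

// Write stores data if the domain holds a covering write grant.
func (d *Domain) Write(m Memory, addr int, data []byte) error {
	if err := d.check(addr, len(data), true); err != nil {
		return err
	}
	copy(m[addr:], data)
	return nil
}

// Portal is a function exported by a callee domain. No kernel mediates the
// call; the callee sees exactly the grants the caller passes, nothing else.
type Portal struct {
	callee *Domain
	fn     func(callee *Domain, m Memory, args []grant) error
}

// Call delegates args to the callee for the duration of the call only.
// The caller must itself hold every range it delegates, so rights never
// amplify across the call.
func (p Portal) Call(caller *Domain, m Memory, args []grant) error {
	for _, a := range args {
		if err := caller.check(a.base, a.length, a.write); err != nil {
			return fmt.Errorf("cannot delegate: %w", err)
		}
	}
	saved := p.callee.grants
	p.callee.grants = append(append([]grant(nil), saved...), args...)
	defer func() { p.callee.grants = saved }()
	return p.fn(p.callee, m, args)
}

// Scenario (constructed input): "app" owns a buffer at [0,16) and a secret
// at [16,32). It calls the "upcase" service, delegating only the buffer.
// The service upcases the buffer and then tries to read the secret, which
// must fault. Returns the buffer after the call and that fault.
func Scenario() (buf string, secretErr error) {
	m := make(Memory, 32)
	copy(m[0:], "hello world     ")
	copy(m[16:], "s3cret-token-xyz")
	app := &Domain{Name: "app", grants: []grant{{base: 0, length: 32, write: true}}}
	svc := &Domain{Name: "upcase"} // holds no grants of its own

	upcase := Portal{callee: svc, fn: func(d *Domain, m Memory, args []grant) error {
		b := args[0]
		data, err := d.Read(m, b.base, b.length)
		if err != nil {
			return err
		}
		for i := range data {
			if data[i] >= 'a' && data[i] <= 'z' {
				data[i] -= 'a' - 'A'
			}
		}
		if err := d.Write(m, b.base, data); err != nil {
			return err
		}
		_, secretErr = d.Read(m, 16, 16) // outside the delegated range: faults
		return nil
	}}

	if err := upcase.Call(app, m, []grant{{base: 0, length: 16, write: true}}); err != nil {
		return "", err
	}
	return string(m[:16]), secretErr
}

func main() {
	buf, secretErr := Scenario()
	fmt.Printf("buffer after call: %q\n", buf)
	fmt.Println("service reading the secret:", secretErr)
}
```

The point of the toy is the shape of the trust boundary, not the mechanism: the service does useful work on the caller's data without ever being able to see the rest of the caller's memory, and once the call returns its extra grants are gone. In a kernel-mediated design the same service running in kernel mode would have had everything.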
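For point 3, synchronous message passing with a payload in the actor style the reply points at, here is an added example (written for this page, not code from the thread or from Erlang): a Go actor whose state is reachable only through its mailbox. Each message carries its own reply channel; the inbox is unbuffered, so a send is a rendezvous, and Call blocks until the actor has answered. The key/value operations and the 100-goroutine workload are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sync"
)

// Message is the payload plus the channel on which the actor must answer.
type Message struct {
	Op    string
	Key   string
	Value int
	reply chan Reply
}

// Reply is what the actor sends back; OK is false for a missing key or
// an unknown operation.
type Reply struct {
	Value int
	OK    bool
}

// Actor owns its state outright; the only way to touch it is a message.
type Actor struct {
	inbox chan Message
	done  chan struct{}
}

// StartKV starts an actor holding a small key/value store.
func StartKV() *Actor {
	a := &Actor{inbox: make(chan Message), done: make(chan struct{})}
	go func() {
		defer close(a.done)
		store := map[string]int{} // never shared, so no lock is needed
		for msg := range a.inbox {
			switch msg.Op {
			case "put":
				store[msg.Key] = msg.Value
				msg.reply <- Reply{Value: msg.Value, OK: true}
			case "incr":
				store[msg.Key] += msg.Value
				msg.reply <- Reply{Value: store[msg.Key], OK: true}
			case "get":
				v, ok := store[msg.Key]
				msg.reply <- Reply{Value: v, OK: ok}
			default:
				msg.reply <- Reply{} // unknown op: OK=false
			}
		}
	}()
	return a
}

// Call is the synchronous send: it returns only after the actor replied.
func (a *Actor) Call(op, key string, value int) Reply {
	r := make(chan Reply)
	a.inbox <- Message{Op: op, Key: key, Value: value, reply: r}
	return <-r
}

// Stop closes the mailbox and waits for the actor goroutine to exit.
func (a *Actor) Stop() {
	close(a.inbox)
	<-a.done
}

// Demo (constructed workload): 100 goroutines each send one "incr" for the
// same key. Every message is serialized through the mailbox, so the final
// count is exactly 100 with no mutex involved. Also probes a missing key.
func Demo() (hits int, missingOK bool) {
	a := StartKV()
	defer a.Stop()
	var wg sync.WaitGroup
	for i := 0; i < 100; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			a.Call("incr", "hits", 1)
		}()
	}
	wg.Wait()
	hits = a.Call("get", "hits", 0).Value
	missingOK = a.Call("get", "nope", 0).OK
	return hits, missingOK
}

func main() {
	hits, missingOK := Demo()
	fmt.Println("hits:", hits, "missing key present:", missingOK)
}
```

The reply channel inside the message is what makes this a request/reply rendezvous rather than a fire-and-forget send; a VMS-style mailbox or an Erlang `receive` loop with a reference tag gives the same shape.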