Slashdot Mirror
Coyotos, A New Security-focused OS & Language
wap writes "For those who haven't been following the EROS project, it has now migrated to the Coyotos project. EROS, the Extremely Reliable Operating System, was a project to create an operating system whose security relied on capabilities rather than the traditional Unix model of root or non-root. Capabilities allow a rigorous verification of the security of a system, something which is not possible in Unix-style and MS Windows systems. Coyotos is to be a real-world usable implementation of the ideas from EROS, complete with a Linux emulator layer. It also specifies a new language, called BitC which allows the programmer to prove that the code implements certain semantics, thus providing another layer of verifiable security. Could this be the most leet OS and language of 2005?" Another submittor asks how this stacks up against using Systems Management and "standard" OSes.
One of the problems I see with high levels of security without a superuser-style account is the possibility of someone leaving, dying, or forgetting his password, and not being able to get to critical business data.
How is this resolved without a superuser?
500GB of disk, 5TB of transfer, $5.95/mo
Only if you pass the proper message to the correct mailbox.
And even then only if you have permissions.
*yawn*
How Coyotos compares with Multics? Multics was most secured OS ever created with his multi-ring security architecture and security supported directly in HW.
love their site design ;)
Maybe we will finally get an operating system with a thorough security model....hopefully not so thorough that it can't be used...
((At least (to me).))
(pan)
I said no... but I missed and it came out yes.
Unless it's implemented on a RISCy processor
Any user could encrypt data, leaving it locked forever if the key is lost. That's just the nature of electronic keys. When someone loses a physical key there is always some way to spend enough money to open the safe or whatever. That's not true in the world of encryption. The solution to that problem lies outside of the scope of the OS. Or rather, the Unix/Linux/MS Windows designers decided to put it in the scope of the OS by making certain types of protection non-existant. But that's not a solution to the problem; that's just omitting features which should be there, like giving users good encryption tools for stored files.
"It contains all the design mistakes you can make, and manages to even make up a few of its own." - Torvalds regarding Mach/Microkernels (Though he says it's not OSX, I still think he meant it, he just didn't want bad press so he reclassified)
"For example, I used to like the _concept_ of microkernels, I just disliked every implementation I had ever seen (both Mach and Minix included, which was the basic reason for the debate/flamewar in question). These days I've pretty much come to the conclusion that the reason few people like microkernel implementations is that the whole concept is flawed -- even if it sounds good in theory." - Torvalds
This has been possible in Linux (and some proprietary Unices) for some time now. Why the need for a separate OS? But mechanism alone won't solve your problems. You need to have suitable policies that make use of those mechanisms. And as the Fedora guys have found out with their SELinux adventures, getting the policies right for any non-trivial system is a bitch.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
only on slashdot can a comment like Microkernels SUCK! get modded flamebait.
If I had created the world I wouldn't have messed about with butterflies and daffodils. I would have started with lasers
and life's a BitCh.
Hmm. does it work with Roadrunner? :)
In Soviet Russia, Trojan exploits YOU!
There are others too.
Imagine what happens when Microsoft tries to compete by making a buggier implementation of BitC. It'll give us yet another reason to BitC# at Microsoft.
Is it me, or is there no mention of what kind of licence it will be distributed under?
I had hoped to see some mention of one of the following:
+ GNU;
+ BSD;
or MIT.
I don't know... the unix model of security seems adequate, if not sufficient, for most (all?)security needs. The problem comes when users get thrown in the mix. It's an eternal battle between usability and security.
#include <BitC.h>
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
Does anyone have any idea what license it uses? I hunted around their site but couldn't find any info. The fact that they plan to release the source and releases suggests some sort of OSS license though.
That's like saying "cars are safe enough, it's the drivers that are the problem." Actually, there are a whole bunch of things that have been done to make cars safer: seatbelts, better brake lights, ABS brakes, etc. Saying "it's the users' fault" is just an excuse for doing nothing, when there are plenty of things that could be done. I'm tired of hearing it.
Capabilities and verifiable code are a good start. Now it just needs a systems programming language that allows for proof (mathematical proofs that is) of correctness. Basically, get something better than C and some of the problems inherant in UNIX will disappear.
If it looks like a duck, and quacks like a duck, it must be a duck.
"...It also specifies a new language, called BitC which allows the programmer to prove that the code implements certain semantics, thus providing another layer of verifiable security...."
Developers, promoters and users of this language should consider the fate of Ada83 language before they invest a ton of effort or money. Yes, it may be strong as Fort Knox but writing software costs money and the language supports provability but does NOT eliminate the need to do up front design and heavy integration testing at the end of a project...Only the proprietors of Fort Knox would consider the cost benefit ratio of such software worthwhile. The rest of us would have to weigh it more carefully. C-derived languages got a lot of code written quickly mostly because they did not encumber the engineer with many considerations beyond the function or behavior and representation of data...the "I'm not going to give you a chance to screw up" approach to programming embodied in Ada does not map well to typical [if somewhat shoddy] coding practices and creates a much steeper learning curve for would-be programmers. I admit I have yet to RTFA but I already have this "here we go again" feeling.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Computer security is a low priority concern for most people. If you had a perfectly secure OS, but not the OS you want then people would not even turn the computers on and that would be secure, right?
Secutiry is mainly a people thing anyway. Give 'em Linux and they'd just run everything as root.
Engineering is the art of compromise.
Make the interface so hard to use that no one can even get to anything. No command lines or script interfaces, and yet everything is tabbed funny and offset so you can't even tell what you are looking at with the GUI.
m.
They developed a language called BitC for doing exactly what you described. You not only didn't RTFA but you didn't even read the one-paragraph story version of it. But you know enough to post!
It has no writeable drives, network access, or output port support and the only GUI looks suspicously like a windows 95 bsod... hmm.
m.
must port linux emulator to windows....
Man, those Coyotos folks desparately need someone at least a little web savvy to handle their project site. What a disaster!
JoloK
I'm sure it'll be super-secure since there will be no buggy software for it (actually no software). There won't be an worms or virus either!
Just one problem - it can't do anything useful either.
Since Jonathan S. Shapiro is a professor at John Hopkins University, and has been involved in EROS since 1991, I suspect he has had the chance to met Ada 83.
only on slashdot can a comment like Microkernels SUCK! get modded flamebait.
Only on Slashdot can a comment like "microkernels ROCK!" get modded insightful or informative. Or debated at all, for that matter.
To elaborate a bit on what happened to Ada 83:
That version supported provability of correctness, a feature that was easy to sell to a security conscious customer [not customers as there was really only one]. But that provability meant that many dynamic coding practices, in particular the method dispatching needed for object oriented programming, were not tolerable: for a compiler to prove code was right, it had to be immutable and look at run time exactly as it did at compile time. This restriction proved intolerable and the next version, Ada 95, added features in a vain attempt to achieve OOness...and explicitly abandonded provability for the more valuable and pervasive need: re-use. on-the-fly and informal and inherent re-use by inheritance. Too little too late though: what got proved was that Ada proved to be a language even its mother didn't love. [I mean the BNF has 277 production rules...it is seriously ugly to map to other languages.]
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
It sounds wonderful, doesn't it?
Come, raise a toast to all those restrictive languages that are so wildly popular with programmers today. Let us all thank Wirth that none of their free-wheeling, permissive contemporaries are still in use.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
Sucks, eh? :)
The reason to have a "superuser" is because new stuff comes up all the time. The capabilities model is useful when the general applications are already known, and set out at system setup. Once a system is running for a couple years and there's a new Whizbang Network Filesystem Protocol, you either need to set the bastard up from scratch or have some user that can define new capabilities. That user is effectively r00t.
Sometimes seventeen/Syllables aren't enough to/Express a complete
Sure, this might be a secure OS, and you might be using "Systems Management," but unless you are using something like radmind to fully tripwire your machine, you really don't know what's there.
Not really a joke
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Sorry, I tried to start my own EROS project.
But it was a real BitCh to learn.
"Ask not what your country can do for you." --John F. Kennedy
One way to block those double-underlined "intellitxt" ads is to host-file them... (look in html source, search for intelli...
0.0.0.0 uk.intellitxt.com
0.0.0.0 toms.us.intellitxt.com
0.0.0.0 www.vibrantmedia.com
0.0.0.0 vibrantmedia.com
0.0.0.0 intellitxt.com
0.0.0.0 compnet.us.intellitxt.com
0.0.0.0 askmen.us.intellitxt.com
0.0.0.0 forbes.us.intellitxt.
I think those problems can be solved better by relying only on memory-access objects with bounds checking, and signature/ACLs for every method call, and a stripped microkernel that's privileged only for HW and IPC access. Linux itself could be refactored along these lines, applying lessons learned by experimenting with Coyotos.
--
make install -not war
Doesn't matter too much what extra security layers are in your OS if your users are just haphazardly clickety-clicketying everything in front of their noses.
For a while there I thought this new language was named after my ex-girlfriend.
Socialism: A feeling of discontent and resentment caused by a desire for the possessions or qualities of another.
While that was nice, my favorite feature of EROS (besides the name) was the idea that instead of a filesystem a disk was simply non-volitile memory cache. That facilitated my next favorite idea, orthogonal persistance, the somewhat like a persistant software suspend. I'd be interested in finding out (while the home page does not say) if these were the shortcomings of EROS it was alluding to.
Some will always be above others. Destroy the equality today, and it will appear again tomorrow. --Ralph Waldo Emerson
If you browse the Eros archives, you can see that Mr. Shapiro (the creator of Eros) makes frequent references to Multics as the inspiration for Eros (and therefore Coyotos). I'm not able to answer that question myself but clearly there is a close connection between Coyotos and Multics.
Am I the only one who read it as Coitus?
Gustavo J.A.M. Carneiro
Why not just call it pr0n OS?
We can't just scrap the existing OSs of today, even Windows. These will simply have to be hardened as best as we can. I see a new OS as useful mostly for testing ideas that can be borrowed by other mainstream OSs.
If you only use the buzz word "security" you can sell a pile of shit nowadays. And I am not talking about energy yielding cow manure...
So, instead of using the name of a God of Love, they changed to the name of a prostitute's rights organization. Do they ever want to be found in a search?
Go ahead and RTFA. I'm only marginally familiar with Ada83. However, I'm a fan of functional programming languages. I can't tell you how many times I've wished for type inference and pattern matching.
The problem is that, like Haskell, I will probably never work for a company who adopts BitC.
You are not a beautiful or unique snowflake -- but you could be if you got off your ass.
Which one will it be the first to procure the secured operating system?
IEEE BOSS
or
Coyote OS
My money is on Coyote.
And this will suffer from the same problem: capabilities and ACLs are very difficult to get right, and require extremely good tools as well as informed administrators.
For quite a while (as the OP points out) the Linux kernel hasn't checked for "uid=0". Instead it checks for one of many capabilities, like CAP_SET_SYSTEM_TIME or whatever. You can give these fine-grained capabilities to other users. SELinux does something similar for applications, letting you restrict in extremely fine-grained detail what a process can do.
The key word is fine grained. It's pretty difficult to build a sand castle if you have to move individual grains. If you can manage it, it's one hell of a sand castle, but you need tools, patterns, and layers to do it.
Implementing capabilties, roles, contexts, etc. doesn't solve anything by itself, any more than a compiler solves problems by itself. It gives us the ability to solve the problem, but we're still left with the hard work.
The most interesting work going on in this area IMO is (believe it or not) Fedora. They're trying really hard to integrate SELinux into a usable operating system. It's much harder than it looks; at the moment they only have certain services running under SELinux restrictions, but eventually they'll get to a complete model where it really will be difficult to comprimise the system.
It's not hard to secure a system; just turn it off. It's very hard to secure a system so that it allows "approved" actions and disallows everything else.
The File Vault feature of Mac OS X is an example of what the Anonymous Coward said is missing from Unix/Linux/MS Windows, if I understand his comment correctly. File Vault deals with the possibility of a lost person/key by having a master password, separate from root. It's also a stronger encryption than what is used for authentication as root to the OS.
This is like the behavior where you typo your login password after the eighth character. You get into your account because the OS, like other BSD based OSes, only uses an eight character password, but your keychain won't unlock until you provide it the full, correct password.
That's funny but it does make sense. A process is just a state that can be serialized like any other state. And any state that can be serialized can be unserialized on some other piece of hardware, why not. But that is a very funny concept.
I'm curious how an OS with no Superuser can allow someone to assign permissions to other users. Are there Superusers for different parts of the OS, and if I want my access to span across these parts, I have to get access from multiple "superusers?"
While I can see a role for EROS and other capability-based systems in places where security is not just important, it's the product (banks, the military, intelligence agencies), I become deeply suspicious when someone suggests placing such systems in the consumer marketplace (desktop computers, media servers, etc.).
The reason I become suspicious is because capability-based systems are designed to distrust the person using them, including the machine's owner. Again, in environments where security is paramount, this is a reasonable thing to do -- you don't want personal or sensitive information getting in the hands of an unauthorized person, even if they own the machine it's stored on. But in all other environments, the machine should treat the owner as God and obey all commands and yield up any and all data He/She demands.
I fear that capability-based systems will be one of the prongs media companies will use to attack Fair Use and other rights. I worry that "content providers" will demand PCs that distrust their owners and obey their commands, not mine. Capability-based systems are an excellent way to bring this about. Yes, I know capability-based systems can be hacked into obeisance, but it's a lot more trouble. Frankly, I would prefer it didn't happen at all.
Schwab
Editor, A1-AAA AmeriCaptions
These people are creating a new language to program the operating system in, which "combines the 'low level' nature of C with the semantic rigor of Scheme or ML". When will people learn that it isn't the lack of semantic rigor (aka provability) of C that is the problem... it's the memory allocation and pointers?
Just look a the Java standard library, since it's roughly on the same par as a kernel (it is huge, complicated, and has to defend against malicious use). Sure, there are bugs, but in 10+ years there have only been like 2-3 security flaws cause by the standard library (as opposed to some vuln in a C-based library is uses), and those were problems with dynamic class loading. It's not because Sun's Java developers are THAT much better coders than anybody else, it's because Java is a safe language (no arbitrary pointers or manual memory handling).
Why doesn't somebody make a few tweaks to Java and use it to make an OS? That would be way better than some scheme language that has all the dangerous features of C added back in and that nobody wants to program in anyway (stylistically). But at least these guys are trying to use a better language for the OS.
I love what EROS did and have very high hopes for this project, but why the new language? Some Java people (maybe that's why...) already inspired by EROS created (or just 'E'), a capability secure Java based laguage.
Either way, things I like:
*Provable security
*Extremely fine grain, almost fractally self-similar, security
*No need for 'root'
Things I'm not so sure about:
*No filesystem (at least with EROS)
*Not having 'root' is such a change, it's hard for me to understand how someone would take care of a system
Restrictive languages are far older than I am. And since they've been around all my life, I can handle them. I know C, I'm pretty good at it - after all, you have to be - but although there's a few very cool things you can do with it for fun, I'd honestly prefer something with bounds-checking for real coding. Not that I make mistakes, of course, and I even wrote one program that depended rather heavily on accessing just outside an array. But it's simply easier to write a good program if your language can stop buffer overflows for you.
I am trolling
The purpose behind the EROS or Coyotos kernels is to provide a *fast* capability-based system. You can build a capability system on top of Linux using sockets and other mechanisms; it'll just be slower. It's easier to build in some ways, but the total complexity (including Linux's complexity) is higher, so you have a bit less confidence about how secure the whole thing is.
An example of this is Plash http://freshmeat.net/projects/plash/. Plash runs processes under Linux with access to nothing by default (by putting them in a chroot() jail, etc.), except that it can make requests to objects via a socket using an object-capability protocol. Plash also provides a modified GNU libc so that normal Linux executables make their filesystem requests as object invocations, basically virtualising the filesystem.
Plash shows how unmodified Unix programs would work under EROS/Coyotos: it provides a shell (similar to Bash) that lets you run Linux programs with access to a limited set of files, in a convenient way.
And here is why: They have been working on this since 1991. At some point a project needs to "shit or get off the pot". At some point all momentum is lost and people start making jokes about it (cf. Hurd) and then the project will never recover. The way to keep momentum is to not only make promises of what the system will do in the future, but to show them some of what it can do (maybe not perfectly) today. If implementing persistence is going to slow them down from getting something out the door they should leave it out. Also, not having persistence makes it more "conventional" which is going to get more software written for it. And finally, it's not at all clear to me that having persistence magically built-in is the right thing to do. That's not clear at all. Like in Java there are various persistence systems like JDO and Hibernate but they all have to have special query languages. That's the right way to do it. Persisting an object and just having an object in memory really do have different meanings and should not be handled "transparently". I think that if the Eros/Coyotos guys had had some experience with Java and Hibernate/JDO/etc they would come to a different conclusion about this.
Only the proprietors of Fort Knox would consider the cost benefit ratio of such software worthwhile.
I think this is a great analogy for Coyotos. Developing and verifying the kernel will cost tens of millions of dollars, but once it's done it can be used by a lot of people for a long time without much change.
It appears that Persistence was removed from Coyotos. Not sure why, as it appeared to be one of the key features in EROS that differentiated it from 'conventional' OS's. Now what I'm reading is you are simply building a capability based kernel and will run Linux on top. Yeach. Marc
How about having better password and encryption algorithm recovery features to close the loop-hole.
Some researchers are working on trojan-resistant/phishing-resistant user interfaces that make it much harder for users to screw things up.
Hmmm, might have interesting merits though. A security focused OS? Call me moronic, but isnt that the idea behind SElinux crap?
"God of Rock, thank you for this chance to kick ass. "
They have one for each state, like this:
http://www.eros-minn.com/eros.htm
They even have escorts for you if you need help installing.
Compared to war, all other forms of human endeavor shrink to insignificance. God, how I love it. - Gen. George Patton
Funny, I have the same feeling about your post
Check the history, they're getting rid of persistence in Coyotos...they want to make it posix-compatible and more familiar to people. The other big change is writing the whole thing in BitC, using patterns that allow security proofs on the entire kernal: "If we are successful, we will produce the first general-purpose operating system and utility set with end-to-end verification of security and correctness properties that extends all the way through to the code."
there should be only one...
CPU: 6502
programming language: assembler
OS: CPM
graphical desktop: none
now can we stop whinging about the one true OS / language / GUI??? _real_ programmers need none
-- How I want a drink, alcoholic of course, after the heavy lectures involving quantum mechanics.
what the hell is the mod down for redundant???
did you read the whole thread?
*yawn*
....skimming
....yumm, nice parens! tastes a bit like Lisp...hurray for econmomical parsing.
....skimming...
monomorphic variables ? what happens to procedure with two variables not bound as to type? infer all you want but how to mix/promote types?
....no module idea, charset limited to 7bit unicode: thats gotta get fixed.
OMG! Shades of Ada "MOD" types in wolves clothing!..breaks all attempts at straightforward mapping to C/C++/Java short of introducing a class template that replaces "int" and overloads all the arithmetic and bitwise operators...yuch! SKIMMING HALTED
indeed, here we go again. Actually not a bad language...just not of this world.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Developers, promoters and users of this language should consider the fate of Ada83 language before they invest a ton of effort or money.
Yes -- Ada83 died on the vine not because it couldn't get programmers, but because it couldn't get reasonable compilers. The hurdles were just far too high.
Now there is a reliable, cheap, well supported Ada compiler, and in spite of the lack of programmers many projects are able to use Ada appropriately.
BTW, Ada didn't support provability; it encouraged software engineering principles. A later branch of Ada (SPARK Ada) was developed to support provability, and it's finding a surprising amount of use in critical embedded system, enough so that some proposed modifications from it were taken for the Ada 2005 specification. (Interestingly, every SPARK Ada program is a correct Ada program which compiles and executes in precisely the same way on every Ada platform and compiler.)
the "I'm not going to give you a chance to screw up" approach to programming embodied in Ada does not map well to typical [if somewhat shoddy] coding practices and creates a much steeper learning curve for would-be programmers.
Although there's truth in this, it doesn't lead one to C; it leads to Smalltalk, Python, and Lisp.
I do get the impression that you probably don't know Ada, and almost certainly haven't used it. Is this the case?
-Billy
You first have to get the Anvil, Catapult, and Boulder modules from ACME corporation
They both lost. They are trying to solve a problem that doesn't really have any demand for being solved, and trying to do it by scrapping everything we have and starting from scratch. How many people do you really hear complaining that unix isn't gay? VMS is dead for a reason, let it go.
... it is :)
One thing about capability-based secure systems is that they allow for better security solutions to be designed. For example, you could build a a capability that would have read access to all the things you need backed up.
More info at http://erights.org.
The ACL model (based on the notion of principal) is limited because it doesn't scale (your access matrix grows fast as you need finer level access control) and still allows compromised applications to use their permissions for the wrong purpose (confused deputy problem).
CP/M never ran on 6502s!
what the hell is the mod down for redundant???
Because slashdot is a clusterfuck of ignorance and stupidity?
That version supported provability of correctness,
There's only steps of provability. Ada 83 was more provable than most languages, but there's a lot more to it. And its failure in many cases seems to have been high-price, low-quality compilers designed for sale only to the DoD, which fought Ada internally in a lot of places.
he next version, Ada 95, added features in a vain attempt to achieve OOness
In a vain attempt? Do you care to explain why Ada 95 is not an OO language?
explicitly abandonded provability
Not really. Again, there are steps of provability, and Ada is still easier to prove correct than C. It's also possible to produce an Ada subset (SPARK) that is strongly provable; the company that did that has looked at a C++ subset on the request of customers and dismissed it as impossible.
what got proved was that Ada proved to be a language even its mother didn't love.
There's a lot of people out there that love Ada. Personally I got tired of beating my head against C++. (No, this is not an excuse for a flamewar; it's a personal choice.)
[I mean the BNF has 277 production rules...it is seriously ugly to map to other languages.]
C++ is a complete pain to map to other languages, and nobody seems to care. I don't know where you came up with that number, but I strongly suspect that C++ would be more. In any case, if everyone liked simple syntax, we'd all be using Lisp; most grammar complexities are added on the excuse of making things easier for the programmer at the cost of making it harder for the compiler.
the "I'm not going to give you a chance to screw up" approach to programming embodied in Ada does not map well to typical [if somewhat shoddy] coding practices and creates a much steeper learning curve for would-be programmers.
And for that we all pay on a daily basis as boxes get rooted and used as zombies and spam servers. It is so easy to stop buffer overflows, at such a little cost, that it's a crying shame C is still being written for anything that connects to the network. (C++ might be better, if people would give up their arrays and use bounds checked classes instead.)
Looks like Microsoft Access SQL statements to me!
Well, then DO RTFA. Ada, as well as PL/1, COBOL, Java and similar atrocities, is "specified" by a several hundred page document designed by committee. In its case, a military committee. Its flaws were manifold and pointed out before the spec was even ready (by, among others, Edsger Dijkstra). I would not hesitate for a moment to agree with you that Ada did not fulfill its promise; nor, for that matter, did PL/1, COBOL, or Java. BitC, on the other hand, as far as I can tell, turns out to be a tiny language, with a syntax based on Scheme and a semantics based on ML with a whiff of Pascal for the low-level details. It's description is terse and clear, and it seems to focus on fixing glaring problems with previous languages rather than making the programmer treat their work like a form in triplicate.
/usr/share/morlock
Except the existence of root,
What's the difference between a "capability"-based OS, and a Unix-like os with correct group policies ?
I mean I you want some user to be able to to partitionning on SCSI drivers, juste assign "/dev/sd*" to group "scsi-disk" and make user member of that group.
Even Windows NT family could do this if there wasn't that "user-mode can almost only browse web for near everything else you need to be admin" problem.
This is NOT a troll.
Could someone explain me what's the big deal ?
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Sorry, but the Ada ISO specification is way shorter than the ISO C++ spec.
So it looks like your little ad hoc theory is completely wrong.
Well, you are quite right that the array bounds checking built into Ada would toss an exception anytime somebody tried a buffer overflow attack on an IP stack. I have to explain my rather jaded view of Ada: I am getting paid to translate 10 year old ada code to C++. Its a nightmare. In theory [and all the whitepapers, now yellow with age, on Ada vs C++ assure me] Ada is superior. Wonderful! But the fact that Ada has 2 or 3 ways to enforce things that are damned awkward in C++ is only an obstacle for me. I expect that interchangability between the proposed BitC [which actually strikes me as a pretty good language as far as I have read] and other languages will be similarly broken by the significant differences between what is built in and what must be programmed in to code written in the various languages.
BTW, page 479 of Schildt's 3rd Ed. of C++ the Complete Reference shows how to create a templated class that replaces arrays and overloads the array ref operator, [] for bounds checking. I wish I was working with a clean slate instead of 50k lines of code sans authors
I wish there were as clean a way to emulate bit lenghth wraping and packing in C++...they are primative in Ada so code that uses them has no syntactic handles upon which to work an automated change.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
see /boot/kernel/mac_*.ko for a few ....
Seriously. The group I work in has a Beowulf cluster. The scheduling is, IMAO, rather a mess. Although there are queues for (e.g.) jobs that use 16 nodes simultaniously, I doubt anything on such a queue would ever get run, because there are never 16 free nodes simultaniously. Short jobs can wait for ages for a node while long jobs run.
All this is hard to avoid with the current architecture. If it were possible to suspend a process, dump it to disk, and later restart on a different node, the scheduling could be much more rational:
* Clear 16 nodes to start a multi-processor job. Put the suspended jobs back in the queue for the next free processors.
* Suspend long-running jobs to give potentially quick jobs waiting on the queue a chance to run.
(Disclaimer: I'm just a user on our Beowulf cluster - I'm not too familiar with the current capabilities. Perhaps they are more advanced than I think.)
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
He's a neat little dot. Basically, when you're done making a statement, you put him at the end. By doing this, readers can clearly tell where one statement ends and another one is about to begin! It's really great. Without him, written words can get confusing and all jumbled. Like your post!
The web page is a joke
C programmers constantly have to be aware of array indices going out of bounds, pointers being valid, making sure values are constrained appropriately (like keeping a day of the month being between 1 and 31), accidentally assigning two incompatible variables to each other, and a host of other potential problems. When a mistake is made in any of these areas, the effects of the bug are often far removed from the source.
Ada, on the other hand, is more of a set-and-forget language. Yes, it might take one or two extra lines of code to declare a variable, but it pays off by making the body of the function much more consise, easier to write, easier to maintain, and less likely to contain bugs.
Consider aircraft software that must deal with altitudes in feet and meters as an example. An Ada compiler will instantly catch most unit confusion errors that a C programmer may spend hours tracking down or even worse, never find.
The irony is that Ada is a great language for sloppy programmers because it catches so many careless mistakes, and those are the very people who shun it.
This space intentionally left blank.
Probably: yes. My feeling is that orthogonal persistance and extreme reliability (2 goals of the EROS project) are conflicting goals.
Orthogonal persistance is very useful from a user point of view: you don't need to 'save' files, you don't need to 'close' apps, so noobs can't forget it. Application programmers don't need to worry about closing files, there's just a state of the app that's saved in regular intervals, transparently done by the OS.
But the other goal, extreme reliability, requires something else: extreme simplicity of some aspects/components of the OS. If you introduce too much complexity, the extreme reliability goes out the door.
My guess is that EROS has shown that you can't have both as a core feature, and that you are forced to choose: drop the extreme reliability, or move the persistance feature out of the core into another layer (like do it an application level). It seems that developers have chosen the latter, to preserve reliability as a core feature. IMO a good choice: persistance may be a nice thing to have, but no good to use it everywhere. The project history explains this some more.
An easy example:
char *strcpy(char *to, const char *from)
{
char *start = to;
while (*from)
*to++ = *from++;
return start;
}
Hint: what if 'to' is greater than 'from'?
If they're pushing a security focused OS, why the hell are they writing it in C in the first place? Given that they are writing it in C, they aren't exactly going out of their way to avoid pointer problems, are they?
But the fact that Ada has 2 or 3 ways to enforce things that are damned awkward in C++ is only an obstacle for me. [...] I wish there were as clean a way to emulate bit lenghth wraping and packing in C++...they are primative in Ada so code that uses them has no syntactic handles upon which to work an automated change.
So Ada is bad because it does something's better than C++? If it's easy in Ada and hard in C++, shouldn't that make Ada the better language?
Linux? Kids these days... Capabilities is a feature from the 1970s. If Coyotos is anything like EROS or KeyKOS, then they don't mean POSIX "capabilities" but real capabilities as described in 1975 by Jerome Saltzer and Michael Schroeder in the famous The Protection of Information in Computer Systems paper: "Capability--In a computer system, an unforgeable ticket, which when presented can be taken as incontestable proof that the presenter is authorized to have access to the object named in the ticket." For an excellent introduction to capabilities, read What is a Capability, Anyway? by Jonathan Shapiro. Then read the Capability Theory by Sound Bytes essays by Norman Hardy for more informations. Those papers are classics, just like Reflections on Trusting Trust by Ken Thompson. It's a must-read for anyone who wants to have even the slightest idea about computer security at all.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
With the right number of bits, you can set it up so that someone would have to convert all the mass of the Earth into computer chips and use it to crunch numbers for a billion years to decode it. No amount of money can accomplish that; it's outside of the realm possibility now, and will be for a long long time. The number of bits needed to achieve this is low and in routine use; it's something like a 256 bit key. Google around for it.
Even if some administrator has "dredge through the raw disk" permissions, that doesn't mean you need One Big Omnipotent Superuser that has *all* the special permissions. Controlling printer hardware or network routing protocols or delivering email don't all need to be done by the same process or the same person, and it's much safer to keep those powers separate (even if the same Actual Human ends up owning all those capabilities.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
That's the first comment I've read here that actually has some understanding of capability-based OS's...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
KeyKOS was usable, within a limited application space that made sense 20+ years ago. EROS was pretty rough, and how much work it got depended a lot on what Jon was up to any given year (and his students, after he was teaching), but adapting to all the modern things like TCP/IP and X and Email and such took work - maybe they'll finish this time :-) Some of the people involved (I think it was an incarnation of KeyKOS, with Bill and Norm) were once at a trade show where the people next to them were advertising the reliability of their system, and got very annoyed by a few cycles of "Here's KeyKOS running, let's start some complex application running, let's pull the power cord out of the wall, see the blinkenlights go dark, plug it in, blinkenlights start up again, application's running just fine except the clock ticked a couple of times, think the machine in the next booth could do that?" That's the reliability-and-persistence aspect of the system rather than the security aspect of it, but they're related, and it's more than just tacking on a journaling file system.
On the other hand, security-oriented systems spend a lot of time either saying "No", or at least not saying "Yes", that getting stuff done isn't always easy, and for a lot of people, Knoppix and a UPS can provide enough security and reliability.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
With C, it's perfectly easy to write safe, reliable, trustable programs - but the language doesn't force you to do so. C++ gives you a bunch of tools that are safer than doing some of the same things by hand, but it also doesn't force you to use them, and you can usually take your old dangerous C programs and force the C++ compiler to accept them (though some dangerous activities might need to be wedged pretty hard to get them to work :-) C++ has the advantage that some of the basic I/O libraries don't have some of the glaring holes that C's stdio.o does, but you can still *use* stdio if you want. You don't *have* to do dangerous and stupid things in C++, but you didn't have to do them in C either. It's still possible to drill a nice neat hole in your third metatarsal, but in C++ you're as likely to take out the second and fourth while you're at it, or maybe just nail a couple of toes.
I never did any real work in Ada, but I read a lot about it back in the day. It pretty much forced you to do a lot of your design work upfront before getting down to coding, which was often a Good Thing on larger projects, and meant that more of your bugs got dealt with at the design stage than at the coding stage.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
This is using the term "capability" in an entirely different manner than the Unix-policy folks use it. A "Capability" in this context is approximately an object-method handle - everything interesting in the system is an object, and to invoke any method on an object, you need to know the capa that invokes the method, and you can only know that if something that already knows that capa decides to tell you. A capa is represented as a long enough string of bits (e.g. 64 or 128) that you won't guess it. The granularity of a capa is often as fine as "a block of disk" or "a page of RAM". Objects that you don't know capas for are invisible - rather than the OS deciding whether to permit or refuse you access to it (which you may be able to spoof), if you don't know any capas for an object, you don't have a way to ask for access to it. Just because something's extremely secure doesn't mean it's easy to use.... and the underlying models are sufficiently different from Unix that you can't usually just port your code and make a few tweaks.
Since it's object-based, the natural storage model is persistent objects, and EROS and its relatives spend a lot of time making sure they stay persistent, e.g. syncing them to disk when needed - they tend to not mind if you do things like unplugging the power cord while processes are running, and start right where they left off when you plug them back in. On the other hand, the storage models aren't what you're used to unless somebody's written an emulation layer on top of it, and the emulations may also be different than what you're expecting.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Hmmm, in this day of Homeland Security, just design the CPU board with the CLIPPER CHIP and give the keys to the FBI to hold onto til they day you have a need for them! :)
Don't get me wrong; Ada is technically a better language. And what, other than technology especially concerning reliability, criteria should be used to measure a language? You measure it against the needs of your job and the costs you can bear. My employer's job is to find people who can maintain Ada code...they failed in that. So my job is to translate Ada code to C++ and as I've tried to explain, that is hard...Its an "interesting" problem but its using me up and teaching me nothing that will make me more employable in a year or two
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
In fact, Jonathan was at Bell Labs when the first validated implementation of Ada83 was completed by a guy down the hall: Charlie Weatherall.
Jonathan S. Shapiro (The EROS Guy)
That being said, it also needs to be said that there is a small body of programs whose correctness is critical: operating systems, power substation control systems, flight control systems, medical systems, and so forth. It simply isn't a goal (for us) to take over the entire systems programming world with this language. It's our goal to be able to do a smaller set of critical things well enough that I'ld be willing to run the resulting code on my (personal) pacemaker when the time comes to need one.
shap
Jonathan S. Shapiro (The EROS Guy)
If I understand what they are doing correctly, this is the path that must be taken if we are to have a truly robust computing world.
Human beings make mistakes, which are iteratively corrected. This is OK, but it turns out when it comes to computers a DEVELOPER correction does not translate into a USER correction 100% of the time. People do not update systems. And systems are so complex nowadays that often times fixing one problem will break other software, mission critical software. This is unacceptable, but it is a fact of life. So if we want a clean, non-virus ridden network that is also worldwide, we have to Get It Right The First Time.
Coyotos is a possible solution to the statement "if we built houses the way we build computers/networks/OSs/software, the first woodpecker would destroy civilization." From the ground up, if we do it RIGHT with the best tools we can bring to bear (i.e. formal proof) we can stop worrying so much about woodpeckers.
There is no such thing as 100%, of course. Proofs are checked either by computers programmed by humans, or by humans. Both are fallible. But this is as close as we are going to get to a perfect system, and with any luck it will raise the barrior of entry for black hats so high they won't even bother.
It's a lot of work to create, and far more work to re-educate all the programmers out there. But there is NO easy solution. The thinking represented by Coyotos, in my opinion, represents the only POSSIBLE solution. So let's hope in 20 years universities are teaching BitC as the default language. Computer programmers and developers have been solving the same basic problems over and over and over for the past few decades. Thanks to open source, a new philosophy can and needs to emerge - express the logic of your feature to the computer once, completely, and be done forever. Then we can build to greater things.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
I gotta say it- I'm surprised as hell no one is complaining about BitC, the Lisp-like language behind Coyotos. Don't get me wrong, I love Lisp, whether it's CL, ISLISP (kind of my favorite), Scheme or something else... But it seems to me, basing a project in some Lisp-like language is a recipe for an early death. The current FOSS community is pretty harsh towards languages outside of the accepted mainstream as far as how much support it gets. It seems that the language choice of E, something based on Java, would have had a much better chance to draw users.
;)
Not that I'm into selecting a language for those reasons... My projects are almost all in Squeak Smalltalk and will continue to be so until Slate or something better than Squeak comes along.
Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
Thanks. Informed perspective is what I always HOPE for in /. comments and once in a while I get it!
I shouldn't complain about my job, but as a tax payer, I am aghast at what I am paid to rescue 10 year old algorithm's from death by insupportability. I would
LOVE to be translating the crypt full of Ada to some language that was not downright hostile to non-zero-based and range checked array indices [to mention one of several headaches they pay me to endure].
I am tempted to mention BitC to the Lab supervisor but they weren't the ones who chose to abandon Ada...the customer is always "right" about C++ :-(
Personally, I jumped from C to Java and then got dragged back into C++ and lately have had to learn Ada PDQ...the weakness of my opinions about Ada has no end of great exuses. [Actually, I wish the world had stopped changing after we got DEC to ordain BLISS for systems programming but try and tell 10000 cowboy engineers what language they ought to use!]
If anything, the years since the rise and fall of Ada have led to an attenuation of the extent to which humans can intervene ( man-in-the-loop style or as human-monitored autonomous systems) in the operation of critical software. Consider for instance how much of our defense relies on space born platforms...if you have a bug or a lack of stability up there, you pray for a work-around. More than ever, we need tools that, at the very least, don't get in the way of making reliable systems.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Actually, that's not true. The same problem comes up with key management. You can always have a system whereby, one person does not have permission to create an account to every other system. By allowing other accounts (which the admin can not create) to counter-sign, thus giving permission to the counter-sgned elements of the system, completely removes the concept of one account is god.
Of course, this is still not perfect and greatly increases complexity, but systems which address the chicken and the egg problem are very obtainable.
Of course, you'll come back and say, well the admin will just create more counter-signing accounts and then do his won counter signing....but for those new counter signing accounts to work, would have to be counter signed by the actual counter-signers to achieve that level of access, in the first place.
Basically, this means that you would have to have a fixed number of base counter signing accounts, which get greated and setup, during initial system setup. Like I said, this is easily obtainable....just more complex...and requires administration, ideally, by three or more admins; whereby, the more admins you have, the harder it is to cheat the system.