Since we are all accustomed to using physical keys, how about using one for the Internet? The physical key would be a USB stick that is used by the browser to store a randomly generated password/username (or other credentials), which would then be used to log on to a site. All the users would have to do is have this 'key' with them.
The problem is not that asymmetric warfare is challenging... the problem is that goat herders are not the enemy. That's what my sarcastic comment was about.
Do the Taliban want to kill their women? Fine, we have no right to tell them what to do. Do they want to grow opium? Fine, we can't tell them what to do.
What we have the right to do is to stop them from entering the country and stop the opium coming in.
Personally, I think the best approach is to go there without guns and tell them that we are truly the good guys. If the perception Muslims have of the West doesn't change, there is no hope of eliminating terrorism. You can't win against an ideology by fighting it with armies; you've got to open up to convince them the West is not the bad guy.
File sharing is a way to freely distribute content. That is not illegal. What is illegal is distributing copyrighted material.
If file sharing is equated to piracy, then this has a direct consequence on the freedom of information: any information shared electronically in the form of files (i.e. all free content out there) would be subject to strict control.
"So... I edit a copy of my Resume in Word, then later open it up and modify it in Writer (since I'm trying it out) then later I go back to Word and -- OMG! My changes are gone ! "
No. The latest version of the document will be opened, depending on whether the two programs belong to the same virtual session. Think about it as if you were using a Virtual Machine for each application.
"What happens to the copy of my Resume if I delete OpenOffice ? Does it get deleted as well, or does it hang around in Limbo until I reinstall OpenOffice ? "
Nothing. It remains there, waiting to be opened by another application.
"Who decides when/if the resource should be hidden and from what ? There will be completely legitimate reasons why $SOME_APPLICATION might want to look at my address book. "
The application developers.
"It does "virtualise" certain parts of the system though (to support legacy applications) - Registry, certain system paths, etc. The capability exists. "
Well, ok. But it does not virtualize everything, so it does not do what I propose.
"None of those are particularly complex. They're all single or very limited purpose, with tightly controlled and well-known inputs, never extended in an ad-hoc fashion and nearly always operated by trained and certified users. "
The programs themselves are particularly complex.
"Er, in pretty much every way ? What embedded system are you thinking of that can handle all the things I listed in that paragraph ? Your "autonomous system with hundreds of processors and network nodes, with multiple tasks running autonomously with 100% uptime" isn't particularly complex if all it has to do is changing some coloured lights from green to orange to red based on half a dozen well-specified input types. "
Obviously, you never served aboard a military vessel.
"...Because they have to provide so much more functionality and deal with so much more complexity. "
No, because they are programmed without the required quality.
"But they can't because they lack the features, functionality, flexibility, extensibility, time to market and cost requirements of a general purpose OS. What embedded OS do you think could be a functional replacement for - and we'll pick the easy one - OS X ? "
No, no, and no. QNX, for example.
"Who are trained. "
That doesn't exclude spying, treason, unhappy personnel, sabotage, etc.
"Which are all known, tested and certified in advance. J. Random Soldier is not going to be able to download and run SuperAwesomeGemHunt off the intarcloudweb, nor does the system need to make any allowances for him to do that. "
Oh, they do on a regular basis. All ships have internet, and all ships run internet applications. They regularly play Flash games, etc.
"But the tasks they have to do are very limited and almost completely static. Manage systems with capabilities fully known in advance, manufactured to extremely high quality and tolerances, and which will never unexpectedly change. "
The tasks they have to do are vastly complex, much more complex than Microsoft Word and Internet Explorer and Outlook. Not only that, but lives depend on the software. Furthermore, software changes frequently on those ships, by updating and creating new modules.
"How well do you think the RADAR and weapons computers will do at managing the propulsion or HVAC systems ? Do you think the RADAR and weapons computers from one ship could run the hardware on another ship in another Navy ? That's the kind of scenarios a general purpose OS has to deal with. "
No. Your analogy is deeply flawed. Software from one vessel cannot run on another vessel because of different protocols. General purpose OSes run the same protocols: HTTP, HTML, JPEG, email, X Windows, TCP/IP, etc. Military grade software can run on anything that runs the same protocol.
"A military system can be nearly guaranteed to never have to run an unknown piece of software and, more importantly, will never be criticised
It's the Computer vs Console battle all over again. In the end, someone came out with an API for games (Direct3d), and therefore the problem was minimized quite a lot. As handheld devices become more powerful, someone will introduce an API that makes game programming much easier for Android devices.
Just for the record (since so many slashdotters have said they have problems), I am reporting that I have happily updated all my machines (one Win7, two XPs, one Win2K) to AVG 2011 and I don't have any problems so far.
Who decides which applications can manipulate what ?
Nobody.
Who decides what a "trusted" application is ?
Nobody. All applications are implicitly untrusted.
How do you share information between different applications (eg: how can a document be edited by Office, OpenOffice, or some other random application)?
You open the file normally, as you would. The system creates a copy of the file though.
How do you help with malware that's only interested in read-only access (eg: sending a trojan to everyone in an address book) ?
Two ways:
The resource is hidden from the virtual session the malware belongs to.
The resources the malware uses are redirected to null.
Everything you listed as an example is already possible with existing systems. Indeed, Windows has already been doing it to some degree for 3+ years.
No, it does not. Windows doesn't create a virtual session for each executable.
That has nothing to do with end users causing security breaches that don't leverage software bugs, which is what happens most of the time (trojans, third-party software errors, malicious and/or ignorant data leakages).
Where did I ever talk in our discussion about preventing users 100% from causing security breaches? What I talk about is securing software, not users. And one way to secure software is to use a programming language that makes it impossible to have bugs that allow security exploits.
What complex embedded systems are you thinking of ?
Examples: nuclear reactors, military aircraft, avionics for commercial aircraft, modern cars, military ships, etc.
A desktop OS is written to do a lot more than "viewing and manipulating documents and media". It has to handle multiple user contexts running arbitrary code of unknown origin and quality. It has to handle random hardware devices (and their drivers) of unknown origin and quality being connected and disconnected at arbitrary times and for arbitrary periods. It has to handle easy extensibility of capabilities in both user and kernel space. It has to handle hardware whose quality can range from rock solid to dangerously flaky. It has to handle users ranging from highly trained through completely ignorant to actively malicious. It has to handle (and remain "bug-compatible" with) software and hardware that thinks it's a version released anything up to a decade earlier, if not longer. Finally, it has to do all these things while being cheap and updated on a 2-3 year cycle.
How is that more complex than an autonomous system with hundreds of processors and network nodes, with multiple tasks running autonomously with 100% uptime?
Not only is what you mention vastly less complex than what I mention, but it also has nothing to do with Ada.
You have that backwards. Critical safety systems don't run commercial OSes precisely because commercial OSes are developed and geared towards much more complicated and complex environments, and thus have vastly larger and more capable levels of functionality, which in turn means they have vastly larger codebases, which ultimately means they are vastly more difficult to write and debug with correctness as a first priority.
Actually, it's you that has it backwards. Critical safety systems don't run commercial OSes because the commercial OSes are not secure and cannot be secured.
On the other hand, embedded real time OSes can be used as general purpose OSes, because they have the security required.
I'd like to point out, because I am sure you are ignorant about it, that military grade OSes have multiple users as well, and they run multiple applications. For example, in modern ships that run military OSes, all the weapons and radars are in the same network. There are lots
You are extremely stubborn. It's amazing that you don't get such a simple concept.
Then, for the "nth" time, how does a legitimate application modify and interact with the "real" files ? There are numerous reasons why this will be necessary, from simple editing of documents to applying patches.
By using the available file management interface: fopen, OpenFile, etc., or whatever file management routines are provided by the programming language or library that was used to build the application.
For the application, the real files are the files it sees. It's the files the application has created or it is registered to manipulate. For the rest of the system though, the real files are different.
Here is an example: You download TextEdit and you create the file 'Foo.txt'. Every program in the system sees that file. Now you open the file with Internet Explorer. Since IE is an untrusted application, the system does a copy-on-write on file 'Foo.txt'. If any malicious program modifies 'Foo.txt', then it would be the copy of 'Foo.txt' that is being modified, and not the original one. If TextEdit opens the file 'Foo.txt', then it will open the original file, not the one Internet Explorer has modified, thus preventing malicious programs from altering the file. In case the user wants to edit the file 'foo.txt' modified by IE with TextEdit, then he/she may do so: he/she goes to open the file 'foo.txt' that was modified by IE, which is now at another location on the file system.
Here is another example: you download an email with Outlook Express that contains a Christmas Card from your grandpa. It's not a Christmas Card though, it is a rootkit. You double click the Christmas card, the rootkit runs via a buffer overflow using the JPEG library bug and tries to modify the registry by raw access. The system does a copy-on-write on the registry and the rootkit modifies a copy of the registry. Since a copy of the registry is modified, the system can easily be restored to normal status by simply deleting the rootkit's version of the registry.
Yet another example: you want to install OpenOffice. You download the file, you install it. The installation adds an item in your startup folder that loads an OpenOffice toolbar. A copy of the registry is modified as well, just as in the previous case. But this is safe: you leave it running as is. If the OpenOffice toolbar is compromised in the future by malware, you simply delete the copy of the registry. The initial registry remains intact.
So, as you can see, in all cases you have a working system. Malware can only touch and modify copies of resources; programs can manipulate the version of resources that they see as real, i.e. the resources that they have created, and the versions of those resources managed by other programs. The only thing required to restore the system to a good state is to erase the modified resources.
I didn't say they were. I said the fact they weren't being used suggested there was probably a good reason.
Unfounded speculation.
Embedded systems operate in completely different risk profiles (for example, inputs are nearly always minimal, strictly controlled and well-known in advance)
Not true. One of the reasons the US DoD created Ada was that there was a need for a truly safe programming language that does not allow systems to be compromised due to bugs, even by the personnel who use those systems.
...and performance constraints (for example, sacrificing low latency for predictable latency in terms of responsiveness) than general purpose systems do.
There is nothing in Ada that prevents systems from managing latency as they require.
This is before even getting into things like scope of capabilities (embedded systems tend to be quite limited),
Wrong again. Embedded systems can be vastly more complex than your desktop OS, which is mostly for viewing and manipulatin
AT THIS POINT, I RECOGNIZE THAT YOU MUST BE EXTREMELY STUPID.
For the Nth time: there is no need for the system or the application or the user to know anything. All the system needs to do is create a virtual session for an executable, where the computer's resources are virtualized for the executable.
If the executable is compromised, then the resources of the other executables will not be compromised.
If the executable launches another executable, the first executable's environment is virtualized for the second executable.
WTF, you must be extremely thick if you don't get it!!!
As for the rest of your comments, regarding Ada and security, you are just plain ignorant of embedded systems and Ada if you think they are unsuitable for general purpose operating systems. Embedded real time operating systems have the strictest performance and security requirements, covering much more ground in those two fields than general purpose operating systems.
Then how do legitimate applications access the "real" resources ? If it is the end user that ultimately makes the decision - regardless of whether they do it beforehand (though that adds an additional burden of knowledge making it even more unworkable) or on-demand - then that is not a solution because it will fall victim to the same problem we have today: people are more than happy to do whatever it takes to see the dancing bunnies.
No, applications access resources normally.
a) application vendors to correctly specify the privilege levels they need and
Application vendors do not need to specify privilege levels. All applications must be considered untrustworthy unless proven so or manually set to be so. Each application installed can only manipulate a copy of the resources, except for the files that it has created... thus, if the application is compromised, the system is not affected.
b) end users to make educated decisions about whether or not to trust the vendors.
My proposal explicitly does not require decisions from the end users.
c) a tightly-controlled and strictly enforced source of applications that can be installed.
It's not required.
Modern systems don't lack the features you desire because people haven't thought of it. They lack them because they haven't been practical to implement. Though the exploding popularity of tightly controlled devices like the iPad and iPhone may change this.
You still haven't understood my proposal.
Because my point was the lack of general-purpose OSes written in Ada suggests it's not a viable solution for that purpose.
Not a good argument. Do you have any specific reasons why Ada is not a viable solution? I bet you don't.
Ada is not chosen for operating system development because it is not popular and there are not many developers around. It's purely economics. Other than that, there is no technical reason that Ada is not suitable for commercial operating systems, especially since complex critical safety kernels and systems are built with Ada.
A software giant like Microsoft could easily adopt Ada, though. It might cost a little more, but the end result would be much better software. The reason Ada is not adopted is that Microsoft doesn't really care about security; they care about stock, and security perhaps even goes against that: non-security means a) easy hacking and copying of its products, b) a market generated solely around the deficiencies of its operating system. Both raise the value of their stock, and that's what they are interested in.
Maybe, maybe not. There are numerous and often non-obvious interwoven factors at play in these sorts of situations.
"Maybe, maybe not" is not an argument. Please list specific reasons why Ada is not suitable for general purpose operating systems.
So when the next program opens 'Bar' which copy does it get ?
How does any of this prevent the malware from opening a network connection ?
An application that is considered potentially harmful, like a web browser, runs in a virtual session. When malware asks for file 'Bar' or a network connection, then it uses the virtual resources.
If the file 'Bar' or the network connection or any other resource is a resource that requires more privileges, then the user IS NOT ASKED through UAT or privilege elevation permission to use the resource; instead, a virtual resource has been set up A PRIORI to be used instead of the real one. The malware thinks it uses the real thing, but it does not.
This security setup is created when the application is installed. The user is not involved in any way in the process. New applications can be installed in the context of a running application (say, a new interactive session), but these applications cannot affect anything else in the system. If there is malware installed under a virtual session, then the user can log in to another, more privileged session to correct the problem.
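The per-executable "virtual session" described in the TextEdit/IE and rootkit examples above, and restated in this reply, as a toy model in Python. This is an added illustration, not code from the thread's author or from any real OS; the class and method names, the per-session copy path and the "hidden" resource set are assumptions, and resources are plain strings so that files, registry keys and network endpoints are handled alike.

```python
# Toy model of per-executable virtual sessions with copy-on-write resources.
# Added illustration only: not the thread author's design as implemented
# anywhere; every name below (Session, System, copy path) is hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """One executable's virtual view of the system's resources."""
    name: str
    parent: Optional["Session"] = None           # set when launched by another executable
    overlay: dict = field(default_factory=dict)  # resource -> this session's private copy
    owned: set = field(default_factory=set)      # resources this executable created
    hidden: set = field(default_factory=set)     # resources redirected to null for it


class System:
    def __init__(self):
        self.real = {}  # resource -> content as the rest of the system sees it

    def launch(self, name, parent=None, hidden=()):
        """Start an executable in its own session; a child inherits the parent's view."""
        return Session(name, parent, hidden=set(hidden))

    def _hidden(self, s, res):
        cur = s
        while cur is not None:
            if res in cur.hidden:
                return True
            cur = cur.parent
        return False

    def read(self, s, res):
        """What session s sees: its own copy, an ancestor's copy, or the real resource."""
        if self._hidden(s, res):
            return None  # "redirected to null": read-only malware gets nothing
        cur = s
        while cur is not None:
            if res in cur.overlay:
                return cur.overlay[res]
            cur = cur.parent
        return self.real.get(res)

    def write(self, s, res, data):
        if self._hidden(s, res):
            return  # writes to a null resource are dropped
        if res in s.owned:
            self.real[res] = data  # the creator manipulates the real resource
        elif self.read(s, res) is None:
            self.real[res] = data  # a brand-new resource is real and visible to everyone
            s.owned.add(res)
        else:
            s.overlay[res] = data  # copy-on-write: only this session's view changes

    def copy_location(self, s, res):
        """Where the user finds a session's modified copy (assumed per-session path)."""
        return f"/sessions/{s.name}/{res}" if res in s.overlay else None

    def discard(self, s):
        """Recovery: delete the session's copies; the real resources were never touched."""
        s.overlay.clear()


def demo():
    """Replays the thread's two scenarios and returns what each party observes."""
    box = System()
    # Scenario 1: TextEdit creates Foo.txt; an untrusted browser opens and alters it.
    textedit = box.launch("TextEdit")
    box.write(textedit, "Foo.txt", "original resume")
    ie = box.launch("IE")
    box.write(ie, "Foo.txt", "defaced by a drive-by")  # lands in IE's copy only
    # Scenario 2: a mail client opens a "Christmas card" that is really a rootkit.
    box.real["registry:Run"] = "explorer.exe"          # constructed sample data
    box.real["addressbook"] = "grandpa, friends"       # constructed sample data
    outlook = box.launch("OutlookExpress", hidden={"addressbook"})
    card = box.launch("card.jpg", parent=outlook)      # inherits Outlook's view
    box.write(card, "registry:Run", "rootkit.exe")     # modifies a copy of the registry
    result = {
        "textedit_sees": box.read(textedit, "Foo.txt"),
        "ie_sees": box.read(ie, "Foo.txt"),
        "ie_copy_path": box.copy_location(ie, "Foo.txt"),
        "registry_real": box.real["registry:Run"],
        "card_sees_registry": box.read(card, "registry:Run"),
        "card_sees_addressbook": box.read(card, "addressbook"),
    }
    box.discard(card)  # "simply deleting the rootkit's version of the registry"
    result["card_sees_registry_after_restore"] = box.read(card, "registry:Run")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```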
Perhaps you missed the "general purpose OS" part of my question ? Listing of a bunch of highly-specialised, embedded applications isn't an answer.
Why isn't it an answer? If a programming language is suitable for safety-critical systems, then it certainly is suitable for general purpose operating systems.
I didn't reject it. Like I said, the industry isn't exactly crawling with general purpose OSes (or software, for that matter) written in Ada.
That's why I said that Ada should have been used more.
There is no technology advancement coming out of Apple, but they sure do have the most polished products out there.
Which is not bad in itself. It actually is very good, because it allows non-technical people to enjoy computers, which is very important for the advancement of society as a whole.
I guess STVI is so bad that it is not even worth mentioning.
there's not nearly as much money in it as replacing Microsoft in the home
Apparently, it's not only the home, it's also the office, according to the article: demand for tablets is high in enterprise environments.
They could have named their new O/S "Windows NG", for 'next-generation'. They could run legacy apps via emulation...
Damn you kids and your fancy object-oriented garbage-collected languages!!! Back in the day, we had to account for every BYTE allocated!!!!
True. How about storing the amounts we want onto a device, and using this device to transfer the value onto another device? Wouldn't that work?
You are right. Fighting goat herders with outdated rifles has never been so challenging.
And people whose names end with -Berg, -It, -Man, -Stein, etc. have a special place in history.
For example, Kirk (a young Shatner) interacting with the new Kirk (Chris Pine)...or new TNG/DS9 stories...etc
I wouldn't mind going through the body scanners, as long as their viewing is not done in public.
However, this detail is unknown to us Europeans at this time, so I'd be grateful if this question is answered.
The exemption was that you can jailbreak YOUR OWN phone.
And if you have a few thousand phones that you own, what then?
Was it a buffer overflow?
Then, for the "nth" time, how does a legitimate application modify and interact with the "real" files ? There are numerous reasons why this will be necessary, from simple editing of documents to applying patches.
By using the available file management interface: fopen, OpenFile, etc. Or whatever file management routines the programming language or library that was used to built the application.
For the application, the real files are the files it sees. It's the files the application has created or it is registered to manipulate. For the rest of the system though, the real files are different.
Here is an example: You download TextEdit and you create the file 'Foo.txt'. Every program in the system sees that file. Now you open the file with Internet Explorer. Since IE is an untrusted application, the system does a copy-on-write on file 'Foo.txt'. If any malicious program modifies 'Foo.txt', then it would be the copy of 'Foo.txt' that is being modified, and not the original one. If TextEdit opens the file 'Foo.txt', then it will open the original file, not the one Internet Explorer has modified, thus preventing malicious programs to alter the file. In case the user wants to edit the file 'foo.txt' modified by IE with TextEdit, then he/she may do so: he/she goes to open the file 'foo.txt' that was modified by IE, which is now in another position on the file system.
Here is another example: you download an email with Outlook Express that contains a Christmas Card from your grandpa. It's not a Christmas Card though, it is a rootkit. You double click the Christmas card, the rootkit runs via a buffer overflow using the JPEG library bug and tries to modify the registry by raw access. The system does a copy-on-write on the registry and the rootkit modifies a copy of the registry. Since a copy of the registry is modified, the system can easily be restored to normal status by simply deleting the rootkit's version of the registry.
Yet another example: you want to install OpenOffice. You download the file, you install it. The installation adds an item in your startup folder that loads an OpenOffice toolbar. A copy of the registry is modified as well, just as in the previous case. But this is safe: you leave it running as is. If the OpenOffice toolbar is compromised in the future by malware, you simply delete the copy of the registry. The initial registry remains intact.
So, as you can see, in all cases you have a working system. Malware can only touch and modify copies of resources; programs can manipulate the version of resources that they see as real, i.e. the resources that they have created, and the versions of those resources managed by other programs. The only thing required to restore the system to a good state is to erase the modified resources.
I didn't say they were. I said the fact they weren't being used suggested there was probably a good reason.
Unfounded speculation.
Embedded systems operate in completely different risk profiles (for example, inputs are nearly always minimal, strictly controlled and well-known in advance)
Not true. One of the reasons the US DoD has created Ada is that there was a need for a truly safe programming language that does not allow systems to be compromised due to bugs, even by the personnel who use those systems.
and performance constraints (for example, sacrificing low latency for predictable latency in terms of responsiveness) than general purpose systems do.
There is nothing in Ada that prevents systems from managing latency as they require.
This is before even getting into things like scope of capabilities (embedded systems tend to be quite limited),
Wrong again. Embedded systems can be vastly more complex than your desktop OS, which is mostly for viewing and manipulatin
Which is how it's supposed to be, because duplicating bits may be proven to be much more harmful than actual theft.
Supposing that one writes a very popular piece of art, why shouldn't he/she profit infinitely from it, if there is demand?
AT THIS POINT, I RECOGNIZE THAT YOU MUST BE EXTREMELY STUPID.
For the Nth time: there is no need for the system or the application or the user to know anything. All the system needs to do is to create a virtual session for an executable, where the computer's resources are virtualized for the executable.
If the executable is compromised, then the resources for the other executables will not be compromised.
If the executable launches another executable, the first executable's environment is virtualized for the second executable.
WTF, you must be extremely thick if you don't get it!!!
As for the rest of your comments, regarding Ada and security, you are just plain ignorant of embedded systems and Ada if you think they are unsuitable for general purpose operating systems. Embedded real time operating systems have the strictest performance and security requirements, covering much more ground in those two fields than general purpose operating systems.
Then how do legitimate applications access the "real" resources ? If it is the end user that ultimately makes the decision - regardless of whether they do it beforehand (though that adds an additional burden of knowledge making it even more unworkable) or on-demand - then that is not a solution because it will fall victim to the same problem we have today: people are more than happy to do whatever it takes to see the dancing bunnies.
No, applications access resources normally.
a) application vendors to correctly specify the privilege levels they need and
Application vendors do not need to specify privilege levels. All applications must be considered not trustworthy, unless proven so or set to be so manually. Each application installed can only manipulate a copy of the resources, except for the files that it has created...thus, if the application is compromised, the system is not affected.
b) end users to make educated decisions about whether or not to trust the vendors.
My proposal explicitly does not require decisions from the end users.
c) a tightly-controlled and strictly enforced source of applications that can be installed.
It's not required.
Modern systems don't lack the features you desire because people haven't thought of it. They lack them because they haven't been practical to implement. Though the exploding popularity of tightly controlled devices like the iPad and iPhone may change this.
You still haven't understood my proposal.
Because my point was the lack of general-purpose OSes written in Ada suggests it's not a viable solution for that purpose.
Not a good argument. Do you have any specific reasons why Ada is not a viable solution? I bet you don't.
Ada is not chosen for operating system development because it is not popular and there are not many developers around. It's purely economics. Other than that, there is no technical reason that Ada is not suitable for commercial operating systems, especially since complex critical safety kernels and systems are built with Ada.
A software giant like Microsoft could easily adopt Ada though. It may have cost a little more, but the end result would be much better software. The reason Ada is not adopted is because Microsoft doesn't really care about security; they care about stocks, and security perhaps even goes against that; non-security means a) easy hacking and copying of its products, b) a market generated solely around the deficiencies of its operating system. Both options raise the value of their stocks, and that's what they are interested in.
Maybe, maybe not. There are numerous and often non-obvious interwoven factors at play in these sorts of situations.
"Maybe, maybe not" is not an argument. Please list specific reasons why Ada is not suitable for general purpose operating systems.
How ?
So when the next program opens 'Bar' which copy does it get ?
How does any of this prevent the malware from opening a network connection ?
An application that is considered potentially harmful, like a web browser, runs in a virtual session. When malware asks for file 'Bar' or a network connection, then it uses the virtual resources.
If the file 'Bar' or the network connection or any other resource is a resource that requires more privileges, then the user IS NOT ASKED through UAT or privilege elevation permission to use the resource, but a virtual resource has been set up A PRIORI to be used instead of the real one. The malware thinks it uses the real thing, but it does not.
This security setup is created when the application is installed. The user is not involved in any way in the process. New applications can be installed in the context of a running application (say, a new interactive session), but these applications cannot affect anything else in the system. If there is malware installed under a virtual session, then the user can log in to another, more privileged session to correct the problem.
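The copy-on-write session model sketched in the TextEdit/IE and rootkit examples above, and again in the 'Bar' reply, can be made concrete as a small simulation. This is an added example, not code from the commenter or from any real operating system: the `Session` class, its `overlay`/`owned` fields, and the constructed file and registry paths are all assumptions made here to illustrate the idea. Files an executable creates are real to it; writes to anything else land in a private per-session copy; an executable launched from a session inherits that session's view; and "restoring" means discarding the copies.

```python
"""Toy model of per-executable copy-on-write resource virtualization (added example)."""
from typing import Dict, Optional, Set


class Session:
    """A virtual session for one executable (hypothetical model, not a real OS API).

    Reads fall through this session's overlay, then the launching session's view,
    then the real store. Writes to resources the session did not create go to the
    overlay; resources it creates itself are written for real and marked as owned,
    because to that application they are its real files.
    """

    def __init__(self, name: str, store: Dict[str, str],
                 parent: Optional["Session"] = None, trusted: bool = False) -> None:
        self.name = name
        self.store = store            # the real resources, shared by every session
        self.parent = parent          # session that launched this executable, if any
        self.trusted = trusted        # a trusted (privileged) session writes for real
        self.overlay: Dict[str, str] = {}   # this session's private copies
        self.owned: Set[str] = set()        # resources this session created

    def read(self, path: str) -> Optional[str]:
        if path in self.overlay:
            return self.overlay[path]
        if self.parent is not None:
            return self.parent.read(path)
        return self.store.get(path)

    def write(self, path: str, data: str) -> str:
        """Write and report where it landed: 'real' or 'copy'."""
        if self.trusted or path in self.owned:
            self.store[path] = data
            return "real"
        if self.read(path) is None:           # brand-new resource: the app creates it
            self.owned.add(path)
            self.store[path] = data
            return "real"
        self.overlay[path] = data             # existing resource: copy-on-write
        return "copy"

    def spawn(self, name: str) -> "Session":
        """An executable launched from here sees this session's virtualized view."""
        return Session(name, self.store, parent=self, trusted=False)

    def restore(self) -> int:
        """Drop every copy this session modified; return how many were discarded."""
        count = len(self.overlay)
        self.overlay.clear()
        return count


def scenario() -> Dict[str, object]:
    """Replay the TextEdit/IE and Outlook/rootkit stories on constructed sample data."""
    foo = "C:/Users/me/Foo.txt"          # constructed path
    startup = "HKLM/Run/Startup"         # constructed registry-style key
    real: Dict[str, str] = {startup: "explorer.exe"}
    system = Session("system", real, trusted=True)

    textedit = Session("TextEdit", real)
    textedit.write(foo, "hello from TextEdit")     # new file: real, owned by TextEdit

    ie = Session("IE", real)
    ie_landed = ie.write(foo, "modified by IE")    # existing file: private copy
    helper = ie.spawn("helper.exe")                # launched by IE, inherits IE's view

    outlook = Session("OutlookExpress", real)
    rootkit = outlook.spawn("card.jpg.exe")
    rootkit.write(startup, "rootkit.exe")          # lands in the rootkit's copy only

    return {
        "ie_write_landed": ie_landed,                       # "copy"
        "textedit_sees": textedit.read(foo),                # original text
        "ie_sees": ie.read(foo),                            # IE's copy
        "child_of_ie_sees": helper.read(foo),               # IE's copy, inherited
        "system_startup": system.read(startup),             # untouched
        "outlook_startup": outlook.read(startup),           # untouched
        "rootkit_startup_before": rootkit.read(startup),    # "rootkit.exe"
        "dropped": rootkit.restore(),                       # 1 copy discarded
        "rootkit_startup_after": rootkit.read(startup),     # back to "explorer.exe"
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The one place the model is deliberately permissive is `owned`: a compromised application can still corrupt the files it created itself, which is exactly the exposure the comment accepts when it says programs manipulate the resources they see as real.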
Perhaps you missed the "general purpose OS" part of my question ? Listing of a bunch of highly-specialised, embedded applications isn't an answer.
Why isn't it an answer? If a programming language is suitable for safety-critical systems, then it certainly is suitable for general purpose operating systems.
I didn't reject it. Like I said, the industry isn't exactly crawling with general purpose OSes (or software, for that matter) written in Ada.
That's why I said that Ada should have been used more.
There is no technology advancement coming out of Apple, but they sure do have the most polished products out there.
Which is not bad in itself. It actually is very good, because it allows non-technical people to enjoy computers, which is very important for the advancement of society as a whole.