L4, High Assurance, and Protection
haertig at os.inf.tu-dresden.de
Tue Jan 6 11:07:09 CET 2004
Volkmar Uhlig wrote:
>>From: Jonathan S. Shapiro [mailto:shap at eros-os.org]
>>My problem is that performance cannot be used to justify fundamental
>>insecurity. Speed at the cost of correctness is simply unacceptable.
> Agree in general, however there are application domains which don't want
> to give up speed for an unused security model. And you have to accept
> that those apps exist, even if _you_ are not interested in those.
This discussion is going down strange roads ...
Volkmar, I strongly disagree with you here. One of the main motivations
- if not _the_ main motivation together with fault isolation - to invent
L3 and L4 has been security. Isolation using address spaces will
unavoidably cost a few cycles and can ultimately be justified by (fault
isolation and) security arguments only. We do not build micro-kernels
just for wrist watches, and - as Jonathan pointed out correctly - for
cell phones you need a sound security model. And L4 does not have one
and hence needs one. In Dresden, we have been aware of this situation for a
very long time and have to act _now_ because we in Dresden have
excellent opportunities to push the usage of L4 into security domains.
We have to stop looking at the kernel interface just from the point of
view of kernel hackers counting cycles!
BTW, the perception that Jochen Liedtke considered speed to dominate
everything else (see some earlier email) is simply rubbish. Jonathan's
statement "that performance cannot be used to justify fundamental
insecurity" could as well originate from Jochen Liedtke.