L4, High Assurance, and Protection

Volkmar Uhlig volkmar at ira.uka.de
Tue Jan 6 13:15:50 CET 2004

> -----Original Message-----
> From: Hermann Härtig [mailto:haertig at os.inf.tu-dresden.de] 
> Sent: Tuesday, January 06, 2004 11:07 AM
> BTW, the perception that Jochen Liedtke considered speed to dominate 
> everything else (see some earlier email) is simply rubbish. 
> Jonathan's statement "that performance cannot be used to justify 
> fundamental insecurity" could as well originate from Jochen Liedtke.

The hitserver is an example where this perception is not rubbish (as you phrased it).

The point I tried to make is that if you want generality of the kernel you have to look at a wide area of applications.  As I stated in previous emails, I'm aware of the insufficiencies of the security model in L4 and I believe that this is well taken care of by many people looking at it.  The same is not true for the performance aspects and my feeling is that "all these important security features" are used to fatten and to slow the kernel unreasonably.

Since you referred to Jochen, here is a quote from "Improving IPC by kernel design":
	"IPC performance is the Master.  Anything which may lead to higher IPC performance has to be discussed. In case of doubt, decisions in favor of IPC have to be taken. But the performance and security qualities of other components must not be seriously impacted."

So far there is no sound model proposed which doesn't add significant overhead and which has the same elegance as L4 today.

- Volkmar

More information about the l4-hackers mailing list