"Gernot" == Gernot Heiser gernot@cse.unsw.edu.au writes:
VU> The point I tried to make is that if you want generality of the
VU> kernel you have to look at a wide area of applications. As I
VU> stated in previous emails, I'm aware of the insufficiencies of
VU> the security model in L4 and I believe that this is well taken
VU> care of by many people looking at. The same is not true for the
VU> performance aspects and my feeling is that "all these important
VU> security features" are used to fatten and to slow the kernel
VU> unreasonably.

Gernot> Hmm, Volkmar, I have to agree with Hermann. One of the core
Gernot> tenets of OS designers should be that performance cannot buy
Gernot> security, and an OS without security is worthless. And
Gernot> security isn't optional.
An important point here is that the we-don't-need-the-extra-security argument doesn't necessarily need to apply to the complete system. It may apply to only a subsystem, e.g., an "application" consisting of several address spaces that does not need any extra security mechanisms when communicating internally. Another example is a system where the device drivers and a number of other trusted services allow efficient, unrestricted object invocation in between each other, but object invocation from outside tasks/threads does need some security policy to be enforced.
eSk