L4, High Assurance, and Protection

[Hermann Härtig]

Volkmar Uhlig wrote:
>>-----Original Message-----
>>From: Jonathan S. Shapiro [mailto:shap at eros-os.org] 

>>My problem is that performance cannot be used to justify fundamental
>>insecurity. Speed at the cost of correctness is simply unacceptable.
> 
> 
> Agree in general, however there are application domains which don't want
> to give up speed for an unused security model.  And you have to accept
> that those apps exist, even if _you_ are not interested in those.

This discussion is going down strange roads ...

Volkmar, I strongly disagree with you here. One of the main motivations 
- if not _the_ main motivation together with fault isolation - to invent 
L3 and L4 has been security.  Isolation using address spaces will 
unavoidably cost a few cycles and can ultimately justified by (fault 
isolation and) security arguments only. We do not build micro-kernels 
just for wrist watches, and - as Jonathan pointed out correctly - for 
cell phones you need a sound security model. And L4 does not have one 
and hence needs one. In Dresden, we are aware of this situation since 
very long time and have to act _now_ because we in Dresden have 
excellent opportunities to push the usage of L4 into security domains. 
We have to stop looking at the kernel interface just from the point of 
view of kernel hackers counting cycles!

BTW, the perception that Jochen Liedtke considered speed to dominate 
everything else (see some earlier email) is simply rubbish. Jonathan's 
statement "that performance cannot be used to justify fundamental 
insecurity" could as well originate from Jochen Liedtke.

--hermann