L4, High Assurance, and Protection
Espen Skoglund
esk at ira.uka.de
Wed Jan 7 20:30:44 CET 2004
>>>>> "Gernot" == Gernot Heiser <gernot at cse.unsw.edu.au> writes:
VU> The point I tried to make is that if you want generality of the
VU> kernel you have to look at a wide area of applications. As I
VU> stated in previous emails, I'm aware of the insufficiencies of
VU> the security model in L4 and I believe that this is well taken
VU> care of by many people looking at. The same is not true for the
VU> performance aspects and my feeling is that "all these important
VU> security features" are used to fatten and to slow the kernel
VU> unreasonably.
Gernot> Hmm, Volkmar, I have to agree with Hermann. One of the core
Gernot> tenets of OS designers should be that performance cannot buy
Gernot> security, and an OS without security is worthless. And
Gernot> security isn't optional.
An important point here is that the we-don't-need-the-extra-security
argument doesn't necessarily need to apply to the complete system. It
may apply to only a subsystem, e.g., an "application" consisting of
several address spaces that does not need any extra security
mechanisms when communicating internally. Another example is a system
where the device drivers and a number of other trusted services allow
efficient, unrestricted object invocation in between each other, but
object invocation from outside tasks/threads does need some security
policy to be enforced.
eSk
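The boundary-only enforcement eSk describes above, as an added example in C that is not from this thread or from any L4 kernel: threads are grouped into constructed "protection domains", invocations inside a domain take a fast path with no policy lookup, and only cross-domain invocations (an outside task calling a driver, say) are checked against an assumed allow table.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model: every thread belongs to one protection domain. */
typedef struct { uint32_t tid; uint32_t domain; } thread_t;

enum { DOM_APP = 1, DOM_TRUSTED = 2, DOM_UNTRUSTED = 3, DOM_MAX = 4 };

/* Assumed policy for cross-domain invocation: allow[src][dst].
 * Index 0 is unused so a zero-initialised thread is never a valid domain. */
static const bool cross_domain_allow[DOM_MAX][DOM_MAX] = {
    /*                 0      app    trusted untrusted */
    [DOM_APP]       = { false, true,  true,  false },
    [DOM_TRUSTED]   = { false, true,  true,  true  },
    [DOM_UNTRUSTED] = { false, false, true,  false },
};

/* Counts how often the slow (policy) path ran, to show where the cost lands. */
static unsigned long policy_checks;

unsigned long policy_checks_count(void) { return policy_checks; }

/* Returns true if src may invoke an object owned by dst. */
bool may_invoke(const thread_t *src, const thread_t *dst)
{
    if (src->domain == dst->domain)
        return true;                 /* same subsystem: no policy consulted */
    if (src->domain == 0 || src->domain >= DOM_MAX ||
        dst->domain == 0 || dst->domain >= DOM_MAX)
        return false;                /* malformed domain: fail closed */
    policy_checks++;                 /* only the boundary crossing pays */
    return cross_domain_allow[src->domain][dst->domain];
}

/* Simplified IPC send: 0 on success, -1 when the policy denies the call. */
int ipc_send(const thread_t *src, const thread_t *dst, uint32_t payload)
{
    (void)payload;                   /* message contents are not modelled */
    return may_invoke(src, dst) ? 0 : -1;
}
```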