On Wed, 2005-04-13 at 17:01, Dan Sugalski wrote:[...]So here's what I was thinking of for Parrot's security and quota model. (Note that none of this is actually *implemented* yet...)It's actually pretty straightforward, the hard part being the whole "don't screw up when implementing" thing, along with designing the base set of privs. Personally I think taking the VMS priv and quota system as a base is a good way to go -- it's well-respected and well-tested, and so far as I know theoretically sound. Unix's priv model's a lot more primitive, and I don't think it's the one to take. (We could invent our own, but history shows that people who invent their own security system invent ones that suck, so that looks like something worth avoiding)
VMS at least *is* a priv-based security model, but VMS privs are not appropriate for parrot on the whole.
Right. The privileges themselves are generally inappropriate for our use, which is fine. It's the model that I'm interested in, as it's the model that gets screwed up so badly, or so I'm told.
Anyway, a number of people I deeply respect (and who do this sort of thing for a living, at deep levels) have told me flat-out that we're better not having a security system than we are trying to roll our own, and the common response to "We're lifting VMS'" has been "Good. Do that."
I think it would be easier to start from scratch, personally. I understand your concerns, but I don't think you run any less risk by creating a new VM security model out of an OS security model than you do by creating a new one. They both create many opportunities to make a mistake.
That's not been the general consensus I've seen from people doing security research and implementation. This is an area that I've no real experience doing any sort of design in, and the people who have the experience say not to, so I think it best to take them at their word.
If you really want to reduce the chances that you'll make a mistake, swipe the security model from JVM or CLR and start with that. At least those have been tested in the large, and map closer to what Parrot wants to do than VMS.
The problem is twofold with those. First, there's some indications that they're busted, and second (and more importantly) they're both very coarse-grained, and that leads to excessive privs being handed out, which increases your exposure to damage. If a library routine needs to potentially exceed memory quotas we'd rather not give it the equivalent of root privileges.
Don't get me wrong. I loved VMS back in the day. It was a pain in the ass at times, but what isn't. It's just that it's not a VM trying to execute byte-code... it's an operating system which directly manages hardware.
Yeah, but don't forget that for all intents and purposes parrot is an OS trying to execute bytecode, especially when you look at the environments that the features will get used in.
--
Dan
--------------------------------------it's like this-------------------
Dan Sugalski even samurai
[EMAIL PROTECTED] have teddy bears and even
teddy bears get drunk
