 |
|
|
|
|
|
| |
| |
|
|
|
|
| |
| |
|
|
http://research.microsoft.com/os/Singularity/
Cool stuff. Low-overhead message passing even between separate
processes. Kind of like Hermes done reasonably well, then used to
implement AmigaDOS-like OS reasonably well. :-)
--
Darren New / San Diego, CA, USA (PST)
Ever notice how people in a zombie movie never already know how to
kill zombies? Ask 100 random people in America how to kill someone
who has reanimated from the dead in a secret viral weapons lab,
and how many do you think already know you need a head-shot?
Post a reply to this message
|
|
| |
| |
|
|
From: Darren New
Subject: Re: Who was looking for message-passing OS examples?
Date: 6 Aug 2008 16:59:41
Message: <489a10bd$1@news.povray.org>
|
|
|
| |
| |
|
|
Darren New wrote:
> http://research.microsoft.com/os/Singularity/
>
> Cool stuff.
Oh, and it also illustrates what I was saying about not needing
destructors on your GC'ed resources if your OS actually implements
things correctly.
--
Darren New / San Diego, CA, USA (PST)
Ever notice how people in a zombie movie never already know how to
kill zombies? Ask 100 random people in America how to kill someone
who has reanimated from the dead in a secret viral weapons lab,
and how many do you think already know you need a head-shot?
Post a reply to this message
|
|
| |
| |
|
|
From: Darren New
Subject: Re: Who was looking for message-passing OS examples?
Date: 7 Aug 2008 12:19:52
Message: <489b20a8$1@news.povray.org>
|
|
|
| |
| |
|
|
Darren New wrote:
> Oh, and it also illustrates what I was saying about not needing
> destructors on your GC'ed resources if your OS actually implements
> things correctly.
And right now, one apparently writes system configuration information
(i.e., what you'd normally feed into a program to generate a setup or
boot script or "package") in Haskell.
--
Darren New / San Diego, CA, USA (PST)
Ever notice how people in a zombie movie never already know how to
kill zombies? Ask 100 random people in America how to kill someone
who has reanimated from the dead in a secret viral weapons lab,
and how many do you think already know you need a head-shot?
Post a reply to this message
|
|
| |
| |
|
|
From: Darren New
Subject: Re: Who was looking for message-passing OS examples?
Date: 7 Aug 2008 16:58:47
Message: <489b6207$1@news.povray.org>
|
|
|
| |
| |
|
|
Darren New wrote:
> Oh, and it also illustrates what I was saying about not needing
> destructors on your GC'ed resources if your OS actually implements
> things correctly.
It also shows a way of doing basically C++-like allocation management
while nevertheless proving you're not leaking. That is, with minimal
additional declarations (like, this procedure consumes its argument,
like "dispose" does), you can prove at compile time that you aren't
leaking memory and not using memory you already deallocated.
And they do experiments to show that the software checks for array
bounds are actually significantly (33%) faster than the hardware checks
you have to do anyway if you don't check it in software.
Overall, a very cool system with lots of cool results.
--
Darren New / San Diego, CA, USA (PST)
Ever notice how people in a zombie movie never already know how to
kill zombies? Ask 100 random people in America how to kill someone
who has reanimated from the dead in a secret viral weapons lab,
and how many do you think already know you need a head-shot?
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
I don't know about Singularity and it's particular design goals, but the
other day I was thinking: What would happen if you set out to design a
new OS completely from scratch? What would that look like?
It seems to me that most OS designs today are really quite similar. For
example, in every OS I'm aware of, there is some kind of CLI that allows
you to invoke executable programs, optionally passing some arguments,
and the invoked program inherits 3 streams - stdin, stdout and stderr.
The exact details vary, but this basic story seems to apply to every
common OS.
What if we wanted to shake that up a litle? What might we decide to do
differently?
Well, currently a program's arguments are just a giant blob of text. The
OS does nothing more than hand it over to the program, which may then
interpret them in any way it pleases. This is LCD; it works for
everything, but it's not terribly sophisticated.
How about if, say, the program could somehow "tell" the OS what
arguments it actually accepts? (In the same way a program file usually
contains metadata to "tell" the OS all kinds of other stuff about it,
such as linking information.) Then the OS could report invalid argument
names without even needing to bother actually starting the program
itself. And just think of the auto-complete possibilities.
Hey, let's go one better. The majority of CLI arguments are either
on/off switches or filenames, right? Well what if we *tell* the OS what
things are on/off switches, and that their default state should be? What
if we *tell* it which things are supposed to be filenames? (And whether
the name in question *should* or *should not* exist when the program is
run? Or whether it should be a *file* or a *directory*? Or maybe even
the name of another program?)
Once you start thinking this way, you start to see that actually, if we
get the OS to interpret the arguments and pass *structured* data to the
program [rather than just a blob of textual data], suddenly all sorts of
interesting ideas become possible.
If nothing else, it means that CLI arguments now have a standardised
format, enforced by the OS, which makes it easier to learn how to
operate each new program. Maybe all the program does is somehow list a
bunch of settings it requires? Maybe then you can specify those either
by CLI arguments, or a per-user or per-machine set of defaults? Maybe
the OS has a database of these default settings somewhere? All kinds of
interesting ideas to throw around.
Similarly, on a "normal" OS, each program sets three character streams.
(And Unix programs in particular seem to do weird trickery to discover
whether the output stream "is a TTY" and behave differently if it is.)
It's also traditional to pipe data between programs.
Maybe we can do something more interesting here? Maybe we can pass
*structured* data around instead of just plain character streams?
(Although now you start having potential difficulties with finding a
data representation that everybody likes.) Maybe not every program has
to have exactly 3 such streams? Maybe piping data between programs
running on physically seperate networked machines shouldn't be too
different from piping locally? Just a thought...
Tradition dictates that when a program exists, it returns a "status
code", which is simply an integer. Zero indicates success, anything else
indicates failure or at least some kind of warning. (And every program
uses its own slightly different set of conventions here.)
Maybe we can do something better here too? Maybe we could have a small
set of standard categories like "program bug", "resource exhaustion",
"the network won't answer me", and provide a set of application-specific
codes for the actual failures that a particular program can have?
How about logging? Windoze does this slightly better than Linux in that
there are (typically 3) logs that applications can write to if they
want. But maybe we could do something better than that? Maybe
per-application logs? (If a given application wants it.) Maybe tell the
OS how to invoke different levels of logging? Just some ideas.
Of course, when you look at filesystems, most OSes provide a construct
known as a "file" which is an opaque sequence of bytes. (And a few
provide a means to specify what those bytes are supposed to represent.)
I suppose you could go down the route of having files contain structured
data - but again you're going to get people arguing over the best way of
structuring things.
I've often thought about what would happen if, say, Smalltalk was the
entire OS. Then the OS would "know about" the internal workings of each
program to a large degree, and that opens up some rather interesting
possibilities. Things like highly structured IPC and so forth. Trouble
is, now you can only run stuff implemented in Smalltalk...
In short, once you sit down and start to question the way OSes work
today, you start to see that there are actually many things we could be
doing differently - ranging from the conservative to the highly radical.
(To me, really radical ideas are interesting to think about but probably
wouldn't work too well in practice.)
Heh, if *I* had 3 years to sit and write an OS, maybe I could experiment
with a few of these ideas? ;-)
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Does anybody *else* find it ironic that Micro$oft - the corporation
internationally renowned for its poor quality, buggy products - is
interested in methods of producing high-quality software?
Surely bug-free software isn't very profitable? :-P
Regardless, Singularity has a number of interesting ideas.
- Let the compiler enforce program isolation, not the processor
hardware. (That works great if everybody uses your compiler, but I'm not
sure what happens if you allow arbitrary 3rd party code to execute...)
- Make IPC fast and use it liberally. Use IPC for plugins instead of
dynamic loading. Use statically-checked IPC protocols.
- Put almost everything outside the kernel and make all the security
decisions there.
- Assign security rights to applications as well as users. (I have often
wondered why no OS does this already...)
Some interesting ideas there...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Invisible <voi### [at] dev null> wrote:
> - Let the compiler enforce program isolation, not the processor
> hardware. (That works great if everybody uses your compiler, but I'm not
> sure what happens if you allow arbitrary 3rd party code to execute...)
The only way to make an OS secure is to have hardware support. Hardware
is the only thing that can stop a program from accessing what it must not
access.
(Ok, there's another alternative: Run the programs under an emulator.
Of course this is out of question because of speed issues.)
--
- Warp
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
>> - Let the compiler enforce program isolation, not the processor
>> hardware. (That works great if everybody uses your compiler, but I'm not
>> sure what happens if you allow arbitrary 3rd party code to execute...)
>
> The only way to make an OS secure is to have hardware support. Hardware
> is the only thing that can stop a program from accessing what it must not
> access.
>
> (Ok, there's another alternative: Run the programs under an emulator.
> Of course this is out of question because of speed issues.)
Their approach seems to be to "verify" each program before it runs,
checking that it doesn't do any "bad" things.
Presumably verifying whether a program does or does not do something
"bad" is formally equivilent to the halting problem, so I imagine they
apply some arbitrary set of restrictions to simplify the problem.
Singularity is of course a research experiment, not a production-grade
OS. It would be interesting to see if they could make it work in the
face of hostile 3rd party code...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Invisible <voi### [at] devnull> wrote:
> Their approach seems to be to "verify" each program before it runs,
> checking that it doesn't do any "bad" things.
That's impossible. It can be proven that it's an unsolvable problem,
exactly for the same reason as the halting problem is unsolvable. There's
no way for any program to check if a piece of code is executed and how.
It's also impossible for it to know, for example, the addresses of all
pointers by simply examining the program (for example the address of a
pointer could be calculated from user input).
> Presumably verifying whether a program does or does not do something
> "bad" is formally equivilent to the halting problem, so I imagine they
> apply some arbitrary set of restrictions to simplify the problem.
Those restrictions could seriously hinder compiler optimizations.
For example accessing the nth element of an array can usually be done
with a simple CPU opcode. However, if the system restricts this because
it cannot prove what that n might contain, it means that the compiler
cannot generate the single opcode for accessing that array, but must
perform something much more complicated to keep the system happy.
Ah, but that's the trend nowadays: Computers get faster and the amount
of RAM grows exponentially with time. There's no need for highly optimized
code.
--
- Warp
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
>> Their approach seems to be to "verify" each program before it runs,
>> checking that it doesn't do any "bad" things.
>
> That's impossible. It can be proven that it's an unsolvable problem,
> exactly for the same reason as the halting problem is unsolvable.
In the general case, it's definitely unsolvable. I'm not sure precisely
what they're doing to "make" it solvable - but clearly it must involve
some kind of limitation or other.
>> Presumably verifying whether a program does or does not do something
>> "bad" is formally equivilent to the halting problem, so I imagine they
>> apply some arbitrary set of restrictions to simplify the problem.
>
> Those restrictions could seriously hinder compiler optimizations.
It's hard to say, but it *also* appears that Singularity runs some kind
of portable VM code.
From what I can gather, when you "install" an application, a verifier
checks that the VM code doesn't do any "bad" things, and then compiles
it to native code - whatever that might be. Then when you run the
application, it just runs the native code, trusting that it can't
possibly do bad things.
Apparently it "works" in their research prototype. Whether it could work
in a real-world OS is another matter entirely...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
|
|
