
List:       cap-talk
Subject:    Re: [cap-talk] Specs for our 'ideal' language?
From:       Matej Kosik <kosik () fiit ! stuba ! sk>
Date:       2009-09-28 21:45:35
Message-ID: 4AC12E7F.3030504 () fiit ! stuba ! sk

David Barbour wrote:
> On Sun, Sep 27, 2009 at 12:39 AM, Matej Kosik <kosik@fiit.stuba.sk> wrote:
>> Various tricks (like JIT) may:
>> - improve performance
>> - decrease the size of the virtual machine
>>  (e.g. by eliminating the interpreter)
>> but do they eliminate the virtual machine altogether?
>>
>>
>> Perhaps then, `managed code' is equivalent to `code executed with the
>> help of a virtual machine (sometimes called a runtime)'.
> 
> Even C code executes on an 'abstract machine'. It's just a rather
> 'thin' abstract machine when implemented on certain computer
> architectures - in particular, when executed on single-core uniform
> memory architectures. C is doing less well today: its virtual machine
> does not effectively account for concurrency, GPUs, FPGAs,
> event-processing, etc. Most C in use today requires complex,
> incomplete frameworks and much self-discipline to make up for the gap
> and mismatch between its virtual machine and the real machine.
> 
> The difference between 'abstract machine' and 'virtual machine' is a
> rather arbitrary line in the sand regarding thickness of the
> implementation, how much mapping is required. I don't consider it to
> be a worthy distinction, not nearly so much as considering practical
> qualitative and quantifiable concerns such as performance and
> optimizations achievable.

ok

> 
>> I am not focusing very much on performance. Rather, on elegance of
>> object-capability security model in certain contexts. I am experimenting
>> with it in kernel-space and there are some nice comparisons with other
>> approaches that use other security mechanisms which lead to different
>> results. I am interested in all the language properties that are related
>> to creation of software systems that are robust.
> 
> I'm curious: How do you measure 'elegance'?

I will not try to define elegance in general.

I can try to explain why I think object-capability security model is
elegant.

- it is bogusless
  (I do not systematically bookmark bogus claims, but if it were
   necessary I could find some samples)
- it is simple
  (simple to understand, simple to use, simple to explain---the
   less people initially know, the better).
  (things cannot be made simpler than they are)
- it is powerful
  (I can enforce arbitrary "computable security policy")
  (I can enforce arbitrary "describable security policy")
  (I do not have to choose between security and usability)
  (I can follow POLA)

I am not yet quite sure if it is not also partially a matter of honor
(to stop issuing inherently fragile software; that is crazy).

> 
> Have you considered social language properties, such as support for
> distributed multi-user programming (including pair programming),

I think this problem will start to bother me if I get to a certain level
with the language I haven't yet reached. But I am adding this to the
mindmap.

> integration with zero-button unit-testing, etc.

Likewise.
(I like unit tests even though I do not have (cannot have at the moment)
any such framework. I have a primitive form of unit tests only for the
compiler. The unit tests check the behavior of terminating and
non-terminating processes. In the case of non-terminating processes I let
them run for a second and match their output against a regexp.)

> Object capability
> itself is extremely suitable for testing environments, since it
> guarantees the environment can be modeled entirely within software
> even for larger integration tests. Certain properties for the language
> - especially its namespace design and nominative vs. structural typing
> - can determine whether programmers tend to specialize code into tiny
> little niches vs. share it.

I can't agree or disagree with you above because I do not fully
understand what you mean.

> 
> Have you considered other robustness properties? My own interest in
> 'robust' computing had much to do with *survivable* computing. That
> is, computing that can survive natural disasters, slashdot effect,
> military jamming, intermittent stealth-mode, and network attacks.
> Hallmarks of such a design are more than mere 'robustness' - one also
> needs graceful degradation (partial service while under attack) and
> resilience (self-healing and recovery).  Object capability model only
> helps for a few of these: one also requires secure models for
> distribution, replication (for both disruption resistance and
> regeneration), persistence, etc.

I have made bookmark to this.
(I, alas, cannot do more)

There are many useful and good things that can be done with proper
technology, but we do not want to discuss everything on the record.
-- 
Matej Kosik
_______________________________________________
cap-talk mailing list
cap-talk@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk
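The message above claims that an object-capability design lets one enforce an arbitrary computable security policy and follow POLA. The following is an added example, not code from the thread or from Matej Kosik's system: a "caretaker" (revocable forwarder) in JavaScript that interposes a policy between a holder and a resource, plus a read-only facet that attenuates authority. The store, the call-budget policy and the demo scenario are all constructed for illustration.

```javascript
// Added example (not from the cap-talk thread): object-capability patterns
// behind the "arbitrary computable policy" and POLA claims.

// A constructed resource: a tiny in-memory key/value store (assumed for illustration).
function makeStore() {
  const data = new Map();
  return Object.freeze({
    get: (k) => data.get(k),
    put: (k, v) => { data.set(k, v); },
    keys: () => [...data.keys()],
  });
}

// Attenuation (POLA): a read-only facet. The holder of this object has no
// reference to `put` at all; there is no permission bit to misconfigure.
function readOnly(store) {
  return Object.freeze({
    get: (k) => store.get(k),
    keys: () => store.keys(),
  });
}

// Caretaker: wraps every method of `target` so each call first passes
// `policy(name, args)`, an arbitrary predicate computed in software.
// The forwarder and the revoker are separate capabilities: holding the
// forwarder gives no way to revoke, holding the revoker gives no way to
// use the target.
function makeCaretaker(target, policy) {
  let live = target; // set to null on revocation
  const forwarder = {};
  for (const name of Object.keys(target)) {
    if (typeof target[name] !== 'function') continue;
    forwarder[name] = (...args) => {
      if (live === null) throw new Error('capability revoked');
      if (!policy(name, args)) throw new Error('policy denied: ' + name);
      return live[name](...args);
    };
  }
  const revoker = Object.freeze({ revoke() { live = null; } });
  return { forwarder: Object.freeze(forwarder), revoker };
}

// Example policy: allow at most n calls through this particular forwarder.
// Per-holder state like this is natural here and awkward in an ACL system.
function callBudget(n) {
  let remaining = n;
  return () => remaining-- > 0;
}

// Runs `fn`, returning its result or the error message; keeps the demo pure.
function attempt(fn) {
  try { return fn(); } catch (e) { return e.message; }
}

// Constructed scenario: a client receives only a budgeted, revocable,
// read-only view of the store. Results are returned so they can be checked.
function demo() {
  const store = makeStore();
  store.put('secret', 42);
  const { forwarder, revoker } = makeCaretaker(readOnly(store), callBudget(2));
  const out = {};
  out.first = forwarder.get('secret');                 // 42: first call within budget
  out.hasPut = 'put' in forwarder;                     // false: write authority never handed out
  out.second = forwarder.keys();                       // ['secret']: second call within budget
  out.third = attempt(() => forwarder.get('secret'));  // 'policy denied: get'
  revoker.revoke();
  out.afterRevoke = attempt(() => forwarder.keys());   // 'capability revoked'
  return out;
}
```

The pattern is only as strong as the language's reference discipline: in plain Node.js, shared mutable prototypes and ambient globals (e.g. `require`) are ways around it, so a real deployment would run this under an SES-style hardened environment or a language designed as an object-capability language. The example shows the shape of the argument, not a complete enforcement boundary.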