List:       eros-arch
Subject:    [EROS-Arch] BIOS-Level Security
From:       Seth Johnson <seth.johnson () realmeasures ! dyndns ! org>
Date:       2001-04-05 5:21:12


"Jonathan S. Shapiro" wrote:
> 
> Seth Johnson wrote:
> 
> > Turing-completeness isn't really the measure of the "full sense" of what
> > information producers can do.
> > 
> > One might build a case at that level, but as I said, what you end up
> > with in this case isn't a computer; it's a consumer appliance for
> > running apps and coding the OS, rather than being able to code the
> > machine.
> > 
> > Now, the OS might provide capabilities to its owners for them to access
> > machine architecture, but if it doesn't, those "information producers"
> > are proscribed from specific areas.
> 
> Okay, Seth. This has gotten unacceptably fuzzy. I think I understand
> what you are trying to say, but I'm no longer convinced that *you* do,
> because every time somebody tries to pin you down on this you sort of
> wiggle to someplace else. I think you are really arguing something about
> aesthetics, which is a fine case to make but we should be making it in a
> clearer way.

I haven't added or obfuscated anything at all, or wiggled.  I've said
the same thing precisely a few times, and only to clarify or emphasize. 
A consumer appliance limits the options of users, making them consumers
and less than full producers.  This point doesn't really require
restating, but I have presented it clearly several times.

> So: can you give a clear definition of consumer appliance vs. computer,
> and offer a litmus test for what differentiates the two? What exactly is
> it that a user can do with a computer that they cannot do with a secure
> consumer appliance in your view?
> 
> Please note that "they can install new software" is not a differentiator
> -- they can do that on both systems.
> 
> In the end, I think that your answer must come down to: "They cannot
> install just anything that would otherwise run on that hardware. In
> particular, they cannot install other operating systems without
> compromising security." I think that this statement is accurate, but I'm
> not clear why it is important given that EROS will also run on generic
> PCs.
> 
> Also, I think that you really are missing the importance of the virtual
> machine concept here. Every application in *every* operating system runs
> on a virtual machine that consists of the user-mode instructions
> augmented by the operating system services. A processor is simply a
> virtual machine embodied in hardware. Since operating system services
> can be emulated, it is possible in the limit to run unmodified Linux or
> Windows binaries on a secure EROS appliance.

This last paragraph is naturally absolutely correct, and true for
messaging, kernel-based OSes.  I'm not arguing with any of it.

However, just as a for instance, the objects defined by a messaging OS
aren't the be-all of computers.  Being able to develop (or install, as
you keep saying) other OSes, or gaining native code access, would
compromise security if the owner of the machine did not allow it, or he
didn't know what he was doing.  There might be no way in which this
point is important, if one feels that accessing registers, RAM and
devices isn't necessary if one has VMs.  If the point is that a VM is
"just like" a computer, then don't forget (as you know, of course) that
1) it is *not* the same as the computer itself; and 2) the only people
developing below that level, or for that matter below the level of the
kernel, or of C code, will be people who can gain that level of access.

If EROS can be installed on generic PCs, then what I'm saying doesn't
matter, and obviously the question of whether it affects its users is
moot.  Better yet would be providing means of access to the machine
architecture in the OS.

> I guess what I'm confused about in this second point is why you feel
> that "coding the machine" is somehow special or different from coding
> the operating system?

This is more like it.  But it's kind of strange to see this question
asked.

*Everybody* can use their computer at this level, to conduct science,
explore or whatever.  That's just *the way it is* now.  See what I said
above, which is the best I can do -- plus what I originally said about
analysis and synthesis:

> A logic tool lets you analyze and synthesize, and automate any aspect of
> that process, on any kind of information.  It's not about any particular
> object or protocol -- it's about the process of analysis and synthesis
> that makes up any science, including computer science.  That process is
> the universal, and it should not be overlooked.

If you provide capabilities to access the machine architecture, the
environment leaves us in the same position as producers.  If you don't
want to allow that, there isn't any litmus test I can offer to you, that
would define this general ability satisfactorily, beyond what I've
already said.  You are simply providing an API for secure applications. 
I do, however, provide a clear definition of the difference between a
consumer device that forces a boot into a secure OS that does not
provide for this access, and a computer, which can be used much more
generically.

Beyond that, and beyond the obvious difference in speed of execution --
which isn't *specifically* related to the difference between being able
to be a consumer or a producer -- the difference between a device that
forces a boot into an operating system providing all the Turing complete
protocols in the world, and the machine itself, is like the difference
between language and reality.  Too hard to argue sometimes with some
people, but plain and clear anyway to a lot of people.

It's perfectly understandable in the sense that it provides means for
people to use their computers for almost all purposes, securely.  But
it's not something that anybody would say is the same thing.  What
really seems to be your point, is that it would just be too tempting for
people to develop a lot of native code apps if you provided them with
true access to the machine.  That's a different question, though.

That's the best that I can do.  If you think I don't know what I'm
talking about, then either explain, or at least bear in mind that I
really do think I'm making a tremendous amount of sense.

Now, the really nagging question *I* have is:  Just who's tried to pin
me down on anything, up to this point?  You asked if I was saying we
should not offer the end user the option of rendering their machine
secure from Microsoft, and that's it.


Seth Johnson

_______________________________________________
eros-arch mailing list
eros-arch@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/eros-arch