[bitc-dev] nondeterminism and access control
Mark Miller
erights at gmail.com
Sun Mar 15 18:02:18 EDT 2009
On Sun, Mar 15, 2009 at 2:49 PM, Eric Rannaud <eric.rannaud at gmail.com> wrote:
> This kind of consideration doesn't belong to a language's runtime (maybe
> in a system like Singularity from MS Research,
Or any of <http://wiki.erights.org/wiki/Object-capability_languages>.
> but we're not talking about that for BitC).
I am. As with Scheme and ML, the attention paid by BitC to good
modularity and software engineering considerations has led it into
being almost an object-capability language. I do not speak for the
BitC project, but I am interested in seeing BitC used in this way.
> The reason is that the OS already cares about
> security (and containment between processes), and it cannot trust the
> applications (and their runtime) to not look at the content of newly
> allocated pages. So the OS has to clear the pages itself.
Certainly. But just because the OS doesn't trust a process, it does
not follow that all parts of an individual process must trust all
parts of the same process. BitC is almost perfectly suitable for
supporting mutual suspicion at much finer grain than individual
processes. It would be a shame to blow this possibility on details.
> When you use BitC to program the OS itself, you will have to zero
> pages explicitly. You cannot just clear any newly allocated memory: for
> instance, it doesn't make a lot of sense to zero out an area reserved
> for DMA.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
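The two positions in this exchange can be made concrete with a small allocator. The following C is an added example, not code from the thread or from the BitC project: a hypothetical fixed-block pool (`pool_alloc`, `pool_free`, names and sizes assumed) in which one component stores a constructed sample secret and releases the block, after which a second, mutually suspicious component in the same process allocates and reads what was left behind. The `ALLOC_ZEROED` policy is the runtime-side fix Eric describes the OS applying to pages; `pool_free_scrubbed` is the alternative of scrubbing on release; and the `ALLOC_RAW` path is what remains legitimate only where the caller itself is about to overwrite the whole block, the DMA case mentioned at the end of the quoted text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy pool allocator (added example, not BitC's runtime). */
#define POOL_SIZE  256
#define BLOCK_SIZE 64
#define NBLOCKS    (POOL_SIZE / BLOCK_SIZE)

static uint8_t pool[POOL_SIZE];
static bool    in_use[NBLOCKS];

/* ALLOC_RAW hands back whatever bytes the block last held; ALLOC_ZEROED
 * clears the block first, so the caller sees only its own writes. */
enum alloc_policy { ALLOC_RAW, ALLOC_ZEROED };

void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
}

void *pool_alloc(enum alloc_policy policy) {
    for (size_t i = 0; i < NBLOCKS; i++) {
        if (!in_use[i]) {
            in_use[i] = true;
            uint8_t *block = pool + i * BLOCK_SIZE;
            if (policy == ALLOC_ZEROED)
                memset(block, 0, BLOCK_SIZE);
            return block;
        }
    }
    return NULL;
}

/* Plain release: contents are deliberately left in place, as a raw
 * allocator does. The next allocation of this block inherits them. */
void pool_free(void *p) {
    size_t i = (size_t)((uint8_t *)p - pool) / BLOCK_SIZE;
    in_use[i] = false;
}

/* Scrub-on-release: the owner removes its data before giving the block
 * back, so it need not trust the allocation path used by the next owner. */
void pool_free_scrubbed(void *p) {
    memset(p, 0, BLOCK_SIZE);
    pool_free(p);
}

/* Constructed sample secret; any byte string would do. */
static const char secret[] = "api-token-EXAMPLE";

/* Component A writes the secret and frees; component B allocates under
 * `policy`. Returns 1 if B can read A's secret, 0 otherwise. */
int secret_leaks_with_policy(enum alloc_policy policy) {
    pool_reset();
    char *a = pool_alloc(ALLOC_RAW);
    memcpy(a, secret, sizeof secret);
    pool_free(a);
    char *b = pool_alloc(policy);     /* first free block is the same one */
    int leaked = memcmp(b, secret, sizeof secret) == 0;
    pool_free(b);
    return leaked;
}

/* Same scenario, but A scrubs on release and B uses the raw policy. */
int secret_leaks_after_scrubbed_free(void) {
    pool_reset();
    char *a = pool_alloc(ALLOC_RAW);
    memcpy(a, secret, sizeof secret);
    pool_free_scrubbed(a);
    char *b = pool_alloc(ALLOC_RAW);
    int leaked = memcmp(b, secret, sizeof secret) == 0;
    pool_free(b);
    return leaked;
}

int main(void) {
    printf("raw alloc after plain free:      leak=%d\n", secret_leaks_with_policy(ALLOC_RAW));
    printf("zeroed alloc after plain free:   leak=%d\n", secret_leaks_with_policy(ALLOC_ZEROED));
    printf("raw alloc after scrubbed free:   leak=%d\n", secret_leaks_after_scrubbed_free());
    return 0;
}
```

The raw path is the one a kernel would keep for a buffer a device is about to fill by DMA: clearing it buys nothing because the device overwrites every byte before any reader sees the block, which is why zeroing cannot be applied blindly to all allocations. Everywhere else, either the allocator zeroes on hand-out or the previous owner scrubs on release; which side enforces the boundary is a design choice, but one of them must, or the block's previous contents become an unadvertised channel between components that were never meant to trust each other.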