l4-hurd

Re: Part 2: System Structure


From: Bas Wijnen
Subject: Re: Part 2: System Structure
Date: Thu, 25 May 2006 12:38:11 +0200
User-agent: Mutt/1.5.11+cvs20060403

On Thu, May 25, 2006 at 11:02:07AM +0200, Michal Suchanek wrote:
> >> I don't see how your proposal enables a process to check anything
> >> accurately and in a tamperproof way about its environment. In your
> >> model, it is mandatory for a process to trust all of its parents.
> >>
> >> In the ping or competition case, that's not possible.
> >
> >It is.  The parent space bank is the user session, which is not under user
> >control.
> 
> In your proposal the user can choose to run the program in opaque
> storage.  But the administrator cannot choose to set up a program that
> can be run only in opaque storage to ensure its integrity (much like
> suid programs on unix).

He can.  My proposal (which, for clarity, I'd prefer not to need.  But if we
need opaque storage I think this is the way to implement it) makes opaque
storage possible.  A constructor is simply a service which starts a program.
No special features are needed for it.  A constructor which allows running on
opaque user provided storage of course needs a way for the user to provide
opaque storage (and for the constructor to check it).  That's what the
proposal provides.  Implementing a constructor around it which works identically
to constructors in Jonathan's proposal is trivial.

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html
