By using aliens a la Smalltalk/Newspeak. The basic idea is that the VM provides an object that has functions that can do this kind of stuff. Now, because we are using a capability based security system we simply don't provide this object to most software in the system, and any we do will have to be approved by the user (with appropriate 'please, for the love of god, don't click the OK button').
This means that only, for example, drivers can access the alien, so only drivers can access memory. This is a lot less code that has to be trusted to do this stuff, a lot less code to be reviewed, and a lot less code to have bugs in it!
It does mean that drivers will have some serious time critical problems; if bytecodes are being interpreted, and memory is being accessed directly _via_ another object, then we have some serious performance issues.
That is one of the big challenges of this system, and I have some ideas about tackling them, but we'll get to that :)
No comments:
Post a Comment