From: Scott Burson on
On Jan 19, 4:16 am, Tamas K Papp <tkp...(a)gmail.com> wrote:
> Imagine having desktop Lisp machines
> today, with x86-like speed but the same security model. Would you browse
> the web on that?

HELL no.

Clearly a lot of work would have had to be done on security.

-- Scott
From: Scott Burson on
On Jan 19, 12:24 pm, p...(a)informatimago.com (Pascal J. Bourguignon)
wrote:
>
> There is no way to call g so that it modify v1: there is isolation in lisp!

But not on the LispM, which had subprimitives (with names like SI:%P-
CONTENTS-OFFSET if memory serves) to read and write arbitrary
locations within any object, and which were not bounds-checked either.

On the other hand, ordinary arrays were bounds-checked, and were not
stack-allocated either, removing one familiar attack style that works
on many C programs. Still I am sure there were other vulnerabilities
-- and once you're in at all, you have the whole machine.

-- Scott
From: Frode V. Fjeld on
Helmut Eller <eller.helmut(a)gmail.com> writes:

> Tell me your implementation and I'll show how to modify v1.

Tell me your flavor of unix and I'll show you how to modify another
process. Here's an example form the machine I'm sitting at now:

frode(a)shevek:~$ sleep 1000 &
[1] 21184
frode(a)shevek:~$ ll /proc/21184/mem
-rw------- 1 frode frode 0 2010-01-20 09:47 /proc/21184/mem

My point is, in all security problems you have to be explicit about what
the threat you're protecting against is.

Typical linux desktops today have two security domains: "root" and some
user. Root privileges are if I'm not mistaken required only to do
permanent damage to the system as such (i.e. ruin the file-system other
than /home). Note that in at least one sense this is the least
protection-worthy part of the system because you can always download a
new OS CD and reinstall it. (Of course I know there are other issues
involved, but I'm making a one-sided argument here..) Most MS-windows
desktops don't even bother with this protection, and provide the user
with administrator privileges.

If you have user privileges you can still read and write *everything*
you (qua user) have on disk and in memory, so privacy is out, and safety
is out.

I'm not saying there aren't advantages to the inter-process safety that
e.g. linux provides, but it's not absolute safety, and these things do
crash, and I suspect there is a heavy, heavy cost in terms of usability
(for sure) and performance (perhaps) incurred by this safety model.

--
Frode V. Fjeld
From: Nick Keighley on
On 20 Jan, 09:13, "Frode V. Fjeld" <fr...(a)netfonds.no> wrote:
> Helmut Eller <eller.hel...(a)gmail.com> writes:

<snip>

> My point is, in all security problems you have to be explicit about what
> the threat you're protecting against is.
>
> Typical linux desktops today have two security domains: "root" and some
> user. Root privileges are if I'm not mistaken required only to do
> permanent damage to the system as such (i.e. ruin the file-system other
> than /home). Note that in at least one sense this is the least
> protection-worthy part of the system because you can always download a
> new OS CD and reinstall it. (Of course I know there are other issues
> involved, but I'm making a one-sided argument here..) Most MS-windows
> desktops don't even bother with this protection, and provide the user
> with administrator privileges.

this is less true than it used to be. I don't have admin privilege on
the windows machine I'm currently using. I suspct many office machines
are set up so the user doesn't have admin privs.

Later version of XP had better security and Vista came with them out-
of-the-box. Which caused much whining amongst those people used to the
older Windows "security model" (ie. none to speak of). Vista now has
the reputaion of prompting you every 30s for the admin password. It
doesn't, of course. And if you really want to you can turn off the
security.


> If you have user privileges you can still read and write *everything*
> you (qua user) have on disk and in memory, so privacy is out, and safety
> is out.
>
> I'm not saying there aren't advantages to the inter-process safety that
> e.g. linux provides, but it's not absolute safety, and these things do
> crash, and I suspect there is a heavy, heavy cost in terms of usability
> (for sure) and performance (perhaps) incurred by this safety model.


--
Nick Keighley
From: Nick Keighley on
On 19 Jan, 20:24, p...(a)informatimago.com (Pascal J. Bourguignon)
wrote:
> Helmut Eller <eller.hel...(a)gmail.com> writes:
> > * Frode V. Fjeld [2010-01-19 13:54+0100] writes:
>
> >> I don't know that there's anything with Firefox that would be impossible
> >> or even more difficult to do on a lispm than e.g. linux. Other than the
> >> sheer amount of work required to implement a browser, that is.
>
> > Isolation?  Unix uses the MMU to isolate process from each other.  That
> > makes it fairly safe to execute programs written in low level languages
> > like C or assembler.  The accessible memory is protected by the MMU and
> > everything else must be done via syscalls.
>
> > On the Lisp Machine every program had (intentionally) access to the
> > whole machine.  That simplified debugging.  On the downside, a bug in
> > one program could bring down the entire machine.  In Unix terms, there
> > was no distinction between user space and kernel space.
>
> > Isolation also forced the Unix people to invent shared libraries so that
> > at read-only data/code could be shared safely.  Nothing like that existed
> > on Lisp Machines, or does it?
>
> > I would not want to use an OS that doesn't provide isolation.
>
> So you can happily use an OS written in lisp, without a hardware MMU.
>
> (let ((v1 (vector 1 2 3)))
>   (defun f (x)
>     (if (<= 0 x 2) (aref v1 x))))
>
> (defun g (v i)
>   (setf (aref v i) 0))
>
> There is no way to call g so that it modify v1: there is isolation in lisp!

I recall reading some stuff anout PLT Scheme that, if I recall
correctly, was saying that the virtual machine used by PLT scheme did
much of the protection that OSs typically do. The perticular machine
prevents you from doing whatever the VM provider wishes to prevent you
from doing.