Re: Arbitrary Sandbox

[tmoran@acm.org]

> -- a design that requires compilers to have special privileges
> is a bad idea, whether you call that a "mode" or a "per-file privilege
> attribute" or whatever.

  Catching/preventing bugs earlier rather than later is a good idea.  If
the regular compiler doesn't generate I/O instructions or bad instruction
sequences, then the hardware doesn't need a "user" mode to detect those at
run-time.  You've pushed back the detection so it's done essentially at
the time you give a particular programmer the security status of being
able to use the fancy, I/O Op generating, systems programmer compiler.
Modern computers are designed to run as executable code any sequence of
bits that anyone, including fools and knaves, gives them.  That means you
have to delay protection till run time, with things like user/kernel mode.

> >...  I imagine the Burroughs compiler writers lived under the
> > same situation, except that they could work in the daytime on their
> > own "development" machine.
> The ones I was talking about _shared_ a machine.  So rebooting it
> disrupted the entire project, not just one programmer.

  I think we're talking different eras of computing here.  In the mid '60s
very few people had their own development machines - they were million
dollar mainframes (with only a few hundred kilobytes of core) and were
shared.  At that time very few machines ran multiprogramming - they were
in effect rebooted between each batch job.  Things like memory protection
(eg, Burroughs' "descriptor") were new and rare so there was no
alternative to rebooting when a program crashed hard.  OTOH, a reboot took
seconds, not minutes.