The Iron Yuppie

One of the best parts about having a blog is that when you say something controversial/ intelligent/stupid/etc, someone who is equally, if not more, controversial/intelligent/stupid/etc comes along to give you feedback. Hopefully she is more intelligent than stupid, but any feedback is great. Certainly this was the case when an individual commented on my post of a few weeks ago. It was quite thorough, and I hated the thought of the comment being buried in an archived comment. So, in its entirety:

Generally speaking, of course, Joel is correct. But every once in a while you learn that the model that a piece of software implements genuinely is broken, and you're left with no choice but to revisit the architecture. If the state of the art in software development were more advanced than it is, "revisiting the architecture" wouldn't mean "rewrite," but here we are.

So why a Coyotos? The reason is that it's an object-capability OS, and only object-capability security addresses two major flaws in the traditional ACL model that Windows, Mac OS X, Linux... use. They are the Confused Deputy Problem and the Grant Matcher Puzzle. The overwhelming majority of security issues that Windows exhibits are of the Confused Deputy type.

You can indeed paper over a lot of the issues in Windows; see Polaris: Toward Virus Safe Computing for Windows XP (PDF) for an initial attempt. But pay careful attention to the limitations and consider the costs that this approach imposes in the form of installing an external "shell" and the overhead of some of the file-copying operations that it performs under the covers.

So while it's true that something like Coyotos isn't like to ever become mainstream, what will hopefully happen is that it will inspire the Microsofts and Apples and Linus Torvalds of the world to migrate from ACLs to object-capability security in future OS releases.

To the degree that the project is a research experiment and encourages behavior in more commonly used OSs, I very much agree with him. And because the amount I know about ACLs and confused deputies certainly does not match up with Mr. Snively, I will not debate this point either. It is a problem that we, as computer users, attach so much value to legacy, and ultimately may lock us into the decisions that were made 15 years ago when it came to designing a security model. If we were willing (or able) to throw it all away, there is no doubt there would be new and better ways to design the products today. But of all the product redesign and refactoring I've seen while maintaining some semblance of compatibility, I remain confident that people will be able to rework Linux and Windows XP to attempt to address these problems. With Mr. Snively's comments, at least I now know what to look for.

D