Coyotos Secure Operating System

Coyotos Secure Operating System via Slashdot

I see this kind of thing all the time, and not just in software. "Blah is broken; we need to totally rewrite/rerelease/throw-out the old version of blah!" I'd like to quote Joel on Software here:
[They made] the single worst strategic mistake that any software company can make:

They decided to rewrite the code from scratch.

Don't throw away, reuse! I was a big fan of this theory in '99-2000 when I was the CTO of a company and yet when the VCs came in and said throw it all out, I did! Never again (he says with ominous sounds in the background).

To the point at hand, as an intellectual exercise, this new "secure" operating system is interesting. But you will have no users of it except in very limited custom applications, you will have no apps for it and, more importantly, the time spent designing this operating system from scratch would be much better spent on securing (either in code, or through procedures) existing operating systems. Linux, MacOS, Windows XP, etc. all have the ability to be far more secure than you would ever need, and the only reason they are or are not is because application vendors need a little insecurity or else it would be brutally hard to run ("You just double-clicked an application that has not been dual signed by two trusted parties, would you like to run it?")

1 response
Generally speaking, of course, Joel is correct. But every once in a while you learn that the model that a piece of software implements genuinely is broken, and you're left with no choice but to revisit the architecture. If the state of the art in software development were more advanced than it is, "revisiting the architecture" wouldn't mean "rewrite," but here we are.

So why a Coyotos? The reason is that it's an object-capability OS, and only object-capability security addresses two major flaws in the traditional ACL model that Windows, Mac OS X, Linux... use. They are the Confused Deputy Problem and the Grant Matcher Puzzle. The overwhelming majority of security issues that Windows exhibits are of the Confused Deputy type.

You can indeed paper over a lot of the issues in Windows; see Polaris: Toward Virus Safe Computing for Windows XP (PDF) for an initial attempt. But pay careful attention to the limitations and consider the costs that this approach imposes in the form of installing an external "shell" and the overhead of some of the file-copying operations that it performs under the covers.

So while it's true that something like Coyotos isn't likely to ever become mainstream, what will hopefully happen is that it will inspire the Microsofts and Apples and Linus Torvalds of the world to migrate from ACLs to object-capability security in future OS releases.
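The reply above says that most Windows security issues are of the Confused Deputy type and that only object-capability security addresses it structurally. The following is an added illustration of that claim, written for this thread; it is not Coyotos code and not the poster's. It uses the classic "compiler that also writes a billing log" scenario with a constructed in-memory file store and constructed principals (`alice`, `compiler`). In the ACL half, the deputy exercises its own ambient authority on a file the caller merely named; in the capability half, the caller can only hand over authority it already holds, so there is nothing to confuse.

```python
"""Confused deputy: ACL-style ambient authority versus object capabilities.

Added illustration for this thread (not Coyotos code, not the poster's).
The 'compiler that also writes a billing log' scenario is the classic
confused-deputy example; the file store and principals are constructed
in memory.
"""
from dataclasses import dataclass, field


# ---------- ACL model: authority is looked up by (principal, name) ----------

@dataclass
class AclFile:
    name: str
    writers: set                    # the ACL: principals allowed to write
    contents: list = field(default_factory=list)


class AclStore:
    def __init__(self):
        self.files = {}

    def create(self, name, writers):
        self.files[name] = AclFile(name, set(writers))
        return self.files[name]

    def write(self, principal, name, data):
        f = self.files[name]
        if principal not in f.writers:
            raise PermissionError(f"{principal} may not write {name}")
        f.contents.append(data)


def acl_compiler(store, user, output_name, source):
    """The deputy. It runs as the 'compiler' principal, which the ACL lets
    write billing.log. It opens the user's output by the *name string* the
    user supplied, and the store checks only the compiler's own rights, so
    the compiler's authority gets exercised on the user's behalf."""
    store.write("compiler", "billing.log", f"charge {user}")
    store.write("compiler", output_name, f"compiled:{source}")


def run_acl_scenario():
    """Returns (alice_can_write_billing_directly, billing_log_contents)."""
    store = AclStore()
    billing = store.create("billing.log", writers={"compiler"})
    store.create("alice.o", writers={"alice", "compiler"})
    try:
        store.write("alice", "billing.log", "tamper")
        direct = True
    except PermissionError:
        direct = False                  # the ACL denies alice directly
    # ...but naming billing.log as her "output" makes the deputy do it
    acl_compiler(store, "alice", "billing.log", "main.c")
    return direct, list(billing.contents)


# ---------- Capability model: designation and authority are one object -------

@dataclass
class CapFile:
    name: str
    contents: list = field(default_factory=list)


class WriteCap:
    """Unforgeable reference carrying write authority to exactly one file.
    There is no name lookup: a holder can only write what it was handed."""
    def __init__(self, file):
        self._file = file

    def write(self, data):
        self._file.contents.append(data)


class CapCompiler:
    def __init__(self, billing_cap):
        self._billing = billing_cap     # the compiler's own authority

    def compile(self, output_cap, source):
        self._billing.write("charge")
        # Writes only where the caller could already write: the caller
        # supplied the capability, so no ambient authority is borrowed.
        output_cap.write(f"compiled:{source}")


def run_capability_scenario():
    """Returns (billing_log_contents, alice_output_contents)."""
    billing = CapFile("billing.log")
    alice_out = CapFile("alice.o")
    compiler = CapCompiler(WriteCap(billing))   # alice never receives this cap
    alice_cap = WriteCap(alice_out)             # the only authority alice holds
    compiler.compile(alice_cap, "main.c")
    return list(billing.contents), list(alice_out.contents)


if __name__ == "__main__":
    print("ACL model:", run_acl_scenario())
    print("capability model:", run_capability_scenario())
```

In the ACL run the direct write by `alice` is refused, yet the billing log still ends up with her "compiled" output, because the deputy resolved a name using its own rights. In the capability run the compiler's interface takes a `WriteCap`, not a name, so the only way to get output into a file is to hold a capability for it; the billing capability was never given to `alice`, and there is no string she could pass to reach it. That is the structural difference the reply is pointing at: the deputy no longer has to remember on whose behalf it is acting, because the caller's authority is the only authority in play for the caller's file.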