Small codebase as a prerequisite for security

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Feb 10 19:00:21 PST 2016


Sean Lynch <seanl at literati.org> writes:

>And of course both Nova and seL4 have had a lot of trouble gaining any kind 
>of foothold in the market.

That's because you need to add way too much other stuff to them to make them
generally useful.  My favourite quote on this, attributed to Nick Foster, is:

  You know, when you have a program that does something really cool, and you 
  wrote it from scratch, and it took a significant part of your life, you 
  grow fond of it. When it's finished, it feels like some kind of amorphous 
  sculpture that you've created. It has an abstract shape in your head 
  that's completely independent of its actual purpose. Elegant, simple, 
  beautiful. Then, only a year later, after making dozens of pragmatic 
  alterations to suit the people who use it, not only has your Venus-de-
  Milo lost both arms, she also has a giraffe's head sticking out of her 
  chest and a cherubic penis that squirts colored water into a plastic 
  bucket. The romance has become so painful that each day you struggle with 
  an overwhelming urge to smash the fucking thing to pieces with a hammer. 

You can write pretty good, minimal, very high-assurance code if you follow
something like DO-178B and get people who are a fair way down the ASD
spectrum to work on it, but then you've got something that's hardcoded to
do one thing really well in a tightly-controlled environment, and nothing 
else.  A lot of the crap out there exists because it has to interact with
a bazillion buggy pieces of hardware and software and support unique
absolutely mission-critical customer requirements that no-one else on 
earth has.  seL4 makes all of this someone else's problem, while Linux 
and Windows and whatnot make it their problem.

Peter.
