Small codebase as a prerequisite for security
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Feb 10 19:00:21 PST 2016
Sean Lynch <seanl at literati.org> writes:
>And of course both Nova and seL4 have had a lot of trouble gaining any kind
>of foothold in the market.
That's because you need to add way too much other stuff to them to make them
generally useful. My favourite quote on this, attributed to Nick Foster, is:
You know, when you have a program that does something really cool, and you
wrote it from scratch, and it took a significant part of your life, you
grow fond of it. When it's finished, it feels like some kind of amorphous
sculpture that you've created. It has an abstract shape in your head
that's completely independent of its actual purpose. Elegant, simple,
beautiful. Then, only a year later, after making dozens of pragmatic
alterations to suit the people who use it, not only has your Venus-de-
Milo lost both arms, she also has a giraffe's head sticking out of her
chest and a cherubic penis that squirts colored water into a plastic
bucket. The romance has become so painful that each day you struggle with
an overwhelming urge to smash the fucking thing to pieces with a hammer.
You can write pretty good, minimal, very high-assurance code if you follow
something like DO-178B and get people who are a fair way down the ASD
spectrum to work on it, but then you've got something that's hardcoded to
do one thing really well in a tightly-controlled environment, and nothing
else. A lot of the crap out there exists because it has to interact with
a bazillion buggy pieces of hardware and software and support unique
absolutely mission-critical customer requirements that no-one else on
earth has. seL4 makes all of this someone else's problem, while Linux
and Windows and whatnot make it their problem.
Peter.
More information about the cypherpunks
mailing list