Also, this paper suggests that the answer to multi-tasking problems is to move the complexity out into the language. It's funny how PL researchers will always spin the situation so that it demands more PL research. If we're really moving into a many cores future as people suggest, then we should have architectures that give each application a dedicated core. No context switching. Of course, you'd need a simple system and not a billion daemons running in the background waiting to be exploited by criminals.
Jonathan Shapiro is not a traditional PL researcher. He is the architect and lead developer of EROS (www.eros-os.org) and CapROS (http://www.capros.org), and the author of a vast number of papers on secure and high-performance reliable real-time operating systems. The confinement mechanism in EROS was provably secure (i.e. provably impossible for applications to leak permissions) by Shapiro, and AFAIK is still the only meaningful and practical security mechanism demonstrated to do so, which is a pretty significant contribution in the field of computer science.
(Although having been a voyeur of his work for over a decade now, I'm sure he would be quick to point out that much of EROS was based on formalising ideas from GNOSIS and KeyKOS, and the work of Hardy, Franz, Landau et al. over 20-30 years earlier.)
BitC evolved out of a need to prove that the implementation of the confinement mechanism (prototyped in EROS) matched the model (proven in his PhD thesis), and so the CapROS system (built in BitC) was born (well that plus some architectural changes based on lessons learned from EROS). From that perspective it's much more than just another systems programming language - it has a definitive purpose to advance the state of the art in practical and theoretical computer science. (FWIW, they never did accomplish this goal [http://www.bitc-lang.org/docs/bitc/bitc-origins.html]).
I've been looking through EROS, CapROS, Coyotes, etc. for a bit - thanks for all the references.
Is there still any forward motion here? It seems like a lot of the sites haven't been updated for a good number of years. A notable exception was BitC, which was news from 2010 - still not that recent.
Not that I'm aware of, unfortunately. I haven't followed things much over the past 2-3 years, though.
I suspect there are two forces at play:
1. Building a pure capability-based operating system has minimal payoff. While personally I believe the result will be an amazingly reliable, high performance, secure system, the fact is the operating systems we have today are apparently "good enough" that nobody is interested in funding further work in this area (AFAIK Shapiro and others did form a venture in this regard; what came of it I don't know). Keep in mind that much existing software will have to be re-engineered, and a good part of the OS utilities redesigned since if you're going the pure capability route the significance of files becomes pretty much purely a user thing.
2. At a higher level, in my opinion (as an amateur capability-based systems theorist) the benefits of distributed capability-based systems have already been realised as the shape of the evolving web, albeit on much cruder foundations than those designed as part of the literature. Cookies + URLs are pretty much capabilities, and web services (including web sites!) are effectively distributed objects. Javascript + HTML have fulfilled the dream of being able to ship and run data, code and user interfaces remotely, which is the foundation for an unplanned human + computer usable distributed ecosystem.
Javascript, while not the cleanest language, is a solid language for a capability-based system (in terms of capability rules: everything is an object, objects can only be accessed via references [capabilities], objects references can only be acquired by (a) creating the object or (b) by receiving a capability), i.e. capabilities cannot be forged. If you're interested in what an even more pure approach, designed by people who really know what they're talking about, would look like then take a look at http://www.erights.org and http://www.waterken.com .
In this sense, the first true modern capability-based operating system will probably be the first true web operating system.
I think it's pretty cool, and a confirmation of the ideas in Gnosis, KeyKOS, EROS, Coyotos, CapROS, E, etc. that the natural evolution of the largest distributed system on the planet (the Internet) effectively took the form of a distributed capability-based system.
Thanks, I really appreciate the info. Sorry for my slow response, I hope you see this.
Building a pure capability-based operating system has minimal payoff.
Given the massive security problems we see today, if capabilities are the right solution (are they?), it seems like the payoff could be massive. It seems like "mass adoption" would be hard to achieve (except in the really long term), but it seems like it would be possible to find early adopters who "really really" need good security (e.g. certain military applications, maybe?).
At a higher level, in my opinion (as an amateur capability-based systems theorist) the benefits of distributed capability-based systems have already been realised as the shape of the evolving web, albeit on much cruder foundations than those designed as part of the literature.
This is extremely interesting. Reminds me of the idea behind the "separation kernel" which is supposed to mimic in software the security that can be achieved by connecting systems only over extremely well-defined channels (e.g., the systems are physically disconnected except for an ethernet port that is very well controlled). I can find a refence on security kernels if you're interested and not aware of them already.
Anyway, it does seem to me that there are lots of applications (e.g., embedded applications) where distributing everything over the Internet isn't really going to work (not that you're suggesting that). I'd really like to see people tackle security for this kind of system in an entirely new way. Maybe capabilities is part of that.
A better idea would be to just build a small system whose security was obvious. Computer scientists are right to mimic mathematics. They're just mimicking it too directly. Mathematics is based on construction from simple axioms and cross-checking of different theories. Computer systems should be reduced to small parts with redundant checks against human error. If you prove a kernel "correct" that just means it will be that much harder to rewrite it if it turns out not to be what you wanted.
I've read many of your comments on this thread, and I believe most of them to be unrealizable for non-trivial applications. Anyone can write a simple web-service, but how does one write a super low latency network file system in such a way that "security is obvious?"
Your accusation is useless because the PL tools don't solve this problem either. Currently the only tools we have in networks are cryptographic and social, and those are not provably secure. And the point is that what is considered "non-trivial" nowadays is actually "monstrously huge and self-serving". A computer is just a tool but people want to build a whole world in there. And after that they become addicts, leading to absurd rationalisations about how we need more to cure us.
Wasn't me (I can't downvote) but I have had a similar experience in the Go thread so I share your frustration. This is the reason I stopped visiting Reddit.
I just downvoted you because you are saying something dismissive about someone who has clearly spent a long time studying the alternatives and making a balanced informed decision.
Now it may be that you have some great insight but your post doesn't seem to give me any epiphanies.
"If we're really moving into a many cores future as people suggest, then we should have architectures that give each application a dedicated core. No context switching."
You probably don't want that either because the cost of moving data between cores will be so high from both a performance and a power consumption POV. The days of free coherency between cores will eventually come to an end; you can already see evidence of that in multi-socket Intel and AMD machines (if you try to ignore the NUMA nature of memory, you swamp the link between sockets and perf tanks in a variety of apps).
Why would you be moving data between cores? I'm talking about an arrangement where each core is dedicated to a single program. No sharing of memory, even via the kernel. Each hardware devices talks to a single core only. Multiplexing of hardware would be done in.. hardware. For all intents and purposes the "core" could be out on the network.
All this throughput nonsense is benchmrk lies. Websites are not as a general rule highly responsive. They have huge variability in response times. Who cares if it costs a bit more to run the system if it means having a nice predictable system built for simplcity and safety from the ground up?
You need an event-driven system because the number of "tasks" rarely matches the number of physical cores available. One tried and true, fault-tolerant event-driven interface is provided by the kernel: processes (and threads). It has interfaces for binding to NUMA regions and such.
Any system you design will have to tackle a lot of the hard problems that kernels deal with. Now maybe you have a simpler system in mind, but it has to be drastically better for anyone to consider giving up binary compatibility.
You are completely misunderstanding me. I am not saying "let's all move to this new utopian system". I am suggesting that we move away from the idea of making universal systems entirely. Write software that is small enough that complete rewrites can be accomplished without trouble. The current situation is to build ourselves a problem that gets harder and harder to undo as time goes on.
You can't call something that's been around for less than 100 years "tried and true". I'm not saying we can't have "virtual CPUs" for tasks that can handle a performance hit. But it is becoming an unavoidable impediment. "Simple" doesn't mean "easy". It means predictable, small and undoable. The exact opposite to where we are heading.
I write a lot of code that runs in funny environments like the Compute Node Kernel running on Blue Gene systems, with offset-mapped memory (no TLB) and no over-subscription. It's fantastic for reproducible performance, but it's a specialized environment and people want to do things like run Python (as "glue" for some scientific applications) which needs dynamic loading. Since all IO is exported to separate IO nodes, and due to file system consistency semantics, dynamic loading is a tremendous bottleneck. This has escalated to the point where people burn a quarter million core hours to load Python (plus C extension modules) once on a large machine. To really solve the scalability problem, we needed to make dlopen() avoid touching the file system (by patching ld.so and implementing the POSIX file API with collective semantics served over the fast network).
The point here is that there are good reasons to want to use different systems together and then you end up putting in lot of effort working around the limitations of the specialized environments.
It sounds like you're basically proposing Plan 9--lots of very small, single-purpose components with one standardized way of passing data between them used across the entire system.
Also, you can ask a lot of people to give up binary compatibility and be okay, but asking people to give up source compatibility and change applications is a much, much harder pill to swallow. Specialized environments (like the syscall-shipping CNK on Blue Gene like jedbrown mentions) are usually seen as something to work around because they are impediments to productivity. A more robust system wouldn't be considered useful if everyone has to start from scratch.
I'm not really interested in what's "considered useful". Look at the state of web applications. Basically what we could already do in 1996 but using more resources and full of ads and other distractions. And yet to many people this step backwards represents state of the art computing. "Productivity" is highly overrated. Computers are already extremely useful without a bunch of gimmicks. Most of the Web 2.0 companies are creating the desire for their own product. Facebook has turned family photo sharing into a circus show. It doesn't serve any need other than to push for more neomaniacal computerisation. Some people will want to share family photos over the web. We can do that with very simple software. It can even be loaded on demand and sandboxed without any configuration without a hugely complex platform. _Simple_ virtual machines capable of this kind of work aren't hard to construct. But people keep chasing idiotic benchmarks instead. And if it's too slow then change the hardware to make sandboxing easier.
Each hardware device is accessed by a single process at a time. Any multiplexing that needs to be fast is done in hardware. Other multiplexing can be done in user space. For example, and application can request a dedicated channel to some blocks on the hard disk (adjudicated by the OS) or just use another hard disk. Remember, we're building simple applications here so things don't need to constantly write off the the disk for various tasks. You would only be dealing with the disk if your actual data was too big to fit into memory. Cases like that need careful design, not delegation off to some other programmer who doesn't know your problem.
If you're running a server application you split it into some reasonable number of tasks and allocate cores to them as needed. Nothing else runs on the system at all. If you need more cores either upgrade your hardware or you build another identical machine and talk to it over the network. If you look at the way Moore designs, he's crafting a complete artifact to solve a specific problem, not just throwing generic parts together.