5.16: adde/gui/integrating terminal with gui:
. the terminal (aka, command line interface(cli))
can be integrated with the gui features
by printing a stream of windows instead of lines .
. the subwindows roll out of view like lines
but you can drag them out of the cli window
and then they stay pinned .
. these windows are titled command`output#nnn .
5.16: adde/gui/numeric presentations:
. the structures have a natural default
graphic representation,
but numbers have some options
if it doesn't show 3 significant digits,
then we move from decimal notation (n.nn)
to engineering version of scientific notation (n.n e n)
(with exponent a multiple of 3 and we show 6..7 digits )
0.00nnn -> n.nnn e -3
0.000nnnn -> 0.nnnn e -3
0.000,00n -> n.nnn e -6
. if users change the default,
we ask if it should be acct-wide,
it works like a calculator
with format options including
fixed, number of frac digits, sci, eng,
or mixed whole + fractions .
2012-05-31
enforce mem limits or support vmem
5.15: adda/mem'mgt/enforce limits or support vmem:
. how to handle the situation where
a process may use too much memory ?
how do we set limits ?
. if a subprogram has a large job,
it might get a warning exception
and its exception handler for that
wants to offer to OS some reassurance:
just like it should be telling user how far along the job is,
each subprogram needs to declare a
max memory usage intention,
or know of the default max,
or handle the max'd-mem.exception
with a percentage of work done .
. another strategy for avoiding memory limits
is to implement our own virtual memory,
so that unused local heaps can be stored ....
. the c heap provides only a finite virtual memory:
each process may have a 4gb vmem limit .
. so, we need to get around this limit
by using files to store our memory;
then we only need to keep an eye on harddisk limits .
. how to handle the situation where
a process may use too much memory ?
how do we set limits ?
. if a subprogram has a large job,
it might get a warning exception
and its exception handler for that
wants to offer to OS some reassurance:
just like it should be telling user how far along the job is,
each subprogram needs to declare a
max memory usage intention,
or know of the default max,
or handle the max'd-mem.exception
with a percentage of work done .
. another strategy for avoiding memory limits
is to implement our own virtual memory,
so that unused local heaps can be stored ....
. the c heap provides only a finite virtual memory:
each process may have a 4gb vmem limit .
. so, we need to get around this limit
by using files to store our memory;
then we only need to keep an eye on harddisk limits .
revocability and transivity of capabilities
5.15: adda/cap'based/revocable capabilities:
. I'm seeing how to do revocable capabilities
-- the same way as concurrency:
the client is given the server's mail box,
the client sends a link of who they are
and which client mail box the result is wanted in;
then the client id is ok'd with security
-- asking: (does client x have access to service y ?).
web:
Grand Unified Capabilities/Advantages:
. if you give A access to B, and B access to C,
you are implicitly giving A access to C;
so, if you wanted to deny A access to C,
you have to check the capabilities of
everything A is allowed to call .
. I'm seeing how to do revocable capabilities
-- the same way as concurrency:
the client is given the server's mail box,
the client sends a link of who they are
and which client mail box the result is wanted in;
then the client id is ok'd with security
-- asking: (does client x have access to service y ?).
web:
Grand Unified Capabilities/Advantages:
embodies OrthogonalSecurity, FineGrainedHistory,5.15: adda/cap'based/transivity of capabilities:
BidirectionalCapabilities .
. One achieves orthogonal security
in precisely the same way as TransparentPersistence:
by building it in at such a low level
that programmers never see it .
It entails pervasive use of the FacetPattern
(Restrict an interface to obtain a smaller interface
that provides less authority)
and the PrincipleOfLeastPrivilege.
. see security patterns:
FacetPattern
CaretakerPattern
ProtectionProxy
UserPassword
PermissionFlags
TwoKindsOfCapabilities
RevokableCapabilities
. if you give A access to B, and B access to C,
you are implicitly giving A access to C;
so, if you wanted to deny A access to C,
you have to check the capabilities of
everything A is allowed to call .
Labels:
adda,
cap'based,
capabilities
numeric literals
5.12: adda/syntax/value literals:
. since numeric literals from an arbitrary base
will be using the usual symbols,
we could declare them to be a numeric sub type:
11.B = 2*1+1,
11.B8= 8*1+1,
11.H = 16*1+1 .
. however, that doesn't work because then we are
reserving that symbol for the number literals;
what we need is a way to say BEEF.someType,
and still be able to say BEEF(base16)
in the same context .
. I had previously noted that
[@] 5.10: mis.adda/type/number's base like a dimension?
math's traditional way for expressing base
is with a subscript, hence BEEF#16;
my problem with that was that it
precluded many symbols from being array names;
but, now I see it could still be possible
if we use type names instead of the base's number:
H.type: number; BEEF#H .
but that does get noisy when combining with arrays!
eg, BEEF# BEEF#H = BEEF#48879 .
number sign for value of a type:
. how about a new context notation
for accessing a type's value:
Typemark#valueLiteral,
and then as a special case of that,
numeric bases are types:
eg, H#BEEF
-- not unlike Ada's 16#BEEF#;
but, we can't use 16#BEEF because
it's confusing when used as an array subscript:
eg, A# 16#10 ambiguously means either
A#(16,10) or A#(16#10) (returns an array) .
eg, B#10 for base 2, H#10 for hexadecimals,
O#10 for octals, and T#10 for tetroctals
(base 32 = 4*8 = tetra-oct-al = tetroctal).
review of multi-subscript arrays:
. AT.type: #.int; -- a named array type .
A#.AT; -- an array of array;
means the same as A#.#.int .
. then A is accessed as either A#i#j, or A#(i,j) .
currency sign for value literal spaces:
. another idea is that bases are not really subtypes,
so what we need is a new syntax for value literals:
. it could be like the above except replacing (#) with ($)
-- currency is the sign of value (as in worth);
eg, B$10 = 2, O$10 = 8, and H$10 = 16,
while $10 = still means usa cash;
but, $green can be an abbreviation for
color$green since green is obviously not a number .
. by having the option of using ($) on enumerations,
we can have separate name spaces for them,
so that I can use both the variable green
and the literal color $green in the same context .
TypeId#value vs ValueType$valueLiteral:
. types can be thought of as arrays of values,
so t#x evals x as one of t's values .
. B$10 = the value 10 as parsed by the binary value type .
Color#green works only if green is not redefined;
because in the expression (aType#x),
x can be any expression, not just a literal;
Color$green is always unambiguous;
because the ($) says what follows is
one of a type Color's literals .
. RGB$(0,0,1) -- RGB color model for color literals .
5.10: mis.adda/type/number's base like a dimension?:
. can the notation indicating a number's base
be unified with the dimension system ?
not elegantly, because it confuses a concept:
. the number is a measure,
and the dimension indicates
which property is being measured;
whereas,
in the case of the numeric base indicator,
it indicates how to parse the text .
. we need special syntax for an identifier
to differentiate a typed symbol
from a typed literal value;
because,
the set of literals is indefinitely large from being
defined as a regular expression,
such that there are no identifiers left for symbols .
. numeric literals are from a reserved set of identifiers:
ie, no other symbols than numbers
can start with the digit characters;
but then in bases above 10,
the numeric literal can be confused with a symbol .
. notice too how bases share identifiers:
10 means something different in every base .
. therefore, each literal for non-default base
must have a syntax that says not only the base,
but the fact that this a numeric literal, not a symbol .
. the core system expects ( [, " ) to mean something special,
and all other symbols mean a symbol name .
. a string literal starts with (")
a numeric literal starts with a digit,
an operator symbol starts with non-alphanumeric;
and any other symbol starts with
([),(_), or an alphabetic .
-- literal expressions start with (')
but that's a 2nd meaning of literal because
other literals mean adda should neither parse nor eval,
whereas literal expressions should be parsed .
5.10: adda/type/
defining value literals with regular expressions:
. the general way of handling expressions of literals
is to let the type mgt define it,
so numbers need not be part of the core lang at all,
instead being a module that comes with the core system .
. to generalize the way numeric type define literals,
a type mgt can defines its literals either as
enumerations or as regular expressions .
5.31:
. but if type mgt's are handling all reading of literals,
then constants types aren't known by their assigned values;
because, the value could be a literal,
and no longer implies a particular type .
. one way the above idea could still be useful,
is in talking about compilers that are partial,
and are completed by importing a set of native types,
so then these native types complete the definition of the compiler;
eg, the compiler generator's job is to
analyze all the given native types,
making sure that their literal definitions
are not overlapping .
. it would be a lot simpler to stay classical,
and make some native literals be part of the core language .
5.10: adda/type/review of dimension systems:
. a number can have 3 parts
qty, dimension of qty, and thing being measured:
3 liter water
-- water is a noun measurable by either
volume, mass, moles, or monetary value .
5.12:
. dimensions are used by type physical;
the physical measure type includes a pointer to
a symbol of type physical .
. since numeric literals from an arbitrary base
will be using the usual symbols,
we could declare them to be a numeric sub type:
11.B = 2*1+1,
11.B8= 8*1+1,
11.H = 16*1+1 .
. however, that doesn't work because then we are
reserving that symbol for the number literals;
what we need is a way to say BEEF.someType,
and still be able to say BEEF(base16)
in the same context .
. I had previously noted that
[@] 5.10: mis.adda/type/number's base like a dimension?
math's traditional way for expressing base
is with a subscript, hence BEEF#16;
my problem with that was that it
precluded many symbols from being array names;
but, now I see it could still be possible
if we use type names instead of the base's number:
H.type: number; BEEF#H .
but that does get noisy when combining with arrays!
eg, BEEF# BEEF#H = BEEF#48879 .
number sign for value of a type:
. how about a new context notation
for accessing a type's value:
Typemark#valueLiteral,
and then as a special case of that,
numeric bases are types:
eg, H#BEEF
-- not unlike Ada's 16#BEEF#;
but, we can't use 16#BEEF because
it's confusing when used as an array subscript:
eg, A# 16#10 ambiguously means either
A#(16,10) or A#(16#10) (returns an array) .
eg, B#10 for base 2, H#10 for hexadecimals,
O#10 for octals, and T#10 for tetroctals
(base 32 = 4*8 = tetra-oct-al = tetroctal).
review of multi-subscript arrays:
. AT.type: #.int; -- a named array type .
A#.AT; -- an array of array;
means the same as A#.#.int .
. then A is accessed as either A#i#j, or A#(i,j) .
currency sign for value literal spaces:
. another idea is that bases are not really subtypes,
so what we need is a new syntax for value literals:
. it could be like the above except replacing (#) with ($)
-- currency is the sign of value (as in worth);
eg, B$10 = 2, O$10 = 8, and H$10 = 16,
while $10 = still means usa cash;
but, $green can be an abbreviation for
color$green since green is obviously not a number .
. by having the option of using ($) on enumerations,
we can have separate name spaces for them,
so that I can use both the variable green
and the literal color $green in the same context .
TypeId#value vs ValueType$valueLiteral:
. types can be thought of as arrays of values,
so t#x evals x as one of t's values .
. B$10 = the value 10 as parsed by the binary value type .
Color#green works only if green is not redefined;
because in the expression (aType#x),
x can be any expression, not just a literal;
Color$green is always unambiguous;
because the ($) says what follows is
one of a type Color's literals .
. RGB$(0,0,1) -- RGB color model for color literals .
5.10: mis.adda/type/number's base like a dimension?:
. can the notation indicating a number's base
be unified with the dimension system ?
not elegantly, because it confuses a concept:
. the number is a measure,
and the dimension indicates
which property is being measured;
whereas,
in the case of the numeric base indicator,
it indicates how to parse the text .
. we need special syntax for an identifier
to differentiate a typed symbol
from a typed literal value;
because,
the set of literals is indefinitely large from being
defined as a regular expression,
such that there are no identifiers left for symbols .
. numeric literals are from a reserved set of identifiers:
ie, no other symbols than numbers
can start with the digit characters;
but then in bases above 10,
the numeric literal can be confused with a symbol .
. notice too how bases share identifiers:
10 means something different in every base .
. therefore, each literal for non-default base
must have a syntax that says not only the base,
but the fact that this a numeric literal, not a symbol .
. the core system expects ( [, " ) to mean something special,
and all other symbols mean a symbol name .
. a string literal starts with (")
a numeric literal starts with a digit,
an operator symbol starts with non-alphanumeric;
and any other symbol starts with
([),(_), or an alphabetic .
-- literal expressions start with (')
but that's a 2nd meaning of literal because
other literals mean adda should neither parse nor eval,
whereas literal expressions should be parsed .
5.10: adda/type/
defining value literals with regular expressions:
. the general way of handling expressions of literals
is to let the type mgt define it,
so numbers need not be part of the core lang at all,
instead being a module that comes with the core system .
. to generalize the way numeric type define literals,
a type mgt can defines its literals either as
enumerations or as regular expressions .
5.31:
. but if type mgt's are handling all reading of literals,
then constants types aren't known by their assigned values;
because, the value could be a literal,
and no longer implies a particular type .
. one way the above idea could still be useful,
is in talking about compilers that are partial,
and are completed by importing a set of native types,
so then these native types complete the definition of the compiler;
eg, the compiler generator's job is to
analyze all the given native types,
making sure that their literal definitions
are not overlapping .
. it would be a lot simpler to stay classical,
and make some native literals be part of the core language .
5.10: adda/type/review of dimension systems:
. a number can have 3 parts
qty, dimension of qty, and thing being measured:
3 liter water
-- water is a noun measurable by either
volume, mass, moles, or monetary value .
5.12:
. dimensions are used by type physical;
the physical measure type includes a pointer to
a symbol of type physical .
combining records and arrays
5.4: adda/dstr/combining records and arrays:
5.31: summary:
. records and arrays in the Python language are seen as
2 different operations even within the same object;
and, that is a feature that can't be emulated
if records and arrays are seen as
2 methods for accessing the same components;
eg, you couldn't have separate components for
agg.field and agg# field .
. we can use arrays as an extension of records,
so if the array has no such item agg# field,
then it checks for an agg.field;
and conversely, if there's no agg.field,
then it checks agg# field
-- always giving priority to the accessor in use,
so that there can exist both agg.field and agg# field .
. if there exists an agg.field
and we'd like to create an agg# field,
we can do so by making the assignment: agg#(field)`= ... .
. if we haven't yet made that assignment,
then reading agg#field will default to returning agg.field .
. records and array notation have been seen as interchangeable;
but, Python's ability to provide both
dictionaries and record fields,
has me wondering if I can do that,
and still use them interchangeably .
[5.30:
. an array is simply a record with an additional constraint:
all the components or fields are the same type;
however, with oop, arrays can be varying type
as long as all fields have a common supertype .
. conversely, record field selection can be computed
just like arrays use indexing for selection
if there is some function that returns symbols,
(if the symbol isn't a field then there's a range exception). ]
. the record notation has been for
any time one wants to use a literal field name
whereas the array syntax has been for
computing the field name(ie, with a non-literal)
but of course computing included the use of literals .
. the syntax for doing both would be .< .( ...), #().t >
(that's a class definition with nothing but
record and array accessors).
. we want all adda symbols to be typed,
so, to allow our arrays to be like python's dictionaries,
we need a type called "(any) (same as Object)
to indicate an escape from a specific type .
. then our pythonic symbols are typed .tall
(pointer To ALL)
and that type includes the pythonic array access:
#(hashable).any .
. if the domain is floats
then interchanging {rec, array} is confusing
because the dot is used as both a field selector
and the float's fraction selector;
eg, does x.1.2 mean x#(1.2), or x#(1, 2) .
. so then, another rule of record type is that the
domain type must be a symbol, not any hashable ?
. it would be better if records and arrays were
not interchangable, except that
if you would like to compute a record's name,
you can do that with array notation
but if you use a record's field selector (x.field)
then you mean x has been declared a record
... uh,
if a symbol can be both record and array
then record names cannot be computed,
because, that requires the use of array notation,
but then the reader will be getting confused:
are you referring to your symbol's record fields
or to its array components ?!
[5.30: nevertheless, it could work because,
we are saying that the array and record
are accessing the same fields;
ok, but,
didn't you want your record's fields to be typed?
. we could say that by defining record fields,
we're reserving those fields to be a particular type,
so then if the array assigns them some other type,
that raises an exception .]
another way record's can be like arrays is you say ...enum,
.( .. .trafficlight: .t ) as shorthand for
.( black, red, yellow, green: .t )ie,
in a record declaration,
.. can be followed by an enum type name
you can also list integer ranges?
. uh,
as part of keeping the language simple,
if we want to use range notation,
we should declare it to be an array .
5.30:
. if we didn't declare the domain to be type .type,
then types could still be shorthand for sets of values,
so we could give assignments like this:
A#( .trafficlight)`= {0; 1; 2; 3}
as shorthand for
A#{black; red; yellow; green}`= {0; 1; 2; 3} .
5.31: summary:
. records and arrays in the Python language are seen as
2 different operations even within the same object;
and, that is a feature that can't be emulated
if records and arrays are seen as
2 methods for accessing the same components;
eg, you couldn't have separate components for
agg.field and agg# field .
. we can use arrays as an extension of records,
so if the array has no such item agg# field,
then it checks for an agg.field;
and conversely, if there's no agg.field,
then it checks agg# field
-- always giving priority to the accessor in use,
so that there can exist both agg.field and agg# field .
. if there exists an agg.field
and we'd like to create an agg# field,
we can do so by making the assignment: agg#(field)`= ... .
. if we haven't yet made that assignment,
then reading agg#field will default to returning agg.field .
. records and array notation have been seen as interchangeable;
but, Python's ability to provide both
dictionaries and record fields,
has me wondering if I can do that,
and still use them interchangeably .
[5.30:
. an array is simply a record with an additional constraint:
all the components or fields are the same type;
however, with oop, arrays can be varying type
as long as all fields have a common supertype .
. conversely, record field selection can be computed
just like arrays use indexing for selection
if there is some function that returns symbols,
(if the symbol isn't a field then there's a range exception). ]
. the record notation has been for
any time one wants to use a literal field name
whereas the array syntax has been for
computing the field name(ie, with a non-literal)
but of course computing included the use of literals .
. the syntax for doing both would be .< .( ...), #().t >
(that's a class definition with nothing but
record and array accessors).
. we want all adda symbols to be typed,
so, to allow our arrays to be like python's dictionaries,
we need a type called "(any) (same as Object)
to indicate an escape from a specific type .
. then our pythonic symbols are typed .tall
(pointer To ALL)
and that type includes the pythonic array access:
#(hashable).any .
. if the domain is floats
then interchanging {rec, array} is confusing
because the dot is used as both a field selector
and the float's fraction selector;
eg, does x.1.2 mean x#(1.2), or x#(1, 2) .
. so then, another rule of record type is that the
domain type must be a symbol, not any hashable ?
. it would be better if records and arrays were
not interchangable, except that
if you would like to compute a record's name,
you can do that with array notation
but if you use a record's field selector (x.field)
then you mean x has been declared a record
... uh,
if a symbol can be both record and array
then record names cannot be computed,
because, that requires the use of array notation,
but then the reader will be getting confused:
are you referring to your symbol's record fields
or to its array components ?!
[5.30: nevertheless, it could work because,
we are saying that the array and record
are accessing the same fields;
ok, but,
didn't you want your record's fields to be typed?
. we could say that by defining record fields,
we're reserving those fields to be a particular type,
so then if the array assigns them some other type,
that raises an exception .]
another way record's can be like arrays is you say ...enum,
.( .. .trafficlight: .t ) as shorthand for
.( black, red, yellow, green: .t )ie,
in a record declaration,
.. can be followed by an enum type name
you can also list integer ranges?
. uh,
as part of keeping the language simple,
if we want to use range notation,
we should declare it to be an array .
5.30:
. if we didn't declare the domain to be type .type,
then types could still be shorthand for sets of values,
so we could give assignments like this:
A#( .trafficlight)`= {0; 1; 2; 3}
as shorthand for
A#{black; red; yellow; green}`= {0; 1; 2; 3} .
2012-05-17
robonet maintaining confidentiality
4.14: pol/robonet/maintaining confidentiality:
[. robonet is my name for
internet-based security video systems .]
. suppose when robonet does residential policing,
it can't send picts over the net because
every encryption is crackable within a few years;
it needs local acess to a processor that interprets the scenes
and saves suspect frames;
then it uses internet only to report an infraction
(it could also use a cell or phone modem);
the message being sent is just an address and urgency code:
code#0: am still functioning (sent often)
code#1(suspicions): requires a human to investigate a saved image;
code#2(alerts): reports an obvious crime in progress;
code#3(dangers): reports a violence-prone criminal in action .
[. robonet is my name for
internet-based security video systems .]
. suppose when robonet does residential policing,
it can't send picts over the net because
every encryption is crackable within a few years;
it needs local acess to a processor that interprets the scenes
and saves suspect frames;
then it uses internet only to report an infraction
(it could also use a cell or phone modem);
the message being sent is just an address and urgency code:
code#0: am still functioning (sent often)
code#1(suspicions): requires a human to investigate a saved image;
code#2(alerts): reports an obvious crime in progress;
code#3(dangers): reports a violence-prone criminal in action .
reliable drivers for monolithics #linux
5.17: summary:
. many of the crashes we endure on rock-solid linux
are due to device driver errors .
. here are my edits of several papers that offer hope
by transitioning drivers to an event-based architecture .
4.23: news.cyb/sec/reliable drivers for monolithics:
Leonid Ryzhyk(Ph.D. 2009)`
On the Construction of Reliable Device Drivers
Previous research on driver reliability
has concentrated on detecting and mitigating
defects in existing drivers
using static analysis or runtime isolation.
In contrast,
this dissertation presents an approach to
reducing the number of defects
through an improved device driver architecture
and development process.
This implementation allows our reliable drivers
to coexist with conventional Linux drivers,
providing a gradual migration path .
. many of the crashes we endure on rock-solid linux
are due to device driver errors .
. here are my edits of several papers that offer hope
by transitioning drivers to an event-based architecture .
4.23: news.cyb/sec/reliable drivers for monolithics:
Leonid Ryzhyk(Ph.D. 2009)`
On the Construction of Reliable Device Drivers
Previous research on driver reliability
has concentrated on detecting and mitigating
defects in existing drivers
using static analysis or runtime isolation.
In contrast,
this dissertation presents an approach to
reducing the number of defects
through an improved device driver architecture
and development process.
This implementation allows our reliable drivers
to coexist with conventional Linux drivers,
providing a gradual migration path .
Labels:
adds,
design patterns,
dev.linux,
preemptive,
security,
sw.eng,
unix
2012-05-16
commented PyQt code for main windows
. I’ve been learning pyqt coding from
Rapid GUI Programming with Python and Qt:
The Definitive Guide to PyQt Programming
by Mark Summerfield .
. the book includes openware examples
featuring several language versions;
I’m using the examples for Python 2.6 .
. I’ve been adding comments to his source;
the example I commented is from the file
chapter 6 (main windows)/imageChanger.pyw
(for a working program
you’ll also need the other files).
. I posted the commented code at my knol(wordpress)
where the format is wider,
and they have a Python language formatting tag!
[sourcecode language="python" wraplines="false" collapse="false"]. that special enclosure causes the code within
your source code goes here
[/sourcecode]
to be color-coded according to syntactic category .
. see it in action .
2012-05-15
okL4 & Minix3 vs Xen #microkernel #security
4.23: web: okl4 vs xen:
what is okL4? a microkernel impl'ing a hypervisor:
4.29: web.cyb/sec/minix vs okL4/minix on L4/
searching the minix3 group:
(vs the group for the old minix)
[minix3] Re: minix as hypervisors
jayesh 11/5/09
what is okL4? a microkernel impl'ing a hypervisor:
A hypervisor is a virtual-machine monitor,4.23: web: minix and okL4 are complementary:
designed for running de-privileged “guest” OS's .
. it contains a kernel (ie, a part that is running in
the most privileged mode of the hardware).
A microkernel contains the minimal amount of code
needed to run in the most privileged mode of the hardware
in order to build arbitrary (yet secure) systems.
So the primary difference between the two is purpose,
and that has implications on structure and APIs.
By the microkernel's generality requirement,
it can be used to implement a hypervisor.
This is what OKL4 labs is doing .
In fact, the 1997 SOSP paper by Härtig et al
. the AIM benchmarks for L4-Linux
report a maximum throughput which is
only 5% lower than that of native Linux;
therefore, (well-designed) microkernels are
quite usable as hypervisors.
How about the other way round?
Can a hypervisor be used to implement a microkernel?
While a hypervisor is less powerful in the sense that
it doesn't have the generality of a microkernel,
it typically has a much larger TCB
(trusted computing base) .
It contains all the virtualization logic,
and all the physical device drivers .
For example, the Xen hypervisor itself is about
5–10 times the size of the OKL4 microkernel
(in kLOC [1000's of Lines Of Code]).
In addition, it has the privileged
special virtual machine “Dom0”,
which contains a complete Linux system,
all part of the TCB (which is therefore
of the order of a MLOC [1000 kLOC]).
Compare this 1000 kLOC hypervisor
to the OKL4's 15 kLOC TCB .
A small TCB is important for
safety, security and reliability
-- by enforcing the principle of least authority --
and as such, it's especially important to
mission-critical embedded systems.
4.29: web.cyb/sec/minix vs okL4/minix on L4/
searching the minix3 group:
(vs the group for the old minix)
[minix3] Re: minix as hypervisors
jayesh 11/5/09
. we are thinking of using theTomas Hruby 11/5/09
microkernel feature of minix
to implement hypervisors,
can anybody suggest on where to start ...
Is your goal to make Minix kernel a hypervisorBen Leslie (ok-labs.com) Mon Jul 9 09:24:46 EST 2007
or you want to use it without touching?
You would need to change the kernel a lot
to be able to use it as a hypervisor
as it is fairly tight with the userspace.
Changing the kernel (and userspace to be compliant)
so that the kernel could host another personality
would be very valuable work.
We already work on certain features
which should get us closer to a true hypervisor
although it is not our high priority.
Unlike in Linux where kernel is what makes difference,
in Minix the userspace system is what makes it unique.
In theory, there is not much difference between a
hypervisor and a micro-kernel,
Minix kernel would need substantial changes though.
As I mentioned, we sort of follow that direction.
It's going to take some time and effort.
The biggest obstacle I see is how the new VM works.
There is a strong coupling between the kernel and VM.
Right now you cannot have
multiple VM servers on top of Minix kernel,
therefore you cannot have multiple
independent virtual machines.
I can imagine a stage between the current state
and Minix-true-hypervisor
when the machines share the one VM server.
They would not be cleanly isolated though.
On the other hand, it would be a great improvement.
Possibly an interesting project would be to
port the Minix system (server, driver, etc,
except the kernel) to some variant of L4.
L4 is a high performing micro-kernel
used primarily for virtualization
that lacks a server-based system like Minix.
This would be an interesting, valuable
and much simpler task.
In contrast to Minix,
some L4 clones run on many architectures
which would make Minix OS
immediately available for them too.
On Wed Jun 27, 2007 at 12:45:39 +0200, Martin Christian wrote:
>> As for Minix3, it grows fast since last year due to
>> good organization and open strategy
>> that attracts open-source programmers.
>> And I think maybe one day, it will become
>> more influential than L4 if things progress as now.
>That's a good point! I was also wondering
> what OKL4's understanding of Open Source is?
> More precisly these are my questions:
>1.) Why is OKL4 developed in a closed source repository?
> It would add much more confidence over
> OKLs commitment to Open Source
> if they used an open repository
> like the Linux kernel does.
Some of our work is subject to NDAs [non-disclosure agreements]
which have been signed with the relevant clients.
As such this work cannot be made public
and we cannot even 'talk around' the work being done.
We therefore made the conservative decision to
not make our repositories open to the public
but instead to release the publicly releasable code
in the form of a tarball that we can verify
contains nothing that would put us in breach of any NDA.
We take our customers' privacy concerns very seriously.
At the same time, we also want to keep our code open
for use by the community.
The solution we have arrived at allows us to
keep the released source very much 'open'.
...
We are quite happy with how Minix is going
and think there is enough room for both of us
out there in the development community.
In fact there have been thesis topics at UNSW
about reusing Minix component on top of OKL4[1].
It seems that there has also been other interest
in this in the past such as the L4/Minix project[2],
although this was based on Minix 2, not Minix 3.
Ben
[1] www.cse.unsw.edu.au ... KJE13.html
[2] http://research.nii.ac.jp/~kazuya/L4.Minix/
Labels:
architecture,
microkernel,
minix,
okL4,
security,
Xen
2012-05-14
historical moment linux is announced #minix #microkernel #security
4.23: news.cyb/sec/minix/
historical moment linux is announced to minix list:
. Linus is asking comp.os.minix
what they would like to see featured
in his 86-specific rewrite of minix .
. the first thread ends with an ignored call to
not have to compile device drivers into the kernel .
. decades later I would find a youtube lecture
complaining that linux really needs to have
modular device drivers
so that you don't have to reinstall them
every time a kernel upgrade comes out .
Adam David 8/26/91
may not be the real issue:
. much of what Linus objects to in minix
is not that it's a microkernel vs a monolithic;
rather, minix in 1992 was also
high-level coded to be portable,
whereas linux is tailor-fit to the 80386 cpu
using very-low level assembler code .
. making the best use of a particular processor
requires a lot of assembly language programming;
so, couldn't you have a tailor-fit microkernel ?
. the primary intent of the microkernel
is to take advantage of the fact that
a processor has 2 privilege levels;
and, your job as a microkernel designer
is to minimize the amount of code
that is running within supervisor mode;
such that even the drivers are in user mode .
. Linus stated "( porting things to linux
is generally /much/ easier
than porting them to minix );
now, I'm not sure of the particulars,
but it seems that this ease of porting
would come from the fact that most programs
are making full use of unix-usable C language,
and apparently the problem with minix was
requiring security-related modifications to source code
such that the minix-usable C
looked much different than unix-usable C .
. the key to popular security, it would seem,
is creating a special compiler that
transforms unix-C source code
into binaries that respect our boundaries .
. if the C code is also including assembler,
then only virtualization can save us .
the multi-threaded issue:
. when writing a unix file system
a monolithic os is naturally multithreaded
whereas the minix microkernel
required hacks of its message queues?
. perhaps this means that the filesystem
was considered to be one object,
such that if multiple processes want to access files,
they have to request jobs through one interface;
whereas, linux is not using one interface,
rather, each process is capable of locking a file
and so, any time a process is given some cpu time,
it has direct access to its file buffer
(in both cases the disk drive would be seen as one object;
because, it queues the disk access requests
and orders them to minimize disk arm movement;
then it buffers some files in ram,
and processes have instant access to their file's buffer).
Frans Meulenbroeks and Linus debate multi-threading:
Linus>
[5.14: TODO: back to the main point:
. I'm still wondering what it is about Linus's
definition of "(microkernel)
that precludes it having a high degree of parallelism
regardless of whether you're being multi-threaded
or using message queues .]
Linus Benedict Torvalds 1/29/92
...
. the new minix3 is much like
Linus was wishing minix 1 would have been;
plus, it's a microkernel .
historical moment linux is announced to minix list:
. Linus is asking comp.os.minix
what they would like to see featured
in his 86-specific rewrite of minix .
. the first thread ends with an ignored call to
not have to compile device drivers into the kernel .
. decades later I would find a youtube lecture
complaining that linux really needs to have
modular device drivers
so that you don't have to reinstall them
every time a kernel upgrade comes out .
Adam David 8/26/91
One of the things that really bugs me about minixSamuel S. Paik 6/26/92
is the way device drivers have to be compiled into the kernel.
So, how about doing some sensible
installable device driver code
(same goes for minix 2.0 whenever).
(adamd@rhi.hi.is)
User Level Drivers! User Level Drivers!Frans Meulenbroeks 6/29/92
Why should device drivers per se
be part of the kernel? (Well, performance purposes...)
I've liked Domain OS where you could
map a device's registers into your process memory.
If you also include a way of bouncing interrupts
from a particular device to a process,
then we could have user level device drivers.
Then, for performance reasons,
after everything is debugged
there should be a way to move device drivers
into the kernel--but only if we want to...
Samuel Paik
d65y@vax5.cit.cornell.edu
Nice idea, but there are a lot of hardware configurationsmicrokernel vs a monolithic
where you cannot simply give [a process]
access to one device register .
may not be the real issue:
. much of what Linus objects to in minix
is not that it's a microkernel vs a monolithic;
rather, minix in 1992 was also
high-level coded to be portable,
whereas linux is tailor-fit to the 80386 cpu
using very-low level assembler code .
. making the best use of a particular processor
requires a lot of assembly language programming;
so, couldn't you have a tailor-fit microkernel ?
. the primary intent of the microkernel
is to take advantage of the fact that
a processor has 2 privilege levels;
and, your job as a microkernel designer
is to minimize the amount of code
that is running within supervisor mode;
such that even the drivers are in user mode .
. Linus stated "( porting things to linux
is generally /much/ easier
than porting them to minix );
now, I'm not sure of the particulars,
but it seems that this ease of porting
would come from the fact that most programs
are making full use of unix-usable C language,
and apparently the problem with minix was
requiring security-related modifications to source code
such that the minix-usable C
looked much different than unix-usable C .
. the key to popular security, it would seem,
is creating a special compiler that
transforms unix-C source code
into binaries that respect our boundaries .
. if the C code is also including assembler,
then only virtualization can save us .
the multi-threaded issue:
. when writing a unix file system
a monolithic os is naturally multithreaded
whereas the minix microkernel
required hacks of its message queues?
. perhaps this means that the filesystem
was considered to be one object,
such that if multiple processes want to access files,
they have to request jobs through one interface;
whereas, linux is not using one interface,
rather, each process is capable of locking a file
and so, any time a process is given some cpu time,
it has direct access to its file buffer
(in both cases the disk drive would be seen as one object;
because, it queues the disk access requests
and orders them to minimize disk arm movement;
then it buffers some files in ram,
and processes have instant access to their file's buffer).
Frans Meulenbroeks and Linus debate multi-threading:
Linus>
I'd also suggest adding threading support:Frans>
the fs and mm processes need to be multithreaded
(or page faults etc are very difficult indeed to handle,
as a page-fault can happen in the fs process
and often needs the fs process to be handled).
My thoughts about multithreading are mixed.Linus Jun 26 1992>
On the one side I like the performance gain.
On the other hand this complicates things,
so it does not really fit into the minix scope.
Multi-threading isn't a question of performance:Frans Jun 29 1992>
you generally get better performance too,
but the most important part is that,
without multithreading, some things are
impossible or much more complicated .
I already mentioned demand-paging and virtual memory
that effectively /need/ multithreading,
but some other quite mundane things are simply
not possible to do without it.
The filesystem simply /has/ to be multithreaded
or you need a lot of ugly hacks.
Look at the tty code in the minix fs:
it's not exactly logical or nice.
As a tty request can take a long time,
minix has to do small ugly hacks
to free the fs process as fast as possible
so that it can do some other request while the tty is hanging.
It does a messy kind of message redirection,
but the redirection isn't a kernel primitive,
but an ugly hack to get this particular problem solved.
Not having multithreading
also results in the fact that the system tasks
cannot send each other messages freely:
you have to be very careful that there aren't
dead-locks where different system calls try to
send each other messages. Ugly.
Having multithreaded system tasks
would make a lot of things cleaner
(I don't think user tasks need to multi-thread,
but if the kernel supports it for system tasks,
it might as well work for user tasks also).
...
[. a hacked single-process message-passing fs]
removes a lot of the good points of messages.
What's the idea in using minix as a teaching tool
if it does some fundamentally buggy things?
Sorry, but I do not understand why I cannot get
paging or virtual memory without multithreaded systems.
Of course there are essential parts of the system
that must remain in memory permanently.
But why can't the core kernel do
demand paging or virtual memory
(or dispatch the work to another tasks).
What other mundane things are not possible??
I don't think multithreadedness is needed. Not even for fs.
What is needed is a message buffering ipc mechanism
and a version of fs which does not do a sendrec, but only send,
and which has a global receives
which gets all the result messages.
Then a single threaded fs does work.
--
Frans Meulenbroeks (meulenbr@prl.philips.nl)
Philips Research Laboratories
[5.14: TODO: back to the main point:
. I'm still wondering what it is about Linus's
definition of "(microkernel)
that precludes it having a high degree of parallelism
regardless of whether you're being multi-threaded
or using message queues .]
Linus Benedict Torvalds 1/29/92
>1. MICROKERNEL VS MONOLITHIC SYSTEMKen Thompson 2/4/92
True, linux is monolithic,
and I agree that microkernels are nicer. ... .
From a theoretical (and aesthetical) standpoint
linux loses.
If the GNU kernel had been ready last spring,
I'd not have bothered to even start my project:
the fact is that it wasn't and still isn't.
Linux wins heavily on points of being available now.
...
I would generally agree that microkernels are5.14:
probably the wave of the future.
However, it is in my opinion easier to
implement a monolithic kernel.
It is also easier for it to turn into a mess in a hurry
as it is modified.
Regards,
Ken
-- "Rowe's Rule: The odds are five to six
that the light at the end of the tunnel
is the headlight of an oncoming train." -- Paul Dickson
. the new minix3 is much like
Linus was wishing minix 1 would have been;
plus, it's a microkernel .
Labels:
adds,
architecture,
linux,
microkernel,
minix,
multitasking,
multithreading,
security
2012-05-13
MIT's opencourseware for python
4.5: news.cyb/dev.py/mit course:
intro:
. aimed at students with little or no programming experience
.. not a focus on Python but on solving problems .
the courseware download:
. 19mb courseware 6-00sc-spring-2011 .
(it expects you to see vid's too,
with broadband {youttube, itunes})
recommended links:
. includes doc's to hit first:
docs.python.org/library/string.html
docs.python.org/tutorial/floatingpoint.html#tut-fp-issues
docs.python.org/tutorial/datastructures.html#tut-tuples
docs.python.org/tutorial/datastructures.html#more-on-lists
docs.python.org/tutorial/datastructures.html#dictionaries
www.greenteapress.com/thinkpython/thinkCSpy/html/chap11.html
docs.python.org/release/2.5.4/tut/node10.html
beastie.cs.ua.edu/cs150/book/book_13.html
www.greenteapress.com/thinkpython/thinkCSpy/html/chap04.html
www.diveintopython.net/toc/index.html
www.greenteapress.com/thinkpython/thinkCSpy/html/
intro:
. aimed at students with little or no programming experience
.. not a focus on Python but on solving problems .
the courseware download:
. 19mb courseware 6-00sc-spring-2011 .
(it expects you to see vid's too,
with broadband {youttube, itunes})
recommended links:
. includes doc's to hit first:
docs.python.org/library/string.html
docs.python.org/tutorial/floatingpoint.html#tut-fp-issues
docs.python.org/tutorial/datastructures.html#tut-tuples
docs.python.org/tutorial/datastructures.html#more-on-lists
docs.python.org/tutorial/datastructures.html#dictionaries
www.greenteapress.com/thinkpython/thinkCSpy/html/chap11.html
docs.python.org/release/2.5.4/tut/node10.html
beastie.cs.ua.edu/cs150/book/book_13.html
www.greenteapress.com/thinkpython/thinkCSpy/html/chap04.html
www.diveintopython.net/toc/index.html
www.greenteapress.com/thinkpython/thinkCSpy/html/
Labels:
dev.python,
openware,
sw.eng
college attracts female software engineers
4.3: news.cyb/dev.py/
college attracts female software engineers:
. after switching to an easy programming language
(going from Java to Python)
Mudd college is attracting many more females
into their computer science programs .
David MacQuigg:
edu-sig@python.org/transforming CS at Harvey Mudd/5:40 PM:
. the article he refers to said women got interested
in a computer science program
after the program shifted its focus:
. so many of tomorrow's leaders
are being put off by the monster languages;
and, they are destined thereafter to have
little understanding or appreciation
of what techies[automators] do.
(make the world a more efficient place).
. engineers are not invited to requirements meetings?
I don't think it's because of a lack of
understanding or appreciation of what techies do;
rather, the psychology of leadership
includes something like computer science's
Principle of Least Priviledge:
the safest and simplest way to conduct business
is to develop modules with clean, minimal interfaces:
that means interfaces that don't include
inputs a module doesn't need .
. engineers may prefer having a say in their job,
but an engineer's performance should not require that,
unless it's a very new technology,
in which case the mgt has no idea what is possible
without the engineer's input .
. what's missing from an optimal world
is making everyone fluent in their ability to
automate or precisely document their job;
and, I think moving to Python
is a step in the right direction .
college attracts female software engineers:
. after switching to an easy programming language
(going from Java to Python)
Mudd college is attracting many more females
into their computer science programs .
David MacQuigg:
edu-sig@python.org/transforming CS at Harvey Mudd/5:40 PM:
Excellent article. It is good to see the revolutionmy response:
moving forward in at least a few schools.
Khan Academy is also adding CS.
This is very encouraging.
When I read the headline
"Giving Women the Access Code",
I was worried that it sounded like a
watered-down course for women.
It's not that at all.
It's the guys that need to change their attitude.
When I see our introductory class
with 220 freshmen in a course on C,
2/3 of whom will be "washed out" by next year,
I wonder how many of them will go on to be
leaders in law, politics, even technology.
What will be the impact of their lack of
understanding or appreciation of what us techies do.
It's no wonder engineers are not even in the room
when important decisions are made.
. the article he refers to said women got interested
in a computer science program
after the program shifted its focus:
"(. this course isn't about wrestling withI think he goes on to say:
monster languages like Java or C;
we use an easy language like Python
so you can get on with what's important:
getting your machine to do more of your job .)
. so many of tomorrow's leaders
are being put off by the monster languages;
and, they are destined thereafter to have
little understanding or appreciation
of what techies[automators] do.
(make the world a more efficient place).
. engineers are not invited to requirements meetings?
I don't think it's because of a lack of
understanding or appreciation of what techies do;
rather, the psychology of leadership
includes something like computer science's
Principle of Least Priviledge:
the safest and simplest way to conduct business
is to develop modules with clean, minimal interfaces:
that means interfaces that don't include
inputs a module doesn't need .
. engineers may prefer having a say in their job,
but an engineer's performance should not require that,
unless it's a very new technology,
in which case the mgt has no idea what is possible
without the engineer's input .
. what's missing from an optimal world
is making everyone fluent in their ability to
automate or precisely document their job;
and, I think moving to Python
is a step in the right direction .
Labels:
constitution,
cyborganics,
dev.python,
doc'ing
2012-05-01
robotics as the economical meds nurse
4.22: adds/robotics/the economical meds nurse:
. to use the robotics meds nurse,
you get these locked cylinders that only the robot can open,
and once you install it in the robot, it locks in place;
and, you can't get it back until the meds are used;
then you take that empty cylinder back for a refill,
like a propane tank recycling deal .
. it has vision and intelligence,
and checks your mouth for cheating .
. if there's cheating of any kind,
it stops using your phone for I'm-ok signals,
and the DEA knocks on your door .
. to use the robotics meds nurse,
you get these locked cylinders that only the robot can open,
and once you install it in the robot, it locks in place;
and, you can't get it back until the meds are used;
then you take that empty cylinder back for a refill,
like a propane tank recycling deal .
. it has vision and intelligence,
and checks your mouth for cheating .
. if there's cheating of any kind,
it stops using your phone for I'm-ok signals,
and the DEA knocks on your door .
David Chisnall`Failure of the GPL
4.21: news.adds/openware/David Chisnall`Failure of the GPL:
By David Chisnall Aug 31, 2009
By David Chisnall Aug 31, 2009
. Richard Stallman believes thatmy comment:
writing proprietary software is antisocial.
Unfortunately, this mentality leads to lost opportunities.
The GPL doesn't give you the choice of
writing some proprietary software
and contributing it to Free Software.
If you want to use some GPL'd code,
you have to GPL your entire project
(which is sometimes impossible due to
third-party requirements).
This is where the FSF and I have a
fundamental philosophical disagreement.
I believe that the community benefits when
the amount of Free Software increases.
The FSF believes that the community is harmed
when the amount of proprietary software increases,
and that making it easier to write a proprietary application
is a bad thing,
even when the side-effect is that
the developers improve some Free Software.
robot simulations with Python
4.9: web.adds/robotics/robot simulations with python:
pyro does 3d robotics
pyrobot-latest.tgz 01-Apr-2008
-- this was NSF-funded for 3years until 2006 .
. but here at the source the most recent update was 2 weeks ago .
. the forum traffic ends by 2011.11 .
4.10: intro:
"( Pyro can provide a smooth transition for the student
from symbolic agents to real-world robots,
which significantly reduces the cost of learning to use robots. )
. you can see the 3d in this white paper: AImag'05
4.10: well, pyro seems unpopular?:
. I know mit.edu is getting into Python,
so they must have the advances in pythonic robotics:
pyro does 3d robotics
pyrobot-latest.tgz 01-Apr-2008
-- this was NSF-funded for 3years until 2006 .
. but here at the source the most recent update was 2 weeks ago .
. the forum traffic ends by 2011.11 .
4.10: intro:
"( Pyro can provide a smooth transition for the student
from symbolic agents to real-world robots,
which significantly reduces the cost of learning to use robots. )
. you can see the 3d in this white paper: AImag'05
4.10: well, pyro seems unpopular?:
. I know mit.edu is getting into Python,
so they must have the advances in pythonic robotics:
Labels:
adds,
dev.pyqt,
dev.python,
robotics
tooltips explaining disabled menu items
4.21: adde/tooltips/explaining disabled menu items:
. part of greying -out menu items should be to
have a menu item's tooltip explaining why it is not enabled,
common reasons include: doc is not modified, no selection,
and selection not of relevant type .
. part of greying -out menu items should be to
have a menu item's tooltip explaining why it is not enabled,
common reasons include: doc is not modified, no selection,
and selection not of relevant type .
save without crash-corrupting log file
4.21: adde/journaling/save without crash-corrupting log file:
. when saving the user's commands log,
each save needs to re-open and re-close the file;
because, a crash when a file is open might corrupt it .
. this could be done using a pair of files;
or we could use the platform's way of writing to a file buffer;
and then atomically set the save-file's pointer to point at buffer;
or (copy saved; append the command; close the copy;
rename copy as saved).
. when saving the user's commands log,
each save needs to re-open and re-close the file;
because, a crash when a file is open might corrupt it .
. this could be done using a pair of files;
or we could use the platform's way of writing to a file buffer;
and then atomically set the save-file's pointer to point at buffer;
or (copy saved; append the command; close the copy;
rename copy as saved).
Labels:
adde,
journaling
editor has modes of display like finder
4.18: adde/editor has modes of display like finder:
. the editor has modes of display like the mac finder does;
an editor's usual state is large icon mode,
where you choose how the text and image panes are
tiled together in a layout .
. the other views relevant to an editor are:
subtitles tree, listview of panes,
and any number of other customized layout views
for adjusting the #columns and paging length
to fit the various window dimensions
(1024x726, half, quarter, ipod-sized ).
5.1:
. the small icon mode makes it easier to do
layout changes from a bird's eye view,
seeing several pages at once .
. the editor has modes of display like the mac finder does;
an editor's usual state is large icon mode,
where you choose how the text and image panes are
tiled together in a layout .
. the other views relevant to an editor are:
subtitles tree, listview of panes,
and any number of other customized layout views
for adjusting the #columns and paging length
to fit the various window dimensions
(1024x726, half, quarter, ipod-sized ).
5.1:
. the small icon mode makes it easier to do
layout changes from a bird's eye view,
seeing several pages at once .
unicode inputting
4.17: adde/unicode inputting:
. the editor should make it easy to type unicode:
menu#0 brings up the submenus
which arrange the unicodes in pages .
. each menu shows the key matrix map:
ie, what a key on the keyboard is launching,
either another menu,
or a unicode character in this situation;
that is, after it brings up the main menu,
the next key takes you to another key map,
and eventually the submenus get to a leaf menu,
where the key matrix map shows which
unicode character is currently assigned to each key .
5.1:
. the unicode menu system should also include
a recent-keys menu and a favorites menu .
. the editor should make it easy to type unicode:
menu#0 brings up the submenus
which arrange the unicodes in pages .
. each menu shows the key matrix map:
ie, what a key on the keyboard is launching,
either another menu,
or a unicode character in this situation;
that is, after it brings up the main menu,
the next key takes you to another key map,
and eventually the submenus get to a leaf menu,
where the key matrix map shows which
unicode character is currently assigned to each key .
5.1:
. the unicode menu system should also include
a recent-keys menu and a favorites menu .
converting attribute-text to html
4.29: adde/gui/converting attribute-text to html:
. a pyqt text object uses a system of fragments to express
each change in the text's combinations of attributes in
(color, bold shade, underline, italics, superscript, subscript );
but when converting to html,
you want to combine contiguous modes;
eg, say you have 3 words, 1,2,3,
with u=underline, and b=bold;
so, when pyqt gives you:
1(u), 2(b,u), 3(u)
your html writer should be converting that to:
u(1, b(2), 3) .
. a pyqt text object uses a system of fragments to express
each change in the text's combinations of attributes in
(color, bold shade, underline, italics, superscript, subscript );
but when converting to html,
you want to combine contiguous modes;
eg, say you have 3 words, 1,2,3,
with u=underline, and b=bold;
so, when pyqt gives you:
1(u), 2(b,u), 3(u)
your html writer should be converting that to:
u(1, b(2), 3) .
Labels:
adde,
algorithms,
gui,
html
Subscribe to:
Posts (Atom)