2014-12-20

securing the virtual machine #addm

addm/sec/securing the virtual machine:
4.20: 12.20: summary:
. a virtual machine can provide security
while still leaving users some freedom to develop code,
by using a microkernel architecture
and by learning from the Chrome browser team:
you can't build a secure app unless you
also secure the underlying OS and firmware .

4.20: 12.19..20: intro:
. addm is a virtual machine;
it accepts instructions from .addm files .
. adda is a high-level programming language,
and the adda compiler can produce .addm files .
. addm has root privileges and can do great damage,
so it needs to know who it is getting its instructions from:
just as a bank acting on a user's command
needs authentication identifying that user,
and strong encryption to prevent a man-in-the-middle attack;
but encryption protects a message only while it is in transit:
a stored .addm file must stay trustworthy long after it was written,
so addm can't rely on encryption for that;
it needs a way, independent of encryption,
to ensure that only the secure adda compiler
can overwrite .addm files .
12.19:
. each entity (human user, admin, or bot)
that can write .addm files with the adda compiler
is assigned a fixed set of capabilities;
eg, an admin can modify the kernel,
whereas a user can modify only that user's own account .
. adda ensures that
the .addm files it generates for a client
never have more permissions than the client has;
usually the client will ask for fewer permissions,
eg, an editor may be limited to modifying only the files
selected by the user, or selected by bots
that the user has given access to that editor .
4.20: 12.20:
. among the capabilities a user grants a program
is whether it may edit instructions (ie, rewrite .addm files) .
. an .addm file should never be directly modifiable;
a bot that needs to change one must go through the adda compiler,
which limits the output's capabilities
to those permitted by the bot's author;
adda will replace an existing .addm file
only for a bot that holds permission from the file's owner .
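The attenuation rule above (a compiled .addm file never carries more than its client holds, and a bot that a user delegates to never carries more than that user) as an added example; this is illustrative code, not adda's own, and the capability labels, the `Principal` type and the `compile_addm` name are assumptions made here:

```python
"""Capability attenuation for a hypothetical adda compile step.

Added example, not addm/adda code. Assumes capabilities are plain
string labels (e.g. "write:file:notes.txt") and that the compiler
is told the client's granted set before it emits anything.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


class CapabilityError(Exception):
    """Raised when a request would exceed what the principal holds."""


@dataclass(frozen=True)
class Principal:
    name: str
    caps: frozenset            # capabilities this principal holds
    granted_by: Optional[str] = None   # who delegated them, if anyone


def delegate(grantor: Principal, name: str, caps: Iterable[str]) -> Principal:
    """A user hands a bot (eg an editor) some of its own capabilities.

    The bot can only ever receive a subset of the grantor's set, so a
    delegation chain can shrink permissions but never grow them.
    """
    requested = frozenset(caps)
    excess = requested - grantor.caps
    if excess:
        raise CapabilityError(
            f"{grantor.name} cannot delegate {sorted(excess)} to {name}")
    return Principal(name, requested, granted_by=grantor.name)


def compile_addm(client: Principal,
                 requested: Optional[Iterable[str]] = None) -> dict:
    """Emit an .addm 'file' (modelled as a dict) for the client.

    If the client names no permissions, the output gets exactly the
    client's set; if it asks for a narrower set, it gets that; if it
    asks for anything the client lacks, compilation is refused.
    """
    wanted = client.caps if requested is None else frozenset(requested)
    excess = wanted - client.caps
    if excess:
        raise CapabilityError(
            f"{client.name} asked for {sorted(excess)} but holds only "
            f"{sorted(client.caps)}")
    return {"owner": client.name, "perms": wanted}


# Constructed sample principals: an admin, a user, and an editor bot
# that the user allows to touch one selected file.
ADMIN = Principal("root", frozenset({"modify_kernel", "write:account:*"}))
USER = Principal("alice", frozenset({"write:account:alice",
                                     "write:file:notes.txt",
                                     "write:file:todo.txt"}))
EDITOR = delegate(USER, "editor-bot", ["write:file:notes.txt"])


def demo() -> dict:
    """Run the three cases the page describes and report the outcomes."""
    results = {
        "user_default": compile_addm(USER)["perms"],
        "editor": compile_addm(EDITOR)["perms"],
        "admin_narrowed": compile_addm(ADMIN, ["modify_kernel"])["perms"],
    }
    try:
        compile_addm(USER, ["modify_kernel"])
        results["user_kernel"] = "allowed"
    except CapabilityError:
        results["user_kernel"] = "refused"
    try:
        delegate(USER, "rogue-bot", ["write:account:*"])
        results["over_delegate"] = "allowed"
    except CapabilityError:
        results["over_delegate"] = "refused"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The two refusals are the point: the user cannot compile a kernel-modifying .addm file, and cannot hand a bot an account-wide capability it does not itself hold, so every .addm file that adda emits sits at or below its author in the capability order.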
4.20:
. there should be an efficient way to
distribute minor changes to many .addm files;
this can be done with patch files:
instead of sending out whole .addm files,
send a patch for a specific .addm file;
the adda compiler then takes
the patch and the given .addm file as input,
and outputs a new .addm file that has
merged the patch into the intended .addm file;
the patch carries the checksum of the intended file
so that it is merged only with that file and not some other .
. the adda compiler can accept patch files from
a trusted distributor's website,
and can make a patch file
for uploading to a distributor;
the checksum only identifies the target file,
so the patch itself still has to come from the trusted distributor .
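The checksummed patch exchange described above, as an added example rather than adda's own format: the patch records a hash of the file it is meant for and of the file it should produce, and the merge refuses both a wrong target and a tampered patch. The JSON layout, the `make_patch`/`apply_patch` names, and the use of sha256 as the checksum are assumptions made here, as is the sample .addm content:

```python
"""Checksummed patch files for .addm updates.

Added example, not adda code. The patch format below is an assumption:
a JSON document with the sha256 of the intended input file, the sha256
of the expected output, and line-based hunks derived from difflib.
"""
import hashlib
import json
from difflib import SequenceMatcher


class PatchError(Exception):
    """Raised when a patch does not belong to, or does not fit, the target."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_patch(old: bytes, new: bytes) -> bytes:
    """Produce a patch that turns `old` into `new`, bound to `old`'s checksum."""
    a = old.splitlines(keepends=True)
    b = new.splitlines(keepends=True)
    hunks = []
    sm = SequenceMatcher(a=a, b=b, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            continue
        # Each hunk: starting line in the old file, how many old lines
        # to drop there, and the replacement lines to insert.
        hunks.append({"at": i1, "drop": i2 - i1,
                      "insert": [x.decode("utf-8") for x in b[j1:j2]]})
    patch = {"target_sha256": sha256_hex(old),
             "result_sha256": sha256_hex(new),
             "hunks": hunks}
    return json.dumps(patch).encode("utf-8")


def apply_patch(target: bytes, patch_bytes: bytes) -> bytes:
    """Merge `patch_bytes` into `target`, refusing any mismatch.

    Check 1: the patch must name this exact file (target checksum).
    Check 2: the merged result must match what the patch author
             produced (result checksum), which catches a hunk that was
             altered in transit.
    """
    patch = json.loads(patch_bytes.decode("utf-8"))
    if sha256_hex(target) != patch["target_sha256"]:
        raise PatchError("patch is for a different .addm file")
    lines = target.splitlines(keepends=True)
    out, pos = [], 0
    for h in patch["hunks"]:          # hunks are in ascending order
        out.extend(lines[pos:h["at"]])
        out.extend(x.encode("utf-8") for x in h["insert"])
        pos = h["at"] + h["drop"]
    out.extend(lines[pos:])
    result = b"".join(out)
    if sha256_hex(result) != patch["result_sha256"]:
        raise PatchError("merged output does not match the patch's result checksum")
    return result


# Constructed sample: a tiny made-up .addm listing before and after a fix.
OLD_ADDM = b"load r1\nadd r1 r2\nhalt\n"
NEW_ADDM = b"load r1\nadd r1 r2\nstore r1\nhalt\n"


def demo() -> dict:
    """Exercise the good path and the two refusals."""
    patch = make_patch(OLD_ADDM, NEW_ADDM)
    results = {"merged": apply_patch(OLD_ADDM, patch)}
    try:
        apply_patch(b"load r9\nhalt\n", patch)       # wrong target file
        results["wrong_target"] = "allowed"
    except PatchError:
        results["wrong_target"] = "refused"
    tampered = json.loads(patch)
    tampered["hunks"][0]["insert"] = ["store r2\n"]   # altered in transit
    try:
        apply_patch(OLD_ADDM, json.dumps(tampered).encode("utf-8"))
        results["tampered"] = "allowed"
    except PatchError:
        results["tampered"] = "refused"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Both checksums are integrity checks only; they say nothing about who wrote the patch, which is why the page ties patch intake to a trusted distributor rather than to the checksum alone.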

. the addm app (implemented as a native executable)
is just the microkernel of the addm vm;
the rest of the vm can be implemented by .addm files
[12.20: so that most of the vm can be
upgraded by users instead of only by admins;
but the security essentials in the microkernel
are updateable only by admins .]