> One simple thing is when the administrator gives you memory that
> nobody else can access unless you give them capability for some part
> of the memory. The problem is that if you request a service from a
> system server you should provide the memory the service requires, and
> it is not apparent if it is a good idea that you can read that memory at
> any time. And if you cannot you get DRM.
My understanding of this problem is that if we want to improve the security of the system, it would be necessary to implement memory that would be allocated from the user memory pool (memory accounted against this user) that neither this user nor the system administrator can access. The unwanted consequence is that it prevents debugging when the process to be debugged doesn't cooperate, and also that it could be misused to implement effective DRM.

But maybe we can modify the system so that the user could access this memory if such a request were _approved_ by the system administrator. This could enable debugging and also prevent effective DRM when the user and the administrator act together. I don't have any practical experience with secure systems, so perhaps there are some problems with this idea. The problem I can think of is that such a feature could be removed from the system at a later stage (leading to re-enabling effective DRM). Could the system license prevent such modifications?

I think that providing a foundation for improved security could attract some developers to Hurd, especially as we witness major operating systems struggling with security problems. To achieve this we could promote the "defense in depth" principle. We could use a modular design with strict enforcement of interactions between modules. Using a capability microkernel may be the best foundation for such a design.

Regards,
Piotr