
The Synthesis Kernel (1988) [pdf] - mpweiher
https://www.usenix.org/legacy/publications/compsystems/1988/win_pu.pdf
======
sdhsdh
This paper was somewhat famous in the Berkeley system department when I was
there; the lore was that it was the perfect academic system that proved a
point but crashed ... frequently.

~~~
exikyut
This could apply as a partial general explanation:
[https://news.ycombinator.com/item?id=15048914](https://news.ycombinator.com/item?id=15048914)

------
brandonmenc
Also:
[http://valerieaurora.org/synthesis/SynthesisOS/index.html](http://valerieaurora.org/synthesis/SynthesisOS/index.html)

------
kazinator
It says "Winter 1988"; the Morris Worm broke out in November that year.
Security wouldn't really have been on people's minds so much yet. Which is
perhaps why that word doesn't occur even once in this paper!

Clumsy system calls which start from first principles and traverse some data
structures to get to the state they want can be verified for security issues.
At every step they can validate each datum. For instance, a given integer file
descriptor can not only become invalid between two successive read calls; it
can point to a completely different object. We cannot cache/curry the
resolution of that descriptor number to a descriptor object; we have to
validate it from scratch on each call.

If you take any shortcuts via synthesized code or other tricks, you have to be
able to convince yourself that security holes aren't created by skipping the
sanity checks performed by the original system calls.
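
The descriptor hazard described above, as an added illustration in C (this is not code from the paper or from the commenter; the descriptor table, its generation counter and the three read paths are a constructed toy model). A read routine specialised for one descriptor number caches the resolution of that number to an object. After the descriptor is closed and the number reused for a different object, the cached pointer still names the old object, the conventional from-scratch path sees the current binding, and a guarded fast path notices that the binding changed and refuses instead of acting on the wrong object.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FDS 4

/* Toy kernel object behind a descriptor (constructed: a string-backed file). */
struct kobject {
    const char *data;
    size_t len;
};

/* Descriptor-table slot. `gen` is bumped on every (re)binding, so the pair
 * (fd, gen) names one specific binding rather than just a slot number. */
struct fd_slot {
    struct kobject *obj;   /* NULL while the descriptor is closed */
    uint32_t gen;
};

static struct fd_slot fdtable[MAX_FDS];

static void fd_table_reset(void) { memset(fdtable, 0, sizeof fdtable); }

/* The from-scratch resolution a conventional syscall performs on every call. */
static struct kobject *fd_resolve(int fd) {
    if (fd < 0 || fd >= MAX_FDS) return NULL;
    return fdtable[fd].obj;
}

int toy_open(struct kobject *obj) {
    for (int fd = 0; fd < MAX_FDS; fd++) {
        if (fdtable[fd].obj == NULL) {      /* lowest free number, as in POSIX */
            fdtable[fd].obj = obj;
            fdtable[fd].gen++;
            return fd;
        }
    }
    return -1;
}

int toy_close(int fd) {
    if (fd_resolve(fd) == NULL) return -1;
    fdtable[fd].obj = NULL;
    return 0;
}

static long copy_out(const struct kobject *obj, char *buf, size_t n) {
    size_t len = obj->len < n ? obj->len : n;   /* buf must hold n+1 bytes */
    memcpy(buf, obj->data, len);
    buf[len] = '\0';
    return (long)len;
}

/* Conventional read: validates the descriptor from scratch each time. */
long toy_read(int fd, char *buf, size_t n) {
    struct kobject *obj = fd_resolve(fd);
    return obj ? copy_out(obj, buf, n) : -1;
}

/* A read routine "synthesized" for one descriptor: the resolution is done
 * once and cached, which is exactly the shortcut the comment above warns about. */
struct synth_read {
    int fd;
    struct kobject *cached_obj;
    uint32_t cached_gen;
};

struct synth_read synthesize_read(int fd) {
    struct synth_read s = { fd, fd_resolve(fd), 0 };
    if (s.cached_obj) s.cached_gen = fdtable[fd].gen;
    return s;
}

/* Unsafe variant: trusts the cached resolution unconditionally. */
long synth_read_unsafe(const struct synth_read *s, char *buf, size_t n) {
    return copy_out(s->cached_obj, buf, n);
}

/* Guarded variant: a cheap identity check (same object AND same generation)
 * precedes the fast path; on mismatch the specialization is stale and the
 * call is refused (a real kernel would fall back to the slow path). */
long synth_read_safe(const struct synth_read *s, char *buf, size_t n) {
    if (s->fd < 0 || s->fd >= MAX_FDS) return -1;
    if (fdtable[s->fd].obj != s->cached_obj || fdtable[s->fd].gen != s->cached_gen)
        return -1;
    return copy_out(s->cached_obj, buf, n);
}

/* Scenario: cache a read for a descriptor, close it, let the number be reused
 * for a different object, then read through each of the three paths. */
struct scenario_result {
    long unsafe_ret, safe_ret, fresh_ret;
    char unsafe_buf[16], safe_buf[16], fresh_buf[16];
};

struct scenario_result run_reuse_scenario(void) {
    struct scenario_result r;
    memset(&r, 0, sizeof r);
    fd_table_reset();
    struct kobject public_obj  = { "hello",  5 };   /* constructed sample data */
    struct kobject private_obj = { "s3cr3t", 6 };   /* constructed sample data */
    int fd = toy_open(&public_obj);
    struct synth_read s = synthesize_read(fd);
    toy_close(fd);
    toy_open(&private_obj);                  /* reuses the same number as fd */
    r.unsafe_ret = synth_read_unsafe(&s, r.unsafe_buf, 15); /* stale object   */
    r.safe_ret   = synth_read_safe(&s, r.safe_buf, 15);     /* refused (-1)   */
    r.fresh_ret  = toy_read(fd, r.fresh_buf, 15);           /* current binding */
    return r;
}

int main(void) {
    struct scenario_result r = run_reuse_scenario();
    printf("unsafe cached read:  %ld \"%s\"\n", r.unsafe_ret, r.unsafe_buf);
    printf("guarded cached read: %ld\n", r.safe_ret);
    printf("from-scratch read:   %ld \"%s\"\n", r.fresh_ret, r.fresh_buf);
    return 0;
}
```

The guarded path compares the generation counter as well as the object pointer because pointer equality alone is not enough: a slot can be rebound to the same object, and in a real kernel the old object's memory can be freed and reallocated at the same address, so the pointer would match while the binding is new. The (pointer, generation) check is the cheap validation that lets specialised code keep its fast path without skipping the sanity checks the general-purpose syscall would have performed.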

~~~
maemre
If you can describe your synthesis operations in terms of some program
transformation, you may be able to verify/prove that they preserve certain
semantic properties (similar to compiler verification). We have both verified
compilers and verified kernels already so this is not a long stretch but it
would still be a research project of its own IMO. Also, there has been some
research on breaking invariants temporarily between computational steps while
preserving them overall [0] (unfortunately, behind a paywall and I couldn't
find a non-paywall version).

My point is that although this paper doesn't discuss the security aspect, this
work can be implemented in a secure manner.

[0] [http://dl.acm.org/citation.cfm?id=2661142](http://dl.acm.org/citation.cfm?id=2661142)

~~~
gwern
You can just get it off Libgen as usual: [http://dl.acm.org.sci-hub.io/citation.cfm?id=2661142](http://dl.acm.org.sci-hub.io/citation.cfm?id=2661142)

~~~
kazinator
Man, that strikes close to home! Breaking invariants when nobody observes it.

I did something in this spirit in my Lisp dialect.

I broke the invariant which says "no matter how you terminate a form, the
unwind-protect cleanup forms get called".

I broke it by introducing the concept of "absconding": leaving a scope in such
a way that the local resources tied to lexical/dynamic contours are left
alone. No unwinding calls are done.

The justification is precisely that it is OK if the scope is later re-entered
(specifically: restarted via revived continuation). The revived control then
finds everything intact --- and can leave the scopes _normally_ at which point
the cleanup _does_ take place.

By doing this, I solved the problem of how to integrate continuations with
scoped resource acquisition/cleanup, without the horror of _dynamic-wind_ or
its ilk.

------
convolvatron
Apparently Massalin is still at MicroUnity after 20 years. Does anyone know if
they do any business outside of patent licensing?

------
exikyut
Mods: This needs a (1988)

------
markhahn
Ow! My eyes burn from the '80s texture background...

Synthesis was one of my favorite papers - sort of more Unixy, traditional-ish
than Self (another fav from that decade...)

