naasking is saying you could try different protection strategies since it's an experimental, clean-slate OS. User/kernel model protection is among the weakest models that only works with separation kernels such as seL4 or Muen. Tiny, tiny kernels. Let me give you examples of alternative, OS architectures and protection models to show what naasking likely meant by doing it different:
Note: SPIN OS was written in safe Modula-3. Interesting thing about it was leveraging the language safety & a type-safe linker to allow code to be loaded into kernel for acceleration.
Note: LISP machines were among most powerful machines ever created for developers. The language itself had code as data philosophy to change it at will. Runtimes had REPL, incremental compilation per function, AOT compilation, and live updates of code. Do a whole OS that way you get feature 7 along with debugging or linking ones on 8-12 page that no OS has today. I mean, single coolest thing your OS could do is allow debugging or updates of it in high-level code that somehow goes through compiler and right back into memory. The same HLL that users write the applications in.
Note: The main paper on this page will tell you what this OS is about. The architecture tries to enforce POLA at a decent granularity with building blocks that are pretty easy to understand. Almost everything is safe. One thing worth copying is using different, garbage collectors for different apps or parts of OS.
Note: MOSIX was an OS I ran into when I studied supercomputers in the late 90's. The cool thing about it was how it turned a network of computers into a cluster that it automatically distributed jobs over. Treated them like one machine in a way that typically required low-level, message passing. K42 was IBM's attempt at building blocks for something similar using microkernels and hot-swappable components.
Note: EROS was a capability-secure, microkernel OS with trusted networking and GUI stacks. Abandoned when Microsoft hired Shapiro. Capability model has strong properties for enforcing POLA but one must be clever to minimize overheads.
Note: Nucleus is literally stolen from a 70's-era mainframe that did same stuff along with Per Hansen. The idea is you wrap all the low-level stuff behind an interface that forces it used safely & consistently in above layers. Then, above stuff is easy to do in high-level language. The how of this has many possibilities. Safety enforced statically with type systems or Design-by-Contract (e.g Spec#); or dynamically with argument checks; or both.
I'm super excited about the idea of removing the artificial boundaries between kernel and userspace. Equally, static and dynamic compilation.
Are there any technical or practical reasons why systems like Symbolics Genera are inferior to todays mainstream operating systems? Or do you think it's only social / economic processes that they weren't adopted?
It was economics like with most hardware of the time. Those were expensive, custom machines. The CISC and RIZC processors kept getting cheaper and faster to point that users, mostly wanting performance, were better off buying them. Genera itself eventually got hosted as an emulator or something on Alphas. Then Alphas bit the dust haha. Wait, it's not funny cuz PALcode was amazing.
Anyway, economics and market demand as usual. That's what killed it.
http://www-spin.cs.washington.edu/
Note: SPIN OS was written in safe Modula-3. Interesting thing about it was leveraging the language safety & a type-safe linker to allow code to be loaded into kernel for acceleration.
http://www.symbolics-dks.com/Genera-why-1.htm
Note: LISP machines were among most powerful machines ever created for developers. The language itself had code as data philosophy to change it at will. Runtimes had REPL, incremental compilation per function, AOT compilation, and live updates of code. Do a whole OS that way you get feature 7 along with debugging or linking ones on 8-12 page that no OS has today. I mean, single coolest thing your OS could do is allow debugging or updates of it in high-level code that somehow goes through compiler and right back into memory. The same HLL that users write the applications in.
http://www4.cs.fau.de/Projects/JX/
Note: The main paper on this page will tell you what this OS is about. The architecture tries to enforce POLA at a decent granularity with building blocks that are pretty easy to understand. Almost everything is safe. One thing worth copying is using different, garbage collectors for different apps or parts of OS.
https://en.wikipedia.org/wiki/MOSIX
http://encyclopedia.thefreedictionary.com/K42
Note: MOSIX was an OS I ran into when I studied supercomputers in the late 90's. The cool thing about it was how it turned a network of computers into a cluster that it automatically distributed jobs over. Treated them like one machine in a way that typically required low-level, message passing. K42 was IBM's attempt at building blocks for something similar using microkernels and hot-swappable components.
https://www.cs.vu.nl/pub/amoeba/amoeba.html
Note: Amoeba was a distributed, operating system. Each machine ran some code. The OS and apps were spread among them.
https://www.cs.ucsb.edu/~chris/teaching/cs290/doc/eros-sosp9...
Note: EROS was a capability-secure, microkernel OS with trusted networking and GUI stacks. Abandoned when Microsoft hired Shapiro. Capability model has strong properties for enforcing POLA but one must be clever to minimize overheads.
E language and capability model
https://www.combex.com/papers/index.html
Note: Embedding the capability model as constructs in the language, esp RPC's, can make for interesting abilities.
https://www.microsoft.com/en-us/research/publication/safe-to...
Note: Nucleus is literally stolen from a 70's-era mainframe that did same stuff along with Per Hansen. The idea is you wrap all the low-level stuff behind an interface that forces it used safely & consistently in above layers. Then, above stuff is easy to do in high-level language. The how of this has many possibilities. Safety enforced statically with type systems or Design-by-Contract (e.g Spec#); or dynamically with argument checks; or both.