[Cryptography] bounded pointers in C

Jerry Leichter leichter at lrw.com
Sat Apr 19 08:38:01 EDT 2014


On Apr 19, 2014, at 1:07 AM, Ben Laurie <ben at links.org> wrote:
>> At the cost of performance, you can move the lengths off to a hidden data structure in which you can look up pointers.  When you're handed a pointer, you look it up and get its length.  This is messy because you can be handed a pointer into a block of legal memory.  So you need a structure to check whether a pointer occurs in any of a set of ranges.  How well this would work in practice, I don't know.  Presumably a smart compiler can elide most lookups:  In some cases it knows the size anyway (e.g., you take the address of a struct on the stack); in others, once it's looked it up, it can keep it around for a while (i.e., thin pointers in memory, fat pointers in registers).
> 
> The Mill does this:
> 
> http://millcomputing.com/docs/security/
> 
> I think it's a pretty interesting architecture, but not convinced it's
> the _right_ architecture :-)
It's a synthesis of a whole bunch of ideas that have been out there for years.  The single address space and the way they use it is the basis of the old IBM AS/400 architecture, and also appears in some form in Power.  The Intel 432 took this to its logical extreme, though parts of it still show up in the x86 memory segmentation architecture.  The portals appear in both x86 and in the old DECSystem 10.

Of course, all of this traces back to Multics in some form.

None of this is a criticism of Mill!  Learning from what others have done, digesting it, and putting it all together in new ways, is the essence of successful, useful design.  It's a myth that good design comes out of nowhere.

The common factor in the Power and x86 memory extensions is that they aren't used.  (Well, the Power memory stuff is likely used in the Power-based replacements for the AS/400.)  C and related languages, and the OS's built using them, just turn everything into one linear address space per process.  The Mill design goes out of its way to avoid that fate.  But whether anyone today is interested in a CPU architecture that is neither x64 nor ARM is questionable.

Of course, a couple of years ago, you could have said the same thing about a language that wasn't C++ or Visual Basic, or an OS that wasn't Windows or Unix.

                                                        -- Jerry
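As an added illustration of the scheme described in the quoted paragraph (an out-of-band table of lengths, looked up by pointer, that must also handle pointers into the middle of a legal block), here is a small C sketch. It is example code written for this page, not code from either correspondent and not how the Mill implements its bounds; the names `bounds_register`, `bounds_remaining` and `checked_write` are invented for the example, the table is a fixed-size array with a linear scan (a real implementation would use shadow memory or an interval tree), and it only catches spatial errors on blocks that were registered.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical out-of-band bounds table (example only). Each tracked
 * allocation records [base, base+len). A raw pointer, possibly interior,
 * is looked up against the set of ranges and the bytes remaining to the
 * end of its block are returned, which is the "length" a thin pointer
 * does not carry by itself. */

#define MAX_RANGES 64

struct range { uintptr_t base; size_t len; };

static struct range ranges[MAX_RANGES];
static size_t nranges;

/* Register a block. Returns false if the table is full. */
bool bounds_register(void *p, size_t len) {
    if (nranges >= MAX_RANGES) return false;
    ranges[nranges].base = (uintptr_t)p;
    ranges[nranges].len = len;
    nranges++;
    return true;
}

/* Forget a block (on free). Returns false if it was not tracked. */
bool bounds_unregister(void *p) {
    for (size_t i = 0; i < nranges; i++) {
        if (ranges[i].base == (uintptr_t)p) {
            ranges[i] = ranges[--nranges];   /* swap-remove */
            return true;
        }
    }
    return false;
}

/* Look up an arbitrary pointer, which may point into the middle of a block.
 * Returns the number of bytes from p to the end of the enclosing block,
 * or 0 if p lies in no tracked range. Linear scan over all ranges. */
size_t bounds_remaining(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < nranges; i++) {
        if (a >= ranges[i].base && a - ranges[i].base < ranges[i].len)
            return ranges[i].len - (a - ranges[i].base);
    }
    return 0;
}

/* A checked write: refuses to copy past the end of the block that dst
 * points into, and refuses untracked destinations. Returns true on success. */
bool checked_write(void *dst, const void *src, size_t n) {
    size_t room = bounds_remaining(dst);
    if (room < n) return false;   /* would overflow, or dst is untracked */
    memcpy(dst, src, n);
    return true;
}

/* Demo on a constructed 16-byte heap block: a write through an interior
 * pointer that fits succeeds, one that would spill one byte past the end
 * is rejected, and a write to an unregistered stack object is rejected.
 * Returns 1 if all three behave as expected, 0 otherwise, -1 on setup error. */
int demo(void) {
    char *buf = malloc(16);
    if (!buf || !bounds_register(buf, 16)) { free(buf); return -1; }
    memset(buf, 0, 16);
    int ok        = checked_write(buf + 8, "ABCDEFG", 8);        /* exactly fits */
    int rejected  = !checked_write(buf + 8, "ABCDEFGH", 9);      /* one byte too many */
    int untracked = !checked_write((char[4]){0}, "x", 1);        /* never registered */
    bounds_unregister(buf);
    free(buf);
    return ok && rejected && untracked;
}

int main(void) {
    printf("demo: %s\n", demo() == 1 ? "ok" : "failed");
    return 0;
}
```

The cost the quoted paragraph mentions is visible here: every checked access pays a table lookup, and an interior pointer can only be resolved by searching the set of ranges rather than by an exact key match. The compiler optimisation it suggests (look the bounds up once and carry them in a register as a fat pointer while the thin pointer stays in memory) is exactly what a compiler would do to hoist `bounds_remaining` out of a loop that writes through `buf + i`.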