On Ambient Authority
This blog is the second in a series on Genode for not-so-technical people. In the blogs I try to answer the question what Genode offers on safety and usability that other systems don't. Read the first part here.
This blog discusses the concept of Ambient Authority.
- Ambient
-
it's in the air around, just ready to be picked.
- Authority
-
The right to use a resource.
This authority could be explicit: "here's the key to my car, be careful with it," or implicit: "no need to ask if you want to charge your phone, just plug it in". Or it could be literally ambient: "the air we breathe".
The concept of ambient authority in computers is best explained with an analogy.
Image you're in a supermarket. You have a basket in your left hand. You walk around the aisles and pick the products you want with your right hand and put those in your basket. At some point you decide you have all you need and head for the checkout. You put all the items on the conveyor belt. The cashier calculates the total price and you pay. Then you take your items and leave.
What authorities are given to you by the supermarket?
-
browse the aisles.
-
collect products.
-
take them out. (paying changes ownership)
But there are more, you can:
-
leave products at different shelves;
-
eat the food before paying;
-
throw them on the ground (destroy items);
-
throw a whole shelve to the ground;
-
take your gun and shoot shoppers and employees;
-
detonate your nuclear bomb and destroy the entire supermarket.
The first three are expected behaviour that most people live up to. The other six are unwanted behaviour in a supermarkt. You have to option to misbehave, there is nothing a shop owner can do to prevent you from doing so. The shop owner could report you to the police, but that's too late, the damage has been done.
In computers it's just like that. You can:
-
browse your files
-
collect them in a zip file
-
mail these to a friend
The other rights also apply to computers, you can:
-
move files around;
-
change the files (edit documents, bomb some photos);
-
delete emails, photos, files;
-
delete folders;
-
stop processes (called kill in linux);
-
reformat the hard disk and destroy everything on it.
What's considered inappropriate in a supermarket is actually needed to use a computer.
The rights I described are just the rights to work with files on disk. There are more rights in a computer but these don't translate so easy to a supermarket analogy. With the network-rights, you can browse the web, copy photos via bluetooth from your phone to your desktop computer or play a network game with strangers.
In an ambient authority system each process can access these rights when it needs to. Many processes need a just subset of the capabilities that an OS provides. A game needs keyboard and joystick input, audio-video output and some space on the disk to store the program and your progress. A multiplayer game needs network connectivity as well to connect to the game server.
Without those rights available, the software would not work.
In the next blog, I'll describe why ambient authority is not a good architecture for normal computer users.