Discussion:
SandStorm.io on Genode ?
Peter Lindener
2016-02-20 21:13:15 UTC
Dear
Kenton Varda <https://github.com/kentonv>, founder of SandStorm.io
<https://sandstorm.io/>,
Norman Feske <https://github.com/nfeske>, founder of genode-labs.com
<http://genode.org/>,

and Fellow Genodians...

Given Kenton's concern for security in SandStorm.io
<https://sandstorm.io/>..
and that it's unlikely that Linux, with its humongous monolithic kernel,
will ever deliver anything that resembles real security..

.. so I'm wondering if it might be a good match to look at running
SandStorm.io <https://sandstorm.io/> servers within the Genode OS
<http://genode.org/> ?

To further fill out a possible vision:
I just ordered a couple of Pine_64, Quadcore ARM64 boards
<https://www.pine64.com/> (with 2GB of ram)..

I am currently bringing up the code for Social Decision System kernel
based upon the Groves-Clarke Mechanism
<http://www.econ.ucsb.edu/~tedb/Courses/UCSBpf/pflectures/groves.pdf>,
which is essentially the ideal when it comes to Strategic Voting Game
Theoretic Mechanism Design
<http://www.eecs.harvard.edu/~parkes/pubs/ch2.pdf>..
while the Python / C++11 code is still in an embryonic state... the
underlying theory for how this Game Theoretic solver would operate is
fairly far along..
The plan is to open source this solver code, once it passes a full set
of included cross validation unit tests.
I have been looking at how this Groves-Clarke Mechanism
<http://www.econ.ucsb.edu/~tedb/Courses/UCSBpf/pflectures/groves.pdf> solver
can be deployed across a network, to permit this algorithm to scale up to
tackle larger problems in Information / Game Social Choice
<https://en.wikipedia.org/wiki/Social_choice_theory> theory. (i.e., the
longer term direction of our democracy)...

I was encouraged to find Kenton's 2nd generation work Cap'n-proto
<https://capnproto.org/> which I gather provides some of SandStorm.io
<https://sandstorm.io/>'s core network functionality... a clear advance in
the state of networked system affairs...
I also have taken notice of Genode's Server framework
<http://genode.org/documentation/api/base_index#Inter-process_communication>..
and I would like to leverage the advanced perspectives of both, as I
construct the network services layer that will underlie this computer
assisted support of a truly democratic Social Decision system.

My wish list is as follows:
1. Genode might someday run on ARMv8 (64bit)... It would be great if the
Pine_64 would eventually run Genode right out of the box..

2. Cap'n-proto <https://capnproto.org/> might be supported within the Genode
ecosystem... and that a collaboration between Kenton and Norman... might
end up yielding the nicest Client / Server framework / protocol stack the
world might have the privilege to enjoy.

3. That people with significant technical vision and influence, will see
the ultimate level of creativity that will be leveraged if SandStorm.io
<https://sandstorm.io/> and genode-labs.com <http://genode.org/> would be
provided with real financial support for striving towards the
inter-operation of these significant advancements of a better foundation
for network based computation.

4. That SandStorm.io <https://sandstorm.io/>'s open source code
<https://github.com/sandstorm-io/sandstorm> might also run eventually on
the Pine_64 <https://www.pine64.com/>, within Genode OS <http://genode.org/>,
such that the Trusted Computing Base
<https://en.wikipedia.org/wiki/Trusted_computing_base> of SandStorm
<https://sandstorm.io/>'s personal server system would be further reduced..

5. That the release of an open source network based (Information/Game
Theoretic) Social Decision system kernel, will inspire many to dream about
the very bright future that our truly democratic society will begin to
explore.

I thus close, requesting that many may choose to support the vision that
is already well underway in the implementations of both SandStorm
<https://sandstorm.io/> and the Genode OS <http://genode.org/>,.. and that
such a collaboration will yield a close to ideal foundation upon which this
advanced, Information/Game Theoretic Social Design systems might then
flourish..

With the greatest of respect for those who would help pull these pieces
together.
Yours sincerely,
Peter (SaxMan) Lindener.

-----------
Kenton Varda
2016-02-26 04:51:00 UTC
Hi all,
From a brief look at Genode, it seems it and Sandstorm have a lot in common
at an abstract level. We're both building capability systems, and we're
both aiming to solve security at the platform level so that apps don't have
to think about it.

Practically speaking, though, Sandstorm applications currently expect a
Linux ABI (including most common syscalls), which probably means that
making Sandstorm run directly on top of Genode would be a complicated
project. I would love to see Sandstorm running on a better kernel than
Linux someday, but it's going to be tricky.

In the shorter term, the way to achieve interoperability between the
systems would be to define some sort of a bridge between Cap'n Proto and
Genode's RPC -- or maybe adopt Cap'n Proto as the RPC system in Genode, if
that is still possible. If we can all agree on a capability transport
protocol then it becomes a lot easier to gradually move software into purer
systems. (Note that Cap'n Proto is based on CapTP with direct input from
Mark Miller. But, compared to CapTP, Cap'n Proto is much more efficient to
encode/decode.)

-Kenton
-----------
Peter Lindener
2016-02-26 19:57:28 UTC
Dear
Kenton, Norman,
and fellow Genodians-

Good to hear that things are beginning to work well in Sandstorm Land..
Norman and others at Genode Labs, have already brought up Virtual_Box under
Genode, so perhaps, one might be able to already run a SandStorm server
within Genode's Virtual_Box ? ... I take it, that Genode's bridging of
Virtual_Box's network service should already be enough to do the trick on
the server side..
Genode also already supports QT5, but I gather a Genode customized Linux
ABI layer may still be a ways off (Norman?)..

It would be great if Genode were to adopt Cap'n Proto.. as part of its
next Gen RPC support... but my hunch is that both might learn a few tricks
from the other...
..so I'm hoping that the Technical exchange between the teams at Genode
Labs and Sandstorm turns out to be a gold mine for architecting the next
generation of significant innovation in both.

-Peter (SaxMan) Lindener.. [Advanced Voting System Theorist]
-----------
Norman Feske
2016-02-27 09:44:59 UTC
Hello Peter,

your enthusiasm about our projects is great to see.

Admittedly, I feel a bit uneasy about being urged to deliver a statement
about how both projects relate to each other. As I am not proficient in
the domain of web applications, an assessment from my side would be
shallow at best.

When I first stumbled upon Sandstorm (on Hacker News), I could not spot
an obvious connection between Sandstorm and Genode. And still, I'm
somehow lacking the imagination to see it. Granted, both projects
facilitate capability-based security. But they are seemingly based on
different premises (i.e., with respect to the reliance on a monolithic
OS) and address different domains (web applications vs. OS services).

Post by Peter Lindener
Good to hear that things are beginning to work well in Sandstorm Land..
Norman and others at Genode Labs, have already brought up Virtual_Box
under Genode, so perhaps, one might be able to already run a SandStorm
server within Genode's Virtual_Box ? ...

Sure, it is possible to run a guest OS on top of Genode. But what would
be the benefit for Sandstorm users?

Post by Peter Lindener
It would be great if Genode were to adopt Cap'n Proto.. as part of
its next Gen RPC support... but my hunch is that both might learn a few
tricks from the other...

On Genode, we don't delegate capabilities over the network. In your
previous email, you mentioned Genode's "Server API" in the context of
Cap'n Proto. The ambiguous terminology may have misguided you a bit. Our
server API is not related to networking. In the context of Genode, a
server is simply a software component living in a dedicated address
space (think of a process on Unix) that provides a service to another
software component running on the same machine.

Post by Peter Lindener
..so I'm hoping that the Technical exchange between the teams at Genode
Labs and Sandstorm turns out to be a gold mine for architecting the next
generation of significant innovation in both.

You obviously see opportunities worth exploring. I encourage you to get
your hands dirty, e.g., by building a prototype. Once someone like you
who has a natural interest in both projects steps up and pursues the
actual integration work, your vision may become more tangible to all of us.

Cheers
Norman
--
Dr.-Ing. Norman Feske
Genode Labs

http://www.genode-labs.com · http://genode.org

Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
-----------
Peter Lindener
2016-02-27 23:35:49 UTC
Hi
Norman-

you wrote: "Sure, it is possible to run a guest OS on top of Genode.
But what would be the benefit for Sandstorm users?"

to clarify, here, I was suggesting that Kenton might want to consider
running SandStorm UNDER Genode, potentially providing a development path
towards better security for SandStorm.io in the longer run... Norman I'm
not sure why you would see the value that Genode would bring to SandStorm's
longer term growth path... You certainly have put in the effort.. to make
Genode a great security oriented foundation upon which to build.. I'm
sure Kenton sees the real security concerns surrounding the all too large
TCB of Linux, even after Kenton's team has whittled the Linux Kernel down a
bit.

Once Sandstorm is running UNDER the Genode OS, I would gather that one
would utilize the opportunity to incrementally migrate part of Sandstorm's
security orientated service infrastructure to run under the Genode API,
without relying on the Linux Kernel as part of its fully trusted code
base..

Norman I take encouragement from your suggestion that I "get your
hands dirty, e.g., by building a prototype", but then perhaps you have
overlooked the note that I sent that started this thread..
.. I'm already in the thick of it, But in all honesty, I really don't
want to be put in the position of having to pick which platform to use
during early development.. That is: If you want Genode to claim center
stage as THE security orientated OS to build our future on... Working
with Kenton and his team might be just the way to help make it happen...
That is what I am asking...
My hunch is that if Kenton...ends up liking what he sees in Genode's
underlying design.. he will likely have good things to say to others who
might see the wisdom in further financial support for Genode Labs... (i.e.
a potential contract to help address the security oriented aspects of
Sandstorm's longer term development path)...

As for my own (rather significant) in the computational aspects of
Information/Game Theoretic Social Decision Systems theory... I will
continue to do most of my work in Python and C++, while doing my best to
avoid counting on much from the underlying target platform, that is...
until I can see that both Genode and Sandstorm..are doing well enough that
the longer term development of both is a sure bet (I think the odds are
good) in the longer run, you have to admit it is about sharing some vision
about development directions.
It is fairly likely, that Cap'n Proto will come into the picture as the
more demanding computations in my code (Strategic VnM ranked Ballot
Tallying) scale up via network distributed computation..

My hunch is that most people would not take kindly to nation states
surveilling the (supposedly private, personal) input data of such a
system.. and thus I take the need for security the system that will
ultimately run this code... For this reason, I am doing my best to
encourage SandStorm.io and Genode Labs to consider the benefits of working
together... I.e... My code, will need what both combined together would
offer...

To this end... I write both suggesting a dialog as to how these systems
could grow in the same directions.. That Kenton, might give some thought
with the support of Genode Labs, as to how Sandstorm.io, over time could
further secure its TCB via a migration path where Genode's API would become
fairly easy to assess... I also see that Cap'n Proto, might bring about
some real value to the Genode OS... and yes, when I get the chance, I will
see about what it might take to port Cap'n Proto to Genode... but in all
honesty... I rather that the financial minds supporting SandStorm.io..
might see the wisdom in the security orientated migration path for
SandStorm... so hopefully I can keep my own focus on the Game Theoretic
aspects of the Social Decision systems problem...

all the best

-Peter (SaxMan) Lindener