http://emergentchaos.com/archives/2005/12/star-wars-and-least-common-mechanism.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2005/12/star-wars-and-least-common-mechanism.html/comment-page-1#comment-1628 Adam Mon, 05 Dec 2005 21:02:24 +0000 http://emergentchaos.com/?p=1273#comment-1628 Nikita, I'm with you that this is a hard one, and think your analysis is good. Would you dump it if you could re-do the list? There's already least priv. Anon, TCB post-dates Saltzer and Schroeder, so that's cheatin'. Nikita,
I’m with you that this is a hard one, and think your analysis is good. Would you dump it if you could re-do the list? There’s already least priv.
Anon,
TCB post-dates Saltzer and Schroeder, so that’s cheatin’.

]]> http://emergentchaos.com/archives/2005/12/star-wars-and-least-common-mechanism.html/comment-page-1#comment-1627 Anonymous Sat, 03 Dec 2005 18:49:12 +0000 http://emergentchaos.com/?p=1273#comment-1627 Maybe "keep the TCB small" is what they are driving at. When there's a choice of whether something goes in the TCB prefer the option where it doesn't. Maybe “keep the TCB small” is what they are driving at. When there’s a choice of whether something goes in the TCB prefer the option where it doesn’t.

]]> http://emergentchaos.com/archives/2005/12/star-wars-and-least-common-mechanism.html/comment-page-1#comment-1626 Nikita Sat, 03 Dec 2005 11:50:24 +0000 http://emergentchaos.com/?p=1273#comment-1626 I find that LCM is the Least Intuitive Principle. I think the reason for this is that when most people these days think of a shared mechanism, they think of shared libraries, and I believe the principle doesn't apply to them. Yes, writing a large number of support libraries has the potential of introducing bugs, but having everyone roll their own seems even more error prone. For example, the JPEG vulnerability had a lot of impact, but we were able to eliminate them in a fairly short amount of time. If a well-tested and widely used component has bugs, can you imagine how many more vulnerabilities there would be in the hundreds of home-brewed JPEG implementations? The principle text talks about something else, though. First, it mentionsshared data & resources as channels for information flow — something notably absent from shared libraries. The second example in fact advocates writing shared libraries instead of a privileged service used by everyone. I still have trouble wrapping my head around that one, since if there's something in your system that <em>could</em> be implemented as a user library, even if you do provide a privileged implementation of it, there's nothing forcing your users from switching. So really, I think the principle (or at least its second part) is saying that you want to design your system so that few mechanisms require privilege, but that's not the image evoked by the phrase "LCM." I find that LCM is the Least Intuitive Principle. I think the reason for this is that when most people these days think of a shared mechanism, they think of shared libraries, and I believe the principle doesn’t apply to them.
Yes, writing a large number of support libraries has the potential of introducing bugs, but having everyone roll their own seems even more error prone. For example, the JPEG vulnerability had a lot of impact, but we were able to eliminate them in a fairly short amount of time. If a well-tested and widely used component has bugs, can you imagine how many more vulnerabilities there would be in the hundreds of home-brewed JPEG implementations?
The principle text talks about something else, though. First, it mentionsshared data & resources as channels for information flow — something notably absent from shared libraries. The second example in fact advocates writing shared libraries instead of a privileged service used by everyone. I still have trouble wrapping my head around that one, since if there’s something in your system that could be implemented as a user library, even if you do provide a privileged implementation of it, there’s nothing forcing your users from switching.
So really, I think the principle (or at least its second part) is saying that you want to design your system so that few mechanisms require privilege, but that’s not the image evoked by the phrase “LCM.”

]]> http://emergentchaos.com/archives/2005/12/star-wars-and-least-common-mechanism.html/comment-page-1#comment-1625 Andrew Cory Fri, 02 Dec 2005 21:21:40 +0000 http://emergentchaos.com/?p=1273#comment-1625 In Episode 1 all the droids were shut down by the failure of 1 system. That seems like a failure to implement the LCM principle... In Episode 1 all the droids were shut down by the failure of 1 system. That seems like a failure to implement the LCM principle…

]]>