David Chisnall (one of the main developers behind Étoilé) has been working full-time on CHERI for the last decade to bring hardware that enables Étoilé's vision.

> I’d spent a lot of the previous years on Étoilé, which was a project to build a user-focused desktop environment that was built out of composable components with end-user programming as a key focus. We were inspired by the STEPS project at VPRI, which tried to build an entire system in under 20,000 lines of code. Our rule was simpler: we aimed to keep individual components to under 10 KLoC, which is small enough that a single person can understand it. This meant that we needed to be able to both use expressive languages and build expressive DSLs. We were starting from an Objective-C base, which gave us a nice model for late-bound components but brought along a lot of C baggage.

> Unlike STEPS, I didn’t want to rewrite the world in high-level languages. I wanted to use things like libavcodec and libavformat as-is, but without bugs in them being able to destroy the invariants that higher-level software depended on. I’d tried building isolation mechanisms with the MMU and found it severely limiting. I’d also looked at Mondrian Memory Protection, but the table-based approach didn’t compose well with language-level abstractions. Early CHERI wasn’t the right thing either, but it was close enough that I felt I could evolve it into the right shape.

> Most of my fingerprints in CHERI ISAs are with that goal in mind. I want to be able to compile existing C/C++ libraries for a CHERI compiler and use them safely from higher-level languages and use them directly. I’ve written a bit about this before:

> https://www.linkedin.com/pulse/i-dont-care-memory-safety-dav...

> I want to be able to have documents embed scripting-language programs that can directly call large native libraries and still have strong guarantees that my system won’t be compromised. The key point is this observation:

> Isolation is easy, (safe) sharing is hard.

> It’s trivial to fully isolate two components. Separate cores, sandboxed processes, or WebAssembly sandboxes can give this kind of isolation, depending on the degree of isolation that you need. Most interesting things are built from communicating components and keeping things mostly isolated, but able to communicate safely, is much harder. For example, Rust says FFI is unsafe, but if you wanted it to be safe except that objects passed from Rust to C may contain arbitrary bit patterns after the call, that’s harder. You can do it with deep copies, but that’s a lot of overhead and very hard to do in the general case. You can do it with CHERI fairly easily, including richer things like deep immutability (in CHERIoT, we can also provide shallow and deep no-capture guarantees).

https://lobste.rs/s/ttr8op/lobsters_interview_with_david_chi...
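The "isolation is easy, safe sharing is hard" point above can be made concrete. The following is an added example, not code from the interview, from CHERI or from Étoilé: a Rust type with an invariant (sorted, non-empty) that is silently broken when its real storage is handed to a buggy native callee, beside the deep-copy boundary the interview mentions, which gives the callee a scratch copy and re-validates the result before it re-enters the typed world. The "native" function `native_process` is a hypothetical stand-in written in Rust; in a real build it would be a C function reached through an `extern "C"` block.

```rust
// Added example (assumption-free stand-in for a C library reached via FFI):
// a typed value whose invariant can be corrupted by the callee, and the
// deep-copy-plus-revalidate boundary that keeps the caller's copy intact.

/// Sorted, de-duplicated, non-empty list of ids. Construction enforces the
/// invariant so that `contains` can rely on it.
#[derive(Debug, Clone, PartialEq)]
pub struct SortedIds(Vec<u32>);

impl SortedIds {
    pub fn new(mut v: Vec<u32>) -> Result<Self, &'static str> {
        if v.is_empty() {
            return Err("empty");
        }
        v.sort_unstable();
        v.dedup();
        Ok(SortedIds(v))
    }

    /// Binary search is only correct if the invariant holds.
    pub fn contains(&self, id: u32) -> bool {
        self.0.binary_search(&id).is_ok()
    }

    /// True iff the buffer is non-empty and strictly increasing.
    pub fn is_consistent(&self) -> bool {
        Self::check(&self.0)
    }

    fn check(v: &[u32]) -> bool {
        !v.is_empty() && v.windows(2).all(|w| w[0] < w[1])
    }
}

/// Hypothetical buggy native library call, simulated in Rust. It is documented
/// as read-only but writes an arbitrary bit pattern into element 0, which is
/// exactly the failure mode the interview describes for Rust-to-C FFI.
pub unsafe extern "C" fn native_process(buf: *mut u32, len: usize) -> i32 {
    if len == 0 {
        return -1;
    }
    *buf.add(0) = 0xFFFF_FFFF;
    0
}

/// Shared-pointer boundary: the callee operates on the caller's real storage,
/// so a bug in native code corrupts the typed value without any signal.
pub fn call_shared(ids: &mut SortedIds) -> i32 {
    let len = ids.0.len();
    unsafe { native_process(ids.0.as_mut_ptr(), len) }
}

/// Deep-copy boundary: the callee only ever sees a scratch copy, and the copy
/// is re-validated before it is allowed to become a `SortedIds` again.
pub fn call_copied(ids: &SortedIds) -> Result<SortedIds, &'static str> {
    let mut scratch = ids.0.clone();
    let rc = unsafe { native_process(scratch.as_mut_ptr(), scratch.len()) };
    if rc != 0 {
        return Err("native call failed");
    }
    if SortedIds::check(&scratch) {
        Ok(SortedIds(scratch))
    } else {
        Err("invariant violated by native code")
    }
}

fn main() {
    let mut shared = SortedIds::new(vec![5, 3, 9]).unwrap();
    call_shared(&mut shared);
    println!("shared boundary consistent: {}", shared.is_consistent());

    let ids = SortedIds::new(vec![5, 3, 9]).unwrap();
    println!("copied boundary result: {:?}", call_copied(&ids));
    println!("caller's copy still consistent: {}", ids.is_consistent());
}
```

The copy costs an allocation and a full traversal per call, which is the overhead the interview refers to; for nested structures with pointers the copy and the re-validation both have to recurse, which is why it does not generalize well, and why a hardware bound on what the callee can touch is attractive instead.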

Thank you for sharing this interview link! I didn’t know that Étoilé was inspired by Alan Kay’s STEPS project. It makes a lot of sense. It would have been really cool to see a desktop environment that pushed Alan Kay’s ideas further.

Chisnall has stated several times over on Lobsters that he's thinking of basing his future project on Arcan (https://arcan-fe.com/). It's a very interesting project.

The thing about Arcan is that the writing about it is almost deliberately incomprehensible.

There are YouTube videos embedded on the site. They may be helpful.

Otherwise give https://lobste.rs/s/w3zkxx/lobsters_interview_with_bjorn_sta... a try?

Yes, it's good! And I have a lot of sympathy for what I perceive to be Stahl's goals, and indeed, his methods. But I think I need an intercessor or interpreter to his prose style. This is probably a me problem and not a him problem, to be maximally fair.

Björn's writing style is intentional. He tries to make it understandable for people who have a deeper understanding of the subject, but to keep out the people who don't know enough. It's primarily to convey what Arcan is to the people who can do something with Arcan, but to avoid attention that will ultimately lead to flame wars.

Ståhl _hates_ attention, both from being a quite private individual to having problems with weirdos showing up at his apartment when some of his videos have gone viral here on HN. (Everyone's home address is public here in Sweden.)